Something is changing my .exe files to 0-byte files

and adding this $$$ebpebpebpebp$$$ to the extensions (read.exe becomes read.exe$$$ebpebpebpebp$$$).

This only happens when I try to install Kaspersky AV version 5. But I know it is a good, clean version. Something is being triggered by the installation of Kaspersky. I have Symantec's v 9 corporate installed and it finds nothing.

I've checked for hidden data streams (supposedly a vulnerability of NTFS partitions) and found a few which I deleted, but still have the problem.

I've been messing with this for 2 days now and am at a total loss. It quickly will change .exe, some .rar, and some desktop.ini files. Once written, they can't be deleted. It also adds entries to the registry of .rar$$$ebpebpebpebp$$$ and .exe$$$ebpebpebpebp$$$ as new file types.


Download Ad-Aware and search for spyware and all that crap. You positive that it's clean? Has it always done this or did you just get it?


I've already scanned with the latest versions of Ad-Aware, Spybot, Spy Sweeper, HijackThis and others. Yes, I know it to be a clean version because it installs on other systems just fine. Also scanned with a couple of tools for alternate data streams (ADS), which most AV scanners won't detect. Should add I'm using Win XP Pro with SP2.


Man... kind of a stumper when it's not adware or a virus. It's gotta be a virus 'cause what else would be doin' that? I don't think I will be sane again until I find out what's goin' on.


What about your system processes list? Anything JDLR there? Might try and kill all processes except the system critical ones and see if it still happens. That would at least eliminate other software, so if it still happens you know it is something in Windows.

Somewhere I remember this type of file extension alteration being part of the execution or activation process of various types of virus in an attempt at buffer overflow. This virus has some bugs inherent in its design, as it’s failed to patch the executable correctly and write out the code back to the copy, which results in zero file sizes with the strange extensions. This could even be a new virus or a corrupted old one; either way I doubt if most AVCs will detect it. Kaspersky should though, that is if you can start it. Try running directly from the CD, but again I can’t remember if you can do this with Kaspersky.

If you’re using Windows XP SR2 firewall, download from the Kaspersky site their 30-day trial of Kaspersky firewall and disable the XP version just before the re-boot.

Download the latest version of the Kaspersky 30-day trial of AVP, uninstall the version of Kaspersky (whatever it is) and install the newly downloaded version. Re-boot the machine, go to the Kaspersky site and update the AVP engine. Re-boot again.

Do not go on-line. Perform a complete system scan with AVP as this can access all your restore points and other areas of the system you cannot access as it runs in ring one, as a system process, and will catch just about everything possible.

If no problems are found then I suspect that the files now at zero bytes were themselves viruses or whatever, but I know that this is probably not the case; my view is that a virus within a virus, or a bug in a virus, has caused this. Set Kaspersky to scan at its highest level by selecting “settings” on the tab and setting “configure real time protection” and “on demand scan” to their highest levels, re-boot, then perform another full system scan.

As before, hidden partitions on your drive are sometimes prevalent, and some sophisticated viruses can produce their own password-protected partitions using what is in effect a hand-written (miniature operating system itself) partition that no version of Windows or Linux is aware of. If this does not work, only one path is left, this being to download from the hard drive manufacturer the utility that performs a low-level format of the drive and has the ability to destroy all partitions on it, totally. No operating system can do this; it must be the utility from the hard drive manufacturer.
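
Added example, not part of any post in this thread: a read-only Python inventory of files carrying the suffix quoted in the first post, to scope which file types were hit, how many are 0 bytes, and whether an unmarked original still sits beside them. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

MARKER = "$$$ebpebpebpebp$$$"  # suffix quoted in the thread

def scan(root):
    """Return one record per file under root whose name ends with MARKER."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(MARKER):
                continue
            original = name[:-len(MARKER)]          # e.g. read.exe
            path = os.path.join(dirpath, name)
            try:
                size = os.stat(path).st_size
            except OSError:
                size = None                         # unreadable: still report it
            hits.append({
                "path": path,
                "original_ext": os.path.splitext(original)[1].lower(),
                "zero_byte": size == 0,
                # True when an unmarked file with the original name sits beside it
                "original_present": os.path.exists(os.path.join(dirpath, original)),
            })
    return hits

def summarize(hits):
    """Counts a responder needs to scope the damage."""
    return {
        "total": len(hits),
        "zero_byte": sum(h["zero_byte"] for h in hits),
        "by_ext": dict(Counter(h["original_ext"] for h in hits)),
    }

def build_sample(root):
    """Constructed test tree (not data from the thread)."""
    os.makedirs(os.path.join(root, "sub"))
    files = {"read.exe" + MARKER: b"", "notes.txt": b"ok", "empty.exe": b"",
             os.path.join("sub", "a.rar" + MARKER): b"",
             os.path.join("sub", "desktop.ini" + MARKER): b"[x]",
             os.path.join("sub", "desktop.ini"): b"[x]"}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(summarize(scan(tmp)))
```

Run it against a mounted copy of the affected volume from a clean system rather than on the live machine, so the scan itself cannot trigger or be hidden by whatever is renaming the files.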

