• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.
Sign in to follow this  
Followers 0
Michu Neo

Another disappearing exe files. New plauge?

6 posts in this topic

My .exe are disappearing after the install of some specific programs. Problem is nearly the same like here:


Norton AV some essential exes are disappearing, i have no idea what else i can do.

I tried some web-browsers scan (MKS & something else), i have cleaned my registry (RegistryBoster, it seems like it is not blacklisted like other AV and AS programs)

I also tried to kick this deeply annoying virus with Linux but he have problems with emulationated Windows AV programs (i'm not surprised), and Linux AV's of course doesn't see Win viruses.

ALSO my task manager and CMD doesn't work. I think it might be the same virus / trojan / worm.

Just like Forthekill i thought i deleted some viruses and trojans (MKV online have been searching for 12 hours and found 7 trojans), i cleaned up registry(+/- 600 errors). But still nothing.

What should i do?


AND one importand thing! My Safe Mode isn't working... When i choose it my computer is rebooting. Very danger thing I suppoose.


My hijack


Logfile of HijackThis v1.99.1

Scan saved at 16:52:09, on 2007-06-14

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:










D:\Program Files\Ter\sp_rsser.exe

D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

D:\Program Files\Common Files\Real\Update_OB\realsched.exe

D:\Program Files\Gadu-Gadu\gg.exe


D:\Program Files\Radeon Omega Drivers\v3.8.273\ATI Tray Tools\atitray.exe

D:\Program Files\CiDial\CiDial.exe

D:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\Mozilla Thunderbird\thunderbird.exe



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.antyradio.pl/warszawa/index.html?id=76

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [siSUSBRG] D:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft] netshield.exe

O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\RunServices: [Microsoft] netshield.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - Startup: ATI Tray Tools.lnk = D:\Program Files\Radeon Omega Drivers\v3.8.273\ATI Tray Tools\atitray.exe

O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202

O8 - Extra context menu item: Download all links using BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Download all videos using BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Download link using &BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A4AAB0DD-7A51-4885-8B90-852C5E32D9EA}: NameServer =

O20 - Winlogon Notify: winbae32 - winbae32.dll (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe

O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Ter\sp_rsser.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Edited by Michu Neo

Share this post

Link to post
Share on other sites

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.


Thank you for your patience.


[this is an automated reply]

Share this post

Link to post
Share on other sites

Hi Michu Neo,


Welcome to SpywareInfo! :wave:


I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.


OK, here’s what we do first.


BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.


Please download SDFix by AndyManchesta and save it to your desktop.


Double-click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix).


Please then reboot your computer into Safe Mode by doing the following:

  • Restart your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in "Safe Mode", then press "Enter".
  • Choose your usual account.

Once in Safe Mode, please do the following:

  • Open the extracted C:\SDFix folder and double-click on RunThis.bat to start the script.
  • Type "Y" to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display "Finished", press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum.




Please download CCleaner (freeware) and save it to your desktop:

  1. Run the CCleaner installer.
  2. During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  3. Once installed, run CCleaner and click the "Windows" tab.
  4. Select the following:
    • Check everything under the "Internet Explorer" section.
    • Check everything under the "Windows Explorer" section.
    • Check everything under the "System" section.
    • Check ONLY "Old Prefetch data" under the "Advanced" section.

[*]Then, click the "Applications" tab:

  • CHECK everything there.

[*]Next, click the "Options" button in the left pane, then click the "Advanced" button:

  • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".

[*]Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.

[*]When done, please exit CCleaner.

CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.





Please download ComboFix by sUBs:


NOTE: In the event you already have ComboFix, this is a new version that I need you to download.

  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.





Please download Dr.Web CureIt and save it to your desktop:

  • Double-click the cureit.exe file, select "Start", and allow it to run the "Express Scan".
  • This will scan the files currently running in memory and when something is found, click the "Yes" button when it asks you if you want to cure it. This is only a short scan.
  • It could be possible it displays a popup to buy it in between, to buy or 50% discount. Just close that popup again.
  • Once the short scan has finished, click Options -> Change settings.
  • Choose the "Scan" tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives; a red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Once the scan has finished, it will display a list of the files found and checked by default.
  • If the file "process.exe" was found - uncheck it. This is because this file is related with some of our cleaning tools and the tools need it. Most scanners do flag this file as a bad tool, but there's nothing wrong with it.
  • Then, click "Yes to all" if Dr.Web CureIt asks if you want to cure/move any infected files.
  • When the scan has finished, look if you can click the icon next to the files found: check.gif
  • If so, click it, and then click the next icon right below and select "Move incurable" as you'll see in next image:
  • This will move infected files to the %userprofile%\DoctorWeb\quarantine folder if they can't be cured (this is in case if we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click "File" and choose "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.




Uninstall Symantec completely using the directions on this page. It will provide you a link for the Symantec uninstaller.



Then, please download and install this FREE (for home and non-commercial usage only) and good anti-virus program.


Download Active Virus Shield (Powered by Kaspersky) and save it to your desktop.

  • Please remember to register for your Activation Code using a legitimate email address.
  • Double-click avs.msi to run the installer, but please uncheck "Install Security Toolbar" during the installation process:
  • Then please update the program and run a scan on "My Computer". Allow it to "Neutralize All" that it finds.
  • When done, launch Active Virus Shield's main window.
  • Click the "Scan" button on the left, and then click "Detected".
  • In the ensuing window, click the "Save As" button to save a copy of the log.
  • Copy and paste that log in your next reply.

Note: You must use only 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.





Please REBOOT your computer normally into Windows and post these logs in your next reply:

  1. The log from the SDFix scan.
  2. The log from the ComboFix scan.
  3. The log from the Dr.Web CureIt scan.
  4. The log from the Active Virus Shield scan.
  5. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).


Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

Share this post

Link to post
Share on other sites

I'm sorry but it's over :/


First I think you've missed it:


"AND one importand thing! My Safe Mode isn't working... When i choose it my computer is rebooting. Very danger thing I suppoose."


If safe mode would work, I would try whole your method.

I tried to use SDFix and CCleaner, no results. When I saw that cmd and task manager still doesn't work, i became quite angry, I logged myself into my linux and i formatted all win partitions. Mayby I even killed few viruses but when taskmng.exe was still infected it was time to format whole ntfs.


The funniest thing is that when I used so much AV's (one by one) and finally SD & CC, this virus or something that blocks AV's .exe files still were doing that...


But at the end, I want to really thanks for all your support. You're doing great job! Thanks!


Michu Neo

Poland [EU]

Share this post

Link to post
Share on other sites

Since this issue appears resolved ... this Topic is closed.


If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.


Everyone else please begin a New Topic.

Share this post

Link to post
Share on other sites
This topic is now closed to further replies.
Sign in to follow this  
Followers 0