Unlocatable file

Discussion in 'malware problems & news' started by daviidneylon, Aug 12, 2005.

Thread Status:
Not open for further replies.
  1. daviidneylon

    daviidneylon Registered Member

    Joined:
    Aug 12, 2005
    Posts:
    21
    I used the on-line checker at F-secure to try and solve my problem (all my icons and task bar disappear after 5 seconds) and it gave me this result:

    "C:\Windows\System32\.pif Trojan-Downloader Bat.Ftp.y"

    I've been through the system32 directory 5 times and I can't find a file named .pif.

    Does this make sense to anyone, any advice on how to find this? Since I don't have the Start menu I can't get to the search function, does anyone know if this can be launched from a directory, and if so, which directory and file?

    thanks.
     
  2. ravin

    ravin Registered Member

    Joined:
    May 2, 2003
    Posts:
    241
    Location:
    South Carolina
    Try an online scan using ewido. You can also try an online scan at pestpatrol, which will not remove any pests but allows you to expand all and print so you can see the locations of the pests. Or use another AV scanner like trendmicro and see if it's picked up and removed. Hope this helps. Keep us posted.
     
  3. daviidneylon

    Thanks, ravin.

    I found pestpatrol and did the scan, and it turned up a win32.rbot.de infected file, but the path was truncated, and I couldn't see any way to reveal the path, so I can't delete the file. If you have a link to the pestpatrol url that will allow you to expand, or explain what that means, I'd appreciate it.

    The problem continues: five seconds after I boot, all the icons and the taskbar disappear, and I'm left with wallpaper. Task Manager works, and everything is running.

    I doubt this worm has anything to do with this problem.
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    You've probably got this little blighter:- http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

    If you can't find a file you should 'unhide' your Windows files by following this tutorial:- http://www.bleepingcomputer.com/forums/index.php?showtutorial=62

    To clean your machine you must first disable system restore, clean out your temp files, then run your AV in 'safe' mode.

    You should also do an online scan here:- http://www.kaspersky.com/service?chapter=161739400

    I doubt whether ewido would help with this type of problem BTW.
     
  5. daviidneylon

    Topper, you're tops! Thanks.

    Duh, how do I disable system restore? Which temp files?

    Thanks again.
     
  6. TopperID

    Rather than the tedium of explaining how to clear out temp files, I strongly recommend you D/L CCleaner from here:- http://www.ccleaner.com/

    Before running CCleaner you should configure it by clicking 'Options'/'Advanced' and unticking the box 'Only delete files in Windows Temp folders older than 48 hours'.

    To disable System Restore:- http://www.bleepingcomputer.com/forums/tutorial56.html

    (I'm assuming you're on XP - if not please say what you are on)

    You do the above before going into 'safe' to run your AV (don't forget to update your AV first though - so you have the latest definitions).

    To get into Safe Mode; see here:- http://www.bleepingcomputer.com/forums/tutorial61.html
     
    Last edited: Aug 13, 2005
  7. daviidneylon

    topper,

    I ran the Kaspersky scan. It found two viruses in files I can't see. I'm going to download their s/w.

    I tried to alter the settings for My Computer, and don't know if I succeeded, there is only a five second window before everything disappears. Maybe this would work in Safe Mode? I'll give it a try.

    Thanks for your help, I'll let you know what happens next.


    d.
     
  8. daviidneylon

    I went into Safe Mode, changed the settings in MC, and turned off System Restore. I'm now in normal mode, going to d/l the Kaspersky s/w, run the temp cleaner, then go into SM to run the virus scan. More later
     
  9. TopperID

    Sorry I didn't make things clear, but ideally you should do the KAV scan after you've done all the other things.

    Then if it finds something it cannot remove you should give the precise name of the malware, together with its full and exact file path.
     
  10. daviidneylon

    Topper,

    Here's where I am:

    1. Problem still exists, all icons and task bar disappear after about 30 seconds. What I think is happening is that the Start programs load, then a process goes off when they are finished that erases the screen. I downloaded the ewido s/w, and that takes a while to load, thus increasing the time from 5 seconds before I had this s/w to the current 30.

    2. In safe mode I changed the settings in my computer.

    3. In spite of that, I still cannot see a file "c:\windows\system32\.pif" which was id'd by both f-secure's and Kaspersky's on-line virus checkers as "trojan-downloader.bat.ftp.y".

    4. In safe mode, ewido can find nothing. I ran it twice, and then once just against the system32 folder.

    5. The on-line Kaspersky is seeing the .htm files I deleted by hand that have the trojan.js.pooter.b virus, plus the .pif file already mentioned. These are the exact files seen by f-secure.

    6. I turned off system restore in sm, and also before sm I ran the temp cleaner, and d/l the KAV.

    7. When I went to run the KAV in sm, I had to first update the data files, which seemed to go fine; however, when I ran the program I got an error message that the data files were corrupt. I called tech support (in Russia?) and gave up after 40 rings.

    Thoughts?

    Thanks!
     
  11. daviidneylon

    Should I rerun the KAV and f-secure on-line scans from safe mode?
     
  12. TopperID

    .pif is an extension normally given to Public Information Files associated with windows. To have a file given that name without another extension seems very odd.

    Bring up Windows Explorer and make sure you have done all of the following:-

    1. Select "Tools" from the menu on top.
    2. Select "Folder Options".
    3. Select the "View" tab.
    4. Scroll down and Select "Show hidden files and folders".
    5. Unselect "Hide extensions for known file types".
    6. Unselect "Hide protected operating system files".
    7. If you get a "warning" prompt, say yes you want to do it anyway.
    8. Click Apply and Ok.

    Then navigate to the Windows\System32 folder and look for .pif, bearing in mind that the 'period' in front of the pif may place it out of alphabetic sequence, and there may be another extension (such as .exe) after the .pif.

    If you still can't find it, run a search for .pif, by clicking Start/Search and in the Search box you would need to click 'All Files and folders', then in 'More advanced options' tick the box for 'Hidden Files and Folders'. See if that throws it up.

    What AV are you running and did you run it in 'safe' and if so with what result? I'm not referring to your online scans but your resident AV.

    Edit - if you are using ewido, make sure it is set to scan 'All Files' and not Scan by extention. You do this by clicking Scanner/Settings in the GUI.
     
    Last edited: Aug 13, 2005
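    The steps above are what to do by hand in Explorer; the script below does the same search from a shell and is an added example, not code from the thread or from any of the products mentioned. It assumes PowerShell is available on the machine being examined (it did not ship with XP, so this is a generalisation of the advice to any Windows host), and it takes the directory and the bare ".pif" name from the scanner report quoted earlier in the thread. Note that .pif is a Program Information File: Windows treats it as executable but shows it with a shortcut icon, so a name like "x.pif" or "x.pif.exe" is easy to overlook, and a name that is only an extension sorts before the letters in a directory listing.

```powershell
# Added example (not from the thread): list files in System32 that Explorer
# would normally hide, and flag names that are easy to overlook.
# Assumptions: PowerShell is available; the directory and the '.pif' name
# come from the scanner report quoted in the thread.

function Find-HiddenOrOddFile {
    param(
        [string]$Dir  = (Join-Path $env:SystemRoot 'System32'),
        [string]$Name = '.pif'            # the exact name the scanners reported
    )

    # -Force is the shell equivalent of "Show hidden files and folders" plus
    # "Hide protected operating system files" unticked. Without it, entries
    # carrying the Hidden or System attribute are silently skipped, which is
    # one way a file becomes "unlocatable".
    $entries = Get-ChildItem -LiteralPath $Dir -Force -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer }

    foreach ($f in $entries) {
        $why = @()

        # No base name, only an extension: sorts before 'a' in Explorer and
        # is not how Microsoft names shipped components.
        if ($f.Name.StartsWith('.')) { $why += 'leading-dot name' }

        # .pif anywhere in the name, or 'x.pif.exe' style double extensions
        # that hide the real extension when "Hide extensions" is on.
        if ($f.Name -match '\.pif(\.|$)')          { $why += 'pif extension' }
        if (($f.Name -split '\.').Count -gt 2)     { $why += 'double extension' }

        # Hidden + System together is what Explorer treats as "protected OS file".
        $hidden = ($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $system = ($f.Attributes -band [IO.FileAttributes]::System) -ne 0
        if ($hidden -and $system) { $why += 'hidden+system' }

        if ($f.Name -ieq $Name) { $why += 'exact scanner match' }

        if ($why.Count -gt 0) {
            New-Object PSObject -Property @{
                Path       = $f.FullName
                Bytes      = $f.Length
                Modified   = $f.LastWriteTime
                Attributes = $f.Attributes
                Why        = ($why -join ', ')
            }
        }
    }
}

# Exact-name search over the whole drive, hidden files included, for the case
# where the reported path is wrong or the file has since been moved.
function Find-FileAnywhere {
    param([string]$Name = '.pif', [string]$Root = "$env:SystemDrive\")
    Get-ChildItem -Path $Root -Recurse -Force -Filter $Name -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime, Attributes
}

Find-HiddenOrOddFile | Format-Table Path, Bytes, Modified, Attributes, Why -AutoSize
Find-FileAnywhere    | Format-Table -AutoSize
```

    Run it from an elevated prompt so that protected directories are readable. If both functions come back empty while two online scanners still report the path, the more likely explanations are that the scanner is reading a path from a cache or log it keeps rather than from the disk, or that the file is created and deleted again between scans; either way the next thing to collect is the scanner's own detailed report rather than another manual directory walk.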
  13. daviidneylon

    I did all of the steps indicated to see files.

    I cannot get to the Search function. In normal mode, I am restricted to launching programs via Task Manager. I can't find in the C:\ directory a way to launch Search. Surprisingly, in Safe Mode, the Search function is different and does not allow a search for a particular file, it merely brings up the C:\ directory. Any clue how to launch Search from the C:\ directory?

    I'll check ewido and run it again if it was not set for all files.
     
  14. daviidneylon

    In the version of ewido I have (the trial version), there are zero options for setting anything related to the scan. Did you mean the on-line version?
     
  15. daviidneylon

    Pilot error. Found the panel, and it was set to scan by extension. I changed it to every file and will run it now.
     
  16. daviidneylon

    ewido, the version I d/led yesterday, came up clean.

    I went into safe mode and changed my computer to show the file extensions. I went through the system32 directory twice and cannot find the file. Then, I re-visited the search function and figured out how to search for a specific file, and it came up empty.

    So, we have two on-line scans from two separate companies that are telling me there is an infected file in the system32 directory, the file names and descriptions are identical; the scans came from Kaspersky and f-secure.

    Could this be an artifact of the scans?

    Anyway, all my icons and the task bar still disappear.
     
  17. TopperID

    Let us try another approach just for the moment.

    Open Task Manager (Ctrl/Alt/Del), click on File, click on New Task (Run...) and type in: explorer.exe, then click OK, then see if that brings back your Taskbar & Desktop icons.

    If that fails, are you running sbcglobal software? If so try going into Task Manager, click File/New Task/msconfig and uncheck ipmon32 in the 'Startup' tab of msconfig.

    F-secure and Kaspersky are based on the same engine, which may explain why they both see this thing. You could consider downloading a trial version of Kaspersky Personal 5.0 and installing it, updating the sigs, then let that solve your problem:- http://www.kaspersky.com/trials

    If you do that, and are running a software FW, make sure it is disabled during install. Then disable Kaspersky's Network Attacks feature before enabling your FW again (failure to do that will give real problems).

    Edit - you have never said what AV you are running resident; but whatever it is make sure it is fully disabled before you install Kaspersky.
     
    Last edited: Aug 14, 2005
  18. daviidneylon

    Well, I did the f-secure on-line scan and came up clean (I was in safe mode). Tried doing the Kaspersky also, but the reduced screen size wouldn't let me see enough to run it, so I'm going to run it from normal mode.

    I have AVG and ewido installed now. I did download the Kaspersky trial yesterday, updated the db, and then when I tried to run it, got an error message that the db was corrupted.

    I'll let you know what the results of the Kaspersky on-line scan are.

    I tried the explorer.exe, and with the complete path. Neither brought the icons back. In addition, explorer didn't launch, it didn't show as a process and the application didn't open.

    I've also tried searching for a process named "sysu.exe" and one named "bxomebc.exe" as I read they are indicative of a virus that causes this. No luck, neither process is running.

    Problem is still there, however, icons and taskbar vanished when I just booted into normal mode.
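    Post #17 suggests relaunching explorer.exe from Task Manager and post #18 reports that it would not start at all and never appeared as a process. When that happens, the question is what Windows has been told to run as the shell and at logon. The script below checks those places and is an added example, not code from the thread; the "expected" values are assumptions based on Windows defaults, and the script only reports differences, it changes nothing. It assumes PowerShell is available on the affected machine.

```powershell
# Added example (not from the thread): audit the registry values that decide
# which program is started as the desktop shell and what else runs at logon,
# then try to relaunch Explorer. Expected values are assumptions based on
# Windows defaults; anything that differs is reported for review, not changed.

function Test-ShellConfig {
    $findings = @()
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Winlogon\Shell names the desktop shell. Anything other than explorer.exe
    # means something else is started instead (and if it exits, the user is
    # left with wallpaper only, the symptom described in this thread).
    $shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -ne 'explorer.exe') { $findings += "Winlogon\Shell = '$shell' (expected explorer.exe)" }

    # Userinit runs before the shell. Its default is userinit.exe followed by a
    # comma; extra entries after the comma are a well-known persistence spot.
    $userinit = (Get-ItemProperty -Path $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
    $expected = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
    if ($userinit -ne $expected) { $findings += "Winlogon\Userinit = '$userinit' (expected '$expected')" }

    # A per-user Shell value overrides the machine one and is not normally present.
    $hkcuWl = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userShell = (Get-ItemProperty -Path $hkcuWl -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($userShell) { $findings += "HKCU Winlogon\Shell = '$userShell' (not expected to exist)" }

    # Image File Execution Options: a Debugger value under explorer.exe makes
    # Windows start that program instead whenever explorer.exe is launched,
    # which matches "explorer didn't launch, it didn't show as a process".
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
    $dbg = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO explorer.exe Debugger = '$dbg'" }

    # Run/RunOnce: everything here starts at logon, i.e. in the 5 to 30 second
    # window after boot in which the desktop was being torn down.
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key   = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($props) {
                $props.PSObject.Properties |
                    Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
                    ForEach-Object { $findings += "$hive $sub : $($_.Name) = $($_.Value)" }
            }
        }
    }

    # The shell binary itself: present, and carrying a valid signature?
    # Caveat: files signed only through a catalog (common on older Windows)
    # report NotSigned here; treat that as "verify the hash another way",
    # not as proof of tampering.
    $exe = Join-Path $env:SystemRoot 'explorer.exe'
    if (-not (Test-Path -LiteralPath $exe)) {
        $findings += "$exe is missing"
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $findings += "$exe signature status: $($sig.Status)" }
    }
    return $findings
}

Test-ShellConfig

# Relaunch the shell only if it is not already running, which is the
# Task Manager > File > New Task > explorer.exe step from the thread.
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process -FilePath (Join-Path $env:SystemRoot 'explorer.exe')
}
```

    Read the Run/RunOnce lines the same way a startup-list tool would: each value is a command line, and the ones worth a second look point at user-writable locations (Temp, the profile directory) or at a name you cannot account for. A non-default Shell, Userinit or IFEO Debugger value is worth fixing only after the file it names has been copied off for analysis, since it is the most direct evidence of what was installed.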
     
  19. TopperID

    Of course the database of KAV is corrupted - you downloaded a trial version without any sigs in it.

    After install you are supposed to load the sigs by doing an update; then they won't be corrupted anymore.

    If you are running AVG you MUST disable the resident shield fully. To do that you open the Control Center, double-click the Resident Shield and remove the checkmarks next to each item.

    Edit - Doh! I've just noticed you said you did update the KAV sigs!

    This is leaving very little room for manoeuvre. You could try running sfc.exe (System File Checker) to see if you have a corrupt Windows file. To do that, click Start/Run and type 'sfc.exe /scannow' (without the quotes but with the space between the 'e' and the '/'). I suppose you would have to use 'Run' through Task Manager.

    Aside from that, the only things I can think of are: system restore, reformatting, or putting in a HijackThis log, which unfortunately you cannot do here.

    If you want to try the HJT option, you can D/L it from here:- http://www.spywareinfoforum.com/~merijn/downloads.html

    And here are a couple of tutorials on how to work it:-

    http://www.tomcoyote.com/hjt/

    http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

    There are several Forums you could try posting it at, including:-

    http://forums.subratam.org/index.php?showforum=7

    http://gladiator-antivirus.com/forum/index.php?showforum=170

    http://forums.tomcoyote.org/index.php?showforum=27

    http://castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html

    Aside from this I'm afraid I'm out of ideas.
     
    Last edited: Aug 14, 2005
  20. daviidneylon

    I ran the on-line scans from ewido, Kaspersky, and f-secure, and each said my machine is clean.

    Thanks for your help. I now have a clean pc with no icons or taskbar. What in the world could this be?

    I'll try the scan you suggested in sm, I don't know how to find Run from Task Manager.
     
  21. daviidneylon

    I couldn't run the Windows file scan as it wanted an XP disc; this is a Dell laptop and the disc that came with it wouldn't work.

    I d/l a program that lists everything that runs at start-up, I'll paste it below. I'm not knowledgeable enough to read this and spot what I think is a program that runs during start-up that erases the screen. Could you eyeball this and see if anything pops out at you? Thanks!

    ~removed log - snap~
     
    Last edited by a moderator: Aug 14, 2005
  22. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi daviidneylon, :)

    Even though you have not posted a HJT log, the log you did post would require an in-depth analysis. As previously mentioned, we no longer analyse logs unless they have been specifically requested by a Staff Member or specially titled Expert as per this Announcement.

    TopperID has posted a link above (Post #19) where you can download HijackThis, and also several links to forums that still do HijackThis log analysis.

    Please do follow up with one of the listed forums, and let us know how you make out.

    Regards,

    snap
     
  23. daviidneylon

    thanks for the tip, I'm new to posting.

    I re-installed the OS, and I don't think that went well, my pc now won't boot unless the cd is in the drive.....there is no mouse until after a few minutes.

    Oh, and the original problem is still there, I lose all icons and the task bar.
     
  24. TopperID

    Last edited: Aug 15, 2005
  25. daviidneylon

    Snap, I'd like to post a query to this forum under the general problem, which is "Vanishing icons and taskbar" Which would be the most appropriate topic?

    Thanks very much.
     