Need Help: Persistent PIFs, EXEs and SCRs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Katylar, Aug 3, 2014.

  1. Katylar

    Katylar Private E-2

    Hi Everyone!

    I'm in Win7, 64bit.

    Sometime two days ago, I suddenly got a notification from AVAST that I had an unwanted SCR file in one of my ebook folders. Soon after, it had detected a more general BOOKS.pif. I soon found either an EXE, an SCR, a RAR, or a PIF in my folders, with the name of the directory.

    For example, on my desktop, there's a DESKTOP.PIF (after that was removed, I got a DESKTOP.RAR).

    I uninstalled AVAST since it wasn't helping, and updated and ran my MBAM. It detected a couple of threats after doing a full scan as well as manually scanning my hard drive. It requested a restart afterwards.

    I installed BitDefender (free) and had it run a full scan. It also detected pretty much the same threats (which had cropped up in between scans) and deleted them after restarting.

    I had also manually uninstalled other applications as well, and unfortunately (since the FAQ here in MajorGeeks says not to), I also did a CLEAN and REGISTRY FIX with CCleaner (I do this whenever I uninstall something as a routine).

    I thought everything was fine since all the malware was deleted, but earlier tonight, I started seeing PIFs and EXEs again, and BitDefender started going crazy with alerts. I made it delete quarantined items, and it did so (after asking for a reboot).

    So now I'm posting the logs here (as per the FAQ), since I'm pretty sure that the PIFs and EXEs and SCRs are going to crop up again (so far, BitDefender and MBAM seem like stop-gap/band-aid measures).

    I could really use some help!

    Thanks!
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So neither Avast, Bitdefender, nor Malware Bytes likes those files...

    I'm not quite sure which way to go with this. When Avast first alerted you to this, had you had the ebooks long, or had you only just downloaded them?

    Let me know which antivirus you are going to stick with because you have remnants we should clean up from both.
     
  3. Katylar

    Katylar Private E-2

    I've had the files for a long time—at the very least 6 months. That's why I was so shocked when I was told that there was PUP/Malware there, because I haven't accessed or opened that directory (or moved anything into it) for months.

    I'll be sticking with BitDefender, I think.

    The only new thing that I've had (which is still pretty improbable since I've had it for a month before this happened) is that I bought a new tablet (android). But it's pretty unlikely that a virus cross-infected from one OS to the other, and I haven't directly downloaded anything onto the tablet at all.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  5. Katylar

    Katylar Private E-2

    Hi Kestrel,

    Unfortunately, currently I don't have a good enough internet connection it seems (I use a mobile data-plan). I tried using eSET online scanner, but I get stuck just in the "Component Download" phase.

    BTW, the files have made their appearance once again, after around 24 hours of being away. My BitDefender started going crazy with alerts again, and I checked my desktop and I have desktop.pif and desktop MS-DOS shortcut.

    One thing I noticed—whenever these files are present and my AV is alerting me, it seems that my Windows Explorer gets configured to show hidden file extensions (I hide these by default).

    Any tips?
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now I'm totally lost. You said you'd had these files for 6 months or so...???
     
  7. Katylar

    Katylar Private E-2

    I've had the ebooks for 6 months or so. But the PIFs, EXEs and SCRs only started cropping up around 4 days ago. It just so happened that they first appeared (or at least, were first detected) in the ebook folders.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Right click the folder that the ebooks are in and choose to scan it with Bitdefender. (You should be given this option)

    Also run another scan with Malware Bytes and attach the results for me to see please.
     
  9. Katylar

    Katylar Private E-2

    Hi!

    Sorry, I lost my internet connection for a week or so due to some issues with my ISP.

    Anyway, it seems like there's no set pattern in terms of time when the files will appear. Also, I haven't been able to find any particular trigger that causes them to appear (i.e. running a particular application, opening a webpage, etc.)

    According to Bitdefender, the files (both the .PIF and the .EXE) are classified as Backdoor.Generic.792814. Some can easily be deleted after quarantine, others require restarts.

    After I completely deleted my eBooks folder, they've stopped appearing there. Now, they're simply appearing on my desktop and in a folder I have on my desktop.

    I'm running a scan using MalwareBytes now. When I'm done with that I'll attach the report on a new post.

    Please see the attached BitDefender report.
     


  10. Katylar

    Katylar Private E-2

    Here's the MBAM log.

    I've already restarted my PC, so the files (detected by both BD and MBAM) are now gone—for the moment.
     


  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do they come back? Are they detected again? Let me know.
     
  12. Katylar

    Katylar Private E-2

    Yep, they have come back again.

    As we speak, my BitDefender is saying that I need to restart to completely remove the infection. It's always the same. I can delete the quarantined files, but there's always one file left on my desktop that cannot be deleted except with a restart.

    I tried to open the file using sublime text just to take a look, and I was told that the file was being used by another program (i.e. that's why it can't be deleted, I guess.)

    I'm at my wit's end, actually. Just a heads-up: as instructed when I scanned using RogueKiller, Hitman and TDSSKiller, I didn't implement any changes. The guide here says I just need to ignore stuff for now and wait for a specific solution.
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hitman, RogueKiller and TDSSKiller didn't find any threats.

    Give me the exact files and file paths to these objects that keep coming back.
     
  14. Katylar

    Katylar Private E-2

    Hmm. All right, I'll do a full scan using all the tools again the next time they crop up—there's a possibility that the tools didn't find the files since they had already been quarantined or deleted by BitDefender.

    The files always appear here: c:\users\justin exito\desktop\

    It's either

    c:\users\justin exito\desktop\desktop.pif
    c:\users\justin exito\desktop\desktop.exe
    c:\users\justin exito\desktop\desktop.rar

    They also appear in folders I have on my desktop. I used to have a folder on my desktop called BACKUP.

    c:\users\justin exito\desktop\backup\backup.exe
    c:\users\justin exito\desktop\backup\img\img.exe

    Now that I've deleted BACKUP, they've started appearing in another of my folders.

    As stated before, BitDefender identifies them as Backdoor.Generic.792814
    MBAM calls them Worm.AutoRun

    Here's the log from an MBAM scan I did yesterday, right before I restarted and therefore all of these files were deleted (for around 12 hours):

     
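    The naming pattern described in this post (a .pif, .exe, .scr, .rar or .bat file carrying the name of the folder it sits in, e.g. desktop\desktop.pif or backup\img\img.exe) can be checked for with a small script, independent of whether Explorer is currently hiding file extensions. This is an added example, not code from the thread or from any of the tools mentioned; the sample paths are constructed from the ones posted, and the extension list is an assumption drawn from what the thread reports.

```python
import os
from typing import Iterable, List, Tuple

# Extensions the thread reports for the self-named dropper copies
# (desktop.pif, desktop.exe, desktop.rar, backup.exe, img.exe, desktop.bat, *.scr).
SUSPECT_EXTENSIONS = {".pif", ".exe", ".scr", ".rar", ".bat"}

# Constructed sample paths modelled on the ones posted in the thread, plus
# benign look-alikes that must NOT be flagged.
SAMPLE_PATHS = [
    r"c:\users\justin exito\desktop\desktop.pif",
    r"c:\users\justin exito\desktop\desktop.exe",
    r"c:\users\justin exito\desktop\backup\backup.exe",
    r"c:\users\justin exito\desktop\backup\img\img.exe",
    r"c:\users\justin exito\desktop\backup\notes.txt",   # wrong extension
    r"c:\users\justin exito\desktop\backup\setup.exe",   # name != folder name
    r"c:\users\justin exito\desktop\Backup\BACKUP.RAR",  # case differs, still a hit
]


def _split_path(path: str) -> Tuple[str, str]:
    """Return (parent folder name, file name) for a Windows or POSIX path string."""
    parts = path.replace("\\", "/").rstrip("/").split("/")
    if len(parts) < 2:
        return "", parts[-1]
    return parts[-2], parts[-1]


def is_folder_named_executable(path: str) -> bool:
    """True when the file's stem equals its parent folder name (case-insensitive)
    and its extension is one of the types the thread's worm copies used."""
    parent, name = _split_path(path)
    stem, ext = os.path.splitext(name)
    return bool(parent) and ext.lower() in SUSPECT_EXTENSIONS and stem.lower() == parent.lower()


def find_folder_named_executables(paths: Iterable[str]) -> List[str]:
    """Filter an iterable of path strings down to the suspicious ones."""
    return [p for p in paths if is_folder_named_executable(p)]


def scan_tree(root: str) -> List[str]:
    """Walk a real directory tree (e.g. the user profile) and apply the same check."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            if is_folder_named_executable(full):
                hits.append(full)
    return hits


if __name__ == "__main__":
    for hit in find_folder_named_executables(SAMPLE_PATHS):
        print("suspicious:", hit)
```

    A hit only means the name matches the pattern; confirm with the AV scan before deleting, since a legitimate installer can share its folder's name.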
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe and select "Run as administrator" to run it.
    • Paste the following code under the [IMG] area. Do not include the word Code.
    Code:
    :Files
    c:\users\justin exito\desktop\desktop.pif
    c:\users\justin exito\desktop\desktop.exe
    c:\users\justin exito\desktop\desktop.rar
    c:\users\justin exito\desktop\backup\backup.exe
    c:\users\justin exito\desktop\backup\img\img.exe
    C:\Users\Justin Exito\Desktop\Backup\js\vendor
    C:\Users\Justin Exito\Desktop\Backup\spinner
    C:\Users\Justin Exito\Desktop\Backup\spinner
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    Have the files gone now or are they redetected?
     
  16. Katylar

    Katylar Private E-2

    Hi Kestrel,

    Just to make sure we're both on the same wavelength:

    I no longer have a /desktop/backup folder. I deleted it completely. After I did so, the files started appearing in the other folders that I had on my desktop directory.

    Regardless, I had done a disinfection 2 days ago, and so no files were present as far as I know (until the next time whatever triggers them to appear).

    Either way, I did as you instructed. Here is the LOG from OTM:

    Code:
    All processes killed
    ========== FILES ==========
    File/Folder c:\users\justin exito\desktop\desktop.pif not found.
    File/Folder c:\users\justin exito\desktop\desktop.exe not found.
    File/Folder c:\users\justin exito\desktop\desktop.rar not found.
    File/Folder c:\users\justin exito\desktop\backup\backup.exe not found.
    File/Folder c:\users\justin exito\desktop\backup\img\img.exe not found.
    File/Folder C:\Users\Justin Exito\Desktop\Backup\js\vendor not found.
    File/Folder C:\Users\Justin Exito\Desktop\Backup\spinner not found.
    File/Folder C:\Users\Justin Exito\Desktop\Backup\spinner not found.
    ========== COMMANDS ==========
     
    [EMPTYTEMP]
     
    User: All Users
     
    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56475 bytes
     
    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes
     
    User: Justin Exito
    ->Temp folder emptied: 17546 bytes
    ->Temporary Internet Files folder emptied: 68398270 bytes
    ->FireFox cache emptied: 25294505 bytes
    ->Google Chrome cache emptied: 244705047 bytes
    ->Flash cache emptied: 1397 bytes
     
    User: Public
     
    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 24756 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33298 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33298 bytes
    RecycleBin emptied: 0 bytes
     
    Total Files Cleaned = 323.00 mb
     
     
    OTM by OldTimer - Version 3.1.21.0 log created on 08162014_170406
    
    Files moved on Reboot...
    C:\Users\Justin Exito\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
    
    Registry entries deleted on Reboot...
    
    I repeat, the files have been absent since I did the last disinfection, but only time will tell if they'll appear again. If they do, I'll run OTM as instructed. If not, then the purging of the temporary cache might have done the trick.
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, leave it a couple of days and let me know whether they reappear. Sorry for any confusion. :)
     
  18. Katylar

    Katylar Private E-2

    Hi Kestrel,

    Well, after almost a week of being clean, the files started appearing again. What was fun was that they started appearing while I was watching a movie, so I ignored the popups.

    So what happened was that BitDefender would automatically quarantine the files that it could, and eventually the malware would notice that its file was missing and create a new one. I ended up having more than 6 instances of a 'desktop.pif', each of them subsequently quarantined.

    In the end, I did the OTM task, but I think it might not have worked perfectly since BitDefender deleted the 'main' file (the exe, bat, rar, scr or pif file that can't be deleted without reboot) during the restart before Windows loaded (and therefore before OTM got a hold of the file to "move").

    Either way, here's the log from OTM:
    Code:
    All processes killed
    ========== FILES ==========
    File move failed. c:\users\justin exito\desktop\Desktop.pif scheduled to be moved on reboot.
    File/Folder c:\users\justin exito\desktop\desktop.exe not found.
    File/Folder c:\users\justin exito\desktop\desktop.rar not found.
    File/Folder c:\users\justin exito\desktop\desktop.bat not found.
    File/Folder c:\users\justin exito\desktop\backup\backup.exe not found.
    File/Folder c:\users\justin exito\desktop\backup\img\img.exe not found.
    File/Folder C:\Users\Justin Exito\Desktop\Backup\js\vendor not found.
    File/Folder C:\Users\Justin Exito\Desktop\Backup\spinner not found.
    File/Folder C:\Users\Justin Exito\Desktop\Backup\spinner not found.
    ========== COMMANDS ==========
     
    [EMPTYTEMP]
     
    User: All Users
     
    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes
     
    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes
     
    User: Justin Exito
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 4365 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 280315866 bytes
    ->Flash cache emptied: 0 bytes
     
    User: Public
     
    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3071 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
    RecycleBin emptied: 742599656 bytes
     
    Total Files Cleaned = 976.00 mb
     
     
    OTM by OldTimer - Version 3.1.21.0 log created on 08212014_025225
    
    Files moved on Reboot...
    File c:\users\justin exito\desktop\Desktop.pif not found!
    C:\Users\Justin Exito\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
    
    Registry entries deleted on Reboot...
    
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    This is strange...

    Re-run a full system scan with Malware Bytes and see what it comes up with. Attach the log if it finds anything.

    Also...

    Please download Combofix to your desktop. Please refer to these instructions prior to running.
     
