Weird problem: can not see any file that starts with com*

[Jeraden]

Wierd error that just started happening sometime in the past week.
I can't see any file that starts with the letters com

Example:
file named a.txt, can see it fine
rename it to comabc.txt, file instantly disappears
create another a.txt and rename it again and I get an error that comabc.txt already exists - so its there, I just can't see it.

prefixed files aren't impacted though, I can still see xcom.txt

The most significant problem caused by this is that I can't see command.com anymore, which is causing some errors here and there. This is on a winxp sp2 system and just started happening within the last week. This is on my work computer, where I don't have administrator rights too, although others with rights have tried on my pc and have the same issue.

Other people can see these files over network shares though, so its something specifically wrong with my computer. Similarly, if someone puts a command.txt file on a network drive, I can't see it there either, although everyone else can.

I did a virus scan and it found nothing, nor could I find any viruses with these symptoms using a search, though I could have missed some as most viruses affecting command.com were from like 10 years ago.

Any ideas? I'm stumped.

 

[Rallispec]

open up the 'folder option' menu under the 'tools' tab of any open window. Then make sure that 'show hidden files and folders' is selected under the 'view' tab.


other than that, nothing jumps to my mind right away.

 

[Jeraden]

Yep, I had checked that, its set to display hidden files. Just renaming a file shouldn't really make it suddenly get hidden either, although thats whats basically happening.

 

[Smilin]

Smells VERY fishy.

What is the behavior like in safemode? Same or different?

 

[Jeraden]

Just tried in safe mode, same deal.
And actually, its any file that starts with "com", not the full "command".

So for example, if I go to start->programs->accessories, I don't have a Communications folder showing up, as it starts with Com.

Looks like they are going to take my pc tomorrow and rebuild it, the support staff couldn't figure out what was the problem either.

 

[aGreenAgent]

Sounds like a trojan or something. Usually they hide things that could be used to remove them.

 

[Smilin]

Originally posted by: aGreenAgent
Sounds like a trojan or something. Usually they hide things that could be used to remove them.

Yep.

Also try this.. Do a start | run and type "\\(yourcomputername)\c$" then browse around and see if you can see com files now.

trojans/rootkits sometimes filter the local filesystem but then don't filter the network.

mapping a drive to \\yourcomputer\c$ then scanning that drive might be interesting too.

If your IT guys have an image ready though, just go that route.

 

[mechBgon]

Just for fun, you might try F-Secure's BlackLight beta rootkit finder if you have Admin privileges on this system and won't make waves by doing so: www.f-secure.com/blacklight

 

[Jeraden]

Originally posted by: Smilin
Also try this.. Do a start | run and type "\\(yourcomputername)\c$" then browse around and see if you can see com files now.

Gave this a shot but same thing.

Tried the f-secure blacklight, but lack administrator privileges, so it wouldn't install. Bummer.

If it is a rootkit causing the problem, not really sure how I would have gotten it unless it was from some browser exploit on some website, as I haven't downloaded anything recently.

 

[montag451]

try bhodemon
for ie 'helper'objects

 

[mechBgon]

If you have dedicated IT staff, keep the laptop off the network and bring the matter to their attention so they can look into it.

 

[dclive]

Originally posted by: Jeraden
Just tried in safe mode, same deal.
And actually, its any file that starts with "com", not the full "command".

So for example, if I go to start->programs->accessories, I don't have a Communications folder showing up, as it starts with Com.

Looks like they are going to take my pc tomorrow and rebuild it, the support staff couldn't figure out what was the problem either.

If you do this over the network (view the C$ drive from another machine) does the same thing happen?

Sounds like a filter driver hack to me.

 

[Smilin]

Originally posted by: dclive

Sounds like a filter driver hack to me.

yep.

 

[Jeraden]

People viewing my drive from another machine can see the files fine. Me viewing other peoples computers over the network and I can't see their com* files.

They already took my machine this morning and are rebuilding it, so I guess I'll never know what caused it.

 

[dclive]

Originally posted by: Jeraden
People viewing my drive from another machine can see the files fine. Me viewing other peoples computers over the network and I can't see their com* files.

That's _the_ big symptom of a filter driver hack. Your machine got hacked; thank your IT department for redoing it, and see if you can run antispyware tools and antivirus tools on it in the future.