Hello
I am getting the following error:
Windows cannot find F:\Windows\eksplorasi.pif (Win XP Pro is on the F drive).
I ran AVG, but it picked up nothing. But then I did a CC Cleaner test and it produced what is in the attachment. Likewise with Malwarebytes' Anti-Malware.
The Malwarebytes' Anti-Malware appears to have detected a couple of problems in the Registry.
I haven't downloaded HiJack yet.
Thanks for any help.
Steve
[attachment deleted by admin]

That SPECIFIC file is most likely part of a worm. Clean the registry with a registry cleaner. If that doesn't work, I have something to ask. Does it happen on startup?

Do not advise anyone to run a registry cleaner in this forum please.
When a computer is running badly and having errors a reg cleaner is the LAST thing you WANT to run.

Whoops. Sorry, didn't know about that. Will keep it in mind.

Hello
Thanks for your contributions so far.
Yes, the error message only appears at startup. I have used Avast, AVG, CC Cleaner and one or two other programmes, but the error still appears. I have also tried HijackThis and I would appreciate it if someone could look at the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan SAVED at 12:17:21, on 08/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.exe
F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\system32\slserv.exe
F:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe
F:\WINDOWS\system32\VTTimer.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\PROGRA~1\AVG\AVG8\avgtray.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
F:\PROGRA~1\AVG\AVG8\avgrsx.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe "F:\WINDOWS\eksplorasi.pif"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\IE\jqs_plugin.dll
O4 - HKLM\..\Run: [ACQTMOUSE] "F:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Bron-Spizaetus] "F:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] F:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tok-Cirrhatus] "F:\Documents and Settings\Steve Higham\Local Settings\Application Data\smss.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - F:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - F:\WINDOWS\SYSTEM32\slserv.exe
-- End of file - 4968 bytes
Thanks again.
Steve

Open HijackThis and select Do a system scan only.
Place a check mark next to:
- F2 - REG:system.ini: Shell=Explorer.exe "F:\WINDOWS\eksplorasi.pif"
- O4 - HKLM\..\Run: [Bron-Spizaetus] "F:\WINDOWS\ShellNew\bronstab.exe"
- O4 - HKCU\..\Run: [Tok-Cirrhatus] "F:\Documents and Settings\Steve Higham\Local Settings\Application Data\smss.exe"
Now close ALL windows except for HijackThis and click Fix checked.
----------
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system
Go to Start > Run and type notepad.exe then click OK
Copy and paste the below into Notepad and save as fixme.reg to Your Desktop
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"Bron-Spizaetus"=-
"Tok-Cirrhatus"=-

; Added: the HijackThis log lists Tok-Cirrhatus under HKCU\..\Run, so remove it there as well
[HKEY_CURRENT_USER\software\microsoft\windows\currentVersion\Run]
"Tok-Cirrhatus"=-

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.
Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.
Delete the fixme.reg from the Desktop.
----------
Flash Drive Cleanup
You have an autorun worm that will infect any flash drive you have used on this computer and any other they have been used on. Please have any flash drives ready as Flash Disinfector will ask for them.
Download Flash Disinfector by sUBs and save it to your Desktop.
- Double-click Flash_Disinfector.exe to run it.
- Your desktop and icons may disappear. This is normal.
- It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
- Follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
- There will be no GUI interface or log file produced.
- Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder... it will help protect your drives from future infection.
----------
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1 Link #2
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. Double click combofix.exe & follow the prompts. When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with ComboFix usage, see How to use ComboFix

Hello evilfantasy
Many thanks for all your work. I'll try it and post back. I couldn't download the Flash disinfector from your post, but I've downloaded it from elsewhere.
Cheers again.
Steve

Hello evilfantasy
The .pif error message has now gone and I have run the Flash Disinfector. Many thanks for your advice.
I also downloaded ComboFix, saving it to my desktop and disabling my AVG plus other antivirus software, but I get a permission error (Windows cannot find the path).
I am not able, therefore, to post the ComboFix log.
Many thanks, anyway, for removing the .pif error I was getting!
Steve

Before you begin the SDFix instructions you should copy these instructions in a Notepad file and save them to your desktop or print them for easy reference. Much of SDFix will be done in Safe mode and you will be unable to access this web page after booting into Safe mode.
Download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with Administrative rights
* Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
* A window will now open showing SDFix being extracted into the C:\SDFix folder.
* Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.
* DO NOT use it just yet.
Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
When your computer has started in safe mode, and you see the desktop, close all open Windows.
* Click on the Start button, click on the Run menu option, and type the following text from the Code Box into the Open: field then click the OK button.
C:\SDFix\RunThis.bat

* SDFix window will open containing some brief info and a disclaimer on the use of the tool.
* Type Y on your keyboard and then press Enter to begin the cleanup process.
* It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
* Copy and paste the contents of the results file Report.txt.

Hello evilfantasy
Thanks again for your help.
This is the log:
SDFix: Version 1.240
Run by Steve Higham on 11/02/2009 at 18:42
Microsoft Windows XP [Version 5.1.2600]
Running From: F:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 18:46:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"LoadAppInit_DLLs"=dword:00000001
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:xpsp2res.dll,-22019"
"F:\\Program Files\\Java\\jdk1.6.0_11\\jre\\bin\\java.exe"="F:\\Program Files\\Java\\jdk1.6.0_11\\jre\\bin\\java.exe:*:Enabled:Java(TM) Platform SE binary"
"F:\\Program Files\\AVG\\AVG8\\avgupd.exe"="F:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:xpsp2res.dll,-22019"
Remaining Files :
Files with Hidden Attributes :
Tue 30 Oct 2007 607,744 A..H. --- "F:\Documents and Settings\Steve Higham\Desktop\Windows\~WRL0037.tmp"
Sun 20 Apr 2008 20,992 A..H. --- "F:\Documents and Settings\Steve Higham\Desktop\Windows\Systems Administrator\~WRL2174.tmp"
Finished!
I'm not getting the "Windows cannot find the .pif file" error any longer, and that 'sluggish' feel you get from a computer when it is contaminated has gone.
It looks as if it's all clean now, doesn't it?
Cheers
Steve

Yes, looks good now.
Download OTCleanIt.exe and save it to your Desktop.
- Double-click OTCleanIt.exe.
- Click the CleanUp! button.
- Select Yes when the "Begin cleanup Process?" prompt appears.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes, if not delete it yourself.
----------
Set a New Restore Point to prevent possible reinfection from an old one. Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
- Go to Start > Programs > Accessories > System Tools and click System Restore
- Choose the radio button marked Create a Restore Point on the first screen then click Next.
- Give the Restore Point a name then click Create.
- The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
- Next go to Start > Run and type Cleanmgr
- Click OK
- Click the More Options Tab.
- Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide or Windows Vista System Restore Guide
----------
Use the Secunia Software Inspector to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.
Concerned about Browser Security? Consider using Mozilla Firefox. With more than 15,000 improvements, Firefox 3 is faster, safer and smarter than ever before.
For Internet Explorer 7 users there is IE7Pro. IE7Pro is a must have add-on for Internet Explorer, which includes a lot of features and tweaks to make your IE friendlier, more useful, more secure and customizable.
To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here
Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
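As an added example that is not part of this thread or of HijackThis itself, here are the checks evilfantasy applied by eye to Steve's log (a system.ini Shell= value with something appended to Explorer.exe, a .pif as the shell, a core system process name such as smss.exe running from a user profile folder, and an autostart under ShellNew) written as a small Python triage script. The sample lines are constructed from the entry types in that log, and the heuristic names and the SYSTEM_NAMES set are my assumptions, not HijackThis's own logic.

```python
import re

# Constructed sample, modelled on the entry types in Steve's HijackThis log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe "F:\WINDOWS\eksplorasi.pif"
O4 - HKLM\..\Run: [Bron-Spizaetus] "F:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] F:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tok-Cirrhatus] "F:\Documents and Settings\Steve Higham\Local Settings\Application Data\smss.exe"
""".strip().splitlines()
# Core Windows process names (assumed list); one of these outside \WINDOWS\system32 is a masquerade.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
O4_RUN = re.compile(r"^O4 - .+?\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
EXEC_PATH = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|pif|scr|com|bat|cmd))(?:\s|$)', re.IGNORECASE)

def extract_path(cmd):
    """Program path from a Run-value command line, quoted or bare (arguments dropped)."""
    m = EXEC_PATH.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else cmd.strip()

def path_reasons(path):
    """The checks a helper applies by eye to an autostart path; an empty list means unremarkable."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    reasons = []
    if base in SYSTEM_NAMES and "\\system32\\" not in p:
        reasons.append("core system process name outside System32")
    if "\\application data\\" in p or "\\local settings\\" in p:
        reasons.append("autostart from a user profile data folder")
    if "\\shellnew\\" in p:
        reasons.append("autostart from the ShellNew template folder")
    if base.endswith((".pif", ".scr")):
        reasons.append("non-standard executable extension")
    return reasons

def triage(lines):
    """Return the F2 Shell= and O4 Run entries that deserve a closer look, each with its reasons."""
    findings = []
    for line in lines:
        if m := F2_SHELL.match(line):
            value = m.group(1).strip()
            # The only clean value is exactly Explorer.exe; anything appended to it is the injected program.
            extra = value[len("explorer.exe"):].strip() if value.lower().startswith("explorer.exe") else value
            reasons = ["Shell= runs something besides Explorer.exe"] if extra else []
            path = extract_path(extra) if extra else value
            reasons += path_reasons(path)
            if reasons:
                findings.append({"entry": "F2", "name": "system.ini Shell", "path": path, "reasons": reasons})
        elif m := O4_RUN.match(line):
            path = extract_path(m.group("cmd"))
            reasons = path_reasons(path)
            if reasons:
                findings.append({"entry": "O4", "name": m.group("name"), "path": path, "reasons": reasons})
    return findings
```

Running triage(SAMPLE_LOG) flags exactly the three entries evilfantasy had Steve fix and leaves the AVG and Messenger autostarts alone.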