
Pegefile.pif


4 replies to this topic

#1 idk


Posted 13 July 2007 - 11:49 PM

Whenever I try to go to the C drive through My Computer > C:/, it says Windows cannot find pegefile.pif and it asks me to browse to the file.
Also, Kaspersky detected and deleted many Trojan-PSWs, and Pegefile.pif is said to be 'Trojan-PSW.Win32.Delf.wh'.

I've tried system restore but that didn't work.
I could restore Pegefile.pif back where it was through Kaspersky but Kaspersky says it's a trojan so it's not worth the risk.

Please help me solve this problem.

Edited by idk, 13 July 2007 - 11:57 PM.




#2 oldf@rt


Posted 14 July 2007 - 12:00 AM

Please run the F-Secure Online Scanner.
Note: This scanner is for Internet Explorer only!
Follow the instructions here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy and paste the entire report in your next reply.
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#3 idk


Posted 14 July 2007 - 01:20 AM

Thanks for your advice.
Here is the report:

Scanning Report
Saturday, July 14, 2007 17:43:07 - 18:16:29

Computer name: ODNM15MCI8ORV2F
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\
Result: 9 malware found
Alexa (spyware)

* System (Disinfected)

Backdoor.Win32.WinterLove.z (virus)

* C:\DOCUMENTS AND SETTINGS\KEVIN SUN\LOCAL SETTINGS\TEMP\14.EXE (Renamed & Submitted)

HackTool.Win32.Agent.be (virus)

* C:\WINDOWS\SYSTEM32\SEVICES.EXE (Renamed & Submitted)

Rootkit.Win32.Agent.dx (virus)

* C:\WINDOWS\SYSTEM32\DRIVERS\USBINTE.SYS (Submitted)

Trojan-Downloader.Win32.Agent.bxu (virus)

* C:\WINDOWS\SYSTEM32\MSFEED.EXE (Renamed & Submitted)

Trojan-PSW.Win32.Delf.wh (virus)

* D:\SYSTEM VOLUME INFORMATION\_RESTORE{858F4941-E33E-46E1-8633-C9FDE0101CE0}\RP399\A0088604.PIF (Renamed & Submitted)
* E:\SYSTEM VOLUME INFORMATION\_RESTORE{858F4941-E33E-46E1-8633-C9FDE0101CE0}\RP399\A0088602.PIF (Renamed & Submitted)

W32/Malware.AARS (virus)

* C:\DOCUMENTS AND SETTINGS\KEVIN SUN\LOCAL SETTINGS\TEMP\15.EXE (Submitted)

Win32.TrojanClicker (spyware)

* System (Disinfected)

Statistics
Scanned:

* Files: 26577
* System: 3854
* Not scanned: 4

Actions:

* Disinfected: 2
* Renamed: 5
* Deleted: 0
* None: 2
* Submitted: 7

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

Options
Scanning engines:

* F-Secure AVP: 7.0.171, 2007-07-13
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 2007-07-09
* F-Secure Libra: 2.4.2, 2007-07-13
* F-Secure Orion: 1.2.37, 2007-07-13
* F-Secure Pegasus: 1.19.0, 2007-06-12

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
* Use Advanced heuristics



The pegefile.pif thing still comes up when I try the C, D or E disk.

#4 oldf@rt


Posted 14 July 2007 - 02:01 AM

OK, does not look good. I need you to follow the instructions in the Preparation Guide for use before posting a HijackThis Log. Hopefully this will solve your problem(s). Right now it appears that this is a malware issue (viruses and spyware/adware).

At the end of this, there are exact instructions on how to post a HijackThis log.

#5 buddy215


Posted 14 July 2007 - 04:36 AM

Trend Micro identifies one of the malware you have as WORM_DROM.I
http://www.trendmicro.com/vinfo/virusencyc...EI&VSect=Sn
If you use the info in the above link to remove the notice about the missing Pegefile.pif,
do not follow the instruction to delete the system restore files. The HijackThis team here suggests even an infected restore point is better than no restore point.

Follow Oldf@rt's instructions for posting a HijackThis log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”




