The thing that concerns me is that a file that is encrypted must surely have other elements: 1) to unencrypt and 2) to run it. An encrypted file is, like a zip file, inert until run/opened, etc.
I assume it uses the code and IP shown to the outside world. This particular one depends on the LAN functioning; at least it stopped when I disabled the LAN. I did not find other related files, which of course does not necessarily mean they are not there.
The file update.pif is totally inaccessible because it generates Read/Write errors to prevent being examined. Therefore, a password-protected zip fails. It also seems polymorphic, for its length varies between 153 - 160 kB (as far as observed), and this may point to an internal counter. Considering the encryption, the source code must be very large.
I have Microsoft AntiSpyware, Spyware Blaster and WinPatrol resident, which may have saved the system.
What browser are you using? It would be interesting to find out just how it is being downloaded just by visiting a site.
Explorer 6, SP1 + updates. But the virus penetrated the system during startup. On the dirty computer (using same OS, etc.) it was not downloaded because of Avast webshield blocking *.pif.
Since such sites don't let you go, the next screen showed the girls.
The fact that it planted itself in the system32 folder indicates that you browse whilst logged on to a user account with administrator privileges.
Yes, correct.
You might want to check out this link, as limited users shouldn't be able to add/modify files in the system32 folder: Security Tips & Tricks - DropMyRights
This is certainly advisable.