Possible Infection (pisomefu.dll)


13 replies to this topic

#1 JJackson

JJackson

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:19 AM

Posted 12 April 2010 - 01:05 AM

Hi! I'm hoping to get help with removing a possible infection: I first noticed the problem after I rebooted, trying to fix "Windows Live OneCare". I got an error message, saying "pisomefu.dll" wasn't found. I did some searching, and found that this seems to be some sort of virus. However, things only got worse. I couldn't re-install "Windows Live OneCare"; Qwest agreed to send me a CD with "Norton AntiVirus", but I won't get it for several days. In the meantime, I've researched more, and ran the "Lop S&D" tool (found in the logs of another topic); it found 4 hidden files, but everything else seemed fine. My computer is extremely sluggish now, and when in Internet Explorer, sometimes gives me the message "can't display the webpage", which has prevented me from being able to download help for my computer. BTW, I'm running Windows XP SP3, and the names of the 4 hidden files are: C:\WINDOWS\SYSTEM32\gefalika.dll, C:\WINDOWS\SYSTEM32\filokinu.dll, C:\WINDOWS\SYSTEM32\zuhuwuro.dll, and C:\WINDOWS\SYSTEM32\dawopiga.dll (doesn't indicate this one is executable, perhaps because it can't find "pisomefu.dll"?) Any help with this would be greatly appreciated!

Edited by elise025, 12 April 2010 - 05:39 AM.
Since no logs are posted, I am moving this to the Am I Infected forum ~ Elise



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:19 AM

Posted 12 April 2010 - 08:42 AM

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to a malware file that was set to run at startup in the registry but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry still remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • If found, right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.
If you're going to keep and use Autoruns, be sure to read:

Please download Malwarebytes Anti-Malware (v1.45) and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
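The orphaned-startup-entry check described in post #2, as an added example that is not part of the original post: it extracts the file each startup command loads and reports entries whose file is gone. The value names, command strings and file set are constructed for illustration, and resolving bare file names against `C:\WINDOWS\system32` is an assumption.

```python
import ntpath
import re

SYSTEM_DIR = r"C:\WINDOWS\system32"  # assumed folder for bare file names
_EXT = re.compile(r'\.(exe|dll|com|bat|cmd|scr)(?=[\s,"]|$)', re.I)


def first_path(cmd):
    """Return the leading file path of a command string, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = _EXT.search(cmd)  # unquoted paths may contain spaces, so cut at the extension
    return cmd[:m.end()] if m else cmd.split(" ", 1)[0]


def startup_target(cmd):
    """Return the file a startup command really loads (the DLL for rundll32)."""
    head, _, tail = cmd.strip().partition(" ")
    if ntpath.basename(head.strip('"')).lower() in ("rundll32", "rundll32.exe"):
        path = first_path(tail)  # rundll32 is only the host; the DLL is what runs
    else:
        path = first_path(cmd)
    return path if ntpath.isabs(path) else ntpath.join(SYSTEM_DIR, path)


def find_orphans(run_values, exists):
    """Return (value name, missing file) for entries whose target is gone."""
    orphans = []
    for name, cmd in run_values.items():
        target = startup_target(cmd)
        if not exists(target):
            orphans.append((name, target))
    return orphans


# Constructed startup values, shaped like the data of
# HKLM\Software\Microsoft\Windows\CurrentVersion\Run (value names hypothetical).
SAMPLE_RUN_VALUES = {
    "pisomefu": r'rundll32.exe "C:\WINDOWS\system32\pisomefu.dll",a',
    "dawopiga": r"Rundll32.exe C:\WINDOWS\system32\dawopiga.dll,s",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "SomeTool": r'"C:\Program Files\Some Tool\tool.exe" /background',
}
# Constructed stand-in for the disk after a scanner has deleted pisomefu.dll.
SAMPLE_EXISTING_FILES = {ntpath.normcase(p) for p in (
    r"C:\WINDOWS\system32\dawopiga.dll",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Program Files\Some Tool\tool.exe",
)}


def sample_exists(path):
    """Case-insensitive lookup in the constructed file set."""
    return ntpath.normcase(path) in SAMPLE_EXISTING_FILES
```

On a live system, pass `os.path.exists` and the values read from the startup keys in place of the constructed samples.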

#3 JJackson


Posted 12 April 2010 - 10:58 PM

Thank you for replying so quickly! I will try your suggestions tomorrow, however, I'm concerned that it looks like I'll have to do a bit of downloading from the infected computer, which is now EXTREMELY sluggish (I've been going online on my un-infected laptop). Cross your fingers and say a prayer (maybe more!) for me. I'll let you all know what happens!-- JJ :thumbsup:

#4 quietman7


Posted 13 April 2010 - 07:56 AM

If you cannot use the Internet or download any required programs to the infected machine, try downloading them from another computer (family member, friend, library, etc) with an Internet connection. Save to a flash (usb, pen, thumb, jump) drive or CD, transfer to the infected machine, then install and run the program(s). If you cannot copy files to your usb drive, make sure it is not "Write Protected".

#5 JJackson


Posted 13 April 2010 - 05:02 PM

quietman7, Do I have to purchase the anti-malware? I ran it and it found that my computer was infected, but it won't remove the viruses until I "register". Help! -JJ

#6 JJackson


Posted 13 April 2010 - 05:13 PM

When I hit the "register" tab, nothing happens! What's going on with Malwarebytes' Anti-Malware? Does anyone have an activation key I can use? Thanks!-- JJ

#7 quietman7


Posted 13 April 2010 - 05:25 PM

You don't need a license key to perform a scan. You only register to get a key if you want to purchase the full version of Malwarebytes Anti-Malware which includes the ability to schedule updates and provides a real-time malware protection module.

#8 JJackson


Posted 13 April 2010 - 06:01 PM

quietman7, I ran the scan, and it found 27 infections; however, I don't see where I can ask it for a log report that I can save to my notepad. Also, why can't I see "AntiVirus X :thumbsup: P" as a program on my computer? I want to uninstall it, because it's giving me annoying messages every 2 seconds, and interfering with me going online (since my computer is infected, which it won't un-infect unless I pay at least $50.00). Please help!-- JJ :flowers:

#9 quietman7


Posted 13 April 2010 - 08:34 PM

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs


#10 JJackson


Posted 13 April 2010 - 10:06 PM

quietman7, There is NO Logs Tab on the MBAM software (free version) I downloaded using either of your download links. You must be referencing the paid-for version. --JJ

#11 JJackson


Posted 13 April 2010 - 10:25 PM

quietman7, More info-- when I downloaded MBAM on my laptop (which runs Windows Vista), I got the version that has the Logs tab; the version on my infected desktop (which runs Windows XP) is a TOTALLY different-looking version of MBAM, with no Logs tab. BTW, I got the CD from QWest with Norton Anti-Virus, and am running a scan/repair on my infected desktop. I'll then reboot, run MBAM again, and see if everything's good! I'll let you know what happens! Thanks!-- JJ

#12 quietman7


Posted 14 April 2010 - 06:47 AM

the version on my infected desktop (which runs Windows XP) is a TOTALLY different-looking version of MBAM

Then remove it and download the latest version from here.
You may have to reboot after updating in order to overwrite any "in use" protection module files.

Update the database through the program's interface (preferable method) before scanning.

Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware


#13 JJackson


Posted 16 April 2010 - 11:52 AM

quietman7, I was able to finally get to the correct version of MBAM (I think the viruses on my computer somehow hijacked this!); I did run a full scan, after I was continuing to have problems with my CPU running at 100%, due to a "svchost.exe" (which is a virus, right?). Things seemed O.K. until I rebooted, and then "svchost.exe" reared its ugly head again. I'm running a full scan of MBAM again, but am I going to have to do this every time I reboot? How come MBAM is saying it successfully removed all infections, but then they seem to show up again after I reboot? Any help would be very much appreciated! -- JJ :thumbsup:

#14 quietman7


Posted 16 April 2010 - 04:15 PM

I was continuing to have problems with my CPU running at 100%, due to a "svchost.exe" (which is a virus, right?)

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from .dll's. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual to find multiple instances of Svchost.exe running at the same time in Task Manager in order to optimize the running of the various services.
  • svchost.exe SYSTEM
  • svchost.exe LOCAL SERVICE
  • svchost.exe NETWORK SERVICE
Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process ID's (PID's) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PID's must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. Another technique is for the process to alter the registry and add itself as a Startup program or service so that it can run automatically each time the computer is booted. Keep in mind that a legitimate file can also be infected by some types of malware such as Virut which is a dangerous polymorphic file infector. In XP, the legitimate Svchost.exe file is located in your C:\WINDOWS\system32\ folder.

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Always make sure the spelling is correct. If it's scvhost.exe, then you're dealing with a Trojan.

There are several ways to investigate and see what services a Svchost.exe process is controlling:

Note: Process Explorer shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.

Tools to investigate running processes and gather additional information to identify them and resolve problems:

These tools will provide information about each process, CPU usage, file description and its path location.
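The location and spelling checks from post #14, as an added example that is not part of the original post: it flags a process named svchost.exe that runs from outside the system folder, and names that are a near-miss of svchost.exe such as scvhost.exe. The process list is constructed, and the edit-distance threshold of 2 is an assumption, not something the post specifies.

```python
import ntpath

LEGIT_NAME = "svchost.exe"
LEGIT_DIR = ntpath.normcase(r"C:\WINDOWS\system32")  # XP location given in the post


def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(image_path):
    """Classify one process image path against the svchost.exe name and folder."""
    folder, name = ntpath.split(ntpath.normcase(ntpath.normpath(image_path)))
    if name == LEGIT_NAME:
        # Matching name and folder is necessary, not sufficient: a file infector
        # can modify the genuine file in place.
        return "expected" if folder == LEGIT_DIR else "wrong-location"
    if edit_distance(name, LEGIT_NAME) <= 2:  # assumed threshold for near-miss names
        return "lookalike-name"
    return "unrelated"


# Constructed process list (PID, image path); not taken from the thread.
SAMPLE_PROCESSES = [
    (812, r"C:\WINDOWS\system32\svchost.exe"),
    (1044, r"c:\windows\System32\SVCHOST.EXE"),
    (2260, r"C:\WINDOWS\svchost.exe"),
    (2312, r"C:\WINDOWS\system32\scvhost.exe"),
    (2388, r"C:\WINDOWS\system32\..\Temp\svchost.exe"),
    (3010, r"C:\WINDOWS\system32\spoolsv.exe"),
]


def triage(processes):
    """Return (pid, path, verdict) for every process that needs a closer look."""
    hits = []
    for pid, path in processes:
        verdict = classify(path)
        if verdict in ("wrong-location", "lookalike-name"):
            hits.append((pid, path, verdict))
    return hits
```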



