sagispul malware?

Kazuzu
2009-01-03, 16:54
Every few minutes, I get a new window opening up with a url that contains text from a search I had just made, and it always starts with "http://sagipsul.com/go". Has anyone else experienced this? I have the latest version of spybot, I just ran the scan and it found a few things and fixed them, but this one is still there.

Any help would be appreciated.

drragostea
2009-01-03, 19:25
Can you post a log of what Spybot-Search&Destroy is detecting (in red) exactly?

From your description it seems like it could be either a cookie setting that is not configured correctly (according to other users on the Google search engine) or, to me, it could be a hijack.

Kazuzu
2009-01-03, 19:38
I didn't keep anything from the last scan, but I remember that it found these things:
antispywaremaster
win32.agent
funweb
mywebsearch
smitfraud
virtumonde

I didn't pay closer attention, because I just assumed that whatever the problem was spybot had found it. But alas! It's still here.

Also, I was using firefox when all this began, I've switched over to IE for the time being, as that browser doesn't seem to be affected.

I did a search for this whole sagispul thing, and found a few websites describing what the problem was, as well as what appears to be ads for ways of fixing said problem disguised as a thread such as this one, where someone asks for help, and the helper gives advice on the best software for fixing the problem.

drragostea
2009-01-03, 19:42
Kazuzu:

Consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288).
After you have completed the required scans and produced the requested logs, start your own thread in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum, making sure to post the HijackThis log produced from the above instructions.
___

md usa spybot fan
2009-01-03, 20:08
Kazuzu:

I also suggest that you consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum.

In regard to the following:

"I didn't keep anything from the last scan, but ..."
Just so that you are aware, by default Spybot produces two Checks.yymmdd-hhmm.txt files during a scan. The second Checks.yymmdd-hhmm.txt has the details of what the scan found. In addition a Fixes.yymmdd-hhmm.txt file is produced if you fix or attempt to fix something.

There are two methods to access and post that information from previous scans:
Method 1:
Go into Spybot > Mode > Advanced mode > Tools > View Reports > View Previous reports. Look for the Checks.yymmdd-hhmm.txt or the Fixes.yymmdd-hhmm.txt file that contains the detections that you would like help with. Open it. To copy it to the Clipboard, right click on the listing and select Select All > Right click again and select Copy. Paste (Ctrl+V) the contents of the Clipboard into a new post in this thread.
Method 2:
The Checks.yymmdd-hhmm.txt and Fixes.yymmdd-hhmm.txt files are stored in the following folders:
Windows 95 or 98:
C:\Windows\Application Data\Spybot - Search & Destroy\Logs
Windows ME:
C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Logs
Windows NT, 2000 or XP:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
Windows Vista:
C:\ProgramData\Spybot - Search & Destroy\Logs
Using Windows Explorer, navigate to the correct Checks.yymmdd-hhmm.txt or the Fixes.yymmdd-hhmm.txt file. Double click on it and it should open with Notepad. To copy it to the Clipboard, right click on the listing and select Select All > Right click again and select Copy. Paste (Ctrl+V) the contents of the Clipboard into a new post in this thread.

Kazuzu
2009-01-03, 21:19
Here's what I got:
--- Report generated: 2009-01-02 22:29 ---

Hint of the Day: Click the bar at the right of this to see more information! ()


Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1749298407-531232663-2846475313-1007\Software\Microsoft\instkey

Virtumonde: [SBI $8F2A4A7E] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $2F10E03B] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $6C003E72] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1749298407-531232663-2846475313-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde: [SBI $4D2BC948] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim

Virtumonde: [SBI $779C9C0D] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP

Virtumonde: [SBI $FD08B4B7] Configuration file (File, nothing done)
C:\WINDOWS\system32\PAHQBJlm.ini2

Virtumonde: [SBI $2A2DCEAC] Configuration file (File, nothing done)
C:\WINDOWS\system32\PAHQBJlm.ini

Virtumonde: [SBI $D510A69C] Configuration file (File, nothing done)
C:\WINDOWS\system32\shhtpgog.ini

Virtumonde.sci: [SBI $D87CA6BD] Class ID (Registry value, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\=...C:\WINDOWS\system32\ssqRICRI.dll...

WebTrends live: Tracking cookie (Internet Explorer: AA) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2009-01-02 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2008-11-04 Includes\Adware.sbi (*)
2008-12-29 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-22 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2008-12-22 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2008-12-22 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2008-12-29 Includes\MalwareC.sbi (*)
2008-12-15 Includes\PUPS.sbi (*)
2008-12-15 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-12-29 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-12-10 Includes\Spyware.sbi (*)
2008-12-10 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-12-28 Includes\Trojans.sbi (*)
2008-12-29 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

*********

I hope I did this right!

Thanks
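As an added example (not Spybot's own code, and not part of the original thread), here is a small Python script that parses a Checks.yymmdd-hhmm.txt report in the format of the log posted above and summarizes it for triage: which malware families were detected, which entries sit in registry load points (Browser Helper Objects, ShellExecuteHooks, InprocServer32, where Windows or the browser loads a DLL automatically, which is why a scan that only deleted files can leave the pop-ups in place), which CLSIDs and file paths are worth looking up, and how many entries were left as "nothing done". The report layout is inferred from the posted log; the set of load-point markers and the sample excerpt embedded below (trimmed from that log, with the version trailer kept to show it is ignored) are my assumptions.

```python
"""Triage a Spybot-S&D Checks report (example code, not Spybot's own)."""
import re
from collections import Counter

# Detection header: "<family>: [SBI $<id>] <description> (<kind>, <action>)"
# The SBI tag is absent for cookie entries, so it is optional.
HEADER = re.compile(
    r"^(?P<family>[^:]+): (?:\[SBI \$(?P<sbi>[0-9A-F]{8})\] )?"
    r"(?P<desc>.*?) \((?P<kind>[^,()]+), (?P<action>[^)]+)\)$"
)
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FILE_PATH = re.compile(r'[A-Za-z]:\\[^\s="]+?\.(?:dll|exe|ini2?)', re.I)

# Registry locations from which code is loaded automatically (assumed list).
LOAD_POINT_MARKERS = (
    "\\Browser Helper Objects\\",
    "\\ShellExecuteHooks\\",
    "\\InprocServer32",
)

# Sample input: excerpt of the report posted in this thread, trimmed.
SAMPLE_REPORT = r"""--- Report generated: 2009-01-02 22:29 ---

Hint of the Day: Click the bar at the right of this to see more information! ()

Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1749298407-531232663-2846475313-1007\Software\Microsoft\instkey

Virtumonde: [SBI $8F2A4A7E] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $2F10E03B] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde: [SBI $2A2DCEAC] Configuration file (File, nothing done)
C:\WINDOWS\system32\PAHQBJlm.ini

Virtumonde.sci: [SBI $D87CA6BD] Class ID (Registry value, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\=...C:\WINDOWS\system32\ssqRICRI.dll...

WebTrends live: Tracking cookie (Internet Explorer: AA) (Cookie, nothing done)

--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
"""


def parse_report(text):
    """Return a list of detections; each has family, sbi, desc, kind, action, location."""
    entries = []
    expect_location = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("--- Spybot - Search & Destroy version"):
            break  # the module/version trailer follows; no more detections
        m = HEADER.match(line)
        if m:
            entry = m.groupdict()
            entry["location"] = None
            entries.append(entry)
            expect_location = True
            continue
        # The location, when present, is the line directly under the header.
        if expect_location and line:
            entries[-1]["location"] = line
        expect_location = False
    return entries


def base_family(name):
    """'Virtumonde.generic' -> 'Virtumonde', 'Smitfraud-C.' -> 'Smitfraud-C'."""
    return name.split(".")[0]


def summarize(text):
    """Group detections by family and pull out the items a helper would look up."""
    entries = parse_report(text)
    families = Counter(base_family(e["family"]) for e in entries)
    locations = [e["location"] for e in entries if e["location"]]
    load_points = [e for e in entries if e["location"]
                   and any(mk in e["location"] for mk in LOAD_POINT_MARKERS)]
    clsids = {c.upper() for loc in locations for c in CLSID.findall(loc)}
    files = {p for loc in locations for p in FILE_PATH.findall(loc)}
    untouched = sum(1 for e in entries if e["action"] == "nothing done")
    return {"entries": entries, "families": families, "load_points": load_points,
            "clsids": sorted(clsids), "files": sorted(files), "untouched": untouched}


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print("families:", dict(s["families"]))
    for e in s["load_points"]:
        print("load point:", e["family"], "->", e["location"])
    print("CLSIDs to look up:", s["clsids"])
    print("files referenced:", s["files"])
    print("entries left as 'nothing done':", s["untouched"], "of", len(s["entries"]))
```

Run on the full posted report, the script shows that every Virtumonde entry shares one CLSID, that three of the entries are load points rather than plain settings, and that all entries were left as "nothing done", which is exactly the information a malware-removal helper wants before asking for a HijackThis log.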

drragostea
2009-01-03, 22:00
Were you able to fix all the problems? If not, I would suggest you start your thread in the Malware Removal Forums as soon as possible.

tashi
2009-01-03, 22:04
Hi there.

{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
http://www.systemlookup.com/CLSID/22877-random_file_name.html


Kazuzu:

Consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log:

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288).

After you have completed the required scans and produced the requested logs, start your own thread in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum, making sure to post the HijackThis log produced from the above instructions.
___
Good idea. :) Best regards.

Kazuzu
2009-01-03, 23:00
Oi vey, I tried to go to the Malware area you directed me to, and for some reason IE was ridiculously slow, so I gave up... for now! I will be posting later on today when I have time, and I'll be sure to use Safari, which seems to be way faster...

Thanks again!