
Thread: sagispul malware?

  1. #1
    Junior Member
    Join Date
    Jan 2009
    Posts
    6

    Unhappy sagispul malware?

    Every few minutes, I get a new window opening up with a url that contains text from a search I had just made, and it always starts with "http://sagipsul.com/go". Has anyone else experienced this? I have the latest version of spybot, I just ran the scan and it found a few things and fixed them, but this one is still there.

    Any help would be appreciated.

  2. #2
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Default

    Can you post a log of what Spybot-Search&Destroy is detecting (in red) exactly?

    From your description it seems like either it could be a cookie setting that is not configured correctly (according to other users in the Google Search Engine), or, to me, it could be a hijack.

  3. #3
    Junior Member
    Join Date
    Jan 2009
    Posts
    6

    Default Sagispul Malware?

    I didn't keep anything from the last scan, but I remember that it found these things:
    antispywaremaster
    win32.agent
    funweb
    mywebsearch
    smitfraud
    virtumonde

    I didn't pay closer attention, because I just assumed that whatever the problem was spybot had found it. But alas! It's still here.

    Also, I was using firefox when all this began, I've switched over to IE for the time being, as that browser doesn't seem to be affected.

    I did a search for this whole sagispul thing, and found a few websites describing what the problem was, as well as what appears to be ads for ways of fixing said problem disguised as a thread such as this one, where someone asks for help, and the helper gives advice on the best software for fixing the problem.

  4. #4
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Default

    Kazuzu:

    Consider posting in the Malware Removal forum and having someone take a look at your system.

    If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log:
    After you have completed the required scans and produced the requested logs, start your own thread in the Malware Removal forum, making sure to post the HijackThis log produced from the above instructions.
    ___

  5. #5
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    Kazuzu:

    I also suggest that you consider posting in the Malware Removal forum.

    In regard to the following:

    Quote Originally Posted by Kazuzu View Post
    I didn't keep anything from the last scan, but ...
    Just so that you are aware, by default Spybot produces two Checks.yymmdd-hhmm.txt files during a scan. The second Checks.yymmdd-hhmm.txt has the details of what the scan found. In addition, a Fixes.yymmdd-hhmm.txt file is produced if you fix or attempt to fix something.

    There are two methods to access and post that information from previous scans:
    • Method 1:
      • Go into Spybot > Mode > Advanced mode > Tools > View Reports > View Previous reports. Look for the Checks.yymmdd-hhmm.txt or the Fixes.yymmdd-hhmm.txt file that contains the detections that you would like help with. Open it. To copy it to the Clipboard, right click on the listing and select Select All > Right click again and select Copy. Paste (Ctrl+V) the contents of the Clipboard into a new post in this thread.
    • Method 2:
      • The Checks.yymmdd-hhmm.txt and Fixes.yymmdd-hhmm.txt files are stored in the following folders:
        • Windows 95 or 98:
          C:\Windows\Application Data\Spybot - Search & Destroy\Logs
        • Windows ME:
          C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Logs
        • Windows NT, 2000 or XP:
          C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
        • Windows Vista:
          C:\ProgramData\Spybot - Search & Destroy\Logs
      • Using Windows Explorer, navigate to the correct Checks.yymmdd-hhmm.txt or the Fixes.yymmdd-hhmm.txt file. Double click on it and it should open with Notepad. To copy it to the Clipboard, right click on the listing and select Select All > Right click again and select Copy. Paste (Ctrl+V) the contents of the Clipboard into a new post in this thread.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  6. #6
    Junior Member
    Join Date
    Jan 2009
    Posts
    6

    Default

    Here's what I got:


    --- Report generated: 2009-01-02 22:29 ---

    Hint of the Day: Click the bar at the right of this to see more information! ()


    Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1749298407-531232663-2846475313-1007\Software\Microsoft\instkey

    Virtumonde: [SBI $8F2A4A7E] Class ID (Registry key, nothing done)
    HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

    Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

    Virtumonde.generic: [SBI $2F10E03B] Settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

    Virtumonde.generic: [SBI $6C003E72] User settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1749298407-531232663-2846475313-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

    Virtumonde: [SBI $4D2BC948] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim

    Virtumonde: [SBI $779C9C0D] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP

    Virtumonde: [SBI $FD08B4B7] Configuration file (File, nothing done)
    C:\WINDOWS\system32\PAHQBJlm.ini2

    Virtumonde: [SBI $2A2DCEAC] Configuration file (File, nothing done)
    C:\WINDOWS\system32\PAHQBJlm.ini

    Virtumonde: [SBI $D510A69C] Configuration file (File, nothing done)
    C:\WINDOWS\system32\shhtpgog.ini

    Virtumonde.sci: [SBI $D87CA6BD] Class ID (Registry value, nothing done)
    HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\=...C:\WINDOWS\system32\ssqRICRI.dll...

    WebTrends live: Tracking cookie (Internet Explorer: AA) (Cookie, nothing done)



    --- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

    2008-07-07 blindman.exe (1.0.0.8)
    2008-07-07 SDFiles.exe (1.6.0.4)
    2008-07-07 SDMain.exe (1.0.0.6)
    2008-07-07 SDShred.exe (1.0.2.3)
    2008-07-07 SDUpdate.exe (1.6.0.8)
    2008-07-07 SDWinSec.exe (1.0.0.12)
    2008-07-07 SpybotSD.exe (1.6.0.30)
    2008-09-16 TeaTimer.exe (1.6.3.25)
    2009-01-02 unins000.exe (51.49.0.0)
    2008-07-07 Update.exe (1.6.0.7)
    2008-10-22 advcheck.dll (1.6.2.13)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2008-09-15 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2008-10-22 Tools.dll (2.1.6.8)
    2008-11-04 Includes\Adware.sbi (*)
    2008-12-29 Includes\AdwareC.sbi (*)
    2008-06-03 Includes\Cookies.sbi (*)
    2008-09-02 Includes\Dialer.sbi (*)
    2008-09-09 Includes\DialerC.sbi (*)
    2008-07-22 Includes\HeavyDuty.sbi (*)
    2008-11-18 Includes\Hijackers.sbi (*)
    2008-12-22 Includes\HijackersC.sbi (*)
    2008-12-09 Includes\Keyloggers.sbi (*)
    2008-12-22 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2008-11-18 Includes\Malware.sbi (*)
    2008-12-29 Includes\MalwareC.sbi (*)
    2008-12-15 Includes\PUPS.sbi (*)
    2008-12-15 Includes\PUPSC.sbi (*)
    2007-11-07 Includes\Revision.sbi (*)
    2008-06-18 Includes\Security.sbi (*)
    2008-12-29 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2008-12-10 Includes\Spyware.sbi (*)
    2008-12-10 Includes\SpywareC.sbi (*)
    2008-06-03 Includes\Tracks.uti
    2008-12-28 Includes\Trojans.sbi (*)
    2008-12-29 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

    *********

    I hope I did this right!

    Thanks
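As an added example (not code from this thread, from Spybot, or from its vendor), here is a small Python triage script for a Checks report of the kind pasted above and described in post #5. The report layout it assumes is inferred from that log; the sample input is a verbatim subset of the lines posted. All function names are this example's own. It lists each detection, ties the reported CLSID to the DLL named in its InprocServer32 value, and flags the Browser Helper Objects and ShellExecuteHooks entries, which are load points rather than leftover settings, so the reader can see that several lines of the log describe a single component.

```python
"""Triage a Spybot-S&D 1.6 "Checks" report: list each detection, tie a reported
CLSID to the DLL its InprocServer32 value loads, and flag the entries that are
autostart points rather than leftover settings.  Added example, not code from
the thread or from Spybot; the layout assumed is inferred from the log posted
in this thread: a header line "Family: [SBI $hash] Kind (Type, action)",
followed, for registry and file detections, by one line giving the location.
"""
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "family sbi kind type action location")

HEADER_RE = re.compile(
    r"^(?P<family>[^:\[\]]+?):\s+"
    r"(?:\[SBI \$(?P<sbi>[0-9A-Fa-f]+)\]\s+)?"
    r"(?P<kind>.+?)\s+\((?P<type>[^,()]+),\s*(?P<action>[^()]+)\)\s*$"
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Spybot prints registry value data between "..." after "\=".
INPROC_RE = re.compile(r"\\InprocServer32\\=\.\.\.(?P<dll>.+?)\.\.\.$")

# Registry paths under which Explorer / Internet Explorer load a COM object
# automatically; a CLSID registered here is a load point, not just a setting.
AUTOSTART_MARKERS = (
    "\\Explorer\\Browser Helper Objects\\",
    "\\Explorer\\ShellExecuteHooks\\",
)

# Constructed sample input: a verbatim subset of the report lines posted above.
SAMPLE_REPORT = r"""--- Report generated: 2009-01-02 22:29 ---

Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1749298407-531232663-2846475313-1007\Software\Microsoft\instkey

Virtumonde: [SBI $8F2A4A7E] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $2F10E03B] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde: [SBI $2A2DCEAC] Configuration file (File, nothing done)
C:\WINDOWS\system32\PAHQBJlm.ini

Virtumonde.sci: [SBI $D87CA6BD] Class ID (Registry value, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\=...C:\WINDOWS\system32\ssqRICRI.dll...

WebTrends live: Tracking cookie (Internet Explorer: AA) (Cookie, nothing done)
"""


def parse_report(text):
    """Return the detections in a Checks report, in file order."""
    lines = [ln.strip() for ln in text.splitlines()]
    found = []
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if not m:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # The location directly follows its header; cookie detections have none.
        location = nxt if nxt and not HEADER_RE.match(nxt) else None
        found.append(Detection(m["family"], m["sbi"], m["kind"], m["type"],
                               m["action"], location))
    return found


def clsid_dll_map(detections):
    """Map each CLSID whose InprocServer32 value was reported to the DLL it loads."""
    mapping = {}
    for d in detections:
        inproc = INPROC_RE.search(d.location or "")
        clsid = CLSID_RE.search(d.location or "")
        if inproc and clsid:
            mapping[clsid.group(0).upper()] = inproc["dll"]
    return mapping


def autostart_entries(detections):
    """(detection, CLSID, DLL) for every detection sitting at an autostart location."""
    dll_for = clsid_dll_map(detections)
    out = []
    for d in detections:
        loc = d.location or ""
        if any(marker.lower() in loc.lower() for marker in AUTOSTART_MARKERS):
            clsid = CLSID_RE.search(loc)
            key = clsid.group(0).upper() if clsid else None
            out.append((d, key, dll_for.get(key)))
    return out


def triage(text):
    """What a helper wants first: counts per family, what was left unfixed, load points."""
    dets = parse_report(text)
    return {
        "total": len(dets),
        "per_family": dict(Counter(d.family for d in dets)),
        "not_fixed": sum(1 for d in dets if d.action == "nothing done"),
        "autostart": [(d.kind, clsid, dll) for d, clsid, dll in autostart_entries(dets)],
    }
```

Running `triage(SAMPLE_REPORT)` on the sample shows seven detections, all still marked "nothing done", and two autostart entries (the BHO and the ShellExecuteHooks registration) that both resolve, through the CLSID, to the same DLL under system32. The cookie line is parsed without a location, so the header-plus-location assumption is only applied where a following line actually exists.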

  7. #7
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Default

    Were you able to fix all the problems? If not, I would suggest you start your thread in the Malware Removal Forums as soon as possible.

  8. #8
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,667

    Default

    Hi there.

    {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
    http://www.systemlookup.com/CLSID/22...file_name.html

    Quote Originally Posted by drragostea View Post
    Kazuzu:

    Consider posting in the Malware Removal forum and having someone take a look at your system.

    If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log:

    After you have completed the required scans and produced the requested logs, start your own thread in the Malware Removal forum, making sure to post the HijackThis log produced from the above instructions.
    ___
    Good idea. Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  9. #9
    Junior Member
    Join Date
    Jan 2009
    Posts
    6

    Default

    Oi vey, I tried to go to the Malware area you directed me to, and for some reason IE was ridiculously slow, so I gave up... for now! I will be posting later on today when I have time, and I'll be sure to use Safari, which seems to be way faster...

    Thanks again!
