sagispul malware?

Kazuzu

New member
Every few minutes, I get a new window opening up with a url that contains text from a search I had just made, and it always starts with "http://sagipsul.com/go". Has anyone else experienced this? I have the latest version of spybot, I just ran the scan and it found a few things and fixed them, but this one is still there.

Any help would be appreciated.
 
Can you post a log of what Spybot-Search&Destroy is detecting (in red) exactly?

From your description it seems like it could be either a cookie setting that is not configured correctly (according to other users in the Google Search Engine) or, to me, a hijack.
 
Sagispul Malware?

I didn't keep anything from the last scan, but I remember that it found these things:
antispywaremaster
win32.agent
funweb
mywebsearch
smitfraud
virtumonde

I didn't pay closer attention, because I just assumed that whatever the problem was spybot had found it. But alas! It's still here.

Also, I was using firefox when all this began, I've switched over to IE for the time being, as that browser doesn't seem to be affected.

I did a search for this whole sagispul thing, and found a few websites describing what the problem was, as well as what appears to be ads for ways of fixing said problem disguised as a thread such as this one, where someone asks for help, and the helper gives advice on the best software for fixing the problem.
 
Kazuzu:

Consider posting in the Malware Removal forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log:
After you have completed the required scans and produced the requested logs, start your own thread in the Malware Removal forum, making sure to post the HijackThis log produced from the above instructions.
___
 
Kazuzu:

I also suggest that you consider posting in the Malware Removal forum.

In regard to the following:

I didn't keep anything from the last scan, but ...
Just so that you are aware, by default Spybot produces two Checks.yymmdd-hhmm.txt files during a scan. The second Checks.yymmdd-hhmm.txt has the details of what the scan found. In addition a Fixes.yymmdd-hhmm.txt file is produced if you fix or attempt to fix something.

There are two methods to access and post that information from previous scans:
  • Method 1:
    • Go into Spybot > Mode > Advanced mode > Tools > View Reports > View Previous reports. Look for the Checks.yymmdd-hhmm.txt or the Fixes.yymmdd-hhmm.txt file that contains the detections that you would like help with. Open it. To copy it to the Clipboard, right click on the listing and select Select All > Right click again and select Copy. Paste (Ctrl+V) the contents of the Clipboard into a new post in this thread.
  • Method 2
    • The Checks.yymmdd-hhmm.txt and Fixes.yymmdd-hhmm.txt files are stored in the following folders:
      • Windows 95 or 98:
        C:\Windows\Application Data\Spybot - Search & Destroy\Logs
      • Windows ME:
        C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Logs
      • Windows NT, 2000 or XP:
        C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
      • Windows Vista:
        C:\ProgramData\Spybot - Search & Destroy\Logs
    • Using Windows Explorer, navigate to the correct Checks.yymmdd-hhmm.txt or the Fixes.yymmdd-hhmm.txt file. Double click on it and it should open with Notepad. To copy it to the Clipboard, right click on the listing and select Select All > Right click again and select Copy. Paste (Ctrl+V) the contents of the Clipboard into a new post in this thread.
 
Here's what I got:


--- Report generated: 2009-01-02 22:29 ---

Hint of the Day: Click the bar at the right of this to see more information! ()


Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1749298407-531232663-2846475313-1007\Software\Microsoft\instkey

Virtumonde: [SBI $8F2A4A7E] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $2F10E03B] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $6C003E72] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1749298407-531232663-2846475313-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde: [SBI $4D2BC948] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim

Virtumonde: [SBI $779C9C0D] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP

Virtumonde: [SBI $FD08B4B7] Configuration file (File, nothing done)
C:\WINDOWS\system32\PAHQBJlm.ini2

Virtumonde: [SBI $2A2DCEAC] Configuration file (File, nothing done)
C:\WINDOWS\system32\PAHQBJlm.ini

Virtumonde: [SBI $D510A69C] Configuration file (File, nothing done)
C:\WINDOWS\system32\shhtpgog.ini

Virtumonde.sci: [SBI $D87CA6BD] Class ID (Registry value, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\=...C:\WINDOWS\system32\ssqRICRI.dll...

WebTrends live: Tracking cookie (Internet Explorer: AA) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2009-01-02 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2008-11-04 Includes\Adware.sbi (*)
2008-12-29 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-22 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2008-12-22 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2008-12-22 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2008-12-29 Includes\MalwareC.sbi (*)
2008-12-15 Includes\PUPS.sbi (*)
2008-12-15 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-12-29 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-12-10 Includes\Spyware.sbi (*)
2008-12-10 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-12-28 Includes\Trojans.sbi (*)
2008-12-29 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

*********

I hope I did this right!

Thanks
 
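The Checks report above is worth reading for more than the family names: every Virtumonde entry points at the same CLSID, and the Virtumonde.sci line resolves that CLSID to a DLL in system32, while the other entries show which load points (Browser Helper Objects, ShellExecuteHooks) reference it. The script below is an added example, not part of the thread or of Spybot: it parses a Spybot 1.6 "Checks" report into entries and builds a CLSID -> DLL -> load-point profile. The sample report is constructed from the detections posted above (with some lines omitted); the line format handled, the CLSID normalisation to upper case, and the list of load points treated as autostart markers are assumptions of this example.

```python
"""Parse a Spybot - Search & Destroy 1.6 'Checks' report and profile its CLSIDs.

Added example, not Spybot's code. The report format below is inferred from the
report posted in the thread; the sample is constructed from that post.
"""
import re
from collections import Counter

# Constructed sample: a subset of the detections from the posted Checks report.
SAMPLE_REPORT = r"""--- Report generated: 2009-01-02 22:29 ---

Hint of the Day: Click the bar at the right of this to see more information! ()

Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1749298407-531232663-2846475313-1007\Software\Microsoft\instkey

Virtumonde: [SBI $8F2A4A7E] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $2F10E03B] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde: [SBI $FD08B4B7] Configuration file (File, nothing done)
C:\WINDOWS\system32\PAHQBJlm.ini2

Virtumonde.sci: [SBI $D87CA6BD] Class ID (Registry value, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\=...C:\WINDOWS\system32\ssqRICRI.dll...

WebTrends live: Tracking cookie (Internet Explorer: AA) (Cookie, nothing done)

--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
"""

# Detection header: "<family>: [SBI $<id>] <kind> (<object type>, <action>)".
# The SBI tag is optional because cookie entries carry none.
HEADER_RE = re.compile(
    r"^(?P<family>[^:]+): "
    r"(?:\[SBI \$(?P<sbi>[0-9A-F]+)\] )?"
    r"(?P<kind>.+?) \((?P<objtype>[^,()]+), (?P<action>[^()]+)\)$"
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Spybot prints the InprocServer32 default value as "...<dll path>...".
INPROC_RE = re.compile(r"InprocServer32\\=\.\.\.(?P<dll>.+?)\.\.\.$", re.IGNORECASE)

# Registry load points (assumed list) where a CLSID means "load this DLL":
# BHOs are loaded by Internet Explorer, ShellExecuteHooks by the shell.
AUTOSTART_MARKERS = ("Browser Helper Objects", "ShellExecuteHooks")


def parse_report(text):
    """Return one dict per detection: header fields plus the target line, if any."""
    lines = text.splitlines()
    entries, i = [], 0
    while i < len(lines):
        line = lines[i].strip()
        m = None if line.startswith("---") else HEADER_RE.match(line)
        if not m:
            i += 1
            continue
        entry = m.groupdict()
        entry["target"] = None
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if nxt and not nxt.startswith("---") and not HEADER_RE.match(nxt):
            entry["target"] = nxt  # registry path or file path on the next line
            i += 1
        clsid = CLSID_RE.search(entry["target"] or "")
        entry["clsid"] = clsid.group(0).upper() if clsid else None
        dll = INPROC_RE.search(entry["target"] or "")
        entry["dll"] = dll.group("dll") if dll else None
        entries.append(entry)
        i += 1
    return entries


def clsid_profiles(entries):
    """Map each CLSID to the DLL it resolves to and the load points referencing it."""
    profiles = {}
    for e in entries:
        if not e["clsid"]:
            continue
        p = profiles.setdefault(e["clsid"], {"dll": None, "mechanisms": [], "families": []})
        if e["dll"]:
            p["dll"] = e["dll"]
        for marker in AUTOSTART_MARKERS:
            if marker in e["target"] and marker not in p["mechanisms"]:
                p["mechanisms"].append(marker)
        if e["family"] not in p["families"]:
            p["families"].append(e["family"])
    return profiles


def family_counts(entries):
    """Detections per family, e.g. Counter({'Virtumonde': 2, ...})."""
    return Counter(e["family"] for e in entries)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(dict(family_counts(found)))
    for clsid, prof in clsid_profiles(found).items():
        print(clsid, "->", prof["dll"], "via", prof["mechanisms"], prof["families"])
    print("files:", [e["target"] for e in found if e["objtype"] == "File"])
```

The profile is the part a helper on the removal forum actually wants: the DLL path and the load points that make it start again, not the scan's family labels. Removing the BHO and ShellExecuteHooks keys while the DLL itself is still present and loaded leaves the component on disk to be re-registered, which is why a log like this is handed to a specialist rather than fixed entry by entry.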
Were you able to fix all the problems? If not, I would suggest you start your thread in the Malware Removal Forums as soon as possible.
 
Hi there.

{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
http://www.systemlookup.com/CLSID/22877-random_file_name.html

Kazuzu:

Consider posting in the Malware Removal forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log:
After you have completed the required scans and produced the requested logs, start your own thread in the Malware Removal forum, making sure to post the HijackThis log produced from the above instructions.
___
Good idea. :) Best regards.
 
Oi vey, I tried to go to the Malware area you directed me to, and for some reason IE was ridiculously slow, so I gave up... for now! I will be posting later on today when I have time, and I'll be sure to use Safari, which seems to be way faster...

Thanks again!
 