Help! Sagipsul.com Virus. HJT Log Included.

Four or five days ago, I got an incredibly annoying pop-up virus. Pop-ups appeared about every 30 seconds to 1 minute, almost all going to sagipsul.com. I started getting Internet Explorer error messages when I wasn't using IE. I downloaded and ran both SUPERAntiSpyware (which didn't help) and Malwarebytes (which seemed to help: 82 threats detected). About a day passed, and it started happening again. I ran all my anti-virus programs again, except this time none of them took care of the problem fully. I'm not getting the pop-ups every minute now, but I do get them every time I attempt to run a Google search.

Please help. This is driving me batty.

Here's the log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:13 AM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Felitec\Mindful\Mindful.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metafilter.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6930
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gate.temple.edu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: {070290ca-ba11-fdab-1fd4-17a05792411a} - {a1142975-0a71-4df1-badf-11abac092070} - C:\WINDOWS\system32\eygrtt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Mindful] C:\Program Files\Felitec\Mindful\Mindful.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter hijack: text/html - {92892e2a-389c-4f98-899f-9265ed89b71a} - C:\WINDOWS\system32\msiebbar.dll
O20 - AppInit_DLLs: C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL mwpugq.dll tofici.dll c:\windows\system32\vugukibo.dll eygrtt.dll,C:\WINDOWS\system32\buwidodu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 10357 bytes

Comments

  • rootkit ✭✭✭ (edited January 2009)

    Please pack the file(s) in an archive, protected with the password infected.

    Attach the archive in your next post here (if it's too big, upload it to www.rapidshare.com or another server and post the download link here).

    C:\WINDOWS\system32\eygrtt.dll
    C:\WINDOWS\system32\msiebbar.dll
    c:\windows\system32\vugukibo.dll
    C:\WINDOWS\system32\buwidodu.dll

    After this, check and press Fix checked in HijackThis for:

    O2 - BHO: {070290ca-ba11-fdab-1fd4-17a05792411a} - {a1142975-0a71-4df1-badf-11abac092070} - C:\WINDOWS\system32\eygrtt.dll
    O18 - Filter hijack: text/html - {92892e2a-389c-4f98-899f-9265ed89b71a} - C:\WINDOWS\system32\msiebbar.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL mwpugq.dll tofici.dll c:\windows\system32\vugukibo.dll eygrtt.dll,C:\WINDOWS\system32\buwidodu.dll

    Please do this:

    Can you please download ComboFix? You will find it here. Print the following instructions and read them carefully. Please post the output of the scan in your next post.
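The reply above picks its four files out of the O2, O18 and O20 lines by hand. The script below is an added example, not code from the thread or from HijackThis, that does the same triage mechanically: it parses those three entry types, lists every module they reference, flags the ones that are not on an analyst-supplied allow-list (a module in system32 or given by bare name, a BHO whose display name is a GUID, a MIME filter on text/html, anything in AppInit_DLLs), and cross-checks the flagged names against a directory listing. The log excerpt is copied from the post; the directory listing and the KNOWN_GOOD set are constructed for the example (the listing is built so that only eygrtt.dll is present, matching what the poster later reports). A name that the registry still references but that is absent from a listing taken with hidden and system files shown means either a stale entry or something filtering directory enumeration on the live system; in the second case a listing taken from outside the running OS is the check that settles it.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

Parses O2 (BHO), O18 (protocol / MIME filter) and O20 (AppInit_DLLs, Winlogon
Notify) entries, lists the DLLs they reference, flags the unaccounted-for ones
and cross-checks them against a directory listing.
"""
import re
from dataclasses import dataclass

# Excerpt of the log posted in the thread (copied, not the whole file).
SAMPLE_LOG = r"""
O2 - BHO: {070290ca-ba11-fdab-1fd4-17a05792411a} - {a1142975-0a71-4df1-badf-11abac092070} - C:\WINDOWS\system32\eygrtt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter hijack: text/html - {92892e2a-389c-4f98-899f-9265ed89b71a} - C:\WINDOWS\system32\msiebbar.dll
O20 - AppInit_DLLs: C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL mwpugq.dll tofici.dll c:\windows\system32\vugukibo.dll eygrtt.dll,C:\WINDOWS\system32\buwidodu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
"""

# Constructed stand-in for a `dir /a C:\WINDOWS\system32` taken with hidden and
# system files shown: only eygrtt.dll of the four requested DLLs is visible.
SAMPLE_SYSTEM32_LISTING = {"eygrtt.dll", "shdocvw.dll", "igfxtray.exe", "hkcmd.exe"}

# Modules the analyst has tied to software installed on purpose (constructed
# for this example; build it from the machine, not from the log).
KNOWN_GOOD = {"googletoolbar3.dll", "goec62~1.dll", "groovesystemservices.dll", "saswinlo.dll"}

GUID_RE = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)
ENTRY_RE = re.compile(r"^(O2|O18|O20) - ([^:]+): (.*)$")


@dataclass(frozen=True)
class DllRef:
    section: str  # O2 / O18 / O20
    kind: str     # BHO, Protocol, Filter hijack, AppInit_DLLs, Winlogon Notify
    label: str    # display name, protocol name or MIME type ("" for AppInit_DLLs)
    path: str     # exactly as written in the log

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def system32_or_bare(self) -> bool:
        # A bare name goes through the loader's search order, which reaches
        # system32 early, so both cases are looked for there first.
        p = self.path.lower()
        return "\\" not in p or "\\system32\\" in p


def parse_dll_refs(log_text: str) -> list:
    """Return one DllRef per module referenced by an O2/O18/O20 line."""
    refs = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, kind, rest = m.groups()
        if kind == "AppInit_DLLs":
            # Windows splits this registry value on spaces and commas, which
            # is why the value in the log mixes both separators.
            refs += [DllRef(section, kind, "", tok) for tok in re.split(r"[ ,]+", rest) if tok]
        else:
            parts = rest.split(" - ")  # label - {CLSID} - path
            refs.append(DllRef(section, kind, parts[0], parts[-1]))
    return refs


def triage(refs, known_good=KNOWN_GOOD) -> list:
    """Pair each unaccounted-for reference with the reasons it deserves a look."""
    findings = []
    for r in refs:
        if r.name in known_good:
            continue
        reasons = []
        if r.system32_or_bare:
            reasons.append("module not on the allow-list, loaded from system32 or by bare name")
        if r.kind == "BHO" and GUID_RE.match(r.label):
            reasons.append("BHO display name is a GUID rather than a product name")
        if r.kind == "Filter hijack" and r.label.lower() == "text/html":
            reasons.append("MIME filter on text/html sees every page IE renders")
        if r.kind == "AppInit_DLLs":
            reasons.append("AppInit_DLLs is loaded into every process that links user32")
        if reasons:
            findings.append((r, reasons))
    return findings


def missing_from_listing(refs, listing) -> list:
    """Names the registry still references but the directory listing lacks."""
    seen = {n.lower() for n in listing}
    return sorted({r.name for r in refs if r.system32_or_bare and r.name not in seen})


if __name__ == "__main__":
    refs = parse_dll_refs(SAMPLE_LOG)
    for ref, reasons in triage(refs):
        print(f"{ref.section} {ref.kind}: {ref.path}")
        for why in reasons:
            print(f"    - {why}")
    print("referenced but not in listing:", missing_from_listing(refs, SAMPLE_SYSTEM32_LISTING))
```

Run against the excerpt, the script flags the same four system32 DLLs the reply asks for plus the two bare names (mwpugq.dll, tofici.dll) from AppInit_DLLs, and reports five of the six as absent from the constructed listing. The allow-list is the part that needs judgement: a vendor DLL with a short 8.3 path (GOEC62~1.DLL) looks as odd as the others until it is tied to an installed product.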

  • I'm sorry, but I'm going to need baby-stepping through this. I have WinAce and tried to create an archive. (In the past, I've unpacked archives, but never created them.) But when I looked into the system32 folder, the only one of the four files I could find was the eygrtt.dll one. In Folder Options, I made sure I could view all files, but still none of the others showed. I ran HijackThis again to make sure they still appeared in the log, and they did. So why aren't they showing up in system32?

    What should I do now? Should I skip the archiving step and move on to having HJT fix the files and then using ComboFix? Or is it necessary for me to archive them? And if so, how?

  • rootkit ✭✭✭

    1. Close all programs so that you are at your desktop.
    2. Double-click on the My Computer icon.
    3. Select the Tools menu and click Folder Options.
    4. After the new window appears, select the View tab.
    5. Put a checkmark in the checkbox labeled Display the contents of system folders.
    6. Under the Hidden files and folders section, select the radio button labeled Show hidden files and folders.
    7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
    8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
    9. Press the Apply button and then the OK button, and close My Computer.
    10. Now your computer is configured to show all hidden files.

    Now look for the files :)

  • I have the same problem with this pop-up thing trying to send me to the Sagipsul site. I bought and tried Malware Removal Bot. Problem is, the first time it found a lot of infections. I tested Firefox, got the pop-up, and ran Malware Removal Bot again. It found another 50 infections.

    I had it fix those and IMMEDIATELY reran it. It found another 50 infections.

    I ran HijackThis, and none of the things you note above were in the list. I uninstalled Firefox in case that had been messed with (the pop-ups don't seem to happen in Netscape, which was my old browser).

    Should I try ComboFix? If you want me to post a file or something, let me know. Any help would be appreciated. This is the worst virus I've ever caught.