Another Sagipsul Problem

By NeilR
Jan 5, 2009
  1. Thanks to everyone who has contributed to the amazing wealth of information here. Today my computer started having the problems that seem like those of other people who've described the Sagipsul problems:

    * lots of extra Firefox windows opening up
    * inability to access anti-spyware sites
    * sudden crashes of my machine attributed first to "Generic Host Process for Win32 Services" and then followed immediately by "DCOM Server Process Launcher service terminated unexpectedly" errors
    * difficulty rebooting, even into Safe Mode, following the crashes

    After trying several suggestions from other sites, I finally found the eight-step process here and have gone through it. I'm no longer having the crashing or difficulty rebooting, but am still seeing extra Firefox windows pop open occasionally (although now far less frequently). So I'm posting the logs below to ask for your additional help. Note that there were several files removed from earlier efforts today that preceded the eight-step process. If it's important to include those also, please let me know.

    Thank you so much for your help.
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Uninstall your McAfee Antivirus
    Then run the McAfee Removal Tool


    Install Avira free Antivirus (which happens to be way better than McAfee)

    Update it, and run a full scan
    Let me know how many infections were removed ;)
  3. NeilR

    NeilR TS Rookie Topic Starter

    Thanks, and a Question

    kimsland, thank you so much for your help.

    > Let me know how many infections were removed

    On two scans, Avira found 13 files from 3 trojans:

    * TR/Crypt.XPACK.Gen Trojan
    * TR/Trash.Gen Trojan
    * TR/Downloader.Gen Trojan

    The third scan was clean. As were my last two scans with SUPER AntiSpyware. Malwarebytes is still finding things every time I scan it--C:\WINDOWS\system32\dbmbtf.dll seems to be a particularly pesky one--but hopefully I'm getting closer (log files attached).

    One question I had: by running the McAfee Removal Tool, I took off not only the McAfee AntiVirus but also the McAfee Firewall. Do I need to install one? The 8-step message names Comodo and Zonealarm, but I don't know if there's one that's preferable.

    Thanks again for your help.
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Comodo is preferred
    But let's just hold off for a moment (whilst cleaning is still happening)

    Your Malwarebytes program version is now old
    And, your Malwarebytes definitions are also old (too old)

    Please update Malwarebytes (there's an update Tab, that you select in the program)
    Once updated (hey, I've mentioned update too many times now ;) :) )
    Run a full scan

    If it finds more issues, for you to manually remove (at the end of the big scan)
    You are best to run it again (to then remove the ones that were previously hidden)
    But update it first :)
  5. NeilR

    NeilR TS Rookie Topic Starter

    Okay, now I'm getting clean scans from Avira, Malwarebytes and SUPER AntiSpyware (logs attached). Not seeing the popups anymore, so the only strangeness I'm seeing is that sometimes when I click on a link in a Google search results page, I'm taken not to the URL I clicked but to an ad. For example, a search of "cbs nhl scoreboard" offers up a link to


    but when I click on it I am instead directed to


    Any suggestions?

    Thanks again SO MUCH for your time.
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Please re-open and scan with HJT
    Place a tick next to the following entries (note: some bad; some not required to start with Windows)
    Confirm your Internet browser (i.e. Internet Explorer) is closed before selecting fix
    Then download Combofix
    Lots of info on its use here:
    Direct download here:

    Save it to a location that you can easily find later (in Safe Mode), i.e. directly to C drive

    Restart your computer to Safe Mode (by repeatedly pressing F8 on your keyboard before Windows starts)
    Log into your Administrator account
    Locate the previously downloaded Combofix
    Double click on it to run, answering any prompts along the way
    Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)

    Once Combofix has finished, save the log file to be attached to a new reply
    Restart back to Normal mode, and attach the Combofix log

    Whilst waiting for my reply, you may want to re-open Malwarebytes; update it again; and then run another full scan (I'm thinking there may still be more uncovered malwares to remove) I would do this ;)
  7. NeilR

    NeilR TS Rookie Topic Starter

    Combofix log is attached. I reran the Malwarebytes scan and that came up clean again, but I am still having the redirected links problem I mentioned before.

    I know I say this every message but I can't thank you enough. The time you're spending to help me out is significant and I really appreciate it.
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well the Combofix scan (and automatic Malware removal) has helped
    Please run CCleaner
    Scan with HJT and save log
    Attach the new log to a new reply

    All done in that order :)
  9. NeilR

    NeilR TS Rookie Topic Starter

    > Well the Combofix scan (and automatic Malware removal) has helped

    That's good news. I'm definitely seeing far fewer symptoms than when we started.

    New HijackThis log is attached.

    Thank you!
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I cannot see any further issues with your HJT log :grinthumb

    Clear & Reset System Restore's Cache

    Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
    * Tick on the checkbox - Turn off System Restore on all drives
    * Click Apply
    Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

    Resolved :grinthumb
    That's about it. How's it running?
  11. NeilR

    NeilR TS Rookie Topic Starter

    Done, I think

    > That's about it. How's it running?

    The only issue I was having was the Google result links still being redirected to ad1.doubleclicker.n-t. So I did another search on that server and found a page of someone who also had fixed everything on their computer but that problem and ended up using the GooredFix file described (and linked to) on this page:

    That seems to have taken care of the last of my problems. kimsland, thank you so very much for all your help. I'm indebted to you. Is there a tip jar around here?
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  13. anime07502

    anime07502 TS Rookie

    OK, who invented this GOOREDFIX? This is AWESOME!
Topic Status:
Not open for further replies.
