TechSpot

Getting Random Popups

By bewareofgecko
Dec 29, 2008
  1. I've been getting a lot of popups recently, most of them being from "sagipsul.com"

    Tried using McAfee and Malwarebytes and tried to fix it in HJT but to no avail.

    Half the time I have to alt-tab to see them and the other half I get an obnoxiously loud video which I cannot see and have to end via the Firefox process.

    I've attached the HijackThis log.

    Thanks.
     
  2. rf6647

    rf6647 TS Maniac Posts: 931

    • Following the Guide: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions creates a common beginning for an initial assessment.

    • Seeing is believing - For anyone complaining of Sagipsul spyware -
      • Without supporting logs, anything caught by HJT is used to suggest changes.
      • However, the MBAM and/or SAS logs will improve diagnosis of this threat.

      • Scan with HJT. Tick & Fix. Restart the computer.
      Code:
      O20 - AppInit_DLLs: I:\WINDOWS\system32\jopiroka.dll
      O20 - Winlogon Notify: efcBtsSi - efcBtsSi.dll (file missing)
      O2 - BHO: (no name) - {46121e97-e1d7-4ca8-bafc-9b1bc48148b8} - I:\WINDOWS\system32\dutudari.dll (file missing)
      O2 - BHO: (no name) - {478460EC-E93C-44FC-8CA6-384131269FE8} - (no file)
      O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
      O2 - BHO: (no name) - {D822FBF5-5BDC-4929-A771-F587C1974506} - (no file)
      O2 - BHO: (no name) - {EE2AD6DD-858C-4646-9AC0-8EEBF398F4F4} - I:\WINDOWS\system32\ljJASLDS.dll
      O4 - HKLM\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s
      O4 - HKLM\..\Run: [0c15c650] rundll32.exe "I:\WINDOWS\system32\rbigggdi.dll",b
      O4 - HKUS\S-1-5-19\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s (User 'NETWORK SERVICE')
      O8 - Extra context menu item: &Search - ?p=ZUfox000

      If the HJT scan catches things not cleaned by MBAM & SAS, this type of information will lead to adapting to changes.

    Other Considerations
    Sagipsul malware may be extending the runtimes for MBAM. Please try to disconnect from the Internet while scanning with MBAM.
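    The entries rf6647 ticks above share a few tell-tale shapes: an AppInit_DLLs value (injected into every process that maps user32.dll), unnamed BHOs whose DLL is gone or sits in system32, and rundll32 autoruns calling a one-letter export of a system32 DLL, registered even under the LOCAL SERVICE / NETWORK SERVICE hives. The following Python script is an added example, not part of this thread or of HijackThis; it parses HJT-style lines and applies those heuristics (my own, assumed rather than anything HJT itself does) to the lines quoted in this thread, plus the two Google entries from the next post, which it should leave alone.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Sample input: the HJT lines quoted in this thread (posts 2 and 3), not constructed,
# including the two Google entries that should NOT be flagged.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: I:\WINDOWS\system32\jopiroka.dll
O20 - Winlogon Notify: efcBtsSi - efcBtsSi.dll (file missing)
O2 - BHO: (no name) - {46121e97-e1d7-4ca8-bafc-9b1bc48148b8} - I:\WINDOWS\system32\dutudari.dll (file missing)
O2 - BHO: (no name) - {478460EC-E93C-44FC-8CA6-384131269FE8} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: (no name) - {D822FBF5-5BDC-4929-A771-F587C1974506} - (no file)
O2 - BHO: (no name) - {EE2AD6DD-858C-4646-9AC0-8EEBF398F4F4} - I:\WINDOWS\system32\ljJASLDS.dll
O4 - HKLM\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s
O4 - HKLM\..\Run: [0c15c650] rundll32.exe "I:\WINDOWS\system32\rbigggdi.dll",b
O4 - HKUS\S-1-5-19\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Search - ?p=ZUfox000
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# "O<section> - <rest>" is the shape every HJT line has.
HJT_LINE = re.compile(r"^(?P<sect>O\d+) - (?P<rest>.*)$")
# rundll32[.exe] "<dll>",<export> with or without quotes around the DLL path.
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    severity: str  # "high" or "medium" (assumed scale for this example)
    reason: str
    line: str


def assess_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT line, or None if nothing stands out."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    sect, rest = m.group("sect"), m.group("rest")

    if sect == "O20":
        if rest.startswith("AppInit_DLLs:"):
            return Finding(sect, "high", "AppInit_DLLs injects this DLL into every process that maps user32.dll", line)
        if "(file missing)" in rest:
            return Finding(sect, "medium", "orphaned Winlogon Notify entry, DLL no longer on disk", line)

    if sect == "O2" and "(no name)" in rest:
        if "(no file)" in rest or "(file missing)" in rest:
            return Finding(sect, "medium", "unnamed BHO whose DLL is gone (orphaned registration)", line)
        return Finding(sect, "high", "unnamed BHO backed by a DLL in system32, loaded into every IE process", line)

    if sect == "O4":
        rm = RUNDLL.search(rest)
        if rm and "system32" in rm.group("dll").lower() and len(rm.group("export")) <= 2:
            note = "rundll32 autorun calling a one-letter export of a system32 DLL"
            if "HKUS\\S-1-5-19" in rest or "HKUS\\S-1-5-20" in rest:
                note += "; also registered under the LOCAL/NETWORK SERVICE hives, unusual for user software"
            return Finding(sect, "high", note, line)

    if sect == "O8" and "?p=" in rest:
        return Finding(sect, "medium", "context-menu search item pointing at a bare query fragment, not a full URL", line)

    return None


def triage(log_text: str) -> list:
    """Run assess_line over every line, keeping only the findings, in input order."""
    return [f for f in (assess_line(l) for l in log_text.splitlines()) if f is not None]


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'high': 6, 'medium': 6} for SAMPLE_LOG."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

    The two Google lines fall through every rule because they carry a vendor name and an on-disk path under Program Files, which is the distinction rf6647 draws in the following posts; the rules are deliberately narrow so that a named BHO or service is never flagged on path alone.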
     
  3. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 160

    I think you missed some to remove; he has a bad AppInit and a Google redirect.

    O2 - BHO: (no name) - {46121e97-e1d7-4ca8-bafc-9b1bc48148b8} - I:\WINDOWS\system32\dutudari.dll (file missing)
    O2 - BHO: (no name) - {478460EC-E93C-44FC-8CA6-384131269FE8} - (no file)

    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)

    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
    O2 - BHO: (no name) - {D822FBF5-5BDC-4929-A771-F587C1974506} - (no file)

    O4 - HKLM\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s
    O4 - HKLM\..\Run: [0c15c650] rundll32.exe "I:\WINDOWS\system32\rbigggdi.dll",b

    O4 - HKUS\S-1-5-19\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s (User 'NETWORK SERVICE')

    O8 - Extra context menu item: &Search - ?p=ZUfox000

    O20 - AppInit_DLLs: I:\WINDOWS\system32\jopiroka.dll
    O20 - Winlogon Notify: efcBtsSi - efcBtsSi.dll (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     
  4. rf6647

    rf6647 TS Maniac Posts: 931

    Wolf -
    O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    It is legit - see here
     
  5. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 160

    Maybe, but the updater is reinstalled so easily, and with the given redirects, be safe is my opinion.
    The redirect install uses the same CLASSIDs.
     