TechSpot

Sagipsul popups, antivirus updates blocked

By regomar
Jan 5, 2009
  1. I first encountered this problem last night and have spent most of the day trying to fix it. This malware I have become infected with was able to completely block access to popular anti-virus and anti-malware websites and in-software updates for programs such as Ad-aware, Spybot, and AVG without using the hosts file. This aspect of the malware is being actively discussed here: en.kioskea.net/forum/affich-43800-avg-windows-update-failure

    With the information from the above linked site I ran a program called 'Trojan Remover' which fixed my inability to browse anti-virus websites and allowed me to update my programs.

    Unfortunately, I still get occasional popups directing towards sagipsul.com. I found others with these popups through Google and that directed me to these forums where I followed the 8 rules and ran CCleaner, Malwarebytes, SuperAntiSpyware, and HijackThis. Since completion I no longer appear to get popups but am afraid that something still is resident on my computer in the background gathering information.

    In posting here I am hoping for confirmation of this malware being gone, or any further steps I must take in order to remove it.

    Below is my attached HijackThis log, Malwarebytes log, and SuperAntiSpyware log.

    Thank you very much for your time.
     
  2. rf6647

    rf6647 TS Maniac Posts: 829

    Your tip about ‘Trojan Remover’ is appreciated.

    Code:
    C:\WINDOWS\system32\yqrocd.dll (Trojan.Vundo.H) -> Delete on reboot.
    
    MBAM did not handle all that it found until the computer restart.

    It appears that the infection is mostly handled.

    Rescan with MBAM & SAS (run as pairs) until clean or something that cannot be cleaned.

    HJT scan informs what has not been handled (computer restart before HJT scan)

    Caught by HJT.
    Code:
    O20 - AppInit_DLLs: yqrocd.dll + valid

    • Confirm file has been deleted.
    • 'Regedit' can be used to delete references to file
    • Or wait for updated MBAM to clean this reference.
    
    Additional finding -
    • Source for this not understood
    • User choice - removal recommended
      • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8777;https=localhost:8777
    If symptoms remain, post new logs and describe conditions.


    Following clean scans, establish a clean restore point.

    Establish a new clean restore point and Clear your existing System Restore points:
    • New
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point > OK.
    • Clear Old
      • Go to Start > Run > cleanmgr > Select the More options tab
      • Choose the option to clean up System Restore > OK

        • This will remove all restore points except the new one you just created.
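A defender-side triage script for HijackThis output, added here as an example (it is not code from this thread, from HijackThis, or from any of the tools named above): it parses O20 AppInit_DLLs and R1 ProxyServer entries of the kind quoted in the reply above, reports DLL names not on a vetted allowlist, and flags proxy settings that point back at the local machine, the setting behind the AV-site blocking "without using the hosts file" that the original poster describes. The sample log lines, the second DLL name (example_good.dll) and the allowlist are constructed.

```python
import re

# Constructed sample lines modelled on the O20 and R1 entries quoted in the thread.
# Not a real log; example_good.dll is an invented, pre-vetted DLL name.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8777;https=localhost:8777
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O20 - AppInit_DLLs: yqrocd.dll example_good.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumed allowlist: AppInit_DLLs names an administrator has already vetted (lower-case).
KNOWN_GOOD_APPINIT = {"example_good.dll"}

# A proxy that points at the local machine lets resident malware filter every request,
# which is how AV update and vendor sites get blocked without touching the hosts file.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")


def parse_entries(log_text):
    """Yield (code, body) pairs such as ('O20', 'AppInit_DLLs: yqrocd.dll ...')."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def suspicious_appinit(body, known_good=KNOWN_GOOD_APPINIT):
    """Return AppInit_DLLs names not on the allowlist (value is space/comma separated)."""
    if not body.startswith("AppInit_DLLs:"):
        return []
    dlls = re.split(r"[,\s]+", body.split(":", 1)[1].strip())
    return [d for d in dlls if d and d.lower() not in known_good]


def local_proxy_targets(body):
    """Return ProxyServer endpoints (host:port) that resolve to the local machine."""
    if ",ProxyServer = " not in body:
        return []
    hits = []
    for part in body.split("ProxyServer = ", 1)[1].split(";"):
        endpoint = part.split("=", 1)[-1].strip()   # strip the 'http=' / 'https=' prefix
        host = endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint
        if host.lower() in LOCAL_HOSTS:
            hits.append(endpoint)
    return hits


def triage(log_text, known_good=KNOWN_GOOD_APPINIT):
    """Collect the two findings this thread cares about from a whole HJT log."""
    findings = {"appinit_dlls": [], "local_proxy": []}
    for code, body in parse_entries(log_text):
        if code == "O20":
            findings["appinit_dlls"] += suspicious_appinit(body, known_good)
        elif code == "R1":
            findings["local_proxy"] += local_proxy_targets(body)
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_HJT_LOG).items():
        print(kind, items)
```

An AppInit_DLLs entry is loaded into every process that maps user32.dll, so a name that survives a reboot after the file was reported deleted is worth re-checking in Regedit, as the reply above suggests.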
     