Sagipsul Virus - Have solved some problems, but I need more help

Status
Not open for further replies.
I have been infected with some type of "Sagipsul" virus. My computer has the following symptoms:

-Porn icons used to come up on the desktop. A virus scan from Symantec antivirus, followed by a delete or quarantine fixed this issue.

-Sometimes, my computer would initiate a shutdown with a 60 second timer. I got around this issue by opening a command prompt, and then typing "shutdown -a" to abort the shutdown.

-Also, I used to be getting some type of error in svchost.exe, but opening windows in safe mode, doing a symantec scan, and removing the infected files fixed this.

Even after all this, I still think I have some type of infection because I still am getting popups to go to sites like:
sagipsul dot com /go/...

I think I have something called the "SuperJuan" virus:
antispyware dot com /glossary_details.php?ID=133826

However, when I try to run the SuperJuan removal tool, I am greeted with the following message:
"The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode or if the Windows installer is not correctly installed. Contact your support personnel for assistance."

Lastly, I am unable to view the homepages for companies like Symantec or Norton. I receive this message:
"Server Error in '' Application.
HTTP Error 404 - Not Found.
Version Information: Autodesk EDM Web Server 11.0.118.0 "

Note that you can go through a proxy to fix this problem, but that is only a temporary solution. I have attached my hijack this log. If anyone can help, please do so! If I come across any way to fix it, I will post it here.

Thanks!
 
There are more characteristics for the virus.

1) multiple random named dll files are created under windows/system32

The randomness makes instructions on removal difficult because
you can't say "remove file aaqrxdht.dll" when the file names will be different
for everyone. All the DLLs are identical: they have the same number
of bytes, were created at the same time, and if you can run a "check sum"
command they have identical checksums (which means they are identical).

2) There is a registry entry that starts a number of these random named .dll
files. I don't recall exactly where but a search for juan or sagipsul should
show you them.

3) The scheduled tasks under control panel starts up a random
named dll. Remove that scheduled task.

4) Sites like avg, symantec.com, norton.com, windows update, even techguy.com
will be blocked. HOWEVER, the numeric IP does get you to the site.
Also, a Google search may show you a link but the link will be
blocked, BUT, can be worked around if a "cached" link is available.
The cached link is not seen as a direct link to the blocked site.

5) Related to #4. You might be able to download a virus protection .exe,
BUT, if that .exe calls on a web site that is blocked, your install will fail.

6) I believe there is one random named .dll that resists removal/renaming
because it is in use. I think there is an AppInit registry entry that
may be called by windowslogin. That registry entry may have been
changed to point to the random named .dll. I'm not an expert but
I think that may be the case. Other registry entries may exist but
I have no idea if it can be deleted or the value changed to a safe
value.

Pete C

I forgot one

7) Restore points are lost
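Pete C's first characteristic (several random-named DLLs in system32 that share size, timestamp and checksum) can be checked mechanically. The script below is an added example, not something posted in this thread: it hashes every .dll in a directory and reports groups of identical files, so a responder can list the random names on a given machine instead of guessing them. The sample directory and its file contents are constructed inline so it runs offline.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_identical_dlls(directory, min_copies=2):
    """Group *.dll files by (size, sha256) and return groups with >= min_copies members.

    Such a group is the symptom described above: byte-identical DLLs that differ
    only in their random names. File names in each group are returned sorted.
    """
    groups = defaultdict(list)
    for p in Path(directory).glob("*.dll"):
        if p.is_file():
            groups[(p.stat().st_size, sha256_of(p))].append(p.name)
    return {key: sorted(names) for key, names in groups.items() if len(names) >= min_copies}


def build_sample_dir():
    """Constructed sample (not real system files): three identical random-named
    DLLs next to two distinct files that merely reuse well-known names."""
    d = Path(tempfile.mkdtemp(prefix="sys32_sample_"))
    dropped = b"MZ" + b"\x90" * 4000 + b"constructed-sample-payload"  # not a real PE
    for name in ("aaqrxdht.dll", "rkedfiiw.dll", "itaweq.dll"):
        (d / name).write_bytes(dropped)
    (d / "kernel32.dll").write_bytes(b"MZ" + b"\x00" * 123)
    (d / "user32.dll").write_bytes(b"MZ" + b"\x01" * 456)
    return d


if __name__ == "__main__":
    # On a real machine pass the system32 path instead of the constructed sample.
    sample = build_sample_dir()
    for (size, digest), names in find_identical_dlls(sample).items():
        print(f"{len(names)} identical DLLs, {size} bytes, sha256 {digest[:16]}...: {', '.join(names)}")
```

Run it against C:\WINDOWS\system32 on the infected machine; on a clean system it normally reports nothing, so any group it prints is worth checking by hand.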
 
Case of Difficulty - Malware Removal sites not reachable
See this post
See messages 3 & 4.
Something as simple as renaming application's executable or using another computer to obtain programs could do it.


  • Following the Guide: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions creates a common beginning for an initial assessment.

  • Seeing is believing - complaining of sagipsul -
    • Without supporting logs, anything caught by HJT is used to suggest changes.
    • However, the MBAM and/or SAS logs will improve handling of this threat.
      • Scan with this pair (MBAM, SAS) until clean or until it uncovers something that won't clear
    • Scan with HJT. Tick & Fix. Restart the computer.
    Code:
    O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
    O4 - HKLM\..\Run: [Wkuvetofi] rundll32.exe "C:\WINDOWS\Wwujilominixigot.dll",e
    O4 - HKLM\..\Run: [Vrokufi] rundll32.exe "C:\WINDOWS\ofelilunut.dll",e
    O4 - HKLM\..\Run: [444cef88] rundll32.exe "C:\WINDOWS\system32\rkedfiiw.dll",b
    
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL itaweq.dll
    
    O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}
    
    Start > run  control desk.cpl,,0  > customize desktop  >  web  > click bad reference & delete
Delete files - if present - from the list inside code box


Post new logs if problems are still present.
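The HJT lines rf6647 asks to tick and fix share a recognisable shape: rundll32 loading a DLL through a one-letter export, a bare file name appended to AppInit_DLLs, and an unexpected Active Desktop component. The following triage script is an added example, not a tool from this thread; it applies those three heuristics to HJT-style log lines. The sample log is constructed inline from the entries quoted above plus two ordinary startup entries, to show that benign rundll32 usage with a descriptive export name is not flagged.

```python
import re

# O4 startup entry: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 invocation: rundll32[.exe] "path\to.dll",export
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.I)

# Constructed sample: the entries quoted in this thread plus two ordinary ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [Wkuvetofi] rundll32.exe "C:\WINDOWS\Wwujilominixigot.dll",e
O4 - HKLM\..\Run: [Vrokufi] rundll32.exe "C:\WINDOWS\ofelilunut.dll",e
O4 - HKLM\..\Run: [444cef88] rundll32.exe "C:\WINDOWS\system32\rkedfiiw.dll",b
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL itaweq.dll
O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}
"""


def triage_hjt(log_text):
    """Return (line, reason) pairs for entries that match the pattern seen in this thread."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group("cmd"))
            if r and len(r.group("export")) == 1:
                findings.append((line, f"rundll32 loads {r.group('dll')} via one-letter export '{r.group('export')}'"))
            continue
        if line.startswith("O20 - AppInit_DLLs:"):
            for entry in line.split(":", 1)[1].split():
                if "\\" not in entry:  # bare name: injected into every process from the system directory
                    findings.append((line, f"AppInit_DLLs entry without a path: {entry}"))
            continue
        if line.startswith("O24 - Desktop Component"):
            findings.append((line, "Active Desktop web component present; verify its target"))
    return findings


if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The plain prunnet.exe entry is deliberately not caught by these heuristics, which is why the thread still relies on MBAM/SAS logs rather than pattern matching alone.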
 
I'll explain.

The blocking being done, prevents any install .exe from accessing their
web site for either software to install, modules and files to install or
virus database files that detect and correct.

It is not the name of the .exe, it's what that install file .exe does to install the
anti-virus programs.

For example: say symantec. com has a sagipsul virus removal tool
called sagi-remove. You could be instructed by symantec .com to download
the install program, say one named setup.exe. That
program would be the one that installs sagi-remove.exe, which will fix the virus.

1) The sagipsul site blocking will prevent you from accessing www. symantec. com.

You can then choose to use another PC to download setup.exe from www. symantec. com
as a work around. You put that on a flash disk USB thumb drive.

You put that setup.exe on the infected PC. You execute it. That setup.exe
program does an install by accessing the internet to get to the symantec. com
location that has all the module files and virus detection and prevention database
files. The infected PC blocks access to the symantec. com domain, as you remember.
Result, your install fails because essential access to symantec. com by setup.exe
is blocked. Renaming setup.exe won't fix that.


Let's try another approach, install setup.exe on the good computer. If you
do that, do you know what files to copy to the infected PC, and what about
things like registry entries that setup.exe made or other changes to existing
files not just the new files? Can you reproduce by hand copies, text and
maybe binary edits the actions that setup.exe did?

If the anti-virus is truly simple and self contained (that is portable) you could
install it all (MAYBE) on a thumb drive. That's not going to be from the big anti-virus software makers.


The thing to do is find out HOW that virus is blocking access to microsoft,
mcafee, norton, symantec, malwarebytes, techguy, avg, and all the rest.
If that can be fixed FIRST, then you can get the sagipsul removal anywhere it
can be found.
 
Great info peteC. Although it may be best placed in the Meeting Spot forum (not actually sure)

Probably best for rf6647 to try to get back to resolving the issue now ;)
Presently waiting for cbizz to "Post new logs" to be reviewed by support.
 