TechSpot

VirusProtector2008, then Sagispul/Vundo, Leading to a General Mess

By Mire
Jan 4, 2009
  1. VirusProtector2008, then Sagispul/Vundo - Still need help

    Hello~

    Yesterday an alert window popped up telling me my computer was not protected and that I had to reinstall McAfee.

    Last night, almost 24 hours ago, I had an alert from McAfee Anti-Virus telling me that multiple Trojans were being blocked. I opened the program up from the quick start menu, and a ToS came up. I figured it was automatically reinstalling as it asked me to do earlier, and clicked yes. As I was doing so though, I realized that the ToS title had nothing to do with McAfee, or any other program I currently have installed.

    It was a program called VirusProtector2008 and it promptly opened a "simulated" scan and asked me to buy the full package.

    So I realized I had a problem on my hands, and I asked my friend's husband to help me over IM. I described what happened above and he told me to try and download Malwarebytes, and he told me the link might not work. Thankfully it did and after downloading it I did a scan. My computer froze a few times, but finally I got it to work and VirusProtector's desktop shortcut and the little icon on the bottom left disappeared after the scan + reboot.

    I also did a quick-scan with SuperAntiSpyware, and found more infected files. I was pretty confident I had beaten it after that.

    I was pretty happy everything was back to normal on my computer, but when my friend sent me some YouTube videos I noticed they were opening in a new window, not in another tab like usual. Then blank Sagispul.com pages would pop up (and once a yellowpages-type ad?)

    So I realized that maybe when I had to restart, Malware hadn't had the chance to finish updating. (I checked, I'm pretty sure it didn't.) My friend had logged off for the night so I couldn't ask her husband for help anymore, so before taking further action I looked for a reliable site with more information than just "Download Malwarebytes" and hope for the best.

    And here I am! I've found this site extremely informative as someone who had never even heard of Malware. I went through the 8-step sticky and followed the instructions there.

    I'll be attaching the first scans log, as well as the ones I did following the 8-steps.

    As for symptoms, besides the pop-ups in Firefox and McAfee acting weird, every time I downloaded even a little gif or something Firefox would freeze. My internet has also been slower than usual. I just got cable about a month ago and I've heard during certain times of the day it can be slower than usual, so the slow-down didn't make me too suspicious until the bogus virus scanning program showed up. Also, my automatic Windows updates had been disabled. I know for a fact that I hadn't changed this myself because I recently moved the time at which it would automatically reset my computer.

    I have been kind of reckless with what sites I've been visiting via Google searches. (I usually only click on sites I've heard of.) And I wasn't aware that outdated Java could be a security risk; I hadn't updated it in a long while. But it's all updated now and I'm learning from my past mistakes. If anyone could check my logs to see if there is anything still hiding in my computer, and give any further advice on what I can do if there is, I would really appreciate it!

    I'm using McAfee SecurityCenter, and I had it disabled during the scans. I did do an (anti-virus) scan last night, and all that came up was "Generic PUP.x" which I had it fix for me. I don't know how to get a log from McAfee so I hope that's sufficient enough information.

    Thanks so much in advance for help! (..And sorry in advance if I missed anything!)

    EDIT: Right after I posted this thread, my tab preferences for Firefox were changed to open a new window again.

    And just now I got this alert from McAfee:
    Yikes! I'm not sure what to do.
     
  2. Mire

    Mire TS Rookie Topic Starter

    I hope it's OK to post again. The logs I've posted are quite outdated now.

    I've been running Malwarebytes, SUPERAntiSpyware, Spybot S&D, and McAfee Virus Scan pretty constantly the past few days.

    I haven't gotten anything from Malwarebytes in a long while.

    Spybot S&D found two instances of Virtumonde on two separate occasions on the same day. It's the only program that seems to recognize it, so I've been running it along with the others now. I don't know how to pull a log from it.

    McAfee found another instance of that Generic thing I posted before. I don't know how to pull logs from this program either.

    Today I ran everything again feeling a bit safer (my internet speed had still not improved by much, and Skype continues to cut off calls and such). I ran SUPERAntiSpyware last, and in that scan I found Rootkit.SENEKA-Trace.

    Apparently it was added in an update posted yesterday. I could have sworn I updated before scanning, but the point is I caught it and deleted it.

    Anyway, I couldn't find very much information at all on the bugger except that it's not good at all. But I hope it's gone now? I did a speed test on my ISP's website after deleting it and it about doubled from what it was at yesterday (testing it around the same time of day).

    I hope someone can go through this log and tell me.. This has really been freaking me out and I'm afraid to even log in to any games I usually play or even forums.

    I'll continue to keep doing scans... I just want my computer back to normal. :(
     
  3. rf6647

    rf6647 TS Maniac Posts: 829

    It appears that the infection has been handled. Your description indicates that MBAM has been clean for 2 days and the connection throughput has recovered.

    The HJT scan shows what has not been handled.
    Code:
    O20 - AppInit_DLLs: iulnnu.dll
    • Confirm the file appearing in the code box has been deleted.
      • C:\WINDOWS\SYSTEM32\IULNNU.DLL
    • HJT 'tick & fix' can be used to delete the O20 reference to the file.
    
    I recommend that you reset internet settings as described by Kimsland.

    However, additional items from the HJT scan show what has not been handled.
    Code:
    • HJT 'tick & fix' can be used to delete these if IE reset is not used.
    O2 - BHO: (no name) - {0A94B111-4504-4e26-AB05-E61E474AA38B} - (no file)  >> askjeeves
    O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)  >> mcafee
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)  >> Livecall
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)  >> google
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)  >> google
    O2 - BHO: (no name) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - (no file)  >> msn
    O2 - BHO: (no name) - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)  >> askjeeves
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - 
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - 
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - 
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - 
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - 
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - 
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - 
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - 
    
    If symptoms remain, post new logs and describe conditions.


    Following clean scans, establish a new clean restore point and clear your existing System Restore points:
    • New
      • Go to Start > All Programs > Accessories > System Tools > System Restore >
      • Select Create a restore point > OK.
    • Clear Old
      • Go to Start > Run > cleanmgr > Select the More Options tab >
      • Choose the option to clean up System Restore > OK
      • This will remove all restore points except the new one you just created.
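A read-only PowerShell check, added here as an example and not part of rf6647's post or of HijackThis, that reproduces what the O20 and O2 lines above report: it reads the AppInit_DLLs value and the registered Browser Helper Objects, resolves each to its DLL and flags entries whose file no longer exists on disk (what HJT prints as "(no file)"). The registry paths are the standard Windows locations; nothing else is assumed from the thread.

```powershell
# Added audit script (not from the thread). Read-only: it reports, it does not
# change the registry. Run in an elevated PowerShell session on the affected PC.

function Get-AppInitDlls {
    # HJT "O20 - AppInit_DLLs" reads this value; every listed DLL is loaded
    # into each process that links user32.dll, which is why Vundo abuses it.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $raw = (Get-ItemProperty -Path $key -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    # Space- or comma-separated list; bare names (like iulnnu.dll) resolve from System32.
    $raw -split '[ ,]+' | Where-Object { $_ } | ForEach-Object {
        $path = $_.Trim('"')
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot "System32\$path"
        }
        [pscustomobject]@{ Entry = $_; ResolvedPath = $path; Exists = (Test-Path -LiteralPath $path) }
    }
}

function Get-BrowserHelperObjects {
    # HJT "O2 - BHO" enumerates the CLSIDs registered here and resolves each
    # through HKCR\CLSID\{...}\InprocServer32 to the DLL Internet Explorer loads.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -LiteralPath $bhoKey)) { return @() }
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        $dllPath = $null
        if ($dll) { $dllPath = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        # Orphaned BHO: no InprocServer32, or it points at a DLL that was removed.
        [pscustomobject]@{
            CLSID  = $clsid
            Dll    = $dll
            Exists = if ($dllPath) { Test-Path -LiteralPath $dllPath } else { $false }
        }
    }
}

Write-Host '== O20 AppInit_DLLs (any entry here deserves a look; Exists=False means a dangling reference) =='
Get-AppInitDlls | Format-Table -AutoSize
Write-Host '== O2 Browser Helper Objects (Exists=False corresponds to "(no file)" in HJT) =='
Get-BrowserHelperObjects | Format-Table -AutoSize
```

On 64-bit Windows the same two keys also exist under the Wow6432Node view for 32-bit Internet Explorer; this script only checks the native view.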
     
  4. SpiritWind

    SpiritWind TS Rookie Posts: 164

    Sagipsul, etc.

    Hi:

    Having come across "sagipsul.com" infections while on other support forums, certified "Malware Removal Specialists" recommended other programs than the ones that have been used here at this point to deal with this. Several have recommended the use of the FREE "SDFix", and there is a "Tutorial" with a download link at www.bleepingcomputer.com/forums/topic131299.html. Perhaps it would be wise to use this program!?

    And to increase the probability that there is no Vundo-type "infection" on your computer, I recommend the use of the FREE "VundoFix", available at http://vundofix.atribune.org, and to follow their "Normal Usage for Removal" guidelines.
     