
Help removing sagispul.com

  #1  
Old 01-02-2009
Newcomer, in training
 
Member since: Jan 2009, 3 posts
Help removing sagispul.com

I recently became infected with sagispul.com. Like most other people I get random pop-ups, but I also get blocked from a lot of sites (lavasoft.com for instance) to download updates to spybot, and adaware. I have run these and removed Virtumonde and a couple other things.

I am using Firefox 2.0.0.20 if that affects the fix.

I ran hijackthis and have attached a log. I also found several questionable .dll/.exe in Windows/System32 all created when the popups started, that don't appear in hijackthis log.

I appreciate your help.
Attached Files
File Type: txt strange_dll_exe.txt (109 Bytes, 4 views)
File Type: log hijackthis1_1_09_a.log (5.1 KB, 4 views)
  #2  
Old 01-02-2009
TechSpot Booster
 
Location: the lab men wont tell me
Member since: Apr 2006, 602 posts
Hi winxpuser

Welcome to Techspot.

Unfortunately I cannot help you at the moment because your HijackThis is both installed in the wrong location and is out of date.

Remove your last install and then go here and download the new version

THEN

Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory

FINALLY

Once you have changed this, due to the nature of your problem please locate the HijackThis.exe file yourself with Windows Explorer and right click on it and select Rename. Rename to analyse.exe by just typing in analyse.exe to overwrite the old name. This is very important since a few forms of malware will hide unless HijackThis is renamed.

Thanks, and when you post the new log I will re-read it.

Thanks
  #3  
Old 01-04-2009
Newcomer, in training
 
Member since: Jan 2009, 3 posts
Logs Posted

Just completed the 8 step process after updating HiJack This.

Ran Full System Scan with Avira Free - 2 Warnings

C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!

Ran CCleaner

Turned off ZoneAlarm

Turned off SuperAntiSpyware

Turned off AntiVirGuard

Ran Malwarebytes' Anti-Malware - no items found

Ran SuperAntiSpyware - no items found

Updated JAVA - Java 6 Update 11

Ran HiJackThis

All problems have disappeared! Logs attached.

Am I clean?

I have started using the free version of Zone Alarm and Free AntiVirus Guard.
Attached Files
File Type: txt mbam-log-2009-01-04 (14-17-17).txt (840 Bytes, 2 views)
File Type: log SUPERAntiSpyware Scan Log - 01-04-2009 - 14-39-25.log (465 Bytes, 1 views)
File Type: log hijackthis.log (6.9 KB, 1 views)
  #4  
Old 01-04-2009
TechSpot Booster
 
Location: the lab men wont tell me
Member since: Apr 2006, 602 posts
Your log appears clean

It is possible it was an infected system file etc. that has been removed as junk by CCleaner.

Keep using CCleaner and Avira every 2-3 weeks, but you look good now.
  #5  
Old 01-10-2009
Newcomer, in training
 
Member since: Jan 2009, 3 posts
Sagispul Why Didn't McAfee Spot It?!

Hi, thank god for your website!

I've followed your very clear 8 steps, and have attached the logs.
Since completing it a few minutes ago I've not seen one of the damn pop-ups but if you could check the logs I'd really appreciate it?

The timing of this attack is terrible; I'm an architecture student in my final year and this virus has put a real kink in my progress toward final submission on Wednesday. Hopefully I'll be clear!

I'm not sure if it was the same virus but my machine was hanging at indeterminate times in a variety of applications, and I'd also started to see a pop-up claiming to be from Microsoft which would attempt to download software without me authenticating it. I recall some news about such a program a couple of months ago. Would this have been brought on by sagispul compromising my security or do I have something else I need to sort out?

Thank you again. Do you have a Paypal or something that I can contribute something to? I have a feeling you may have saved my degree!!

Buddy
Attached Files
File Type: log hijackthis.log (13.7 KB, 1 views)
File Type: txt mbam-log-2009-01-10 (14-46-31).txt (5.9 KB, 3 views)
File Type: log SUPERAntiSpyware Scan Log - 01-10-2009 - 15-37-50.log (861 Bytes, 1 views)
  #6  
Old 01-10-2009
TechSpot Booster
 
Location: the lab men wont tell me
Member since: Apr 2006, 602 posts
Hi buddyholly27
Welcome to Techspot.

With this type of infection the 8 step removal process usually removes it. However, on one of your logs you have

Delete on start up

Please start your own thread in the security section, as it's best to double check to make sure this infection was removed on start up; also it saves confusion on the existing thread.

Create a new post here and someone will get back to you.

Thanks
  #7  
Old 01-10-2009
Newcomer, in training
 
Member since: Jan 2009, 3 posts
Cheers for the very quick response rev_olie!

Sorry for confusing the thread, I was in a 'bit' of a blind panic and failed to follow the correct procedure. I'll re-post it now, in the right place!

I'm just running a couple of checks, and so far they're coming back as clear.

Buddy