TechSpot OpenBoards > Operating Systems & Software > Virus & Malware removal

Sagipsul Popups, 8 Steps Completed Logs Attached

  #1  
Old 01-05-2009
Newcomer, in training
 
Member since: Jan 2009, 2 posts

Thank you for the help in advance. These popups are driving me crazy.
Attached Files
File Type: txt mbam-log-2009-01-05 (12-18-50).txt (5.5 KB, 1 views)
File Type: log hijackthis.log (10.5 KB, 1 views)
File Type: log SUPERAntiSpyware Scan Log - 01-05-2009 - 12-50-33.log (465 Bytes, 1 views)
  #2  
Old 01-06-2009
Bobbye
TechSpot Evangelist
 
Location: Clearwater, FL
Member since: Mar 2007, 4,566 posts
Let's clean up some leftovers:
Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
Quote:
O4 - HKUS\S-1-5-19\..\Run: [toyayurela] Rundll32.exe "C:\WINDOWS\system32\titobigi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [toyayurela] Rundll32.exe "C:\WINDOWS\system32\titobigi.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: zukmyo.dll C:\WINDOWS\system32\rewikote.dll
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

Right click on Start> Explore> Windows System32> right click> delete on any of the files below if found:
Quote:
titobigi.dll
toyayurela
saseneda.dll
zukmyo.dll
rewikote.dll >> Fraudulent Security Program
I cannot reliably identify this Domain. A search for 'ambusi' brings up this site:
http://www.wordcraftbook.com/writing_abi.php which then shows this URL within it:
http://www.ambusi.com/member/branding/2004/03/30/naming

There appears to be an organization named AmBusi which is the American Business Institute (AMBUSI) and internet site for lawyers. THAT URL is: http://www.netforlawyers.com/ambusi.htm

So the way it's set up on your system isn't correct and I need you to verify these entries:
Quote:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\Software\..\Telephony: DomainName = ambusi.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ambusi.com
If AmBusi is your legitimate Domain, the entries are not set up correctly.

Open IE: Tools> Internet Options> Security tab> Trusted sites> Sites> remove these from the trusted zone:
Quote:
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
Reboot into Normal mode

Run SDFix:
SDFix: http://www.tech-101.com/viewtopic.php?f=18&t=38
Quote:
* Download SDFix and save it to your Desktop.
Quote:
* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Boot into Safe Mode
Quote:
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Run SDFix
Quote:
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here
Update and rescan with Malwarebytes again following SDFix, then do a new scan with HijackThis. Attach all the logs when through.
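As an added example that is not part of Bobbye's reply or anything else in this thread, the PowerShell audit below reads the registry locations behind the O4, O20, O17 and O15 lines quoted in this post (the O17 lines come up again in post #4), so the Fix Checked result can be verified after the reboot. It assumes PowerShell is available on the affected machine and is run from an elevated prompt; the full path used for the O17 Telephony value is my expansion of HijackThis's abbreviated line.

```powershell
# Added example (not from the thread): list the registry entries that HijackThis
# reports as O4 (per-user Run), O20 (AppInit_DLLs), O17 (Tcpip Domain) and
# O15 (Trusted Zone). Run elevated. On a clean machine after the fix, the O4 lines
# for S-1-5-19 / S-1-5-20 should no longer reference titobigi.dll, AppInit_DLLs
# should be empty, and no Domain / Trusted Zone entries should remain.

# HKEY_USERS is not mounted as a PowerShell drive by default.
if (-not (Test-Path 'HKU:')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# O4: Run values in every loaded user hive, including the LOCAL SERVICE (S-1-5-19)
# and NETWORK SERVICE (S-1-5-20) hives where the Rundll32 entries were found.
Get-ChildItem 'HKU:\' | ForEach-Object {
    $run = "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $run) {
        (Get-ItemProperty $run).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |   # skip PSPath/PSParentPath etc.
            ForEach-Object { "O4  [$run] $($_.Name) = $($_.Value)" }
    }
}

# O20: AppInit_DLLs is loaded into every process that uses user32.dll; it is
# normally empty, so any DLL name here (zukmyo.dll, rewikote.dll) is suspect.
$win = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
"O20 AppInit_DLLs = '$($win.AppInit_DLLs)'"

# O17: Domain under Tcpip\Parameters in CurrentControlSet and every ControlSetNNN
# (HijackThis abbreviates these as CCS, CS2, CS3), plus the Telephony DomainName.
Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like '*ControlSet*' } | ForEach-Object {
    $p = "HKLM:\SYSTEM\$($_.PSChildName)\Services\Tcpip\Parameters"
    $d = (Get-ItemProperty $p -ErrorAction SilentlyContinue).Domain
    if ($d) { "O17 $p Domain = $d" }
}
# Assumed full path for the abbreviated "HKLM\Software\..\Telephony" line.
$tel = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony' -ErrorAction SilentlyContinue
if ($tel -and $tel.DomainName) { "O17 Telephony DomainName = $($tel.DomainName)" }

# O15: ZoneMap\Domains subkeys whose scheme value is 2 (Internet Explorer zone 2 = Trusted sites).
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
Get-ChildItem $domains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    $key.GetValueNames() | Where-Object { $key.GetValue($_) -eq 2 } | ForEach-Object {
        "O15 Trusted Zone: $_ -> $($key.Name -replace '.*\\Domains\\','')"
    }
}
```

Each section prints nothing for a location that is clean, so after the fix the O4 lines from the service hives and the O17 and O15 lines should be absent from the output.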
  #3  
Old 01-06-2009
Newcomer, in training
 
Member since: Jan 2009, 2 posts
Wow, thank you very much for taking the time to help me out Bobbye.

I did everything you suggested and have attached the new logs.

In regards to Ambusi...it is the former name of the company I work for. The domain is no longer in use, however we still have the domain name. Do I need to make any changes with the ambusi.com entries?

Thanks Again.

-Dax
Attached Files
File Type: txt report.txt (9.8 KB, 1 views)
File Type: txt mbam-log-2009-01-06 (12-46-59).txt (852 Bytes, 1 views)
File Type: log hijackthis.log (10.2 KB, 3 views)
  #4  
Old 01-07-2009
Bobbye
TechSpot Evangelist
 
Location: Clearwater, FL
Member since: Mar 2007, 4,566 posts
Quote:
The domain is no longer in use, however we still have the domain name.
Then the entries should be removed.

Did you find and delete any or all of these files?
Quote:
titobigi.dll
toyayurela
saseneda.dll
zukmyo.dll
rewikote.dll >> Fraudulent Security Program
I am concerned about the security you're running - all I see are the two ActiveX files loading for McAfee:
Quote:
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab>> for McAfee Security Installer Control.
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab>> process info for McAfee Security Download Control.
But there are no McAfee programs entries and no McAfee Services running as there should be if you have the McAfee security installed. Can you fill me in on this please? Were you using this as part of a corporate network? Maybe the defunct Domain. Because it does not appear that you have a fully functioning security program.

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
Quote:
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n028p/EN/install/gtdownlr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\Software\..\Telephony: DomainName = ambusi.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ambusi.com
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.


Regarding this entry:
Quote:
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://parachute.webex.com/client/v...nt/ieatgpc.cab
Please see the CERT advisory on the potential buffer overflow. If you need an update, get it. If you need to disable the ActiveX entry, do it.
WebexUCFObject ActiveX Control stack buffer overflow:
http://www.kb.cert.org/vuls/id/661827
Update Java:
Quote:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 11 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.
Remove the older versions of Java:
1. Click Start, Control Panel, Add/Remove Programs.
2. Delete all Java updates except J2SE Runtime Environment 6.0 Update 11
What is the status of the original pop-ups? Have we resolved that issue? Are you having any other problems?