also @ TechSpot: Motorola Droid 4 unboxing, hands-on video
Welcome to the TechSpot OpenBoards. Please read the FAQ if you have any questions. Sign up or Login to participate.
Go Back   TechSpot OpenBoards > Tech Support > Virus and Malware Removal
Reload this Page Sagipsul Popups, 8 Steps Completed Logs Attached

Download Now:

Sagipsul Popups, 8 Steps Completed Logs Attached
Thread Tools Search this Thread
  #1  
Old 01-05-2009
Newcomer, in training
  
Member since: Jan 2009, 2 posts
Sagipsul Popups, 8 Steps Completed Logs Attached
Thank you for the help in advance. These popups are driving me crazy.
Attached Files
File Type: txt mbam-log-2009-01-05 (12-18-50).txt (5.5 KB, 1 views)
File Type: log hijackthis.log (10.5 KB, 1 views)
File Type: log SUPERAntiSpyware Scan Log - 01-05-2009 - 12-50-33.log (465 Bytes, 1 views)
  #2  
Old 01-06-2009
Bobbye's Avatar
Helper on the Fringe
  
Location: Florida
Member since: Mar 2007, 15,043 posts
Let's clean up some leftovers:
Please re-open HiJackThis and scan.*Check* the boxes next to all the entries listed below.
Quote:
O4 - HKUS\S-1-5-19\..\Run: [toyayurela] Rundll32.exe "C:\WINDOWS\system32\titobigi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [toyayurela] Rundll32.exe "C:\WINDOWS\system32\titobigi.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: zukmyo.dll C:\WINDOWS\system32\rewikote.dll
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

Right click on Start> Explore> Windows System32> right click> delete on any of the files below if found:
Quote:
titobigi.dll
toyayurela
saseneda.dll
zukmyo.dll
rewikote.dll >> Fraudulent Security Program
I cannot reliably identify this Domain. A search for 'ambusi' brings up this site:
http://www.wordcraftbook.com/writing_abi.php which then shows this URL within it:
http://www.ambusi.com/member/branding/2004/03/30/naming

There appears to be an organization named AmBusi which is the American Business Institute (AMBUSI) and internet site for layers. THAT URL is: http://www.netforlawyers.com/ambusi.htm

So the way it's set up on your system isn't correct and I need you to verify these entries:
Quote:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\Software\..\Telephony: DomainName = ambusi.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ambusi.com
If AmBusi is your legitimate Domain, the entries are not set up correctly.

Open IE: Tools> Internet Options> Security tab> Trusted sites> Sites> remove these from the trusted zone:
Quote:
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
Reboot into Normal mode

Run SDFix:
SDFix: http://www.tech-101.com/viewtopic.php?f=18&t=38
Quote:
* Download SDFix and save it to your Desktop.
Quote:
* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Boot into Safe Mode
Quote:
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Run SDFix
Quote:
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here
Update and rescan with Malwarebytes again following SDFix, the do a new scan with HijackThis. Attach all the logs when through.
  #3  
Old 01-06-2009
Newcomer, in training
  
Member since: Jan 2009, 2 posts
Wow, thank you very much for taking the time to help me out Bobbye.

I did everything you suggested and have attached the new logs.

In regards to Ambusi...it is the former name of the company I work for. The domain is no longer in use, however we still have the domain name. Do I need to make any changes with the ambusi.com entries?

Thanks Again.

-Dax
Attached Files
File Type: txt report.txt (9.8 KB, 1 views)
File Type: txt mbam-log-2009-01-06 (12-46-59).txt (852 Bytes, 1 views)
File Type: log hijackthis.log (10.2 KB, 3 views)
  #4  
Old 01-07-2009
Bobbye's Avatar
Helper on the Fringe
  
Location: Florida
Member since: Mar 2007, 15,043 posts
Quote:
The domain is no longer in use, however we still have the domain name.
Then the entries should be removed.

Did you find and delete any or all of these files?
Quote:
Quote:
titobigi.dll
toyayurela
saseneda.dll
zukmyo.dll
rewikote.dll >> Fraudulent Security Program
I am concerned about the security you're running- all I see are the two Active X files loading for McAfee:
Quote:
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab>> for McAfee Security Installer Control.
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab>> process info for McAfee Security Download Control.
But there are no McAfee programs entries and no McAfee Services running as there should be if you have the McAfee security installed. Can you fill me in on this please? Were you using this as part of a corporate network? Maybe the defunct Domain. Because it does not appear that you have a fully functioning security program.

Please re-open HiJackThis and scan.*Check* the boxes next to all the entries listed below.
Quote:
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n028p/EN/install/gtdownlr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\Software\..\Telephony: DomainName = ambusi.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ambusi.com
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.


Regarding this entry:
Quote:
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://parachute.webex.com/client/v...nt/ieatgpc.cab
Please see the Cert Advisory on the potential buffer overflow. If you need an update, get it. If you need to disable the Active XD entry, do it.
WebexUCFObject ActiveX Control stack buffer overflow:
http://www.kb.cert.org/vuls/id/661827
Update Java:
Quote:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 11 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.
Remove the older versions of Java:
1. Click Start, Control Panel, Add/Remove Programs.
2. Delete all Java updates except J2SE Runtime Environment 6.0 Update 11
What is the status of the original pop-ups. Have we resolved that issue? Are you having any other problems>
Closed Thread

Similar Topics
Topic Replies Forum
8 Steps Completed, Logs Attached 3 Virus and Malware Removal
Ran 8 steps: Vundo, sagipsul, etc logs attached 2 Virus and Malware Removal
Sagipsul pop ups - Ran 8 steps and logs attached 0 Virus and Malware Removal
Down to Sagipsul. Completed 8 steps and logs attached 0 Virus and Malware Removal
8 steps completed - logs attached 6 Virus and Malware Removal

Thread Tools Search this Thread
Search this Thread:

Advanced Search
All times are GMT -4. The time now is 03:01 PM.