Another Sagipsul Problem

Status
Not open for further replies.

NeilR

Posts: 6   +0
Thanks to everyone who has contributed to the amazing wealth of information here. Today my computer started having the problems that seem like those of other people who've described the Sagipsul problems:

* lots of extra Firefox windows opening up
* inability to access anti-spyware sites
* sudden crashes of my machine attributed first to "Generic Host Process for Win32 Services" and then followed immediately by "DCOM Server Process Launcher service terminated unexpectedly" errors
* difficulty rebooting, even into Safe Mode, following the crashes

After trying several suggestions from other sites, I finally found the eight-step process here and have gone through it. I'm no longer having the crashing or difficulty rebooting, but am still seeing extra Firefox windows pop open occasionally (although now far less frequently). So I'm posting the logs below to ask for your additional help. Note that there were several files removed from earlier efforts today that preceded the eight-step process. If it's important to include those also, please let me know.

Thank you so much for your help.
 
Uninstall your McAfee Antivirus
Then run the McAfee Removal Tool

Restart

Install Avira free Antivirus (which happens to be way better than McAfee)

Update it, and run a full scan
Let me know how many infections were removed ;)
 
Thanks, and a Question

kimsland, thank you so much for your help.

> Let me know how many infections were removed

On two scans, Avira found 13 files from 3 trojans:

* TR/Crypt.XPACK.Gen Trojan
* TR/Trash.Gen Trojan
* TR/Downloader.Gen Trojan

The third scan was clean. As were my last two scans with SUPER AntiSpyware. Malwarebytes is still finding things every time I scan it--C:\WINDOWS\system32\dbmbtf.dll seems to be a particularly pesky one--but hopefully I'm getting closer (log files attached).

One question I had: by running the McAfee Removal Tool, I took off not only the McAfee AntiVirus but also the McAfee Firewall. Do I need to install one? The 8-step message names Comodo and Zonealarm, but I don't know if there's one that's preferable.

Thanks again for your help.
 
Comodo is preferred
But let's just hold off for a moment (whilst cleaning is still happening)

Your Malwarebytes program version is now old
And, your Malwarebytes definitions are also old (too old)

Please update Malwarebytes (there's an update Tab, that you select in the program)
Once updated (hey, I've mentioned update too many times now ;) :) )
Run a full scan

If it finds more issues, for you to manually remove (at the end of the big scan)
You are best to run it again (to then remove the ones that were previously hidden)
But update it first :)
 
Okay, now I'm getting clean scans from Avira, Malwarebytes and SUPER AntiSpyware (logs attached). Not seeing the popups anymore, so the only strangeness I'm seeing is that sometimes when I click on a link in a Google search results page, I'm taken not to the URL I clicked but to an ad. For example, a search of "cbs nhl scoreboard" offers up a link to

sportsline.c-m/nhl

but when I click on it I am instead directed to

ad1.doubleclicker.n-t/c.php?u-l=h--p%3A%2F%2Fsportsline.c-m%2Fnhl&p=1

Any suggestions?

Thanks again SO MUCH for your time.
 
Please re-open and scan with HJT
Place a tick next to the following entries (note: some bad; some not required to start with Windows)
Confirm your Internet browser (ie Internet Explorer) is closed before selecting fix
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www2.verizon.net/welcome/default.asp?variant=dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O20 - AppInit_DLLs: dbmbtf.dll

Then download Combofix
Lots of info on its use here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Direct download here: https://www.techspot.com/downloads/5587-combofix.html

Save it to a location that you can easily find later (in Safe Mode) ie directly to C drive

Restart your computer to Safe Mode (by repeatedly pressing F8 on your keyboard before Windows starts)
Log into your Administrator account
Locate the previously downloaded Combofix
Double click on it to run, answering any prompts along the way
Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)

Once Combofix has finished, save the log file to be attached to a new reply
Restart back to Normal mode, and attach the Combofix log

Whilst waiting for my reply, you may want to re-open Malwarebytes; update it again; and then run another full scan (I'm thinking there may still be more uncovered malware to remove) I would do this ;)
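The HJT entries listed above follow a small set of line formats (R1 registry values, O4 Run/startup items, O16 DPF downloads, O20 AppInit_DLLs). The following is an added example, not code from the thread or from HijackThis: a parser that turns lines in those formats into structured records and applies a few triage heuristics (an AppInit_DLLs entry, a target HJT could not resolve, a bare filename with no directory). The sample lines are constructed from entries quoted in the thread, and the flag rules are this example's own assumptions, not HijackThis verdicts.

```python
"""Parse HijackThis-style log lines and flag entries that merit a closer look.

Added example, not the thread's own code. The heuristics in triage() are this
example's assumptions, not HijackThis rules.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample built from entries quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O20 - AppInit_DLLs: dbmbtf.dll
"""


@dataclass
class Entry:
    section: str                      # "R1", "O4", "O16", "O20", ...
    raw: str                          # the original line
    name: Optional[str] = None        # [Run value name], .lnk name, or registry value name
    target: Optional[str] = None      # path / DLL / URL the entry points at, if found
    flags: List[str] = field(default_factory=list)  # triage heuristics that fired


LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<rest>.*)$")
QUOTED_RE = re.compile(r'^"(?P<path>[^"]+)"')
# Unquoted command line: take up to the first common extension followed by a space or end.
UNQUOTED_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|lnk|scr|bat|cmd))(?=\s|$)", re.IGNORECASE)
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)$")


def _extract_target(rest: str) -> Optional[str]:
    """Pull the executable path out of a Run-value command line, quoted or not."""
    m = QUOTED_RE.match(rest) or UNQUOTED_RE.match(rest)
    return m.group("path") if m else None


def triage(entry: Entry) -> List[str]:
    """Heuristic flags (this example's assumptions, not HJT's verdicts)."""
    flags: List[str] = []
    if entry.section == "O20" and entry.name == "AppInit_DLLs":
        flags.append("appinit_dll")        # loaded into every process that maps user32.dll
    if entry.section in ("O4", "O16", "O20") and entry.target in (None, "?"):
        flags.append("unresolved_target")  # HJT could not tell what the entry points at
    if (entry.target and entry.section in ("O4", "O20")
            and entry.target != "?" and "\\" not in entry.target):
        flags.append("bare_filename")      # no directory: resolved by DLL/PATH search order
    return flags


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HJT-style line into an Entry; returns None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = Entry(section=section, raw=line.strip())
    if section == "O4":
        run = RUN_RE.match(body)
        if run:
            entry.name = run.group("name")
            entry.target = _extract_target(run.group("rest"))
        elif body.startswith("Global Startup: ") and " = " in body:
            entry.name, entry.target = body[len("Global Startup: "):].split(" = ", 1)
    elif section == "O20" and body.startswith("AppInit_DLLs: "):
        entry.name = "AppInit_DLLs"
        entry.target = body[len("AppInit_DLLs: "):].strip() or None
    elif section == "O16":
        dpf = DPF_RE.match(body)
        if dpf:
            entry.name = dpf.group("desc") or dpf.group("clsid")
            entry.target = dpf.group("url") or None
    elif section.startswith("R") and "," in body and " = " in body:
        key, value = body.split(" = ", 1)
        entry.name = key.rsplit(",", 1)[1]   # registry value name after the comma
        entry.target = value
    entry.flags = triage(entry)
    return entry


def parse_log(text: str) -> List[Entry]:
    """Parse every recognisable entry line in a log."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries for which at least one triage heuristic fired."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.section:<4} {','.join(e.flags):<32} {e.raw}")
```

Run as a script it prints only the flagged lines; on the constructed sample that is the `.lnk` with an unresolved target, the empty DPF entry, and the AppInit_DLLs line, which is loaded as a bare filename. The heuristics are deliberately narrow: they mark entries worth a second look, and a flagged line is not by itself a verdict that the file is malicious.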
 
Combofix log is attached. I reran the Malwarebytes scan and that came up clean again, but I am still having the redirected links problem I mentioned before.

I know I say this every message but I can't thank you enough. The time you're spending to help me out is significant and I really appreciate it.
 
Well the Combofix scan (and automatic Malware removal) has helped
Please run CCleaner
Restart
Scan with HJT and save log
Attach the new log to a new reply

All done in that order :)
 
> Well the Combofix scan (and automatic Malware removal) has helped

That's good news. I'm definitely seeing far fewer symptoms than when we started.

New HijackThis log is attached.

Thank you!
 
I cannot see any further issues with your HJT log :grinthumb

Clear & Reset System Restore's Cache

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

Resolved :grinthumb

That's about it. How's it running?
 
Done, I think

> That's about it. How's it running?

The only issue I was having was the Google result links still being redirected to ad1.doubleclicker.n-t. So I did another search on that server and found a page of someone who also had fixed everything on their computer but that problem and ended up using the GooredFix file described (and linked to) on this page:

http://forums.somethingawful.com/showthread.php?threadid=3041544

That seems to have taken care of the last of my problems. kimsland, thank you so very much for all your help. I'm indebted to you. Is there a tip jar around here?
 