Getting Random Popups

Status
Not open for further replies.
I've been getting a lot of popups recently, most of them being from "sagipsul.com".

Tried using McAfee and Malwarebytes and tried to fix it in HJT, but to no avail.

Half the time I have to alt-tab to see them, and the other half I get an obnoxiously loud video which I cannot see and have to end via the Firefox process.

I've attached the HijackThis log.

Thanks.
 
  • Following the Guide: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions creates a common beginning for an initial assessment.

  • Seeing is believing - For anyone complaining of Sagipsul spyware -
    • Without supporting logs, anything caught by HJT is used to suggest changes.
    • However, the MBAM and/or SAS logs will improve diagnosis of this threat.

    • Scan with HJT. Tick & Fix. Restart the computer.
    Code:
    O20 - AppInit_DLLs: I:\WINDOWS\system32\jopiroka.dll
    O20 - Winlogon Notify: efcBtsSi - efcBtsSi.dll (file missing)
    O2 - BHO: (no name) - {46121e97-e1d7-4ca8-bafc-9b1bc48148b8} - I:\WINDOWS\system32\dutudari.dll (file missing)
    O2 - BHO: (no name) - {478460EC-E93C-44FC-8CA6-384131269FE8} - (no file)
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
    O2 - BHO: (no name) - {D822FBF5-5BDC-4929-A771-F587C1974506} - (no file)
    O2 - BHO: (no name) - {EE2AD6DD-858C-4646-9AC0-8EEBF398F4F4} - I:\WINDOWS\system32\ljJASLDS.dll
    O4 - HKLM\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s
    O4 - HKLM\..\Run: [0c15c650] rundll32.exe "I:\WINDOWS\system32\rbigggdi.dll",b
    O4 - HKUS\S-1-5-19\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s (User 'NETWORK SERVICE')
    O8 - Extra context menu item: &Search - ?p=ZUfox000
    If the HJT scan catches things not cleaned by MBAM & SAS, this type of information will lead to adapting to changes.

Other Considerations
Sagipsul malware may be extending the runtimes for MBAM. Please try to disconnect from the Internet while scanning with MBAM.
 
I think you missed some to remove; he has a bad AppInit and a Google redirect.

O2 - BHO: (no name) - {46121e97-e1d7-4ca8-bafc-9b1bc48148b8} - I:\WINDOWS\system32\dutudari.dll (file missing)
O2 - BHO: (no name) - {478460EC-E93C-44FC-8CA6-384131269FE8} - (no file)

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: (no name) - {D822FBF5-5BDC-4929-A771-F587C1974506} - (no file)

O4 - HKLM\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s
O4 - HKLM\..\Run: [0c15c650] rundll32.exe "I:\WINDOWS\system32\rbigggdi.dll",b

O4 - HKUS\S-1-5-19\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s (User 'NETWORK SERVICE')

O8 - Extra context menu item: &Search - ?p=ZUfox000

O20 - AppInit_DLLs: I:\WINDOWS\system32\jopiroka.dll
O20 - Winlogon Notify: efcBtsSi - efcBtsSi.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
 
Wolf -
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

It is legit - see here
 
Maybe, but the updater is reinstalled so easily, and with the given redirects, being safe is my opinion.
The redirect install uses the same CLASSIDs.
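
An added example, not part of any post in this thread and not HijackThis's own logic: a small Python triage over log lines quoted above, showing why the entries listed for fixing stand out while the Google entries do not. The rule names and heuristics are assumptions for illustration; a match means "review this entry", not "malicious".

```python
import re

# Lines copied from the HijackThis excerpts quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {478460EC-E93C-44FC-8CA6-384131269FE8} - (no file)
O2 - BHO: (no name) - {EE2AD6DD-858C-4646-9AC0-8EEBF398F4F4} - I:\WINDOWS\system32\ljJASLDS.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O4 - HKLM\..\Run: [jamuvehazi] Rundll32.exe "I:\WINDOWS\system32\rumirojo.dll",s
O20 - AppInit_DLLs: I:\WINDOWS\system32\jopiroka.dll
O20 - Winlogon Notify: efcBtsSi - efcBtsSi.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# "O<n> - <body>": section code, then the entry text.
ENTRY = re.compile(r"^\s*(O\d+)\s+-\s+(.*)$")
# An autostart entry that launches a DLL through rundll32.
RUNDLL = re.compile(r'rundll32\.exe\s+"[^"]+\.dll"', re.I)

# Assumed review heuristics (hypothetical names, not HijackThis's own logic).
RULES = [
    # Registry entry still present but its file is gone.
    ("orphaned", lambda sec, body: "(file missing)" in body or "(no file)" in body),
    # Browser Helper Object registered without a display name.
    ("unnamed-bho", lambda sec, body: sec == "O2" and body.startswith("BHO: (no name)")),
    # Run key that starts a DLL via rundll32 at logon.
    ("rundll32-autostart", lambda sec, body: sec == "O4" and bool(RUNDLL.search(body))),
    # AppInit_DLLs entries are loaded into every process that loads user32.dll.
    ("appinit-dll", lambda sec, body: sec == "O20" and body.startswith("AppInit_DLLs:")),
]

def triage(log_text):
    """Return [(section, reasons, line)] for entries matching at least one rule."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # skip blank lines and anything that is not a log entry
        sec, body = m.groups()
        reasons = [name for name, test in RULES if test(sec, body)]
        if reasons:
            findings.append((sec, reasons, line.strip()))
    return findings

if __name__ == "__main__":
    for sec, reasons, line in triage(SAMPLE_LOG):
        print(f"{sec:4} {','.join(reasons):28} {line}")
```
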
 