Sagipsul Infection -- did the 8 step process

By frhentb1 · 24 replies
Jan 2, 2009
  1. Hello...this is my first post. This forum is very helpful. Got infected by the annoying Sagipsul trojan and ran the 8 step process. Have cleaned off everything and updated JRE as directed. I have attached log files.

    After running through the steps, popups have stopped and sites are no longer blocked in Firefox.

    Please check the logs and let me know if I have removed this successfully.

    Many Thanks
  2. rev_olie

    rev_olie TS Guru Posts: 560

    Your fix looks successful. A combination of SUPERAntiSpyware and Malwarebytes removes this infection.

    I would use Avira as in the 8 step guide instead of AVG from now on to give your PC fuller protection.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    rev_olie, I seem to be following you on several threads. I want to bring your attention to something. Finding malware removed is not enough. In this case, MBAM found a great deal of malware and some needed a reboot to remove. You cannot assume the user has done that.

    Additionally, this person is using two antivirus programs. That is not good.

    frhentb1, please decide whether you want McAfee or AVG on the system; remove the other program. More than one AV program can cause a conflict that may mean less protection, not more.
    After you have handled this, please update and scan with Malwarebytes, followed by a new scan with HijackThis. Please attach both logs.
  4. frhentb1

    frhentb1 TS Rookie Topic Starter

    Sagipsul removal

    Bobbye & rev_olie

    Thanks for the quick reply. I removed AVG and am running just McAfee. Reran Malwarebytes and HijackThis; logs attached. Hopefully this is resolved. Appreciate your expertise.
  5. rev_olie

    rev_olie TS Guru Posts: 560

    Sorry for not checking both on the rescan, and for the spelling.

    As you can see I said
    This was a mistake and I meant to also add McAfee to the recommendation as well as AVG.

    Also, assuming from the pop-ups stopping and the recommendations that Malwarebytes gives, the user did indeed restart.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    But you're recommending more than one antivirus program!
    Security should be:
    One antivirus program
    One firewall
    Two or more spyware/adware programs.

    Good, glad to see MBAM come out clean this time! But there is some malware in HijackThis. I missed this entry the first time around; my apology. The third entry is the one I said we'd check after AVG was removed:
    These are the entries. I'll have you run SDFix, then rescan with HijackThis. Hopefully they will be gone.
    msiconf.exe is a variant of the Trojan.Fakealert Trojan.

    SDFix is a specialized file tool created by AndyManchesta to remove IRCBot variants, backdoor Trojans and the Rootkit components that come with them. This includes Msiconf.exe

    SDFix Instructions:
    Please follow exactly. Use the screen shots to assist with what you are seeing.

    Please attach new HijackThis log when through.
  7. frhentb1

    frhentb1 TS Rookie Topic Starter

    Sagipsul infection

    Thanks for the info. Ran SDFix as instructed; HijackThis log attached.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Did you check the SDFix log to see what was found? These entries remain:
    Since SDFix, which is the recommended repair, failed, something is protecting it, so we'll have to do a manual repair:
    Step 1: Use Windows File Search Tool to Find msiconf.exe Path
    Step 2: Use Windows Task Manager to Remove msiconf.exe Processes
    Step 3: Detect and Delete Other msiconf.exe Files

    NOTE: when you are doing the 'Search' in Step 1, please include a search for sqeayo.dll

    When you have finished with the deletions, please rescan with HijackThis and attach new log.
  9. frhentb1

    frhentb1 TS Rookie Topic Starter

    After running SDFix - Looking for msiconf.exe


    Ran a search as directed for both msiconf.exe and sqeayo.dll and no results were found. I also checked the Task Manager and there are no processes labelled msiconf.exe.

    Maybe this malware is dead and buried?

  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    The only way I can tell if SDFix removed malware is to see the log.
  11. frhentb1

    frhentb1 TS Rookie Topic Starter

    SDFix Logs


    Here is what SDFix wrote out:

    In the file called 'Report'

    SDFix: Version 1.240
    Run by Administrator on Fri 01/02/2009 at 07:52 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :

    Restoring Default Security Values
    Restoring Default Hosts File


    Checking Files :

    No Trojan Files Found

    Removing Temp Files

    ADS Check :

    No streams found.



    No streams found.


    in TESTADS6

    What do you think?
    many thanks
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I think we need to run one more program. As long as the O20 - AppInit_DLLs: sqeayo.dll is coming up, you still have malware somewhere.

    Please download ComboFix.:

    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.

    Run Combo-Fix.exe and follow the prompts.
    Rescan with HijackThis after ComboFix and attach both logs.
  13. frhentb1

    frhentb1 TS Rookie Topic Starter

    combofix run


    Ran ComboFix as directed. When complete, ran HijackThis; logs attached. Thanks.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Yeah! ComboFix got one of them:
    - - ORPHANS REMOVED - - - -
    HKU-Default-Run-msiexec.exe - msiconf.exe

    But HijackThis is still showing:
    O20 - AppInit_DLLs: sqeayo.dll
    Which needs to be removed. It's a Registry entry. Hang tight for a bit. Let me see if someone can write code (I don't) to remove this. If not, you'll have to do a regedit.

    Check and make sure the McAfee program is functioning correctly. Some 'orphan' files were removed in ComboFix.

    You can update Adobe Reader in the meantime.
    Update Adobe:
  15. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    I realize it's a registry entry
    But have you tried searching your drive for sqeayo.dll (you will need to do an advanced search, including System and Hidden files and folders)

    And then if found use this tool to remove it:
    KillBox is a tool to delete in-use files, if the file is running, KillBox will attempt to end the process (close the running file) and delete it.
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Thanks kimsland. The search was done in Post #9:
    I had hoped that a removal of msiconf.exe would take the AppInit entry with it, but no such luck.
  17. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    I'm just thinking aloud here:

    O20 - AppInit_DLLs Registry value autorun

    The AppInit_DLLs value is found in the following registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows


    Using an Administrator account, can we manually check the registry: (Start->Run->Regedit)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
    For any entry for sqeayo.dll
    And then manually remove it from there?
  18. frhentb1

    frhentb1 TS Rookie Topic Starter

    Great! Thanks, will stand by. I have run regedit once before but never actually edited the registry. I know this needs to be done with caution.
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    kimsland, I saw that site before asking for assistance. It was clear as mud to me! Seems to me someone here writes code to remove these entries, saving the user from working in the Registry.

    frhentb1, kimsland is very knowledgeable. If you want to try the regedit, go ahead. But backup the Registry first.

    I'm still looking for a 'code writer'.
  20. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Well, that's not a good sign, to start with.
    Just changing one little dot in the registry can cause the entire Windows to stop working!

    I'd like to wait, before doing this, in case others reply

    The only thing I can suggest is re-search the entire drive (hidden and system files) again. If nothing found. Wait
  21. frhentb1

    frhentb1 TS Rookie Topic Starter

    rerunning search

    kimsland and bobbye

    I will rerun the search when I get home this evening (posting reply from work). I will ensure to search hidden files, which I don't remember doing the first time. Will post results. Thanks.

  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I have not been able to find a way for you to find and delete this file except for a regedit. But I am not recommending that for you. It would require locating and deleting the file; I can't send you to a specific file. At this point, consensus is either to get help with a regedit from an experienced person, or leave it alone.

    Try one thing for me: right click on the taskbar> Task Manager> Processes tab> double click on the frame above the process names to sort> look for anything 'sqeayo'> if you see it, click to highlight> End task.

    Then do a search again, but make sure hidden files and folders show:
    Open search> files & Folders> then go up to Tools> Folder options> View tab> check 'show hidden files and folders'> now put sqeayo in the search field and search. IF you find it, do a right click> delete.

    Go back and hide the files & folders again.
  23. frhentb1

    frhentb1 TS Rookie Topic Starter

    Searching 4 sqeayo

    kimsland & bobbye

    Viewed all processes and did a search across the entire system, including system and hidden files, for sqeayo and found nothing except references in all the log files from the tools we have been running. No trace outside of log file reports for this dll.

    will watch for further advice

    many thanks

  24. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Go to your User Accounts in Control Panel
    Confirm under your name states: "Computer Administrator"
    If it does not state this, you may need to do the following in Safe Mode, under the Administrator account.

    Click on Start -> Run -> Regedit
    Maximize the Registry Editor Window that opens (if not maximized already)

    From starting at the original title "My Computer" (in Registry Editor still)
    Click on each of the + signs to expand each tree on:
    HKEY_LOCAL_MACHINE
    Software
    Microsoft
    Windows NT
    Windows <- Make sure this last one is highlighted

    Right click on the "Windows" key (the yellow folders are called "keys")
    Select Export
    Choose Desktop as the location (for convenience)
    Give it a name such as: KeyBackup

    In the right hand pane, search for any entry with sqeayo.dll in any field
    Right click on the found entry (if found)
    Select Delete, then click Yes

    At this stage I'd like you to Zip up the "KeyBackup.reg" file on your Desktop
    And then attach it to a New Reply (even if the sqeayo.dll entry was not found)

    Restart your computer
    If you did make any alterations (ie deletions) in Registry Editor
    Please now provide a new HJT log, in a new reply

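    The checks kimsland and Bobbye walk through above (Post #17's AppInit_DLLs key, Post #22's Task Manager and hidden-file search, and Post #24's export-then-delete in regedit) can be done from one script instead of by hand. The following is an added example written for this page, not code from the thread or from any of the tools named in it. It assumes an elevated PowerShell prompt (PowerShell 2.0 can be installed on XP SP3; later Windows ships it), takes the DLL name from the thread, and is read-only unless run with a `-Remediate` switch that exists only in this example. One caveat a practitioner should know: a DLL listed in AppInit_DLLs is injected into every process that loads user32.dll, so there is never a process "called" sqeayo to find in Task Manager; you have to look at the modules inside processes, which is what step 1 below does.

```powershell
# Added example, not from the thread: audit (and optionally remediate) an
# AppInit_DLLs entry such as the O20 line HijackThis kept reporting.
# Run from an elevated PowerShell prompt on the affected machine.
# Assumptions: the DLL name comes from the thread; the backup file name and
# the -Remediate switch are choices made for this example.
param(
    [string]$Suspect = 'sqeayo.dll',
    [switch]$Remediate                # default: report only, change nothing
)

$KeyPath    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$RegKeyName = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$Backup     = Join-Path $env:USERPROFILE ('Desktop\KeyBackup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# 0. Same precondition kimsland asks for: an administrator account.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

# 1. The Task Manager check, done properly: an AppInit DLL lives inside other
#    processes, so look for the module in every process rather than for a
#    process named after the DLL.
foreach ($p in Get-Process) {
    try {
        foreach ($m in $p.Modules) {
            if ($m.ModuleName -ieq $Suspect) {
                'LOADED: {0} (PID {1}) has {2} mapped from {3}' -f $p.ProcessName, $p.Id, $m.ModuleName, $m.FileName
            }
        }
    } catch { }   # access denied on protected/system processes is normal
}

# 2. Drive search including hidden and system files (-Force), the equivalent
#    of ticking 'show hidden files and folders' before using Search.
$hits = Get-ChildItem -Path 'C:\' -Filter $Suspect -Recurse -Force -ErrorAction SilentlyContinue
if ($hits) { $hits | Select-Object FullName, Length, LastWriteTime, Attributes | Format-Table -AutoSize }
else       { "No file named $Suspect found on C:\" }

# 3. Read the autorun value itself. AppInit_DLLs is a REG_SZ that may list
#    several DLLs separated by spaces or commas; an empty string is the clean default.
$win     = Get-ItemProperty -Path $KeyPath
$current = [string]$win.AppInit_DLLs
"AppInit_DLLs     = '$current'"
"LoadAppInit_DLLs = $($win.LoadAppInit_DLLs)"   # absent on XP; 0/1 on Vista and later

$entries   = @($current -split '[ ,]+' | Where-Object { $_ })
$remaining = @($entries | Where-Object { $_ -notlike "*$Suspect" })

if ($entries.Count -eq $remaining.Count) {
    "No $Suspect entry in AppInit_DLLs; nothing to remove."
    return
}
if (-not $Remediate) {
    "Found $Suspect in AppInit_DLLs. Re-run with -Remediate to back up the key and clear the entry."
    return
}

# 4. Export the key first (right-click > Export in regedit), then rewrite the
#    value with only the suspect entry removed. Leaving the value present but
#    empty, rather than deleting it, is the same end state a HijackThis O20 fix produces.
reg.exe export $RegKeyName $Backup | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Backup)) { throw "Backup to $Backup failed; aborting." }
$newValue = $remaining -join ' '
Set-ItemProperty -Path $KeyPath -Name AppInit_DLLs -Value $newValue
"Backup written to $Backup"
"AppInit_DLLs rewritten: '$current' -> '$newValue'"
"Reboot, then re-run HijackThis; the O20 line should be gone."
```

    Save it as, for example, Check-AppInit.ps1 and run `.\Check-AppInit.ps1` to audit only; nothing is changed until `.\Check-AppInit.ps1 -Remediate` is used, and even then the key is exported first so a double-click on the .reg file restores the old value. If step 2 finds nothing while step 3 still shows the entry, that matches what frhentb1 saw: a dangling registry reference to a file that is already gone, which is harmless to clear and is exactly why the Task Manager and file searches came back empty.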
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Thanks kimsland.

    frhentb1, go for it. kimsland has done a great job of laying it out for you and some of the risk element has been removed.