Sagipsul Infection -- did the 8 step process

Status
Not open for further replies.

frhentb1

Hello...this is my first post. This forum is very helpful. Got infected by annoying Sagipsul trojan and ran the 8 step process. Have cleaned off everything and updated JRE as directed. I have attached log files.

After running through the steps, popups have stopped and sites are no longer blocked in Firefox.

Please check logs and let me know if I have removed this successfully.

Many Thanks
 
Your fix looks successful. A combination of Superantispyware and Malwarebytes removes this infection.

I would use Avira as in the 8 step guide instead of AVG from now on to give your PC fuller protection.
 
rev_olie, I seem to be following you on several threads. I want to bring your attention to something. Finding malware removed is not enough. In this case, Mbam found a great deal of malware and some needed a reboot to remove. You cannot assume the user has done that.

Additionally, this person is using two antivirus programs. That is not good.

frhentb1, please decide whether you want McAfee or AVG on the system- remove the other program. More than one AV program can cause a conflict that may mean less protection, not more.
AVG:
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
This entry is questionable: avgrsstx.dll is a valid AVG entry, but the sqeayo.dll is not. We'll see what happens with this if you uninstall AVG.
O20 - AppInit_DLLs: sqeayo.dll,avgrsstx.dll

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
McAfee:
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

After you have handled this, please update and scan with Malwarebytes, followed by a new scan with HijackThis. Please attach both logs.
 
Sagipsul removal

Bobbye & rev_olie

Thanks for the quick reply. I slicked AVG and am running just McAfee. Reran Malwarebytes and HijackThis... logs attached. Hopefully this is resolved. Appreciate your expertise.
 
Bobbye,
Sorry for not checking both on the rescan and spelling.

As you can see I said:
I would use Avira as in the 8 step guide instead of AVG from now on to give your PC fuller protection

This was a mistake and I meant to also add McAfee to the recommendation as well as AVG.

Also, assuming with the pop-ups stopping and the recommendations that Malwarebytes gives, the user did indeed restart.
 
I would use Avira as in the 8 step guide instead of AVG from now on to give your PC fuller protection
This was a mistake and i mean to also add McAfee to the recommendation as well as AVG.
But you're recommending more than one antivirus program!
Security should be:
One antivirus program
One firewall
Two or more spyware/adware programs.

Good- glad to see Mbam come out clean this time! But there is some malware in HijackThis. I missed this entry first time around- my apology. The third entry is the one I said we'd check after AVG was removed:
These are the entries. I'll have you run SDFix, then rescan with HijackThis. Hopefully they will be gone.
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O20 - AppInit_DLLs: sqeayo.dll

msiconf.exe is a variant of the Trojan.Fakealert Trojan.

SDFix is a specialized file tool created by AndyManchesta to remove IRCBot variants, backdoor Trojans and the Rootkit components that come with them. This includes Msiconf.exe.

SDFix Instructions:
Please follow exactly. Use the screen shots to assist with what you are seeing.
http://www.bleepingcomputer.com/forums/topic131299.html


Please attach new HijackThis log when through.
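The entries Bobbye is picking out above (the bare `msiconf.exe` autoruns, the `O20 - AppInit_DLLs` line, and the earlier point about two antivirus products) can be checked mechanically. The script below is an added example written for this thread, not a tool from TechSpot or from the HijackThis project; it parses O4/O20/O23 lines with regular expressions I wrote for the line shapes shown here, and the allow-list `KNOWN_APPINIT_DLLS` and the vendor keyword list `AV_VENDOR_KEYWORDS` are assumptions seeded from what the thread says, not a reference database. The sample log is constructed from lines quoted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O20 - AppInit_DLLs: sqeayo.dll,avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

# Assumed allow-list: the thread states avgrsstx.dll is a legitimate AVG component.
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}
# Assumed (deliberately short) vendor keywords used to spot more than one resident antivirus.
AV_VENDOR_KEYWORDS = ("AVG", "McAfee", "Avira")

# Line shapes as they appear in the logs above (hive: [value name] command (User '...')).
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<vendor>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section the line came from (O4, O20, O23)
    reason: str
    line: str


def _check_o4(m: re.Match, line: str) -> list:
    findings = []
    name, cmd = m["name"], m["cmd"].strip().strip('"')
    # The executable is the first *.exe token; for "C:\...\mcagent.exe /runkey" that is mcagent.exe.
    exe_match = re.search(r'([^\\\s"]+\.exe)', cmd, re.IGNORECASE)
    exe = exe_match.group(1) if exe_match else cmd
    # An autorun naming a bare file is resolved by search order at logon rather than a fixed location.
    if not re.match(r"[A-Za-z]:\\|%", cmd):
        findings.append(Finding("O4", f"[{name}] runs {exe} without an absolute path", line))
    # A value name that looks like a Windows binary but launches a different file is a disguise.
    if name.lower().endswith(".exe") and exe.lower() != name.lower():
        findings.append(Finding("O4", f"value name '{name}' mimics a system binary but launches {exe}", line))
    return findings


def triage(log_text: str) -> list:
    findings, av_vendors = [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O4_RE.match(line):
            findings.extend(_check_o4(m, line))
        elif m := O20_RE.match(line):
            # AppInit_DLLs is loaded into every process that loads user32.dll, so anything unexpected here matters.
            for dll in re.split(r"[,\s]+", m["dlls"].strip()):
                if dll and dll.lower() not in KNOWN_APPINIT_DLLS:
                    findings.append(Finding("O20", f"AppInit_DLLs loads unrecognised {dll}", line))
        elif m := O23_RE.match(line):
            for vendor in AV_VENDOR_KEYWORDS:
                if vendor.lower() in m["vendor"].lower():
                    av_vendors.add(vendor)
    # Bobbye's point: two resident antivirus products conflict rather than add protection.
    if len(av_vendors) > 1:
        findings.append(Finding("O23", "services from more than one antivirus vendor: " + ", ".join(sorted(av_vendors)), ""))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}")
```

Run against the sample it reports the two `msiconf.exe` autoruns twice each (no path, and a value name borrowed from `msiexec.exe`), flags `sqeayo.dll` while leaving `avgrsstx.dll` alone, and notes that both AVG and McAfee services are present. Feeding it a fresh log after each cleanup step is a quicker check than rereading the whole file by eye.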
 
Did you check the SDFix log to see what was found? These entries remain:
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O20 - AppInit_DLLs: sqeayo.dll

Since SDFix, which is the recommended repair, failed, something is protecting it, so we'll have to do a manual repair:
Step 1: Use Windows File Search Tool to Find msiconf.exe Path
1. Go to Start > Search > All Files or Folders.
2. In the "All or part of the file name" section, type in "msiconf.exe" file name(s).
3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
4. When Windows finishes your search, hover over the "In Folder" of "msiconf.exe", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete msiconf.exe in the following manual removal steps.
Step 2: Use Windows Task Manager to Remove msiconf.exe Processes
1. To open the Windows Task Manager, right click on Taskbar> Task Manager
2. Click on the "Image Name" button to search for "msiconf.exe" process by name.
3. Select the "msiconf.exe" process and click on the "End Process" button to kill it.
Step 3: Detect and Delete Other msiconf.exe Files

1. To open the Windows Command Prompt, go to Start > Run > cmd and then press the "OK" button.
2. Type in "dir /A name_of_the_folder" (for example, C:\Spyware-folder), which will display the folder's content even the hidden files.
3. To change directory, type in "cd name_of_the_folder".
4. Once you have the file you're looking for type in del "name_of_the_file".
5. To delete a file in folder, type in "del name_of_the_file".
6. To delete the entire folder, type in "rmdir /S name_of_the_folder".
7. Select the "msiconf.exe" process and click on the "End Process" button to kill it.
NOTE: when you are doing the 'Search' in Step 1, please include a search for sqeayo.dll

When you have finished with the deletions, please rescan with HijackThis and attach new log.
 
After running SDFix - Looking for msiconf.exe

Bobbye

ran a search as directed for both msiconf.exe and sqeayo.dll and no results were found. I also checked the task manager and there are no processes labelled msiconf.exe.

Maybe this malware is dead and buried?

frhentb1
 
SDFix Logs

Bobbye

here is what SDFix wrote out:

In the file called 'Report'

SDFix: Version 1.240
Run by Administrator on Fri 01/02/2009 at 07:52 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :



In TESTADS1
C:\WINDOWS
No streams found.

In TESTADS2
C:\WINDOWS\explorer.exe

In TESTADS3
C:\WINDOWS\explorer.exe

In TESTADS4
C:\WINDOWS\system32
No streams found.

In TESTADS5
C:\WINDOWS\system32\svchost.exe

in TESTADS6
C:\WINDOWS\system32\ntoskrnl.exe

What do you think?
many thanks
 
I think we need to run one more program. As long as the O20 - AppInit_DLLs: sqeayo.dll is coming up, you still have malware somewhere.

Please download ComboFix.: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.


Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Rescan with HijackThis after ComboFix and attach both logs.
 
Yeah! ComboFix got one of them:
- - ORPHANS REMOVED - - - -
HKU-Default-Run-msiexec.exe - msiconf.exe

But HijackThis is still showing:
O20 - AppInit_DLLs: sqeayo.dll
Which needs to be removed. It's a Registry entry. Hang tight for a bit. Let me see if someone can write code (I don't) to remove this. If not, you'll have to do a regedit.

Check and make sure the McAfee program is functioning correctly. Some 'orphan' files were removed in ComboFix.

You can update Adobe Reader in the meantime.
Update Adobe:
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version v9: https://www.techspot.com/downloads/2083-adobe-reader-dc.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php
 
I realize it's a registry entry
But have you tried searching your drive for sqeayo.dll (you will need to do an advanced search, including System and Hidden files and folders)

And then if found use this tool to remove it:
KillBox is a tool to delete in-use files; if the file is running, KillBox will attempt to end the process (close the running file) and delete it.

http://www.killbox.net/downloads/KillBox.exe
 
Thanks kimsland. The search was done on Post #9:
ran a search as directed for both msiconf.exe and sqeayo.dll and no results were found.
I had hoped that a removal of msiconf.exe would take the AppInit entry with it but no such luck.
 
I'm just thinking aloud here:

O20 - AppInit_DLLs Registry value autorun

The AppInit_DLLs value is found in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

Ref: http://support.microsoft.com/default.aspx?scid=kb;en-us;197571



Using an Administrator account, can we manually check registry: (start->Run->Regedit)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
For any entry for sqeayo.dll
And then manually remove it from there :confused:
 
bobbye
Great! Thanks... will stand by. I have run regedit once before but never actually edited the registry... I know this needs to be done with caution.
 
kimsland, I saw that site before asking for assistance. It was clear as mud to me! Seems to me someone here writes code to remove these entries, saving the user from working in the Registry.

frhentb1, kimsland is very knowledgeable. If you want to try the regedit, go ahead. But backup the Registry first.

I'm still looking for a 'code writer'.
 
bobbye
Great! Thanks... will stand by. I have run regedit once before but never actually edited the registry... I know this needs to be done with caution.
Well that's not a good sign, to start with.
Just changing one little dot in the registry can cause the entire Windows to stop working!

I'd like to wait, before doing this, in case others reply

The only thing I can suggest is to re-search the entire drive (hidden and system files) again. If nothing is found, wait.
 
rerunning search

kimsland and bobbye

I will rerun the search when I get home this evening (posting reply from work)... I will make sure to search hidden files, which I don't remember doing the first time. Will post results... thanks

frhentb1
 
I have not been able to find a way for you to find and delete this file except for a regedit. But I am not recommending that for you. It would require locating and deleting the file- I can't send you to a specific file. At this point, consensus is either to get help with a regedit from an experienced person, or leave it alone.

Try one thing for me: right click on the taskbar> Task Manager> Processes tab> double click on the frame above the process names to sort> look for anything 'sqeayo'> if you see it, click to highlight> End task.

Then do a search again, but make sure hidden files and folders show:
Open search> files & Folders> then go up to Tools> Folder options> View tab> check 'show hidden files and folders'> now put sqeayo in the search field and search. IF you find it, do a right click> delete.

Go back and hide the files & folders again.
 
Searching 4 sqeayo

kimsland & bobbye

Viewed all processes and did a search across the entire system, including system and hidden files, for sqeayo and found nothing except references in all the log files from the tools we have been running. No trace outside of the log file reports for this dll.

will watch for further advice

many thanks

frhentb1
 
Go to your User Accounts in Control Panel
Confirm that under your name it states: "Computer Administrator"
If it does not state this, you may need to do the following in Safe Mode, under the Administrator account.

Click on Start -> Run -> Regedit
Maximize the Registry Editor Window that opens (if not maximized already)

Starting at the original title "My Computer" (still in Registry Editor)
Click on each of the + signs to expand each tree on:
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows NT
CurrentVersion
Windows
<- Make sure this last one is highlighted

Right click on the "Windows" key (the yellow folders are called "keys")
Select Export
Choose Desktop as the location (for convenience)
Give it a name such as: KeyBackup
Ok

In the right hand pane, search for any entry with sqeayo.dll in any field
Right click on the found entry (if found)
Select Delete, then click Yes

At this stage I'd like you to Zip up the "KeyBackup.reg" file on your Desktop
And then attach it to a New Reply (even if the sqeayo.dll entry was not found)

Restart your computer
If you did make any alterations (i.e. deletions) in Registry Editor
Please now provide a new HJT log, in a new reply

:)
 
Thanks kimsland.

frhentb1, go for it. kimsland has done a great job of laying it out for you and some of the risk element has been removed.
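kimsland's regedit walkthrough above (export the `Windows` key as a backup, then delete the `sqeayo.dll` entry from `AppInit_DLLs`) can also be done as a script that refuses to write anything before the backup exists. This is an added example written for this thread, not something from TechSpot or any of the tools mentioned; it assumes Python 3 with the standard `winreg` module on the Windows machine and uses `reg export` for the backup. The value parsing is kept in pure functions (`split_appinit`, `remove_dll`) so it can be exercised on any platform, and the registry write is opt-in via `--apply`. The key path and the DLL name are the ones quoted in the thread.

```python
import datetime
import ntpath
import os
import re
import subprocess
import sys

# Key that holds the value (under HKEY_LOCAL_MACHINE), as given earlier in the thread.
APPINIT_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
VALUE_NAME = "AppInit_DLLs"


def split_appinit(value: str) -> list:
    """AppInit_DLLs is one string; Windows accepts commas or spaces between entries."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def remove_dll(value: str, dll: str) -> str:
    """Return the value with every entry whose file name matches `dll` dropped, keeping the rest intact."""
    keep = [p for p in split_appinit(value) if ntpath.basename(p).lower() != dll.lower()]
    return ",".join(keep)


def backup_key(dest_dir: str) -> str:
    """Export the key with reg.exe before any change (the 'KeyBackup' step in the post above)."""
    stamp = datetime.datetime.now().strftime("%Y%m%d-%H%M%S")
    dest = os.path.join(dest_dir, f"KeyBackup-{stamp}.reg")
    subprocess.run(["reg", "export", "HKLM\\" + APPINIT_KEY, dest], check=True)
    return dest


def clean_appinit(dll: str, backup_dir: str, apply: bool = False) -> tuple:
    """Read the live value; with apply=True, back the key up and then write the cleaned value.

    Windows only; writing needs an administrator account, which matches the thread's advice.
    """
    import winreg  # Windows-only module, imported here so the pure helpers above run anywhere
    access = winreg.KEY_READ | (winreg.KEY_SET_VALUE if apply else 0)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY, 0, access) as key:
        current, kind = winreg.QueryValueEx(key, VALUE_NAME)
        cleaned = remove_dll(current, dll)
        if apply and cleaned != current:
            backup_key(backup_dir)                      # never write without a backup on disk
            winreg.SetValueEx(key, VALUE_NAME, 0, kind, cleaned)  # keep REG_SZ/REG_EXPAND_SZ as found
    return current, cleaned


if __name__ == "__main__":
    if sys.platform == "win32":
        before, after = clean_appinit("sqeayo.dll", os.path.expanduser("~\\Desktop"), apply="--apply" in sys.argv)
        print(f"before: {before!r}\nafter:  {after!r}")
    else:
        # Off Windows, show the string handling on the value from the thread's first log.
        print(remove_dll("sqeayo.dll,avgrsstx.dll", "sqeayo.dll"))
```

Run it once without `--apply` to see the current value and what would be written; only rerun with `--apply` if the "after" value is what you expect. After AVG was removed the value in this thread is just `sqeayo.dll`, so the cleaned value is an empty string, which is the normal state of `AppInit_DLLs` on a machine with nothing injected. Reboot and rescan with HijackThis afterwards, as kimsland asks.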
 