Sagipsul Popups, 8 Steps Completed Logs Attached

Status
Not open for further replies.
Let's clean up some leftovers:
Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
O4 - HKUS\S-1-5-19\..\Run: [toyayurela] Rundll32.exe "C:\WINDOWS\system32\titobigi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [toyayurela] Rundll32.exe "C:\WINDOWS\system32\titobigi.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: zukmyo.dll C:\WINDOWS\system32\rewikote.dll
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

Right click on Start> Explore> Windows System32> right click> delete on any of the files below if found:
titobigi.dll
toyayurela
saseneda.dll
zukmyo.dll
rewikote.dll >> Fraudulent Security Program
I cannot reliably identify this Domain. A search for 'ambusi' brings up this site:
http://www.wordcraftbook.com/writing_abi.php which then shows this URL within it:
http://www.ambusi.com/member/branding/2004/03/30/naming

There appears to be an organization named AmBusi, which is the American Business Institute (AMBUSI), an internet site for lawyers. THAT URL is: http://www.netforlawyers.com/ambusi.htm

So the way it's set up on your system isn't correct and I need you to verify these entries:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\Software\..\Telephony: DomainName = ambusi.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ambusi.com
If AmBusi is your legitimate Domain, the entries are not set up correctly.

Open IE: Tools> Internet Options> Security tab> Trusted sites> Sites> remove these from the trusted zone:
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: .sbcglobal.net
Reboot into Normal mode

Run SDFix:
SDFix: http://www.tech-101.com/viewtopic.php?f=18&t=38
* Download SDFix and save it to your Desktop.
* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Boot into Safe Mode
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Run SDFix
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here
Update and rescan with Malwarebytes again following SDFix, then do a new scan with HijackThis. Attach all the logs when through.
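The entries singled out in this post fall into a few recurring classes of HijackThis log line: an O20 AppInit_DLLs value (which loads the named DLLs into every process that links user32), O4 Run keys sitting under the LOCAL SERVICE / NETWORK SERVICE hives, O17 DNS-domain settings that do not match a domain the machine should belong to, and O15 Trusted Zone additions. As an added example that is not part of the original thread, the Python below parses HijackThis-style lines and flags exactly those classes so a helper can triage a pasted log quickly. The sample log is constructed from the lines quoted above plus one hypothetical benign O4 line; the `expected_domains` and `trusted_zone_allow` allowlists are assumptions supplied by whoever runs it.

```python
import re
from typing import FrozenSet, List, NamedTuple

# Constructed sample: the HijackThis lines quoted in the thread above, plus one
# hypothetical benign HKLM Run entry so the output shows a line that is NOT flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [toyayurela] Rundll32.exe "C:\WINDOWS\system32\titobigi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [toyayurela] Rundll32.exe "C:\WINDOWS\system32\titobigi.dll",s (User 'NETWORK SERVICE')
O15 - Trusted Zone: *.sbcglobal.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\Software\..\Telephony: DomainName = ambusi.com
O20 - AppInit_DLLs: zukmyo.dll C:\WINDOWS\system32\rewikote.dll
"""


class Entry(NamedTuple):
    section: str  # HijackThis section tag, e.g. "O4", "O17", "O20"
    body: str     # everything after the "Oxx - " prefix


class Finding(NamedTuple):
    section: str
    reason: str
    body: str


# "O4 - ..." / "R1 - ..." / "F2 - ..." all share the same "<tag> - <body>" shape.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.*?)\s*$")
# Run keys under the well-known service-account SIDs (SYSTEM, LOCAL SERVICE, NETWORK SERVICE).
SERVICE_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
HKUS_RUN_RE = re.compile(r"^HKUS\\(S-1-5-\d+)\\\.\.\\Run", re.IGNORECASE)
O17_RE = re.compile(r"\bDomain(?:Name)?\s*=\s*(\S+)", re.IGNORECASE)
O15_RE = re.compile(r"^Trusted Zone:\s*(\S+)", re.IGNORECASE)


def parse_hjt(text: str) -> List[Entry]:
    """Split a pasted HijackThis log into (section, body) entries; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries: List[Entry],
           expected_domains: FrozenSet[str] = frozenset(),
           trusted_zone_allow: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Flag the entry classes called out in the thread. Allowlists are lower-case hostnames/patterns."""
    findings: List[Finding] = []
    for e in entries:
        if e.section == "O20" and e.body.upper().startswith("APPINIT_DLLS:"):
            # AppInit_DLLs is a space- or comma-separated list; every DLL gets loaded system-wide.
            for dll in re.split(r"[,\s]+", e.body.split(":", 1)[1].strip()):
                if dll:
                    findings.append(Finding("O20", f"AppInit_DLLs loads {dll} into every GUI process", e.body))
        elif e.section == "O4":
            m = HKUS_RUN_RE.match(e.body)
            if m and m.group(1) in SERVICE_SIDS:
                who = SERVICE_SIDS[m.group(1)]
                findings.append(Finding("O4", f"Run key under the {who} hive; interactive software does not belong there", e.body))
        elif e.section == "O17":
            m = O17_RE.search(e.body)
            if m and m.group(1).lower() not in expected_domains:
                findings.append(Finding("O17", f"DNS domain {m.group(1)} is not an expected domain for this machine", e.body))
        elif e.section == "O15":
            m = O15_RE.match(e.body)
            if m and m.group(1).lower() not in trusted_zone_allow:
                findings.append(Finding("O15", f"{m.group(1)} in the IE Trusted Zone runs with relaxed browser security", e.body))
    return findings


if __name__ == "__main__":
    # Assumption for the demo: the box is a standalone home PC, so no domain or trusted site is expected.
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.section}] {f.reason}\n    {f.body}")
```

Passing `expected_domains=frozenset({"ambusi.com"})` would silence the O17 findings for a machine that genuinely belongs to that domain, which is the question the post asks the user to settle before the entries are fixed; the parser itself never touches the registry, so it can be run on any pasted log offline.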
 
Wow, thank you very much for taking the time to help me out Bobbye.

I did everything you suggested and have attached the new logs.

In regards to Ambusi...it is the former name of the company I work for. The domain is no longer in use, however we still have the domain name. Do I need to make any changes with the ambusi.com entries?

Thanks Again.

-Dax
 
The domain is no longer in use, however we still have the domain name.
Then the entries should be removed.

Did you find and delete any or all of these files?
Quote:
titobigi.dll
toyayurela
saseneda.dll
zukmyo.dll
rewikote.dll >> Fraudulent Security Program
I am concerned about the security you're running. All I see are the two ActiveX files loading for McAfee:
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab>> for McAfee Security Installer Control.
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab>> process info for McAfee Security Download Control.
But there are no McAfee programs entries and no McAfee Services running as there should be if you have the McAfee security installed. Can you fill me in on this please? Were you using this as part of a corporate network? Maybe the defunct Domain. Because it does not appear that you have a fully functioning security program.

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n028p/EN/install/gtdownlr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\Software\..\Telephony: DomainName = ambusi.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ambusi.com
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.


Regarding this entry:
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://parachute.webex.com/client/v_mywebex-t20/event/ieatgpc.cab
Please see the CERT Advisory on the potential buffer overflow. If you need an update, get it. If you need to disable the ActiveX entry, do it.
WebexUCFObject ActiveX Control stack buffer overflow:
http://www.kb.cert.org/vuls/id/661827
Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 11 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.
Remove the older versions of Java:
1. Click Start, Control Panel, Add/Remove Programs.
2. Delete all Java updates except J2SE Runtime Environment 6.0 Update 11
What is the status of the original pop-ups? Have we resolved that issue? Are you having any other problems?
 