Sagipsul Virus - Have solved some problems, but I need more help

By cbizz · 4 replies
Jan 4, 2009
  1. I have been infected with some type of "Sagipsul" virus. My computer has the following symptoms:

    -Porn icons used to come up on the desktop. A virus scan from Symantec antivirus, followed by a delete or quarantine fixed this issue.

    -Sometimes, my computer would initiate a shutdown with a 60 second timer. I got around this issue by opening a command prompt, and then typing "shutdown -a" to abort the shutdown.

    -Also, I used to be getting some type of error in svchost.exe, but opening Windows in safe mode, doing a Symantec scan, and removing the infected files fixed this.

    Even after all this, I still think I have some type of infection because I still am getting popups to go to sites like:
    sagipsul dot com /go/...

    I think I have something called the "SuperJuan" virus:
    antispyware dot com /glossary_details.php?ID=133826

    However, when I try to run the SuperJuan removal tool, I am greeted with the following message:
    "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode or if the Windows installer is not correctly installed. Contact your support personnel for assistance."

    Lastly, I am unable to view the homepages for companies like Symantec or Norton. I receive this message:
    "Server Error in '' Application.
    HTTP Error 404 - Not Found.
    Version Information: Autodesk EDM Web Server "

    Note that you can go through a proxy to fix this problem, but that is only a temporary solution. I have attached my HijackThis log. If anyone can help, please do so! If I come across any way to fix it, I will post it here.

  2. peteC

    peteC TS Rookie

    There are more characteristics for the virus.

    1) multiple random named dll files are created under windows/system32

    The randomness makes instructions on removal difficult because
    you can't say remove file aaqrxdht.dll because all files will be different
    for everyone. All the DLLs are identical and have the same number
    of bytes, created at the same time, and if you can do a "check sum"
    command have identical checksums (means they are identical)

    2) There is a registry entry that starts a number of these random named .dll
    files. I don't recall exactly where but a search for juan or sagipsul should
    show you them.

    3) The scheduled tasks under control panel starts up a random
    named dll. Remove that scheduled task.

    4) Sites like avg, windows update, even
    will be blocked. HOWEVER, the numeric IP does get you to the site.
    Also, a Google search may show you a link but the link will be
    blocked, BUT, can be worked around if a "cached" link is available.
    The cached link is not seen as a direct link to the blocked site.

    5) Related to #4. You might be able to download a virus protection .exe,
    BUT, if that .exe calls on a web site that is blocked, your install will fail.

    6) I believe there is one random named .dll that resists removal/renaming
    because it is in use. I think there is an AppInit registry entry that
    may be called by Windows login. That registry entry may have been
    changed to point to the random named .dll. I'm not an expert but
    I think that may be the case. Other registry entries may exist but
    I have no idea if it can be deleted or the value changed to a safe

    Pete C

    I forgot one

    7) Restore points are lost
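The indicators peteC lists above can be checked mechanically instead of by eye. The script below is an added example, not something posted in the thread: it is read-only, reports the items from peteC's list (the section numbers follow his numbering), and deletes nothing. It assumes an elevated Windows PowerShell 5.1 prompt on a modern Windows; the eight-lowercase-letter filename pattern and the hash grouping are heuristics chosen here, not something the thread specifies.

```powershell
# Added triage script (not from the thread). Read-only: it reports the
# indicators peteC lists and deletes nothing. Run from an elevated Windows
# PowerShell 5.1 prompt. The 8-lowercase-letter name pattern and the hash
# grouping are heuristics chosen here, not something the thread specifies.

$sys32 = Join-Path $env:SystemRoot 'System32'

'== 1) Groups of byte-identical DLLs in System32 =='
# Group by size first (cheap), then hash only the size collisions.
$groups = Get-ChildItem -LiteralPath $sys32 -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    Group-Object Length | Where-Object Count -gt 1 |
    ForEach-Object { $_.Group | Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue } |
    Group-Object Hash | Where-Object Count -gt 1

foreach ($g in $groups) {
    "SHA256 $($g.Name)"
    foreach ($h in $g.Group) {
        $f = Get-Item -LiteralPath $h.Path
        # Legitimate Microsoft files can share content (stubs, forwarders); an
        # unsigned file with a random-looking 8-letter name is the suspicious case.
        $sig = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
        $odd = if ($f.Name -match '^[a-z]{8}\.dll$') { '  random-looking name' } else { '' }
        "  {0,-20} {1,9} bytes  created {2:yyyy-MM-dd HH:mm}  sig={3}{4}" -f $f.Name, $f.Length, $f.CreationTime, $sig, $odd
    }
}
if (-not $groups) { '(none)' }

'== 2) Run values that launch a DLL through rundll32 =='
foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $k)) { continue }
    # PS* properties are provider metadata, not registry values.
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match 'rundll32' } |
        ForEach-Object { "{0}  [{1}] = {2}" -f $k, $_.Name, $_.Value }
}

'== 3) and 6) AppInit_DLLs (loaded into every process that loads user32.dll) =='
$winKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$p = Get-ItemProperty -Path $winKey
"AppInit_DLLs     = '$($p.AppInit_DLLs)'"
"LoadAppInit_DLLs = $($p.LoadAppInit_DLLs)"   # absent on XP; 0 disables the mechanism on Vista and later

'== 3) Scheduled tasks whose action is rundll32 =='
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $t = $_
    $t.Actions | Where-Object { $_.Execute -match 'rundll32' } |
        ForEach-Object { "{0}{1}: {2} {3}" -f $t.TaskPath, $t.TaskName, $_.Execute, $_.Arguments }
}

'== 7) System Restore points =='
$rp = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
"$($rp.Count) restore point(s) present"
```

On 64-bit Windows the 32-bit AppInit_DLLs value lives under the matching `Wow6432Node` key and should be read as well; on systems older than Windows 8, where `Get-ScheduledTask` does not exist, `schtasks /query /v /fo csv | ConvertFrom-Csv` gives the same task list with the action in the "Task To Run" column.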
  3. rf6647

    rf6647 TS Maniac Posts: 829

    Case of Difficulty - Malware Removal sites not reachable
    See this post
    See messages 3 & 4.
    Something as simple as renaming application's executable or using another computer to obtain programs could do it.

    • Following the Guide: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions creates a common beginning for an initial assessment.

    • Seeing is believing - complaining of sagipsul -
      • Without supporting logs, anything caught by HJT is used to suggest changes.
      • However, the MBAM and/or SAS logs will improve handling of this threat.
        • Scan with this pair (MBAM, SAS) until clean or until it uncovers something that won't clear
      • Scan with HJT. Tick & Fix. Restart the computer.
      O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
      O4 - HKLM\..\Run: [Wkuvetofi] rundll32.exe "C:\WINDOWS\Wwujilominixigot.dll",e
      O4 - HKLM\..\Run: [Vrokufi] rundll32.exe "C:\WINDOWS\ofelilunut.dll",e
      O4 - HKLM\..\Run: [444cef88] rundll32.exe "C:\WINDOWS\system32\rkedfiiw.dll",b
      O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL itaweq.dll
      O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}
      Start > run  control desk.cpl,,0  > customize desktop  >  web  > click bad reference & delete
    Delete files - if present - from the list inside code box

    Post new logs if problems are still present.
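The O4 and O20 lines rf6647 lists can also be handled by script rather than ticked in HijackThis. The following is an added example, not part of the thread: it parses those exact lines, removes the Run values they name, strips the `itaweq.dll` entry from AppInit_DLLs (keeping the Google Desktop DLL in the same value, a choice made here; HijackThis would clear the whole value, which is also acceptable), and deletes the referenced files. A file that resists deletion because it is in use, the case peteC raised, is queued for removal at the next boot through the Win32 `MoveFileEx` call with `MOVEFILE_DELAY_UNTIL_REBOOT`. With `$Apply = $false` it only prints the plan; setting it to `$true` requires an elevated prompt.

```powershell
# Added example, not from the thread: acts on the HijackThis lines rf6647
# listed instead of ticking them by hand. $Apply = $false only prints the plan;
# set it to $true, from an elevated prompt, to change the system. The Run value
# goes first so nothing references the file any more, then the file; a file
# that is in use (peteC's point 6) is queued for deletion at the next boot via
# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT.
$Apply = $false

# The O4/O20 lines exactly as posted in the thread.
$hjtLines = @'
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [Wkuvetofi] rundll32.exe "C:\WINDOWS\Wwujilominixigot.dll",e
O4 - HKLM\..\Run: [Vrokufi] rundll32.exe "C:\WINDOWS\ofelilunut.dll",e
O4 - HKLM\..\Run: [444cef88] rundll32.exe "C:\WINDOWS\system32\rkedfiiw.dll",b
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL itaweq.dll
'@
$hjtLines = $hjtLines -split "`r?`n"

# Only this AppInit entry is stripped; the Google Desktop DLL in the same value
# is kept (a choice made here; HijackThis would clear the whole value).
$badAppInit = @('itaweq.dll')
$appInitKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 4

function Remove-FileOrSchedule([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { "  not present: $Path"; return }
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        "  deleted: $Path"
    } catch {
        # Locked because a process has it loaded: a NULL destination tells the
        # session manager to delete it during the next boot, before it is loaded again.
        if ([Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            "  in use; queued for deletion at reboot: $Path"
        } else {
            "  FAILED: $Path (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
        }
    }
}

foreach ($line in $hjtLines) {
    if ($line -match '^O4 - (?<hive>HKLM|HKCU)\\\.\.\\Run: \[(?<name>[^\]]+)\] (?<cmd>.+)$') {
        $key  = "$($Matches.hive):\Software\Microsoft\Windows\CurrentVersion\Run"
        $name = $Matches.name
        $cmd  = $Matches.cmd
        # The quoted path is the payload: for rundll32 lines that is the DLL, not rundll32.exe.
        $file = if ($cmd -match '"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        "Run value [$name] -> $file"
        if ($Apply) {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            Remove-FileOrSchedule $file
        }
    }
    elseif ($line -match '^O20 - AppInit_DLLs: (?<list>.+)$') {
        $entries = $Matches.list -split '\s+'
        $keep = @($entries | Where-Object { $badAppInit -notcontains (Split-Path $_ -Leaf) })
        $drop = @($entries | Where-Object { $badAppInit -contains    (Split-Path $_ -Leaf) })
        "AppInit_DLLs '$($entries -join ' ')' -> '$($keep -join ' ')'"
        if ($Apply) {
            Set-ItemProperty -Path $appInitKey -Name AppInit_DLLs -Value ($keep -join ' ')
            foreach ($e in $drop) {
                # A bare name in AppInit_DLLs is loaded from System32.
                $full = if ([IO.Path]::IsPathRooted($e)) { $e } else { Join-Path $env:SystemRoot "System32\$e" }
                Remove-FileOrSchedule $full
            }
        }
    }
}
```

The O24 desktop component is left to the `desk.cpl` steps rf6647 gives. Reboot after running with `$Apply = $true` so any queued deletions happen before the DLLs can be loaded again, then rescan and post fresh logs as the thread asks.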
  4. peteC

    peteC TS Rookie

    I'll explain.

    The blocking being done, prevents any install .exe from accessing their
    web site for either software to install, modules and files to install or
    virus database files that detect and correct.

    It is not the name of the .exe, it's what that install file .exe does to install the
    anti-virus programs.

    For example: If symantec.com has a sagipsul virus removal tool
    called sagi-remove. You could be instructed by symantec.com to download
    the install program. That install program say being named setup.exe. That
    program would be the one that installs sagi-remove.exe that will fix the virus.

    1) The sagipsul site blocking will prevent you from accessing www.symantec.com.

    You can then choose to use another PC to download setup.exe from www.symantec.com
    as a work around. You put that on a flash disk USB thumb drive.

    You put that setup.exe on the infected PC. You execute it. That setup.exe
    program does an install by accessing the internet to get to the symantec.com
    location that has all the module files and virus detection and prevention database
    files. The infected PC blocks access to the symantec.com domain, as you remember.
    Result, your install fails because essential access to symantec.com by setup.exe
    is blocked. Renaming setup.exe won't fix that.

    Let's try another approach, install setup.exe on the good computer. If you
    do that, do you know what files to copy to the infected PC, and what about
    things like registry entries that setup.exe made or other changes to existing
    files not just the new files? Can you reproduce by hand copies, text and
    maybe binary edits the actions that setup.exe did?

    If the anti-virus is truly simple and self contained (that is portable) you could
    install it all (MAYBE) on a thumb drive. That's not going to be from the big anti-virus software makers.

    The thing to do is find out HOW that virus is blocking access to microsoft,
    mcafee, norton, symantec, malwarebytes, techguy, avg, and all the rest.
    If that can be fixed FIRST, then you can get the sagipsul removal anywhere it
    can be found.
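peteC's closing point is to find out how the block works before fighting the installers. The thread gives two clues: vendor sites fail by name but work by numeric IP, and a proxy (which does its own name resolution) gets through. Both fit tampering at the name-resolution level. The script below is an added example, not from the thread, that checks the two cheapest explanations, hosts-file overrides and altered DNS servers, and then compares what applications on the machine resolve with what a public resolver returns. It is read-only and assumes Windows PowerShell 5.1 with the DnsClient module; the domain list, the vendor keyword pattern and the reference resolver are assumptions made here.

```powershell
# Added example, not from the thread. Checks the name-resolution explanations
# for "vendor sites fail by name but work by IP": hosts-file overrides,
# altered DNS servers, and a comparison of local resolution against a public
# resolver. Read-only. Domain list, vendor keywords and reference resolver are
# assumptions made here.

$domains = 'www.symantec.com', 'www.mcafee.com', 'www.malwarebytes.com',
           'update.microsoft.com', 'www.avg.com'
$vendorPattern = 'symantec|norton|mcafee|microsoft|windowsupdate|malwarebytes|avg|kaspersky|avast|trend'
$refServer = '1.1.1.1'
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsOverrides([string]$Path) {
    # Returns every active (non-comment) entry except the stock localhost ones.
    Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $text = ($_ -split '#', 2)[0].Trim()
        if (-not $text) { return }
        $parts = $text -split '\s+'
        if ($parts.Length -lt 2) { return }
        [pscustomobject]@{ Address = $parts[0]; Names = @($parts[1..($parts.Length - 1)]) }
    } | Where-Object { $_.Names -notcontains 'localhost' }
}

"== hosts file: $hostsPath =="
# A hidden or read-only hosts file is itself a sign someone has been here.
"attributes: $((Get-Item -LiteralPath $hostsPath -Force -ErrorAction SilentlyContinue).Attributes)"
$overrides = @(Get-HostsOverrides $hostsPath)
foreach ($o in $overrides) {
    $flag = if (($o.Names -join ' ') -match $vendorPattern) { '   <-- security vendor name' } else { '' }
    "{0,-16} {1}{2}" -f $o.Address, ($o.Names -join ' '), $flag
}
if (-not $overrides) { '(no overrides)' }

'== DNS servers per adapter =='
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    ForEach-Object { "{0}: {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ', ') }

"== what applications resolve vs. $refServer =="
$seen = @{}
foreach ($d in $domains) {
    # GetHostAddresses takes the normal Winsock path (hosts file, cache,
    # configured servers), i.e. what an installer such as setup.exe would get.
    try { $local = @([System.Net.Dns]::GetHostAddresses($d) | ForEach-Object IPAddressToString) }
    catch { $local = @() }
    $ref = @(Resolve-DnsName -Name $d -Type A -Server $refServer -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object IPAddress | ForEach-Object IPAddress)
    foreach ($ip in $local) { $seen[$ip] = 1 + [int]$seen[$ip] }
    $note = if (-not $local)   { 'local resolution FAILED' }
            elseif (-not $ref) { 'reference lookup failed (is the machine online?)' }
            elseif ($local | Where-Object { $_ -match '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|0\.)' }) {
                'local answer is loopback/private: override' }
            elseif ($local | Where-Object { $ref -notcontains $_ }) {
                'differs from reference (CDNs answer differently per resolver; compare address owners before concluding)' }
            else { 'ok' }
    "{0,-24} local={1,-18} ref={2,-18} {3}" -f $d, ($local -join ','), ($ref -join ','), $note
}
# Several unrelated vendor names landing on one address is the classic hijack signature.
$shared = $seen.GetEnumerator() | Where-Object Value -gt 1
foreach ($s in $shared) { "NOTE: $($s.Value) of the test names resolve to $($s.Key)" }

'If every check above is clean, the block sits below name resolution: inspect "netsh winsock show catalog" for unfamiliar LSP entries, firewall rules, and third-party network filter drivers.'
```

If the hosts file or DNS settings turn out to be the mechanism, fixing them first (restoring the stock hosts file, setting the DNS servers back to the ISP or router) is what lets a vendor's setup.exe reach its download site, which is exactly the order peteC argues for. A clean result here does not prove the absence of a block at the Winsock LSP or driver level; `netsh winsock reset` is the usual repair for a tampered LSP catalog.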
  5. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Great info peteC. Although it may be best placed in the Meeting Spot forum (not actually sure)

    Probably best for rf6647 to try to get back to resolving the issue now ;)
    Presently waiting for cbizz to "Post new logs" to be reviewed by support.
Topic Status:
Not open for further replies.
