Sagispul and Vundo - help a fella out please

By TTR · 17 replies
Jan 3, 2009
  1. Hi there,

    First time poster but have found the info on this site to be so helpful.

    Few days ago I picked up sagispul bug (kept getting the pop ups) and following the 8 part process on this site, Malwarebytes and SAS also picked up and removed Vundo. Have re-run them (fully updated) and doesn't seem to be picking anything up and also re-run McAfee and nothing coming up. Normally use McAfee with no problems at all so a little freaked out that it did not get them.

    Would be really grateful if someone could look at my logs attached and let me know if I have indeed got rid of them?

    Thanks in advance and happy new year!
  2. ascot54

    ascot54 TS Rookie Posts: 87

    Hi TTR,

    I'm still learning the log files etc,
    however from experience, McAfee stuffed my pc up big time..

    Personally, I then went to Norton, all was well for a while, then same thing happened.

    now I have Avast, free updates...
    it's recommended on here with Avira..

    Follow the 8 step guide as listed at start of forum...
    I have used it again this week for 2nd time and running clean again.

    worth going into "safe mode" (hit F8, before windows boot screen) and run the checks..

    also ensure the databases are up to date on Malware and SAS...
    if you still have probs
    run ComboFix then SDFix, links available on here

    I'd disable McAfee while you do the above,

  3. TTR

    TTR TS Rookie Topic Starter

    thanks buddy.

    followed the steps and everything looks clean to me. All the databases were up to date. Not sure if anything in the hijack log would indicate if there is a problem there? Anyone who can have a look I would be very grateful.
  4. ascot54

    ascot54 TS Rookie Posts: 87


    HJT log..
    I didn't see anything personally, mind you I'm comparing it to my recent attack.
    although a service on 23 caught my eye..

    looked ok

    few things there which presume you selected to quarantine and then delete..!!!



    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exes

    that was what caught my eye....
  5. rev_olie

    rev_olie TS Guru Posts: 560

    That file ascot is in fact the updater service for you need it :)
  6. ascot54

    ascot54 TS Rookie Posts: 87


    I bow to your superior knowledge of course...

    I don't recall seeing apple on my Windows pc...
    hence why it caught my eye....

    as I said, I'm learning...

    still a young jedi here lol

    although was I correct on the SAS log...??
  7. rev_olie

    rev_olie TS Guru Posts: 560

    That's OK, I'm still pretty new so I get it wrong as well.

    In this game remember Google is your friend :)

    The log with SAS has:
    in the name thereby giving us the knowledge it is a temporary file and so Superantispyware will generally automatically delete them.

    So mainly you were correct. Good first go.

    If you want to learn this stuff go to geekstogo and join the Malware removal university there. I started but was a bit too busy so couldn't finish, but it's good.
  8. TTR

    TTR TS Rookie Topic Starter

    thanks guys. I know about Bonjour as I googled it myself!

    the cookies SAS picked up were deleted automatically.

    Rev, does everything else look ok? Not having pop ups anymore but would value your thoughts on whether it's ok?
  9. rev_olie

    rev_olie TS Guru Posts: 560

    Are you sure you are not having pop-ups any more?

    You have not removed anything from your PC to suggest the infection has been removed?

    Have you scanned with anything since posting that HJT log above? If so if a log was produced can you attach it here for me?

  10. TTR

    TTR TS Rookie Topic Starter

    Suprispul and Vundo Updated

    hi there,

    thanks for your reply. When I first got the sagispul bug I first ran Malwarebytes anyway which picked it up and deleted it. I then read up on this site the 8 part process and basically did it from scratch, so I did pick the bugs up and delete them, that's why the malware scan attached is showing nothing.

    I have done the 8 part process again today, and have attached the scans. Malware showing nothing and SAS only showing a cookie which it deleted, so looks ok to me, but I really don't know if there is anything in the hijack log that would indicate there is a problem? Any help would be great and would put my mind at ease.

    Thanks a lot. TTR
  11. TTR

    TTR TS Rookie Topic Starter

    Sorry, but can one of the experts have a look at my hijack log and give me the all clear please if my system is now clean?

    Thanks a million.
  12. rev_olie

    rev_olie TS Guru Posts: 560


    Sorry I didn't get back to you quicker. Your log overall seems clean.

    However, just to ask, did you have Notepad running when you scanned with HJT?

    If you didn't then that's fine, you're clean. However if you did then there may be a problem. If you did then can you attach a new log. If not however you're clean.

    Sorry about the wait.
  13. TTR

    TTR TS Rookie Topic Starter

    Hi rev,

    thanks for coming back to me. You are a gentleman.

    Pretty sure I did not have Notepad open when I ran hijack but have done it again anyway now (definitely nothing else apart from this site open) for you to check.

    Looks clean but if you can confirm that would be great.
  14. rev_olie

    rev_olie TS Guru Posts: 560

    Yep, you did have it open; it's not there now :)

    Did you delete your 04 entries by the way, because there are apparently no programs opening on your machine when you turn it on and you don't have a web browser?

    Other than that there are no processes or NT services to worry about
  15. TTR

    TTR TS Rookie Topic Starter

    thanks for coming back to me. You have been a real help buddy. Appreciate it.

    Not sure I understand re the 04 and the browser? What exactly and how do I delete them?
  16. rev_olie

    rev_olie TS Guru Posts: 560

    Right, well if you open both of your Hijackthis logs, on the first one you will see the list of running processes at the top and then a space and there will be a set of numbers at the side with 04 on.

    Now when you look at the latest scan you will find that there are no 04 entries in there...which isn't good :suspiciou

    Sorry to be a pain but i think something has gone wrong somewhere. Can you re scan with Hijackthis and post another log. If it does it again something isn't right :confused:.
  17. TTR

    TTR TS Rookie Topic Starter

    hi matey,

    attached the latest log.

    checked this latest scan and the 04's are back in there. Take it everything is normal now?

    You have been a real help. Lots of good karma headed your way.
  18. rev_olie

    rev_olie TS Guru Posts: 560

    Yes that looks like it to me :)

    Now every 2-3 weeks keep scanning with Malwarebytes and Superantispyware, making sure to update both before scanning.

    I would then advise you to clean your system with CCleaner.

    You can get the download along with my user guide HERE

    Happy surfing
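
The check rev_olie describes in posts 14 to 16 (seeing whether the startup entries listed in one HijackThis log are missing from a later one), as an added example that is not part of the original thread: a Python script that groups item lines by section code and reports what disappeared between two scans. HijackThis writes the startup section code as `O4`, with the letter O. Both sample logs are constructed, with hypothetical program names apart from the Bonjour service quoted in post 4, and the function names are this example's own.

```python
import re
from collections import defaultdict

# HijackThis item lines look like "O4 - HKLM\..\Run: [Name] path":
# a section code (R0, F2, O4, O23, ...), then " - ", then the entry text.
ITEM = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Constructed sample logs (not the logs attached to the thread).
FIRST_SCAN = r"""
Running processes:
C:\WINDOWS\system32\notepad.exe

O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
O4 - HKCU\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""
LATER_SCAN = r"""
Running processes:

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

def parse_sections(log_text):
    """Group item lines by section code; other lines (header, processes) are skipped."""
    sections = defaultdict(set)
    for line in log_text.splitlines():
        m = ITEM.match(line.strip())
        if m:
            sections[m.group(1)].add(m.group(2))
    return sections

def compare_logs(old_text, new_text):
    """Return sections that vanished entirely plus per-section removed/added entries."""
    old, new = parse_sections(old_text), parse_sections(new_text)
    report = {"vanished_sections": [], "removed": {}, "added": {}}
    for code in sorted(set(old) | set(new)):
        gone = old.get(code, set()) - new.get(code, set())
        fresh = new.get(code, set()) - old.get(code, set())
        if code in old and code not in new:
            report["vanished_sections"].append(code)  # e.g. every O4 entry missing
        if gone:
            report["removed"][code] = sorted(gone)
        if fresh:
            report["added"][code] = sorted(fresh)
    return report

if __name__ == "__main__":
    print(compare_logs(FIRST_SCAN, LATER_SCAN))
```

A whole section vanishing between two scans taken minutes apart, as in this thread, is a reason to re-scan before trusting either log.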
Topic Status:
Not open for further replies.
