I'm not sure if I'm describing this correctly, but I think I am a victim of a browser hijack. It began after I got a message (which may have been fake) saying my firewall was disabled. Afterwards, I began receiving numerous pop-ups of blank browser pages with the following address:

http://sagipsul.com/go/?cmp=vm_mg_juan&uid=695DE46AD86E11DDA766166350CFFF FF&lid=1ZR4149E0309319881&url=suggestqueries.googl e.com%2Fcomplete%2Fsearch%3Foutput%3Dfirefox%26cli ent%3Dfirefox%26hl%3Den-US%26q%3D1ZR4149E0309319881&guid=0D4C29FA1D00414D9 AAC1F76B8E24CAD&affid=166350&rid=zdez&cl=superjuan


My System Restore also was disabled.

At the same time, when I clicked on links for any sites produced from a search using key words having to do with this problem, Firefox returned a “failed to connect” screen. Today that has changed, and I am able to access some of these tech-related sites, but I am prevented from downloading files, like Hijack This. So I am unable to go past Step Two in your Prework.


Here is the log file of detected threats from ESETNOD32:

1/1/2009 9:50:44 PM HTTP filter file http://chertilo.cachefly.net/bgl.exe a variant of Win32/TrojanDownloader.FakeAlert.TF trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 9:50:43 PM HTTP filter file http://chertilo.cachefly.net/k9261108.exe a variant of Win32/Cimag trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 9:35:43 PM HTTP filter file http://chertilo.cachefly.net/bgl.exe a variant of Win32/TrojanDownloader.FakeAlert.TF trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 9:35:42 PM HTTP filter file http://chertilo.cachefly.net/k9261108.exe a variant of Win32/Cimag trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 9:20:42 PM HTTP filter file http://chertilo.cachefly.net/bgl.exe a variant of Win32/TrojanDownloader.FakeAlert.TF trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 9:20:41 PM HTTP filter file http://chertilo.cachefly.net/k9261108.exe a variant of Win32/Cimag trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 9:05:40 PM HTTP filter file http://chertilo.cachefly.net/bgl.exe a variant of Win32/TrojanDownloader.FakeAlert.TF trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 9:05:40 PM HTTP filter file http://chertilo.cachefly.net/k9261108.exe a variant of Win32/Cimag trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 8:50:39 PM HTTP filter file http://chertilo.cachefly.net/bgl.exe a variant of Win32/TrojanDownloader.FakeAlert.TF trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 8:50:39 PM HTTP filter file http://chertilo.cachefly.net/k9261108.exe a variant of Win32/Cimag trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 8:35:38 PM HTTP filter file http://chertilo.cachefly.net/bgl.exe a variant of Win32/TrojanDownloader.FakeAlert.TF trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 8:35:37 PM HTTP filter file http://chertilo.cachefly.net/k9261108.exe a variant of Win32/Cimag trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 8:20:37 PM HTTP filter file http://chertilo.cachefly.net/bgl.exe a variant of Win32/TrojanDownloader.FakeAlert.TF trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 8:20:36 PM HTTP filter file http://chertilo.cachefly.net/k9261108.exe a variant of Win32/Cimag trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 8:05:35 PM HTTP filter file http://chertilo.cachefly.net/bgl.exe a variant of Win32/TrojanDownloader.FakeAlert.TF trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 8:05:34 PM HTTP filter file http://chertilo.cachefly.net/k9261108.exe a variant of Win32/Cimag trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 7:50:34 PM HTTP filter file http://chertilo.cachefly.net/bgl.exe a variant of Win32/TrojanDownloader.FakeAlert.TF trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 7:50:33 PM HTTP filter file http://chertilo.cachefly.net/k9261108.exe a variant of Win32/Cimag trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
1/1/2009 7:31:28 PM Real-time file system protection file C:\DOCUME~1\Joan\LOCALS~1\Temp\seneka1b62.tmp Win32/Agent.ODG virus deleted (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\DOCUME~1\Joan\LOCALS~1\Temp\incosnet.tmp.
1/1/2009 7:30:17 PM Real-time file system protection file C:\Documents and Settings\Joan\Local Settings\Temporary Internet Files\Content.IE5\OEUSS15N\apstpldr.dll[1].htm Win32/BHO.NKU trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/1/2009 7:30:17 PM Real-time file system protection file C:\Documents and Settings\Joan\Local Settings\Temporary Internet Files\Content.IE5\OEUSS15N\apstpldr.dll[1].htm Win32/BHO.NKU trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/1/2009 7:29:52 PM HTTP filter file http://childhe.com/pas/apstpldr.dll....AC1F76B8E24CAD Win32/BHO.NKU trojan connection terminated - quarantined LENOVO-4FBB296D\Joan Threat was detected upon access to web by the application: C:\WINDOWS\explorer.exe.
10/16/2008 12:30:57 AM HTTP filter archive http://online-scan.net/xv/?ie=utf-8&...ient=firefox-a Win32/Adware.Antivirus2008 application connection terminated LENOVO-4FBB296D\Joan Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
10/16/2008 12:30:52 AM HTTP filter archive http://online-scan.net/xv/?ie=utf-8&...ient=firefox-a Win32/Adware.Antivirus2008 application connection terminated LENOVO-4FBB296D\Joan Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
10/16/2008 12:30:42 AM HTTP filter archive http://online-scan.net/xv/?ie=utf-8&...ient=firefox-a Win32/Adware.Antivirus2008 application connection terminated LENOVO-4FBB296D\Joan Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.

I hope the links above are not a problem here. I unchecked the "parse links" option for posting, but they still appear in the log file.
My OS is XP Pro, SP
Thanks in advance for any assistance.

Run both these programs.

Please download Malwarebytes' Anti-Malware from one of these places:
|MG| Malwarebytes Anti-Malware 1.31
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Please Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

================================================== ===================================
================================================== ===================================

Ok.Lets download ComboFix.exe. This will give me a better view to the files running and also hidden on your computer and also those in the registry..Please download from one of these webpages .
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
Double-click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Recovery Console can be installed from your disc if you have Vista if you wish.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thank you for the prompt response. But I am unable to download these two programs. When I click on the links, my browser will not go there. That is my problem! Well, one of them, anyway.

Sorry to jump in here but, have you tried downloading in safe mode or on another computer to a USB stick and installing that way?

I thought with Safe Mode there would be no internet access available.

Safe Mode With Networking will allow you internet access.

Cool. Thanks. I'll get on that now.