Avast WEBforum

Other => Viruses and worms => Topic started by: nanajana on April 21, 2012, 07:07:59 AM

Title: Welcome to NGINX
Post by: nanajana on April 21, 2012, 07:07:59 AM
Not sure if this is related or not, but upon closing Firefox I get a box that states "Warning: Unresponsive Script. A script may be busy or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
Script: chrome://browser/content/sanitize.js:135"
So what happens is I get this message and before long I get "Welcome to NGINX" instead of my homepage. The address bar shows http:// and my homepage address, but alas it does not go there or anywhere. I believe this is an infection but it is not being picked up by antivirus. Any ideas how I can get rid of this malware?

Thanks,
Title: Re: Welcome to NGINX
Post by: Asyn on April 21, 2012, 08:10:51 AM
Quote
I believe this is an infection but it is not being picked up by antivirus.  Any ideas how I can get rid of this malware?

Thanks,

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware.
Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
Title: Re: Welcome to NGINX
Post by: nanajana on April 21, 2012, 05:29:32 PM
After this post I ran SuperAntiSpyware, see attached log. Since then I have my homepage back but everything is running slower than usual. I have gotten this message twice now: "A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
Script: chrome://browser/content/sanitize.js:133"
after shutting Firefox. Usually this appears 3 or 4 times before my homepage is hijacked to the WELCOME TO NGINX page. I have been opening and closing Firefox but so far so good. I do think the infection is still on my machine though. I went to the page you referenced and ran Malwarebytes (I do have it installed on my computer); it says no malicious items found. See attached.
Title: Re: Welcome to NGINX
Post by: nanajana on May 07, 2012, 06:47:08 AM
I have this problem again! Welcome to nginx blocks my homepage, but I can go to any other site, either through favourites or typing in the URL. It started this time by first redirecting me to Ad-Aware browsing, at the top of the page, and lists different sites, including my home page site, but if I click on that site it doesn't do anything. So this happened for a day and then today it brought up the Welcome to nginx page. Nothing else on the page and this appears at the top. I have run Malwarebytes, SuperAntiSpyware, Ad-Aware, Spybot. All say no threats on my computer and of course I have Avast running all the time with no threats shown either. I have gotten rid of it by clearing my DNS cache and refreshing the page. Info I have found online: "While Nginx is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server, the Welcome to nginx page does not belong to them. Something must be wrong with your operating system settings, home router setup, or browser configuration, if you are trying to access a well known web site and what you get instead is “Welcome to nginx!”. This should NOT happen if your computers and network are clean and safe.

If changing DNS servers to Google Public DNS, flushing DNS resolver cache, fixing your browser configuration, or cleaning "hosts" file (when applicable) have helped, it might be that there's a malware somewhere on your PC or around. Find and clean it using your preferred anti-virus and anti-malware tools."


What do I do now? 
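The quoted advice above boils down to a few checks: does the local resolver answer differently from a trusted public one, and is the site overridden in the hosts file? The following PowerShell script is an added example (not from this thread) that performs those checks read-only; www.example.com is a placeholder for the affected homepage, 8.8.8.8 is the Google Public DNS server the quote mentions, and Resolve-DnsName / Get-DnsClientServerAddress assume Windows 8 or later.

```powershell
# Added example, not from the thread: compare the local resolver's A records for a site with a
# public resolver's, and look for the site in the hosts file. Placeholder values below
# (www.example.com, 8.8.8.8) stand in for the affected homepage and the reference resolver.
# Assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Get-DnsClientServerAddress.

function Get-HostsFileEntries {
    # Returns a hashtable of lowercase hostname -> address from the system hosts file,
    # ignoring comments and blank lines.
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $entries = @{}
    foreach ($line in Get-Content -Path $path -ErrorAction Stop) {
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $entries[$name.ToLower()] = $fields[0]
        }
    }
    return $entries
}

function Get-ARecords {
    # A-record addresses for a name, via the normal local resolver path or from one specific server.
    param([string]$Name, [string]$Server)
    $params = @{ Name = $Name; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $params.Server = $Server; $params.NoHostsFile = $true }
    @(Resolve-DnsName @params | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
}

function Test-ResolverHijack {
    param([string[]]$Names, [string]$ReferenceServer = '8.8.8.8')
    $hostsEntries = Get-HostsFileEntries
    foreach ($name in $Names) {
        $key      = $name.ToLower()
        $local    = Get-ARecords -Name $name
        $ref      = Get-ARecords -Name $name -Server $ReferenceServer
        $agree    = @($local | Where-Object { $ref -contains $_ })
        $hostsHit = if ($hostsEntries.ContainsKey($key)) { $hostsEntries[$key] } else { '' }
        [pscustomobject]@{
            Name         = $name
            HostsEntry   = $hostsHit
            LocalIPs     = ($local -join ', ')
            ReferenceIPs = ($ref -join ', ')
            # A hosts entry, or local answers sharing nothing with the reference, is a lead only:
            # sites behind CDNs can legitimately differ by resolver, so confirm before acting.
            Suspicious   = ($hostsHit -ne '') -or ($local.Count -gt 0 -and $agree.Count -eq 0)
        }
    }
}

# Which resolvers the system is configured to use; an unexpected one points at router or OS settings.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

Test-ResolverHijack -Names @('www.example.com') | Format-Table -AutoSize
# Clearing the cache, as the poster did, forces a fresh lookup afterwards: ipconfig /flushdns
```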


Title: Re: Welcome to NGINX
Post by: Pondus on May 07, 2012, 07:08:06 AM
Quote
What do I do now? 
follow the link Asyn gave you above....
attach the logs from malwarebytes / OTL / aswMBR

then one of the malware removers will help you when they arrive later today
Title: Re: Welcome to NGINX
Post by: nanajana on May 07, 2012, 08:42:26 AM
I did as suggested but every time I tried to open OTL my computer crashed.  So I couldn't do it.  I successfully ran aswMBR, see attached.  But the first time I ran it, it said "Scan error: Incorrect function", see attached.  Hope you can deal with the "infected file".
Title: Re: Welcome to NGINX
Post by: nanajana on May 07, 2012, 08:52:21 AM
Forgot to attach mbam log so here it is!
Title: Re: Welcome to NGINX
Post by: Pondus on May 07, 2012, 09:07:38 AM
Well, aswMBR shows one infection as far as I can see.... a trojan sms.send
Did you update Malwarebytes before the scan?
Have you run a quick scan with Avast?

Anyway, the malware removers will deal with it when they arrive.
Title: Re: Welcome to NGINX
Post by: jeffce on May 07, 2012, 03:20:23 PM
Hi,

Be sure to run OTL per the instructions on the page given earlier by Asyn and then do the following...

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
----------
Title: Re: Welcome to NGINX
Post by: nanajana on May 07, 2012, 06:02:30 PM
I was finally able to run OTL in safe mode.  Twice when trying to run it Avast wouldn't allow it, felt it may be malicious, but did try to run it in the sandbox the second time; still it would not run.  I even tried disabling Avast for 10 mins but after that it crashed every time I tried to run it - blue screen with the message "A problem has been detected and Windows has been shut down to protect your computer."

I didn't get an extras log only the one log which I have attached.  Prior to running a quick scan I inadvertently ran a full scan which did generate an extras log.  I will send it if you need it but it was too big of a file to send both at this time.

I will now continue with the rest of your instructions, Thanks!!
Title: Re: Welcome to NGINX
Post by: nanajana on May 07, 2012, 06:19:15 PM
Hi,

I ran TDSSKiller.exe.  I got one suspicious event, object sptd (LockedFile.Multi.Generic).  I wasn't sure what to do so I copied it to quarantine; the only other options were skip and delete.  The file that was copied is: C:\Windows\system32\Drivers\sptd.sys.

I am waiting for further instructions.

Cheers!
Title: Re: Welcome to NGINX
Post by: jeffce on May 07, 2012, 07:46:38 PM
Hi,

Please download ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
Code: [Select]
:Services

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
IE - HKLM\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2653012
IE - HKLM\..\SearchScopes\{CB6F7A3F-076D-4CC4-B363-249E2C3393CA}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7
IE - HKLM\..\SearchScopes\{FD1AAA9E-C6FA-43E8-B3DD-914CFD0F4B72}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKCU\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2653012
FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.startup.homepage: "http://www.winnipegfreepress.com"
[2012/04/30 14:49:57 | 000,000,000 | ---D | M] (Vuze Remote Community Toolbar) -- C:\Users\Janice\AppData\Roaming\Mozilla\Firefox\Profiles\cys0nb0e.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
[2011/05/05 21:55:31 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\Janice\AppData\Roaming\Mozilla\Firefox\Profiles\cys0nb0e.default\extensions\engine@conduit.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Vuze Remote Toolbar) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
O15 - HKCU\..Trusted Domains: internet ([]about in Internet)
O15 - HKCU\..Trusted Domains: umanitoba.ca ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: winnipegfreepress.com ([www] https in Trusted sites)
O33 - MountPoints2\{15421b98-126e-11df-a52a-001d6053f73f}\Shell - "" = AutoRun
O33 - MountPoints2\{15421b98-126e-11df-a52a-001d6053f73f}\Shell\AutoRun\command - "" = N:\LaunchU3.exe -a
O33 - MountPoints2\{a81b2902-5e1a-11df-a963-001d6053f73f}\Shell\AutoRun\command - "" = N:\Start.exe
O33 - MountPoints2\{adb96414-df5c-11dd-a76a-001d6053f73f}\Shell - "" = AutoRun
O33 - MountPoints2\{adb96414-df5c-11dd-a76a-001d6053f73f}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
O33 - MountPoints2\{d465be05-dc37-11dd-b22b-001d6053f73f}\Shell - "" = AutoRun
O33 - MountPoints2\{d465be05-dc37-11dd-b22b-001d6053f73f}\Shell\AutoRun\command - "" = N:\LaunchU3.exe -a
O33 - MountPoints2\{d465be13-dc37-11dd-b22b-001d6053f73f}\Shell - "" = AutoRun
O33 - MountPoints2\{d465be13-dc37-11dd-b22b-001d6053f73f}\Shell\AutoRun\command - "" = N:\LaunchU3.exe -a
O33 - MountPoints2\{f115c707-e461-11e0-815c-001d6053f73f}\Shell - "" = AutoRun
O33 - MountPoints2\{f115c707-e461-11e0-815c-001d6053f73f}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2012/04/21 20:02:24 | 000,102,400 | ---- | M] () -- C:\Users\Janice\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/15 12:11:11 | 000,000,000 | ---D | M] -- C:\Users\Janice\AppData\Roaming\Azureus
[2009/05/05 23:28:59 | 000,000,000 | ---D | M] -- C:\Users\Janice\AppData\Roaming\IObit
[2009/12/28 16:57:59 | 000,000,000 | ---D | M] -- C:\Users\Janice\AppData\Roaming\LimeWire
[2012/04/21 20:31:30 | 000,000,000 | ---D | M] -- C:\Users\Janice\AppData\Roaming\uTorrent

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
Title: Re: Welcome to NGINX
Post by: nanajana on May 07, 2012, 09:41:06 PM
Hi,

I did as instructed but when I ran otl again and after I ran the fix I wasn't able to uncheck LOP & Purity boxes.  As soon as I checked all users it automatically checked these boxes.  Attached are the two logs generated.  Please advise what's next!

Cheers!
Title: Re: Welcome to NGINX
Post by: jeffce on May 08, 2012, 01:18:38 AM
Hi,

Run OTL.exe
Code: [Select]
:Services

:OTL
O2 - BHO: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
O2 - BHO: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - No CLSID value found.
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.
ESET OnlineScan (http://eset.com/onlinescan)

scanning your computer. Please be patient as this can take some time.
http://www.eset.com/onlinescan/
----------

In your next reply please attach the logs made by OTL, Malwarebytes and ESET online scanner.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 08, 2012, 03:29:30 AM
Whew, this is a lot of work, lol!  Anyway I have run OTL again, but what's with this?  When I try to run it on my computer, Avast terminates the program, though it did run once before crashing my computer.  I ran it in safe mode but it does not allow me to uncheck the LOP or Purity boxes.  They are unchecked until I click on quick scan and then it automatically checks the boxes.  I updated and ran Mbam; I have attached the two logs and will continue on with your instructions.
Title: Re: Welcome to NGINX
Post by: nanajana on May 08, 2012, 06:54:43 AM
Hi,
I am finally done!  Attached ESET scan results.
Title: Re: Welcome to NGINX
Post by: jeffce on May 08, 2012, 01:41:03 PM
Hi,

Run OTL.exe
Code: [Select]
:Services

:Files
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch21.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch21.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip
C:\Users\Janice\AppData\Roaming\iolo\Installers\SystemMechanic7.exe
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[clearallrestorepoints]
[start explorer]
[Reboot]
In your next reply please attach the new OTL logs (don't worry if LOP and Purity are checked) and let me know how your system is running.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 08, 2012, 04:08:54 PM
Hi,

I did as requested and holy smokes, Firefox opens immediately!!!  Thunderbird is opening faster too, don't know if this was part of all of this but hey, I'm glad it's all working faster!!  Thanks sooo much, truly appreciate all your help.

Attached is the final log and by the way I was able to open OTL without having to do it in safe mode each time.  I did have to shut Avast down as it still wanted to terminate it as suspicious.

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 08, 2012, 04:25:01 PM
Hi,

What about being  sent to NGINX any longer? 

When you ran OTL the first time there should have been a log created named Extras.txt.  If you have that could you attach that please.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 08, 2012, 05:49:53 PM
HI,

It doesn't go to NGINX but I had flushed the DNS resolver cache and after that it stopped going to that page.  Then we started down our journey right after that and during all of that it never went to that page.

I have attached the extras page.  Is there anything else I should be doing?  I think one thing I learned is more is not necessarily better, so I am just going to let Avast do its thing and maybe run an online scan from time to time.

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 08, 2012, 05:56:43 PM
Quote
It doesn't go to NGINX but I had flushed the DNS resolver cache and after that it stopped going to that page.  Then we started down our journey right after that and during all of that it never went to that page.
Perfect.  :)
--------------

Quote
Is there anything else I should be doing?
Now please do the following so we can get some updates installed on your system:

You have an older version of Adobe Reader.  You can download the current version HERE (http://www.adobe.com/products/acrobat/readstep2.html)

You may want to consider   Foxit Reader (http://www.foxitsoftware.com/downloads/index.php) instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum (http://www.foxitsoftware.com/bbs/forumdisplay.php?f=3)

In either case you should uninstall Adobe Reader 9.5.1 first. Be sure to move any PDF documents to another folder first though.
----------

Please download JavaRa (http://raproducts.org/click/click.php?id=1) to your desktop and unzip it to its own folder.
    Click Remove Older Versions.
----------

In your next reply let me know if you had any problems with the instructions and once again how your system is running.  :)

Title: Re: Welcome to NGINX
Post by: nanajana on May 08, 2012, 07:35:16 PM
Hi,

Well hopefully I have done this right. I think I uninstalled Adobe Reader 9.5.1; anyway I couldn't find it anywhere when I searched for it, and installed the latest version.  I will have a look at Foxit, checked it briefly.  I am the webmaster for an association I belong to and they have supplied me with Adobe Acrobat 9 which I don't find all that user friendly, does Foxit do the same thing?  I also hopefully updated Java, I followed your instructions and then verified that I was downloading the correct JRE update, it is JRE 7ur4 I'm guessing though.

Everything seems fine, Firefox opening to  my homepage and no Welcome to NGINX page.  Please advise if I need to do anything else.

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 08, 2012, 07:55:47 PM
Hi,

Quote
does Foxit do the same thing?
Yes it just is lighter on resources. 
----------

Providing there are no other malware related problems...

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D  SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :D

This infection appears to have been cleaned, but I can not give you any absolute guarantees.  As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.
----------

Clean up with OTL:
----------

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:

2. Enable Protected Mode in Internet Explorer.  This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code.  To make sure this is running follow these steps:

3. Use and update anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis.  With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly.  A tutorial on firewalls can be found here (http://www.bleepingcomputer.com/forums/tutorial60.html).  **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free (http://download.cnet.com/Online-Armor-Free/3000-10435_4-10426782.html)
Agnitum Outpost Firewall Free (http://download.cnet.com/Agnitum-Outpost-Firewall-Free/3000-10435_4-10913746.html)

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows Update (http://v4.windowsupdate.microsoft.com/en/default.asp) regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems.  Without these you are leaving the back door open.

6.   WOT   (http://www.mywot.com/) (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites.  WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

7. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?  (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
 
Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
Title: Re: Welcome to NGINX
Post by: nanajana on May 09, 2012, 01:18:29 AM
Hi,

I ran OTL and clicked on clean up.  Then I went to Internet Explorer, to the tools menu and Internet Options.  I had everything as you advised already in place but I couldn't find Installation of desktop items here?  I already had Protected Mode on, I run Site-Advisor as well as Spoofstick.  I have everything set to automatically send me updates and use cnet downloads and cnet updates for installed downloads.  I will install WOT I think I may have it  already or at least I did at one time.  I also installed outpost firewall & will turn off Windows firewall.

I just ran a quick scan with Malwarebytes, it said OK, but then Avast came up with this message:  ROOTKIT FOUND  A suspicious hidden object (rootkit) has been detected on your computer.  This may be a sign of a malicious infection.  It is recommended to remove the object immediately.  File Name:  SVC:mbam Rootkit name: Rootkit.  I clicked on delete, the only other option was to ignore.  I am now going to run a boot-time scan as suggested by Avast!!  Please advise what's next!!!!
Title: Re: Welcome to NGINX
Post by: jeffce on May 09, 2012, 02:37:57 AM
Hi,

What else did the warning say?  Did it give a file path or can you take a screen shot of the warning?
Title: Re: Welcome to NGINX
Post by: nanajana on May 09, 2012, 03:25:46 AM
Hi,

No file path, just what I told you, the Avast redbox came up and said to remove it immediately and that was by deleting it.  Its gone so I can't take a screen shot.  I just finished the boot-time scan which Avast told me to do.

I also get a message about Windows Live Essentials every time I reboot.  I don't think this means anything; I went online to check it out and it seems lots of people get this, so I just ignore it.  Anyway here's what happens:  A warning box comes up titled "WLStartup.exe - Entry point not found", red circle with X in it - "The procedure entry point ?GetHeight@CRMImage@@QBEHXZ could not be located in the dynamic link library UXCore.dll."  So I close that and get "Windows Live Essentials has stopped working. Check online for a solution" etc., or Close the program, which is what I do.

Cheers, :-[
Title: Re: Welcome to NGINX
Post by: nanajana on May 09, 2012, 04:21:18 AM
Hi,

I do believe I have resolved the Windows Live Essential problem!  It was all about an outdated uxcore.dll.  I deleted the old one and replaced it with an updated uxcore.dll.  I hope that is the last of that because it is extremely annoying.
Title: Re: Welcome to NGINX
Post by: jeffce on May 09, 2012, 04:29:26 AM
Hi,

Ok...try the following:

Go into your "c:\program files\windows live\installer" and delete the uxcore.dll. Then go into "c:\program files\windows live\shared" and copy uxcore.dll from this directory. Go back to your installer directory and paste the file.
Should start without an issue...
The error is occurring from an outdated uxcore.dll file that is not being updated in the installer folder.
Title: Re: Welcome to NGINX
Post by: jeffce on May 09, 2012, 04:35:53 AM
 ;D  You beat me to the punch!! 
Title: Re: Welcome to NGINX
Post by: nanajana on May 09, 2012, 04:36:54 AM
Hi,

Yes that is exactly what I did about Windows Live Essentials!  I haven't changed any passwords yet because of Rootkit found? earlier by Avast.  So where am I with that?  I don't want to change anything until I am sure I'm clean

Cheers,
Title: Re: Welcome to NGINX
Post by: jeffce on May 09, 2012, 04:38:13 AM
Let's check for the rootkit...

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
----------
Title: Re: Welcome to NGINX
Post by: nanajana on May 09, 2012, 05:21:57 AM
Arrgghh, I could scream!!  It's that locked file, Service: sptd, suspicious object medium risk C:\Windows\system32\Drivers\sptd.sys.  I have run TDSSKiller 3 times, quarantined it twice, rebooted once; options are: Skip, Copy all to quarantine, or Delete.  Not sure what to do about this third one sitting on my desktop because copying to quarantine does nothing.  Please advise.  Attached logs of same, apparently not as the file is too big, hope this one gets to you.  Quarantined anyway.

Cheers,
Title: Re: Welcome to NGINX
Post by: jeffce on May 09, 2012, 01:55:48 PM
Don't worry about that.  It is part of the Daemon programs you have on your system.  Daemon programs will sometimes use rootkit technology that is picked up occasionally by antivirus programs.  It is a false positive.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 09, 2012, 02:11:03 PM
Hi,

Well that is good news!  I also ran a new eset last night and it didn't find any malicious threats, or for that matter, threats of any kind.  So this should be it, we can put this baby to bed!!  I will go ahead now and change my passwords, that is going to be a huge job but a necessary one. :(

Cheers, :)
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 09, 2012, 03:13:56 PM
Hi,

Glad that we could help!  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 09, 2012, 03:32:35 PM
Hi,

You're very welcome and I too am glad that you could help.  Thanks again!

Cheers
Title: Re: Welcome to NGINX
Post by: nanajana on May 11, 2012, 05:57:03 PM
Hi,

I was searching out win32 bagle.gen.zip worm which as you know I had on my computer.  TrojanDownloader:Win32/Bagle.gen!A creates the following registry subkeys and entries as part of its installation routine:
 
Adds value: "frstrunn"
With data: "1"
To subkey: HKCU\Software\bisoft
 
Adds value: "EnableLUA"
With data: "<value>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\Security Center\Svc
 
where <value> is a certain number.
 
Adds key: HKCU\Software\Local AppWizard-Generated Applications
 
and all its associated subkeys.
 
It may also create the following folders:
 

    %AppData%\drivers
    %AppData%\drivers\downld

So while performing regedit, looking for any of this, I come across "Adds key: HKCU\Software\Local AppWizard-Generated Applications".  I found it in HKEY_USERS: Software.  Tried looking for the rest but not sure if it's not there or I'm not looking in the right spot.  Please advise what now!

Cheers
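Searching by hand in regedit, as the post above describes, easily misses indicators that live under another user's hive or in a profile folder. The PowerShell script below is an added example (not from this thread or from the writeup quoted in it) that checks exactly the values, keys and folders listed above, read-only; it assumes the Vista/7 profile layout (...\AppData\Roaming) and an elevated prompt so other users' loaded hives are readable.

```powershell
# Added example, not from the thread or the quoted writeup: read-only check for the registry
# values, keys and folders listed above. "HKCU" in the writeup means the infected user's hive,
# so every hive currently loaded under HKEY_USERS is checked, not just the current user's.
# Assumes the Vista/7 profile layout (...\AppData\Roaming) and an elevated prompt.

function Test-BagleIndicators {
    $findings = New-Object System.Collections.Generic.List[object]

    # Machine-wide value. The genuine EnableLUA setting lives under
    # HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; one here is out of place.
    $svc = 'HKLM:\SOFTWARE\Microsoft\Windows\Security Center\Svc'
    $v = Get-ItemProperty -Path $svc -Name EnableLUA -ErrorAction SilentlyContinue
    if ($null -ne $v) {
        $findings.Add([pscustomobject]@{ Indicator = "$svc\EnableLUA"; Detail = "data = $($v.EnableLUA)" })
    }

    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        if ($sid -like '*_Classes') { continue }   # per-user class registration hives hold no Software key
        $base = "Registry::HKEY_USERS\$sid\Software"

        $p = Get-ItemProperty -Path "$base\bisoft" -Name frstrunn -ErrorAction SilentlyContinue
        if ($null -ne $p) {
            $findings.Add([pscustomobject]@{ Indicator = "$base\bisoft\frstrunn"; Detail = "data = $($p.frstrunn)" })
        }

        # This key is also the default key MFC AppWizard-generated programs write to, so many
        # legitimate applications create it; the subkey names show who wrote it, and the key
        # alone is not evidence of infection.
        $appwiz = "$base\Local AppWizard-Generated Applications"
        if (Test-Path -Path $appwiz) {
            $sub = @(Get-ChildItem -Path $appwiz -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName })
            $findings.Add([pscustomobject]@{ Indicator = $appwiz; Detail = "subkeys: $($sub -join ', ')" })
        }
    }

    # %AppData%\drivers and %AppData%\drivers\downld, checked for every profile on disk:
    # hives of users who are not logged on are not loaded, but their folders are still there.
    $profilesRoot = Split-Path -Path $env:USERPROFILE -Parent
    $profiles = Get-ChildItem -Path $profilesRoot -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
    foreach ($profile in $profiles) {
        foreach ($rel in 'AppData\Roaming\drivers', 'AppData\Roaming\drivers\downld') {
            $dir = Join-Path -Path $profile.FullName -ChildPath $rel
            if (Test-Path -Path $dir -PathType Container) {
                $count = @(Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue).Count
                $findings.Add([pscustomobject]@{ Indicator = $dir; Detail = "$count item(s)" })
            }
        }
    }
    return $findings
}

$result = @(Test-BagleIndicators)
if ($result.Count -eq 0) { 'None of the listed indicators were found.' }
else { $result | Format-Table -AutoSize -Wrap }
```

Anything reported is a lead to examine (values, subkey names, folder contents), not a verdict; the script changes nothing.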
Title: Re: Welcome to NGINX
Post by: nanajana on May 11, 2012, 06:32:45 PM
Hi,

I ran aswMBR and then OTL, not sure if I should have run OTL first.  Attached logs from same.
Title: Re: Welcome to NGINX
Post by: jeffce on May 11, 2012, 07:51:43 PM
Hi,

Please double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".

(http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRfix-1.png) (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRfix.png)
Click the image to enlarge it
Title: Re: Welcome to NGINX
Post by: nanajana on May 11, 2012, 08:44:15 PM
HI,

I can't get the scan to finish, it's frozen on 13:27  Scanning:  C:\Users\Janice\AppData\Local\Microsoft\Windows Live\Installer\catalog\.  That's all I can see, so should I click on fix or should I exit and start again?
Title: Re: Welcome to NGINX
Post by: jeffce on May 11, 2012, 08:47:09 PM
Start it over and see if it will finish.  If not, boot to Safe Mode and attempt to run the instructions that I provided. 
Title: Re: Welcome to NGINX
Post by: nanajana on May 11, 2012, 11:10:13 PM
Hi
 
Still trying to run this.  Had to go out but left it running in safe mode; it's taking forever, and yesterday when I ran an Avast quick scan it ran for 45 mins and then said no threats!!!  Anyway I will check it out when I get home, but if you don't hear from me I will be away till Sunday; I'll shut down the computer and try again.  If it works I will post the log.

Cheers
Title: Re: Welcome to NGINX
Post by: jeffce on May 11, 2012, 11:30:20 PM
Sounds like a plan.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 12, 2012, 12:12:58 AM
It completed but said it would damage the partition if I ran fixmbr.  So that's it for now, I need a break!!!!   Try again Sunday

Cheers
Title: Re: Welcome to NGINX
Post by: hrr4 on May 12, 2012, 05:33:53 AM
I was having the same problem and tried almost everything. In my case, deleting the cache through IE's Delete button didn't fix my problem.

When I manually deleted all the files from

AppData\Local\Microsoft\Windows\Temporary Internet Files

the problem went away. You might want to try deleting your temp files manually.

Same problem, another computer:
Another way I fixed it on my other computer is simply by right-clicking on the tab and refreshing.
Title: Re: Welcome to NGINX
Post by: jeffce on May 12, 2012, 10:16:55 PM
Hi,

Did aswMBR create a log?  If so attach that please.  :)

Title: Re: Welcome to NGINX
Post by: nanajana on May 13, 2012, 08:17:19 PM
HI,

I ran aswMBR, it completed, but when I click on fix MBR I get a warning that tells me:  Writing a new master boot record to your system partition could damage your partition tables and cause your partitions to become inaccessible.

This application writes standard Windows MBR code?

Are you sure you want to fix the MBR?

So do I? I will leave everything as is til I hear from you,

Cheers
Title: Re: Welcome to NGINX
Post by: mchain on May 13, 2012, 08:28:43 PM
Hi,

jeffce needs to see the log and results of your last scan.  Only then will he be able to tell you what you need to do.
Title: Re: Welcome to NGINX
Post by: jeffce on May 13, 2012, 11:48:02 PM
No I asked you to press the Fix button....not FixMBR.  Do not do that yet.  Is the Fix button not working?
Title: Re: Welcome to NGINX
Post by: nanajana on May 14, 2012, 01:43:49 AM
Hi,

No I don't get a fix button just the fixMBR button. 
Title: Re: Welcome to NGINX
Post by: nanajana on May 14, 2012, 01:47:13 AM
Hi,

Here's the log from that run.

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 14, 2012, 03:14:50 AM
Hi,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Code: [Select]
:file
F:\Release\TAPBIND1.SYS
C:\Windows\system32\jureg.exe
Note: The log can also be found on your Desktop entitled SystemLook.txt
----------

Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
----------

In your next reply please attach the logs made by SystemLook and MBRCheck. 
Title: Re: Welcome to NGINX
Post by: nanajana on May 14, 2012, 04:38:48 AM
Hi,

I ran SystemLook, see attached file, and tried to run MBRCheck.exe but I get "Server not found, Firefox can't find the server at http" so then I googled MBRCheck but not sure where I should download so will wait to hear from you!

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: nanajana on May 14, 2012, 06:22:35 AM
Hi,

I downloaded MBRCheck from geekstogo.  See attached file & I await further instructions.  I did as you instructed and just exited out for now.

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 14, 2012, 01:45:44 PM
Title: Re: Welcome to NGINX
Post by: nanajana on May 14, 2012, 03:11:45 PM
HI,

Okay I did all of the above, see attached file.

Cheers,
Title: Re: Welcome to NGINX
Post by: jeffce on May 14, 2012, 03:17:50 PM
Sorry....I should have asked you to run MBRCheck again and attach the newly made log as well. 
Title: Re: Welcome to NGINX
Post by: nanajana on May 14, 2012, 03:26:43 PM
Okey-dokey will do, also I keep forgetting to tell you and not sure if it means anything but every time I ran aswMBR I also got a file? titled MBR with a filmstrip and musical note over it.  I never opened it.  Rats, does this ever end!!!!  I have attached the second file :(

Cheers
Speaking of cheers, I'm going to be needing a drink soon, lol
Title: Re: Welcome to NGINX
Post by: jeffce on May 14, 2012, 03:31:18 PM
Quote
titled MBR with a filmstrip and musical note over it.
No that is fine.  Nothing to worry about with that. 
Title: Re: Welcome to NGINX
Post by: nanajana on May 14, 2012, 03:59:18 PM
Hi,

I am wondering what I should and shouldn't be doing on my computer.  I have stopped sending emails, I have stopped working on my website of which I am the webmaster.  Basically I am only on to hear from you and to look up information from time to time.

Cheers
Title: Re: Welcome to NGINX
Post by: jeffce on May 14, 2012, 04:23:44 PM
Hi,

Just stick to what you are doing right now.  I am getting with a colleague about your system.  I will return as quickly as I can.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 14, 2012, 04:30:05 PM
okay!

Cheers
Title: Re: Welcome to NGINX
Post by: jeffce on May 14, 2012, 07:50:21 PM
Hi,

What is your M drive?  Are you able to boot from that drive?  If so, please run MBRCheck on that drive and then post the log.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 14, 2012, 08:09:10 PM
My M drive is an external hard drive where I save some of my files to.  I don't think I can boot from there.  How would I know?

Cheers
Title: Re: Welcome to NGINX
Post by: nanajana on May 14, 2012, 09:20:33 PM
Hi,

What about booting from a flash drive?  I did check out how to do this but will wait to hear from you although I guess I can do the same thing from my external hard drive.  Whatever works!

Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 14, 2012, 10:16:19 PM
Hi,

Download Combofix from either of the links below, and save it to your desktop. 
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here  (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
Title: Re: Welcome to NGINX
Post by: nanajana on May 14, 2012, 11:12:57 PM
Hi,

Holy smokes, that's quite the report!  When I opened Firefox it came up, had my homepage url in the address bar but "problem loading page".  I couldn't go anywhere on Firefox, yes my heart dropped!! so then I tried Explorer, same story.  I then went off the net and went back on and everything came up correctly.  But now I have nothing showing in my right hand taskbar except my internet connection and Safely remove hardware icon.  Though Avast just came up and updated so I guess it's still all there!

Cheers
Title: Re: Welcome to NGINX
Post by: jeffce on May 15, 2012, 04:28:43 PM
Hi,

Make sure the external hard drive you mentioned you had earlier is connected and then do the following:
Title: Re: Welcome to NGINX
Post by: nanajana on May 15, 2012, 04:42:37 PM
HI,

Just to confirm, I'm going to change the BIOS order and make my M drive first in the order?
Title: Re: Welcome to NGINX
Post by: jeffce on May 15, 2012, 05:03:33 PM
Hi,

No not yet.  Just run the instructions as posted. :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 15, 2012, 05:23:31 PM
HI,

Out of memory!Could not read disk!

Please advise next step!!! 

Cheers
Title: Re: Welcome to NGINX
Post by: nanajana on May 15, 2012, 09:58:45 PM
Hi,

I slapped myself and then reread your instructions, don't know where my head was!!  Anyway doing this again correctly but when I restart and try to run mbrcheck my computer crashes.  So I ran the first scan in safe mode and trying to run it again after restart.  I copied the blue screen results in case it means something to you. So will try to run this scan and send it right away.

Cheers
Title: Re: Welcome to NGINX
Post by: nanajana on May 15, 2012, 10:38:17 PM
Hi,

Okay here is the log from restart.

Cheers
Title: Re: Welcome to NGINX
Post by: nanajana on May 15, 2012, 11:36:53 PM
HI,

So where are we at?  Have the viruses or virus been taken care of and we are now just dealing with the fake mbr on my external hard drive?  If that's the case can I not just transfer to a dvd what I need from that drive and then wipe it clean.

Cheers
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 16, 2012, 12:26:58 AM
How is your system running otherwise...
Title: Re: Welcome to NGINX
Post by: nanajana on May 16, 2012, 01:25:25 AM
Hi,

You know I can't really tell.  Sometimes Firefox opens right away and then again it seems really sluggish.  Although I should probably check to see if my Avast ball is running when I'm slowed down.

Cheers
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 16, 2012, 02:53:18 AM
Hi,

Give your system a good run around and let me know how it's working in the morning.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 16, 2012, 06:39:26 AM
Hi,

I unplugged my M drive and ran MBRCheck, log attached.  I then ran aswMBR and looks like we are back to square one! log attached.  If the M drive is one problem fake MBR I can deal with that later.  I need to get my computer clean first.  I can leave my M drive unplugged til the virus is taken care of.  Please advise what's next.  Truly frustrated.

Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 16, 2012, 01:33:29 PM
Hi,

I know this can be frustrating...malware removal can take some time due to how the viruses will change daily.  I have been sitting in your shoes and feeling the same as you, but I do appreciate your patience.  :)
----------

OTL

netsvcs
%systemroot%\*. /rp /s
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT

----------

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
----------

In your next reply please attach the logs made by OTL and TDSSKiller.  :)
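The /md5start ... /md5stop block in the OTL script above hashes a handful of system binaries that file infectors and bootkits are known to patch, so that their hashes can be compared with known-good values. The following is an added example, not from this thread and not OTL's own code: it records a baseline of the same file names on a directory you point it at, re-hashes later, and reports modified or missing files. The directory, the stand-in files and the "patched" and "deleted" cases in demo() are all constructed so it runs offline.

```python
"""Integrity check of critical binaries against a recorded baseline.

Added example, not from the thread or from OTL: it reproduces the idea behind
the /md5start ... /md5stop block above. Hash a fixed list of files while the
system is known clean, then re-hash later and report anything modified or
missing. The file names mirror the OTL script; the directory is a parameter
and the demo uses constructed stand-in files in a temporary directory.
"""
import hashlib
import os
import tempfile
from typing import Dict, Optional

# Same names as the OTL /md5start list. OTL uses MD5; SHA-256 is used here.
CRITICAL_FILES = ["consrv.dll", "explorer.exe", "winlogon.exe",
                  "Userinit.exe", "svchost.exe"]


def file_hash(path: str, algorithm: str = "sha256") -> Optional[str]:
    """Return the hex digest of a file, or None if it does not exist."""
    if not os.path.isfile(path):
        return None
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_baseline(system_dir: str, names=CRITICAL_FILES) -> Dict[str, Optional[str]]:
    """Hash every listed file now; keep the result from a known-clean system."""
    return {name: file_hash(os.path.join(system_dir, name)) for name in names}


def check_baseline(system_dir: str, baseline: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Compare current hashes with the baseline and return {name: verdict}."""
    verdicts = {}
    for name, expected in baseline.items():
        current = file_hash(os.path.join(system_dir, name))
        if current is None:
            verdicts[name] = "File not found"          # same wording OTL prints
        elif expected is None:
            verdicts[name] = "NEW (absent at baseline)"
        elif current == expected:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "MODIFIED (baseline %s..., now %s...)" % (expected[:8], current[:8])
    return verdicts


def demo() -> Dict[str, str]:
    """Constructed scenario: stand-in binaries, one patched and one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in CRITICAL_FILES:
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"MZ constructed stand-in for " + name.encode())
        baseline = record_baseline(tmp)
        # What a file infector leaves behind: extra bytes appended to a trusted binary.
        with open(os.path.join(tmp, "explorer.exe"), "ab") as fh:
            fh.write(b"\x90\x90 constructed appended stub")
        os.remove(os.path.join(tmp, "consrv.dll"))
        return check_baseline(tmp, baseline)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

A baseline is only meaningful if it was taken from a system known to be clean, or from a trusted install source; on an already compromised machine the comparison has to be against vendor hashes, which is what tools like OTL and MBRCheck carry internally.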
Title: Re: Welcome to NGINX
Post by: nanajana on May 16, 2012, 03:05:12 PM
Hi,

Thanks, I needed to hear that this is not all in vain!!  Okay I ran OTL but no Extra came up.  Not in the OTL folder either.  I ran it twice thinking I missed something.  Anyway I have attached the log that I did get.  In the past the extras log has always shown up on my desktop.  I will run TDSSKiller now.  Also I was having problems with SuperAntiSpyware, ever since it picked up the 4 threats, it wouldn't run, had missing files & I couldn't uninstall or reinstall but finally after much perseverance I installed it to my desktop and it runs.  Not sure where this fits in or if at all. 

Feeling better,
Janice
Title: Re: Welcome to NGINX
Post by: nanajana on May 16, 2012, 03:15:50 PM
Hi,

Ran TDSSKiller, found the locked file but only options, move to quarantine (which) I did or skip.  No cure option offered.  See log.

Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 16, 2012, 03:28:18 PM
Hi,

Ok let me look these over...as for the Extras.txt you don't need to worry about that.  It is normally only made on the first run of OTL.  If I need it we can get another copy.  :)
Title: Re: Welcome to NGINX
Post by: jeffce on May 16, 2012, 03:42:01 PM
Hi,

Please download DDS from either of these links

LINK 1 (http://download.bleepingcomputer.com/sUBs/dds.com)
LINK 2 (http://download.bleepingcomputer.com/sUBs/dds.scr)

and save it to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt

Attach.txt
----------
Title: Re: Welcome to NGINX
Post by: nanajana on May 16, 2012, 04:07:51 PM
Hi,

The links were broken so I went to bleepingcomputer to download.  Attached logs as requested.  Also I couldn't run as admin, had to just open and run.

Cheers
Title: Re: Welcome to NGINX
Post by: jeffce on May 16, 2012, 06:22:41 PM
Hi,

I am not seeing too much. 

I notice that you have several security programs....this could be hindering your performance that you are experiencing.  I see remnants of McAfee that we can remove.  I also see that you have AdAware antivirus running along with Avast...this will certainly hinder performance.

As a rule of thumb it is best to run 1 antivirus program, 1 firewall and have another antimalware program like Malwarebytes on your system running at once.  Any more and there will be problems.  Let me know what you would like to keep and I will remove the remaining programs.  :)
---------

I need some information on some unidentified files. We will use Virustotal Please submit these files for analysis

To submit a file to virustotal, please click  VirusTotal (http://www.virustotal.com)

copy and paste the following into the upload a file box  (one at a time if more than one file is listed)

c:\users\janice\appdata\local\temp\Y.exe
c:\users\janice\appdata\local\temp\VFF.exe


scroll down a bit and click "send file", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------

In your next reply please post the link to the results of VirusTotal and let me know which security programs you would like to keep.
Title: Re: Welcome to NGINX
Post by: nanajana on May 16, 2012, 06:50:53 PM
HI,

I couldn't copy & paste, when it asked for files to scan and when I clicked on it, it went to my desktop looking for file.  So I copied your request onto notepad and ran it that way so I don't know if this is correct.  I never got a send button so sent same as rest of scans.  If these results are incorrect please advise how to do this differently.

Now I see I'm totally paranoid!! That's a lot of virus checkers.....I want to keep Avast & Malwarebytes & Outpost firewall.  Some of these I don't have running but do run from time to time and update at that time as well.   Anyway get rid of everything else.

Cheers
Title: Re: Welcome to NGINX
Post by: jeffce on May 16, 2012, 07:12:57 PM
Hi,

You are running everything just fine.  :)
----------
Code:
KillAll::

ClearJavaCache::

DDS::
uStart Page = hxxp://www.umanitoba.ca/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: {ba14329e-9550-4989-b3f2-9732e92d17cc} - No File
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe
mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
mRun: [Ad-Aware Antivirus] "e:\downloads\adaware\ad-aware antivirus\AdAwareLauncher" --windows-run

Firefox::
FF - ProfilePath - c:\users\janice\appdata\roaming\mozilla\firefox\profiles\cys0nb0e.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.winnipegfreepress.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

File::
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
E:\Downloads\AdAware\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
c:\PROGRA~1\mcafee\SITEAD~1\saui.exe
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
Title: Re: Welcome to NGINX
Post by: nanajana on May 16, 2012, 07:42:40 PM
Hi,

I'm not sure what's happening here.  I did as you requested, dragged the file to combofix, turned off protection but Outpost comes on, asking about Combofix and whether to allow or block it. I suspend it again after clicking on auto-learn. Then combofix keeps coming up with an update so I say no at this time, not sure if it is legit and I just want to get this done.  I don't get a report, it doesn't reboot but goes to scan right away and lo and behold avast comes up to tell me there is a   "trojan name Cfiles.dat original location C:\Combofix".     What now!!!!  I don't know if I should reboot to get report, if a report ran, actually I did see it running.  Prior to all of this my system was running pretty quick (I kept forgetting to tell you) and now it is slowed right down and not connecting right away etc etc etc. 

Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 16, 2012, 08:02:46 PM
Hi,

Right click on the Outpost icon in the tool tray (bottom right next to clock) >> select Suspend Protection >> choose Until Restart.  That should stop Outpost. 

Disable Avast by going to the Avast icon in the tool tray (near the clock) >> right click the icon >> avast shield controls >> Disable until computer restarts

Now run the same set of instructions I provided for ComboFix before and if asked, allow it to update.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 16, 2012, 09:20:12 PM
Hi,

Okay ran it, see attached.  Now should my homepages have changed on Firefox and Explorer.  I believe it changed to default.  I changed it back but just want to make sure nothing else is happening here.

Cheers,
Title: Re: Welcome to NGINX
Post by: jeffce on May 16, 2012, 09:33:39 PM
Hi,

Quote
Now should my homepages have changed on Firefox and Explorer.  I believe it changed to default.
Yes that would have happened.  Let me look this over and see what there is.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 16, 2012, 11:28:51 PM
HI,

I have been having a heck of a time since running combofix.  My desktop has been unstable, I had to call my ISP provider to reset my internet connection, I have rebooted so many times just trying to get things to work again.  I think I finally now have it under control  :), here's hoping!!!  What do you think this is about?  Anyway I think it had to do with SuperAntiSpyware which kept coming up as I rebooted, then windows installer came up and then there went my internet connection.  I closed it out put the shortcut in the recycle bin and fingers crossed everything seems to be working as it should.  Could this be the cause of all my grief!!!

Cheers
Title: Re: Welcome to NGINX
Post by: nanajana on May 17, 2012, 12:12:42 AM
HI,

Nope of course it couldn't be that easy.  This is what's happening, I click on my shortcut to connect to the internet and it does.  When I'm finished doing whatever, I click to disconnect from the internet on the same shortcut (which should work) but Windows installer comes up and then my computer freezes and I have to reboot it again and again and again.  The hourglass comes up and I'm toast.

More than frustrated,
Janice
Title: Re: Welcome to NGINX
Post by: nanajana on May 17, 2012, 04:36:08 AM
HI,

Well I have worked out a different way of disconnecting my computer from the internet that doesn't freeze my computer.  But if I right click my shortcut it still freezes up.  I can still open word, excel etc but that's about it.  Everything in my right hand taskbar is frozen and I have to reboot.

Still smiling though and hope you are too!!
Cheers
Title: Re: Welcome to NGINX
Post by: jeffce on May 17, 2012, 01:51:56 PM
Hi,

Yes...still smiling. 

I am not positive this is a malware problem any longer but possible a software problem caused by the malware that was on your system.  We may just be getting the pieces back to working properly.  I am speaking with a colleague about what we are seeing and will return as soon as I can.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 17, 2012, 02:12:39 PM
Hi,

Okay it seems anything I right click now on my desktop freezes and I have to reboot.  I was thinking of doing a system restore but I will leave it in your capable hands.  Again, thanks so much for all your help, this too shall pass!

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: nanajana on May 17, 2012, 03:25:58 PM
Hi,

I ran aswMBR again see attached.  I do have two other external harddrives which I haven't checked out yet.  I also have a backup I did 08/17/2011 on one of the two.  I think it's a full backup (over 219 gigs, it says) but I do get impatient at times and may have stopped it.  I'm hoping not.

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 17, 2012, 03:35:41 PM
Hi,

First open an elevated command prompt > Click Start and type cmd in Start Search.
When cmd.exe populates above, right click it and select Run as Administrator to open an elevated command prompt.


Copy the contents of the code box > right click in the command window and select paste
Code:
del C:\Windows\system32\jureg.exe
Press Enter
Close the Command Prompt
----------

Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
----------
Title: Re: Welcome to NGINX
Post by: nanajana on May 17, 2012, 04:43:54 PM
Hi Jeff,

So I tried to run cmd but I can't right click, it freezes then I have to reboot.   On the plus side the reboots are faster, so far.  I can double click and get cmd but then I guess it's not running as admin.  So should I continue with the other scans.  At this point I'm waiting on your instructions. 

I was thinking what you are telling me that running aswMBR is just going to keep telling me the same thing every time so thanks for that little tidbit

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 17, 2012, 04:52:12 PM
Hi,

Please download OTM (http://oldtimer.geekstogo.com/OTM.exe) by OldTimer.
Code:
:Processes
explorer.exe

:Files
C:\Windows\system32\jureg.exe

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

----------

Now run the instructions that I provided for GMER in the previous post.
---------

In your next reply please attach the logs made by OTM and GMER.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 17, 2012, 05:18:19 PM
Hi Jeff,

I absolutely cannot right click, immediately windows installer comes up and then I'm in the deep freeze.  Please advise if there's a way around this or what's next.

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 17, 2012, 08:27:24 PM
Hi,

Please do the following...

Run OTL.exe
Code:
:Services

:OTL
SRV - (Y) -- C:\Users\Janice\AppData\Local\Temp\Y.exe File not found
SRV - (VFF) -- C:\Users\Janice\AppData\Local\Temp\VFF.exe File not found
SRV - (HIZOGLG) -- C:\Users\Janice\AppData\Local\Temp\HIZOGLG.exe File not found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
O2 - BHO: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - No CLSID value found.

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Title: Re: Welcome to NGINX
Post by: nanajana on May 17, 2012, 09:29:09 PM
Hi Jeff,

I ran and pasted as you said.  I guess I forgot to save the log and just said yes to the reboot.  Is there somewhere else it would be.  So now opening my browser is really slow but I did wait it out and it did open.  Problem now is I can't open my otl to run the second scan.  I will keep trying but it seems like it isn't even connecting to problem, ie name doesn't turn blue and hourglass doesn't come up.

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: nanajana on May 18, 2012, 12:55:05 AM
Hi Jeff,

YAY!  success running OTL, had to do it in safe mode, see attached files.  Clicking on desktop getting better but still the occasional dreaded blue screen crash. Not sure why there's 3 reports but sending them all anyway.   Now do you want me to do the rest of the above instructions.  Please advise what's next.

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 18, 2012, 12:57:15 AM
Yes...please continue with GMER.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 18, 2012, 03:04:20 AM
Hi Jeff,

I have a few issues now, first I still get windows installer when I try to right click.  I'm finding that when I go into safe mode and right click it sorta freezes but when I hit the start button I can then right click and run as admin.  So I did this with GMER and it started, nothing said about rootkits so I proceeded, I printed this first but forgot to enlarge the window so I wasn't sure about the ADS button that was checked I think.  Anyway it started, ran for a bit then shut down and blue screen.  How many times can I keep rebooting without damaging my computer.  Also and I can't remember if it was this time or not but pretty sure this was when the screen came up "Windows has shut down unexpectedly etc", the ribbon was defaulted on "Repair your computer" which I don't recall ever seeing before.  I didn't do it because I didn't know if I should click on this or not.  Could this have to do with the windows installer keeping coming up on right click.  Next I go back here to enlarge that window so I can know exactly what to do in GMER then I get "problem loading page" and I then lost my internet connection, fortunately since this has happened a few times as well I now know how to deal with this problem without having to call my ISP.

So now do I leave my C drive checked  in Drives/Partition and uncheck D & E and nothing shows in "Show All" so is that how it should be.  I will wait to hear back before attempting this again and leave the ADS button checked?

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: nanajana on May 18, 2012, 02:32:45 PM
Hi,

I tried running GMER as admin again, had to go to safe mode to do it and again right click then click on start to be able to then right click and run as admin.  I was able to get to the box and follow the instructions.  I did notice a difference when GMER opened at the top of the box before I ran the scan.  The box shows two lines at the top on your gmer scan but my box had 7 lines with the bottom line being the same as the first line you show. My lines start with Device/Driver/atapi etc and gives a value. I don't know if this means anything but if so I can give you what was being scanned.  It started scanning then almost immediately it stopped working & I had to reboot (but at least it didn't crash as it usually does) and  it also did not ask for gmer system driver.  Please advise what's next!

Cheers,
Title: Re: Welcome to NGINX
Post by: jeffce on May 18, 2012, 04:09:39 PM
Quote
The box shows two lines at the top on your gmer scan but my box had 7 lines with the bottom line being the same as the first line you show. My lines start with Device/Driver/atapi etc and gives a value.
This will vary from computer to computer...I have about 15 lines when I start GMER.  :)

Ok...Run GMER from Safe Mode again.  This time, in addition to the boxes originally asked to be unchecked, be sure to uncheck Libraries and Threads as well this time.  Then continue with the instructions.  If GMER produces a log attach that please.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 18, 2012, 05:12:23 PM
Hi Jeff,

Did as you said absolutely cannot run GMER, it shuts down once the scan runs for a 1/2 a minute or so!  This is in safe mode.  I also understand now that the "Repair your Computer" button comes up when you press F8 to start in safe mode.  So what's next?

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 18, 2012, 09:16:18 PM
In the run box type the following

diskmgmt.msc

When disc management opens expand it so that all drives are visible
Take a screenshot and post it here

Are you able to burn a CD on another computer ?
-------------
Title: Re: Welcome to NGINX
Post by: nanajana on May 22, 2012, 06:52:29 PM
Hi,

I'm not sure where I do this.  Is it after all the commands load up, I don't get a cursor there to type this in.  I'm assuming this is in GMER or do you mean somewhere else?  Please advise, and yes I could burn a CD on another computer.

Cheers
Title: Re: Welcome to NGINX
Post by: Pondus on May 22, 2012, 06:57:01 PM
lower left corner START > run > diskmgmt.msc    hit enter button

expand the box, take screenshot....... save as gif (that makes it small) and attach
Title: Re: Welcome to NGINX
Post by: nanajana on May 22, 2012, 06:59:46 PM
Sigh, no it does not respond.  I hit enter, nothing.

Cheers


Title: Re: Welcome to NGINX
Post by: Pondus on May 22, 2012, 07:07:38 PM
so you don't see a box like this?...... see screenshot


well, jeffce will be back and guide you   ;)
Title: Re: Welcome to NGINX
Post by: nanajana on May 22, 2012, 07:30:31 PM
Hi Jeff,

I ran this through Control Panel & administrative tools and YAY! success.  One small step on the road to recovery!!

See attached,
Cheers
Title: Re: Welcome to NGINX
Post by: nanajana on May 22, 2012, 09:24:21 PM
Hi Jeff,

Just to let you know I'm not crashing anymore, still have issues but this one seems resolved, fingers & toes crossed!

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: nanajana on May 22, 2012, 10:28:23 PM
Hi Jeff,

It just keeps getting better & better,  I have my desktop back, I can right click left click and it all works.  I did try running GMER again but it still stopped although it has gone further than before.  Do you still want me to run command.exe, I can do it but not sure if we are past that now.  Actually what happened is I plugged my M drive back in, and I right click on my internet connection, windows installer came up and wanted to install AdAware.  It of course couldn't find the files and so I cancelled the installation and voila, windows installer is stopped now,  and right click is back, YAY!!  So now what's next?

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 23, 2012, 03:36:26 AM
Hi,

Sorry for the delay in responses...I have mandatory training with work this week and the hours are CRAZY!!  LOL!! 

Ok....the screenshot that you got looks just fine.  Since there are things that are running again explain exactly what problems you are still having.  :)

@Pondus:

Thanks for looking over this while I have been out.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 23, 2012, 04:18:56 AM
Hi,

Well starting this afternoon everything seems to be good.  It is quick to load up, browser comes up fast so I think everything is fine.  Do you think we are done?  Although I still have that file that would be associated with the virus I had namely win32 bagle.gen.zip worm and the file Adds key: HKCU\Software\Local AppWizard-Generated Applications.  So what does it mean to still have this if anything.  Also I have the false MBR on my M drive don't I?

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 23, 2012, 02:16:49 PM
Hi,

Could you give me the complete file path of the file you are referring to?  :)
----------

Code:
@echo off
rem Export the suspect key to a text file on the Desktop so it can be inspected
regedit.exe /e "%userprofile%\Desktop\look.txt" "HKCU\Software\Local AppWizard-Generated Applications"
rem Open the export; the path is quoted in case the profile path contains spaces
Notepad.exe "%userprofile%\Desktop\look.txt"
rem Remove the export (by full path, so this works from any current directory) and this batch file
Del "%userprofile%\Desktop\look.txt"
Del %0
Title: Re: Welcome to NGINX
Post by: nanajana on May 23, 2012, 03:18:18 PM
Hi Jeff,

Okay did as requested, see attached.  Also in one of the scans I did, I think it was aswMBR it shows a line that says "Unknown MBR code" .  Does that mean anything?  I am going to clean my M drive as soon as I finish downloading a few files to dvd's so hopefully that will take care of that fake MBR on that drive?

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: nanajana on May 23, 2012, 06:43:26 PM
Hi,

I decided to run disk management with my M drive plugged in, see attached.  I'm assuming it is all good!  No need to worry about my M drive?

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 24, 2012, 03:05:42 AM
Hi,

The unknown MBR is showing from the external drive and, since that drive is not used to boot, it is not actually a problem.  I am not seeing anything showing in the two screenshots you provided either so that is good.  :)
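The point made above, that "Unknown MBR code" on a drive that is never booted from is not a threat because that code never executes, is what tools like aswMBR and MBRCheck are checking for at a basic level: they hash the 440-byte bootstrap area of the first sector and compare it with hashes of genuine Windows boot code. The block below is an added example, not from the thread and not the code of aswMBR or MBRCheck. It parses a 512-byte MBR, validates the 0x55AA signature and the partition table, hashes the boot code, and reports unknown code differently depending on whether the disk is the boot disk. The three sample sectors and the known-good hash set are constructed here so it runs offline; a real tool would read the sector from the disk and carry vendor hashes.

```python
"""Parse a 512-byte MBR and judge whether "unknown MBR code" matters.

Added example, not from the thread or from aswMBR/MBRCheck. It does what those
tools do at a basic level: hash the bootstrap area, check the boot signature
and partition table, and treat unknown code on a non-boot disk as low risk
because that code never executes. The known-good hash set is constructed from
the sample below; a real tool ships hashes of genuine Windows boot code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440            # bootstrap code occupies bytes 0-439
DISK_SIG_OFF = 440            # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446          # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511


def parse_partition_entry(raw: bytes) -> dict:
    """Decode one 16-byte entry: status, CHS (ignored), type, LBA start, size."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {"status": status, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors,
            "empty": ptype == 0 and sectors == 0}


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(sector)}")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        entries.append(parse_partition_entry(sector[off:off + PART_ENTRY_LEN]))
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": entries,
        "valid_signature": sector[SECTOR_SIZE - 2:] == BOOT_SIGNATURE,
    }


def assess_mbr(sector: bytes, known_hashes: set, is_boot_disk: bool) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    used = [p for p in info["partitions"] if not p["empty"]]
    if any(p["status"] not in (0x00, 0x80) for p in used):
        findings.append("partition entry with invalid status byte")
    if sum(p["bootable"] for p in used) > 1:
        findings.append("more than one partition flagged active")
    if info["bootcode_sha256"] not in known_hashes:
        if is_boot_disk:
            findings.append("unknown MBR code on the boot disk: investigate before fixing")
        else:
            findings.append("unknown MBR code on a non-boot disk: low risk, code never executes")
    return findings


# --- constructed sample sectors (no real disk is read) ---------------------
def entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x00" * 3,
                       ptype, b"\x00" * 3, lba_start, sectors)


def build_sector(bootcode: bytes, entries: list, signature: bytes = BOOT_SIGNATURE) -> bytes:
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    table = b"".join(entries).ljust(4 * PART_ENTRY_LEN, b"\x00")
    return code + struct.pack("<I", 0x1234ABCD) + b"\x00\x00" + table + signature


CLEAN_CODE = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"  # cli / xor ax,ax / mov ss,ax / mov sp,7c00h
              b"CONSTRUCTED STAND-IN FOR GENUINE BOOT CODE").ljust(BOOTCODE_LEN, b"\x00")
KNOWN_BOOTCODE_SHA256 = {hashlib.sha256(CLEAN_CODE).hexdigest()}  # constructed baseline

SYSTEM_DISK = build_sector(CLEAN_CODE, [entry(True, 0x07, 2048, 204800)])
# Bootkit-style tampering: the first bytes of the boot code have been replaced.
PATCHED_DISK = build_sector(b"\xe9\x00\x02" + CLEAN_CODE[3:], [entry(True, 0x07, 2048, 204800)])
# External data drive: vendor boot stub, no active partition, never booted from.
EXTERNAL_DISK = build_sector(b"VENDOR STUB, NOT WINDOWS", [entry(False, 0x07, 63, 409600)])

if __name__ == "__main__":
    for label, sec, boot in [("system", SYSTEM_DISK, True), ("patched", PATCHED_DISK, True),
                             ("external", EXTERNAL_DISK, False)]:
        print(label, assess_mbr(sec, KNOWN_BOOTCODE_SHA256, boot) or ["clean"])
```

The "fix MBR" warning quoted earlier in the thread exists because rewriting the boot code is only safe on a disk whose partition table is intact; this is why the assessment reports signature and partition-table problems separately from the unknown-code finding, so that a reader can see which one they are dealing with before deciding to rewrite anything.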
Title: Re: Welcome to NGINX
Post by: nanajana on May 24, 2012, 04:44:59 AM
Hi,

Okay that's good.  So now here's the thing, I have some registry items that belong to the trojan win32/bagle.  They are HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications, under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000 (which I don't have) but under this key there are 6 subkeys and I have one ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1, don't know what any of this means.  I noticed I had a locked SPTD on one of the scans and when I researched this I read that this file could be part of Alcohol which was a program I had a few years ago and removed but again not sure about the locked part.

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 24, 2012, 02:04:21 PM
Hi,

Yes the SPTD is related to a CD emulation program like Alcohol or Daemon.  That is nothing to worry about.  :)
---------

Did you ever follow these instructions so that I can look at that registry key?  I asked for this a couple of posts ago?
Quote
Click Start > Run type Notepad click OK.
This will open an empty Notepad file.
Copy/Paste the contents of the box below into Notepad.

@echo off
rem Export the suspect key to a text file on the Desktop (full root name, quoted paths)
regedit.exe /e "%userprofile%\Desktop\look.txt" "HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications"
rem If no export file was produced, stop here instead of letting Notepad report a missing file
if not exist "%userprofile%\Desktop\look.txt" echo No export file was created. & pause & goto :done
Notepad.exe "%userprofile%\Desktop\look.txt"
Del "%userprofile%\Desktop\look.txt"
:done
Del "%~f0"

Click Format and ensure Wordwrap is unchecked.
Save as RegExp.bat
Save as file type All Files or it won't work.
Now double click on RegExp.bat to run it.
A file look.txt will open on your Desktop, please post the contents in your next reply.
Title: Re: Welcome to NGINX
Post by: nanajana on May 24, 2012, 02:10:50 PM
Hi Jeff,

Yes it is the scan at the top of this page.  I will do it again.  Same answer "Cannot find the file, etc"

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 25, 2012, 02:02:29 AM
Were you sure to save the File Type to All Files?   

I see where you registered at WTT.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 25, 2012, 02:58:19 AM
Hi Jeff,

Yes, I did it exactly as you said and that's what I got.  The cmd.exe comes up and pauses and then the box "Cannot find file etc".
My computer is running really fast, reboots fast, internet connection is fast and browser opening fast.  So that is all good.  Just concerned about the registry entries now.

So you did notice that I registered at WTT.  I didn't know if you would or not, seems pretty interesting! :)

Cheers,
Janice   
Title: Re: Welcome to NGINX
Post by: jeffce on May 25, 2012, 03:50:20 AM
Hi,

Those entries...if they are what they might be...seem to just be left over parts and really aren't of any concern.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 25, 2012, 04:26:07 AM
Hi,

Okay, should I just leave them there, should I delete them?  It seems that everything is finally running as it should. :)

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 25, 2012, 04:55:31 AM
I really think that you will be ok with leaving them alone.  :)

Providing there are no other malware related problems...

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D  SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :D

This infection appears to have been cleaned, but I can not give you any absolute guarantees.  As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.
----------

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run  and copy/paste the following text into the Run box as shown and click OK.
  Combofix /Uninstall
  (Note: There is a space between the ..X and the /U that needs to be there.)

(http://i1224.photobucket.com/albums/ee380/jeffce74/CF.jpg)
----------

Clean up with OTL:
----------

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
2. Enable Protected Mode in Internet Explorer.  This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code.  To make sure this is running follow these steps:

3. Use and update anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis.  With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly.  A tutorial on firewalls can be found here (http://www.bleepingcomputer.com/forums/tutorial60.html).  **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free (http://download.cnet.com/Online-Armor-Free/3000-10435_4-10426782.html)
Agnitum Outpost Firewall Free (http://download.cnet.com/Agnitum-Outpost-Firewall-Free/3000-10435_4-10913746.html)

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows Update (http://v4.windowsupdate.microsoft.com/en/default.asp) regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems.  Without these you are leaving the back door open.

6. WOT (http://www.mywot.com/) (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites.  WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

7. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?  (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
 
Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
Title: Re: Welcome to NGINX
Post by: nanajana on May 25, 2012, 06:32:44 AM
HI,

Okay I ran uninstall combofix but it couldn't find it so I guess I must have removed it already.  I ran OTL cleanup.  So hopefully we are done with this, YAY! :)

Thanks sooooo much, to have a resource such as this is totally invaluable.  Pat yourself on the back!

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 25, 2012, 01:35:30 PM
Hi!!

You are more than welcome and glad that I could help.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 30, 2012, 02:29:28 PM
HI,

Last night Avast Screensaver scan showed virus Threat:  Win32.malware-gen.  It showed it as being in C:\Users\Janice\Desktop\OTL.exe.  I moved it to the virus chest and then ran a boot time scan and it came up clean.  Would this be a false positive or is the win32\bagle\gen still hanging around?  Anything I should be running now to check this out?  Please advise.

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 30, 2012, 02:34:07 PM
Hi,

When I posted the instructions in this topic on how to remove OTL did you get that completed?  If not please do so.  Anyway, it will be a false positive and nothing to be concerned about.  If after you run the OTL cleanup instructions the icon is still there...just delete it, empty your Recycle Bin and that should fix you up.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on May 30, 2012, 02:37:01 PM
Hi Jeff,

Okay I'll check that out & make sure I remove as per instructions, thanks yet again!!!

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on May 30, 2012, 04:06:35 PM
 :)
Title: Re: Welcome to NGINX
Post by: nanajana on June 06, 2012, 05:31:05 PM
Hi Jeff,

I have been checking folders in my registry and came across a folder called Binary Noise.  So I checked to see what this is and came across this again for Win32/bagle trojan

These are the keys that are suspect:
        HKEY_CURRENT_USER\Software\Binary Noise
        HKEY_CURRENT_USER\Software\Binary Noise\mPlayer
        HKEY_CURRENT_USER\Software\Binary Noise\mPlayer\[filename of the sample #1] under here I have loader_pc_mprojector.exe & webshots_desktop_installer.exe. 

Now at one time I did have webshots installed.

So again not exactly sure if these are still active but am sure it shouldn't be there!

Please advise,
Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: nanajana on June 06, 2012, 05:54:16 PM
Hi Jeff,

I don't seem to be seeing the .exe files though that go with these entries so would that mean that the virus is effectively gone.  I am totally freaked out at the moment!!! but hope that is what it means.

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on June 06, 2012, 06:44:29 PM
Hi,

We can remove that if you wish?  I see where you are concerned.

Please download and run ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Next I would like you to take the following steps:
Code:
Windows Registry Editor Version 5.00

; The leading "-" inside the brackets deletes this key and all of its subkeys when the file is merged
[-HKEY_CURRENT_USER\Software\Binary Noise]
Go ahead and check to be sure it is not there any longer and let me know. 
Title: Re: Welcome to NGINX
Post by: nanajana on June 06, 2012, 08:42:10 PM
Hi Jeff,

Did as suggested and it is gone!  Why would I have a folder called HKEY_CURRENT_USER with subfolders SOFTWARE, subfolder Microsoft, subfolder Windows, subfolder CurrentVersion, subfolder RunOnce within the registry entry called HKEY_CURRENT_USER?  I don't recall seeing that before but....

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: nanajana on June 06, 2012, 10:20:53 PM
Hi Jeff,

Can we also get rid of HKCU\Software\Local AppWizard-Generated Applications which is part of win32/bagle trojan.

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on June 06, 2012, 11:01:38 PM
Code:
@echo off
rem Export the suspect key to a text file on the Desktop (full root name, quoted paths)
regedit.exe /e "%userprofile%\Desktop\look.txt" "HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications"
rem If no export file was produced, stop here instead of letting Notepad report a missing file
if not exist "%userprofile%\Desktop\look.txt" echo No export file was created. & pause & goto :done
Notepad.exe "%userprofile%\Desktop\look.txt"
Del "%userprofile%\Desktop\look.txt"
:done
Del "%~f0"
Title: Re: Welcome to NGINX
Post by: nanajana on June 07, 2012, 12:03:19 AM
HI Jeff,

Okay did as requested, see attached file.

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on June 07, 2012, 12:22:30 AM
Registry keys are normally not enough to be infected.  Most of them look pretty strange but if you aren't experiencing any problems we should leave them alone.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on June 07, 2012, 01:10:40 AM
Hi Jeff,

By "Most of them look pretty strange" do you mean the entries that I attached in my last post?  The only entry there I recognize is Zoombrowser entry which is part of my Canon camera software.

TrojanDownloader:Win32/Bagle.gen!A creates the following registry subkeys and entries as part of its installation routine:
 
Adds value: "frstrunn"
With data: "1"
To subkey: HKCU\Software\bisoft  -  I DON'T HAVE THIS ONE
 
Adds value: "EnableLUA"
With data: "<value>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\Security Center\Svc  - I DON'T HAVE THIS ONE
 
where <value> is a certain number.
 
Adds key: HKCU\Software\Local AppWizard-Generated Applications
 
and all its associated subkeys.  I JUST HAVE THIS ONE
 
It may also create the following folders:
 

    %AppData%\drivers
    %AppData%\drivers\downld  - I DON'T KNOW ABOUT EITHER OF THESE AS I DON'T KNOW WHERE TO LOOK!

Anyway, sorry to be obsessing about this & being such a pest, I just want to be sure I'm free of this virus!
Well okay I will leave this alone.  You're the best, thanks soooo much yet again!

Cheers,
Janice
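The indicator list quoted in the post above, the look.txt export that jeffce asked for, and the [-HKEY_CURRENT_USER\Software\Binary Noise] deletion file he posted earlier all deal with the same artefact: the text format that regedit /e writes and a merged .reg file uses. The following Python is an added example for this page, not code from either poster or from Avast. It decodes an export (UTF-16LE with BOM for "Version 5.00" files), parses keys and values including the backslash-continued hex(...) lines, decodes the value encodings, reports which of the quoted Bagle indicators are present, and builds the "[-key]" deletion form. The sample export SAMPLE_EXPORT is constructed for the example and is nobody's real look.txt; the function names are the example's own.

```python
"""Parse a "regedit /e" export, check it against the Win32/Bagle registry
indicators quoted in the thread, and build the "[-key]" deletion .reg used for
the Binary Noise key.  Added example, not code from the forum posts."""
import re
from typing import Dict, List, Optional, Tuple

# Indicators as quoted from the Microsoft write-up in the thread: (key, value
# name); a value name of None means "the key or any subkey is present".
BAGLE_INDICATORS: List[Tuple[str, Optional[str]]] = [
    (r"HKEY_CURRENT_USER\Software\bisoft", "frstrunn"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\Svc", "EnableLUA"),
    (r"HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications", None),
    (r"HKEY_CURRENT_USER\Software\Binary Noise", None),
]
# A value line is @=... (the key's default value) or "quoted name"=...
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

def decode_reg_export(raw: bytes) -> str:
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 files are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("cp1252")

def parse_reg(text: str) -> Dict[str, Optional[Dict[str, str]]]:
    """Return {key path: {value name: raw value text}}; a "[-key]" deletion
    section maps to None.  A trailing backslash continues the line, which is
    how regedit wraps long hex(...) data."""
    keys: Dict[str, Optional[Dict[str, str]]] = {}
    current: Optional[str] = None
    pending = ""
    for line in text.splitlines():
        line, pending = pending + line.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line[0] == "[" and line[-1] == "]":
            name = line[1:-1]
            if name.startswith("-"):          # deletion entry: no values follow
                current, keys[name[1:]] = None, None
            else:
                current, keys[name] = name, {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current]["(Default)" if m.group(1) is None else m.group(1)] = m.group(2)
    return keys

def decode_value(raw: str):
    """Turn the textual form regedit uses into (type name, Python value)."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return "REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo \" and \\
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        return "UNKNOWN", raw
    kind = int(m.group(1) or 3)       # bare "hex:" is REG_BINARY (type 3)
    data = bytes.fromhex(m.group(2).replace(",", ""))
    if kind == 2:                     # REG_EXPAND_SZ: UTF-16LE, NUL terminated
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\0")
    if kind == 7:                     # REG_MULTI_SZ: NUL-separated UTF-16LE strings
        return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\0") if s]
    return {3: "REG_BINARY", 11: "REG_QWORD"}.get(kind, "hex(%d)" % kind), data

def check_indicators(keys, indicators=BAGLE_INDICATORS) -> List[Tuple[str, Optional[str]]]:
    """Registry paths are case-insensitive, so compare lower-cased.  A key
    indicator also fires on subkeys ("and all its associated subkeys"); a
    value indicator fires only when that value sits on that exact key."""
    hits = []
    for key_path, values in keys.items():
        if values is None:            # deletion entry: nothing present to match
            continue
        k, present = key_path.lower(), {v.lower() for v in values}
        for ind_key, ind_value in indicators:
            ik = ind_key.lower()
            if ind_value is None and (k == ik or k.startswith(ik + "\\")):
                hits.append((key_path, None))
            elif ind_value is not None and k == ik and ind_value.lower() in present:
                hits.append((key_path, ind_value))
    return hits

def removal_reg(key_path: str) -> bytes:
    """Bytes of a .reg file that deletes key_path and everything below it when
    merged; the "-" inside the brackets marks the deletion, the same form the
    thread used for Binary Noise.  Back the hive up (ERUNT) before merging."""
    text = "Windows Registry Editor Version 5.00\r\n\r\n[-%s]\r\n" % key_path
    return b"\xff\xfe" + text.encode("utf-16-le")

# Constructed sample of what an export looks like; not anyone's real look.txt.
SAMPLE_EXPORT = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Local AppWizard-Generated Applications]\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Local AppWizard-Generated Applications\\ZoomBrowser EX]\r\n"
    '"FirstRun"=dword:00000000\r\n@=""\r\n\r\n'
    "[HKEY_CURRENT_USER\\Software\\bisoft]\r\n"
    '"frstrunn"="1"\r\n'
    '"Path"=hex(2):43,00,3a,00,5c,00,\\\r\n'
    "  74,00,6d,00,70,00,00,00\r\n"
).encode("utf-16-le")
```

To run it against a real export, read look.txt as bytes (open(path, "rb").read()), pass the bytes through decode_reg_export and parse_reg, and hand the result to check_indicators. On the constructed sample it reports the Local AppWizard-Generated Applications key, its ZoomBrowser EX subkey, and the bisoft\frstrunn value. As jeffce says in the thread, a leftover key on its own is not evidence of an active infection, so treat the hits as a list of things to look at, and use removal_reg only for a key you have decided to delete after backing up the registry.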
Title: Re: Welcome to NGINX
Post by: jeffce on June 07, 2012, 01:19:52 AM
I understand your desire to be infection free. 

I feel confident that you are and I am glad that I could help.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on June 07, 2012, 01:33:06 AM
Hi Jeff,

If you are confident that I'm virus free then I am confident that I am virus free :) !

Thank you, thank you, thank you!

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on June 10, 2012, 02:36:13 AM
You are more than welcome.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on June 20, 2012, 09:47:31 PM
HI,

I'm not sure what is going on with my computer, I got the unresponsive script message "Warning:  Unresponsive Script"  A Script may be busy or it may have stopped responding.  You can stop the script now, or you can continue to see if the script will complete.  Script: chrome://browser/content/sanitize.js:133 but at least I don't get the "Welcome to NGINX" page yet.  I do have a few problems though.  From time to time I lose my disconnect from the internet button.  I look like I'm disconnected, my connection shows that I have to connect to go on the net but I am actually still on the net.  I'm not getting the blue screen of death this go round but I do have to reboot fairly often because things are hanging up and I can't get rid of them, for example:  I had deleted something I wanted back so I went to my trash to restore it, it restored but the restore command stayed on my desktop.  My clock will be slow by about 1/2 hr on one reboot but when I reboot again it will be correct.  My update from Avast (the green box that comes up) hangs up & I can't get rid of it either until I reboot.  Clicking on the "x" does nothing.

I will admit to being totally paranoid and hope the virus isn't back but don't know if I should run the tools again or if this is a different issue altogether! 

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: nanajana on June 21, 2012, 07:17:17 AM
Hi,

I hopefully have resolved my connection problem.  I called my ISP and even though I have to connect and disconnect differently than I did before they checked to make sure no one else was using my username and password so it's a relief to know that I'm all alone on my computer!  They couldn't tell me why this is happening though.  Upon reboot it was trying to connect to dial-up connection even though I am connected to broadband.

Cheers,
Janice

PS I am going to be away from my computer for a few days.  Will check when I get back.
Title: Re: Welcome to NGINX
Post by: nanajana on July 16, 2012, 11:11:15 PM
HI,

I have been experiencing a very slow computer and the dreaded BSOD at least 6 times in the last week or so.  Mostly comes up when I am trying to install a program.  I hope nothing is happening as above but I ran all the logs just to make sure.  I have attached below.

Cheers,
Janice
Title: Re: Welcome to NGINX
Post by: jeffce on July 17, 2012, 02:26:13 PM
Hi,

Could you start a new topic for this so that we don't get anything confused while fixing your system?  Thanks.  :)
Title: Re: Welcome to NGINX
Post by: nanajana on July 17, 2012, 02:28:11 PM
Yes I will, thanks.