Author Topic: Welcome to NGINX  (Read 21198 times)

Offline nanajana

  • Sr. Member
  • ****
  • Posts: 335
  • Gender: Female
  • Health is Wealth
    • Personal Message (Offline)
Welcome to NGINX
« on: April 21, 2012, 05:07:59 AM »
Not sure if this is related or not but upon closing Firefox I get a box up that states "Warning:  Unresponsive Script"  A Script may be busy or it may have stopped responding.  You can stop the script now, or you can continue to see if the script will complete.
Script:chrome//browser/content/sanatize.js:135
, so what happens is I get this message and before long I get "Welcome to NGINX", instead of my homepage.  The address bar shows http:// and my homepage address but alas it does not go there or anywhere.  I believe this is an infection but it is not being picked up by antivirus.  Any ideas how I can get rid of this malware.

Thanks,
I love my computer but why do others want me to hate it!

Offline Asyn

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 24925
  • Frohe Ostern
    • >>>  avast! Forum - Deutschsprachiger Bereich  <<<
    • Personal Message (Offline)
Re: Welcome to NGINX
« Reply #1 on: April 21, 2012, 06:10:51 AM »
I believe this is an infection but it is not being picked up by antivirus.  Any ideas how I can get rid of this malware.

Thanks,

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware.
Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
XP SP3 - avast! 9.0.2018 - CIS 3.14 [FW/D+] - MBAM 1.75 [On Demand] - Firefox ESR 24.4 [NS/ABP/EHH/BP] - Thunderbird 24.4 [EM/CH]
Deutschsprachiger Bereich -> avast! Wissenswertes (Downloads, Anleitungen und Infos): http://forum.avast.com/index.php?topic=60523.0

Offline nanajana

  • Sr. Member
  • ****
  • Posts: 335
  • Gender: Female
  • Health is Wealth
    • Personal Message (Offline)
Re: Welcome to NGINX
« Reply #2 on: April 21, 2012, 03:29:32 PM »
After this post I ran SuperAntiSpyware see attached log.  Since then I have my homepage back but everything is running slower than usual.  I have gotten this message twice now A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
Script: chrome://browser/content/sanitize.js:133
, after shutting Firefox.  Usually this appears 3 or 4 times before my homepage is highjacked to the WELCOME TO NGINX page.  I  have been opening and closing Firefox but so far so good.  I do think the infection is still on my machine though.  I went to the page you referenced, ran MalwareBytes (I do have it installed on my computer) it says no malicious items found. See attached. 
I love my computer but why do others want me to hate it!

Offline nanajana

  • Sr. Member
  • ****
  • Posts: 335
  • Gender: Female
  • Health is Wealth
    • Personal Message (Offline)
Re: Welcome to NGINX
« Reply #3 on: May 07, 2012, 04:47:08 AM »
I have this problem again!  Welcome to nginx blocks my homepage, but I can go to any other site, either through favourites or typing in url.  It started this time by first redirecting me to Ad-Aware browsing, at top of page, and lists different sites, including my home page site but if I click on that site it doesn't do anything.  So this happened for a day and then today it brought up the Welcome to nginx page.  Nothing else on page and this appears at the top.  I have run malewarebytes, superanitspyware, ad-aware, spybot.  All say no threats on my computer and of course I have avast running all the time with no threats shown either.  I have gotten rid of it by clearing my DNS cache and refreshing page.  Info I have found online: "While Nginx is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server and the Welcome to nginx page does not belong to them.  Something must be wrong with your operating system settings, home router setup, or browser configuration, if you are trying to access a well known web site and what you get instead is “Welcome to nginx!”. This should NOT happen if your computers and network are clean and safe.

If changing DNS servers to Google Public DNS, flushing DNS resolver cache, fixing your browser configuration, or cleaning "hosts" file (when applicable) have helped, it might be that there's a malware somewhere on your PC or around. Find and clean it using your preferred anti-virus and anti-malware tools.


What do I do now? 


« Last Edit: May 07, 2012, 04:59:58 AM by nanajana »
I love my computer but why do others want me to hate it!

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21731
  • Gender: Male
    • Personal Message (Offline)
Re: Welcome to NGINX
« Reply #4 on: May 07, 2012, 05:08:06 AM »
Quote
What do I do now? 
follow the link Asyn gave you above....
attach the logs from malwarebytes / OTL / aswMBR

then one of the malware removers will help you when they arrive later today
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline nanajana

  • Sr. Member
  • ****
  • Posts: 335
  • Gender: Female
  • Health is Wealth
    • Personal Message (Offline)
Re: Welcome to NGINX
« Reply #5 on: May 07, 2012, 06:42:26 AM »
I did as suggested but everytime I tried to open OTL my computer crashed.  So I couldn't do it.  I successfully ran aswMBR, see attached.  But the first time I ran it it said   Scan error: Incorrect function. see attached.  Hope you can deal with the "infected file".
I love my computer but why do others want me to hate it!

Offline nanajana

  • Sr. Member
  • ****
  • Posts: 335
  • Gender: Female
  • Health is Wealth
    • Personal Message (Offline)
Re: Welcome to NGINX
« Reply #6 on: May 07, 2012, 06:52:21 AM »
Forgot to attach mbam log so here it is!
I love my computer but why do others want me to hate it!

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21731
  • Gender: Male
    • Personal Message (Offline)
Re: Welcome to NGINX
« Reply #7 on: May 07, 2012, 07:07:38 AM »
well aswMBR show one infection as i can see.... a trojan sms.send
did you update malwarebytes before scan?
have you run a quick scan with avast?

anyway the malwarere removers will deal with it when they arrive
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline jeffce

  • Probably Not A Bot
  • avast! Evangelist
  • Massive Poster
  • ***
  • Posts: 2463
  • Gender: Male
  • Member of UNITE
    • Malware Removal
    • Personal Message (Offline)
Re: Welcome to NGINX
« Reply #8 on: May 07, 2012, 01:20:23 PM »
Hi,

Be sure to run OTL per the instructions on the page given earlier by Asyn and then do the following...

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------
« Last Edit: May 07, 2012, 01:25:45 PM by jeffce »

Offline nanajana

  • Sr. Member
  • ****
  • Posts: 335
  • Gender: Female
  • Health is Wealth
    • Personal Message (Offline)
Re: Welcome to NGINX
« Reply #9 on: May 07, 2012, 04:02:30 PM »
I was finally able to run OTL in safe mode.  Twice when trying to run it Avast wouldn't allow it, felt it may be malicious but did try to run it in sandbox second time but still would not run it.  I even tried disabling avast for 10 mins but after that it crashed everytime I tried to run it - blue screen with message A problem has been detected and windows has been shutdown to protect your computer.

I didn't get an extras log only the one log which I have attached.  Prior to running a quick scan I inadvertently ran a full scan which did generate an extras log.  I will send it if you need it but it was too big of a file to send both at this time.

I will now continue with the rest of your instructions, Thanks!!
I love my computer but why do others want me to hate it!

Offline nanajana

  • Sr. Member
  • ****
  • Posts: 335
  • Gender: Female
  • Health is Wealth
    • Personal Message (Offline)
Re: Welcome to NGINX
« Reply #10 on: May 07, 2012, 04:19:15 PM »
Hi,

I ran TDSSKILLER.exe.  I got one suspicious event, object sptd (LockedFile.Multi.Generic).  I wasn't sure what to do so I copied it in quarantine, only other options were, skip and delete.  the file that copied is: C:\Windows\system32/Drivers\sptd.sys. 

I am waiting for further instructions.

Cheers!
I love my computer but why do others want me to hate it!

Offline jeffce

  • Probably Not A Bot
  • avast! Evangelist
  • Massive Poster
  • ***
  • Posts: 2463
  • Gender: Male
  • Member of UNITE
    • Malware Removal
    • Personal Message (Offline)
Re: Welcome to NGINX
« Reply #11 on: May 07, 2012, 05:46:38 PM »
Hi,

Please download ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
IE - HKLM\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2653012
IE - HKLM\..\SearchScopes\{CB6F7A3F-076D-4CC4-B363-249E2C3393CA}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&amp;entrypoint={referrer:source?}&amp;FORM=HVDUS7
IE - HKLM\..\SearchScopes\{FD1AAA9E-C6FA-43E8-B3DD-914CFD0F4B72}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKCU\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2653012
FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.startup.homepage: "http://www.winnipegfreepress.com"
[2012/04/30 14:49:57 | 000,000,000 | ---D | M] (Vuze Remote Community Toolbar) -- C:\Users\Janice\AppData\Roaming\Mozilla\Firefox\Profiles\cys0nb0e.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
[2011/05/05 21:55:31 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\Janice\AppData\Roaming\Mozilla\Firefox\Profiles\cys0nb0e.default\extensions\engine@conduit.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Vuze Remote Toolbar) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
O15 - HKCU\..Trusted Domains: internet ([]about in Internet)
O15 - HKCU\..Trusted Domains: umanitoba.ca ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: winnipegfreepress.com ([www] https in Trusted sites)
O33 - MountPoints2\{15421b98-126e-11df-a52a-001d6053f73f}\Shell - "" = AutoRun
O33 - MountPoints2\{15421b98-126e-11df-a52a-001d6053f73f}\Shell\AutoRun\command - "" = N:\LaunchU3.exe -a
O33 - MountPoints2\{a81b2902-5e1a-11df-a963-001d6053f73f}\Shell\AutoRun\command - "" = N:\Start.exe
O33 - MountPoints2\{adb96414-df5c-11dd-a76a-001d6053f73f}\Shell - "" = AutoRun
O33 - MountPoints2\{adb96414-df5c-11dd-a76a-001d6053f73f}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
O33 - MountPoints2\{d465be05-dc37-11dd-b22b-001d6053f73f}\Shell - "" = AutoRun
O33 - MountPoints2\{d465be05-dc37-11dd-b22b-001d6053f73f}\Shell\AutoRun\command - "" = N:\LaunchU3.exe -a
O33 - MountPoints2\{d465be13-dc37-11dd-b22b-001d6053f73f}\Shell - "" = AutoRun
O33 - MountPoints2\{d465be13-dc37-11dd-b22b-001d6053f73f}\Shell\AutoRun\command - "" = N:\LaunchU3.exe -a
O33 - MountPoints2\{f115c707-e461-11e0-815c-001d6053f73f}\Shell - "" = AutoRun
O33 - MountPoints2\{f115c707-e461-11e0-815c-001d6053f73f}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2012/04/21 20:02:24 | 000,102,400 | ---- | M] () -- C:\Users\Janice\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/15 12:11:11 | 000,000,000 | ---D | M] -- C:\Users\Janice\AppData\Roaming\Azureus
[2009/05/05 23:28:59 | 000,000,000 | ---D | M] -- C:\Users\Janice\AppData\Roaming\IObit
[2009/12/28 16:57:59 | 000,000,000 | ---D | M] -- C:\Users\Janice\AppData\Roaming\LimeWire
[2012/04/21 20:31:30 | 000,000,000 | ---D | M] -- C:\Users\Janice\AppData\Roaming\uTorrent

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.  Reboot when it is done.
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Offline nanajana

  • Sr. Member
  • ****
  • Posts: 335
  • Gender: Female
  • Health is Wealth
    • Personal Message (Offline)
Re: Welcome to NGINX
« Reply #12 on: May 07, 2012, 07:41:06 PM »
Hi,

I did as instructed but when I ran otl again and after I ran the fix I wasn't able to uncheck LOP & Purity boxes.  As soon as I checked all users it automatically checked these boxes.  Attached are the two logs generated.  Please advise what's next!

Cheers!
I love my computer but why do others want me to hate it!

Offline jeffce

  • Probably Not A Bot
  • avast! Evangelist
  • Massive Poster
  • ***
  • Posts: 2463
  • Gender: Male
  • Member of UNITE
    • Malware Removal
    • Personal Message (Offline)
Re: Welcome to NGINX
« Reply #13 on: May 07, 2012, 11:18:38 PM »
Hi,

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
O2 - BHO: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
O2 - BHO: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - No CLSID value found.
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
      • Then click the Run Fix button at the top
      • Let the program run unhindered, reboot when it is done
      • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
      ----------

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.
  • Do not use this instance of your browser for anything besides doing this scan
  • When the scan is complete and the results saved, close that instance of your browser
  • Open a new one the usual way and post the results in this topic.
[list=1]
  • Right-click and Run as Administartor on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)[list=1]
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin

scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Back button.
  • Push Finish
http://www.eset.com/onlinescan/
----------

In your next reply please attach the logs made by OTL, Malwarebytes and ESET online scanner.  :)

Offline nanajana

  • Sr. Member
  • ****
  • Posts: 335
  • Gender: Female
  • Health is Wealth
    • Personal Message (Offline)
Re: Welcome to NGINX
« Reply #14 on: May 08, 2012, 01:29:30 AM »
Whew, this is a lot of work, lol!  Anyway I have run otl again but what's with this.  I try to run it on my computer, Avast terminates the program but it did run once before crashing my computer.  I ran it in safemode but it does not allow me to uncheck LOP or purity boxes.  They are unchecked until I click on quick scan and then they automatically check the boxes.  I updated and ran Mbam & I have attached the two logs and will continue on with your instructions
I love my computer but why do others want me to hate it!

 

Google Chrome

AVAST recommends using the FREE Google Chrome™ browser.

Download Google Chrome Now