
Nginx infection/Google redirect

5 replies to this topic

#1 in10z

in10z

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:03 PM

Posted 03 April 2012 - 01:31 PM

Hello,

Have a Windows 7 system on Dual-core Gateway 64 bit system.

The dreaded "Welcome to Nginx" is present on a google startpage.

Ran Malwarebytes yesterday. Nothing found.

Then ran ESET, which discovered and cleaned:

win32/installCore.D application
win32/installCore.A application


But "Welcome to Nginx" still tethered to system.

Ran Norton's Boot Rescue. Nothing found.

Finally Kaspersky's TDSSKiller. Nothing found.



Sure could use some help,


Thanks MUCH in advance. :)


#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:02:03 AM

Posted 03 April 2012 - 01:40 PM

Your hosts file has been hijacked; before that, let's make sure the PC is clean.

Download

TDSSkiller

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the LOG report (the log file should be in your C drive).


Download

aswMBR

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".

Post the log results here

Edited by narenxp, 03 April 2012 - 01:41 PM.


#3 in10z

in10z
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:03 PM

Posted 03 April 2012 - 04:35 PM

Thanks narenxp. Just as I finished the first post I went and ran TDSSKiller with the TDLFS option, in addition to the scan I made without that option.
The Nginx appears to be gone! Yay!

Okay, take a look at this, just the aswMBR report (I tried to post the log and the forum software rejected it as being too large a post):


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-03 12:15:49
-----------------------------
12:15:49.706 OS Version: Windows x64 6.1.7601 Service Pack 1
12:15:49.706 Number of processors: 2 586 0x602
12:15:49.707 ComputerName:
12:15:50.793 Initialize success
12:16:55.060 AVAST engine defs: 12040301
12:17:57.664 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
12:17:57.667 Disk 0 Vendor: WDC_WD2500BEVT-22ZCT0 11.01A11 Size: 238475MB BusType: 11
12:17:57.686 Disk 0 MBR read successfully
12:17:57.688 Disk 0 MBR scan
12:17:57.694 Disk 0 Windows 7 default MBR code
12:17:57.697 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12291 MB offset 63
12:17:57.713 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 101 MB offset 25173855
12:17:57.728 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 226080 MB offset 25382700
12:17:57.752 Disk 0 scanning C:\Windows\system32\drivers
12:18:09.460 Service scanning
12:18:38.028 Modules scanning
12:18:38.036 Disk 0 trace - called modules:
12:18:38.076 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
12:18:38.083 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004352120]
12:18:38.088 3 CLASSPNP.SYS[fffff8800181743f] -> nt!IofCallDriver -> [0xfffffa80042db9b0]
12:18:38.094 5 ACPI.sys[fffff88000f7e7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80042d0680]
12:18:39.313 AVAST engine scan C:\Windows
12:18:42.203 AVAST engine scan C:\Windows\system32
12:22:41.725 AVAST engine scan C:\Windows\system32\drivers
12:22:58.414 AVAST engine scan C:\Users\-
12:24:06.053 AVAST engine scan C:\ProgramData
12:27:23.668 Scan finished successfully
12:29:42.854 Disk 0 MBR has been saved successfully to "------\MBR.dat"
12:29:43.018 The log file has been saved successfully to "------\aswMBR.txt"



And here is where the bugger was, in a section of the TDSSKiller (with TDLFS) log, as the forum software said my post was too long:

11:41:16.0681 1072 FreemakeUtilsService ( UnsignedFile.Multi.Generic ) - warning
11:41:16.0681 1072 FreemakeUtilsService - detected UnsignedFile.Multi.Generic (1)


This was deleted (or handled) by the Kaspersky tool.


Looks good then, yes?

Anyway I appreciate your help
Thanks

Edited by in10z, 03 April 2012 - 06:53 PM.


#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:02:03 AM

Posted 05 April 2012 - 04:51 AM

Good.

Download

MiniToolBox

Check the following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.
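The three checks most relevant to a "Welcome to nginx" redirect (hosts file contents, IE proxy settings, DNS flush) can also be run by hand in PowerShell. This is an added example, not MiniToolBox and not code from anyone in this thread; it assumes the standard Windows hosts file path and the per-user Internet Settings registry key that Internet Explorer uses for its proxy, and it should be run from an elevated prompt.

```powershell
# Added example (not MiniToolBox and not from the thread): list non-loopback
# hosts-file mappings, report the IE/WinINET proxy settings, and flush DNS.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Addresses that a hosts entry may legitimately point at; anything else
# sends the named site somewhere other than its real server.
$loopback = @('127.0.0.1', '::1', '0.0.0.0')

$suspicious = @()
foreach ($line in Get-Content -Path $hostsPath -ErrorAction Stop) {
    $entry = ($line -replace '#.*$', '').Trim()   # strip comments and whitespace
    if ($entry -eq '') { continue }
    $fields = $entry -split '\s+'
    if ($fields.Count -lt 2) { continue }          # malformed line, nothing to map
    $ip = $fields[0]
    if ($loopback -contains $ip) { continue }      # local block entries are fine
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        # A real hostname pinned to a remote address is exactly how a
        # "Welcome to nginx" redirect is planted in the hosts file.
        $suspicious += [pscustomobject]@{ Address = $ip; Hostname = $name }
    }
}

if ($suspicious.Count -eq 0) {
    Write-Host 'hosts file: no non-loopback mappings found'
} else {
    Write-Host 'hosts file: entries that redirect hostnames to other addresses (review each):'
    $suspicious | Format-Table -AutoSize
}

# IE (WinINET) proxy settings live in the per-user Internet Settings key.
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $ieKey
Write-Host ('IE ProxyEnable={0} ProxyServer={1} AutoConfigURL={2}' -f $ie.ProxyEnable, $ie.ProxyServer, $ie.AutoConfigURL)
if ($ie.ProxyEnable -eq 1 -or $ie.AutoConfigURL) {
    Write-Host 'A proxy or PAC script is configured; confirm it is one you set up.'
}

# Flush the resolver cache so a cleaned hosts file takes effect immediately.
# ipconfig is used because Clear-DnsClientCache does not exist on Windows 7.
ipconfig /flushdns | Out-Null
Write-Host 'DNS resolver cache flushed'
```

Any hostname listed under the first check that you did not add yourself is worth removing from the hosts file before re-testing the redirect.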

#5 sjsrobette

sjsrobette

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:03 PM

Posted 12 April 2012 - 02:05 PM

I tried these steps, but it didn't help. Any other suggestions? My laptop has a 2.2GHz i7 processor and is running Windows 7 Home Premium with 6.1.7601 Service Pack 1 Build 7601. Thanks!

#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:02:03 AM

Posted 12 April 2012 - 11:37 PM

sjsrobette

Create a new topic to avoid confusion.

Thanks
