Help with "Welcome to nginx!"

I believe my computer is infected by “Welcome to nginx.” Though, for a while, I haven’t seen the plain white screen that only says Welcome to nginx, my computer has been much slower since then. I guess I can tolerate my computer being more sluggish, but I’m afraid nginx will gain access to some of my personal files.

As directed on your website, I scanned my laptop using the aswMBR program and have attached the log. Any help you can give me would be greatly appreciated.

Jeff B.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-01 16:27:49
-----------------------------
16:27:49.250    OS Version: Windows 5.1.2600 Service Pack 3
16:27:49.250    Number of processors: 2 586 0xE08
16:27:49.250    ComputerName: JUSTJEFFB  UserName:
16:27:50.156    Initialize success
16:34:38.250    AVAST engine defs: 12060100
16:34:46.906    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
16:34:46.906    Disk 0 Vendor: TOSHIBA_MK8032GSX AS111G Size: 76319MB BusType: 3
16:34:46.937    Disk 1  \Device\Harddisk1\DR3 -> \Device\0000008f
16:34:46.937    Disk 1 Vendor: (  Size: 76319MB BusType: 0
16:34:46.937    Disk 2  \Device\Harddisk2\DR4 -> \Device\00000090
16:34:46.937    Disk 2 Vendor: (  Size: 76319MB BusType: 0
16:34:46.953    Disk 0 MBR read successfully
16:34:46.953    Disk 0 MBR scan
16:34:47.140    Disk 0 Windows XP default MBR code
16:34:47.140    Disk 0 Partition 1 00     12  Compaq diag NTFS         5592 MB offset 63
16:34:47.171    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        70723 MB offset 11454345
16:34:47.171    Disk 0 scanning sectors +156296385
16:34:47.343    Disk 0 scanning C:\WINDOWS\system32\drivers
16:35:06.546    Service scanning
16:35:42.265    Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
16:35:48.296    Service Tablet2k C:\WINDOWS\"%SystemRoot%\System32\Drivers\Tablet2k.sys" **LOCKED** 123
16:36:17.328    Modules scanning
16:36:49.031    Disk 0 trace - called modules:
16:36:49.078    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spve.sys >>UNKNOWN [0x87785938]<<
16:36:49.078    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8772dab8]
16:36:49.078    3 CLASSPNP.SYS[f75defd7] -> nt!IofCallDriver -> \Device\0000008c[0x87744030]
16:36:49.078    5 ACPI.sys[f733d620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x87682940]
16:36:52.234    AVAST engine scan C:\WINDOWS
16:37:14.750    AVAST engine scan C:\WINDOWS\system32
16:43:12.781    AVAST engine scan C:\WINDOWS\system32\drivers
16:43:46.156    AVAST engine scan C:\Documents and Settings\Jeff P. Butler
17:08:23.937    AVAST engine scan C:\Documents and Settings\All Users
17:11:00.109    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jeff P. Butler\Desktop\MBR.dat"
17:11:00.140    The log file has been saved successfully to "C:\Documents and Settings\Jeff P. Butler\Desktop\aswMBR.txt"

Are you still infected??

Quads

Hello Quads!

Thanks for your reply. Yes, I believe I'm still infected. Though I don't see the "Welcome to nginx" screen as much now, my computer is reacting MUCH SLOWER since I've had the virus or trojan or whatever it is. Moving between pages and sites on Internet Explorer is PAINSTAKINGLY slow, as is opening Microsoft Word. Any help you can give me would be greatly appreciated.

By the way, is the Norton Community the place I should be posting this information, or is there another place I should use?

Thanks again and I look forward to your reply.

Jeff B.

Quads,

I forgot to mention that I get quite a few "not responding" messages while using Internet Explorer.  This has only happened for a few weeks now.

Thanks!

Jeff B.

Please do not run any tools unless instructed to do so.

  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please read every post completely before doing anything.

  • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of this forum (sometimes).

  • Attention to detail is important! Since I cannot see or directly interact with your computer, I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

Let's see if this will free up Internet Explorer somewhat, so it becomes easier to surf and download anything via IE.

Use this tool by Microsoft: http://support.microsoft.com/kb/923737

Quads

Hey Quads!

Thanks for your quick reply. It's been a crazy week, so I wasn't able to respond right away. When I tried to download and run "Microsoft Fix It," I kept getting the following message: "The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2755." I even tried downloading it from a different site, but to no avail. What is my next step? I appreciate any help you can give me.

Jeff B.

On the download page http://support.microsoft.com/kb/923737

Go down to "Let me reset Internet Explorer myself" and try that. I want the IE data gone so that it is clean.

Quads

Hi Quads!

Thanks again for the reply.  I went to the Microsoft site indicated, but just like before, I wasn't able to download the "Microsoft Fix It" program.  I did follow the Internet Explorer resetting directions (using the "inetcpl.cpl" file).  IE seemed to reset, but still reacts slowly when I open new pages.  You mentioned that you want the IE data gone, but I wasn't sure what you wanted me to do next.  Do you want me to run the aswMBR program again and send you a new log?  I'll wait to hear from you and appreciate any help you can give me.

Jeff B. 

Slow is still better than it keeps redirecting itself, for now.

Please read carefully and slowly.

Please scan with ESET next

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and DON'T (NO) check Remove found threats (the reason for this is we don't want something deleted and then Windows won't load).
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Attach the resulting log in your next reply.

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.

Quads

Hi Quads!

Thanks again for your quick response. It sounds like I should just "hold tight" on doing anything more to my computer right now. Again, I appreciate your help and will let you know if my computer starts to act up again. I am attaching the log from my last ESET Online Scan on the chance you wanted to look at it.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=e19a45d6fcd18a4087869c9041f09f11
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-06-13 03:59:55
# local_time=2012-06-12 11:59:55 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 15239537 15239537 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=149266
# found=8
# cleaned=0
# scan_time=8630
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Jeff P. Butler\Application Data\AVG\Rescue\AVG Disk Cleaner\120531222405390.rsc a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Jeff P. Butler\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Jeff P. Butler\My Documents\Downloads\winzip160.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Jeff P. Butler\My Documents\TECHNOLOGY\COMPUTER, ETC\SOFTWARE - SELDOM- or UN-USED DOWNLOADED PROGRAMS\Nero-9.4.12.3_free.exe Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP2\A0000160.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\FixCamera.exe a variant of Win32/KillProc.A application (unable to clean) 00000000000000000000000000000000 I

Thanks again!

Jeff B.

Please read carefully. Read all of this message first.

Download Combofix http://www.bleepingcomputer.com/download/anti-virus/combofix

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix. Disable them for, say, 1 hour or more.
  • Close any open browsers and any other programs you might have running

Download the attached CFscript.txt. For some browsers, right click the attachment on the forum and select "Save As" or similar to download it. See screenshot below.

[screenshot: Right Click download.jpg]

Now drag the CFScript.txt into the ComboFix.exe

  • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Quads

Hi Quads!

It's been a while. The last time we corresponded, you left me this message: "Slow is still better than it keeps redirecting itself, for now." Since then, my computer has been responding slower and slower. It's driving me crazy. Is there anything else that can be done to speed up my computer? Is there some way to see what's running on my computer and possibly bogging it down? I ran the aswMBR program again and have attached the recently-produced log. Can you do anything for me? I'd sure appreciate it.

Jeff B. 

You did not do as I asked; I did not tell you to run aswMBR again.

Read my previous post. If you don't do as I ask, I can't do anything and you are on your own.

Quads

Hi again, Quads!

I've been away from my computer a number of weeks now and am just now getting back into the swing of it. When we last corresponded, I had run the aswMBR program a second time, which I now know was a no-no. I guess some lessons are harder to learn than others. Anyway, I'm hoping we can turn over a new leaf and start fresh. I haven't seen the "Welcome to nginx" virus rearing its ugly head directly, but I have noticed that my computer is responding much slower than it did prior to contracting the virus or trojan or whatever it is. In the hopes of starting over, can you recommend anything for me to do? As always, any help you can give me is greatly appreciated.

Jeff B.

You did not give any ComboFix log or run ComboFix, so you do not want to follow instructions, or you just disappear.

Bye

Quads

Hi Quads!
I am having the same problem as Jeff. Could you help???

Hi again, Quads!

I hope things are well with you. My computer continues to run VERY slowly and it seems like it's as a result of the "Welcome to nginx" virus that I became infected with a few months ago. Below, I've included a copy of my last correspondence to you regarding the problem I'm having. If there is anything you can recommend, I would appreciate it.

Thanks, Quads.

Jeff B.

Here is a copy of my previous post....

I've been away from my computer a number of weeks now and am just now getting back into the swing of it. When we last corresponded, I had run the aswMBR program a second time, which I now know was a no-no. I guess some lessons are harder to learn than others. Anyway, I'm hoping we can turn over a new leaf and start fresh. I haven't seen the "Welcome to nginx" virus rearing its ugly head directly, but I have noticed that my computer is responding much slower than it did prior to contracting the virus or trojan or whatever it is. In the hopes of starting over, can you recommend anything for me to do? As always, any help you can give me is greatly appreciated.

Jeff B.

I am finished with this thread; the user still has not done what I asked.

Bye

Quads

Hello,

Well, Quads, it looks like we're not "doing business" anymore! I don't pretend to be very computer savvy and am open to any kind of help I can get. I also don't pretend to be perfect. Though any mistake I may have made in trying to follow your instructions was inadvertent, I felt that I was treated rudely and with no compassion. I guess hiding behind a keyboard can make one feel invincible and seemingly negates the need to show any sort of kindness.

Quads, I WILL find someone to help me with my "Welcome to nginx" virus. Obviously, it won't be you! I'm just hoping that others who contact you for help have better luck than I did.

Jeff B.

Well, you did not do as I asked in a post at all, with the script. The instructions are there and not done at all; instead you ran a completely different program. I created a script and it was ignored outright, the whole post was ignored, so there is no point in giving instructions that are just not done.

Message 11 was flat out bypassed by the user (not wanting to do it); instead, they ran aswMBR again.
Quads
