I believe my computer is infected by “Welcome to nginx.” Though, for a while, I haven’t seen the plain white screen that only says Welcome to nginx, my computer has been much slower since then. I guess I can tolerate my computer being more sluggish, but I’m afraid nginx will gain access to some of my personal files.
As directed on your website, I scanned my laptop using the aswMBR program and have attached the log. Any help you can give me would be greatly appreciated.
Jeff B.
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-01 16:27:49
-----------------------------
16:27:49.250 OS Version: Windows 5.1.2600 Service Pack 3
16:27:49.250 Number of processors: 2 586 0xE08
16:27:49.250 ComputerName: JUSTJEFFB UserName:
16:27:50.156 Initialize success
16:34:38.250 AVAST engine defs: 12060100
16:34:46.906 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
16:34:46.906 Disk 0 Vendor: TOSHIBA_MK8032GSX AS111G Size: 76319MB BusType: 3
16:34:46.937 Disk 1 \Device\Harddisk1\DR3 -> \Device\0000008f
16:34:46.937 Disk 1 Vendor: ( Size: 76319MB BusType: 0
16:34:46.937 Disk 2 \Device\Harddisk2\DR4 -> \Device\00000090
16:34:46.937 Disk 2 Vendor: ( Size: 76319MB BusType: 0
16:34:46.953 Disk 0 MBR read successfully
16:34:46.953 Disk 0 MBR scan
16:34:47.140 Disk 0 Windows XP default MBR code
16:34:47.140 Disk 0 Partition 1 00 12 Compaq diag NTFS 5592 MB offset 63
16:34:47.171 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 70723 MB offset 11454345
16:34:47.171 Disk 0 scanning sectors +156296385
16:34:47.343 Disk 0 scanning C:\WINDOWS\system32\drivers
16:35:06.546 Service scanning
16:35:42.265 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
16:35:48.296 Service Tablet2k C:\WINDOWS\"%SystemRoot%\System32\Drivers\Tablet2k.sys" **LOCKED** 123
16:36:17.328 Modules scanning
16:36:49.031 Disk 0 trace - called modules:
16:36:49.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spve.sys >>UNKNOWN [0x87785938]<<
16:36:49.078 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8772dab8]
16:36:49.078 3 CLASSPNP.SYS[f75defd7] -> nt!IofCallDriver -> \Device\0000008c[0x87744030]
16:36:49.078 5 ACPI.sys[f733d620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x87682940]
16:36:52.234 AVAST engine scan C:\WINDOWS
16:37:14.750 AVAST engine scan C:\WINDOWS\system32
16:43:12.781 AVAST engine scan C:\WINDOWS\system32\drivers
16:43:46.156 AVAST engine scan C:\Documents and Settings\Jeff P. Butler
17:08:23.937 AVAST engine scan C:\Documents and Settings\All Users
17:11:00.109 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jeff P. Butler\Desktop\MBR.dat"
17:11:00.140 The log file has been saved successfully to "C:\Documents and Settings\Jeff P. Butler\Desktop\aswMBR.txt"
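As an added example (not code from the thread or from the aswMBR tool), the following parser pulls out of an aswMBR log the two things a responder reads first: services the scanner reports as **LOCKED**, and the "Disk 0 trace" call chain, where a ">>UNKNOWN [0x...]<<" entry marks an unidentified module sitting in the disk I/O path. The sample input is a constructed excerpt of the log posted above; an UNKNOWN module is a classic MBR-rootkit indicator but is also produced by some legitimate filter drivers, so the result is a triage flag for a human, not a verdict.

```python
# Added example: triage helper for aswMBR logs (not part of the thread or the tool).
import re

# Constructed sample: an excerpt of the log posted above.
SAMPLE_LOG = """\
16:35:42.265 Service sptd C:\\WINDOWS\\System32\\Drivers\\sptd.sys **LOCKED** 32
16:35:48.296 Service Tablet2k C:\\WINDOWS\\"%SystemRoot%\\System32\\Drivers\\Tablet2k.sys" **LOCKED** 123
16:36:17.328 Modules scanning
16:36:49.031 Disk 0 trace - called modules:
16:36:49.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spve.sys >>UNKNOWN [0x87785938]<<
16:36:49.078 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x8772dab8]
16:36:52.234 AVAST engine scan C:\\WINDOWS
"""

# Every scanner line is "HH:MM:SS.mmm message"; header/separator lines have no timestamp.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
LOCKED_RE = re.compile(r"^Service (\S+) (.+?) \*\*LOCKED\*\* (\d+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


def parse_aswmbr(text):
    """Return locked services, the disk call-chain modules and any UNKNOWN addresses."""
    findings = {"locked": [], "modules": [], "unknown": []}
    in_trace = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header / separator lines carry no timestamp
        msg = m.group(2)
        lock = LOCKED_RE.match(msg)
        if lock:
            name, path, _ = lock.groups()
            findings["locked"].append((name, path))
        elif msg.endswith("trace - called modules:"):
            in_trace = True  # the next timestamped line is the call chain
        elif in_trace:
            in_trace = False
            findings["unknown"] = UNKNOWN_RE.findall(msg)
            # keep the named modules, drop the UNKNOWN marker tokens
            findings["modules"] = UNKNOWN_RE.sub("", msg).split()
    return findings


def suspicious(findings):
    """True when an unidentified module sits in the disk I/O call chain."""
    return bool(findings["unknown"])
```

Run `parse_aswmbr(open("aswMBR.txt").read())` on a real log; `suspicious()` only says whether the chain contains an UNKNOWN entry, and the locked-service paths tell you which drivers to look up next.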
Thanks for your reply. Yes, I believe I'm still infected. Though I don't see the "Welcome to nginx" screen as much now, my computer is reacting MUCH SLOWER since I've had the virus or trojan or whatever it is. Moving between pages and sites on Internet Explorer is PAINSTAKINGLY slow, as is opening Microsoft Word. Any help you can give me would be greatly appreciated.
By the way, is the Norton Community the place I should be posting this information or is there another place I should use?
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums (sometimes).
Attention to detail is important! Since I cannot see or directly interact with your computer, I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
Let's see if this will free up Internet Explorer somewhat, so it becomes easier to surf and download anything via IE.
Thanks for your quick reply. It's been a crazy week, so I wasn't able to respond right away. When I tried to download and run "Microsoft Fix It," I kept getting the following message: "The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2755." I even tried downloading it from a different site, but to no avail. What is my next step? I appreciate any help you can give me.
Thanks again for the reply. I went to the Microsoft site indicated, but just like before, I wasn't able to download the "Microsoft Fix It" program. I did follow the Internet Explorer resetting directions (using the "inetcpl.cpl" file). IE seemed to reset, but still reacts slowly when I open new pages. You mentioned that you want the IE data gone, but I wasn't sure what you wanted me to do next. Do you want me to run the aswMBR program again and send you a new log? I'll wait to hear from you and appreciate any help you can give me.
Thanks again for your quick response. It sounds like I should just "hold tight" on doing anything more to my computer right now. Again, I appreciate your help and will let you know if my computer starts to act up again. I am attaching the log from my last ESET Online Scan on the chance you wanted to look at it.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=e19a45d6fcd18a4087869c9041f09f11
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-06-13 03:59:55
# local_time=2012-06-12 11:59:55 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 15239537 15239537 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=149266
# found=8
# cleaned=0
# scan_time=8630
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll  a variant of Win32/Adware.Yontoo.B application (unable to clean)  00000000000000000000000000000000  I
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll  a variant of Win32/Adware.Yontoo.B application (unable to clean)  00000000000000000000000000000000  I
C:\Documents and Settings\Jeff P. Butler\Application Data\AVG\Rescue\AVG Disk Cleaner\120531222405390.rsc  a variant of Win32/InstallCore.D application (unable to clean)  00000000000000000000000000000000  I
C:\Documents and Settings\Jeff P. Butler\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe  Win32/OpenCandy application (unable to clean)  00000000000000000000000000000000  I
C:\Documents and Settings\Jeff P. Butler\My Documents\Downloads\winzip160.exe  Win32/OpenCandy application (unable to clean)  00000000000000000000000000000000  I
C:\Documents and Settings\Jeff P. Butler\My Documents\TECHNOLOGY\COMPUTER, ETC\SOFTWARE - SELDOM- or UN-USED DOWNLOADED PROGRAMS\Nero-9.4.12.3_free.exe  Win32/Toolbar.AskSBar application (unable to clean)  00000000000000000000000000000000  I
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP2\A0000160.exe  Win32/OpenCandy application (unable to clean)  00000000000000000000000000000000  I
C:\WINDOWS\FixCamera.exe  a variant of Win32/KillProc.A application (unable to clean)  00000000000000000000000000000000  I
Ensure that Combofix is saved directly to the Desktop <--- Very important
Disable all security programs, as they will have a negative effect on Combofix. Disable them for, say, 1 hour or more.
Close any open browsers and any other programs you might have running
Download the attached CFscript.txt. For some browsers, right-click the attachment on the forum and select "Save As" or similar to download it. See screenshot below.
Now drag the CFScript.txt into the ComboFix.exe
If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed, Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review
****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze****
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
*EXTRA NOTES*
If Combofix detects any Rootkit/Bootkit activity on your system, it will give a warning and prompt for a reboot; you must allow it to do so.
If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).
It's been a while. The last time we corresponded, you left me this message: "Slow is still better than keeps redirecting itself for now." Since then, my computer has been responding slower and slower. It's driving me crazy. Is there anything else that can be done to speed up my computer? Is there some way to see what's running on my computer and is possibly bogging it down? I ran the aswMBR program again and have attached the recently-produced log. Can you do anything for me? I'd sure appreciate it.
I've been away from my computer a number of weeks now and am just now getting back into the swing of it. When we last corresponded, I had run the aswMBR program a second time, which I now know was a no-no. I guess some lessons are harder to learn than others. Anyway, I'm hoping we can turn over a new leaf and start fresh. I haven't seen the "Welcome to nginx" virus rearing its ugly head directly, but I have noticed that my computer is responding much slower than it did prior to contracting the virus or trojan or whatever it is. In the hopes of starting over, can you recommend anything for me to do? As always, any help you can give me is greatly appreciated.
I hope things are well with you. My computer continues to run VERY slowly, and it seems like it's a result of the "Welcome to nginx" virus that I became infected with a few months ago. Below, I've included a copy of my last correspondence to you regarding the problem I'm having. If there is anything you can recommend, I would appreciate it.
Thanks, Quads.
Jeff B.
Here is a copy of my previous post....
I've been away from my computer a number of weeks now and am just now getting back into the swing of it. When we last corresponded, I had run the aswMBR program a second time, which I now know was a no-no. I guess some lessons are harder to learn than others. Anyway, I'm hoping we can turn over a new leaf and start fresh. I haven't seen the "Welcome to nginx" virus rearing its ugly head directly, but I have noticed that my computer is responding much slower than it did prior to contracting the virus or trojan or whatever it is. In the hopes of starting over, can you recommend anything for me to do? As always, any help you can give me is greatly appreciated.
Well, Quads, it looks like we're not "doing business" anymore! I don't pretend to be very computer savvy and am open to any kind of help I can get. I also don't pretend to be perfect, though any mistake I may have made in trying to follow your instructions was inadvertent. I felt that I was treated rudely and with no compassion. I guess hiding behind a keyboard can make one feel invincible and seemingly negates the need to show any sort of kindness.
Quads, I WILL find someone to help me with my "Welcome to nginx" virus. Obviously, it won't be you! I'm just hoping that others who contact you for help have better luck than I did.
Well, you did not do as I asked in the post at all, with the script. The instructions are there and were not done at all; instead you ran a completely different program. I created a script and it was ignored outright, the whole post was ignored, so there is no point in giving instructions that are just not done.
Message 11 was flat out bypassed by the user (not wanting to do it); instead, aswMBR was run again.
Please read carefully. Read all of this message first.
Ensure that Combofix is saved directly to the Desktop <--- Very important
Disable all security programs, as they will have a negative effect on Combofix. Disable them for, say, 1 hour or more.
Close any open browsers and any other programs you might have running
Download the attached CFscript.txt. For some browsers, right-click the attachment on the forum and select "Save As" or similar to download it. See screenshot below.
Now drag the CFScript.txt into the ComboFix.exe
If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed, Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review
****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze****
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
*EXTRA NOTES*
If Combofix detects any Rootkit/Bootkit activity on your system, it will give a warning and prompt for a reboot; you must allow it to do so.
If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).