Quantcast browser redirect virus/trojan

Page 1 of 2 (results 1 to 10 of 15)
  #1  Notebook Geek (joined Oct 2007)

    browser redirect virus/trojan

    Over the past few days, and only occasionally, when I try to access youtube.com or google.com I get redirected to the
    following domain: partner37.mydomainadvisor.com/, or I
    get a screen that says "Welcome to nginx!"
    or "404 Not Found nginx/0.6.32".

    I did a thorough scan with Avast anti-virus and a thorough spyware
    scan with Spybot Search & Destroy; neither program has been able to detect and remove this redirect virus/trojan.

    I did a web search, and most of the advice was to install another tool
    that promises to fix the problem, but I'm apprehensive about installing anything that's not trusted. I checked my hosts file; it's clean.
    And I ran HijackThis and didn't find anything blatantly suspicious.
    I'd be happy to post the log file output from HijackThis if anyone thinks it would be helpful.

    Thanks
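The hosts-file check the poster did by eye, as an added example that is not part of the original post or of any tool named in it. It is Python, reads a hosts file as text and reports any entry that would send a watched domain elsewhere or sinkhole a name to loopback. The sample hosts content, the 203.0.113.10 address and the avast.com line are constructed for the example; the watched-domain list is an assumption taken from the two sites the poster names.

```python
"""Audit a Windows hosts file for entries that could cause browser redirects.

Added example, not from the forum thread. Every entry is classified:
loopback mappings for anything other than the localhost names, and
non-loopback mappings for anything at all, are reported. The sample hosts
content below is constructed.
"""
import ipaddress

# The two sites the poster says are being redirected (assumption: any hosts
# entry for these or their subdomains is suspicious whatever the address).
WATCHED_DOMAINS = ("google.com", "youtube.com")

# Names that legitimately point at loopback in a stock hosts file.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each active entry.

    Comments (#...) and blank lines are skipped. The whole file is read:
    some hijackers pad the file with hundreds of blank lines so the bad
    entries sit below what a casual look in Notepad shows.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a usable mapping
        yield line_no, ip, [h.lower() for h in parts[1:]]


def _matches_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_hosts_entries(text):
    """Return a list of (line_no, reason) for entries that warrant a look."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        watched = [h for h in hosts if _matches_watched(h)]
        if watched:
            findings.append((line_no, f"watched domain pinned: {', '.join(watched)} -> {ip}"))
        elif ip.is_loopback:
            # 127.0.0.1 <av-vendor> is the classic trick for blocking AV updates
            sinkholed = [h for h in hosts if h not in LOOPBACK_OK]
            if sinkholed:
                findings.append((line_no, f"sinkholed to loopback: {', '.join(sinkholed)}"))
        else:
            findings.append((line_no, f"non-loopback mapping: {', '.join(hosts)} -> {ip}"))
    return findings


# Constructed sample: a stock header, the normal loopback lines, 200 lines of
# padding, then three entries of the kind a redirector would plant.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    + "\n" * 200 +
    "203.0.113.10    www.google.com google.com\n"
    "203.0.113.10    youtube.com\n"
    "127.0.0.1       avast.com   # blocks the AV update server\n"
)

if __name__ == "__main__":
    for line_no, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {reason}")
```

On Windows 7 the file is C:\Windows\System32\drivers\etc\hosts (standard layout, not something the thread states); feed its contents to suspicious_hosts_entries and note the line numbers it reports, since anything past a long run of blank lines is easy to miss in an editor.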

  #2  On the way out (joined Feb 2010, location: Parts Unknown)

    Re: browser redirect virus/trojan

    When you scanned did you do it in safe mode? It would help to see the log also if you have already scanned in safe mode.
    Last edited by JOSEA; 27th February 2012 at 03:22 AM.

  #3  Notebook Geek (joined Oct 2007)

    Re: browser redirect virus/trojan

    Here is the log file from HijackThis. Thanks.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:44:23 AM, on 7/22/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Windows\PLFSetI.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    C:\Program Files\TiVo\Desktop\TiVoServer.exe
    C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
    C:\Program Files\TiVo\Desktop\TiVoNotify.exe
    C:\Program Files\Data Deposit Box\starter.exe
    C:\Program Files\Data Deposit Box\status.exe
    C:\Program Files\King Stairs\Jot+ Notes\JotPlus3.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\King Stairs\Jot+ Notes\JotPlus3.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 7\SnagItBHO.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Foxit Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    O4 - HKLM\..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
    O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe
    O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe
    O4 - HKLM\..\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer
    O4 - HKCU\..\Run: [TivoTransfer] C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
    O4 - HKCU\..\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
    O4 - HKCU\..\Run: [TranscodingService] C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe
    O4 - HKCU\..\Run: [Free Internet Window Washer] C:\PROGRA~1\FREEIN~1\Clearpch.exe -Start
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Global Startup: Data Deposit Box.lnk = ?
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office

    Quote Originally Posted by JOSEA:
    When you scanned did you do it in safe mode? It would help to see the log also if you have already scanned in safe mode.
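A mechanical pass over the O2/O3/O4 lines of a HijackThis log, as an added example; it is not part of the thread and not a HijackThis feature. It groups browser add-ons by CLSID and reports any CLSID registered under more than one display name, and lists O4 autoruns whose executable sits outside the Windows and Program Files trees. The sample lines are copied from the log above, except the last O4 line, which is constructed to show what the location check reports; the trusted-root list is an assumption for a default Windows 7 install. On the lines from this log it reports one collision: the CLSID shared by "Ask Toolbar BHO" and "Foxit Toolbar", both backed by GenericAskToolbar.dll, which is worth asking about but is not something the thread identifies as the cause.

```python
"""Triage helper for HijackThis log lines (added example, not a HJT feature).

Two checks a responder otherwise does by hand:
  * O2/O3: the same CLSID shown under different display names
  * O4: autorun entries launching from user-writable locations
"""
import re
from collections import defaultdict

ADDON_RE = re.compile(r"^O([23]) - (?:BHO|Toolbar): (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*)$")
RUN_RE = re.compile(r"^O4 - (.+?): \[([^\]]+)\] (.*)$")
# first quoted-or-unquoted path ending in an executable extension
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|scr|bat|cmd|vbs|js))', re.IGNORECASE)

# Assumption: where legitimate autoruns live on a default Windows 7 install.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\progra~1\\",
    "%programfiles%\\",
)


def parse_addons(lines):
    """Return {CLSID: [(kind, display_name, dll_path), ...]} from O2/O3 lines."""
    by_clsid = defaultdict(list)
    for line in lines:
        m = ADDON_RE.match(line.strip())
        if m:
            kind = "BHO" if m.group(1) == "2" else "Toolbar"
            by_clsid[m.group(3).upper()].append((kind, m.group(2), m.group(4)))
    return by_clsid


def addon_name_collisions(lines):
    """CLSIDs registered under more than one display name.

    A toolbar and a BHO may legitimately share a DLL, but one CLSID wearing
    two unrelated brand names is how bundled toolbars hide from the user.
    Returns [(clsid, sorted_names, dll_path_of_first_entry), ...].
    """
    out = []
    for clsid, entries in parse_addons(lines).items():
        names = sorted({name for _, name, _ in entries})
        if len(names) > 1:
            out.append((clsid, names, entries[0][2]))
    return out


def launch_path(command):
    """Extract the executable path from an O4 command line."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def untrusted_autoruns(lines):
    """O4 entries whose executable is outside the trusted roots: [(key, name, path)]."""
    out = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        key, name, command = m.groups()
        path = launch_path(command)
        if not path.lower().startswith(TRUSTED_ROOTS):
            out.append((key, name, path))
    return out


# Lines copied from the log posted in the thread, plus one constructed O4 line.
SAMPLE_LOG = [
    r"O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 7\SnagItBHO.dll",
    r"O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll",
    r"O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll",
    r"O3 - Toolbar: Foxit Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll",
    r"O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll",
    r"O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r"O4 - HKCU\..\Run: [Free Internet Window Washer] C:\PROGRA~1\FREEIN~1\Clearpch.exe -Start",
    r"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')",
    # constructed line (not from the posted log): what a user-writable autorun looks like
    r"O4 - HKCU\..\Run: [Updater] C:\Users\owner\AppData\Roaming\Updater\update.exe",
]

if __name__ == "__main__":
    for clsid, names, dll in addon_name_collisions(SAMPLE_LOG):
        print(f"CLSID {clsid} appears as {names} ({dll})")
    for key, name, path in untrusted_autoruns(SAMPLE_LOG):
        print(f"autorun [{name}] under {key} runs from {path}")
```

Feed it the full log by reading the file with open(...).read().splitlines(); the R0/R1 start-page lines and the O1 hosts lines are not parsed here, since the first check above already covers the hosts file.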

  #4  On the way out (joined Feb 2010, location: Parts Unknown)

    Re: browser redirect virus/trojan

    Do you have an image on an external drive that you can restore to (before the issue started) ?

    Also try running a detection program that runs outside of windows. Which browser(s) are you using?
    Last edited by JOSEA; 27th February 2012 at 07:43 AM.

  #5  Notebook Nobel Laureate (joined Mar 2008, location: London UK)

    Re: browser redirect virus/trojan

    As mentioned, did you run the scan in safe mode? F8 on boot-up.
    Also, it might be worth trying Malwarebytes.

    Also, have you manually updated Avast to version 7, released 2 days ago?
    Go to Summary and click Update.


  #6  Notebook Geek (joined Oct 2007)

    Re: browser redirect virus/trojan

    I did install the latest Avast (7.0), yesterday in fact. Did a full scan as well.
    I also downloaded Malwarebytes last night; it didn't turn up anything.

    I'm going to do a full AV scan in safe mode, a full Malwarebytes scan in safe mode, and run HijackThis again in safe mode.
    Thanks

  #7  Notebook Nobel Laureate (joined Mar 2008, location: London UK)

    Re: browser redirect virus/trojan

    If it's not showing anything up, you might have cleared it already. One way to find out is to change your default page.
    In Firefox go to Tools > Options > General and change the home page to whatever you want. If it reverts back to this dodgy page, you know you've got a crafty one on your hands and it can take some time to clear it. If it stays at the page you want, hopefully it's gone.
    Still worth doing all the scans in safe mode just in case.
    Also, I wouldn't use a credit card online for now. If you've got the full Avast Internet, you could use the SafeZone for online purchases.


  #8  Notebook user (joined Mar 2007, location: NL)

    Re: browser redirect virus/trojan

    Nginx (engine-x) is used by quite a few large sites to serve web pages from a cache.
    The author is Russian, so you might see some 'Russia' references; no need to freak out though.
    See Wikipedia link.
    I've no idea why you'd see it when surfing to YouTube or Google; perhaps it's best to check whether more subscribers to your particular ISP have the same issue. Perhaps query your ISP's forum/site for 'nginx'?

    And as mentioned before, I'd replace Spybot S&D and use Malwarebytes' Anti-Malware and/or HitmanPro 3.
    Both programs are best run from a normal user account, not in safe mode.
    As you don't seem to have any issues, no need to use the MBAM Chameleon option; just run the program as is.

  #9  Notebook Geek (joined Oct 2007)

    Re: browser redirect virus/trojan

    It's not only Ning; sometimes I get pages with references to Domain Advisor.
    It's clearly a harmful trojan.

    Very interesting discovery: it's only affecting Firefox. No issue with IE or Chrome. I may try doing an uninstall and reinstall of Firefox.
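Since the symptom is Firefox-only, one profile-local place to look, as an added example rather than anything the thread identifies, is the profile's prefs.js and user.js. This Python reads the user_pref(...) lines and reports proxy settings, home pages outside an expected set (the "does the home page revert" test from the earlier reply, done by reading the file rather than watching the Options dialog) and search overrides. A proxy or PAC file set only in Firefox's own preferences is one mechanism that would touch Firefox and nothing else; whether that applies here the thread does not say. Firefox re-applies user.js on every start, so a setting that keeps coming back is worth checking there too. The sample prefs text and its addresses are constructed, and the preference names treated as relevant are assumptions based on how Firefox of that era stored settings.

```python
"""Audit Firefox prefs.js / user.js for redirect-style overrides.

Added example, not from the forum thread. Parses user_pref("key", value);
lines and reports proxy, home page and search-engine settings. The sample
text is constructed; the preference names are assumptions for Firefox of
the 2012 era (keyword.URL no longer exists in current releases).
"""
import json
import re
from urllib.parse import urlsplit

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# network.proxy.type: 0 direct, 1 manual, 2 PAC file, 4 auto-detect, 5 system
PROXY_TYPE_NAMES = {0: "direct", 1: "manual", 2: "PAC", 4: "auto-detect", 5: "system"}

SEARCH_KEYS = ("keyword.URL", "browser.search.defaultenginename",
               "browser.search.selectedEngine")


def parse_prefs(text):
    """Return {key: value} from user_pref lines; values are JSON-ish literals."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.groups()
        try:
            value = json.loads(raw)  # "string", 123, true/false
        except ValueError:
            value = raw  # keep the literal text if it is not plain JSON
        prefs[key] = value
    return prefs


def audit_prefs(text, expected_homepage_hosts):
    """Return [(pref_name, detail), ...] for settings a redirect hunt cares about.

    expected_homepage_hosts: domains the user actually chose as home page;
    any home page outside them is reported.
    """
    prefs = parse_prefs(text)
    findings = []

    ptype = prefs.get("network.proxy.type", 0)
    if ptype not in (0, 5):
        # a proxy only Firefox knows about affects only Firefox
        detail = prefs.get("network.proxy.autoconfig_url") or prefs.get("network.proxy.http")
        findings.append(("network.proxy.type",
                         f"{PROXY_TYPE_NAMES.get(ptype, ptype)} proxy: {detail}"))

    home = prefs.get("browser.startup.homepage")
    if isinstance(home, str):
        for url in home.split("|"):  # several home pages are joined with |
            host = urlsplit(url).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in expected_homepage_hosts):
                findings.append(("browser.startup.homepage", url))

    for key in SEARCH_KEYS:
        if key in prefs:  # only present when changed from the default
            findings.append((key, prefs[key]))
    return findings


# Constructed sample: home page as the user set it, but a PAC proxy and a
# search override pointing at an address the user never chose.
SAMPLE_PREFS = r'''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "http://203.0.113.10/proxy.pac");
user_pref("keyword.URL", "http://203.0.113.10/search?q=");
user_pref("browser.startup.homepage_override.mstone", "10.0.2");
'''

if __name__ == "__main__":
    for key, detail in audit_prefs(SAMPLE_PREFS, ("google.com",)):
        print(f"{key}: {detail}")
```

Run it against both prefs.js and user.js in the profile directory (Firefox lists the active profile's path under Help > Troubleshooting Information in releases of that era), and pass the home page you set yourself as the expected host.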

  #10  Notebook Enthusiast (joined Jan 2012)

    Re: browser redirect virus/trojan

    Use the Chrome or Opera browser. It's the best.

 

 