browser redirect virus/trojan

Discussion in 'Security and Anti-Virus Software' started by techman41973, Feb 27, 2012.

  1. techman41973

    techman41973 Notebook Consultant

    Over the past few days, and only occasionally, when I try to access youtube.com or google.com I get a redirect to the following domain: partner37.mydomainadvisor.com/ or I get a screen that says "Welcome to Nginx!" or "404 Not Found nginx/0.6.32".

    I did a thorough scan with Avast anti-virus and a thorough spyware scan with Spybot Search and Destroy; none of these programs have been able to detect and remove this redirect virus/trojan.

    I did a web search and most of the advice was to install another tool that promises to fix the problem, but I'm apprehensive about installing anything that's not trusted. I checked my hosts file; it's clean. And I ran HijackThis and didn't find anything blatantly suspicious. I'd be happy to post the log file output from HijackThis if anyone thinks it would be helpful.

    Thanks
     
  2. JOSEA

    JOSEA NONE

    When you scanned did you do it in safe mode? It would help to see the log also if you have already scanned in safe mode.
     
  3. techman41973

    techman41973 Notebook Consultant

    Here is the log file from HijackThis. Thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:44:23 AM, on 7/22/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Windows\PLFSetI.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    C:\Program Files\TiVo\Desktop\TiVoServer.exe
    C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
    C:\Program Files\TiVo\Desktop\TiVoNotify.exe
    C:\Program Files\Data Deposit Box\starter.exe
    C:\Program Files\Data Deposit Box\status.exe
    C:\Program Files\King Stairs\Jot+ Notes\JotPlus3.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\King Stairs\Jot+ Notes\JotPlus3.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 7\SnagItBHO.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Foxit Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    O4 - HKLM\..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
    O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe
    O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe
    O4 - HKLM\..\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer
    O4 - HKCU\..\Run: [TivoTransfer] C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
    O4 - HKCU\..\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
    O4 - HKCU\..\Run: [TranscodingService] C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe
    O4 - HKCU\..\Run: [Free Internet Window Washer] C:\PROGRA~1\FREEIN~1\Clearpch.exe -Start
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Global Startup: Data Deposit Box.lnk = ?
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office
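The log above is long and most of it is ordinary vendor software, so the useful first pass is mechanical: pull out the entry types that can change where a browser goes (R3 URLSearchHook, O2 BHOs, O3 toolbars, O4 autostarts) and apply a few defender-side triage rules. The script below is an added example, not something posted in this thread or shipped with HijackThis. It works on a constructed sample in HijackThis log format; most sample lines are copied from the log above, and the last O4 line is made up purely so the "unusual location" rule has something to fire on. One rule is suggested directly by the posted log: the same CLSID {D4027C7F-154A-4066-A1AD-4243D8127440} appears as "Foxit Toolbar" under O3 and as "Ask Toolbar BHO" under O2, and a display name that does not match the DLL's registration is exactly the kind of thing a reviewer should be pointed at. The trusted-directory prefixes are an assumption for this example, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log format. All lines but the last are
# taken from the log posted in the thread; the final O4 "updater" entry is
# made up so that the unusual-location rule has an example to flag.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Foxit Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Free Internet Window Washer] C:\PROGRA~1\FREEIN~1\Clearpch.exe -Start
O4 - HKCU\..\Run: [updater] C:\Users\owner\AppData\Local\Temp\updater.exe
"""

# "R3 - body", "O2 - body", ... : section code, then the entry itself.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O2/O3 entries: "<kind>: <display name> - {CLSID} - <dll path>"
ADDON_RE = re.compile(
    r"^(?P<kind>[^:]+): (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
# O4 entries: "<hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")
# First executable in a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)

# Assumption for this example: the directories from which autostarts and
# browser add-ons are normally loaded on a 32-bit Windows 7 box like the OP's.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows", "%programfiles%")


def parse_hjt(text):
    """Return one dict per recognised HijackThis entry line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body"), "line": line})
    return entries


def from_trusted_dir(path):
    return path.strip().lower().startswith(TRUSTED_PREFIXES)


def triage(entries):
    """Apply the review rules; each finding is (section, reason, evidence)."""
    findings = []
    names_by_clsid = defaultdict(set)
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "R3":
            # A URLSearchHook rewrites what the user types in the address bar,
            # so every one of them deserves a human look.
            findings.append((sec, "URLSearchHook rewrites address-bar input; confirm the DLL is wanted", e["line"]))
        elif sec in ("O2", "O3"):
            m = ADDON_RE.match(body)
            if not m:
                continue
            names_by_clsid[m.group("clsid").upper()].add(m.group("name"))
            if not from_trusted_dir(m.group("path")):
                findings.append((sec, f"{m.group('kind')} loads from an unusual location", e["line"]))
        elif sec == "O4":
            m = RUN_RE.search(body)
            exe = EXE_RE.match(m.group("cmd")) if m else None
            if exe and not from_trusted_dir(exe.group("exe")):
                findings.append((sec, "autostart executable outside Program Files / Windows", e["line"]))
    # The same COM object registered under different display names is worth a look.
    for clsid, names in names_by_clsid.items():
        if len(names) > 1:
            findings.append(("O2/O3", f"one CLSID registered under several names: {sorted(names)}", clsid))
    return findings


if __name__ == "__main__":
    for section, reason, evidence in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{section}] {reason}\n    {evidence}")
```

Run against the sample it reports three items: the R3 search hook, the made-up AppData autostart, and the shared CLSID. None of these is a verdict; the point is to reduce a 100-line log to the handful of lines that decide whether a browser redirect has a local cause at all, before reaching for the ISP/DNS explanation raised later in the thread.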

     
  4. JOSEA

    JOSEA NONE

    Do you have an image on an external drive that you can restore to (from before the issue started)?

    Also try running a detection program that runs outside of Windows. Which browser(s) are you using?
     
  5. MrDJ

    MrDJ Notebook Nobel Laureate

    As mentioned, did you run the scan in safe mode? F8 on boot up.
    Also might be worth trying Malwarebytes.

    Also, have you manually updated Avast to version 7, released 2 days ago?
    Go to Summary and click Update.
     
  6. techman41973

    techman41973 Notebook Consultant

    I did install the latest Avast (7.0), yesterday in fact. Did a full scan as well.
    I also downloaded Malwarebytes last night; it didn't turn up anything.

    I'm going to do a full AV scan in safe mode, a full scan with Malwarebytes in safe mode, and run HijackThis again in safe mode.
    Thanks
     
  7. MrDJ

    MrDJ Notebook Nobel Laureate

    If it's not showing anything up, you might have cleared it already. One way to find out is to change your default page.
    In Firefox go to Tools > Options > General > change the home page to whatever you want. If it reverts back to this dodgy page, you know you've got a crafty one on your hands and it can take some time to clear it. If it stays at the page you want, hopefully it's gone.
    Still worth doing all the scans in safe mode just in case.
    Also, I wouldn't use a credit card online for now. If you've got the full Avast Internet Security you could use the SafeZone for online purchases.
     
  8. Baserk

    Baserk Notebook user

    Nginx (engine-x) is used by quite a few large sites to serve webpages from a cache.
    The author is Russian, so you might see some 'Russia' references; no need to freak out though.
    See Wikipedia link.
    I've no idea why you'd see it when surfing to YouTube or Google; perhaps it's best to check if more subscribers to your particular ISP have the same issue. Perhaps query your ISP's forum/site for 'nginx'?

    And as mentioned before, I'd replace Spybot S&D and use Malwarebytes' Anti-Malware and/or HitmanPro 3.
    Both programs are best run from a normal user account, not in safe mode.
    As you don't seem to have any issues, no need to use the MBAM Chameleon option (link); just run the program as is.
     
  9. techman41973

    techman41973 Notebook Consultant

    It's not only Nginx; sometimes I get pages with references to Domain Advisor.
    It's clearly a harmful trojan.

    Very interesting discovery: it's only affecting Firefox. No issue with IE or Chrome. I may try doing an uninstall and reinstall of Firefox.
     
  10. harrypoker

    harrypoker Notebook Enthusiast

    Use the Chrome or Opera browser. It's the best.
     
  12. TreeTops Ranch

    TreeTops Ranch Notebook Evangelist

    Not Chrome, it tracks your every move unless you opt out.
     
  13. Steven

    Steven God Amongst Mere Mortals

    Have you removed it?
    If not, use something like Malwarebytes to scan the system and remove it.
     
  14. phantomfox777

    phantomfox777 Newbie

    Okay, I don't know all that much about computers... but I just wanted to tell you I HAD this awful virus! I couldn't fix it because it turned off my firewall and disabled all my antivirus programs. Eventually it crashed my computer and I lost EVERYTHING. I hope it's fixable. I had to reset to factory settings to get rid of it and lost all my artwork. Best of luck.
     
  15. Greg

    Greg Super Moderator Super Moderator

    Next time, make regular backups of your data. Good luck to those affected.
     

Share This Page