browser redirect virus/trojan

Discussion in 'Security and Anti-Virus Software' started by techman41973, Feb 27, 2012.

Thread Status:
Not open for further replies.
  1. techman41973

    techman41973 Notebook Consultant

    Reputations:
    0
    Joined:
    Oct 14, 2007
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    30
    Over the past few days, and only occasionally when I try to access youtube.com or google.com, I get a redirect to the
    following domain partner37.mydomainadvisor.com/ or
    get a screen that says "Welcome to Nginx!"
    OR 404 Not Found nginx/0.6.32

    I did a a thorough scan with Avast anti-virus and a thorough spyware
    scan with Spybot search and destroy, none of these programs have been able to detect and remove this redirect virus/trojan

    I did a web search and most of the advice was to install another tool
    that promises to fix the problem, but I'm apprehensive about installing anything that's not trusted. I checked my hosts file, it's clean.
    And I ran Hijackthis and didn't find anything blatently suspicious.
    I'd be happy to post the log file output from Hijackthis, if anyone thinks it would be helpful

    Thanks
     
  2. JOSEA

    JOSEA NONE

    Reputations:
    4,013
    Joined:
    Feb 6, 2010
    Messages:
    3,528
    Likes Received:
    167
    Trophy Points:
    131
    When you scanned did you do it in safe mode? It would help to see the log also if you have already scanned in safe mode.
     
  3. techman41973

    techman41973 Notebook Consultant

    Reputations:
    0
    Joined:
    Oct 14, 2007
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    30
    Here is the log file from Hijack this. thanks


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:44:23 AM, on 7/22/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Windows\PLFSetI.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    C:\Program Files\TiVo\Desktop\TiVoServer.exe
    C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
    C:\Program Files\TiVo\Desktop\TiVoNotify.exe
    C:\Program Files\Data Deposit Box\starter.exe
    C:\Program Files\Data Deposit Box\status.exe
    C:\Program Files\King Stairs\Jot+ Notes\JotPlus3.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\King Stairs\Jot+ Notes\JotPlus3.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 7\SnagItBHO.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Foxit Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    O4 - HKLM\..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
    O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe
    O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe
    O4 - HKLM\..\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer
    O4 - HKCU\..\Run: [TivoTransfer] C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
    O4 - HKCU\..\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
    O4 - HKCU\..\Run: [TranscodingService] C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe
    O4 - HKCU\..\Run: [Free Internet Window Washer] C:\PROGRA~1\FREEIN~1\Clearpch.exe -Start
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Global Startup: Data Deposit Box.lnk = ?
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office

     
  4. JOSEA

    JOSEA NONE

    Reputations:
    4,013
    Joined:
    Feb 6, 2010
    Messages:
    3,528
    Likes Received:
    167
    Trophy Points:
    131
    Do you have an image on an external drive that you can restore to (before the issue started) ?

    Also try running a detection program that runs outside of windows. Which browser(s) are you using?
     
  5. MrDJ

    MrDJ Notebook Nobel Laureate

    Reputations:
    2,580
    Joined:
    Mar 23, 2008
    Messages:
    10,700
    Likes Received:
    317
    Trophy Points:
    501
    as mentioned did you run the scan in safe mode. F8 on boot up.
    also might be worth trying malwarebytes.

    also have you manually updated avast to version 7 released 2 days ago.
    go to summary and click update.
     
  6. techman41973

    techman41973 Notebook Consultant

    Reputations:
    0
    Joined:
    Oct 14, 2007
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    30
    I did install the latest of Avast (7.0), yesterday in fact. Did a full scan as well.
    I also downloaded Malwarebytes last night, it didn't turn up anything.

    I'm going to do a full AV scan in safe mode, full scan of Malware bytes in safe mode and run hijack this again in safe mode.
    Thanks
     
  7. MrDJ

    MrDJ Notebook Nobel Laureate

    Reputations:
    2,580
    Joined:
    Mar 23, 2008
    Messages:
    10,700
    Likes Received:
    317
    Trophy Points:
    501
    if its not showing anything up you might have cleared it already. one way to find out is to change your default page.
    in firefox go tools > options > general > change home page to whatever you want. if it reverts back to this dodgy page you know youve got a crafty one on your hands and can take some time to clear it. if it stays at the page you want hopefully its gone.
    still worth doing all the scans in safe mode just in case.
    also i wouldnt use a credit card online for now. if youve got the full avast internet you could use the safe zone for online purchases.
     
  8. Baserk

    Baserk Notebook user

    Reputations:
    2,503
    Joined:
    Mar 20, 2007
    Messages:
    1,794
    Likes Received:
    1
    Trophy Points:
    56
    Nginx (engine-x) is used by quite some large sites to serve webpages from a cache.
    Author is Russian so you might see some 'Russia' references, no need to freak out though.
    See Wikipedia link.
    I've no idea why you'd see it when surfing to Youtube or Google, perhaps it's best to check if more subscribers to your particular ISP have the same issue. Perhaps query your ISP's forum/site for 'nginx'?

    And as mentioned before, I'd replace Spybot S&D and use Malwarebytes'Antimalware and/or HitmanPro3.
    Both programs are best run from a normal user account, not in safe mode.
    As you don't seem to have any issues, no need to use the MBAM chameleon option (link), just run the program as is.
     
  9. techman41973

    techman41973 Notebook Consultant

    Reputations:
    0
    Joined:
    Oct 14, 2007
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    30
    It's not only Ning, sometimes, I get pages with references to Domain Advisor.
    It's clearly a harmful trojan.

    Very interesting discovery, it's only affecting Firefox. No issue with IE or Chrome. I may try doing an uninstall and reinstall of Firefox
     
  10. harrypoker

    harrypoker Notebook Enthusiast

    Reputations:
    0
    Joined:
    Jan 28, 2012
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    5
    Use Chrome or Opera browser. Is the best.
     
Loading...
Thread Status:
Not open for further replies.

Share This Page