Overclock.net › Forums › Software, Programming and Coding › Networking & Security › "welcome to nginx!" hack/virus/malware?
"welcome to nginx!" hack/virus/malware?

post #1 of 12
Thread Starter 
My mother's laptop was hijacked; her email account, Facebook, Barnes & Noble, etc. were stolen. The fresh install of MSE (installed from a CD I gave her after it happened) and her old install of Ad-Aware don't detect anything when run in safe mode, and since I have the computer ATM I'm trying Malwarebytes now. We'll see how that goes; any other suggestions?

The thing that strikes me as odd about this is that her original IE install and a newer install of Firefox both seem to be hijacked and automatically redirect from msn.com, yahoo.com and comcast.com to a white web page with only the words "Welcome to NginX!" across the top in huge font. These 3 pages were her previous home pages. All 3 sites keep the normal URL or IP in the address bar when displaying this page. The computer will also not stay on other websites for more than 5 minutes before returning to her "homepage" or just straight up losing connection.

I'm about ready to wipe the drive and start fresh. I don't know why I'm investing time into this tbh, but I've never seen this before so I guess I'm intrigued. I'm a complete noob at this stuff as well, so any other input?
post #2 of 12
Run Hijack This and post results.
     
post #3 of 12
Thread Starter 
Attachment: hijackthis.zip (3k .zip file)
^^ the log from "run scan and save log"

Yep, no idea what to do with that.
post #4 of 12
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL

R3 - URLSearchHook: FCToolbarURLSearchHook Class - {5963db80-6910-e734-3d61-9e997c263db5} - C:\Program Files\Shop to Win 31\Helper.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll

These look suspicious to me from a quick glance. Also, have you tried running a program called Malwarebytes? It's very good and may remove this issue automatically.

I just ran your log through an automated HijackThis log analyzer and it doesn't like that Helper.DLL file either.
Edited by HardwareDecoder - 6/21/12 at 12:02pm
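Post #4 mentions running the log through an automated HijackThis analyzer. As an added illustration (not code from the thread, from HijackThis or from any analyzer), here is a small Python triage of the three entry types quoted above: it parses R3/O2/O10 lines, pulls out the CLSID and DLL path, and flags browser or Winsock hooks loaded from outside the usual Microsoft directories. SAMPLE_LOG is constructed from the lines in the post, and TRUSTED_DIR_HINTS is an assumed heuristic, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the entry types quoted in post #4 above.
SAMPLE_LOG = r"""
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {5963db80-6910-e734-3d61-9e997c263db5} - C:\Program Files\Shop to Win 31\Helper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
"""

# "<code> - <kind>: <rest>", e.g. "O2 - BHO: Name - {CLSID} - path"
ENTRY_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<kind>[^:]+): ?(?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Assumed heuristic: hooks living under Microsoft/Windows/Office directories are
# treated as lower priority. A path string is not proof of legitimacy; confirm
# with the file's digital signature before trusting anything it whitelists.
TRUSTED_DIR_HINTS = ("\\windows\\", "\\microsoft", "\\micros~1\\", "\\office")


@dataclass
class Entry:
    code: str            # HijackThis section, e.g. R3, O2, O10
    kind: str            # e.g. BHO, URLSearchHook, Unknown file in Winsock LSP
    name: Optional[str]  # display name, absent for LSP entries
    clsid: Optional[str]
    path: str
    suspicious: bool


def parse_entry(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # "Name - {CLSID} - path"; LSP entries carry only the path.
    parts = [p.strip() for p in rest.split(" - ")]
    path = parts[-1]
    name = parts[0] if len(parts) > 1 else None
    clsid_m = CLSID_RE.search(rest)
    trusted = any(h in path.lower() for h in TRUSTED_DIR_HINTS)
    return Entry(m.group("code"), m.group("kind"), name,
                 clsid_m.group(0) if clsid_m else None, path, not trusted)


def triage(log_text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in log_text.splitlines()) if e]


def flagged_paths(log_text: str) -> List[str]:
    return [e.path for e in triage(log_text) if e.suspicious]
```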
post #5 of 12
Thread Starter 
Yeah, said in OP I was gonna give Malwarebytes a whirl; it's a pretty regular program in my lineup.

Thanks guys!
post #6 of 12
I'd definitely give Malwarebytes a go. It's really light, to where it doesn't bog down your system, and still does a really good job of blocking/removing malware.

However, if everything has been stolen, I wouldn't trust running an AV or two and then starting over. I would just do a fresh install of Windows to be 210% positive that it's not going to reoccur. (Assuming she doesn't download it or whatnot again..)
 
post #7 of 12
You should use the Windows 7 hosts file IP address blocking that you can easily find with a Google search. It blocks thousands of places malware comes from in the first place, and you hardly ever get pop-ups after that either. Also works for XP.
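The hosts-file blocklists described in post #7 work by sinkholing hostnames to 0.0.0.0 or 127.0.0.1; the same file can also be abused to send a real domain to some other server, which is one mechanism that matches the symptom in post #1 (normal URL in the address bar, a different site's page). As an added example that is not from the thread, this Python parser separates the two kinds of entry; SAMPLE_HOSTS is constructed (203.0.113.10 is a documentation address, not a real server).

```python
import ipaddress
from typing import Dict, List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample hosts file: a loopback line, two blocklist-style
# sinkhole entries, and one entry that redirects a real domain elsewhere.
SAMPLE_HOSTS = """
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.test
127.0.0.1       malware-download.example   # blocked by a blocklist
203.0.113.10    msn.com www.msn.com
"""


def parse_hosts(text: str) -> List[Tuple[IPAddr, str]]:
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a well-formed hosts entry
        for host in fields[1:]:
            pairs.append((addr, host.lower()))
    return pairs


def classify(text: str) -> Dict[str, List[str]]:
    """'blocked' = sinkholed to loopback/unspecified (blocklist behaviour);
    'redirected' = mapped to a routable address, so another server answers
    while the browser still shows the original hostname."""
    result: Dict[str, List[str]] = {"blocked": [], "redirected": []}
    for addr, host in parse_hosts(text):
        if host == "localhost":
            continue
        if addr.is_loopback or addr.is_unspecified:
            result["blocked"].append(host)
        else:
            result["redirected"].append(f"{host} -> {addr}")
    return result
```

On a Windows machine the file to feed in is C:\Windows\System32\drivers\etc\hosts; any entry that lands in "redirected" for a domain the owner did not add deliberately deserves a look.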
post #8 of 12
Hey, download ComboFix and run it in safe mode on that computer (with no network access). Let it run through all the processes; when it's done it will restart the computer. After this run Malwarebytes; this should get you fixed up....

ComboFix download link:

http://www.bleepingcomputer.com/download/combofix/
post #9 of 12
You guys do know nginx is web server software, right? There's no virus about it; it's the default nginx web page when you install it. Just like Apache's "It works!" page.
post #10 of 12
Quote:
Originally Posted by ZFedora View Post

You guys do know nginx is web server software, right? There's no virus about it; it's the default nginx web page when you install it. Just like Apache's "It works!" page.

Yep, he's right; it's just a more efficient version of Apache. Nothing to worry about.
The big websites like Facebook etc. all use nginx too.