[Solved] Welcome to nginx!

Date of registration:
May 24th 2012

Version:
Avira Free Antivirus

Operating System:
xp sp3

Thursday, May 24th 2012, 7:29am

Welcome to nginx!

Hi,

lately Firefox hangs or redirects me to a blank page with only the text "Welcome to nginx!". This seems to be especially true with google, youtube, and maybe any page that is visited frequently. I am running Avira free ver 12.0.0.1125. I have tried just about any virus removal tool (Avira Free Antivirus, Malwarebytes, Kaspersky rescue cd, Fsecure rescue cd, Tdsskiller...) I have been able to find, but nothing seems to help. How can I get rid of it?

Go to the top of the page

Farger

Moderator

Date of registration:
Jul 10th 2009

Version:
Avira Free Antivirus
Avira Internet Security

Operating System:
Windows XP/ Windows 7

2

Thursday, May 24th 2012, 8:43am

Hi markkuhu,

First of all, please check your TCP/IP settings and verify DNS servers configuration. They must match the valid one (suggested by your ISP).

Scotty is currently on patrol

Avira TechBlog

Go to the top of the page

markkuhu

Date of registration:
May 24th 2012

Version:
Avira Free Antivirus

Operating System:
xp sp3

3

Thursday, May 24th 2012, 9:19am

Hi Farger,

I am using ADSL, and both the IP-address and DNS-server address are provided automatically by the ADSL-box/service provider. Most of the time internet and most of the web sites seem to be working OK. This set up has been there for a while and I am not aware of any changes in it. Is this what you asked?

Go to the top of the page

Farger

Moderator

Date of registration:
Jul 10th 2009

Version:
Avira Free Antivirus
Avira Internet Security

Operating System:
Windows XP/ Windows 7

4

Thursday, May 24th 2012, 11:26am

Hi,

Yes. I assume that now you don't get that warning, am I right?

Scotty is currently on patrol

Avira TechBlog

Go to the top of the page

markkuhu

Date of registration:
May 24th 2012

Version:
Avira Free Antivirus

Operating System:
xp sp3

5

Thursday, May 24th 2012, 11:36am

Hi,

unfortunately that is not the case.

My understanding is that there is something (a trojan?) that hijacks the browser
and pretends to be pretty similar to the "legal" nginx. There are a lot of recent questions about this in the web, but nobody seems to have the answers.

Go to the top of the page

markkuhu

Date of registration:
May 24th 2012

Version:
Avira Free Antivirus

Operating System:
xp sp3

6

Thursday, May 24th 2012, 11:43am

Hi,
just found this:

http://nginx.org/en/docs/welcome_nginx_facebook.html

This seems to apply to me and others.

Go to the top of the page

Farger

Moderator

Date of registration:
Jul 10th 2009

Version:
Avira Free Antivirus
Avira Internet Security

Operating System:
Windows XP/ Windows 7

7

Thursday, May 24th 2012, 11:50am

Yeap. In most cases it is enough to check TCP/IP settings and verify DNS servers configuration and adjust them to the correct one because very often fake settings are inserted, for example 134.255.241.122

So, if you still receive "Welcome to nginx!", then you can follow the instructions from the link you have posted. If you don't get the warning anymore, please tell me this and we will make some logs to verify that everything is ok.

Scotty is currently on patrol

Avira TechBlog

Go to the top of the page

markkuhu

Date of registration:
May 24th 2012

Version:
Avira Free Antivirus

Operating System:
xp sp3

8

Thursday, May 24th 2012, 1:01pm

Hi,

I followed the instructions to the letter - did not help. I still get the same message.

Go to the top of the page

Farger

Moderator

Date of registration:
Jul 10th 2009

Version:
Avira Free Antivirus
Avira Internet Security

Operating System:
Windows XP/ Windows 7

9

Thursday, May 24th 2012, 3:39pm

1. Download ATF Cleaner directly to your desktop it is stand alone so you do not have to set it up. Run it as follows.
Double click ATF-Cleaner.exe (dustbin icon) to run the program.
Choose "Select all" and click "Empty selected".

Disable antivirus, firewall etc.!!!

2. Download avz4.zip from here
- Unzip it to your desktop to a folder named avz4
- Double click on AVZ.exe to run it.
- Run an update by clicking the Auto Update button on the Right of the Log window:

- Click Start to begin the update

- Start AVZ.
- Choose from the menu File -> Standard scripts and select the "Advanced System Analysis with Malware removal mode enabled " check box.

- Click on the “Execute selected scripts”.
- Automatic scanning, healing and system check will be executed.
- A logfile (avz_sysinfo.htm) will be created and saved in the log folder in the AVZ directory as virusinfo_syscure.zip.

Restart PC!!!

- Start AVZ again
- Choose from the menu File -> Standard scripts and select the “Advanced System Analysis " check box.

- Click on the "Execute selected scripts".
- A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the log folder in the AVZ directory as virusinfo_syscheck.zip.
Download both virusinfo_syscure.zip and virusinfo_syscheck.zip to any file hosting service and post back the download links.

3. Please download RSIT by random/random from here
Double click on RSIT.exe to start the tool, select "3 months" and click Continue at the disclaimer.
When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
Navigate to C:\rsit\ and upload both logs to any file hosting service and post back the download links

Scotty is currently on patrol

Avira TechBlog

Go to the top of the page

markkuhu

Date of registration:
May 24th 2012

Version:
Avira Free Antivirus

Operating System:
xp sp3

10

Thursday, May 24th 2012, 8:09pm

Hi,

please find the logs in:

https://docs.google.com/open?id=0B0iQpQYfqubaVVZOTHdYX3RnVDA
https://docs.google.com/open?id=0B0iQpQYfqubaV2taTXViTTdRSGs
https://docs.google.com/open?id=0B0iQpQYfqubaNVdpVzUydkpQT2c
https://docs.google.com/open?id=0B0iQpQYfqubaNUs0WV9kR0dyNUU

PS there is newer version of avz4 - you need to use it to be able to update the database.

Go to the top of the page

Farger

Moderator

Date of registration:
Jul 10th 2009

Version:
Avira Free Antivirus
Avira Internet Security

Operating System:
Windows XP/ Windows 7

11

Thursday, May 24th 2012, 9:13pm

Hi,

Please resubmit virusinfo_syscure.zip and virusinfo_syscheck.zip to any other file hosting service, e.g. filefactory because I need the logs "as it is" which is not possible with the google docs.

P.S. I have posted the link to the latest avz version.

Scotty is currently on patrol

Avira TechBlog

Go to the top of the page

markkuhu

Date of registration:
May 24th 2012

Version:
Avira Free Antivirus

Operating System:
xp sp3

12

Thursday, May 24th 2012, 10:57pm

new try

http://www.filefactory.com/file/1eh4mm7ecz0d/n/info.txt
http://www.filefactory.com/file/69jbgayk6klt/n/log.txt
http://www.filefactory.com/file/4ocfh4in…nfo_syscure.zip
http://www.filefactory.com/file/5ks40jol…fo_syscheck.zip

Go to the top of the page

Farger

Moderator

Date of registration:
Jul 10th 2009

Version:
Avira Free Antivirus
Avira Internet Security

Operating System:
Windows XP/ Windows 7

13

Friday, May 25th 2012, 2:47pm

Hi,

1. Do you recognize all these files:

c:\program files\mobiililaajakaista\mobiililaajakaista\bechelperservice.exe
c:\program files\openwide\openwide.exe
C:\Program Files\Mobiililaajakaista\Mobiililaajakaista\Wilog.exe
C:\Documents and Settings\markkuhu\Desktop\PCtyцkalut\Terminal.exe
C:\WINDOWS\winstart.bat

2. Did you set these settings by yourself:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost:6464;*.local

3. Please open HiJackThis -> Do a system scan only -> select all these items and press Fix checked:

Quoted

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2645238

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)

O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)

O24 - Desktop Component 0: (no name) - (no file)

4. Start AVZ. In the menu choose:
File -> Custom Scripts
In the window that opens copy/paste everything inside the quotebox below (don't copy the word "Source code")

	Source code
1 2 3	begin DelBHO('{1E796980-9CC5-11D1-A83F-00C04FC99D61}'); end.

Click on the Run and wait for the script execute.

Restart your PC.

Scotty is currently on patrol

Avira TechBlog

Go to the top of the page

markkuhu

Date of registration:
May 24th 2012

Version:
Avira Free Antivirus

Operating System:
xp sp3

14

Friday, May 25th 2012, 3:26pm

Hi,

1. all but the last item seem to be legitimate. As for the last item- there are some additional similar .bat plus one .ini -files that I know nothing of. Judging by the file date they have been around for some time. They are from the year 2008.

2. Not knowingly

3. done

4. done

Go to the top of the page

Farger

Moderator

Date of registration:
Jul 10th 2009

Version:
Avira Free Antivirus
Avira Internet Security

Operating System:
Windows XP/ Windows 7

15

Friday, May 25th 2012, 4:44pm

Submit winstart.bat to virustotal and post back the result.

So, if you don't know these entries and you didn't set these settings

Quoted from "Farger"

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost:6464;*.local

then open HJT -> Do a system scan only -> select those items and press Fix checked!

Scotty is currently on patrol

Avira TechBlog

Go to the top of the page

markkuhu

Date of registration:
May 24th 2012

Version:
Avira Free Antivirus

Operating System:
xp sp3

16

Friday, May 25th 2012, 5:29pm

Hi,

virustotal results:
http://www.filefactory.com/file/2bhotc5j…ustotal_scan_do

Both R1's are fixed

Go to the top of the page

Farger

Moderator

Date of registration:
Jul 10th 2009

Version:
Avira Free Antivirus
Avira Internet Security

Operating System:
Windows XP/ Windows 7

17

Friday, May 25th 2012, 7:20pm

Hi,

What is the current situation?

Scotty is currently on patrol

Avira TechBlog

Go to the top of the page

markkuhu

Date of registration:
May 24th 2012

Version:
Avira Free Antivirus

Operating System:
xp sp3

18

Friday, May 25th 2012, 7:32pm

Hi,
at the moment it is OK, but the way it has been behaving is that it has it's good moments and bad moments. I would not close this today. What do you think - we give it two days and I will be informing you after that?

Go to the top of the page

Farger

Moderator

Date of registration:
Jul 10th 2009

Version:
Avira Free Antivirus
Avira Internet Security

Operating System:
Windows XP/ Windows 7

19

Friday, May 25th 2012, 7:46pm

Hi,

No problems

Scotty is currently on patrol

Avira TechBlog

Go to the top of the page

markkuhu

Date of registration:
May 24th 2012

Version:
Avira Free Antivirus

Operating System:
xp sp3

20

Tuesday, May 29th 2012, 3:11pm

Hi Farger,

this one seems to solved. I have experienced zero redirections and also the sluggishness to get to a site seems to have gone! Great job!

Thank you very much,
Markku

Go to the top of the page

Avira Support Forum

Welcome to nginx!

Quoted

Source code

Quoted from "Farger"