It doesn't go to NGINX but I had flushed the DNS resolver cache and after that it stopped going to that page. Then we started down our journey right after that and during all of that it never went to that page.

Is there anything else I should be doing.

You have an older version of Adobe Reader. You can download the current version HERE

You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum

In either case you should uninstall Adobe Reader 9.5.1 first. Be sure to move any PDF documents to another folder first though.

Please download JavaRa to your desktop and unzip it to its own
folder
[*]Run JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista), pick the language of your choice and click Select. Then
click Remove Older Versions.
[*]Accept any prompts.
[*]Open JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista) again and select Search For Updates.
[*]Select Update Using Sun Java’s Website then click Search and click on the Open Webpage button. Download and install the latest
Java Runtime Environment (JRE) version for your computer.

In your next reply let me know if you had any problems with the instructions and once again how your system is running.

Hi,

Well hopefully I have done this right, I think I uninstalled Adobe Reader 9.5.1, anyway I couldn’t find it anywhere when I searched for it and installed the latest version. I will have a look at Foxit, checked it briefly. I am the webmaster for an association I belong to and they have supplied me with Adobe Acrobat 9 which I don’t find all that user friendly, does Foxit do the same thing? I also hopefully updated Java, I followed your instuctions and then verified that I was downloading the correct JRE update, it is JRE 7ur4 I’m guessing though.

Everything seems fine, Firefox opening to my homepage and no Welcome to NGINX page. Please advise if I need to do anything else.

Cheers,
Janice

Hi,

does Foxit do the same thing?

Providing there are no other malware related problems…

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!!

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.

Clean up with OTL:

[*]Double-click OTL.exe to start the program.
[*]Close all other programs apart from OTL as this step will require a reboot
[*]On the OTL main screen, press the CLEANUP button
[*]Say Yes to the prompt and then allow the program to reboot your computer.

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren’t cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:

[*]From within Internet Explorer click on the Tools menu and then click on Options.
[*]Click once on the Security tab
[*]Click once on the Internet icon so it becomes highlighted.
[*]Click once on the Custom Level button.
[*]Change the Download signed ActiveX controls to Prompt
[*]Change the Download unsigned ActiveX controls to Disable
[*]Change the Initialize and script ActiveX controls not marked as safe to Disable
[*]Change the Installation of desktop items to Prompt
[*]Change the Launching programs and files in an IFRAME to Prompt
[*]Change the Navigate sub-frames across different domains to Prompt
[*]When all these settings have been made, click on the OK button.
[*]If it prompts you as to whether or not you want to save the settings, press the Yes button.
[*]Next press the Apply button and then the OK to exit the Internet Properties page.

2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
[*]Open Internet Explorer
[*]Click on Tools > Internet Options
[*]Press Security tab
[*]Select Internet zone then place check next to Enable Protected Mode if not already done
[*]Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
[*]Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.

3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here. **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free
Agnitum Outpost Firewall Free

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. WOT (Web of Trust) As “Googling” is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT’s color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

7.Finally, I strongly recommend that you read TonyKlein’s good advice So how did I get infected in the first place?

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Hi,

I ran OTL and clicked on clean up. Then I went to Internet Explorer, to the tools menu and Internet Options. I had everything as you advised already in place but I couldn’t find Installation of desktop items here? I already had Protected Mode on, I run Site-Advisor as well as Spoofstick. I have everything set to automatically send me updates and use cnet downloads and cnet updates for installed downloads. I will install WOT I think I may have it already or at least I did at one time. I also installed outpost firewall & will turn off Windows firewall.

I just ran a quick scan by malewarebytes it said ok but then Avast came up with this message: ROOTKIT FOUND A suspicious hidden object (rootkit) has been detected on your computer. This may be a sign of a malicious infection. It is recommended to remove the object immediately. File Name: SVC:mbam Rootkit name: Rootkit. I clicked on delete, only other option was to ignore. I am now going to run a boot-time scan as suggested by Avast!! Please advise what’s next!!!

Hi,

What else did the warning say? Did it give a file path or can you take a screen shot of the warning?

Hi,

No file path, just what I told you, the Avast redbox came up and said to remove it immediately and that was by deleting it. Its gone so I can’t take a screen shot. I just finished the boot-time scan which Avast told me to do.

I also get a message about window live essentials everytime I reboot. I don’t think this means anything, I went on line to check it out and seems lots of people get this so I just ignore it. Anyway here’s what happens: A warning box comes up titled WLStartup.exe - Entry point not found. Red circle with X in it - The procedure entry point ?GetHeight @CRMImage@@QBEHXZ could not be located in the dynamic link library UXCore.dll. So I close that and get - Window Live Essentials has stopped working. Check on line for a solution etc, or Close the program which is what I do.

Cheers, :-[

Hi,

I do believe I have resolved the Windows Live Essential problem! It was all about an outdated uxcore.dll. I deleted the old one and replaced it with an updated uxcore.dll. I hope that is the last of that because it is extremely annoying.

Hi,

Ok…try the following:

Go into your “c:\program files\windows live\installer” and delete the uxcore.dll. Then go into “c:\program files\windows live\shared” and copy uxcore.dll from this directory. Go back to your installer directory and paste the file.
Should start without an issue…
Error is occuring from an outdated uxcore.dll file that is not being updated in the installer folder.

;D You beat me to the punch!!

Hi,

Yes that is exactly what I did about Windows Live Essentials! I haven’t changed any passwords yet because of Rootkit found? earlier by Avast. So where am I with that? I don’t want to change anything until I am sure I’m clean

Cheers,

Let’s check for the rootkit…

Please download TDSSKiller.zip

[*]Extract it to your desktop
[*]Double click TDSSKiller.exe
[*]when the window opens, click on Change Parameters
[*]under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
[*]click OK
[*]Press Start Scan

[*]Only if Malicious objects are found then ensure Cure is selected
[*]Then click Continue > Reboot now

[*]Attach the log in your next reply

[*]A copy of the log will be saved automatically to the root of the drive (typically C:)

Arrgghh, I could scream!! Its that locked file, Service: sptd, suspicious object medium risk C:\Windows\system32\Drivers\sptd.sys. I have run TDSSKiller 3 times, quarantined it twice, rebooted once, options are: Skip, Copy all to quarantine, or delete. Not sure what to do about this third one sitting on my desktop because copying to quarantine does nothing. Please advise. Attached logs of same, apparently not as file is too big, hope this one gets to you. Quarantined anyway.

Cheers,

Don’t worry about that. It is part of the Daemon programs you have on your system. Daemon programs will sometimes use rootkit technology that is picked up occasionally by antivirus programs. It is a false positive.

Hi,

Well that is good news! I also ran a new eset last night and it didn’t find any malicious threats, or for that matter, threats of any kind. So this should be it, we can put this baby to bed!! I will go ahead now and change my passwords, that is going to be a huge job but a necessary one.

Cheers,
Janice

Hi,

Glad that we could help!

Hi,

Your very welcome and I too am glad that you could help. Thanks again!

Cheers

Hi,

I was searching out win32 bagle.gen.zip worm which as you know I had on my computer. TrojanDownloader:Win32/Bagle.gen!A creates the following registry subkeys and entries as part of its installation routine:

Adds value: “frstrunn”
With data: “1”
To subkey: HKCU\Software\bisoft

Adds value: “EnableLUA”
With data: “”
To subkey: HKLM\SOFTWARE\Microsoft\Windows\Security Center\Svc

where is a certain number.

Adds key: HKCU\Software\Local AppWizard-Generated Applications

and all its associated subkeys.

It may also create the following folders:

%AppData%\drivers
%AppData%\drivers\downld

So while preforming regedit, looking for any of this I come across Adds key: HKCU\Software\Local AppWizard-Generated Applications. I found it in HKEY users: Software. Tried looking for the rest but not sure if its not there or I’m not looking in the right spot. Please advise what now!

Cheers

Hi,

I ran aswMBR and then OTL, not sure if I should have run OTL first. Attached logs from same.

Hi,

Please double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose “Run as administrator”.

[*]Click the Scan button to start scan.
[*]When scan finishes, press the Fix Button. Once the Fix is done, press the Save Log button and save the log to your desktop. You need to reboot your computer when its done before you do anything else, then post the log that will be on your desktop.

http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRfix-1.png

Click the image to enlarge it

HI,

I can’t get the scan to finish, its frozen on 13:27 Scanning: C:\Users\Janice\AppData\Local\Microsoft\Windows Live\Installer\catalog. That’s all I can see, so should I click on fix or should I exit and start again.