
Welcome to nginx blocks yahoo

Created: 12 Apr 2012 • Updated: 12 Apr 2012 | 19 comments

This problem started about a week ago. Anytime I try to access yahoo or my.yahoo I get the Welcome to nginx screen. I am able to access yahoo mail. I am running Symantec Endpoint Protection with current security definitions.

Can anyone help me with this?


Thomas K's picture

I suspect your system has been infected. Since you are running a Symantec product, I would start with downloading the latest Rapid Release definitions.

Next, boot into safe mode and run a Disk Cleanup (right-click the C drive, Properties, Disk Cleanup) - that will delete all the files that are in these temporary locations, as well as IE's temporary files, etc.

Perform a full system scan in safe mode.
If that fails to detect and remove the threats, there are some useful tools provided by Symantec for helping with finding those hard to detect threats.

1. The Power Eraser Tool eliminates deeply embedded and difficult to remove threats that traditional virus scanning doesn't always detect.

2. The SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively.

3. The Load point Analysis Tool generates a detailed report of the programs loaded on your system. It is helpful in listing common loadpoints where threats can live.

If you are unable to remove the threat(s) from your systems, please submit the suspected files to Symantec or ThreatExpert for analysis. New signatures will be created and included in future definition sets for detection.

http://www.symantec.com/business/security_response/submitsamples.jsp

http://www.threatexpert.com/submit.aspx

Keep us posted on the outcome.

Best,

Thomas

pete_4u2002's picture

Are you using any toolbar? If yes, can you delete and check?

theexplorer's picture

I just did an online search about this... here is a way you can work on it.

C:\Windows\System32\Drivers\Etc\

Open the hosts file with Notepad: right-click hosts, click Open with, click Notepad.

It should look like below

-------------------------------------------------------------------------------------------------------------

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1       localhost

----------------------------------------------------------------------------------------------

If you see any entry below the line # 127.0.0.1       localhost you have to delete that

To do that, you have to follow the steps below:

if you see any entries below # 127.0.0.1       localhost

close the hosts notepad,

right click on the hosts file,

properties, uncheck readonly,

apply

open that again with the notepad

remove the entries below # 127.0.0.1       localhost

save that,

recheck the readonly

Good Luck!
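The hosts-file check described in the post above, as a read-only script (an added example, not part of the original thread). It lists every active mapping other than localhost on a loopback address; the sample input, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import os

# Constructed sample: stock comment lines plus made-up active entries.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
# 127.0.0.1       localhost

203.0.113.10    www.yahoo.com my.yahoo.com   # constructed redirect entry
127.0.0.1       localhost
::1 localhost
not-an-ip       example.test
"""

LOOPBACK_NAMES = {"localhost"}

def active_entries(text):
    """Yield (line_no, ip, [hostnames]) for every non-comment mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if body:
            fields = body.split()
            yield line_no, fields[0], fields[1:]

def audit(text):
    """Return entries worth a manual look: anything but loopback -> localhost."""
    findings = []
    for line_no, ip, names in active_entries(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, names, "malformed address"))
            continue
        if addr.is_loopback and {n.lower() for n in names} <= LOOPBACK_NAMES:
            continue  # benign: localhost mapped to a loopback address
        reason = ("name pinned to loopback" if addr.is_loopback
                  else "name redirected to " + ip)
        findings.append((line_no, ip, names, reason))
    return findings

def audit_file(path=None):
    """Audit a hosts file without modifying it; default is the Windows location."""
    if path is None:
        root = os.environ.get("SystemRoot", r"C:\Windows")
        path = os.path.join(root, "System32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        return audit(fh.read())

if __name__ == "__main__":
    for line_no, ip, names, reason in audit(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {' '.join(names)} ({reason})")
```

Calling `audit_file()` on the affected machine reports the same findings for the real file; an empty result means the hosts file holds no active redirects.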

Mithun Sanghavi's picture

Hello,

Quite Suspicious, if you are carrying the file "nginx.exe"

Could you check Start → All Programs → nginx.

Run the Symantec Support Tool in case you have any suspicion / suspicious file on the machine. Check this Article:

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Jason1222's picture

This is not a virus.  It is a legitimate proxy. 

If you are getting the message it is because there was a problem with the site you were trying to visit and it is now stuck in your cache.

For firefox:

http://support.mozilla.org/en-US/kb/How%20to%20clear%20the%20cache

For Internet Explorer:

http://support.microsoft.com/kb/260897

* * * * * * *

Wiki on what is NGINX:

http://en.wikipedia.org/wiki/Nginx

* * * * * * * *

Google NGINX or what is NGINX and you will get much information on the system. Proxy, web server, load balancer, etc.

riva11's picture

I don't think it is only a proxy issue; it could be something that forces a redirect of the home page to this portal. I tried to google "Welcome to nginx" and there are many users with the same problem.

Bluehen's picture

I want to logon to Yahoo. If I type http://www.yahoo.com, a screen appears, “Welcome to nginx!”

If I use the secure http, https, and type https://www.yahoo.com, https reverts to http and becomes http://www.yahoo.com/?s=https. That takes me to Yahoo. If I then try to logon to my mail, once I enter my screen name and password, it goes back to “Welcome to nginx!” If I return again to Yahoo with https://www.yahoo.com I see that I am logged in to my e-mail account and can do my email.

When I click ‘Logout’ of e-mail I am returned to “Welcome to nginx!”

What I have done that has not solved the problem:

1. I emptied the browser history, cookies and cache and re-booted.

2. I went to C:\Windows\System32\drivers\etc and restored the default host file and re-booted. I confirmed the contents of the host file at the Microsoft site. The localhost is set to 127.0.0.1.

3. I flushed the DNS cache.  I went to the command line, entered cmd, then ipconfig /flushdns

4.  I have run Norton Anti-virus and Norton Power Eraser.

Anvisoft says it is "a browser hijacker." 

I haven't tried the Anvisoft software because I am hoping that Norton will have a solution soon in an update.

Thomas K's picture

@Bluehen,

Have you tried running a scan with the Norton Bootable Recovery Tool?

http://security.symantec.com/nbrt/nbrt.aspx?lcid=1033

Bluehen's picture

I have downloaded it but don't have time today to do the re-boot. 

I appreciate the suggestion and will let you know how it works.

Bluehen's picture

I downloaded it to a flash drive and re-booted.  The system didn't boot from the flash drive. 

Can I run the NBRTStrt.exe file anyway?

Jason1222's picture

Seems this is turning into a nasty bugger.  Quoted as being a fast mutating bug that is keeping itself ahead of the pack and like a hydra, has many heads and forms.

There are many companies that are insisting they can remove the thing.  Some are more shady than others.

Have you tried running Malwarebytes or something else similar?

Bluehen's picture

Jason1222,

I have tried Norton Internet Security, Norton Power Eraser, Spybot, SuperAntiSpyware, and Ad-Aware.   Nothing works so far. 

Bluehen

theexplorer's picture

Hi try below steps

go to safe mode

start run

Type %temp%

delete all the files in the user temp folder

type temp

delete all the files here (some may not get deleted, you can ignore them).

open internet explorer

if it's ie 8, click tools, internet options, advanced, reset, delete personal settings also (it's up to you about personal settings)

restart ie.

run diskcleanup

right click c drive, properties, diskcleanup, remove previous system restore files.

reboot the machine

check for that.

if this doesn't work, create a new admin account and use that and see if u still get the pop up.

Good Luck!

Bluehen's picture

Thanks for the suggestion, but it didn't work. 

I don't know how to create a new administrator account.

lakat's picture

Jason's advice solved my issue. Cleaning the browser cache cleared my problem. Thanks everyone for your advice. I was tearing my hair out!

Bluehen's picture

The problem is on my personal laptop.  If the problem were at work, I would just call IT. 

I haven’t yet tried Symantec’s Endpoint Recovery Tool.  I have backed up everything.  I have been careful not to log onto any webpages that might have financial information (e.g., credit card numbers).  I have a real job and don’t have time to work on this, much as I would like to understand the problem.

To answer a question and give more information that might help someone who also encounters this problem: 

  1. Nginx (pronounced “Engine-X”) is found at Nginx.org. It’s an open-source server program.  They must have lots of mail from people trying to log on to Facebook because nginx.org has a webpage devoted to the problem.  http://nginx.org/en/docs/welcome_nginx_facebook.html

  2. At http://www.totalchoicehosting.com/forums/index.php?showtopic=41150&st=0&p=245983&hl=nginx&fromsearch=1&#entry245983

     TCH-Alex writes:  ‘The errors like "404 page not found" "Welcome to nginx !!!" are common 404 errors on nginx server, when hit on invalid pages etc.’

     I wonder if I have a virus that is sending me to pages that don’t exist anymore because the pages have been removed from that server.

  3. An expert I know says that I have a BHO (browser helper object) virus.  He recommended that I use BHODemon available at http://majorgeeks.com/download3550.html.  I haven’t done that because it is unsupported.   Anyone know a BHO program that is supported?  I ran HijackThis but I can’t interpret what the BHO lines mean.

  4. The problem is in Internet Explorer.  It doesn’t appear in Opera or Firefox.  Nginx.org recommends switching to another browser.

  5. @Pete_4u2002, I don’t have any toolbars installed.

  6. @Jason1222, I have not tried Malwarebytes.

  7. @lakat, clearing browser history using MSIE doesn’t solve the problem.

  8. Next, I will use the Symantec Endpoint Recovery Tool.

To be continued.

lakat's picture

I know you probably already tried this, but make sure you cleared your internet cache. I fought this problem for over a week and was sure I had a virus but clearing the cache resolved this issue.

Bluehen's picture

Thanks for the suggestion but that didn't work.

hrr4's picture

I was having the same problem and tried almost everything. In my case, when I was deleting the cache through IE's Delete button it didn't fix my problem.

When I manually deleted all the files from

AppData\Local\Microsoft\Windows\Temporary Internet Files

the problem went away. You might want to try deleting your temp files manually.

Another way I fixed it on my other computer is simply by right-clicking on the tab and refreshing.