Search results redirect, possible Trojan.Agent/Gen vma.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by mps_42, Apr 8, 2010.

  1. mps_42

    mps_42 Private E-2

    Hello,
    My issue began (as far as I can tell) on Tuesday April 6th 2010. I believe I picked up a virus from another infected PC that I was browsing to across a home network. Symantec Anti-virus did pop-up an alert and quarantined the file(s), but apparently missed something. I had a fake Security Center window pop-up with an Anti-virus scanner telling me that viruses/spyware had been found and telling me to purchase their scanner, etc. I immediately killed the process - I believe the executable name was vma.exe. At this point, any time I would double-click on a shortcut (or run an application from the QuickLaunch, or Start Menu), vma.exe would start running again. If I ran an executable by using the Start..Run option, vma.exe did not start running - I then discovered that the HKEY_CLASSES_ROOT\exefile\shell\open\command (I *think* this was the key) had been modified to start up vma.exe, and I undid that change and any other vma.exe changes I found in the registry.

    After getting rid of that registry modification and deleting all instances of vma.exe, the fake virus scanner no longer runs. I am still having an issue though. With searches via Google or Bing (using Internet Explorer), all of the search results come back normally, but if I click a link in the results, I'm redirected to another page. I can go to the desired page if I copy the link and manually paste it into a browser window. I have not been able to determine the cause of this and haven't been able to fix it.

    I have been looking through posts in the forum and finally went through all of the READ & RUN ME FIRST steps. After completing the steps, I still have the browser redirect issue. My logs are attached to this post (and my next post I guess, since I can't attach them all to this one).

    Other notes: ComboFix was telling me that Symantec was running even though I had disabled the Symantec services and killed all of the Symantec processes (the "disable auto-protect" option seemed to keep coming back on). So, in order to hopefully avoid issues with ComboFix, I uninstalled Symantec. Right now, I don't have an AV program running, but I'm going to install Avast unless you tell me to wait.

    Thanks for any help,
    Maat

    PS - love the "10 types of ppl" signature line
     


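    As an added example (not from the thread and not a MajorGeeks or ComboFix tool), a small offline checker for the registry key the post above describes: it classifies the (Default) value of exefile\shell\open\command, pulls out the program a hijacked value launches in front of every EXE, parses pasted `reg query` output, and writes a .reg file restoring the stock default. The vma.exe path it uses is a constructed placeholder, not one from the poster's logs.

```python
"""Check the (Default) value of the EXE file-association command for a hijack.

Added example for this thread, not a MajorGeeks or ComboFix tool. It works
offline on value text you paste in (for example the output of
`reg query HKCR\\exefile\\shell\\open\\command /ve`), so it runs on any OS.
The vma.exe path below is a constructed placeholder.
"""
import re

# Stock data of HKCR\exefile\shell\open\command on Windows XP/Vista/7:
# run the clicked file itself ("%1") with its arguments (%*).
DEFAULT_EXE_COMMAND = '"%1" %*'

# Constructed sample values (not taken from the poster's logs).
SAMPLE_CLEAN = '"%1" %*'
SAMPLE_HIJACKED = r'"C:\PLACEHOLDER\vma.exe" "%1" %*'
SAMPLE_REG_QUERY = (
    "HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command\n"
    "    (Default)    REG_SZ    \"C:\\PLACEHOLDER\\vma.exe\" \"%1\" %*\n"
)


def parse_command(value: str) -> dict:
    """Classify one command value.

    Returns {"status": "default" | "hijacked" | "empty", "launcher": str | None}.
    Any command other than the stock one inserts a program in front of every
    EXE launch; "launcher" is that program, so it can be located and removed.
    """
    data = " ".join(value.split())  # normalise stray whitespace
    if not data:
        return {"status": "empty", "launcher": None}
    if data == DEFAULT_EXE_COMMAND:
        return {"status": "default", "launcher": None}
    # First token is the program that actually runs: quoted path or bare word.
    m = re.match(r'"([^"]+)"|(\S+)', data)
    launcher = (m.group(1) or m.group(2)) if m else data
    return {"status": "hijacked", "launcher": launcher}


def audit_reg_query_output(text: str) -> dict:
    """Parse `reg query ... /ve` output (XP prints '<NO NAME>', Vista+ '(Default)')."""
    m = re.search(r"(?:\(Default\)|<NO NAME>)\s+REG_(?:EXPAND_)?SZ\s+(.*)", text)
    if not m:
        return {"status": "empty", "launcher": None}
    return parse_command(m.group(1))


def restore_reg_file() -> str:
    """Text of a .reg file that puts the stock command back.

    It writes both HKCR and the per-user HKCU\\Software\\Classes path, because
    a per-user entry there overrides the machine-wide one.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in (r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
                r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command"):
        lines += [f"[{key}]", '@="\\"%1\\" %*"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        print(label, parse_command(sample))
    print(audit_reg_query_output(SAMPLE_REG_QUERY))
    if parse_command(SAMPLE_HIJACKED)["status"] == "hijacked":
        print(restore_reg_file())
```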
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I still need the logs from running MGTools.exe ---> C:\MGlogs.zip.
     
  3. mps_42

    mps_42 Private E-2

    Yes you do... and here they are. I didn't want to post another message until asked - I was afraid that would be a BUMP.

    I also have an update - I think that the search results are only redirected when I perform the search via the "Search Provider" textbox in IE8 or by entering search terms directly in the URL textbox. If I did a normal search from Google's search page, I was not redirected. I didn't notice this until I saw that Google was no longer a search provider for me, and only Bing was. And then (I hope this doesn't upset you), I thought the issue might be a "fake" search provider masquerading as Bing. So, I added Google as a search provider, set it as the default, removed the Bing provider, then re-added Bing as a provider, set it as the default and removed Google. After this, I'm no longer getting re-directed results, but I'm not positive that I'm clean.

    Also, if you're going to ask whether or not the issue happened in Chrome, I don't know. I first noticed this whole problem when I was trying to use Chrome and it kept crashing and would not load at all. Right now Chrome is no longer on my system (I absolutely cannot remember uninstalling it, but I suppose I must have done so before I contacted majorgeeks).

    Anyway, here's the logs.

    I'm still running this PC with no firewall running and no AV software - should I leave it in that state until you're done with me or until you tell me to take a hike?

    Thanks,
    Matt
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know you got the browser issue resolved. You will need to install both an AV program as well as a firewall. You can do that now!!

    There is nothing that is showing as malware, but we can clean a few things up.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    LSIE
    MSD
    RKAXZ
    
    File::
    c:\documents and settings\Matt\LOCAL Settings\Temp\RKAXZ.exe
    C:\Documents and Settings\All Users\Application Data\4W2k7t2Uo86
    C:\Documents and Settings\All Users\Application Data\696744383
    C:\Documents and Settings\All Users\Application Data\K6sEH5Ir2Is
    C:\Documents and Settings\Administrator\Desktop\settings.dat
    C:\WINDOWS\Temp\fla36.tmp  
    C:\WINDOWS\Temp\fla37.tmp
    
    Folder::
    C:\Documents and Settings\All Users\Application Data\4W2k7t2Uo86
    C:\Documents and Settings\All Users\Application Data\696744383
    C:\Documents and Settings\All Users\Application Data\K6sEH5Ir2Is
    
    Registry::
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  5. mps_42

    mps_42 Private E-2

    OK, I was hoping to be able to reply with "everything looks good now," but unfortunately it doesn't seem to be.

    I ran C:\MGTools\analyse.exe as directed, followed by ComboFix. Then I installed avast AV and Comodo Firewall. After that, I was trying to download Spyware Blaster from the link on majorgeeks.com, and this is where things started happening. I think I clicked on the middle "download@MajorGeeks" link, and when the file started to download, IE redirected the page to a different site. avast popped up a virus warning that a Trojan had been intercepted. I can give you the link if you want it, but I wasn't sure if I should post it (I don't want anyone accidentally clicking on it - tigerrosedirect is the domain). I went back to the download page again and tried the download - this time nothing unexpected happened, and I did install Spyware Blaster, update it, and set all the protections.

    After all this, I noticed that the original search results redirect issue is back - it still only seems to be an issue if I do the search via the Search Provider box.

    Other information that may be relevant: Chrome does not work on this PC - it runs, and the firewall reports that it is trying to contact the internet, but it will not open any web pages - it just hangs. Also, after a restart, avast reports that the Mail Shield and Web Shield are not active (even though they should be) and it takes at least 3 minutes for them to activate after I try to start them. Also, on every reboot, the "Find New Hardware" wizard is popping up - Device Manager shows and "Unknown Device" under "Other devices" with the yellow question mark/exclamation point icon - the Device instance ID is Root\VClone_2\0000 and I believe this is related to Virtual CloneDrive (and all that was disabled by Defogger) so it probably isn't an issue. There's also about a 2 to 5 minute delay (after I login) before anything will run.

    Any ideas?

    Thanks,
    Matt
     
  6. mps_42

    mps_42 Private E-2

    Also, forgot to mention a strange looking file. It's a 0KB file with the name Ÿ;Ÿ; located in C:\Documents and Settings\Administrator. The same file used to be in the other user's folders as well, but I'm not seeing them anymore.

    Scanning it with avast doesn't find a threat, but avast reports that it scanned 2 files.

    Matt
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Since it is back, you need to run all the scans again. Attach the requested logs and let's see what is happening.
     
  8. mps_42

    mps_42 Private E-2

    OK will do. Same process as in READ & RUN ME FIRST I assume.

    I won't have access to the PC until Thursday at the earliest, so you won't hear from me again until then.

    Matt
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I'll be here.
     
  10. mps_42

    mps_42 Private E-2

    OK, I started running the Read Me First steps again. Spywareblaster found one thing (a false positive I think, since the .exe it found was one I have the source code for), Malware bytes found nothing, and Combo Fix crashed at some point, and now I'm just getting a blue screen when I boot up - Safe Mode results in the blue screen, Normal mode results in a blue screen, and trying to get into the recovery console results in a blue screen ("A problem has been detected and windows has been shut down to prevent damage to your computer").

    Any ideas?

    Matt
     
  11. mps_42

    mps_42 Private E-2

    OK, I was able to use the "last known good configuration" to get windows to boot up. Windows error reporting told me:

    Here's the logs I have so far. Should I run combofix again, move on to the next step, or do something else? Also, I've noticed a C:\cmdcons folder that I don't recall seeing before, and a ComboFix folder that essentially redirects to "My Computer".
     


  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  13. mps_42

    mps_42 Private E-2

    It's been running now for about 5 hours. When it started up, the C: drive was selected, but D and E were not. I'm assuming that's what was intended?

    At the current rate, I don't think it will be done until sometime tomorrow morning.

    Matt
     
  14. mps_42

    mps_42 Private E-2

    I let GMER run all night. This morning, the computer screen was black (I had the screen saver off, but I guess power management kicked in) and the keyboard was locked and I could not get back into the PC without rebooting it.

    Should I try running again (with power management off?)?
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It should not take that long to run a scan. Run ComboFix and attach that log as well as a new MGLogs.zip. ( Double click the C:\MGtools\GetLogs.bat file --> if using Vista, don't double click, use right click and select Run As Administrator).
     
  16. mps_42

    mps_42 Private E-2

    Here's the ComboFix log and MGLogs zip file.

    When ComboFix started up, it reported that rootkit activity was detected and it rebooted and ran the scan.

    I also attached GMER_stoppedAfter7Hours.log - don't know if it will be useful, but just in case.

    Matt
     


  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now please download SystemLook from one of the links below and save it to your Desktop.

    Download Mirror #1


    Download Mirror #2

    • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
    • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy and Paste the content of the following codebox into the main textfield under "File":

    Code:
    :filefind
    termdd.sys
    
    • Please confirm everything is copied and pasted as I have provided above.
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can close this notepad window as the log will already be saved as SystemLook.txt on your Desktop ( if you downloaded and ran SystemLook to your Desktop as requested ).
    • Please attach this log in your next reply.

    Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task.
     
  18. mps_42

    mps_42 Private E-2

    Here's the SystemLook log file.

    Also, at some point while this PC has been connected to the internet, it downloaded some Windows Updates - should I hold off on installing any of them for now?

    Matt
     


  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's get you clean before you do any updates.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\termdd.sys | C:\WINDOWS\system32\drivers\termdd.sys
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now re-run GMER.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * GMER log
    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  20. mps_42

    mps_42 Private E-2

    OK will do, thanks.

    With GMER, should I have the "Files" option clicked and should all of the hard-drives (C, D, E) be selected? That will be roughly 160GB total of files to be scanned.

    Matt
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just the C drive.
     
  22. mps_42

    mps_42 Private E-2

    OK, here are the new ComboFix, GMER, and MgTools logs. ComboFix again reported rootkit activity and rebooted before continuing.

    As to how the system is performing now: I tried logging in as all of the different users on the PC and ran IE and Chrome (chrome does run now). I did not see the search redirect behavior anymore with IE (or with Chrome, but I don't think Chrome was doing it before anyway). Fast user switching is off, so I was logging in and then logging out for each user.

    Some potentially suspicious behaviors:
    - on the first initial logon for a user after a reboot, the Find New Hardware wizard is showing up (and it takes a long time... 5 minutes or so to show up and the system isn't really usable until it does). I believe this may be related to the daemon tools scsi drivers being disabled, so this may not be an issue.

    - for one user only (matt), when I login, Windows Explorer opens and it is opened in the c:\windows\system32 folder

    - when starting Windows Explorer the first time (manually) and clicking on C:, the desktop goes blank (all icons disappear) for a second and then refreshes

    Matt
     


  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looking much better, though we have just a few more things to remove.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now use windows explorer to find and delete:
    C:\WINDOWS\system32\CBMZUAAQYA
    C:\WINDOWS\system32\DIKCPHLDMXO
    C:\WINDOWS\system32\PXXHN

    Let me know if you have any problem doing that.

    If you don't, then, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  24. mps_42

    mps_42 Private E-2

    OK, I was able to successfully remove the registry entries (got a "Information in C:\Documents and Settings\Administrator\Desktop\fixME.reg has been successfully entered into the registry." message). I was also able to delete the listed files from system32.

    The only thing I really notice now is that the Windows Explorer window still opens (in C:\windows\system32) when the 'matt' user logs in. I suppose there could be something in that user's startup settings, but I haven't investigated yet.

    Do you think that's just innocuous behavior and it's OK for me to go ahead with all the final steps?

    Thanks for all your help!

    Matt
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sounds like a good question for the software folks. I don't recall anything in your logs that would be set to do that.

    And you are very welcome. :)
     
  26. mps_42

    mps_42 Private E-2

    I figured out the system32 explorer window thing (with help from the MS KB):

    http://support.microsoft.com/kb/170086

    The same behavior can occur under HKCU which explains why it only happened for one user for me.

    Well, onto the cleanup now. Thanks again - you've got a great, well organized site.

    Matt
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. :)
     
