Tuesday, October 4, 2011

Volmgr.exe, volmgr.dll: Trojan.Plongo and Google/Bing Redirects

Badvertisement and highly efficient click-fraud attacks have increased dramatically over the last year, especially during the Summer months. Web search engines are the primary method for most Internet users to find information on a particular topic. Cyber crooks who operate large groupings of hacked PCs can effectively monetize botnets redirecting Google, Bing and Yahoo! search results to completely irrelevant web pages full of advertisements or even adware. You can find multiple forum threads about this issue, commonly addressed as the Google redirect virus or just search redirect virus. Malware from the TDSS (TDL3 and TDL4) and ZeroAccess/Serifef families were involved in nearly all cases of those annoying redirects. However, yesterday we found another Trojan horse that may cause redirects too and may even replace the ZeroAccess/Serifef. Some of the hacked websites that were previously installing the ZeroAccess/Serifef Trojans and rootkits now distributed Trojan.Plongo, Trojan.Win32.Generic [Kaspersky]. It uses DLL injection and drops two files in %AppData% folder: volmgr.exe and volmgr.dll. Malware uses rootkit techniques to hide its presence from the victim and security products. However, GMER detects the hidden file without any problems.



What is more, Trojan.Plongo modifies Windows hosts file and DNS settings. It deletes default values and adds the following lines:
  • 95.64.61.155 www.google.com
  • 95.64.61.156 www.bing.com


A quick trace root 95.64.61.155 reveals that the server is physically located in Romania. Google may ask you if you would like to change your default search page to google.ro. However, cyber crooks can easily change servers and rebuild malware, so you may be redirected to other servers as well, not necessarily 95.64.61.155. Unfortunately, only ten security vendors out of forty three are able to detect this malware. Even less can effectively remove it from the infected computer. Thankfully, Norton Power Eraser does a great job of deleting Trojan.Plongo malware. The following removal guide has been created to help you to remove volmgr.exe, volmgr.dll and associated malware from your computer. If you have any questions, please leave a comment below. Good luck and be safe online!


Removal instructions:

1. Download Norton Power Eraser. Download link: http://security.symantec.com/nbrt/npe.aspx?

2. Double-click on the NPE.exe to run the utility. Please read the end user license agreement carefully and if you agree, click on the Accept button.



3. Click on the Scan button.



4. Rootkit scan is important this time, so click on the Restart button. Windows will now restart. You don't have to do anything. After a reboot it will continue to scan your computer for malicious software.



5. When Norton Power Eraser has finished, it will list all malicious files found on your computer. Important: select olmgr.dll to be fix too. Then click on the Fix button and then choose Restart. It will automatically reboot your computer again.


 


6. After a reboot, Norton Power Eraser will show you removal results. That's about it for the Trojan.Plongo malware. You can now close Norton Power Eraser.




Associated files and registry values:

Files:
  • %AppData%\volmgr.dll
  • %AppData%\volmgr.exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run volmgr = "%AppData%\volmgr.exe"
Share this information with other people:

No comments:

Post a Comment