VirtualNomad.ga Browser Hijack Vexing Me - No Malware Detected or Other Reports

DefRef (Diamond Member, joined Nov 9, 2000)
The other day I launched Chrome and all my previous tabs were gone, replaced with a www dot virtualnomad dot ga (Gabon) page that makes Chrome ask if I want to translate it. It also popped an error that Chrome hadn't shut down properly and would I like to reopen it? Doing so makes Chrome crash and reopen to either a blank start page or this VirtualNomad page.

Launch Firefox and the metric shitton of saved tabs there are annihilated, replaced by this same interloper. Huh? Ran a Malwarebytes scan, which came up with a few unrelated PUPs. Checked about:config and found the start page had been changed. Blanked that out and restored an old sessionstore file to get most of my tabs back.

I can't find a single reference to this thing anywhere with Google. Trying to find a source, the only software I'd updated concurrent with this starting last Saturday (it's Thursday now; the first work trying to fix it was Tuesday and Wednesday nights) was my Gigabyte App Center. Had a corrupted update slipped through? Am I the only one using this junk? On a hunch, I uninstalled all the utilities and initially it appeared to fix things; I thought I'd licked it.

Nope! Last night and into tonight, it's back again, crashing Chrome and eating Firefox. Searched the URL in the Registry and found IE's home page had been changed. (Never use IE; Edge seems unaffected.) Other than those two hits, nada. Updated MWB and rescanned in hopes a later def file would spot it, and nothing.

Right now, Chrome seems clear, but it seemed that way before. I'm posting from Firefox, so can't retest it. Anyone have any suggestions for sorting this out and swatting this malware?

Rig in sig. TIA!
 

Ketchup (Elite Member, joined Sep 1, 2002)
Malwarebytes is good, but isn't the only software for this type of thing. SuperAntiSpyware is another good one.
I don't like to run it all the time personally, but the free version of AVG is also good at ridding this sort of thing.

Lastly, ones like these usually hide in your user temp folder. So if you clean out the folder and it gets stuck on a suspicious exe, check and see if you can end it from Task Manager, as that might be the rascal you are looking for.
Bear in mind my tips are in no particular order. Nowadays I like to see if I can rid this stuff manually before waiting on scans to complete.
 

DefRef (Diamond Member, joined Nov 9, 2000)
Thank you for your reply.

I was going to try SuperAntiSpyware, but in the past I've been annoyed at how it stays resident and whines that you buy it. Getting home tonight, I had the bright idea to roll back to an earlier System Restore point from a week ago, before the weirdness started, and so far, so good. Chrome and Firefox both launched without issue. Fingers crossed.
 

deustroop (Golden Member, joined Dec 12, 2010)
My experience suggests that the few times this system fell victim, it was from web pages or content therefrom and not by way of infected applications from known publishers. A removal tool I have used with success is HijackThis:
https://sourceforge.net/projects/hjt/
 

VirtualLarry (No Lifer, joined Aug 25, 2001)
Some malware actually re-writes the shortcuts to the browsers and adds a parameter to open those web pages upon launch. That can be annoying to get rid of, since Malwarebytes generally won't report malware, because there's no EXE or registry entries for any sort of malware.
 

DefRef (Diamond Member, joined Nov 9, 2000)
VirtualLarry said:
> Some malware actually re-writes the shortcuts to the browsers and adds a parameter to open those web pages upon launch. That can be annoying to get rid of, since Malwarebytes generally won't report malware, because there's no EXE or registry entries for any sort of malware.

deustroop said:
> My experience suggests that the few times this system fell victim, it was from web pages or content therefrom and not by way of infected applications from known publishers. A removal tool I have used with success is HijackThis:
> https://sourceforge.net/projects/hjt/
I tried HijackThis and didn't see anything amiss in its scan, but then, thanks to MWB forcing a trial of their Premium package on me, I discovered a clue which appears to have led me to some discoveries.

I noticed it was popping up a notice that it was blocking an outbound connection to a site called coinuri[dot]com:50928. Tried to enter that and it got blocked. Digging into the reports found something called C:\ProgramData\mvfm\mvfm.exe was making the call. Looking at that, it showed no ID info and nothing on Google to legitimize it, so I renamed it .exe-BAD and the block alerts ceased immediately.

Searching the Registry for that file turned up four hits:

Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Computer\HKEY_USERS\S-1-....\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store

C:\ProgramData\mvfm\mvfm.exe
--------------
Computer\HKEY_CURRENT_USER\Software\mvfm.exe
Computer\HKEY_USERS\S-1-....\Software\mvfm.exe

NAME DATA
03L4FtDy724Kj5X || HYFraC-YNeb-{Ha(jLiI-:EZw|6=8?o+c>9{&r<I6)*1
cgy9alI8x4ZfrrLkk3ZdJ9K0Sv3 || 1AXFvaI(k'f8o_r8jFZLM{!dH]S!%;#?|Dm>3~[\e+:YzlBWQb\aB|'}}8)F+r`H6sGfT2FvI)`fyh=%7$-16.&*
NqIIp || I&TN"4X\z['PD@#MygcE`$Q *O&W'jd'mb?c:mf*Inih?)?I8`Mm#c;Fe;**g"bTPQ:ZZ<W)h:],&EvQ:;%G
oyJMgE9p2a4xytQaJhIhkGXeI0t1n || B@35\^0e#x0'rn8fS{EKCGh@2ZwY1xCi#8^gU(@W<q)ftONQ'JC#n+pzcb!cFP^#4T5%hctxYs`&;R4KsSBGH{eN


(Sorry about the wrapping; there are four values. The || separates name from data.)

Judging from the gibberish and context, I'm guessing something non-English in nature. Going to that folder and even directly scanning that exe with Windows Defender, Malwarebytes and SuperAntiSpyware, ALL report it as benign. (Whut?)

Re-running HijackThis and looking for the critter found this entry: O4 - Startup: Dirk.lnk = C:\ProgramData\mvfm\mvfm.exe

HJT's info on the item screams exactly what has been happening: it can load a Registry script, change IE start pages, etc. Used HJT to remove that item and repair the IE start page.

Hard-deleted the mvfm.exe file (which was 204MB!) and Windows said it was a system file. Yeah, right.

Deleted the four keys from the Registry, getting an error about not being able to open one of them. Did a second sweep and found no entries.

Reset home page in Firefox back to what I wanted.

Rebooting....

After reboot, no mvfm folder or exe. The Registry shows neither that nor the hijacked URL. Chrome launched OK, and Firefox came up with just the pinned tabs and the correct homepage. IE launches to the MSN page.

/fingers crossed
 
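As an added example (not from the thread, and not something any of the posters ran), here is a read-only PowerShell triage script that checks the persistence spots this thread turned up in one pass: browser shortcuts carrying appended arguments (VirtualLarry's point), Startup-folder .lnk files like the "Dirk.lnk" entry HijackThis reported as "O4 - Startup", the Run keys and the IE "Start Page" value, unsigned executables under ProgramData (where mvfm.exe lived), the Firefox homepage pref, and established outbound connections with their owning process (what the Malwarebytes block alert exposed). The indicator strings 'virtualnomad' and 'coinuri' are taken from the thread; the folder layout, a Windows 10 box with PowerShell 5.1 or later, and running as the affected user (elevated, so HKLM and ProgramData are readable) are assumptions.

```powershell
# Added read-only triage script (not from the thread). It lists; it does not delete or rename anything.
# Assumes Windows 10, PowerShell 5.1+, run as the affected user in an elevated session.
$Indicators = 'virtualnomad', 'coinuri'            # strings taken from the thread; extend as needed
$Browsers   = 'chrome|firefox|iexplore|msedge|opera'

function Get-ShortcutInfo {
    # Resolve a .lnk through WScript.Shell so target and arguments are visible separately,
    # and record whether the target carries a valid Authenticode signature.
    param([string]$Path)
    $lnk    = (New-Object -ComObject WScript.Shell).CreateShortcut($Path)
    $target = $lnk.TargetPath
    $sig    = if ($target -and (Test-Path -LiteralPath $target)) {
        (Get-AuthenticodeSignature -FilePath $target).Status
    } else { 'target missing' }
    [pscustomobject]@{ Shortcut = $Path; Target = $target; Arguments = $lnk.Arguments; Signature = $sig }
}

function Get-Shortcuts {
    param([string[]]$Dirs)
    Get-ChildItem -Path $Dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ShortcutInfo $_.FullName }
}

$shortcutDirs = 'Desktop', 'CommonDesktopDirectory', 'Programs', 'CommonPrograms' |
    ForEach-Object { [Environment]::GetFolderPath($_) }
$shortcutDirs += "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
$startupDirs  = 'Startup', 'CommonStartup' | ForEach-Object { [Environment]::GetFolderPath($_) }
$browserLinks = @(Get-Shortcuts $shortcutDirs)
$startupLinks = @(Get-Shortcuts $startupDirs)

# 1. Browser shortcuts with any command-line arguments. A stock Chrome/Firefox/IE shortcut has none,
#    so a URL (or anything else) here is the shortcut hijack VirtualLarry describes.
"== Browser shortcuts with arguments =="
$browserLinks | Where-Object { $_.Target -match $Browsers -and $_.Arguments } |
    Format-Table Shortcut, Arguments -AutoSize

# 2. Startup-folder entries (HijackThis 'O4 - Startup' lines). An unsigned target under
#    ProgramData, AppData or Temp is the pattern seen in this thread.
"== Startup folder shortcuts =="
$startupLinks | Format-Table Shortcut, Target, Signature -AutoSize

# 3. Run keys and the IE start page. HKCU is the current user's branch of HKEY_USERS\<SID>,
#    so it is queried once here rather than twice as in a raw registry search.
"== Run keys =="
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path $key) { Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* | Format-List }
}
"== IE start page =="
(Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue).'Start Page'

# 4. Executables under ProgramData without a valid Authenticode signature; size and timestamp
#    help spot a freshly dropped, padded binary like the 204 MB mvfm.exe.
"== Unsigned EXEs under ProgramData =="
Get-ChildItem -Path $env:ProgramData -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 5. Indicator strings from the thread in shortcut targets/arguments and in Firefox prefs.js
#    (browser.startup.homepage is the pref that about:config showed changed).
$pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'
"== Indicator hits =="
($browserLinks + $startupLinks) | Where-Object { "$($_.Target) $($_.Arguments)" -match $pattern } |
    Format-Table Shortcut, Target, Arguments -AutoSize
Get-ChildItem -Path "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
    Select-String -Pattern "browser\.startup\.homepage|$pattern"

# 6. Established TCP connections to non-private addresses, with the owning process path.
"== Established TCP connections =="
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Remote = "$($_.RemoteAddress):$($_.RemotePort)"; PID = $_.OwningProcess; Path = $proc.Path }
    } | Format-Table -AutoSize
```

Run it before removing anything and again after the reboot; a clean second run is a better "fingers crossed" than a scanner that already called the file benign. An unsigned executable of a couple hundred megabytes in ProgramData is a red flag on its own: padding a dropper to that size is a common way to stay under the upload limits of cloud-based sample analysis, which would explain why three scanners returned nothing on it.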

mikeymikec (Lifer, joined May 19, 2011)
Run some more scans now that you think you've found the culprit, because other stuff may be detected now (though it would likely be part of the original malware package).

Running a scan in safe mode might not be a bad idea either.
 

RYJCO (Junior Member, joined Jun 10, 2020)
Hi,
I actually have this issue now, but the steps you took to remove it have not worked for me.

If anyone has any suggestions for removing this virtualnomad.ga tab that always opens when I start Chrome, please let me know.

Nothing I have tried has removed it. I've scanned and scanned countless things to try and get rid of this headache tab.
 