Need help with Browser Hijack Malware on Win 7

[pjustice57]

I've been fighting to clean a virus off my wife's Win 7 laptop. We've battled to a standstill, but I believe the enemy is still lurking on the battlefield (the laptop) and I need the ultimate weapon to win this war!

I'm going to put the details of my battles to date here in case this helps someone else identify a similar problem and find a solution quicker that I have.

The Battle

I first noticed the malware when a click on a link in Google went to an obviously wrong website, but using (right-click)"Open in new tab" went to the correct webpage. I then looked for MSE in the systray to run a full scan, but it wasn't there. The malware was apparently disabling MSE and would also kill it immediately every time I tried to run MSE manually from the Start menu.

After some research (on another PC), I booted into Safe Mode and ran SuperAntiSpyware and Malwarebytes. Both were freshly downloaded on another PC and transferred to the infected PC via a USB stick. Neither scanner found anything.

Further research listed some possible suspects and a process to use to kill (even temporarily) the offending item. Running AUTORUNS (from MS Sysinternals), I found a suspicious .DLL in an unusual location. The file, BITSADMINQ.DLL, was located in the C:\Users\...\AppData\Roaming\ folder.

Now for the freaky part: I had not started AUTORUNS in Administrator mode, so I couldn't delete the item. I closed AUTORUNS and did (right-click)"Run as administrator" to run AUTORUNS with elevated privilege to eliminate the entry. I couldn't find the entry again! It was still there because, after renaming the file, on the next reboot I received a pop-up RUNDLL message that the file was missing, so there is an entry somewhere to run this file on start-up.

Using the information gained on the first run, I located the RUNDLL entry using Process Explorer and killed the process. I could then start MSE and I ran a full scan. Still no hits! However, with the process disabled, I was able to use AUTORUNS to locate the malware registry key in
"HKCU\Software\Microsoft\Windows\CurrentVersion\Ru n"
and remove it.

To verify this file was indeed malware, I uploaded the .DLL file to VirusTotal. The results were mixed. Only 7 of the 42 scanners run identified the file as malware: Avast 4 and 5, BitDefender, F-Secure, GData and Ikarus. The other scanners were happy with it. Thinking I now had a process that could completely identify and clean the offender, I burned the bootable BitDefender CD (again on another PC), and rebooted the infected PC using this CD. I was running the ISO file dated January 2011, but the CD did not detect my WiFi network connection so it couldn't download the updated signature list. This scan also didn't identify any malware, especially this .DLL file, so this file was still just "suspect".

Since running with the .DLL file renamed didn't appear to cause anything to break, I shredded the file, but I still get the feeling there may be pieces of malware lingering.

The Aftermath
I know it's impossible to prove a negative, but I'd like some way to feel good about this system again. I feel "icky" using that laptop because of my lingering doubts.

Also, I'm concerned the USB stick I used may have gotten infected, so I'm looking for advice to safely verify it is clean.

Suggestions and comments very welcome!

[Deadeye81]

Hi pjustice57,

You could run some online scanners as a supplementary check on possible malware remnants.
These are some possibilities, but there are others as well:

ESET Online Scanner

Norton Security Scan

Various other online scanners

Check out this How To Geek tutorial on creating a Kaspersky Rescue Disk. Burning and booting to this CD can be a great help. It will allow you to update definitions online after booting to the Rescue Disk. I have used it to clean systems recently, and it does a fine job.

If you want to scan your USB stick to verify it clean, disable autorun for USB devices in Windows 7, and allow the online scanners as well as the ones you have on your system, or better yet on a known clean system (after disabling autorun) to check the stick out. You could always reformat the stick if you don't feel confident it is clean after scanning.

You can also download SuperAntiSpyware Portable to a USB stick. The executable name changes daily so malware cannot recognize it, and each day fresh definitions are built into the executable. If you decide to use this, download it on another computer and copy the executable to a USB stick. It does not have to be "installed', and runs directly from the USB stick.

[pjustice57]

Thank you for reading and replying!

I did run ESET with no hits. I'll run the Kaspersky rescue CD this evening and let it also scan the USB stick (if that's an option) to verify both are clean.

I turned my wife loose on the PC again (with cautions about closing pop-ups only with Task Manager). I may change her browser from IE to Firefox with WOT and Noscript installed as an alternative to completely disabling Javascript, as it appears many web sites require JS. We suspect the initial infection came via a scan job listing found through INDEED.COM, so WOT may be a good preventative tool from what I've read.

I'll post an update should anything else come up.

Thanks again!

[SpiritWind]

Hi PJustice : After DeadEye "locked" this thread yesterday, I was going to recommend you use a program developed by a certified Malware Removal Specialist who goes by the "Name" of "suBs" called "Flash Disinfector" and available at http://experi3nc3.wordpress.com/2007...fector-by-subs

[robplum]

I run Kaspersky anti-virus on an occasion i was chatting with a member of there support staff, it was suggested that i could also run the Malwarebyte program; i have done ever since. You can download free version and or pay $27 for the full program that monitors your computer 24/7

[chowur]

This,FREE program will clear your flash cookies,internet cookies & much more.Here's the link;http://ccleaner.en.softonic.com/ The best of luck.

[rgrosz]

The Ccleaner software is actually produced by Piriform: http://www.piriform.com/ccleaner

[pjustice57]

Thanks again for all the suggestions.

Malwarebytes was one of the first tools I tried, but I've been informed by other sources (SevenForums) running again in normal mode (as opposed to Save Mode) will scan more thoroughly.

I rescanned using F-Secure instead of Kaspersky 10 Rescue CD due to reports of bugs and problems with that build.

The good news is I have not found any other malware hiding on the computer.

The bad news is now I'm going to have to spend the time to set up a user-friendly set of tools for her to use regularily.