I've been fighting to clean a virus off my wife's Win 7 laptop. We've battled to a standstill, but I believe the enemy is still lurking on the battlefield (the laptop) and I need the ultimate weapon to win this war!
I'm going to put the details of my battles to date here in case this helps someone else identify a similar problem and find a solution quicker that I have.
I first noticed the malware when a click on a link in Google went to an obviously wrong website, but using (right-click)"Open in new tab" went to the correct webpage. I then looked for MSE in the systray to run a full scan, but it wasn't there. The malware was apparently disabling MSE and would also kill it immediately every time I tried to run MSE manually from the Start menu.
After some research (on another PC), I booted into Safe Mode and ran SuperAntiSpyware and Malwarebytes. Both were freshly downloaded on another PC and transferred to the infected PC via a USB stick. Neither scanner found anything.
Further research listed some possible suspects and a process to use to kill (even temporarily) the offending item. Running AUTORUNS (from MS Sysinternals), I found a suspicious .DLL in an unusual location. The file, BITSADMINQ.DLL, was located in the C:\Users\...\AppData\Roaming\ folder.
Now for the freaky part: I had not started AUTORUNS in Administrator mode, so I couldn't delete the item. I closed AUTORUNS and did (right-click)"Run as administrator" to run AUTORUNS with elevated privilege to eliminate the entry. I couldn't find the entry again! It was still there because, after renaming the file, on the next reboot I received a pop-up RUNDLL message that the file was missing, so there is an entry somewhere to run this file on start-up.
Using the information gained on the first run, I located the RUNDLL entry using Process Explorer and killed the process. I could then start MSE and I ran a full scan. Still no hits! However, with the process disabled, I was able to use AUTORUNS to locate the malware registry key in
and remove it.
To verify this file was indeed malware, I uploaded the .DLL file to VirusTotal. The results were mixed. Only 7 of the 42 scanners run identified the file as malware: Avast 4 and 5, BitDefender, F-Secure, GData and Ikarus. The other scanners were happy with it. Thinking I now had a process that could completely identify and clean the offender, I burned the bootable BitDefender CD (again on another PC), and rebooted the infected PC using this CD. I was running the ISO file dated January 2011, but the CD did not detect my WiFi network connection so it couldn't download the updated signature list. This scan also didn't identify any malware, especially this .DLL file, so this file was still just "suspect".
Since running with the .DLL file renamed didn't appear to cause anything to break, I shredded the file, but I still get the feeling there may be pieces of malware lingering.
I know it's impossible to prove a negative, but I'd like some way to feel good about this system again. I feel "icky" using that laptop because of my lingering doubts.
Also, I'm concerned the USB stick I used may have gotten infected, so I'm looking for advice to safely verify it is clean.
Suggestions and comments very welcome!