I've been fighting to clean a virus off my wife's Win 7 laptop. We've battled to a standstill, but I believe the enemy is still lurking on the battlefield (the laptop) and I need help to find the ultimate weapon to win this war!
I'm going to put the details of my battles to date here in case this helps someone else identify a similar problem and find a solution quicker that I have.
The Battle
In Internet Explorer 8, I first noticed the malware when I clicked on a link in Google that went to an obviously wrong website, but using (right-click)"Open in new tab" went to the correct webpage. I then looked for Microsoft Security Essentials (MSE) in the systray to run a full scan, but it wasn't there. The malware was apparently disabling MSE and would also kill it immediately every time I tried to run MSE manually from the Start menu.
After some research (on another PC), I booted into Safe Mode and ran SuperAntiSpyware and Malwarebytes. Both were freshly downloaded on another PC and transferred to the infected PC via a USB stick. Neither scanner found anything.
Further research listed some possible suspects and a process to use to kill (even temporarily) the offending item. Running AUTORUNS (from MS Sysinternals), I found a suspicious .DLL in an unusual location. The file, BITSADMINQ.DLL, was located in the C:\Users\...\AppData\Roaming\ folder. The malware was loaded via a registry key in
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
I used AUTORUNS to remove it.
Using the information from AUTORUNS, I located the RUNDLL entry using Process Explorer and killed the process. I could then start MSE and I ran a full scan. Still no hits!
To verify this file was indeed malware, I uploaded the .DLL file to VirusTotal. The results were mixed. Only 7 of the 42 scanners run identified the file as malware: Avast 4 and 5, BitDefender, F-Secure, GData and Ikarus. The other scanners were happy with it. Thinking I now had a process that could completely identify and clean the offender, I burned the bootable BitDefender CD (again on another PC), and rebooted the infected PC using this CD. I was running the ISO file dated January 2011, but the CD did not detect my WiFi network connection so it couldn't download the updated signature list. This scan also didn't identify any malware, especially this .DLL file, so this file was still just "suspect".
Since running with the .DLL file renamed didn't appear to cause anything to break, I shredded the file, but I still get the feeling there may be pieces of malware lingering.
The Aftermath
I know it's impossible to prove a negative, but I'd like some way to feel good about this system again. I feel "icky" using that laptop because of my lingering doubts.
Also, I'm concerned the USB stick I used may have gotten infected, so I'm looking for advice to safely verify it is clean.
Suggestions and comments very welcome!
I'm going to put the details of my battles to date here in case this helps someone else identify a similar problem and find a solution quicker that I have.
The Battle
In Internet Explorer 8, I first noticed the malware when I clicked on a link in Google that went to an obviously wrong website, but using (right-click)"Open in new tab" went to the correct webpage. I then looked for Microsoft Security Essentials (MSE) in the systray to run a full scan, but it wasn't there. The malware was apparently disabling MSE and would also kill it immediately every time I tried to run MSE manually from the Start menu.
After some research (on another PC), I booted into Safe Mode and ran SuperAntiSpyware and Malwarebytes. Both were freshly downloaded on another PC and transferred to the infected PC via a USB stick. Neither scanner found anything.
Further research listed some possible suspects and a process to use to kill (even temporarily) the offending item. Running AUTORUNS (from MS Sysinternals), I found a suspicious .DLL in an unusual location. The file, BITSADMINQ.DLL, was located in the C:\Users\...\AppData\Roaming\ folder. The malware was loaded via a registry key in
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
I used AUTORUNS to remove it.
Using the information from AUTORUNS, I located the RUNDLL entry using Process Explorer and killed the process. I could then start MSE and I ran a full scan. Still no hits!
To verify this file was indeed malware, I uploaded the .DLL file to VirusTotal. The results were mixed. Only 7 of the 42 scanners run identified the file as malware: Avast 4 and 5, BitDefender, F-Secure, GData and Ikarus. The other scanners were happy with it. Thinking I now had a process that could completely identify and clean the offender, I burned the bootable BitDefender CD (again on another PC), and rebooted the infected PC using this CD. I was running the ISO file dated January 2011, but the CD did not detect my WiFi network connection so it couldn't download the updated signature list. This scan also didn't identify any malware, especially this .DLL file, so this file was still just "suspect".
Since running with the .DLL file renamed didn't appear to cause anything to break, I shredded the file, but I still get the feeling there may be pieces of malware lingering.
The Aftermath
I know it's impossible to prove a negative, but I'd like some way to feel good about this system again. I feel "icky" using that laptop because of my lingering doubts.
Also, I'm concerned the USB stick I used may have gotten infected, so I'm looking for advice to safely verify it is clean.
Suggestions and comments very welcome!
My Computer
- OS
- Win 7 Home Premium 64 bit
and worry no more about such things.
