Windows 7 Forums

Windows 7: Need help with Browser Hijack Malware

07 Apr 2011   #1

Win 7 Home Premium 64 bit
Need help with Browser Hijack Malware

I've been fighting to clean a virus off my wife's Win 7 laptop. We've battled to a standstill, but I believe the enemy is still lurking on the battlefield (the laptop) and I need help to find the ultimate weapon to win this war!

I'm going to put the details of my battles to date here in case this helps someone else identify a similar problem and find a solution quicker than I have.

The Battle

In Internet Explorer 8, I first noticed the malware when I clicked on a link in Google that went to an obviously wrong website, but using (right-click)"Open in new tab" went to the correct webpage. I then looked for Microsoft Security Essentials (MSE) in the systray to run a full scan, but it wasn't there. The malware was apparently disabling MSE and would also kill it immediately every time I tried to run MSE manually from the Start menu.

After some research (on another PC), I booted into Safe Mode and ran SuperAntiSpyware and Malwarebytes. Both were freshly downloaded on another PC and transferred to the infected PC via a USB stick. Neither scanner found anything.

Further research listed some possible suspects and a process to use to kill (even temporarily) the offending item. Running AUTORUNS (from MS Sysinternals), I found a suspicious .DLL in an unusual location. The file, BITSADMINQ.DLL, was located in the C:\Users\...\AppData\Roaming\ folder. The malware was loaded via a registry key in
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
I used AUTORUNS to remove it.

Using the information from AUTORUNS, I located the RUNDLL entry using Process Explorer and killed the process. I could then start MSE and I ran a full scan. Still no hits!

To verify this file was indeed malware, I uploaded the .DLL file to VirusTotal. The results were mixed. Only 7 of the 42 scanners run identified the file as malware: Avast 4 and 5, BitDefender, F-Secure, GData and Ikarus. The other scanners were happy with it. Thinking I now had a process that could completely identify and clean the offender, I burned the bootable BitDefender CD (again on another PC), and rebooted the infected PC using this CD. I was running the ISO file dated January 2011, but the CD did not detect my WiFi network connection so it couldn't download the updated signature list. This scan also didn't identify any malware, especially this .DLL file, so this file was still just "suspect".

Since running with the .DLL file renamed didn't appear to cause anything to break, I shredded the file, but I still get the feeling there may be pieces of malware lingering.

The Aftermath
I know it's impossible to prove a negative, but I'd like some way to feel good about this system again. I feel "icky" using that laptop because of my lingering doubts.

Also, I'm concerned the USB stick I used may have gotten infected, so I'm looking for advice to safely verify it is clean.

Suggestions and comments very welcome!

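A defender-side check for the persistence pattern described in the post above (a Run-key entry that loads a DLL through rundll32 from a folder under the user's profile), added here as an example and not part of the original thread. It assumes PowerShell 4 or later for Get-FileHash and that it is run as the affected user; the key paths are the HKCU key named in the post plus its RunOnce and HKLM counterparts, and the "suspect folder" list is my own assumption.

```powershell
# Added example, not from the thread: enumerate Run-key autostarts and flag the
# pattern the OP found (rundll32 loading a DLL out of the user's profile).
# Assumes PowerShell 4 or later (Get-FileHash) and that it runs as the affected user.
function Get-SuspiciousRunEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    # Folders a legitimately installed program rarely autostarts from (assumed list).
    $userWritable = '\\AppData\\(Roaming|Local|LocalLow)\\|\\Temp\\|\\ProgramData\\'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip PowerShell's own members
            $cmd   = [string]$p.Value
            $flags = @()
            if ($cmd -match '(?i)\brundll32(\.exe)?\b') { $flags += 'rundll32 loader' }
            if ($cmd -match "(?i)$userWritable")         { $flags += 'user-writable path' }

            # Prefer the .dll path (the payload) over the .exe (often just the loader).
            $file = $null
            if     ($cmd -match '(?i)([a-z]:\\[^"]+?\.dll)') { $file = $Matches[1] }
            elseif ($cmd -match '(?i)([a-z]:\\[^"]+?\.exe)') { $file = $Matches[1] }
            $hash = 'n/a'
            if ($file -and (Test-Path -LiteralPath $file)) {
                $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            }

            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                File    = $file
                SHA256  = $hash
                Flags   = ($flags -join ', ')
            }
        }
    }
}

# Flagged entries first; the SHA256 can be searched on VirusTotal without uploading the file.
Get-SuspiciousRunEntries | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
```

An entry with no flags is not proof of anything; the list is a starting point for the manual review the post describes (Autoruns, Process Explorer, hash lookup), not a verdict.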

07 Apr 2011   #2

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64 Ubuntu 12.04 LTS Tri-Boot

Hi PJinFL,

You did a good job of hunting it down. So, to date:

Malwarebytes - no trace
MSE - no trace
VirusTotal - no trace on suspect DLL
Bootable BitDefender - no trace (usually these require the ethernet cable to be plugged in to update)

I'm not sure anything else is going to give you any better results than the 7/42 result from VirusTotal, but one last possibility is to do an online scan using ESET on line scanner.

Your last line of defense to be completely comfortable with your laptop again might be a secure wipe and reinstall. It sounds drastic, but perhaps it's the only thing that might give you peace of mind.

Before you consider that, I am going to request that some of our security experts (Corinne, Jaccee, or Carolyn) here have a look at this.

Hang tight - I have requested some help with this.

Regards,
Golden
07 Apr 2011   #3

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1

Hi! PJinFL, welcome to 7F

I have had good results with SuperAntiSpyware. You can use their on-line scanner here if you like.

Concerns with using the product? SAS Online Safe Scan - SUPERAntiSpyware Forums

For USB sticks: whichever scan you use, check the letter of the drive that the stick is occupying, and the scan will only do that drive.

08 Apr 2011   #4

Win 7 Home Premium 64 bit

@Golden & Anak - Thanks for taking time to read my (rather lengthy) post!

SuperAntiSpyware was one of the first scanners I tried, but it also found nothing, even with the "suspect" .DLL still on the system.

I have run ESET online scanner successfully with nothing found.

I'd really like to avoid the "nuclear option", so I'll probably tell the Better Half to go ahead and use the PC cautiously, but do not click anything on popups! We suspect a scam job listing (she recently was searching jobs on INDEED.COM) was the source of the problem. With so many sites requiring Javascript I'm not sure turning JS off completely would be an option, but I am considering switching her browser from IE to Firefox with WOT and Noscript plugins.

I'll probably use the Kaspersky rescue CD to rescan the laptop and also the USB stick before I plug it in anywhere else. I'll post a follow-up should anything else come up.

Thanks again for the advice!
08 Apr 2011   #5

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro

You could give Norton Power Eraser a shot, just use it carefully:

http://security.symantec.com/nbrt/npe.asp?lcid=1033

Quote:
Because the Norton Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.
08 Apr 2011   #6

Win 7 64 premium

Emsisoft has a free scanner that may work for you.
When your computer is clean again, do yourself a favor and install Sandboxie and worry no more about such things.
08 Apr 2011   #7

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1

Quote:
We suspect a scam job listing (she recently was searching jobs in INDEED.COM) was the source of the problem. With so many sites requiring Javascript I'm not sure turning JS completely would be an option, but I am considering switching her browser from IE to Firefox with WOT and Noscript plugins.
I will have to keep that in mind. I am using INDEED also.

You can check here to Verify Java Version

There have also been recent updates to Adobe.
This one is for Verifying Adobe - Flash Player
and this one for Adobe - Test Adobe Shockwave Player

There has also been an update to Adobe Air if you are wondering if you really need it see This .

I felt just like the OP. When I went to uninstall Air it did tell me Reader would stop working.
The only reason I keep Air is because the DW likes Reader, and is comfortable with it.

WOT, and QFX Software - Anti-Keylogging Software will work in IE.
Both work in all versions of Windows 7, 32 or 64bit.
08 Apr 2011   #8

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64 Ubuntu 12.04 LTS Tri-Boot

Quote: Originally Posted by PJinFL
I'll probably use one the Kaspersky rescue CD to rescan the laptop and also the USB stick before I plug it in anywhere else.
Hi,

If it's the free Kaspersky Rescue Disk 10, can I suggest you give that a miss? It's extremely problematic at the moment: see

Kaspersky Rescue Disk 10 ISO problems?

Instead, try the F-Secure bootable rescue disk. It's robust and rock solid.

Regards,
Golden
08 Apr 2011   #9

Windows 7 & Windows Vista Ultimate

Hi, PJinFL.

You have most likely eliminated the problem, but I suggest you now run updated Malwarebytes Anti-Malware in normal mode. MBAM does its most thorough findings in normal mode. If anything is detected, please post the log here as a reply.

I also suggest you follow Anak's advice to verify the most current versions of Java and Adobe products are installed on the laptop. There are critical vulnerabilities in older versions of those products.