Need help with Browser Hijack Malware


  1. Posts : 3
    Win 7 Home Premium 64 bit
       #1

    Need help with Browser Hijack Malware


    I've been fighting to clean a virus off my wife's Win 7 laptop. We've battled to a standstill, but I believe the enemy is still lurking on the battlefield (the laptop) and I need help to find the ultimate weapon to win this war!

    I'm going to put the details of my battles to date here in case this helps someone else identify a similar problem and find a solution quicker than I have.

    The Battle

    In Internet Explorer 8, I first noticed the malware when I clicked on a link in Google that went to an obviously wrong website, but using (right-click)"Open in new tab" went to the correct webpage. I then looked for Microsoft Security Essentials (MSE) in the systray to run a full scan, but it wasn't there. The malware was apparently disabling MSE and would also kill it immediately every time I tried to run MSE manually from the Start menu.

    After some research (on another PC), I booted into Safe Mode and ran SuperAntiSpyware and Malwarebytes. Both were freshly downloaded on another PC and transferred to the infected PC via a USB stick. Neither scanner found anything.

    Further research listed some possible suspects and a process to use to kill (even temporarily) the offending item. Running AUTORUNS (from MS Sysinternals), I found a suspicious .DLL in an unusual location. The file, BITSADMINQ.DLL, was located in the C:\Users\...\AppData\Roaming\ folder. The malware was loaded via a registry key in
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    I used AUTORUNS to remove it.

    Using the information from AUTORUNS, I located the RUNDLL entry using Process Explorer and killed the process. I could then start MSE and I ran a full scan. Still no hits!

    To verify this file was indeed malware, I uploaded the .DLL file to VirusTotal. The results were mixed. Only 7 of the 42 scanners run identified the file as malware: Avast 4 and 5, BitDefender, F-Secure, GData and Ikarus. The other scanners were happy with it. Thinking I now had a process that could completely identify and clean the offender, I burned the bootable BitDefender CD (again on another PC), and rebooted the infected PC using this CD. I was running the ISO file dated January 2011, but the CD did not detect my WiFi network connection so it couldn't download the updated signature list. This scan also didn't identify any malware, especially this .DLL file, so this file was still just "suspect".

    Since running with the .DLL file renamed didn't appear to cause anything to break, I shredded the file, but I still get the feeling there may be pieces of malware lingering.

    The Aftermath
    I know it's impossible to prove a negative, but I'd like some way to feel good about this system again. I feel "icky" using that laptop because of my lingering doubts.

    Also, I'm concerned the USB stick I used may have gotten infected, so I'm looking for advice to safely verify it is clean.

    Suggestions and comments very welcome!

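    The first post's manual Autoruns check (a rundll32 entry in the HKCU Run key loading a DLL out of AppData\Roaming) can be scripted so the same review is repeatable on the laptop and on any other PC the USB stick touched. This is an added example, not from any poster or from Autoruns; the key list, the "user-writable roots" heuristic and the use of Get-FileHash (PowerShell 4 or later) are this example's own choices.

```powershell
# Added example: list Run/RunOnce autostart entries and flag the pattern seen in
# this thread: rundll32 loading a DLL, or any DLL living in a user-writable folder.
# Get-FileHash needs PowerShell 4+ (on Windows 7 that means installing a later WMF).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Locations where a legitimate autostart DLL is unusual (heuristic chosen for this example).
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) | Where-Object { $_ }

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own PSPath etc.
            $cmd = [string]$p.Value
            $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
            # First .dll path on the command line, quoted (may contain spaces) or bare.
            $m = [regex]::Match($expanded, '(?i)"([^"]+\.dll)"|([a-z]:\\[^,"\s]+\.dll)')
            $dll = if ($m.Groups[1].Value) { $m.Groups[1].Value } else { $m.Groups[2].Value }
            $isRundll = $expanded -match '(?i)rundll32'
            $inUserDir = $false
            foreach ($root in $suspectRoots) {
                if ($dll -and $dll.StartsWith($root, 'OrdinalIgnoreCase')) { $inUserDir = $true }
            }
            if (-not ($isRundll -or $inUserDir)) { continue }
            # SHA256 lets you search VirusTotal for an existing verdict without uploading the file.
            $hash = if ($dll -and (Test-Path -LiteralPath $dll)) {
                (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
            } else { '<file missing or not a DLL>' }
            [pscustomobject]@{
                Key      = $key
                Name     = $p.Name
                Command  = $cmd
                Dll      = $dll
                Rundll32 = $isRundll
                UserDir  = $inUserDir
                SHA256   = $hash
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-List
```

    Run it from an elevated PowerShell window so the HKLM keys are readable; a hit in a user profile folder is worth the same Process Explorer and VirusTotal follow-up the first post describes, not automatic deletion.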

  2. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #2

    Hi PJinFL,

    You did a good job of hunting it down. So, to date:

    Malwarebytes - no trace
    MSE - no trace
    VirusTotal - no trace on suspect DLL
    Bootable BitDefender - no trace (usually these require the ethernet cable to be plugged in to update)

    I'm not sure anything else is going to give you any better results than the 7/42 result from VirusTotal, but one last possibility is to do an online scan using ESET on line scanner.

    Your last line of defense to be completely comfortable with your laptop again might be a secure wipe and reinstall. It sounds drastic, but perhaps it's the only thing that might give you peace of mind.

    Before you consider that, I am going to request that some of our security experts (Corinne, Jaccee, or Carolyn) here have a look at this.

    Hang tight - I have requested some help with this.

    Regards,
    Golden
    Last edited by Golden; 07 Apr 2011 at 09:40. Reason: fix spelling


  3. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #3

    Hi! PJinFL, welcome to 7F :)

    I have had good results with SuperAntiSpyware; you can use their on-line scanner here if you like.

    Concerns with using the product? SAS Online Safe Scan - SUPERAntiSpyware Forums

    For USB sticks: whichever scan you use, check the letter of the drive that it is occupying, and the scan will only do that drive.
    Last edited by Anak; 07 Apr 2011 at 12:53.


  4. Posts : 3
    Win 7 Home Premium 64 bit
    Thread Starter
       #4

    @Golden & Anak - Thanks for taking time to read my (rather lengthy) post!

    SuperAntiSpyware was one of the first scanners I tried, but it also found nothing, even with the "suspect" .DLL still on the system.

    I have run ESET online scanner successfully with nothing found.

    I'd really like to avoid the "nuclear option", so I'll probably tell the Better Half to go ahead and use the PC cautiously, but do not click anything on popups! We suspect a scam job listing (she recently was searching jobs in INDEED.COM) was the source of the problem. With so many sites requiring Javascript I'm not sure turning JS off completely would be an option, but I am considering switching her browser from IE to Firefox with WOT and Noscript plugins.

    I'll probably use the Kaspersky rescue CD to rescan the laptop and also the USB stick before I plug it in anywhere else. I'll post a follow-up should anything else come up.

    Thanks again for the advice!


  5. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #5

    You could give Norton Power Eraser a shot, just use it carefully:

    http://security.symantec.com/nbrt/npe.asp?lcid=1033

    Because the Norton Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.


  6. Posts : 117
    Win 7 64 premium
       #6

    Emsisoft has a free scanner that may work for you.
    When your computer is clean again, do yourself a favor and install Sandboxie and worry no more about such things.


  7. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #7

    PJinFL said:
    We suspect a scam job listing (she recently was searching jobs in INDEED.COM) was the source of the problem. With so many sites requiring Javascript I'm not sure turning JS off completely would be an option, but I am considering switching her browser from IE to Firefox with WOT and Noscript plugins.
    I will have to keep that in mind. I am using INDEED also.

    You can check here to Verify Java Version

    There have also been recent updates to Adobe.
    This one is for Verifying Adobe - Flash Player
    and this one is for Adobe - Test Adobe Shockwave Player

    There has also been an update to Adobe Air; if you are wondering if you really need it, see This.

    I felt just like the OP. When I went to uninstall Air it did tell me Reader would stop working.
    The only reason I keep Air is because the DW likes Reader, and is comfortable with it.

    WOT, and QFX Software - Anti-Keylogging Software will work in IE.
    Both work in all versions of win7, 32 or 64bit.


  8. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #8

    PJinFL said:
    I'll probably use the Kaspersky rescue CD to rescan the laptop and also the USB stick before I plug it in anywhere else.
    Hi,

    If it's the free Kaspersky Rescue Disk 10, can I suggest you give that a miss? It's extremely problematic at the moment; see

    Kaspersky Rescue Disk 10 ISO problems?

    Instead, try the F-Secure bootable rescue disk. It's robust and rock solid.

    Regards,
    Golden


  9. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #9

    Hi, PJinFL.

    You have most likely eliminated the problem, but I suggest you now run updated Malwarebytes Anti-Malware in normal mode. MBAM does its most thorough findings in normal mode. If anything is detected, please post the log here as a reply.

    I also suggest you follow Anak's advice to verify the most current versions of Java and Adobe products are installed on the laptop. There are critical vulnerabilities in older versions of those products.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.