Hi, so after years of being very careful and performing virus scans with different software almost daily, I've been struck with a Trojan Horse. I think it was called Win32.Cryptor by AVG and on Microsoft's Virus Database, it states that it redirects or hijacks search results from Morzilla and IE--I was really stupid and did not copy down the name in Malwarebytes after scan and just deleted the logs.
Anyway, I first noticed the virus after seeing losts of rundlls running in Task Manager and RAM usage going right up to 2GB on windows 7 64 bit idle. I opened "Processes", selected "Command Line" column, and saw that they were all originating from <username>/appdata/local/<random folder name>/<random file name.dll>. Since the dll had no description, digital signature and was supposedly a part of a office suite I've never installed (it was called MouseOffice.dll or something along those lines), I quickly ran an MSE Scan.
MSE detected some Java expilot trojan in the Java folder (had many of these in the past) and sucessfully removed them, but i don't think it detected this weird dll file in my appdata).
I then proceeded to upload this strange dll from my appdata folder to Jotti and VirusTotal, and they reported a trojan (all I remember was AVG calling it Win32.Cryptor). I typed the name in, and I saw that it had many other names and the MSE database said that it hijacked/redirected search results from IE/Morzilla.
So fearing the worst, because I access many sensitive business email accounts from this computer, I ran Malwarebytes Free Edition, all updated, and it detected 4 threats, 2 files, 1 memory module running, and 1 registry key, and I quarntined and removed them. Out of stupidity, I deleted the logs and didn't bother to jot the infection, name down. So, I then proceeded to boot into same mode, and do the scans again (Malwarebytes full scan and MSE), they both detected nothing.
I checked MSCONFIG after these scans, and everything seemed to be normal, in the Services Tab, there were 2 non-Microsoft Servics running at boot (AMD Driver stuff), and in startup, I have hpsysdrv (HP driver), MSE, and AMD Catalyst Control-- All the usual stuff.
I also observe that on a normal boot, I have 43-45 processes running in the first few minutes, then dropping down to 40-41 after that time on idle...before the antivirus scans, I had upwards of 50, but now, they seem to go back to normal. RAM usage at idle is around 1.2 GB, which seems normal...no abnormal network activity on idle with no internet apps running
I checked the appdata folders (local and roaming), and deleted the folder which the trojan was (named QuickCertServ), as although malwarebytes deleted the trojan, it did not remove the empty folder that it has resided in. I then checked all other folders in appdata, and they were fine (genuine installed software).
So after doing all this, I rebooted again and am now running a MSE Full Scan, afterwards which I plan to run Malwarebytes full scan again to make sure that the trojan is definitely gone...just as a precaution.
If these scans turn out fine, can I be called Virus Free?
Thanks.
PS. I know to be truely virus-free guarenteed, I have to reformat, but that is out of the question, because of all the data that has to be reinstalled, apps, etc...
I just want to be sure that there are no keyloggers/rootkits hiding and waiting for me to enter sensitive data or automatically redownload the virus.
I also don't feel safe running all the other apps recommended such as Spybot, SuperAntiSpyware, Hitman, Combofix, because they do not really have reliable reputations.
Anyways, can I say that I have oblierated the virus and that my computer is secure once again? Thanks!
Edit: The timestamp on this trojan dll was January 5, 10:30PM, at which time I was on Youtube, and I had just downloaded a FSX addon from UKScenery2000 (which I trust as I had downloaded many other files from them over the years, but maybe this one got screwed up?). Earlier that night, I was on the internet when a java applet loaded in the background for no reason and I saw no java app on the screen (maybe that infected me)?
Thanks guys for your help! =)
Anyway, I first noticed the virus after seeing losts of rundlls running in Task Manager and RAM usage going right up to 2GB on windows 7 64 bit idle. I opened "Processes", selected "Command Line" column, and saw that they were all originating from <username>/appdata/local/<random folder name>/<random file name.dll>. Since the dll had no description, digital signature and was supposedly a part of a office suite I've never installed (it was called MouseOffice.dll or something along those lines), I quickly ran an MSE Scan.
MSE detected some Java expilot trojan in the Java folder (had many of these in the past) and sucessfully removed them, but i don't think it detected this weird dll file in my appdata).
I then proceeded to upload this strange dll from my appdata folder to Jotti and VirusTotal, and they reported a trojan (all I remember was AVG calling it Win32.Cryptor). I typed the name in, and I saw that it had many other names and the MSE database said that it hijacked/redirected search results from IE/Morzilla.
So fearing the worst, because I access many sensitive business email accounts from this computer, I ran Malwarebytes Free Edition, all updated, and it detected 4 threats, 2 files, 1 memory module running, and 1 registry key, and I quarntined and removed them. Out of stupidity, I deleted the logs and didn't bother to jot the infection, name down. So, I then proceeded to boot into same mode, and do the scans again (Malwarebytes full scan and MSE), they both detected nothing.
I checked MSCONFIG after these scans, and everything seemed to be normal, in the Services Tab, there were 2 non-Microsoft Servics running at boot (AMD Driver stuff), and in startup, I have hpsysdrv (HP driver), MSE, and AMD Catalyst Control-- All the usual stuff.
I also observe that on a normal boot, I have 43-45 processes running in the first few minutes, then dropping down to 40-41 after that time on idle...before the antivirus scans, I had upwards of 50, but now, they seem to go back to normal. RAM usage at idle is around 1.2 GB, which seems normal...no abnormal network activity on idle with no internet apps running
I checked the appdata folders (local and roaming), and deleted the folder which the trojan was (named QuickCertServ), as although malwarebytes deleted the trojan, it did not remove the empty folder that it has resided in. I then checked all other folders in appdata, and they were fine (genuine installed software).
So after doing all this, I rebooted again and am now running a MSE Full Scan, afterwards which I plan to run Malwarebytes full scan again to make sure that the trojan is definitely gone...just as a precaution.
If these scans turn out fine, can I be called Virus Free?
Thanks.
PS. I know to be truely virus-free guarenteed, I have to reformat, but that is out of the question, because of all the data that has to be reinstalled, apps, etc...
I just want to be sure that there are no keyloggers/rootkits hiding and waiting for me to enter sensitive data or automatically redownload the virus.
I also don't feel safe running all the other apps recommended such as Spybot, SuperAntiSpyware, Hitman, Combofix, because they do not really have reliable reputations.
Anyways, can I say that I have oblierated the virus and that my computer is secure once again? Thanks!
Edit: The timestamp on this trojan dll was January 5, 10:30PM, at which time I was on Youtube, and I had just downloaded a FSX addon from UKScenery2000 (which I trust as I had downloaded many other files from them over the years, but maybe this one got screwed up?). Earlier that night, I was on the internet when a java applet loaded in the background for no reason and I saw no java app on the screen (maybe that infected me)?
Thanks guys for your help! =)
Facebook
Twitter
Instagram