Completely Removing Trojan (Win32.Cryptor)?

gert21445

Distinguished
Jan 28, 2010
111
0
18,690
Hi, so after years of being very careful and performing virus scans with different software almost daily, I've been struck with a Trojan horse. I think it was called Win32.Cryptor by AVG, and on Microsoft's virus database it states that it redirects or hijacks search results from Mozilla and IE. I was really stupid and did not copy down the name in Malwarebytes after the scan and just deleted the logs.

Anyway, I first noticed the virus after seeing lots of rundll32 processes running in Task Manager and RAM usage going right up to 2 GB on Windows 7 64-bit at idle. I opened "Processes", selected the "Command Line" column, and saw that they were all originating from <username>/appdata/local/<random folder name>/<random file name>.dll. Since the DLL had no description or digital signature and was supposedly part of an office suite I've never installed (it was called MouseOffice.dll or something along those lines), I quickly ran an MSE scan.

MSE detected some Java exploit trojan in the Java folder (I've had many of these in the past) and successfully removed them, but I don't think it detected this weird DLL file in my appdata.

I then proceeded to upload this strange DLL from my appdata folder to Jotti and VirusTotal, and they reported a trojan (all I remember is AVG calling it Win32.Cryptor). I typed the name in, and I saw that it had many other names, and the MSE database said that it hijacked/redirected search results from IE/Mozilla.

So, fearing the worst, because I access many sensitive business email accounts from this computer, I ran Malwarebytes Free Edition, fully updated, and it detected 4 threats: 2 files, 1 memory module running, and 1 registry key, and I quarantined and removed them. Out of stupidity, I deleted the logs and didn't bother to jot the infection name down. I then proceeded to boot into safe mode and do the scans again (Malwarebytes full scan and MSE); they both detected nothing.

I checked MSCONFIG after these scans, and everything seemed to be normal: in the Services tab, there were 2 non-Microsoft services running at boot (AMD driver stuff), and in Startup, I have hpsysdrv (HP driver), MSE, and AMD Catalyst Control, all the usual stuff.

I also observed that on a normal boot I have 43-45 processes running in the first few minutes, then dropping down to 40-41 after that at idle. Before the antivirus scans I had upwards of 50, but now they seem to be back to normal. RAM usage at idle is around 1.2 GB, which seems normal, and there is no abnormal network activity at idle with no internet apps running.

I checked the appdata folders (Local and Roaming) and deleted the folder the trojan was in (named QuickCertServ), as although Malwarebytes deleted the trojan, it did not remove the empty folder it had resided in. I then checked all the other folders in appdata, and they were fine (genuine installed software).

So after doing all this, I rebooted again and am now running an MSE full scan, after which I plan to run a Malwarebytes full scan again to make sure that the trojan is definitely gone, just as a precaution.

If these scans turn out fine, can I call myself virus-free?

Thanks.



PS. I know that to be truly guaranteed virus-free I have to reformat, but that is out of the question because of all the data, apps, etc. that would have to be reinstalled.

I just want to be sure that there are no keyloggers/rootkits hiding and waiting for me to enter sensitive data or automatically re-download the virus.



I also don't feel safe running all the other apps recommended, such as Spybot, SuperAntiSpyware, Hitman, and ComboFix, because they do not really have reliable reputations.



Anyway, can I say that I have obliterated the virus and that my computer is secure once again? Thanks!

Edit: The timestamp on this trojan DLL was January 5, 10:30 PM, at which time I was on YouTube, and I had just downloaded an FSX addon from UKScenery2000 (which I trust, as I have downloaded many other files from them over the years, but maybe this one got screwed up?). Earlier that night, I was on the internet when a Java applet loaded in the background for no reason and I saw no Java app on the screen (maybe that infected me?).

Thanks guys for your help! =)
 
"Virus free" is hard to guarantee; as you said, the only way to know for sure is to reformat and try again, but it sounds as if you have gotten it.
Even if the virus code/file is still living on your HDD, it cannot do anything unless it is active in your registry (quarantining removes the registry entry while leaving the file alone). So if it is not in your start-up, it is not running in the background, and Malwarebytes/MSE do not catch it, then I would say you are likely OK. What is more important is knowing where it came from, and not doing whatever you did to catch it again. Also, make sure that you have a proper physical firewall/router in place to help as a first line of defense against such attacks. If you have a physical firewall, make sure that all the other computers on your end of the firewall are not infected as well.
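As an added example (not code from the thread, and not the method either poster used): the manual checks described above, the Task Manager "Command Line" column for rundll32 processes loading DLLs from AppData, MSCONFIG's startup and services tabs, and the reply's "not in your start-up, not running in the background" test, can be scripted so they are repeatable after every rescan. The script assumes Windows PowerShell 3.0 or later in an elevated prompt; the list of profile folders it treats as suspicious locations is an assumption, not something taken from the thread, and no file or folder names from the original post are hard-coded.

```powershell
# Added example, not from the thread. Lists (1) processes whose command line
# references the user profile, (2) DLLs loaded by rundll32 with their Authenticode
# status, (3) profile-resident modules inside any process, and (4) Run keys, services
# and scheduled tasks that point into the user profile. Assumes PowerShell 3.0+ and
# an elevated prompt; $profileRoots is an assumed list of user-writable drop locations.

$profileRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP) | Where-Object { $_ }

# True when $Text contains any profile root (case-insensitive substring match).
function Test-FromProfile {
    param([string]$Text)
    if (-not $Text) { return $false }
    foreach ($root in $profileRoots) {
        if ($Text.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# Authenticode status plus signer; "NotSigned" inside a profile folder deserves a closer look.
function Get-SigInfo {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "missing" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.SignerCertificate) { "$($sig.Status) ($($sig.SignerCertificate.Subject))" }
    else { "$($sig.Status)" }
}

"== 1. Processes whose command line references the user profile =="
Get-CimInstance Win32_Process |
    Where-Object { Test-FromProfile $_.CommandLine } |
    ForEach-Object { "PID {0,-6} {1,-20} {2}" -f $_.ProcessId, $_.Name, $_.CommandLine }

"== 2. DLLs loaded via rundll32, with signature status =="
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
    # Matches: rundll32.exe "C:\path\lib.dll",Entry   and   rundll32.exe C:\path\lib.dll,Entry
    if ($_.CommandLine -match '(?i)rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)') {
        $dll = $Matches[1]
        "PID {0,-6} {1}  [{2}]" -f $_.ProcessId, $dll, (Get-SigInfo $dll)
    }
}

"== 3. Profile-resident modules loaded into any process (injected or side-loaded DLLs) =="
Get-Process | ForEach-Object {
    $proc = $_
    try { $mods = $proc.Modules } catch { $mods = @() }   # access denied / 32-64-bit mismatch
    foreach ($m in $mods) {
        if (Test-FromProfile $m.FileName) {
            "PID {0,-6} {1,-20} {2}  [{3}]" -f $proc.Id, $proc.ProcessName, $m.FileName, (Get-SigInfo $m.FileName)
        }
    }
}

"== 4. Autostart entries pointing into the user profile =="
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and (Test-FromProfile "$($_.Value)") } |
        ForEach-Object { "Run key  {0}\{1} = {2}" -f $key, $_.Name, $_.Value }
}

Get-CimInstance Win32_Service |
    Where-Object { Test-FromProfile $_.PathName } |
    ForEach-Object { "Service  {0} ({1}, {2}) = {3}" -f $_.Name, $_.State, $_.StartMode, $_.PathName }

# schtasks.exe exists on Windows 7; the Get-ScheduledTask cmdlet does not.
schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { Test-FromProfile $_.'Task To Run' } |
    ForEach-Object { "Task     {0} = {1}" -f $_.TaskName, $_.'Task To Run' }
```

An empty section 4 and nothing unsigned in sections 2 and 3 is the scripted form of the reply's "not in your start-up and not running in the background". It is still only a check of the common autostart locations and of what is loaded right now; it says nothing about a kernel-mode rootkit, which is why the reformat caveat in the thread stands. On a stock Windows 7 box with PowerShell 2.0, replace `Get-CimInstance` with `Get-WmiObject` (same class names and properties) or install Windows Management Framework 3.0 first.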
 

gert21445

Distinguished
Jan 28, 2010
111
0
18,690
Thanks! I am currently doing the third full scan, using MSE first (which reported nothing), and am now doing a Malwarebytes scan as I type this (sounds paranoid, but I need to safeguard my business data). I also plan to run the ESET online scanner to confirm the results of these two scanners. Should this be enough? My friends and family joke that I am paranoid about computer security, as I do virus scans every time I go to a website where I have to enter a password (e.g. scan before checking my email, check email, exit the email browser window, clear browsing data, scan again, check bank account balance, exit window, clear browsing data, scan again, etc.), so I literally do 3-4 quick scans a day. I use MSE and Malwarebytes quick scans, and check unreliable sites with Norton Safe Web first. And yet, two years after starting this rigorous regime, an un-updated Java gave me a virus via a drive-by applet on some research website (as far as I can trace the trojan's origin).

So, after this occurrence, I've admitted to myself that no matter how much time one puts into security, malware is bound to slip in sometimes. So after all this, are 3 full MSE and Malwarebytes scans with no findings (after the initial scans that found the virus), i.e. a total of 4 scans with MSE and Malwarebytes, enough? I also plan to use the ESET online scanner once. Or should I do a cycle of reboot and rescan for the rest of the day before going on a banking website? (Paranoia coming out again.) Thanks!

P.S. I apologize if I'm being unhelpful, but I really need to make sure that my personal data is safe (I have Windows Firewall with all settings turned to max, the same in MSE real-time protection, IE settings okay, automatic Windows Update, etc.).