My Windows 7 box is infected with "username.exe". Chronological details follow:
I downloaded a bad torrent a few days ago, didn't notice it was an .exe file (such a n00b mistake, I know)
I ran scans via MalwareBytes (free version); it did not detect anything (all drives selected, updated database, scanned for rootkits as well)
Later I noticed a process with my username with a .exe in my Task Manager, hogging up all processor usage. I traced it to the AppData/Roaming folder and found two encrypted .exe files
I downloaded Panda antivirus realtime protection and ran it. It found a virus called "amde.exe" and told me to reboot as it would attempt to delete it
When I tried rebooting, my Windows 7 kept freezing on the startup screen and would not run
I went into Safe Mode and restored my OS to a previous version
It is now stable; I have both the username.exe files blocked via Comodo firewall, but I have NOT deleted them as I think that might make my system unstable again
I have since logged numerous events in my firewall of this username.exe attempting to modify files, although it seems to have gone quiet recently
I've searched for the username.exe files on all of my other hard drives, but it's only present on my C drive
It also tries to copy itself into my startup folder but I keep removing it from that folder manually
How do I safely remove this thing without making my system unstable, or completely re-installing Windows?
Windows 7 64 bit
Comodo Firewall 7.03 (free version)
MalwareBytes Anti Malware (free version, no real time protection)
Location of Trojan: C > Users > Username > AppData > Roaming
Both files with 2 usernames look like winzip files (even though they are .exe) and are encrypted (password protected). I can still open both the files with a Vim Editor, but the code inside is illegible.
p.s. I know I should have realtime protection, but my previous free antivirus program wouldn't let me run Virtualbox so I had to uninstall it. Installing Panda after infection clearly didn't work.
Edited by Ghost117, 16 October 2014 - 08:52 AM.