Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: need help to remove malware please.

09 Nov 2011   #1

win7 64bit
need help to remove malware please.

Hello, I'm having a malware-nightmare and hoping someone can advise. Thanks in advance.

I'm running Windows 7 Service Pack 1 64bit with Internet Explorer 9.

While browsing on 29th Oct 2011 at 15:08: my AV (Virgin Media Security) flagged a Trojan-detected message from the task bar; IE closed; (I think) Windows Live Mail shut down too; a persistent UCA promp came up and I eventually clicked 'Yes' Ė thinking it was something to fix the Trojan!

On booting up on 30th Oct a persistent UAC prompt re-appeared. From memory the Programme Name was Windows Command Processor and Publisher was Microsoft. The Programme Location I wrote down as "c:\Windows\SysWOW64\cmd.exe"C:\Users\*ME\AppData\Local\Temp\tncjsvcqajyvllqw.exe". I got rid of the prompt by continually pressing Esc, which eventually drives it down to taskbar.

All very wrong, so In safe-mode I deleted by hand all the (suspicious) files created at 15:08 on the 29th; I used System Restore to go back a few days; after booting normally I ran a full-scan with Microsoft Safety Scanner, it detected and removed Exploit:Java/CVE-2010-0840.EW & Exploit:Java/CVE-2010-0840.MZ. I ran a full-scan with Malwarebytes which came up clear, and clear again the next day.

All has been well until today. The same UAC promp appeared maybe one hour after booting. First off I've run a quick Malwarebytes scan which got the following results,

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CihOqtak (Trojan.Agent) -> Value: CihOqtak -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\*ME\AppData\Local\Temp\0.8044365899653985exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\*ME\AppData\Local\tcpcgqqt\cihoqtak.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\*ME\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\cihoqtak.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\*ME\AppData\Local\Temp\jar_cache2376547655565355977.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\*ME\AppData\Local\Temp\tncjsvcqajyvllqw.exe (Trojan.Agent) -> Quarantined and deleted successfully.

& Iíve just run a full-scan with Microsoft Safety Scanner which has removed Exploit:JS/Blacole.A and Exploit:Java/Blacole.AE.

Iím about to reboot and plan to use RKill before running another full Microsoft Safety Scanner scan. Iíve been looking at running ComboFix, how complicated is this? Iím also wondering if Iím running some dodgy version of Java? Cheers.

My System SpecsSystem Spec
09 Nov 2011   #2
Microsoft MVP

Windows 7 Ultimate 32bit SP1

I'm going to suggest that you go to ... and request help in this forum: Am I infected? What do I do? -

DO NOT run combofix without 'trained' instructions.
My System SpecsSystem Spec

 need help to remove malware please.

Thread Tools

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 03:51 AM.
Twitter Facebook Google+

Windows 7 Forums

Seven Forums Android App Seven Forums IOS App