need help to remove malware please.

Foj

New member
Hello, I'm having a malware-nightmare and hoping someone can advise. Thanks in advance.

I'm running Windows 7 Service Pack 1 64bit with Internet Explorer 9.

While browsing on 29th Oct 2011 at 15:08: my AV (Virgin Media Security) flagged a Trojan-detected message from the task bar; IE closed; (I think) Windows Live Mail shut down too; a persistent UAC prompt came up and I eventually clicked 'Yes' – thinking it was something to fix the Trojan!

On booting up on 30th Oct a persistent UAC prompt re-appeared. From memory the Programme Name was Windows Command Processor and Publisher was Microsoft. The Programme Location I wrote down as "c:\Windows\SysWOW64\cmd.exe"C:\Users\*ME\AppData\Local\Temp\tncjsvcqajyvllqw.exe". I got rid of the prompt by continually pressing Esc, which eventually drives it down to taskbar.

All very wrong, so in safe mode I deleted by hand all the (suspicious) files created at 15:08 on the 29th; I used System Restore to go back a few days; after booting normally I ran a full scan with Microsoft Safety Scanner, which detected and removed Exploit:Java/CVE-2010-0840.EW & Exploit:Java/CVE-2010-0840.MZ. I ran a full scan with Malwarebytes which came up clear, and clear again the next day.

All has been well until today. The same UAC prompt appeared maybe one hour after booting. First off I've run a quick Malwarebytes scan which got the following results:


Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CihOqtak (Trojan.Agent) -> Value: CihOqtak -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\*ME\AppData\Local\Temp\0.8044365899653985exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\*ME\AppData\Local\tcpcgqqt\cihoqtak.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\*ME\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\cihoqtak.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\*ME\AppData\Local\Temp\jar_cache2376547655565355977.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\*ME\AppData\Local\Temp\tncjsvcqajyvllqw.exe (Trojan.Agent) -> Quarantined and deleted successfully.


And I’ve just run a full scan with Microsoft Safety Scanner which has removed Exploit:JS/Blacole.A and Exploit:Java/Blacole.AE.


I’m about to reboot and plan to use RKill before running another full Microsoft Safety Scanner scan. I’ve been looking at running ComboFix, how complicated is this? I’m also wondering if I’m running some dodgy version of Java? Cheers.
 

My Computer

Computer Manufacturer/Model Number
HP Z400
OS
win7 64bit
CPU
Intel Xeon W3550 3.06Ghz
Memory
12GB
Graphics Card(s)
Quadro 4000
Sound Card
Asus Xonar HDAV 1.3
Monitor(s) Displays
2x ViewSonic
Hard Drives
2x 300GB internal.
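Added example, not part of the original post: a read-only PowerShell audit of the two per-user autostart locations the Malwarebytes log above shows the trojan using (the HKCU ...\Run value and the Startup folder), flagging any entry whose command line points into the user's AppData tree, where the dropped files lived. It assumes PowerShell 2.0 as shipped with Windows 7 SP1; the root list, extension list and output layout are my choices.

```powershell
# Added example, not from the original post: audit per-user autostart
# locations and flag entries pointing into AppData / Temp, the locations
# the Malwarebytes log above lists (...\AppData\Local\Temp\*.exe,
# ...\AppData\Local\tcpcgqqt\cihoqtak.exe, the Startup-folder copy).
# Written for PowerShell 2.0 (Windows 7 SP1). It only reports; review each
# hit by hand before quarantining anything, since some legitimate updaters
# also install themselves under AppData.

$suspectRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP)
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-SuspectPath {
    param([string]$Text)
    # Expand %TEMP%-style variables first; -like compares case-insensitively.
    $expanded = [Environment]::ExpandEnvironmentVariables($Text)
    foreach ($root in $suspectRoots) {
        if ($root -and $expanded -like "*$root*") { return $true }
    }
    return $false
}

$findings = @()

# 1. Per-user Run/RunOnce values (the log above lists HKCU\...\Run\CihOqtak).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # skip provider metadata
        if (Test-SuspectPath $p.Value) {
            $findings += New-Object PSObject -Property @{
                Location = $key; Name = $p.Name; Target = $p.Value }
        }
    }
}

# 2. Startup folder: executables dropped straight in (as cihoqtak.exe was),
#    plus shortcuts whose target resolves into AppData.
$startup = [Environment]::GetFolderPath('Startup')
$shell = New-Object -ComObject WScript.Shell
$execExt = '.exe', '.bat', '.cmd', '.vbs', '.js', '.scr'
foreach ($item in (Get-ChildItem -Path $startup | Where-Object { -not $_.PSIsContainer })) {
    $target = $item.FullName
    if ($item.Extension -eq '.lnk') { $target = $shell.CreateShortcut($item.FullName).TargetPath }
    if (($execExt -contains $item.Extension) -or (Test-SuspectPath $target)) {
        $findings += New-Object PSObject -Property @{
            Location = $startup; Name = $item.Name; Target = $target }
    }
}

$findings | Format-Table Location, Name, Target -AutoSize
```

An empty table after cleaning means neither location currently re-launches anything from AppData; a hit naming cmd.exe with a Temp path as its argument matches the UAC prompt described in the post.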
