Win32:Trojan in autochk.exe

Hey guys, normally I'm able to get rid of a problem with my computer, but this one is stumping me!!! OK, first of all this is on my friend's computer. He's going through a divorce and his wife took the computer to someone in the IT field and had them take all of her things off the computer. He gets it back and is unable to use the internet at his house; talked to the ISP, no problems from their side of things, they can talk to the modem. So I tell him I will look at it. I put a clean install of Win7 on for him (delete partition, new partition, then format and install). So I put on Avast 4.8 Pro for him; the first thing it comes up with is that c:\windows\system32\autochk.exe is a Trojan, along with about 4 other similar files. I check my computer for the same thing, since I used the same install disk, and nothing is found; it's clean, so I assume there is something hidden on the computer somewhere that the ex's IT friend put on. So I have since tried Vista & Win7; all find the same files infected. I pulled out XP and used it for its full format of the HD abilities. Still no good. I tried scanning it with TrendMicro's Housecall, Ad-Aware, Spybot and they didn't find anything. I've tried using DOS to create a new MBR, but I can't get to the HD.

So I've attached this from the RootkitBuster. Any ideas? Or do you need anything else?

Uploaded to VT; see 3rd post for results.

+---------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.80.0.1077
+---------------------------------------------------

--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
[FILE_STREAM]:
FullPath : C:\Windows\System32\autochk.exe:BAK:$DATA
FullPathLength: 31
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
[FILE_STREAM]:
FullPath : C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_e1ca436d2314b860\autochk.exe:BAK:$DATA
FullPathLength: 113
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.

--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

I don't think the ex's IT friend would put a rootkit on your friend's PC. This is a false positive.

Upload to VirusTotal and post results.

Well, she has been making their divorce very hard, just being an evil witch, but change that w to a B. Since I put the 32-bit version of Win7 on this time, the other file isn't on here, but I'll put Avast back on and see what it finds this time.

UPDATE: Virus scan came back negative. I will finish installing everything and see what I get again.

Remember this is a fresh install; went straight to VT and uploaded. Nothing else was done: the HD had its partition deleted, then formatted, then straight to the upload.

File autochk.exe received on 2009.11.27 22:23:12 (UTC)

Result: 5/41 (12.2%)

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.11.26 -
AhnLab-V3 5.0.0.2 2009.11.26 Win-Trojan/Rootkit.642560
AntiVir 7.9.1.78 2009.11.26 -
Antiy-AVL 2.0.3.7 2009.11.26 -
Authentium 5.2.0.5 2009.11.26 -
Avast 4.8.1351.0 2009.11.26 Win32:Trojan-gen
AVG 8.5.0.425 2009.11.26 -
BitDefender 7.2 2009.11.26 -
CAT-QuickHeal 10.00 2009.11.26 -
ClamAV 0.94.1 2009.11.26 -
Comodo 3044 2009.11.26 -
DrWeb 5.0.0.12182 2009.11.26 -
eSafe 7.0.17.0 2009.11.24 -
eTrust-Vet 35.1.7143 2009.11.26 -
F-Prot 4.5.1.85 2009.11.25 -
F-Secure 9.0.15370.0 2009.11.24 -
Fortinet 4.0.14.0 2009.11.26 -
GData 19 2009.11.26 Win32:Trojan-gen
Ikarus T3.1.1.74.0 2009.11.26 -
Jiangmin 11.0.800 2009.11.26 -
K7AntiVirus 7.10.905 2009.11.25 -
Kaspersky 7.0.0.125 2009.11.26 -
McAfee 5813 2009.11.25 -
McAfee+Artemis 5813 2009.11.25 -
McAfee-GW-Edition 6.8.5 2009.11.26 -
Microsoft 1.5302 2009.11.26 -
NOD32 4639 2009.11.26 -
Norman 6.03.02 2009.11.25 -
nProtect 2009.1.8.0 2009.11.26 -
Panda 10.0.2.2 2009.11.26 -
PCTools 7.0.3.5 2009.11.26 -
Prevx 3.0 2009.11.27 -
Rising 22.23.03.10 2009.11.26 -
Sophos 4.48.0 2009.11.26 Sus/Dropper-A
Sunbelt 3.2.1858.2 2009.11.26 -
Symantec 1.4.4.12 2009.11.26 -
TheHacker 6.5.0.2.079 2009.11.26 -
TrendMicro 9.100.0.1001 2009.11.26 -
VBA32 3.12.12.0 2009.11.26 suspected of Embedded.Trojan.DownLoader.17875
ViRobot 2009.11.26.2056 2009.11.26 -
VirusBuster 5.0.21.0 2009.11.25 -
Additional information
File size: 668160 bytes
MD5: ab3901fa87245b31596a52dc8ededca2
SHA1: 92e17c48057d309cd6c558be103b7b64190b2b2e
SHA256: d8b313037630f848aa909a3d089db2d7b865091eefa35b7168ba80ead2d85945
ssdeep: 12288:qztuhP6hUu8qMmjj14QM9UCqrom9JoyV+h9drYe:+t6ifhn1nCqU2zVUr7

PEiD: -
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x1725
timedatestamp: 0x44690165 (Mon May 15 22:32:05 2006)
machinetype: 0x14c (I386)

( 5 sections )
name    virtaddr  virtsize  rawsize  entropy  md5
.text   0x1000    0x8d6     0xa00    5.57     cfcc107c231ea62d7a750e0ed2e09e10
.data   0x2000    0x1d4     0x0      0.00     d41d8cd98f00b204e9800998ecf8427e
.cdata  0x3000    0x4400    0x4400   6.01     48493571ccd95f9933bb64d1baa7eac4
.mdata  0x8000    0x300     0x400    1.98     4a956e5abb6f3f1566680d3112c1c4ab
.reloc  0x9000    0x50      0x200    1.30     332fd2c6501d47ebce156a63c9262cf5

( 1 imports )

ntdll.dll: NtCreateFile, wcscat, RtlQueryEnvironmentVariable_U, NtClose, NtDeleteFile, NtReadFile, NtSetValueKey, NtWriteFile, wcsrchr, RtlInitUnicodeString, NtCreateKey, NtTerminateProcess, wcscpy, RtlUnwind

( 0 exports )

RDS: NSRL Reference Data Set

pdfid: -
trid: Generic Win/DOS Executable (50.0%)
      DOS Executable Generic (49.9%)
sigcheck:
publisher: n/a
copyright: n/a
product: n/a
description: n/a
original name: n/a
internal name: n/a
file version: n/a
comments: n/a
signers: -
signing date: -
verified: Unsigned

packers (F-Prot): embedded
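As an added check (an example script written for this page, not from the thread, RootkitBuster or VirusTotal), the Windows PowerShell snippet below lists every data stream on the two autochk.exe paths RootkitBuster flagged, hashes each stream including the :BAK one, compares the primary stream's MD5/SHA1/SHA256 with the hashes in the VirusTotal report above, and prints the Authenticode status. It assumes Windows PowerShell 3.0 or later (for Get-Item/Get-Content -Stream), an NTFS volume and an elevated prompt; the two paths and the three expected hashes are the ones posted in this thread.

```powershell
# Added example, not from the thread. Enumerate the NTFS alternate data streams
# on autochk.exe, hash every stream, compare the primary stream with the hashes
# VirusTotal reported above, and show the Authenticode status.
# Assumes Windows PowerShell 3.0+ on NTFS, run from an elevated prompt.

# The two paths RootkitBuster listed as carrying a ':BAK:$DATA' stream.
$targets = @(
    'C:\Windows\System32\autochk.exe',
    'C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_e1ca436d2314b860\autochk.exe'
)

# Hashes of the file as uploaded to VirusTotal (copied from the report above).
$vtHashes = @{
    MD5    = 'ab3901fa87245b31596a52dc8ededca2'
    SHA1   = '92e17c48057d309cd6c558be103b7b64190b2b2e'
    SHA256 = 'd8b313037630f848aa909a3d089db2d7b865091eefa35b7168ba80ead2d85945'
}

function Get-StreamHash {
    # Hash one named NTFS stream of a file. ':$DATA' is the unnamed primary
    # stream, which is read directly; any other name is read via -Stream.
    param([string]$Path, [string]$Stream, [string]$Algorithm)
    if ($Stream -eq ':$DATA') {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
    } else {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -ReadCount 0
    }
    if ($null -eq $bytes) { $bytes = [byte[]]@() }   # empty stream
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    try {
        $hash = $hasher.ComputeHash([byte[]]$bytes)
    } finally {
        $hasher.Dispose()
    }
    return ([System.BitConverter]::ToString($hash) -replace '-', '').ToLower()
}

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "missing: $path"; continue }
    Write-Host "`n== $path"

    # Get-Item -Stream * lists every data stream on the file, including the
    # 'BAK' stream RootkitBuster reported; the primary one shows as ':$DATA'.
    foreach ($s in Get-Item -LiteralPath $path -Stream *) {
        $sha256 = Get-StreamHash -Path $path -Stream $s.Stream -Algorithm SHA256
        '{0,-8} {1,10} bytes  sha256={2}' -f $s.Stream, $s.Length, $sha256
    }

    # Does the primary stream on disk match what VirusTotal actually scanned?
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $local = Get-StreamHash -Path $path -Stream ':$DATA' -Algorithm $alg
        $verdict = if ($local -eq $vtHashes[$alg]) { 'MATCH' } else { 'DIFFERS' }
        '{0,-6} {1}  {2}' -f $alg, $local, $verdict
    }

    # Authenticode check. On Windows 7 this cmdlet does not consult the system
    # catalogs, so catalog-signed OS binaries come back NotSigned here, which is
    # the same limitation behind the report's "verified: Unsigned" line.
    $sig = Get-AuthenticodeSignature -FilePath $path
    'Authenticode: {0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject
}
```

Run it from an elevated Windows PowerShell prompt on the affected machine. If the SHA256 of the BAK stream equals that of the primary stream, the backup stream is simply a copy of the executable; if the primary stream's hashes match the VirusTotal report, the scan above really was of the file that is on disk. For a signature verdict on catalog-signed Windows files, use a tool that looks the file up in the system catalogs (current Sysinternals sigcheck does this) rather than relying on the Authenticode line alone.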