Hey guys, normally I'm able to get rid of a problem with my computer, but this one is stumping me!!! Ok, first of all, this is on my friend's computer. He's going through a divorce, and his wife took the computer to someone in the IT field and had them take all of her things off the computer. He gets it back and is unable to use the internet at his house; talked to the ISP, no problems from their side of things, they can talk to the modem. So I tell him I will look at it. I put a clean install of Win7 on for him (delete partition, new partition, then format and install). So I put on Avast 4.8 Pro for him, and the first thing it comes up with is that c:\windows\system32\autochk.exe is a Trojan, along with about 4 other similar files. I check my computer for the same thing, since I used the same install disk, and nothing is found; it's clean, so I assume there is something hidden on the computer somewhere that the ex's IT friend put on. So I have since tried Vista & Win7; all find the same files infected. I pulled out XP and used it for its full-format-of-the-HD abilities. Still no good. I tried scanning it with TrendMicro's Housecall, Ad-Aware, and Spybot, and they didn't find anything. I've tried using DOS to create a new MBR, but I can't get to the HD.
So I've attached this from the RootkitBuster. Any ideas? Or do you need anything else?
Uploaded to VT; see 3rd post for results.
+---------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.80.0.1077
+---------------------------------------------------
--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
[FILE_STREAM]:
FullPath : C:\Windows\System32\autochk.exe:BAK:$DATA
FullPathLength: 31
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
[FILE_STREAM]:
FullPath : C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_e1ca436d2314b860\autochk.exe:BAK:$DATA
FullPathLength: 113
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
No hidden files found.
--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.
--== Dump Hidden Process ==--
No hidden processes found.
--== Dump Hidden Driver ==--
No hidden drivers found.
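The two `[FILE_STREAM]` records in the dump are NTFS alternate data streams named `BAK` attached to `autochk.exe` (the `:BAK:$DATA` suffix), which is worth separating from the scanner's "nothing found" lines when reading the report. The following parser is an added example, not part of the original post or of Trend Micro's tooling: it turns a RootkitBuster text dump into per-section records, pulls out the host file and stream name of every ADS entry, and cross-checks the reported `FullPathLength` against the host path (in the posted dump, 31 and 113 are the lengths of the paths without the stream suffix). `SAMPLE_DUMP` is a constructed copy of the report above; the section, record and field layout it assumes is only what that report shows.

```python
"""Parse a Trend Micro RootkitBuster text dump and list alternate data streams.

Added example; SAMPLE_DUMP is a constructed copy of the report posted in the thread.
"""
import re

SAMPLE_DUMP = r"""
+---------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.80.0.1077
+---------------------------------------------------
--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
[FILE_STREAM]:
FullPath : C:\Windows\System32\autochk.exe:BAK:$DATA
FullPathLength: 31
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
[FILE_STREAM]:
FullPath : C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_e1ca436d2314b860\autochk.exe:BAK:$DATA
FullPathLength: 113
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
No hidden files found.
--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.
--== Dump Hidden Process ==--
No hidden processes found.
--== Dump Hidden Driver ==--
No hidden drivers found.
"""

SECTION_RE = re.compile(r"^--== (.*?) ==--$")      # "--== title ==--" section header
RECORD_RE = re.compile(r"^\[(\w+)\]:$")            # "[FILE_STREAM]:" starts a record
FIELD_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")       # "Name : value" inside a record
# NTFS ADS syntax: <drive>:\<path>:<stream>[:$DATA]; the host path itself has no ':' after the drive
ADS_RE = re.compile(r"^(?P<file>[A-Za-z]:\\[^:]*):(?P<stream>[^:]+)(?::\$DATA)?$")


def parse_dump(text):
    """Return {section title: [record dict, ...]}; each record keeps its [TYPE] under '_type'."""
    sections = {}
    current = None   # title of the section being read
    record = None    # record dict currently receiving fields, or None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            record = None
            continue
        m = RECORD_RE.match(line)
        if m and current is not None:
            record = {"_type": m.group(1)}
            sections[current].append(record)
            continue
        m = FIELD_RE.match(line)
        if m and record is not None:
            record[m.group(1)] = m.group(2)
            continue
        # Banner lines, blank lines and "No hidden ... found." close any open record.
        record = None
    return sections


def alternate_data_streams(sections):
    """Return (host file, stream name, length_matches) for every FILE_STREAM record.

    length_matches is True when the reported FullPathLength equals the length of the
    host path without the ':<stream>:$DATA' suffix, which is how the posted dump counts it.
    """
    found = []
    for records in sections.values():
        for rec in records:
            if rec.get("_type") != "FILE_STREAM":
                continue
            m = ADS_RE.match(rec.get("FullPath", ""))
            if not m:
                continue
            host = m.group("file")
            reported = rec.get("FullPathLength")
            length_ok = reported is not None and reported.isdigit() and int(reported) == len(host)
            found.append((host, m.group("stream"), length_ok))
    return found


if __name__ == "__main__":
    for host, stream, ok in alternate_data_streams(parse_dump(SAMPLE_DUMP)):
        print(f"{host}  stream={stream}  length_consistent={ok}")
```

On a live Windows system the same streams can be confirmed without the scanner (`dir /R` or PowerShell's `Get-Item -Stream *` on the file), which is the check to run before deciding whether a `BAK` stream next to a system binary is leftover from a repair tool or something to investigate further.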