Help Request: malicious autochk.exe

Hi, I’m torbuk and I’m new to these forums.

I have a strong belief that my computer is infected by malware, but I’m not absolutely sure.
I tried to solve this issue by myself, first scanning my system at random, then following guidelines at www.techsupportalert.com, but now I feel I need help. Sorry for the wall of text ahead, I tried to include all the details.

My system is Windows XP, Antivirus software ESET NOD32 5.
In the logs I posted, I replaced my computer name with “COMPUTER”, user name with “user” and name of another computer with “USERUSER”. If this is a problem, I may post original logs.

It started 3 weeks ago, April 17th, when I entered a suspicious website. Normally NOD blocks access to infected websites, but this time it didn’t. I didn’t click anything and closed that page. Then I scanned it with some URL scanner to confirm that it was indeed malicious. It was, so I started to panic. I downloaded Malwarebytes Anti-Malware and Comodo Cleaning Essentials. I had never heard about them before. I’m almost sure I also browsed through Chiron’s guides at www.techsupportalert.com about how to remove malware (around 1AM, April 18th according to my browser’s history), and that’s why I chose those programs. I didn’t follow any of these guides, because I couldn’t focus on reading at that time. I installed and ran a scan with Malwarebytes; it finished around 3AM, then I quarantined everything it found. (Attachment 1 - I’m sorry it’s in Polish, I can roughly translate if requested) Then I ran a CCE full scan; it finished around 7AM. I quarantined everything it found. Now I know that was a very foolish and dangerous thing to do, but that’s what I did regardless. (Attachment 2) On the next day I did another full scan with CCE; it detected some registry keys it didn’t detect before. (Attachment 3) I didn’t quarantine anything this time. Now I suspect these keys are in fact items quarantined in the previous scan, as the same names appear in both scans, like “Malware[at]#27yefg6kj0ojc”. Can anyone confirm that?

After that I decided I should read Chiron’s guides. However, when I tried to open www.techsupportalert.com it crashed my computer with a blue screen. (I don’t know how to find the crash dump log, so please instruct me if I need to post it) It now happens every time I try to open this site, and this site only. At first I was absolutely sure it’s a sign of infection, but now I’m not. It might be happening because I quarantined something I shouldn’t have, right?

After I calmed down a little I saved Chiron’s guides as .txt on another machine, downloaded some (if not all) anti-malware software from these articles, moved them on a pendrive to my computer and proceeded with “How to Know If Your Computer Is Infected”. TDSSKiller found nothing (Attachment 4), CCE smart scan found nothing (Attachment 5). Kill switch and Autorun analyzer found only unknown items. Each time I opened these scanners I had different results, but after a few restarts they narrowed down to 3 files which appeared every time. I posted them for whitelisting on these forums, and they are trusted now.

At that time I was feeling pretty safe, so I decided to restore some files from CCE quarantine and send them here: Comodo Antivirus Database | Submit Files for Malware Analysis as false positives. Most of them are trusted now.

During the next days I didn’t do much on this computer, mostly checking files with Valkyrie and VirusTotal and scanning with TDSSKiller / CCE to make sure I’m safe. I didn’t open any suspicious files / websites.

However, on May 6th CCE smart scan detected 2 threats (a file and a registry key) and so did Autoruns. (Attachment 6) https://consumer.valkyrie.comodo.com/get_info?sha1=8aacf03f6ca9757091a4572141d21a67c6d2fcaa I sent this file to Comodo as a false positive, but it was confirmed NOT a false positive. As a side note, in C:\WINDOWS\system32\ there are 2 such files: autochk.exe and autochk(2).exe - the latter is considered safe by Valkyrie. https://consumer.valkyrie.comodo.com/get_info?sha1=b9d114f1b873fd40affc4f03ea3857959794bff2

I chose to clean the malicious autochk.exe with CCE, but left the key alone. After a system reboot the file didn’t appear in quarantine, but in \system32 the malicious autochk.exe was replaced with a file identical to autochk(2).exe, SHA1 and everything. After several reboots/smart scans the malicious autochk.exe reappeared, so I let CCE smart scan clean both the file and the key. From this time onward, CCE smart scan was unable to detect this malicious file anymore; it doesn’t detect anything at all now.

Then again, after several reboots I decided to run a CCE full scan (smart scans didn’t detect a thing) and the malicious autochk.exe was there, but with a different SHA1 than the first one. (Attachment 7) https://consumer.valkyrie.comodo.com/get_info?sha1=027cf6870c6d848000463ad01df942d759bc721e In the log there are also hidden files ending with :BAK, and now I’m totally confused as to what these are. Are they part of quarantine, or are they malicious? I chose to clean those files: 2 keys and autochk.exe:BAK, as well as the regular autochk.exe and 2 keys listed as the same malware. After reboot, 5 of those files appeared in CCE quarantine, all except autochk.exe (regular, without :BAK).

Then I did a system reboot and another smart scan with CCE; it detected nothing, and neither did Kill switch / Autoruns. I ran a CCE full scan, but when the system rebooted to start the scan, the malicious autochk.exe was already there. https://consumer.valkyrie.comodo.com/get_info?sha1=6da84ffe7c061b27d063a08c60c783709ba666d3 I let it finish the scan to see the results, but after that I just closed the window without applying changes. So there’s no real log this time, only a copy/paste of the results. (Attachment 8) I didn’t want to reboot the system or delete autochk.exe again, because I was curious if CCE smart scan would detect this file. It didn’t.

I also scanned my computer with NOD32 at least twice during that time, but it didn’t detect anything. I mean, to be fully honest, it does detect some installers in a large .iso file, but it has done so for a long time.

So I’ve reached the point where I have no clue as to what I am doing. I might continue with “How to Clean An Infected Computer”, but “How to Know If Your Computer Is Infected” no longer applies, because since I deleted the important registry key, CCE smart scan doesn’t detect autochk.exe anymore. So I have no means to tell if I’m still infected or not. I don’t even know if I ever was, if these autochk.exe files were actually infected, if the :BAK files are malware… Because beside the fact that these files keep reappearing and CCE (full scan) keeps detecting them, there is only 1 other sign of malicious behaviour: crashing when I open www.techsupportalert.com.

What should I do?
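An added note, not part of any post in this thread: the poster above is effectively tracking a system file by its SHA1 across reboots and comparing it to a known-good copy by hand. The script below does the same thing mechanically: it takes a baseline snapshot of a set of file hashes, re-hashes them later, and reports which files changed, went missing or are new, plus a direct "does this file match the known-good hash" check. The demo uses constructed temporary files standing in for the system32 copies (the file names and contents are made up for the example); on a real machine you would pass real paths and a hash you trust. A file whose hash changes between reboots with no update having run is the kind of finding that justifies handing the sample to an analyst rather than deleting it again.

```python
"""Baseline-and-compare SHA1 check for a small set of files (added example)."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List


def sha1_of_bytes(data: bytes) -> str:
    """SHA1 hex digest of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str) -> str:
    """SHA1 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths: Iterable[str]) -> Dict[str, str]:
    """Map each existing file path to its current SHA1 (missing files are skipped)."""
    return {p: sha1_of_file(p) for p in paths if os.path.isfile(p)}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two snapshots: files whose hash changed, files gone, files newly present."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return {"changed": changed, "missing": missing, "new": new}


def matches_known_good(path: str, known_good_sha1: str) -> bool:
    """True if the file on disk has exactly the hash you trust (case-insensitive hex)."""
    return sha1_of_file(path) == known_good_sha1.strip().lower()


def demo() -> Dict[str, object]:
    """Constructed scenario: a live file is silently swapped after a 'reboot'."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files; the contents are placeholders, not real binaries.
        good = os.path.join(d, "autochk(2).exe")   # stands in for the trusted copy
        live = os.path.join(d, "autochk.exe")      # stands in for the file in use
        for p in (good, live):
            with open(p, "wb") as f:
                f.write(b"GOOD-COPY-PLACEHOLDER")
        trusted_hash = sha1_of_file(good)
        before = snapshot([good, live])
        same_before = matches_known_good(live, trusted_hash)

        # Simulate what the poster saw: after a reboot the live file differs again.
        with open(live, "wb") as f:
            f.write(b"SWAPPED-PLACEHOLDER")
        after = snapshot([good, live])

        diff = compare(before, after)
        return {
            "same_before_swap": same_before,
            "same_after_swap": matches_known_good(live, trusted_hash),
            "changed_names": [os.path.basename(p) for p in diff["changed"]],
            "missing": diff["missing"],
            "new": diff["new"],
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Keep the baseline snapshot somewhere the suspect machine cannot rewrite it (another computer or read-only media), otherwise a replaced file can also come with a replaced baseline.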

Memory dumps are going to be located in the Windows folder within the minidump folder, or if set to do a kernel or complete dump, you will find a file with a .dmp extension in the Windows directory. You should turn off system restore.

You wouldn’t happen to know what website you visited that started the initial infection would you?

You’re most likely still infected and you should first delete all CCE quarantined items, then run a full scan again, then remove all threats listed from the full scan. To remove quarantined items go to the Tools menu and select quarantined items, then choose delete all.

You should also disable system restore because your system restore snapshots are also getting infected.

First I turned off Windows restore.

Then I deleted everything from CCE quarantine and ran a full scan. 4 items were detected (Log). I checked quarantine, only 3 items are there - all except autochk.exe, but C:\WINDOWS\system32\autochk.exe is the same as autochk(2).exe https://consumer.valkyrie.comodo.com/get_info?sha1=b9d114f1b873fd40affc4f03ea3857959794bff2
I deleted threats from quarantine again.

I thought this site was infected: VirusTotal but on April 17th I scanned it with www.avgthreatlabs.com, which doesn’t accept the full name of a site. Maybe it wasn’t infected at all.

I’m not allowed to post .dmp files on this forum.

Zip the dumps into an archive using 7zip. Post the screenshot of quarantine items and also zip the quarantine folder, password protect it as infected and attach here. Does running a full scan again show any threats besides the ones in the quarantine folder? If the results only show the quarantine, choose ignore.

Edit: also, when submitting websites to check with AVG, remove the http://. This is the report: http://www.avgthreatlabs.com/ww-en/website-safety-reports/domain/co.cc/

I’m sorry, I must have misunderstood you, because I already deleted all items from quarantine. I thought I was supposed to do that.

This link you posted, I think it’s a scan of this site: VirusTotal

And here are the dumps

OK, after deleting the quarantine run a full scan again with CCE and if any threats are found again, quarantine them and zip the quarantine folder. I missed the part where you said you deleted quarantine again after the scan. But if the same threats are still coming up I would like to analyze it further. Also, co.cc is/was? a hosting provider and your original URL was a sub domain of co.cc

After another full scan only CCE quarantine was detected (Log), so I ignored it.

Unless you say otherwise, I think I should reboot/scan a few more times to make sure all threats are gone now.

Thank you futuretech for your assistance so far, it was invaluable.

For the past few days I was almost constantly scanning my computer with CCE.

No threats were found except for CCE quarantine. Is it normal that CCE detects its own quarantine as dangerous, even when it’s empty?

Is there anything more I should do to make sure my system is clean?

No problem. You can safely delete the quarantine folder. CCE will warn of any risks it finds regardless of which folder they are located in. You should be fine if nothing else is being detected by CCE. You should also update Windows XP to at least SP3 and update to the latest version of the browser you’re using that is still available for XP.

As for other checks you can grab gmer and use it to scan for rootkit hooks, which I would do after temporarily uninstalling any security software, as it will be detected by gmer. When you open gmer for the first time it does an initial quick scan. When that is finished you should select System, Sections, IAT/EAT, Processes and Services. When it says it has completed, save the log and attach it here for further examination.

I’ve read on another forum that you should never install SP on an infected system, so I’m not doing it right now. Making sure I’m clean is my top priority.

I also don’t want to uninstall NOD32 (security software) just yet, because I’m unsure if I will be able to install it again. That being said, if uninstalling it is really REALLY required, I may try to do it.

I’ve attached GMER log. I’m no kind of expert, but for me results look pretty much the same as on another 2 computers (with WinXP and NOD32 installed) I scanned with GMER.

Yeah, it looks fine. I just wanted to make sure nothing else was infected, especially in the kernel.