Hi, I’m torbuk and I’m new to these forums.
I have a strong belief that my computer is infected by malware, but I’m not absolutely sure.
I tried to solve this issue by myself, first scanning my system at random, then following guidelines at www.techsupportalert.com, but now I feel I need help. Sorry for the wall of text ahead, I tried to include all the details.
My system is Windows XP, Antivirus software ESET NOD32 5.
In the logs I posted, I replaced my computer name with “COMPUTER”, user name with “user” and name of another computer with “USERUSER”. If this is a problem, I may post original logs.
It started 3 weeks ago, April 17th, when I entered a suspicious website. Normally NOD blocks access to infected websites, but this time it didn’t. I didn’t click anything and closed that page. Then I scanned it with some URL scanner to confirm that it was indeed malicious. It was, so I started to panic. I downloaded Malwarebytes Anti-Malware and Comodo Cleaning Essentials. I had never heard about them before. I’m almost sure I also browsed through Chiron’s guides at www.techsupportalert.com about how to remove malware (around 1AM, April 18th according to my browser’s history), and that’s why I chose those programs. I didn’t follow any of these guides, because I couldn’t focus on reading at that time. I installed and ran a scan with Malwarebytes, it finished around 3AM, then I quarantined everything it found. (Attachment 1 - I’m sorry it’s in Polish, I can roughly translate if requested) Then I ran a CCE full scan, it finished around 7AM. I quarantined everything it found. Now I know that was a very foolish and dangerous thing to do, but that’s what I did regardless. (Attachment 2) On the next day I did another full scan with CCE, it detected some registry keys it didn’t detect before. (Attachment 3) I didn’t quarantine anything this time. Now I suspect these keys are in fact items quarantined in the previous scan, as the same names appear in both scans, like “Malware[at]#27yefg6kj0ojc”. Can anyone confirm that?
After that I decided I should read Chiron’s guides. However, when I tried to open www.techsupportalert.com it crashed my computer with a blue screen. (I don’t know how to find the crash dump log, so please instruct me if I need to post it) It now happens every time I try to open this site, and this site only. At first I was absolutely sure it’s a sign of infection, but now I’m not. It might be happening because I quarantined something I shouldn’t have, right?
After I calmed down a little I saved Chiron’s guides as .txt on another machine, downloaded some (if not all) anti-malware software from these articles, moved them on a pendrive to my computer and proceeded with “How to Know If Your Computer Is Infected”. TDSSKiller found nothing (Attachment 4), CCE smart scan found nothing (Attachment 5). KillSwitch and Autorun Analyzer found only unknown items. Each time I opened these scanners I had different results, but after a few restarts they narrowed down to 3 files which appeared every time. I posted them for whitelisting on these forums, and they are trusted now.
At that time I was feeling pretty safe, so I decided to restore some files from CCE quarantine and send them here: Comodo Antivirus Database | Submit Files for Malware Analysis as false positives. Most of them are trusted now.
During the next days I didn’t do much on this computer, mostly checking files with Valkyrie and VirusTotal and scanning with TDSSKiller/CCE to make sure I’m safe. I didn’t open any suspicious files/websites.
However, on May 6th CCE smart scan detected 2 threats (a file and a registry key) and so did Autoruns. (Attachment 6) https://consumer.valkyrie.comodo.com/get_info?sha1=8aacf03f6ca9757091a4572141d21a67c6d2fcaa I sent this file to Comodo as a false positive, but it was confirmed NOT a false positive. As a side note, in C:\WINDOWS\system32\ there are 2 such files: autochk.exe and autochk(2).exe - the latter is considered safe by Valkyrie. https://consumer.valkyrie.comodo.com/get_info?sha1=b9d114f1b873fd40affc4f03ea3857959794bff2

I chose to clean the malicious autochk.exe with CCE, but left the key alone. After the system reboot the file didn’t appear in quarantine, but in \system32 the malicious autochk.exe was replaced with a file identical to autochk(2).exe, SHA1 and everything. After several reboots/smart scans the malicious autochk.exe reappeared, so I let CCE smart scan clean both the file and the key. From this time onward, CCE smart scan was unable to detect this malicious file anymore; it doesn’t detect anything at all now.

Then again, after several reboots I decided to run a CCE full scan (smart scans didn’t detect a thing) and the malicious autochk.exe was there, but with a different SHA1 than the first one (Attachment 7) https://consumer.valkyrie.comodo.com/get_info?sha1=027cf6870c6d848000463ad01df942d759bc721e In the log there are also hidden files ending with :BAK and now I’m totally confused as to what these are. Are they part of the quarantine, or are they malicious? I chose to clean those files: 2 keys and autochk.exe:BAK, as well as the regular autochk.exe and 2 keys listed as the same malware. After reboot, 5 of those items appeared in CCE quarantine, except for autochk.exe (regular, without :BAK). Then I did a system reboot and another smart scan with CCE, it detected nothing, and so did KillSwitch / Autoruns. I ran a CCE full scan, but when the system rebooted to start the scan, the malicious autochk.exe was already there.

https://consumer.valkyrie.comodo.com/get_info?sha1=6da84ffe7c061b27d063a08c60c783709ba666d3 I let it finish the scan to see the results, but after that I just closed the window without applying changes. So there’s no real log this time, only a copy/paste of the results. (Attachment 8) I didn’t want to reboot the system or delete autochk.exe again, because I was curious whether CCE smart scan would detect this file. It didn’t.
I also scanned my computer with NOD32 at least twice during that time, but it didn’t detect anything. I mean, to be fully honest, it does detect some installers in a large .iso file, but it has done so for a long time.
So I’ve reached the point where I have no clue as to what I am doing. I might continue with “How to Clean An Infected Computer”, but “How to Know If Your Computer Is Infected” no longer applies, because since I deleted the important registry key, CCE smart scan doesn’t detect autochk.exe anymore. So I have no means to tell if I’m still infected or not. I don’t even know if I ever was, if these autochk.exe files were actually infected, if the :BAK files are malware… Because besides the fact that these files keep reappearing and CCE (full scan) keeps detecting them, there is only 1 other sign of malicious behaviour: crashing when I open www.techsupportalert.com.
What should I do?