
Virus recurrs in Autochk.exe and cannot be removed.


  • Please log in to reply
4 replies to this topic

#1 Louiscypher

Louiscypher

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 13 August 2016 - 09:33 PM

I'll leave out all the trouble I have had over the past week and just bring it down to what I know now. I can reload my laptop with a clean install of Win 7 and install Avast. After the first reboot, c:\windows\system32\autochk.exe is infected with Win32:Malware-gen. This is a real infection because the hash of the file changes, autochk will not run at boot, and it is not repairable with SFC /scannow. In fact, after running that sfc scan, c:\windows\winsxs\amd64_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_4019f2b8d860ad30\autochk.exe is also infected.

 

I can replace both files and sfc /scannow runs fine and there is no infection. After I reboot, it starts all over again.

 

I have deleted the MBR before loading with Super Fdisk.

 

I have fully run Malwarebytes and Avast.

 

I have run rootkit repair programs - AdwCleaner, aswMBR, ComboFix, and TDSSKiller. Nothing changes.

 

Does anyone have any other ideas?





#2 technonymous

technonymous

  • Members
  • 2,480 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:45 AM

Posted 13 August 2016 - 11:46 PM

Run a barrage of scans against it: http://www.bleepingcomputer.com/forums/t/540376/recommended-offline-scanners/ Some you can put on a bootable CD, and others you want to run in Safe Mode with Networking so the virus program can get an index update.



#3 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,407 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:06:45 AM

Posted 14 August 2016 - 12:20 PM

Please post the Malwarebytes log and the TDSSKiller log.

To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.

To open the log, double click on mbam-check.exe on your desktop. Copy and paste the log in your topic.

Please download Emsisoft Emergency Kit and save it to your desktop.

Double click on the Emsisoft Emergency Kit file on your desktop.

When the installation starts you see an image like the one below; click on Install.

The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.

When the update is complete, click on MALWARE SCAN under Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes.

Emsisoft Emergency Kit will start scanning.

When the scan is completed, click on Quarantine.

When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad. Copy the log and paste it in your topic.



Please run the ESET Online Scanner.

This scan takes quite a long time to run, so be prepared to allow it to run till it is completed.

***Please note. If you run this scan using Internet Explorer you won't need to download the ESET SmartInstaller.***

ESET Online Scanner

  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

Edited by dc3, 14 August 2016 - 12:21 PM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.


#4 Louiscypher

Louiscypher
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 15 August 2016 - 04:33 PM

I think I have identified the problem and I'm afraid that you probably can't help me.

 

This problem is coming from the Lojack code in the BIOS. I talked to Lojack tech support today and they explained that some manufacturers, like Acer, turn on the code from the factory although it is supposed to be turned off until the customer buys a subscription. They may be doing this to prevent internal theft. In any case, many, many laptops are running around with a resource-hungry service and various programs running all the time, transmitting information to Lojack for no reason at all.

 

To make matters worse, there is some bad code out there that mistakenly inserts a Trojan into autochk.exe. Anti-virus programs already know to ignore the normal Lojack code but not the defective code so it shows up as a Trojan and as SFC non repairable. If you remove all of this code, it just comes back on the next boot. So what I got is defective BIOS code that is turned on for no real reason. I'm waiting on Lojack to send a signal to turn off this code. We'll see if this works.

 

The only reason I know about this is because I got defective code. For some large number of people out there, Lojack code is running, sending your personal information to Lojack for no reason at all. Just search your laptop for this - "rpcnetp". If you find:

UPGRD.exe
rpcnetp.exe
rpcnetp.dll
rpcnet.dll

 

Then Lojack is running on your laptop without your permission. Next time, I will work to find a laptop that does not come with malware built into the BIOS. They don't tell anybody about this because Lojack is supposed to be a secret.

 

Remember this for the next time somebody is screwed over by this secretive Lojack nonsense.
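An added example, not from the thread and not a Lojack or Absolute tool: a read-only PowerShell inventory of the four files named in the post above, the autochk.exe hash comparison the opening post describes, and the Session Manager BootExecute value that launches autochk at boot. It assumes PowerShell 4 or later (for Get-FileHash) and treats the service name prefix "rpcnet" as an assumption rather than something the thread states.

```powershell
# Added example: report only, delete nothing. Run from an elevated PowerShell.
$artifacts = 'UPGRD.exe', 'rpcnetp.exe', 'rpcnetp.dll', 'rpcnet.dll'   # names from the post
$system32  = Join-Path $env:SystemRoot 'System32'

"== Agent artifacts in $system32 =="
foreach ($name in $artifacts) {
    $path = Join-Path $system32 $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        '{0,-12} present  {1,9:N0} bytes  modified {2:u}  signature: {3}' -f $name, $item.Length, $item.LastWriteTimeUtc, $sig.Status
    } else {
        '{0,-12} absent' -f $name
    }
}

# Assumption: the agent's service name starts with "rpcnet"; adjust if yours differs.
"`n== Services named rpcnet* =="
Get-WmiObject Win32_Service -Filter "Name LIKE 'rpcnet%'" |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# The opening post compares the System32 copy with the WinSxS copy; do the same by hash.
"`n== autochk.exe: System32 copy vs WinSxS copy =="
$live     = Join-Path $system32 'autochk.exe'
$liveHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $live).Hash
"System32  $liveHash  signature: $((Get-AuthenticodeSignature -FilePath $live).Status)"
# The WinSxS folder name embeds the build number, so match it with a wildcard.
Get-ChildItem (Join-Path $env:SystemRoot 'WinSxS') -Directory -Filter '*microsoft-windows-autochk*' |
    ForEach-Object { Join-Path $_.FullName 'autochk.exe' } |
    Where-Object  { Test-Path -LiteralPath $_ } |
    ForEach-Object {
        $h = (Get-FileHash -Algorithm SHA256 -LiteralPath $_).Hash
        $verdict = if ($h -eq $liveHash) { 'MATCH' } else { 'DIFFERS' }
        "WinSxS    $h  $verdict  ($_)"
    }

# Default value is "autocheck autochk *"; anything extra here deserves a closer look.
"`n== Session Manager BootExecute =="
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').BootExecute
```

On a healthy Windows 7 install the two autochk.exe hashes match, because the System32 file is a hard link into WinSxS; a DIFFERS line, or a Win32 signature status other than Valid, is the condition the opening post describes.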



#5 technonymous

technonymous

  • Members
  • 2,480 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:45 AM

Posted 15 August 2016 - 10:50 PM

Computrace or Lojack should disable itself. However, some things can cause it not to do that, like a BIOS update. They should be able to help you turn it off with the laptop's serial number and hardware info. Some laptops have a service number in the BIOS that you can give tech support, and they can turn it off with that alone. It completely slipped my mind, but yes, autochk.exe is altered by Computrace/Lojack; once it is disabled, the real one is replaced. It's not necessarily a bad thing to have in laptops or vehicles that get stolen. Those items that police get back are because of that tracer. In corporate business it is usually required for the laptops they loan out. When buying used laptops, it's important to ask if the BIOS has Computrace enabled and/or if the BIOS is locked out. Buying from eBay, you never know what you are going to get.





