
Autochk.exe detected as a Trojan

  • 07-12-2010 12:31pm
    #1
    Registered Users, Registered Users 2 Posts: 3,553 ✭✭✭


    I use AVG anti-virus and apart from the odd warning it hasn't detected any viruses to date. Been using Windows 7 for over a year now.

    My GF borrowed the laptop yesterday as she's lent hers to a friend. She said she was browsing for clothes online.

    Anyway today I'm getting this message from AVG:
    Threat detected
    c:\windows\system32\autochk.exe

    Trojan

    Downloader.Generic10.AYDQ

    I know this is a system file but is there any way that this could have been corrupted? Or is it a false alarm by AVG? It's annoying because the threat alert keeps popping up every half hour or so now :mad:

    The antivirus warns me not to delete it because it's a system file.

    Am I looking at having to do a Windows 7 repair or possibly a re-install to rectify this?

    Edit: It's also finding the same problem in the recovery D:\ partition and the \Windows\winsxs folder on both partitions.


Comments

  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    I know this is a system file but is there any way that this could have been corrupted? Or is it a false alarm by AVG?

    Get a second opinion. Download, update & run a Malwarebytes Quick Scan and see what it says.


  • Registered Users, Registered Users 2 Posts: 3,553 ✭✭✭Dubh Geannain


    Thanks Bhickey.

    Malwarebytes returned zilch. I haven't used it before but would you recommend it as an alternative to AVG or Avast which I have used in the past for free?


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    Malwarebytes returned zilch. I haven't used it before but would you recommend it as an alternative to AVG or Avast which I have used in the past for free?

    No, Malwarebytes is an on-demand scanner which you'd run occasionally and you do need realtime protection too which is what AVG and Avast would provide.

    How about a 3rd, 4th & 5th opinion then? Try SuperAntiSpyware and then try both Malwarebytes & SuperAntiSpyware again but this time after rebooting into 'Safe Mode with Networking'.

    There are also some good online scanners. Try the Eset Online Scanner.


  • Registered Users, Registered Users 2 Posts: 3,553 ✭✭✭Dubh Geannain


    Thanks again. I had just noticed that it didn't provide on-demand scanning.

    I might be back again if it still gets flagged because I don't like the thoughts of just deleting the file if it is corrupted.


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    I might be back again if it still gets flagged because I don't like the thoughts of just deleting the file if it is corrupted.

    Well you mightn't have to. It could just be a false positive caused by an AVG update. You might even find that tomorrow AVG will be happy again. This is why it's never any harm to try a few different scans, especially if there's nothing odd going on.

    For the crack, you could also e-mail the file to Virustotal and they'll send you back the results from all sorts of scanners.


  • Registered Users, Registered Users 2 Posts: 2,353 ✭✭✭Galway K9


    Search Google for "Download Stinger" to see if it picks it up. It's prob a virus living off a host file, therefore making it difficult to remove. I'd recommend going into safe mode, rename the virus one, download a new autochk.exe, delete original and replace with new.


    Restart


  • Registered Users, Registered Users 2 Posts: 3,553 ✭✭✭Dubh Geannain


    Thanks for the help guys. I might just do what you suggested Galway K9.

    Here's what I got back from Virus total:
    AntiVir 7.10.14.220/20101207 found [RKIT/Undef.A]
    AVG 9.0.0.851/20101207 found [Downloader.Generic10.AYDQ]
    ClamAV 0.96.4.0/20101207 found [BC.Heuristics.Rootkit.B-9.SL5IT]
    Rising 22.77.01.04/20101207 found [RootKit.Win32.Undef.crb]
    Sophos 4.60.0/20101207 found [Sus/UnkPack-C]

    The other 38 scans returned "nothing found". I didn't include them here for clarity.

    Any further thoughts appreciated.


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    Well that sounds fairly conclusive so replacing autochk.exe might be all you need to do. There are rootkit scanners like GMER that you could try but maybe try as Galway K9 suggested first.
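
One way to check the flagged file against the other copies Windows keeps, before replacing anything. This is an added example, not part of the thread; the paths are the ones named in the posts, and `D:\Windows\winsxs` is an assumption about how the recovery partition is laid out. Run it from an elevated PowerShell prompt:

```powershell
# Added example: hash every copy of autochk.exe and ask Windows Resource
# Protection to verify the live one. Nothing here modifies any file.
$live   = 'C:\Windows\System32\autochk.exe'
$stores = 'C:\Windows\winsxs', 'D:\Windows\winsxs'   # D:\ path is an assumption

function Get-Sha256Hex([string]$Path) {
    # .NET hashing, so this also runs on the PowerShell 2.0 shipped with Windows 7
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

# Collect the live file plus every component-store copy that exists
$copies = @($live)
foreach ($store in $stores) {
    if (Test-Path $store) {
        $copies += Get-ChildItem -Path $store -Recurse -Filter autochk.exe `
                       -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.FullName }
    }
}

# One row per copy; identical hashes sort next to each other
$report = foreach ($path in $copies) {
    $item = Get-Item -LiteralPath $path
    New-Object PSObject -Property @{
        Sha256    = Get-Sha256Hex $path
        Size      = $item.Length
        LastWrite = $item.LastWriteTime
        Path      = $path
    }
}
$report | Sort-Object Sha256 | Format-Table Sha256, Size, LastWrite, Path -AutoSize

# Copies from different servicing versions can legitimately differ, so compare
# the live file with the store copy of the same version, then let Windows
# check it against its own records.
sfc.exe "/verifyfile=$live"
```

`sfc` writes its findings to `%windir%\Logs\CBS\CBS.log`; if verification fails, `sfc /scanfile=<path>` repairs the file from the component store.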

