I am receiving this error, Ad-Aware says the file C:\Windows\System32\Check.exe is infected by this trojan.
Check.exe is probably a file used by Acer (I have an Acer notebook.)
My antivirus (Avast!) doesn't consider the file infected. I tried:
Virus Total
http://www.virustotal.com/
JOTTI
http://virusscan.jotti.org/
Scoring 4/32 on Virustotal (these 4 found the file suspicious, but came up with different names) and 3/20 on Jotti (same here).
Is this a false positive? Apparently the worm you're referring to is a WoW keylogger which may keylog other things too, it's unknown. I doubt I have such a file on my PC (and I don't have WoW installed anyway).
What should I do? Check.exe apparently isn't a "vital" file for the system, but not something I should delete so easily either. It's probably part of some secondary-importance file for the Acer Suite.
What should I do? Is it a false-positive as I believe, or is the file really infected?
Win32.trojanpws.wow
Started by Akumasama, Sep 30 2007 09:58 PM
5 replies to this topic
#1
Posted 30 September 2007 - 09:58 PM
#2
Posted 01 October 2007 - 03:04 AM
Hi Akumasama!
Thanks for posting!
The file Check.exe may be associated with Acer eRecoveryService, which allows the user to restore the operating system or back up the current system profile. (http://www.castlecop...eryService.html)
It is not a system critical file, it is up to the user to start it if necessary.
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: [eRecoveryService] C:\Windows\System32\Check.exe)
Would it be possible for you to send the file to research@lavasoft.com so that we can analyze it further? If so, could you please zip it (with password 'infected') and send it to research@lavasoft.com.
This would be much appreciated!
Could you also please post the complete log file from the Ad-Aware scan where the file was detected?
If our analysis shows that it is a false positive we will remove the file from detection as of the next definition file release.
Regards,
LS Pekka
#3
Posted 01 October 2007 - 02:14 PM
I'm sending the file now, hoping my crappy ISP is not in your anti-spam list. My email is my current nickname (the one I'm using on this board) @tin.it, a crappy Italian ISP (but, sadly, it's the most important one in my country).
Thanks a lot for the support. This happened after the Ad-Aware upgrade I downloaded hmm... September the 27th? I don't remember exactly.
I'm still pretty confident the structure of this file is probably similar to that trojan, and hence Ad-Aware detects it as such. Still... the results I got from VirusTotal and Jotti do not give me total warranty.
On the 4 results I scored on Virus total, 2 of those antivirus use heuristics, so they don't count. But the other two which detected my file I don't know... and who knows if they use heuristics or not? If they don't, my file might indeed be infected.
Well ok, let me quit with all this paranoia. Thanks for your attention and your prompt help once again!
#4
Posted 01 October 2007 - 03:48 PM
Hi again Akumasama!
Thanks for the file.
File info:
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: [eRecoveryService] C:\Windows\System32\Check.exe)
COMMENTS: OBRCheck
COMPANY NAME: acer Inc.
FILE DESCRIPTION: OBRCheck
FILE FOLDER: %SYSTEM%
FILE NAME: check.exe
FILE SIZE: 245,760 KB
FILE VERSION: 1.0.0.1
INTERNAL NAME: OBRCheck.exe
LEGAL COPYRIGHT: acer Inc. All rights reserved.
MD5 SIGNATURE: 61142fe8173a8b244aa5bfafba34aa0b
ORIGINAL FILE NAME: OBRCheck.exe
PRODUCT NAME: OBRCheck
PRODUCT VERSION: 1.0.0.1
SPECIAL FOLDER: SYSTEM
We have removed the file from detection.
This issue is fixed in the current releases, 0024.0000 and SE1R194.
Thanks once again for bringing this to our attention.
Regards,
LS Pekka
Lavasoft Research
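For readers with the same Acer file, the attributes posted above can be checked against a local copy. The following PowerShell is an added example, not part of the original thread or any Lavasoft tool; the function name `Test-FileAgainstReport` is hypothetical, and the expected values are copied from the file info in post #4.

```powershell
# Added example: compare a local Check.exe with the attributes posted in the thread.
$Path = 'C:\Windows\System32\Check.exe'            # path given in the thread
$Expected = @{
    MD5              = '61142fe8173a8b244aa5bfafba34aa0b'
    CompanyName      = 'acer Inc.'
    FileVersion      = '1.0.0.1'
    InternalName     = 'OBRCheck.exe'
    OriginalFilename = 'OBRCheck.exe'
}

function Test-FileAgainstReport {                   # hypothetical helper name
    param([string]$Path, [hashtable]$Expected)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $actual = @{
        MD5              = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        CompanyName      = ([string]$vi.CompanyName).Trim()
        FileVersion      = ([string]$vi.FileVersion).Trim()
        InternalName     = ([string]$vi.InternalName).Trim()
        OriginalFilename = ([string]$vi.OriginalFilename).Trim()
    }
    # One row per field; -eq on strings is case-insensitive, which suits hex hashes.
    foreach ($field in ($Expected.Keys | Sort-Object)) {
        [pscustomobject]@{
            Field    = $field
            Expected = $Expected[$field]
            Actual   = $actual[$field]
            Match    = ($Expected[$field] -eq $actual[$field])
        }
    }
}

$rows = Test-FileAgainstReport -Path $Path -Expected $Expected
$rows | Format-Table -AutoSize

# Version-resource strings are chosen by whoever built the binary, so only the
# hash row ties the local copy to the sample that was analyzed in the thread.
$hashRow = $rows | Where-Object { $_.Field -eq 'MD5' }
if (-not $hashRow.Match) {
    Write-Warning 'Hash differs from the analyzed sample; the verdict in the thread does not cover this file.'
}

# Show what the autostart entry named in the thread points to on this machine.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$entry  = Get-ItemProperty -Path $runKey -Name 'eRecoveryService' -ErrorAction SilentlyContinue
if ($entry) { "Run entry: $($entry.eRecoveryService)" } else { 'No eRecoveryService Run entry found.' }
```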
#5
Posted 01 October 2007 - 06:52 PM
Thank you SO VERY MUCH for your kindness and support! I'm glad it was just a false positive 
Keep up the good work!
#6
Posted 09 October 2007 - 12:52 PM
Thank you for posting, Akumasama!
Since this issue appears resolved, I'll go ahead and move this thread to the "Resolved" archive (read only).
If you should have any further issues, please feel free to post a new topic.
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give personal support via PM. The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.
Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center

Microsoft MVP/Windows - Security 2003-2009
