Sorry to bother you all once again, but your knowledge knows no limit, and once again I am in need of it!
My girlfriend just called me all worried; apparently Ad-Aware found malware in the file c:\windows\system32\check.exe
I checked on the internet; it's a non-vital process by Acer (she has an Acer notebook indeed).
Ad-Aware tells her that the file is infected with the win32.trojanPWS.wow worm.
Checking on the internet, I saw this malware is a keylogger, I think? It logs information about WoW ID and password and sends them to a remote server, but apparently it's unknown if it keylogs other things too.
She had just performed a full system scan with Avast; I had her scan the single file with Avast once again.
Nothing detected.
I then told her to scan the file with Kaspersky online: nothing detected.
What is happening? Is Avast missing this malware, or is Ad-Aware just being too cautious and producing a false positive?
If, as you say, the file belongs to Acer, then it isn't a case of Avast missing it but possibly Ad-Aware misidentifying it. Which it is, you need to confirm.
You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of Avast (more packers supported) and there are currently over 30 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners there detect it, it is less likely to be a false positive.
As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left-click the blue 'a' icon, click on the provider icon at left and then Customize. Go to the Advanced tab and click on the Add button…
You can use wildcards like * and ?. But be careful: you shouldn't 'exclude' so many files that you leave your system in danger.
After that, please check it periodically: scan it in the Chest by right-clicking the file (there should still be a copy in the Chest even though you restored it to the original location). When it is no longer detected as being infected, you can also remove it from the exclusion list.
What would have been nice is to know what these detections were, as some of those might have been heuristic detections, which are more prone to FPs.
For the VT results, I think eSafe and Ikarus are multi-engine scanners with heuristics also; Panda isn't bad on detection rate, but I don't know anything about VBA32. So the jury is still out, I'm afraid.
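An added helper for the two points made above (check the suspect file against a multi-engine scanner, and weigh named detections differently from heuristic ones). This is example code, not something posted in the thread or shipped by Avast, Ad-Aware or VirusTotal. It hashes the file locally and looks the hash up on the VirusTotal v3 API (so nothing is uploaded); the environment variable name `VT_API_KEY` and the list of "heuristic-looking" name fragments are assumptions, and the embedded report is a constructed sample in the v3 shape, not real scanner output.

```python
"""Added triage helper for a suspected false positive (not from the thread):
hash the file, look it up on VirusTotal by hash without uploading it, and
separate named detections from generic/heuristic ones."""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

# Fragments that, by common vendor naming convention, mark a generic or
# heuristic verdict rather than a specific family. This list is an assumption;
# vendors are free to name things differently.
HEURISTIC_MARKERS = ("heur", "gen", "suspicious", "susp", "agent")

# Assumed environment variable holding a VirusTotal API key.
API_KEY_ENV = "VT_API_KEY"

# Constructed sample in the shape of a VirusTotal v3 file report; engine
# names and verdicts are made up to mirror the thread (not real VT output).
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_results": {
    "Avast":     {"category": "undetected", "result": None},
    "Kaspersky": {"category": "undetected", "result": None},
    "Ad-Aware":  {"category": "malicious",  "result": "Win32.TrojanPWS.Wow"},
    "EngineC":   {"category": "malicious",  "result": "Gen:Heur.Suspicious.1"},
    "EngineD":   {"category": "undetected", "result": None},
    "EngineE":   {"category": "type-unsupported", "result": None},
}}}}


def file_hashes(path, chunk=1 << 20):
    """MD5/SHA-1/SHA-256 of a file, read in chunks so large files are fine."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def is_heuristic(verdict):
    """True when a detection name looks generic/heuristic rather than a family."""
    v = verdict.lower()
    return any(marker in v for marker in HEURISTIC_MARKERS)


def summarize(report):
    """Split a v3 file report into named vs heuristic 'malicious' verdicts."""
    results = report["data"]["attributes"]["last_analysis_results"]
    named, heuristic = {}, {}
    for engine, r in results.items():
        if r.get("category") != "malicious" or not r.get("result"):
            continue  # undetected, unsupported type or timeout: not a detection
        bucket = heuristic if is_heuristic(r["result"]) else named
        bucket[engine] = r["result"]
    return {"engines": len(results), "named": named, "heuristic": heuristic}


def vt_lookup(sha256, api_key):
    """Fetch the v3 file report by hash. Returns None if VT has never seen it."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


if __name__ == "__main__":
    # Usage: python vt_triage.py <file>   (without a file, the sample is used)
    if len(sys.argv) > 1:
        hashes = file_hashes(sys.argv[1])
        print(json.dumps(hashes, indent=2))
        key = os.environ.get(API_KEY_ENV)
        report = vt_lookup(hashes["sha256"], key) if key else SAMPLE_REPORT
    else:
        report = SAMPLE_REPORT
    if report is None:
        print("VirusTotal has no report for this hash; upload it to get one.")
    else:
        print(json.dumps(summarize(report), indent=2))
```

Looking up by hash first is deliberate: it answers "has anyone seen this exact file, and what did the engines call it" without sending a vendor binary anywhere, and a 404 tells you the file is unique to that machine, which is itself useful to know before deciding whether to upload. One named-family verdict from a single engine, alongside a pile of "Gen"/"Heur" names and silence from the rest, is the usual shape of a false positive; several engines agreeing on the same family is not.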
Apparently it was just a false positive (too many coincidences).
I’m glad to say that, once again, Avast! didn’t fail me!
I'm so incredibly satisfied and happy I decided to install this antivirus on my PC and all of my relatives' PCs. I can't help it… each time I think Avast! is good, there he comes and shows me he's even better than I thought he was!
Thanks for the update; I had a suspicion it was probably a false positive. Which just goes to strengthen the fact that all detections should be investigated: never rush to action, never delete, but quarantine, etc., so you can recover from any mis-detections.
I have to say that is one of the quickest responses on the Lavasoft forum; I reported some false detections some time ago, and it took absolutely ages to even get a response, much less a resolution. Looks like they are improving.