Encountered and terminated FAVORIT-NETWORK in C:\WINDOWS\system

[dd1164]

I received message on my computer and found this in the spybot log today:

26/09/2011 3:16:25 PM Encountered and terminated FAVORIT-NETWORK in C:\WINDOWS\system32\osk.exe!

The "on screen keyboard" icon has only been on my computer desktop for 3 days. Is this malware or not? How can I test if it is a problem or a normal process?

[imageek]

Upload the file to www.virustotal.com and check if it's a real malware or not.

Best regards,
Imageek

[tashi]

Hi there,

Also found this topic from 2008: http://forums.spybot.info/showthread.php?t=24981

After you have done as imageek suggested please let us know the result.

Best regards.

[dd1164]

The analysis showed the following:

MD5: 02972e153c4633be999d8f5890bea71e
Date first seen: 2009-02-15 20:51:49 (UTC)
Date last seen: 2011-09-18 17:36:26 (UTC)
Detection ratio: 0/44
What do you wish to do?

Is that an all clear?

[dd1164]

I reanalysed it and it came back as 0/44, which sounds like an all clear to me.

My son placed the on-screen keyboard onto the desktop from applications, so it didn't just appear. However, if it is not malicious, why was it detected by spybot.

Here is the result from VirusTotal:

Antivirus Version Last Update Result
AhnLab-V3 2011.09.26.01 2011.09.26 -
AntiVir 7.11.15.44 2011.09.26 -
Antiy-AVL 2.0.3.7 2011.09.26 -
Avast 4.8.1351.0 2011.09.26 -
Avast5 6.0.1289.0 2011.09.26 -
AVG 10.0.0.1190 2011.09.26 -
BitDefender 7.2 2011.09.26 -
ByteHero 1.0.0.1 2011.09.23 -
CAT-QuickHeal 11.00 2011.09.26 -
ClamAV 0.97.0.0 2011.09.26 -
Commtouch 5.3.2.6 2011.09.26 -
Comodo 10252 2011.09.26 -
DrWeb 5.0.2.03300 2011.09.26 -
Emsisoft 5.1.0.11 2011.09.26 -
eSafe 7.0.17.0 2011.09.26 -
eTrust-Vet 36.1.8582 2011.09.26 -
F-Prot 4.6.2.117 2011.09.26 -
F-Secure 9.0.16440.0 2011.09.26 -
Fortinet 4.3.370.0 2011.09.26 -
GData 22 2011.09.26 -
Ikarus T3.1.1.107.0 2011.09.26 -
Jiangmin 13.0.900 2011.09.26 -
K7AntiVirus 9.113.5195 2011.09.26 -
Kaspersky 9.0.0.837 2011.09.26 -
McAfee 5.400.0.1158 2011.09.26 -
McAfee-GW-Edition 2010.1D 2011.09.26 -
Microsoft 1.7702 2011.09.26 -
NOD32 6496 2011.09.26 -
Norman 6.07.11 2011.09.26 -
nProtect 2011-09-26.02 2011.09.26 -
Panda 10.0.3.5 2011.09.26 -
PCTools 8.0.0.5 2011.09.26 -
Prevx 3.0 2011.09.26 -
Rising 23.77.00.02 2011.09.26 -
Sophos 4.69.0 2011.09.26 -
SUPERAntiSpyware 4.40.0.1006 2011.09.26 -
Symantec 20111.2.0.82 2011.09.26 -
TheHacker 6.7.0.1.311 2011.09.26 -
TrendMicro 9.500.0.1008 2011.09.26 -
TrendMicro-HouseCall 9.500.0.1008 2011.09.26 -
VBA32 3.12.16.4 2011.09.26 -
VIPRE 10591 2011.09.26 -
ViRobot 2011.9.26.4689 2011.09.26 -
VirusBuster 14.0.234.0 2011.09.26 -
Additional information
Show all
MD5 : 02972e153c4633be999d8f5890bea71e
SHA1 : 522426fe77d3e93d96a63310aa0d71193c78909b
SHA256: de35aafaeec9a73fa2f2921073439809ef2b06281d2d637284aef5ae7dbe421b
ssdeep: 6144:VVgvM5lwxS7wwEA/QHtNfaPnkxS7kdA0iRtsGhr9:IvuloS7zEAoHLiPcS7N0Uaa
File size : 215552 bytes
First seen: 2009-02-15 20:51:49
Last seen : 2011-09-26 20:44:08
TrID:
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: On-Screen Keyboard
original name: osk.exe
internal name: osk
file version.: 5.1.2600.5512 (xpsp.080413-2105)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1A9F1
timedatestamp....: 0x4802529C (Sun Apr 13 18:36:12 2008)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x1AEF2, 0x1B000, 5.96, fd0e3bb11e5e0214b47a093dd766f4ef
.data, 0x1C000, 0x2FA8, 0x2E00, 2.00, 22fe86a71af738a2bfc9bd0d52eee1be
.rsrc, 0x1F000, 0x16650, 0x16800, 4.34, 4e312a52c1399be31fee18ced3548de1

[[ 11 import(s) ]]
msvcrt.dll: _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, _controlfp, _initterm, __getmainargs, _acmdln, exit, _cexit, __setusermatherr, _XcptFilter, _exit, _c_exit, wcscpy, _wcsicmp, free, _ftol, malloc
ADVAPI32.dll: RegOpenKeyExA, RegQueryValueExA, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, InitializeAcl, AddAccessAllowedAce, SetSecurityDescriptorDacl, RegCreateKeyExW, RegQueryValueExW, RegSetValueExW, RegCloseKey, AllocateAndInitializeSid, FreeSid, OpenThreadToken, OpenProcessToken, GetTokenInformation, CheckTokenMembership
KERNEL32.dll: lstrlenW, GetSystemWindowsDirectoryW, LocalFree, LocalAlloc, GetCurrentProcess, GetLastError, GetCurrentThread, GetProcAddress, CloseHandle, lstrcmpiW, WaitForMultipleObjects, CreateThread, GetCurrentThreadId, OpenEventW, CreateEventW, SetEvent, CreateMutexW, SetLastError, GetCommandLineW, GetWindowsDirectoryW, lstrcmpW, ExitProcess, GetVersionExW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, lstrcatW, GetNumberFormatW, lstrcpyW, LoadLibraryA
GDI32.dll: CreateFontIndirectW, CreatePenIndirect, SetTextColor, BitBlt, SetBkColor, CreateSolidBrush, CreateCompatibleDC, SetMapMode, TextOutW, GetTextMetricsW, SetBkMode, RealizePalette, SelectPalette, GetObjectW, StretchBlt, CreateBitmap, DeleteDC, CreateRoundRectRgn, SelectObject, Polyline, DeleteObject
USER32.dll: FindWindowW, MapVirtualKeyW, GetAsyncKeyState, GetMenu, SetTimer, SendMessageW, GetDlgItem, EndDialog, LoadStringW, EnableWindow, MessageBoxW, DialogBoxParamW, IsWindow, GetKeyboardLayout, GetWindowThreadProcessId, wsprintfW, CheckDlgButton, GetClientRect, DestroyWindow, InvalidateRect, WinHelpW, GetKeyboardType, SetClassLongW, RegisterClassW, GetClassInfoW, LoadCursorW, CreateWindowExW, GetSystemMetrics, SetWindowPos, SetWindowLongW, GetKeyState, wsprintfA, DrawIconEx, LoadImageW, SetWindowRgn, ToUnicodeEx, LoadIconW, GetWindowLongW, GetSysColor, ReleaseDC, GetDC, MapVirtualKeyExW, CloseDesktop, GetUserObjectInformationW, OpenDesktopW, OpenInputDesktop, PostMessageW, SetThreadDesktop, GetThreadDesktop, EndPaint, BeginPaint, DefWindowProcW, SetProcessWindowStation, OpenWindowStationW, GetProcessWindowStation, CloseWindowStation, MoveWindow, GetDesktopWindow, GetWindowRect, AllowSetForegroundWindow, SetForegroundWindow, GetForegroundWindow, ShowWindow, IsIconic, DispatchMessageW, TranslateMessage, GetMessageW, UpdateWindow, RegisterWindowMessageW, KillTimer, EnableMenuItem, CheckMenuRadioItem, CheckMenuItem, ReleaseCapture, SetCapture, SetCursor, ChildWindowFromPointEx, ScreenToClient, GetCursorPos, PostQuitMessage, SendInput, ActivateKeyboardLayout
MSSWCH.dll: -, -, -, -, -, -, -, -
comdlg32.dll: ChooseFontW
WINMM.dll: PlaySoundW
SHELL32.dll: -, ShellExecuteW
COMCTL32.dll: -
ole32.dll: CoUninitialize, CoInitialize
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 110592
CompanyName: Microsoft Corporation
EntryPoint: 0x1a9f1
FileDescription: On-Screen Keyboard
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 210 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 5.1.2600.5512 (xpsp.080413-2105)
FileVersionNumber: 5.1.2600.5512
ImageVersion: 5.1
InitializedDataSize: 104448
InternalName: osk
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 7.1
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
ObjectFileType: Executable application
OriginalFilename: osk.exe
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 5.1.2600.5512
ProductVersionNumber: 5.1.2600.5512
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2008:04:13 20:36:12+02:00
UninitializedDataSize: 0

[tashi]

Hello dd1164,

Could you start a topic in the False Positives forum please providing a link back to this thread.

First see How to report Possible False Positives

Best regards.