acer\mobilityservices\file infected

[612163]

Hello, for the past few days I have been getting a red box message from Avast to say that I have a rootkit virus   SVC:mobilityservice win32:evo-gen(susp) and each time I say delete the file and then run the root scan. The first time I ran the root scan I did have 2 files shown as suspect so I deleted them, but I am still getting frequent red box messages with the same error message. Only once when I ran the avast quick scan did I get an error which again pointed to the mobilityservice file, so again I deleted it but have still been getting the red box message so I guess there is something else causing the problem. I have found and followed the text on the Avast forum on how to create logs for sending. I would appreciate any help possible as I appear to be running round in circles chasing this problem. Would a system restore to a point before the problem be any good at solving it ?   

[essexboy]

Could you upload this file to Avast as a false positive please C:\Acer\Mobility Center\MobilityService.exe

Click a blank space in the Avast virus chest
Select Add
Navigate to the file and select it
Once it is in the chest right click the file and select "Send to virus labs"

[612163]

Thanks for your reply, I have now uploaded the Mobility Service Exec to the virus labs, unfortunately I sent it first as potential malaware before re reading your post, so have now sent marked as false positive. Is there anything else I can do at the moment ? I am refraining from using the computer for anything important until sure.

[Pondus]

You can upload and test the file at www.virustotal.com  if tested before click new scan
Post link to scan result here.

[essexboy]

Nothing to do now but wait, hopefully it will be resolved fairly soon

[612163]

Hi, have done as requested, here is a link https://www.virustotal.com/en/file/5169c787b005c73d923160e1946f677705e1c65357b036c0b7c6f7f2fee56b44/analysis/

it looks like it had already been submitted, here was the text
SHA256:   5169c787b005c73d923160e1946f677705e1c65357b036c0b7c6f7f2fee56b44
SHA1:   fa1c01df4bcc1ce2b8efba8d5264657b86ed49ca
MD5:   1e9e656d0a0796f3ede8cd9eb029bce9
File size:   120.0 KB ( 122880 bytes )
File name:   file-6001860_exe
File type:   Win32 EXE
Tags:   peexe assembly
Detection ratio:    0 / 48
Analysis date:    2013-09-22 10:14:18 UTC ( 5 hours, 16 minutes ago )
0 0


I am still getting the red box alerts but does this mean that I can ignore them and that I do not really have an infection in mobility service exec ?.
Is it safe to resume normal use of the computer ?
Thanks very much for your help, much appreciated. 

[essexboy]

Yes ignore them or click the add to exclusions.  This is using the new evogen detection system..  A kind of heuristics so there are bound to be some false positives.  As you have now uploaded it, it should get fixed soon 

[612163]

Thanks for all your help yesterday, the problem now seems to be clear, I haven't had any messages since yesterday afternoon. The one thing that puzzles me is that one of the scans (aswmbr)  had the following line
 
10:29:35.724    Service MobilityService C:\Acer\Mobility Center\MobilityService.exe **INFECTED** Win32:Evo-gen

is this due to the false positive in avast and not really infected ?   sorry for my lack of know how in this.
regards

[essexboy]

AswMBR uses the Avast virus data base if it is installed, so it would see the same false positive