November 13th, 2002, 04:12 AM
Strange sigverif.exe behavior
I've been brushing up on some Win2K certification stuff preparing to sit for some exams. This evening while going through some excercises from M$ course 2152bc (and notes from class) on a lark I ran sigverif.exe on my Windows XP Professional install on my laptop.
My install isn't running anything special by any stretch of the imagination, I run Norton Anti-Virus Corporate 8.0 with near daily sig file updates and the like... the only "non standard" piece of hardware I have is a cheap 802.11b wireless card from Hawking Technologies.
Anyway... I've attached a screen shot of the results of sigverif - make a note of that very first entry for a file named check.exe in c:\windows\system32
I've looked high and low trying to find this file on my machine, to no avail. I've forced explorer to show hidden and protected system files, and searched via the command line and am still not finding it. Any idea what this file is, where it came from, what it does, or why I can't ferret out more information on it?
Hoping for some off chance of a correlation I just ran into the other room and ran sigverif on the wife's WinXP Pro workstation... not a single unsigned file in her case. I'm stumped.
I did a google for check.exe just for grins, and found this reference that _could_ indicate virus activity I guess. http://www.vsantivirus.com/fbound-b.htm although not in english.
November 13th, 2002, 04:26 AM
Do you have a flashdisk? One other match on Google was this: "To disable the write protection, run CHECK.EXE (not CHKDSK) from the DOS prompt on your Palmtop. CHECK.EXE is a utility program that comes with HP FlashDisks. It should still be on the compressed portion of your flashcard. If you can't find it there, check the floppy disk that came with the FlashDisk."
Not sure if that helps!
Or, along the same lines you looked at already, page 2 of the google search for "check.exe" has the Symantec virus definition in English :-)
November 13th, 2002, 04:36 AM
Compact Flash Reader
Hrm... I think you might actually have it right.
I _do_ have a CompactFlash reader, it's a PCMCIA card I use to pull the 256MB CF card out of the digital camera and move images off quicker than USB with and such. (And I never forget the card, unlike that damned cable.)
This one is by SanDisk, but I haven't a clue who actually manufactures it... just threw a piece of CF in the slot, read files and such, and then looked to see if the check.exe file is around. Still not there, although sigverif still reports it. (Minus any details about the file other than the path to it.)
I'm starting to think this could be a stream perhaps...
Will prolly dig deeper on it tomorrow - gonna hit the books some more.
Thanks for the imput - will keep all interested posted on my findings.
November 13th, 2002, 05:21 AM
From what I saw in the article, the check.exe file resides on the actual Flashcard. HTH
November 13th, 2002, 05:29 AM
Ruling out the CompactFlash card reader
Given your comment about the file being stored on the card, I'd say that rules it out as the source of the annomilous (sp?) behavior.
This has certainly piqued my curiosity. I think I'll let this sit for the night, and if nobody else has good poop to offer on it I'll throw it out to some other locations for comment as well.
Thanks Bluebeard - your imput is appreciated.
November 13th, 2002, 05:46 AM
Just ran sigverif on my XP Pro laptop, which had a fresh re-install last week... No check.exe to be found. Did a search of the HDD, and NPSCHECK.EXE is the closest I have, which is a Norton file.
That file does not show up in sigverif, which means XP doesn't consider it "critical". Remember, sigverif has to do with "critical" system files, not every exe on the machine. I would take a hard look at that Symantec posting, rather than the CF card.
My .02 (Australian).
Put down the mouse......Step away from the keyboard!