filechecker massive false positives?

Discussion in 'FileChecker & ID-Blaster Forum' started by pin, Jan 26, 2003.

Thread Status:
Not open for further replies.
  1. pin

    pin Registered Member

    Joined:
    Nov 4, 2002
    Posts:
    116
    hey, something strange happened.. here's the situation.

    i installed a game and new video drivers. later on avg told me i got a trojan infection in my mirc. so i deleted it (mirc.exe) and did a fullwide scan with avg, came up all clean.

    edit: turns out the file it found may have been a false positive for avg that came with doing a definitions update:
    http://forums.techguy.org/t114558/s223061332ed24fee25ecc67a381f9cf8.html

    later on, i installed a codec pack. now filechecker is set to check every 60 minutes. now much later than 60 minutes after the install of the codec pack, filechecker starts telling me that every file that i have listed to be monitored has been edited, including my virus scanners, firewall, explorer, etc. checking the win.ini file did suggest some stuff from the codec was put in there i think. but ALL of the files being edited? i was suspicious there was a bug in filechecker so i ran msinfo32 on my XPhome machine and did a file verification. also i did a norton scan on those changed directories, and another avg scan. also the cleaner. all came up clean. so it seems like an error.

    everything seems to be running fine except for tcactive (the realtime monitor of moosoft's cleaner, which went ape and i shut it down).

    filechecker seems to have generated all these false positives.. any advice on what to do now? i am wondering if either the game or the codec pack or the video drivers or the avg update somehow caused filechecker to burp like that..
     
  2. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    There are many possibilities.

    But to diagnose any possible causes, I would need to know exactly what FileChecker told you was changed in those files. I'm guessing (since you said 60 minutes went by) that it was a checksum change?

    Best regards,

    -Javacool
     
  3. pin

    pin Registered Member

    Joined:
    Nov 4, 2002
    Posts:
    116
    hm although my log is now deleted (replaced by another log), if i remember correctly, they were indeed checksum changes (the last-dates seem to be the same, none of the files were deleted i think).

    here's something else i didn't say: the codec pack apparently came with a little virus scanner in the installer which i stopped in midscan because, well, i just didn't trust it. the codec pack is here:

    ftp://ftp.vein.hu/pub/windows/utils/media/codecs/ACEMCP501PROXP.EXE

    then a while later i started getting the FC notices.

    sorry i don't have any more info!
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Javacool and Pin....i thought i would ask in this thread because it seemed very similar to what i am experiencing, like what Pin said about FileChecker reporting every file in the list as having a Checksum Change.

    i haven't updated any drivers or anything though. But what seems to be triggering FileChecker to pop up warnings is Winamp for me. It starts with the winamp.ini saying there is a checksum change (this file has been edited), file size change, then a modified-date change warning.

    Sometimes it will only be for winamp.ini and winamp.exe, but usually it ends up going through several of the files i have listed in FileChecker, sometimes all of them, and just displaying the Checksum Changed warning.

    This has been happening since about Feb 16 when i took the first screen capture of the warnings, and usually shortly after i close winamp. But this morning when i had winamp open and playing a CD, it happened again but this time "while" winamp was still playing and i got the warnings for almost every file listed in FC.

    The only way i am able to stop it from popping up the warnings is to turn FC off when i want to play winamp. :( It doesn't happen with any other program that i have noticed.

    The other night when it happened, i went to click on FC in the systray to close it, and received the attached error message. i clicked on the OK, and FC disappeared from the systray. i reopened it again and all was ok. i have had FileChecker v1.7, since last Dec without any problems at all, and never any of these warnings or error messages. (i haven't updated winamp or anything...it is still v2.81 and i've had it since Mar/02, and winamp is blocked by Sygate from calling home)

    i don't know if there are any similarities between what i am experiencing and what Pin has mentioned....but when i saw the word "codec"...i thought about how it happens when i play my winamp. There must be some connection there?

    best regards,

    snap
     

    Attached Files:
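
An added example, not part of the thread and not FileChecker's own code: a small baseline check that reports, per file, which of the three attributes named in the posts above (checksum, size, modified date) differs, and appends each result to a log instead of replacing the previous one. The function names, file names and log format are hypothetical, and the sample files are constructed in a temporary directory.

```python
import hashlib, json, os, tempfile, time

ATTRS = ("checksum", "size", "mtime")

def snapshot(paths):
    """Record SHA-256, size and mtime for each monitored file (None if absent)."""
    snap = {}
    for p in paths:
        try:
            st = os.stat(p)
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            snap[p] = {"checksum": digest, "size": st.st_size, "mtime": st.st_mtime_ns}
        except FileNotFoundError:
            snap[p] = None
    return snap

def compare(baseline, current):
    """Return {path: [attributes that differ]} for files that no longer match."""
    report = {}
    for p, old in baseline.items():
        new = current.get(p)
        if old is None or new is None:
            if old != new:
                report[p] = ["missing" if new is None else "created"]
        elif any(old[k] != new[k] for k in ATTRS):
            report[p] = [k for k in ATTRS if old[k] != new[k]]
    return report

def append_log(log_path, report):
    """Append one JSON line per check so earlier results are never overwritten."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps({"time": time.time(), "changes": report}) + "\n")

def demo():
    """Constructed sample: one file edited, one only re-dated, one untouched."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("sample.ini", "touched.dat", "same.bin")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"volume=10\n")
    base = snapshot(paths)
    with open(paths[0], "ab") as f:
        f.write(b"skin=dark\n")                       # content and size change
    for p in paths[:2]:                               # move mtime forward two seconds
        os.utime(p, ns=(base[p]["mtime"], base[p]["mtime"] + 2 * 10**9))
    report = compare(base, snapshot(paths))
    append_log(os.path.join(d, "checks.log"), report)
    return {os.path.basename(p): changed for p, changed in report.items()}
```

A file that shows only "mtime" was re-dated without its content changing, while "checksum" together with "size" means the bytes themselves differ; the appended log keeps that detail available for a later diagnosis.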
