what to do when you get notified by "filechecker" of changes with files?

Discussion in 'FileChecker & ID-Blaster Forum' started by wyx, Apr 23, 2003.

Thread Status:
Not open for further replies.
  1. wyx

    wyx Registered Member

    Joined:
    Apr 23, 2003
    Posts:
    4
    what to do when you get notified by "filechecker" of changes with files?

    mxpx
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi wyx,

    Welcome at Wilders. :)

    Can you tell us what file was reported as changed and what you were doing at the time?

    Regards,

    Pieter
     
  3. wyx

    wyx Registered Member

    Joined:
    Apr 23, 2003
    Posts:
    4
    i lost the logs but if i remembered it right, every file on the check list was allegedly changed "checksum change" etc. i just read a thread from "pin" and the case was similar to mine. if ever i got a malicious prog running up my sys that can't be detected by norton or spybot can it be the culprit on changing those files checksums or what? i have this suspicious prog occasionally trying to connect to the internet, i can't read the properties, and can't determine the location with zonealarm pro. it says it is not a valid file. :( can't figure it out. i had the suspicion that i got from sygate's site "test your firewall" feature. .. i think, i am not sure tho. just try out sygate and have your firewalls tested.
    ah.. if ever i got checksum changes. what to do?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Well, you're doing the right thing now. :)
    Trying to find out what's happening.
    Let's find out what is running and starting on your computer first.
    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Regards,

    Pieter
     
  5. wyx

    wyx Registered Member

    Joined:
    Apr 23, 2003
    Posts:
    4
    Logfile of HijackThis v1.93.0
    Scan saved at 11:46:36 PM, on 4/23/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://geocities.com/a1telecoms"); (C:\Documents and Settings\me\Application Data\Mozilla\Profiles\default\aas3lsdg.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\me\Application Data\Mozilla\Profiles\default\aas3lsdg.slt\prefs.js)
    O2 - BHO: Powermarks - {6172E460-FAE3-11D2-B494-004005A47AAA} - C:\PROGRA~1\POWERM~1.5\iec.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - Startup: YahooPOPs.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .asp: D:\Program Files\Opera7\PLUGINS\NPFgc1.dll
    O12 - Plugin for .exe: C:\Program Files\Opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .zip: D:\Program Files\Opera7\PLUGINS\NPFgc1.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37725.504537037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. wyx

    wyx Registered Member

    Joined:
    Apr 23, 2003
    Posts:
    4
    there you go. everything is there. i can feel my soul.. naked :p
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Sorry to keep you exposed like that. :)
    Feel free to delete the list if you want. No malware in there.
    I'm not familiar with the Netscape home- and search-pages, but I guess you would have mentioned it if they were different from what you wanted.
    Your startups are short and sweet (AV + firewall)
    This one looks a bit awkward:
    O4 - Startup: YahooPOPs.lnk = ?
    File missing?
    Did you check your Event logs if there were any mentionable errors just before FileChecker alerted you?

    Regards,

    Pieter
     
  8. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    FileChecker is just a file "watcher" - it currently doesn't offer the option to replace changed/altered files with known clean backup copies.

    If something does happen, you should probably scan your system with an up to date anti-virus program, and look for any unusual changes. You can also report it here (with a copy of your FileChecker log, hopefully) and I can take a look at it, assuming time permits. :)

    Best regards,

    -Javacool
     
  9. pin

    pin Registered Member

    Joined:
    Nov 4, 2002
    Posts:
    116
    if some of the files that were said changed were windows system files, then it may be a good idea to get a second opinion from MSINFO32's file verification util; it will let you know if your system files have been altered. another way is to open a command (CMD) window and type in sfc /scannow. this will search your system files and replace ones that may be damaged or missing. can't hurt!
     
  10. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    I suppose every Microsoft Update will change those files o_O
     
  11. FanJ

    FanJ Guest

    Hi,

    FileChecker is an absolutely great, real nice program!

    I'll make now some more general remarks about what you could call "file-integrity-checkers".
    These are programs that will give you an alarm in case a file is changed.
    To be able to do that, that file has to be in the database of your "file-integrity-checker".

    A file might have been changed by some program-upgrade which you did by yourself.
    It could also have been caused by some "nasty".

    A "file-integrity-checker" gives you only the alert that a file has been changed.
    It's up to the user, you, to determine whether it was a "legal" change or not.

    In case you are not certain what has caused that change, it is highly recommended to run a full system scan with your AV, AT, anti-spyware-program.

    To make it yourself a bit easier, it is advised to save your logs of your "file-integrity-checker"; assuming that it gives you that option.
    It is also recommended to keep yourself somehow informed about your latest upgrades/updates/downloads.

    I myself use several "file-integrity-checkers".
    I run them very frequently.
    Some "file-integrity-checkers" are able to give you more or less real-time information about changes (that also depends on the OS you are running).
    Other "file-integrity-checkers" do that only on-demand: you have to start them manually somehow.

    Now an example of a mistake by myself:
    I upgraded/updated more than one program.
    My "file-integrity-checker" gave me an alert about a file-change.
    That "file-integrity-checker" was used on-demand.
    It was very difficult, if not impossible, to determine which of those upgrades/updates caused this.

    I hope this gave some more general info.
    I'm sure that Javacool, Joseph, and others can give you more info.
    (PS: you could also have a look at the guidelines for NISFileCheck at the special forum-section at this board. It might give you a bit more in depth info. But please keep in mind that FileChecker from Javacool is more or less a real-time "file-integrity-checker" while NISFileCheck runs only on-demand).
     
  12. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    FanJ,

    I thought that was a pretty good summarization, as it stands! ;) R2, over at DSLR Security Forum was just asking about javacool's program a few days ago. A few comments in line (these are off the top of me head as I'm still in the UK at the moment).
    Yes, this is the critical point. A simple file integrity checking utility simply identifies if a file scanned has changed (assuming it was in the database in the first place). It does not attempt to determine whether the change is 'normal' (as might be the case if one were to check .doc files which have been modified by the user, for instance), whether it is the result of some application update, whether it is a possible case of file corruption, or whether it's the consequence of some malware tampering with the file in question. That requires some further investigation on the user's part, as you suggest below.
    Yep. If reasonably competent AV, AT, anti-spyware, or anti-keylogger utilities (all recently updated, of course) find nothing, it's likely (but certainly not guaranteed) that whatever is responsible for the change is not malware. An initialization file for an application, for example, could be changed simply because you'd modified some settings for the application. An update to the application is almost invariably going to change some files. If neither of these ring a bell with the end-user, then there's always the bogeyman of some sort of file corruption glitch being caused by the machine itself.

    Various file integrity checking utilities work on the basis of one or more intrinsic file properties. File Size, File Date Last Modified, File Version (for most executable files), and some sort of file checksum (which can be anything from a simple CRC-32 to something as exotic as RIPEMD320) are the most likely parameters to be checked; and the file checksum is the most definitive parameter.
    That's another good point. The "on-demand" checkers are good for circumstances in which one prefers to screen a large number of files for modifications relatively quickly. Often this can be done by scheduling the scan for some time when you are unlikely to be using the machine. On slower machines, trying to do the same thing with a "real-time" checker can involve large overhead.

    On the other hand, if being notified immediately when a particular file (or a small number of selected files) has been changed (and possibly finding out what changed it), then the real-time scanners beat the "on-demand" scanners hands down. But it's crucial not to do "real-time" monitoring on too many files concurrently. Albert's File Change Alarm makes this point quite well for a Win 2000 Pro or Win XP machine -- the end-user is literally swamped with a never-ending series of alerts.

    . . . .
     
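The baseline-and-compare approach FanJ and jvmorris describe above, as an added example (not FileChecker's, NISFileCheck's or File Change Alarm's own code): an on-demand checker that records size, last-modified time and a SHA-256 checksum for every file under a directory, saves that as the baseline database FanJ recommends keeping, and classifies a later snapshot as changed (checksum differs), touched (only size or timestamp differs), added or missing. The checksum is treated as the decisive field, as jvmorris notes. The directory layout and file names are constructed for the demo; `demo()` runs the whole cycle in a temporary folder.

```python
"""Minimal on-demand file-integrity checker (added example, not FileChecker's code).

Properties recorded per file: size, mtime, SHA-256. The checksum decides whether
content changed; size/mtime alone only flag a file as "touched".
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record the intrinsic properties a checker compares: size, mtime, hash."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"size": st.st_size, "mtime": st.st_mtime, "sha256": h.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root, keyed by its relative POSIX path."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots; checksum is the decisive field."""
    report = {"changed": [], "touched": [], "added": [], "missing": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new["sha256"] != old["sha256"]:
            report["changed"].append(rel)          # content really changed
        elif new["mtime"] != old["mtime"] or new["size"] != old["size"]:
            report["touched"].append(rel)          # metadata moved, bytes identical
    report["added"] = [rel for rel in current if rel not in baseline]
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict:
    """Constructed scenario: baseline, then a settings edit, a deletion, a new
    file and a timestamp-only touch. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.ini").write_text("debug=0\n")
        (root / "helper.dll").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "readme.txt").write_text("hello\n")

        # Baseline is serialised to JSON, as it would be when saved outside
        # the monitored tree; here it simply round-trips through a string.
        saved = json.dumps(build_baseline(root))

        (root / "app.ini").write_text("debug=1\n")   # same size, new content
        (root / "readme.txt").unlink()               # file removed
        (root / "new.exe").write_bytes(b"MZ")        # file added
        touched = root / "helper.dll"                # timestamp bumped, bytes same
        later = touched.stat().st_mtime + 3600
        os.utime(touched, (later, later))

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only the "changed" entries need an investigation; a "touched" file with an identical checksum is what a reinstall, a backup tool or a defragmenter commonly leaves behind, which is exactly the kind of alert a checker that keys on timestamps alone would raise without cause.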