CRC and Changed Program

I sure hope someone can help me ...((

Yesterday I installed a totally legitimate program (SmartFTP, downloaded from their own Web site, checked and cross checked by NAV, TDS Anti-Trojan, and Adaware - it's clean).

Immediately after I installed SmartFTP, I received an alert from my ZoneAlarm firewall that WINLOGON.EXE is changed.

I checked winlogon.exe in the Windows/System32 folder. It has not changed since September 2004. TDS tells me that the CRC is OK.

I checked winlogon.exe with NAV, TDS Anti-Trojan - nada. It is not infected.

If winlogon.exe has not changed (according to its CRC check) - why the alert? Can the CRC check be wrong?

Thank you very much for a great forum!

Gorgelink
Operating System: Windows XP Pro

 

Hi there Gorgelink and welcome!
When you click in Zonealarm on the Alerts > Programs > look if winlogon.exe is in the blocked/allowed list, if so click more info, any info on that?
Or Zonealarm > Programs > is it there in the list or the components list there?
You could also upload it at www.kaspersky.com/remoteviruschk and submit the file to submit@diamondcs.com.au to have lots of extra checks.
Maybe you saw settings changes for the program, not changes in the file itself?

 

Hi, Jooske,

Thank you for the best anti-Trojan ever and for the kindliest and friendliest forum.

Kaspersky confirms that the file is clean (OK).

The most amazing thing:

My ISP runs a multicast. When Winlogon NT tries to send a packet (using the Generic Host Process-GHP) to the multicast IP, ZoneAlarm regards winlogon.exe as CHANGED.

When Winlogon NT tries to send a packet (again using the Generic Host Process) to my ISP's IP (not to the multicast) - ZoneAlarm considers it to be a NEW or REPEAT program.

Of course, the file does not really change at all! It is exactly the same.

Thank you for holding my hand. Modern computing can be nerve-wracking ...))

Sam

 

Hi, Jooske,

Just one question:

Is this the right URL?

http://www.kaspersky.com/remoteviruschk

Or this:

http://www.kaspersky.com/remoteviruschk.html

Or this:

http://www.kaspersky.com/scanforvirus

Thanks.

Sam

 

All links go to the same page, as long as you get that file scanned!
I don't remember the Jotti site, it's mentioned all over in the forum (but euhmm where again?) and on my blogpage.


The firewall part is exactly something for CrazyM and others who might be able to explain exactly that part how and what and why.

Maybe ZA calculates checksums, considers it changed or new and there is your warning.

 

Hi, Jooske,

Indeed, ZA checks the MD5 Hash.

You have been of great help. Many thanks!

Gorgelink

 

It's me, FanJ (not at home at the moment).

As for this file:
C:\WINDOWS\system32\winlogon.exe
I calculated its MD5 checksum (using Karen's Hasher) on a Dutch XP-SP2 system:
732ED791711DF9C9DD15E5515BC681B8

I don't have here TDS-3 (I would love to have it here on a friend's system, but alas the time that I could afford buying programs for others is history.....).

To me that warning (that Gorgelink got from ZA) looks at the moment more a ZA issue than a TDS-3 issue.

Cheers, Jan.