CRC and Changed Program

Discussion in 'Trojan Defence Suite' started by gorgelink, Apr 3, 2005.

Thread Status:
Not open for further replies.
  1. gorgelink

    gorgelink Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    49
    I sure hope someone can help me ...:eek:((

    Yesterday I installed a totally legitimate program (SmartFTP, downloaded from their own Web site, checked and cross checked by NAV, TDS Anti-Trojan, and Adaware - it's clean).

    Immediately after I installed SmartFTP, I received an alert from my ZoneAlarm firewall that WINLOGON.EXE is changed.

    I checked winlogon.exe in the Windows/System32 folder. It has not changed since September 2004. TDS tells me that the CRC is OK.

    I checked winlogon.exe with NAV, TDS Anti-Trojan - nada. It is not infected.

    If winlogon.exe has not changed (according to its CRC check) - why the alert? Can the CRC check be wrong?

    Thank you very much for a great forum!

    Gorgelink
    Operating System: Windows XP Pro
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there Gorgelink and welcome!
    When you click in Zonealarm on the Alerts > Programs > look if winlogon.exe is in the blocked/allowed list, if so click more info, any info on that?
    Or Zonealarm > Programs > is it there in the list or the components list there?
    You could also upload it at www.kaspersky.com/remoteviruschk and submit the file to submit@diamondcs.com.au to have lots of extra checks.
    Maybe you saw settings changes for the program, not changes in the file itself?
     
  3. gorgelink

    gorgelink Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    49
    Hi, Jooske,

    Thank you for the best anti-Trojan ever and for the kindliest and friendliest forum.

    Kaspersky confirms that the file is clean (OK).

    The most amazing thing:

    My ISP runs a multicast. When Winlogon NT tries to send a packet (using the Generic Host Process-GHP) to the multicast IP, ZoneAlarm regards winlogon.exe as CHANGED.

    When Winlogon NT tries to send a packet (again using the Generic Host Process) to my ISP's IP (not to the multicast) - ZoneAlarm considers it to be a NEW or REPEAT program.

    Of course, the file does not really change at all! It is exactly the same.

    Thank you for holding my hand. Modern computing can be nerve-wracking ...:eek:))

    Sam
     
  4. gorgelink

    gorgelink Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    49
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    All links go to the same page, as long as you get that file scanned! :)
    I don't remember the Jotti site, it's mentioned all over in the forum (but euhmm where again?) and on my blogpage.


    The firewall part is exactly something for CrazyM and others who might be able to explain exactly that part how and what and why.

    Maybe ZA calculates checksums, considers it changed or new and there is your warning.
     
  6. gorgelink

    gorgelink Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    49
    Hi, Jooske,

    Indeed, ZA checks the MD5 Hash.

    You have been of great help. Many thanks!

    Gorgelink
     
  7. J at A

    J at A Guest

    It's me, FanJ (not at home at the moment).

    As for this file:
    C:\WINDOWS\system32\winlogon.exe
    I calculated its MD5 checksum (using Karen's Hasher) on a Dutch XP-SP2 system:
    732ED791711DF9C9DD15E5515BC681B8

    I don't have here TDS-3 (I would love to have it here on a friend's system, but alas the time that I could afford buying programs for others is history.....).

    To me that warning (that Gorgelink got from ZA) looks at the moment more a ZA issue than a TDS-3 issue.

    Cheers, Jan.
     
Thread Status:
Not open for further replies.