CRC32 test. False positive?

Discussion in 'Trojan Defence Suite' started by fimoulia, Jul 4, 2005.

Thread Status:
Not open for further replies.
  1. fimoulia

    fimoulia Registered Member

    Joined: Jul 4, 2005
    Posts: 19
    CRC32 test says all the time - File doesn't exist: C:\WINDOWS\System32\regsvr32.exe
    But this file is in its place and always was there. File version 5.1.2600.2180
    Why is this so? Any answer is highly appreciated. :)
     
  2. FanJ

    FanJ Guest

    Hi Fimoulia,

    Can you have a look at your file crcfiles.txt ?
    It is in the subdir Config of your TDS-3 directory.
    Is there a file mentioned:
    %WINSYSDIR%\regsvr32.exe

    What is your Windows version: ME or 98 or NT or 2000 or XP etc etc.

    There is a thread that tells a lot about the CRC32-test:
    https://www.wilderssecurity.com/showthread.php?t=13740

    You will see there for example:
    %WINSYSDIR% this means your Windows\System directory in Windows 95-98-ME and system32 in NT-2000-XP.

    What is the Attr of your file regsvr32.exe ?
    Is it perhaps hidden (h) ?
     
  3. fimoulia

    fimoulia Registered Member

    Joined: Jul 4, 2005
    Posts: 19
    Hello FanJ,

    Thank you very much for the reply. Sorry for not being more detailed in my post. My OS is XPhome SP2. I have an entry %WINSYSDIR%\regsvr32.exe in crcfiles.txt. This file is not hidden by system and it is in C:\WINDOWS\System32 folder. It is a Microsoft(C) Register Server file. Next to its version is the following info: xpsp_sp2_rtm.040803-2158
    I've read your very good and useful article on CRC32 before I posted this thread. ;)
     
  4. FanJ

    FanJ Guest

    Hi fimoulia,

    Thanks for your reply and kind words ! ;)

    Hmmm, it is indeed strange....

    Could you try to replace:
    %WINSYSDIR%\regsvr32.exe
    with:
    C:\WINDOWS\System32\regsvr32.exe
    in your CRCfiles.txt

    I am curious whether that would help.
    Please let us know ;)

    Thanks !
    Cheers, Jan.
     
  5. FanJ

    FanJ Guest

    Another thought, just to be sure about this:

    Could you please check:
    1.
    whether you have the subdir \xDynamic\TDS.data in your TDS-3 directory,
    2.
    and is there a file crc32.bnk in that subdir ?

    In case you don't have that subdir TDS.data in xDynamic, then please make that subdir TDS.data in xDynamic manually.
    Then run the CRC32-test again. Then that file crc32.bnk should be created.
     
  6. fimoulia

    fimoulia Registered Member

    Joined: Jul 4, 2005
    Posts: 19
    Hi Jan,

    Thanks again! Your suggestion about CRCfiles.txt modification didn't help. About subfolder TDS.data in xDynamic folder. It was not there from the beginning but I created it following your advice in your article and file crc32.bnk is there already for a while. ;)
    What I noticed in Attributes of this file is that the square "Hidden" is unchecked but greyed out and unfunctional though the same square in other files is clearly visible and functional. I don't know if it's relevant to the problem. :doubt:
     
  7. FanJ

    FanJ Guest

    Hi fimoulia,

    I guess that might indeed be relevant here; not quite sure however.

    Since I myself have only W98SE, I have asked for help.

    Cheers, Jan.
     
  8. fimoulia

    fimoulia Registered Member

    Joined: Jul 4, 2005
    Posts: 19
    Hi Jan,

    Will wait for more news from you.
    Thank you for taking time and trouble. Your dedication to help people is very much appreciated! :)
    Cheers!..
     
  9. FanJ

    FanJ Guest

    Hi fimoulia,

    Not sure whether this might help, but maybe worth a try (if you have not already done it):

    In Windows Explorer:
    1. Select "Tools" from the menu on top.
    2. Select "Folder Options".
    3. Select the "View" tab.
    4. Scroll down and Select "Show hidden files and folders".
    5. Unselect "Hide extensions for known file types".
    6. Unselect "Hide protected operating system files".
    7. If you get a "warning" prompt, say yes you want to do it anyway.
    8. Click Apply and Ok.

    Cheers, Jan.
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined: Feb 10, 2002
    Posts: 2,080
    Location: Perth, Western Australia
    Very strange, it could be a bug if the file is hidden as Jan mentioned. You can use the command prompt (cmd.exe) to force it to be not hidden, not system, not read-only :

    C:\Windows\System32\> attrib -r -s -h regsvr32.exe
     
  11. fimoulia

    fimoulia Registered Member

    Joined: Jul 4, 2005
    Posts: 19
    Hi Jan, :)

    I've done all that you said but it doesn't help. BTW when I select "Don't show hidden files and folders" this file still shows itself in the folder. Looks like it is not hidden. But this greyed-out square "Hidden" in Attributes looks strange. Perhaps this file is somehow corrupted. :doubt:

    Gavin, :)

    I tried to pass your line in the command prompt (cmd.exe). I am not very familiar with this job. I went to Run_cmd.exe and in the opened window copied your line. But the line is not recognised as a command and flags are not recognised either. :doubt:
     
  12. FanJ

    FanJ Guest

    Hi fimoulia,

    Step 1: Click on the Start Menu

    Step 2: Click on the Run option

    Step 3: Type cmd.exe

    Step 4: Click on the OK button

    Step 5: Type C:\Windows\System32\> attrib -r -s -h regsvr32.exe

    If step 5 does not work for some reason, try this instead:
    attrib -r -s -h C:\Windows\System32\regsvr32.exe


    PS:
    Tutorial for the Command Prompt:
    http://www.bleepingcomputer.com/forums/index.php?showtutorial=76
    Tutorial for the command attrib:
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/attrib.mspx
     
  13. FanJ

    FanJ Guest

    Hi Gavin,

    As far as I know the CRC32-test cannot handle hidden files, at least on my W98SE machine.

    Let us take an example.
    I make a simple test file with Notepad:
    C:\Testing\test.txt
    That file has the attr a.
    I put that file in my crcfiles.txt
    I change that file.
    The CRC32-test has no problem with it:
    [CRC32] -ALERT- File has changed: C:\Testing\test.txt
    Now I change the attr of that file from a to h.
    Now the CRC32-test has a problem:
    [CRC32] File doesn't exist: C:\Testing\test.txt

    Another example is C:\WINDOWS\SYSTEM\WSOCK32.DLL
    I still use the old SockLock from PSC.
    When I enable SockLock’s protection, then the CRC32-test has a problem:
    [CRC32] File doesn't exist: C:\WINDOWS\System\wsock32.dll
    Many years ago, at the old Becky’s forum, I helped some people about this who were also using TDS-3 and SockLock.


    There is also an old thread in the archived NISFileCheck forum:
    https://www.wilderssecurity.com/showthread.php?t=7287


    Hey, I really would like to tell that I absolutely love my TDS-3 !!! :D
    Not any doubt about that !!!
    And I do like the CRC32-feature of it !


    I am a little bit in the dark about that greyed-out square ''Hidden" in Attributes at fimoulia's system :oops:

    Cheers, Jan.
     
  14. fimoulia

    fimoulia Registered Member

    Joined: Jul 4, 2005
    Posts: 19
    Hi Jan, :)

    The family business kept me from posting sooner. Thank you for the links about working with command prompt program (oooh!.. there is so much still to learn!..and so little time...).

    Well, it's like that now. I was able to load command in the command prompt in this way:
    attrib -r -s -h C:\Windows\System32\regsvr32.exe.
    The greyed-out square ''Hidden" in Attributes became normal and functional. CRC32-test found the file and came out clean.

    Then I changed this file to "Hidden" by selecting this square in Attributes. CRC-test came with
    "File doesn't exist: C:\WINDOWS\System32\regsvr32.exe".
    Probably this file was in fact in hidden state and with some kind of bug in it.
    Also looks like CRC32-test has a problem handling hidden files.

    After all this I also looked inside a crc32.bnk file. Each of 29 files in my crcfiles.txt has there some kind of code beneath like:
    C:\WINDOWS\System32\wsock32.dll
    68C733A9
    Except regsvr32.exe. It has no code and it is the last entry in the file.

    My last question (and sorry if it's silly): does this regsvr32.exe file after manipulation in the command prompt remain operational and correct for the system?

    Looks like the topic is done. :)
    Thank you for your fruitful and very kind intervention (Gavin too). :)
    My highest appreciation!!! :)

    It's a great forum! And TDS-3 is fantastic! :)
     
  15. FanJ

    FanJ Guest

    Hi Fimoulia,

    My pleasure !
    I'm glad it is solved !
    All credits for solving your issue should go to Gavin; he came with the solution (big thanks Gavin !!!) :)

    As for the file crc32.bnk :
    Please leave that file alone; not any need to touch that file ! ;)

    As for your question
    "does this regsvr32.exe file after manipulation in the command prompt remain operational and correct for the system?"
    My guess would be: yes to both questions.

    As for whether you want regsvr32.exe to be hidden or not:
    I would say that's up to you.
    You know now how to make it unhidden.
    As you have seen on your system, the CRC32-test can only test it if it is not hidden.
    The choice is up to you what you want.
    On my (old) W98SE system I have it not hidden; (on my W98SE it is in C:\WINDOWS\SYSTEM\ ).

    Yes, I agree: TDS-3 is fantastic! :) :D

    Cheers, Jan.
     
  16. fimoulia

    fimoulia Registered Member

    Joined: Jul 4, 2005
    Posts: 19
    Cheers!!! :)
    Thanks Gavin !!! ;)
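
An added example, not part of the original thread and not TDS-3's code: a CRC32 baseline check that keeps "hidden" separate from "missing", the two states the posts above found reported as one message. The path-then-CRC layout is assumed from the crc32.bnk excerpt quoted in the thread; the function names and status strings are hypothetical.

```python
import os
import re
import zlib

FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit found in st_file_attributes

def crc32_of(path):
    """CRC32 of the file contents as 8 upper-case hex digits."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return f"{crc & 0xFFFFFFFF:08X}"

def parse_bank(text):
    """Assumed layout: a path line followed by its CRC line.
    A path with no CRC line after it maps to None."""
    bank, pending = {}, None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if pending is not None and re.fullmatch(r"[0-9A-Fa-f]{8}", line):
            bank[pending], pending = line.upper(), None
            continue
        if pending is not None:
            bank[pending] = None
        pending = line
    if pending is not None:
        bank[pending] = None
    return bank

def check(path, expected):
    """Return (status, hidden); the hidden flag never decides the status."""
    try:
        st = os.stat(path)  # succeeds for hidden files too
    except FileNotFoundError:
        return ("MISSING", False)
    hidden = bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)
    if expected is None:
        return ("NO_BASELINE", hidden)
    return ("OK" if crc32_of(path) == expected else "CHANGED", hidden)

if __name__ == "__main__":
    # Constructed sample: the first entry is the pair quoted in the thread,
    # the second has no CRC line, like the regsvr32.exe entry described there.
    sample = ("C:\\WINDOWS\\System32\\wsock32.dll\n68C733A9\n"
              "C:\\WINDOWS\\System32\\regsvr32.exe\n")
    for path, crc in parse_bank(sample).items():
        print(path, crc, *check(path, crc))
```

On Windows the second tuple element is True for a file carrying the hidden attribute, so a report can say "hidden, CRC not verified" instead of "doesn't exist".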
     