program or website to verify "known good" MD5 of sys or DLL files?

Discussion in 'other security issues & news' started by LuckMan212, Nov 6, 2008.

Thread Status:
Not open for further replies.
  1. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Hello,
    I am fighting with a strange problem with errors in my Vista x64 event log (ID:3002):
    "Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system."

    I have not had any adverse effects from this but it has me worried and a bit obsessed. I have completed a SFC scan of the system using an Administrative command prompt, result:

    C:\Windows\system32>sfc /verifyonly
    Beginning system scan. This process will take some time.
    Beginning verification phase of system scan.
    Verification 100% complete.
    Windows Resource Protection did not find any integrity violations.


    I have also scanned my entire filesystem for tcpip.sys and computed the MD5 sums of all results:

    C:\Windows\System32\drivers\tcpip.sys : 8e041924441ff8755e5b4f135c8c3767
    C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18000_none_0f3cadd61ec3b22c\tcpip.sys : 7a1183fbb802f5abad7fa18bc67e0858
    C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18063_none_0efecf2c1ef1a5d7\tcpip.sys : 8e041924441ff8755e5b4f135c8c3767
    C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22167_none_0f8c6d1f380baafd\tcpip.sys : f10a60005fb50698e33a1940c6ebb010
    C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18063_none_0efecf2c1ef1a5d7_tcpip.sys_3339bd51 : 8e041924441ff8755e5b4f135c8c3767


    My tcpip.sys contains a valid digital signature:
    http://img87.imageshack.us/img87/8618/sshot1cx9.png

    Searching the web for those MD5 hashes or for a site/program that can verify them against a "known good" I came up empty. Can anyone with a fully-patched Vista x64 (SP1) verify these for me, or help me out with a way to 100% confirm that these tcpip.sys files are not hijacked/infected in some way? Is there a good reliable way to do this?
     


  2. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    If you downloaded from a site does that site's numbers match these (assuming the download page of the site has them listed)?

    Also, not sure if you have this little context menu add-on, but it is handy for me sometimes and works in my Vista, although x32.

    http://beeblebrox.org/hashtab/
     
  3. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    I did not 'download' tcpip.sys - it is part of the operating system. The reason for the different versions present on my system, I presume, is the patches/updates released by Microsoft via Windows Update. I am familiar with the HashTab extension (I used to use it) and while it is very good, I ran some speed tests on large files and found that the febooti FileTweak extensions are faster (by 2-3x), offer additional features as well (hex editor, file attribute modifications etc.) and also run native 64-bit.

    But I don't want to get off-topic. Back to the original question: is there a website or program that verifies local system files (dlls/ocx/sys/etc) against known-good hashes?
     
  4. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Sorry, I should have read your post more closely.
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Beyond SFC, I know of no alternative way to verify system files. I stopped obsessing a long time ago over Vista's tcpip.sys hash-related event log errors. For me, those errors have appeared occasionally on various machines since Vista's release candidates. I would ignore them. Here's the most useful explanation I've read on the subject: Discuss: Windows Security Log Event ID 5038.

    Nick
     
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Could uploading the file to Virus Total be of any use, as you can recheck the MD5 under "Additional Information"?

    Below is from my Vista 32 bit.
     
  7. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi,

    SecCheck: http://mynetwatchman.com/tools/sc/

    You have with SecCheck: Text report (with file SHA1 dump), XML report (dll's description with SHA1), Hash analysis.

    Don't forget: Forum software & services; thread Your NEW BEST Free Softwares ... #90 ... It's for you!
     
    Last edited: Nov 7, 2008
  8. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    Besides the other suggestions, you might find http://fileadvisor.bit9.com useful for the purpose in question... you can search by file name, MD5 hash or SHA1 hash...

    Also, the valid digital signature from Microsoft suggests it's fine...
     
    Last edited: Nov 7, 2008
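The two checks the replies point at (look the hash up against a known-good list, and confirm the Microsoft Authenticode signature) can be scripted together. This is an added example, not code from the thread or from any of the tools named in it; it assumes Windows PowerShell 4 or later for Get-FileHash, and the known-good MD5 list is a placeholder you fill from a source you trust.

```powershell
# Added example: report hashes, Authenticode status and signer for a system file,
# and say whether its MD5 is on a known-good list supplied by the caller.
function Test-SystemFile {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$KnownGoodMd5 = @()   # placeholder: fill from a trusted source
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # Hashes in lower-case hex so they compare cleanly with web lookups.
    $md5  = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    $sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLower()

    # Authenticode check. Many OS binaries are signed through a security catalog
    # rather than an embedded signature; older PowerShell builds may report those
    # as NotSigned, in which case the Sysinternals sigcheck tool is a fallback.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $validMs = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Path         = $Path
        FileVersion  = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
        MD5          = $md5
        SHA1         = $sha1
        SigStatus    = $sig.Status
        Signer       = $signer
        SignedByMS   = $validMs
        MatchesKnown = ($KnownGoodMd5 -contains $md5)
    }
}

# Usage: check the file from the event log entry. The list below is a
# placeholder; put the MD5 values you obtained from a trusted source in it.
$known = @('<md5-from-trusted-source>')
$result = Test-SystemFile -Path "$env:SystemRoot\System32\drivers\tcpip.sys" -KnownGoodMd5 $known
$result | Format-List

# A file that is SignedByMS but not MatchesKnown usually just means your list is
# stale (a newer update shipped); a file that is neither deserves a closer look.
```

Run it from an elevated prompt so the driver file and catalogs are readable; the version field lets you compare against the winsxs folder names listed earlier in the thread.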
  9. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Thanks, that bit9 website is almost exactly what I was looking for. If they had a desktop counterpart that verified hashes against their database of known-good files, that would be perfect. But this is still good. Too bad their downloadable right-click shell extension is x86 only (I run Vista x64, so the shell extension is not supported unless I run my explorer.exe process in 32-bit mode, which I don't). Either way, it's a useful tool to add to my arsenal. Thanks :cautious:
     
  10. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954