Re: exe programs
From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 07/24/05
Date: Sun, 24 Jul 2005 10:17:14 +0200
Hi,
On Windows XP most critical files are digitally signed by Microsoft
(unfortunately not all (yet)).
To check the digital signatures run
sigverif
Once sigverif finishes, check out the file SIGVERIF.TXT and look for the
files that you mention in your question (e.g. mqsvc.exe, spoolsv.exe
etc...).
In SIGVERIF.TXT file you should see something like...
********************************
Microsoft Signature Verification
Log file generated on 24.7.2005 at 9:59
OS Platform: Windows 2000 (x86), Version: 5.1, Build: 2600, CSDVersion: Service Pack 2
Scan Results: Total Files: 3518, Signed: 2520, Unsigned: 54, Not Scanned: 944
File          Modified   Version  Status  Catalog  Signed By
------------  ---------  -------  ------  -------  -----------------
spoolsv.exe   4.8.2004   2:5.1    Signed  sp2.cat  Microsoft Windows
dumprep.exe   4.8.2004   2:5.1    Signed  sp2.cat  Microsoft Windows
etc...
If Status is Signed then the file originates from Microsoft and wasn't
modified after release from Microsoft.
Note:
* before you remove any unsigned files -- do some research...
* if you have mqsvc.exe file in e.g. c:\windows\system32 trojan will not be
able to put it in this folder. So another sign of something strange going on
on the computer is e.g. a "mqsvc.exe" file (that is not digitally signed) and is
located outside Windows folder.
* you can prevent most infection with trojans and spyware etc. if you use
your computer as non-admin. Most trojans and spyware need write access to
registry and Windows folder -- and non-admins don't have these permissions.
Infection in this case will fail or at least won't be permanent (it will
only be persistent till reboot)...
--
Mike
Microsoft MVP - Windows Security

"worried by exe" <worried by exe@discussions.microsoft.com> wrote in message
news:6D918F62-032F-470E-BE47-B0ACFC0C6958@microsoft.com...
>I HAVE UPGRADED FROM WINDOWS 98 SE TO WINDOWS XP PRO SPACK2.
> I HAVE NOTICED WITH XP A NUMBER OF EXE PROGRAMS THAT I DID NOT SEE BEFORE
> UNDER WIN 98.
> THESE APPEAR ON MY FIREWALL PROGRAM ZONEALARM.
> I HAVE CHECKED THESE OUT AND ALTHOUGH ADVICE IS THAT WINDOWS HAVE PROGRAMS
> WITH THESE NAMES, SO DO TROJANS. THEY WARN TO BLOCK/DELETE.
> ARE THESE WINDOWS PROGRAMS OR NOT/?. HOW CAN I TELL?.
> EXAMPLE...mqsvc.exe spoolsv.exe dumprep.exe
> IN THE MEAN TIME I HAVE BLOCKED, BUT DO NOT KNOW IF THEY ARE OR WILL STOP
> WINDOWS FROM OPERATING NORMALLY.
> PLEASE ADVISE ME.
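An added example, not part of the original message: a Python script that reads a SIGVERIF.TXT-style log and reports the status of the file names from the question. The sample log is constructed in the column order of the excerpt in the reply; the two-or-more-space column separator and the "Not Signed" row are assumptions.

```python
import re

# Names the poster asked about (taken from the thread).
WATCHLIST = {"mqsvc.exe", "spoolsv.exe", "dumprep.exe"}

# Constructed sample in the column order of the excerpt in the reply; the
# two-or-more-space column separator and the "Not Signed" row are assumptions.
SAMPLE_LOG = """\
Scan Results: Total Files: 4, Signed: 3, Unsigned: 1, Not Scanned: 0
File          Modified   Version  Status      Catalog  Signed By
------------  ---------  -------  ----------  -------  -----------------
spoolsv.exe   4.8.2004   2:5.1    Signed      sp2.cat  Microsoft Windows
dumprep.exe   4.8.2004   2:5.1    Signed      sp2.cat  Microsoft Windows
mqsvc.exe     1.7.2005   None     Not Signed
notepad.exe   4.8.2004   2:5.1    Signed      sp2.cat  Microsoft Windows
"""

FIELDS = ("file", "modified", "version", "status", "catalog", "signed_by")

def parse_rows(text):
    """Yield one dict per file row; header, rule and summary lines are skipped."""
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        # A file row has at least: file, modified, version, status.
        if len(cols) < 4 or cols[0] == "File" or set(cols[0]) <= {"-"}:
            continue
        cols += [""] * (len(FIELDS) - len(cols))  # unsigned rows lack catalog/signer
        yield dict(zip(FIELDS, cols))

def review(text, watchlist=WATCHLIST):
    """Map each watched name to 'signed', 'not signed' or 'not in log'."""
    result = {name: "not in log" for name in watchlist}
    for row in parse_rows(text):
        name = row["file"].lower()
        if name not in result or result[name] == "not signed":
            continue  # not watched, or an unsigned copy was already seen
        # Only an exact "Signed" status counts; anything else needs research.
        result[name] = "signed" if row["status"] == "Signed" else "not signed"
    return result

if __name__ == "__main__":
    for name, verdict in sorted(review(SAMPLE_LOG).items()):
        print(f"{name:14} {verdict}")
```

A name reported as "not in log" was not covered by the scan, so it says nothing about copies of that file elsewhere on disk.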