Re: exe programs

From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 07/24/05


Date: Sun, 24 Jul 2005 10:17:14 +0200

Hi,

On Windows XP most critical files are digitally signed by Microsoft
(unfortunately not all (yet)).

To check the digital signatures run

sigverif

Once sigverif finishes, check the file SIGVERIF.TXT and look for the
files that you mention in your question (e.g. mqsvc.exe, spoolsv.exe
etc...).

In SIGVERIF.TXT file you should see something like...

********************************

Microsoft Signature Verification

Log file generated on 24.7.2005 at 9:59
OS Platform: Windows 2000 (x86), Version: 5.1, Build: 2600, CSDVersion: Service Pack 2
Scan Results: Total Files: 3518, Signed: 2520, Unsigned: 54, Not Scanned: 944

File               Modified     Version     Status       Catalog     Signed By
------------------ ------------ ----------- ------------ ----------- -------------------
spoolsv.exe        4.8.2004     2:5.1       Signed       sp2.cat     Microsoft Windows
dumprep.exe        4.8.2004     2:5.1       Signed       sp2.cat     Microsoft Windows

etc...

If Status is Signed then the file originates from Microsoft and wasn't
modified after release from Microsoft.

Note:
* before you remove any unsigned files -- do some research...
* if you have the mqsvc.exe file in e.g. c:\windows\system32, a trojan will
not be able to put it in this folder. So another sign of something strange
going on on the computer is e.g. a "mqsvc.exe" file that is not digitally
signed and is located outside the Windows folder.
* you can prevent most infections with trojans and spyware etc. if you use
your computer as a non-admin. Most trojans and spyware need write access to
the registry and the Windows folder -- and non-admins don't have these
permissions. Infection in this case will fail or at least won't be permanent
(it will only be persistent till reboot)...

-- 
Mike
Microsoft MVP - Windows Security
"worried by exe" <worried by exe@discussions.microsoft.com> wrote in message 
news:6D918F62-032F-470E-BE47-B0ACFC0C6958@microsoft.com...
>I HAVE UPGRADED FROM WINDOWS 98 SE TO WINDOWS XP PRO SPACK2.
> I HAVE NOTICED WITH XP  A NUMBER OF EXE PROGRAMS THAT I DID NOT SEE BEFORE
> UNDER WIN 98.
> THESE APPEAR ON MY FIREWALL PROGRAM  ZONEALARM.
> I HAVE CHECKED THESE OUT AND ALTHOUGH ADVICE IS THAT WINDOWS HAVE PROGRAMS
> WITH THESE NAMES, SO DO TROJANS. THEY WARN TO BLOCK/DELETE.
> ARE THESE WINDOWS PROGRAMS OR NOT/?. HOW CAN I TELL?.
> EXAMPLE...mqsvc.exe   spoolsv.exe    dumprep.exe
> IN THE MEAN TIME I HAVE BLOCKED, BUT DO NOT KNOW IF THEY ARE OR WILL STOP
> WINDOWS FROM OPERATING NORMALLY.
> PLEASE ADVISE ME.
>
>
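
The lookup described in the reply above (find the named files in SIGVERIF.TXT, read their Status, and note where they live), as an added example that is not part of the original post. The sample log is constructed; the "[folder]" header lines, the "Not Signed" status text and the function names are assumptions.

```python
import re

# Constructed sample in the layout of the excerpt above, one row per line.
# The "[folder]" header lines, the "Not Signed" status text and the c:\temp
# row are assumptions added for illustration, not output from the post.
SAMPLE_LOG = r"""
Scan Results: Total Files: 3, Signed: 2, Unsigned: 1, Not Scanned: 0

File               Modified     Version     Status       Catalog     Signed By
------------------ ------------ ----------- ------------ ----------- -------------------
[c:\windows\system32]
spoolsv.exe        4.8.2004     2:5.1       Signed       sp2.cat     Microsoft Windows
dumprep.exe        4.8.2004     2:5.1       Signed       sp2.cat     Microsoft Windows
[c:\temp]
mqsvc.exe          1.7.2005     None        Not Signed
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(Signed|Not Signed|Not Scanned)"
                 r"(?:\s+(\S+)\s+(.+))?$")
FOLDER = re.compile(r"^\[(.+)\]$")

def parse_sigverif(text):
    """Return one dict per file row, tagged with the folder header above it."""
    rows, folder = [], None
    for line in text.splitlines():
        line = line.strip()
        header = FOLDER.match(line)
        if header:
            folder = header.group(1)
            continue
        m = ROW.match(line)
        if m:  # summary, column-title and dashed lines do not match ROW
            name, modified, version, status, catalog, signer = m.groups()
            rows.append({"file": name.lower(), "folder": folder,
                         "modified": modified, "version": version,
                         "status": status, "catalog": catalog, "signed_by": signer})
    return rows

def review(text, names, windows_root="c:\\windows"):
    """Look up the named files; flag rows not Signed or outside the Windows folder."""
    wanted = {n.lower() for n in names}
    report = []
    for r in parse_sigverif(text):
        if r["file"] in wanted:
            folder = r["folder"]
            outside = folder is not None and not folder.lower().startswith(windows_root)
            report.append((r["file"], folder, r["status"],
                           r["status"] != "Signed" or outside))
    return report
```

A flagged row is a starting point for the research the reply recommends, not a reason to delete the file.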