File signature checking


Guest BlairWitch

Hello. I just downloaded the tool sigcheck from Sysinternals and started scanning my system32 folder for unsigned files, and it seems that there are over 100 of them, so I just thought: is there any tool that would automatically copy the unsigned files to a specific folder? That would make it easier to examine them or upload them all to VirusTotal. Thanks.

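An added example, not posted by anyone in this thread: a PowerShell script that does what the question asks for, checking the Authenticode status of PE files under System32 with Get-AuthenticodeSignature, copying those that do not verify into a triage folder and writing their SHA256 hashes to a CSV so they can be looked up by hash before uploading anything. The source and triage paths are assumptions and can be changed.

```powershell
# Added example (not from the thread): collect files under System32 whose Authenticode
# signature does not verify, copy them to a triage folder and record SHA256 hashes.
# $SourceDir and $TriageDir are assumed defaults; override them on the command line.
param(
    [string]$SourceDir = "$env:SystemRoot\System32",
    [string]$TriageDir = "$env:USERPROFILE\Desktop\UnsignedTriage",
    [switch]$Recurse
)

New-Item -ItemType Directory -Path $TriageDir -Force | Out-Null

# Only PE-type files carry Authenticode signatures worth checking here.
$extensions = @('.exe', '.dll', '.sys', '.ocx', '.cpl', '.drv', '.scr')

$results = Get-ChildItem -Path $SourceDir -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path   = $_.FullName
            Status = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# Anything other than Valid is a triage lead, not proof of tampering: catalog-signed
# OS files can be reported as NotSigned by Get-AuthenticodeSignature on some
# Windows/PowerShell versions, whereas sigcheck consults the catalog store.
$unsigned = @($results | Where-Object { $_.Status -ne 'Valid' })

foreach ($item in $unsigned) {
    # Flatten the relative path into the file name so same-named files from
    # different subdirectories do not overwrite each other in the triage folder.
    $rel = $item.Path.Substring($SourceDir.Length).TrimStart('\') -replace '[\\/]', '__'
    Copy-Item -Path $item.Path -Destination (Join-Path $TriageDir $rel) -ErrorAction SilentlyContinue
}

$unsigned | Export-Csv -Path (Join-Path $TriageDir 'unsigned.csv') -NoTypeInformation
"{0} of {1} files did not verify; copies and unsigned.csv written to {2}" -f $unsigned.Count, @($results).Count, $TriageDir
```

Run it from an elevated PowerShell prompt so every file under System32 is readable. The CSV is the useful output: hashes can be searched on VirusTotal first, and only files with no existing report need to be uploaded. Because catalog-signed Windows components may appear as NotSigned here, compare the list against sigcheck's output (which the question already uses) before treating any entry as suspicious.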

Root Admin

It is built into Windows already. It's not uncommon to have unsigned files and does not necessarily mean anything is wrong.

Click on
START - RUN
and type in
SIGVERIF
and click OK

This is a Microsoft File Signature Verification program that will check some file status for us.
  • Click on the START button and let it run.
  • It will pop up a box when it's done to show the status; you can close that box.
  • Close the File Signature Verification application.
  • On Windows XP find and attach the file C:\WINDOWS\SIGVERIF.TXT to your reply.
  • On Windows 7 find and attach the file C:\Users\Public\Documents\SIGVERIF.TXT to your reply.
  • DO NOT post the log directly into your reply, attach the file please.


Root Admin

Just to confirm, please run the following.

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop

dds.scr

dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded, you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double-click dds.scr or dds.com to run the tool; on Vista or Win 7, right-click and select Run as administrator.

Click the Run button if prompted with an Open File - Security Warning dialog box.

A black DOS console should open and run for a moment.

When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
  • You can ignore the note about zipping the Attach.txt file in most cases.


Root Admin

Well the logs would seem to indicate that you're either infected or are running some software that is causing conflicts with other software.

If you look at the bottom of the ATTACH.TXT log file you'll see where you're having a lot of errors loading things.

That could just be conflicts or a sign of an infection.

I would recommend investigating further to see if you have software conflicting or check further for a possible infection.


Guest BlairWitch

Well the logs would seem to indicate that you're either infected or are running some software that is causing conflicts with other software.

If you look at the bottom of the ATTACH.TXT log file you'll see where you're having a lot of errors loading things.

That could just be conflicts or a sign of an infection.

I would recommend investigating further to see if you have software conflicting or check further for a possible infection.

Thanks for the information. I scanned my computer with MBAM, Trend Micro HouseCall, NOD32 online scanner and TDSSKiller, although I did not use the "scan loaded modules" option because then I would have had to restart my computer and I am too tired to do that now. There were no viruses found. I also scanned with Hitman Pro and it did not find anything. I haven't scanned yet with my main antivirus program Dr.Web but maybe will when I have time. I guess I need to search for those software conflicts and errors and such things. I will report about my findings then.


Guest BlairWitch

Well, I was in an experimental mood and started to dump the memory of some drivers in the system32/drivers directory. I used the program Xuetr to dump them, and some of the files were detected when I uploaded them to VirusTotal, but was it just because I used Xuetr to dump them... well, that is a mystery.

Anyway, here is the VirusTotal report for ntoskrnl.exe that was dumped with Xuetr...

https://www.virustotal.com/file/e92af20552826e6d7e9556cf18f89896e5cb67e709e425c45b698d0709034ed6/analysis/1344958827/

So there were 4 detections...

And then some other driver files that I dumped... Here are the results...

https://www.virustotal.com/file/697aeb89317cf44185b6c9d6f565c7feee353b46411fac040cd1dc4a261611d9/analysis/1344958633/

Here is the result for Xuetr: https://www.virustotal.com/file/6aca2a5dedc04786ff47976d81d4909739478bc4da9655ec1efc98cc3ed828d9/analysis/1344959515/

It's detected by 9 scanners...

Here is the file... XueTr.zip

Here is the ntoskrnl.exe that I dumped with Xuetr... ntoskrnl.zip

So if any expert here can examine this mystery, I would be very grateful. Thanks.

:o
