application changed?

Started by ghormoon, December 02, 2010, 10:34:31 AM


ghormoon

Is it possible that PL somehow updated/whatever itself without prompting?
I don't know about any malware on my PC (however, it's not impossible), and my firewall (ESET Smart Security) warns me that ProcessLasso.exe has been changed.
It's in version 4.00.16 now.
Thanks, Ghor

Edit: MD5 e4a7641fd6f69a1c8a49cf7d4e724312 *ProcessLasso.exe
(64-bit version)

Jeremy Collake

No auto-update NOR any writes to itself, so that is very strange - and suggests something else modified Process Lasso. Or maybe it is just picking up on your last update a bit late?
Software Engineer. Bitsum LLC.

ghormoon

It happened again now, but the MD5 is still the same, so it may be a problem with the firewall. Thanks ;)

Jeremy Collake

Thanks for the update. It sounds strange and I don't know what to tell you. It would seem the firewall is malfunctioning in some way. If the MD5 is the same, but it is telling you the file changed, then something fishy is going on.

I suppose maybe it could also look at the file attributes and file times, but they shouldn't be changing either (except the 'last accessed' time, maybe, if you have it enabled, but that would be true of every program run).

Now, it might check the 'last write' time, and perhaps that got changed by a program that opened the file for writing but then didn't actually do any modification.

As for malware, some malware is very good at hiding its presence, specifically rootkits. Once you get that stuff on your system, it can be very difficult to remove because it is hiding itself at a very low level using API hooks or NT dispatch table hooks. That's a worst-case assumption, but it is possible. You know all about this, I'm sure, as you seem to be the techie type.

Then again, maybe your firewall just has a bug. Is it saying only Process Lasso changed, or does this happen for other applications too? If you have any registry cleaner in regular use, try disabling it just to be safe, as accidentally deleting the wrong key can have unpredictable consequences, and maybe the firewall's previously stored info on Process Lasso is getting deleted.
Software Engineer. Bitsum LLC.
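The thread turns on a distinction a practitioner would want to check for themselves: did the bytes of ProcessLasso.exe change, or did only a timestamp move while the content stayed identical (the case where a posted MD5 still matches). The script below is an added example, not Bitsum's code and not part of the original thread. It records a baseline (SHA-256, MD5, size, last-write time) for a set of files and, on re-check, reports CONTENT_CHANGED only when the hash differs and METADATA_ONLY when just the timestamp differs. The file name, the "PE" bytes and the temporary directory in `demo()` are constructed for illustration; nothing touches a real installation. SHA-256 is the primary comparison because MD5 is no longer collision-resistant; MD5 is kept only so the output can be compared against an md5sum line like the one posted above.

```python
"""Added example (not Bitsum's code): a minimal file-integrity baseline that
separates "the bytes changed" from "only the timestamp changed", the two
cases Jeremy's reply distinguishes. All paths and sample bytes are constructed
here; nothing touches a real Process Lasso install."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def fingerprint(path):
    """Hash the file's bytes (SHA-256 plus MD5 so it can be compared with an
    md5sum line like the one posted) and record the metadata a naive checker
    might look at instead of the content."""
    p = Path(path)
    st = p.stat()
    md5, sha = hashlib.md5(), hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "md5": md5.hexdigest(),
        "sha256": sha.hexdigest(),
    }


def classify(baseline, current):
    """Order matters: a content change is the alert; a metadata-only change is
    the benign case (a program opened the file for write, a backup or AV
    scanner touched it) that a checker keyed on timestamps would misreport."""
    if current["sha256"] != baseline["sha256"] or current["size"] != baseline["size"]:
        return "CONTENT_CHANGED"
    if current["mtime_ns"] != baseline["mtime_ns"]:
        return "METADATA_ONLY"
    return "UNCHANGED"


def save_baseline(paths, db_path):
    """Write a JSON baseline keyed by resolved path; returns the dict written."""
    db = {str(Path(p).resolve()): fingerprint(p) for p in paths}
    Path(db_path).write_text(json.dumps(db, indent=2))
    return db


def verify(db_path):
    """Re-fingerprint every file in the baseline and classify each one."""
    db = json.loads(Path(db_path).read_text())
    return {p: classify(base, fingerprint(p)) for p, base in db.items()}


def demo():
    """Constructed scenario: one fake binary, then two kinds of 'change'."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "ProcessLasso.exe"  # hypothetical copy, not the real file
        exe.write_bytes(b"MZ" + bytes(range(256)) * 8)  # constructed PE-like bytes
        db = Path(d) / "baseline.json"
        save_baseline([exe], db)
        key = str(exe.resolve())

        unchanged = verify(db)[key]

        # Case 1: only the last-write time moves (what a checker keyed on
        # timestamps would flag even though the MD5 is unchanged).
        st = exe.stat()
        os.utime(exe, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))
        metadata_only = verify(db)[key]

        # Case 2: the bytes actually change (the real alert).
        with exe.open("ab") as f:
            f.write(b"\x00")
        content_changed = verify(db)[key]

        return unchanged, metadata_only, content_changed


if __name__ == "__main__":
    print(demo())  # ('UNCHANGED', 'METADATA_ONLY', 'CONTENT_CHANGED')
```

To apply it to a real install, call `save_baseline([...paths...], "baseline.json")` once on a known-good system and `verify("baseline.json")` whenever the firewall raises the alert; a METADATA_ONLY verdict alongside a matching MD5 points at a timestamp-based checker or something touching the file, while CONTENT_CHANGED is the case that warrants treating the box as compromised until the diff is explained.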