
no digital signature on mqac.sys in %windows%\system32\drivers



#1 dave4duncan


Posted 26 April 2014 - 10:54 AM

I ran rkill to check for problems with my system XP/SP3. The file mqac.sys does not have a valid digital signature. I have 6 copies of this file on my system from past SPs. How do I determine which one to use as a replacement? How do I check to see if it is signed, and if it is do I just swap them out?

 

Have already cleaned system, getting rid of old files, cleaning the registry, i.e. a deep cleaning to speed up my system and clear up problems. I have no malware or viruses that Avast and several other scan tools can detect.



Edited by hamluis, 27 April 2014 - 11:18 AM.
Moved from XP to Am I Infected - Hamluis.



 


#2 yu gnomi


Posted 27 April 2014 - 12:04 AM

From what I can gather, mqac.sys is part of the message queuing system (MSMQ) that is not part of a standard XP install, but is a free add-on (at least for XP Pro) if you wanted to install it. It might be part of something called 'Snap Desktop' (which I also don't have)

 

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/snap_desktop_msmq.mspx?mfr=true

 

Does this sound like something that you would have installed on your machine?

 

If so, I doubt that it's malware, even though there are multiple copies without signatures. I'm pretty sure I have a few Windows system files that aren't signed.

 

Unless you think they are harmful, I would just leave them be- don't fix what ain't broke. 


Edited by yu gnomi, 27 April 2014 - 12:16 AM.


#3 Didier Stevens


Posted 27 April 2014 - 01:18 PM

How did you check for the absence of a digital signature? Via the properties tab?

 

Microsoft executables are often signed via a catalog file, and do not have a "Digital Signatures" properties tab. You need to use a tool like sigcheck.

 

I explain this all in my video:

 

The use of sigcheck is explained at the end of the video.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 dave4duncan


Posted 27 April 2014 - 02:18 PM

Ran rkill, which said the file did not have a digital signature. Does rkill not give true results? Your program gave the same result.

 

This file is a part of the message queuing option in Windows. Deleting message queuing in add/remove Windows components does not delete the files (about 20 of them). As far as I can tell at this point, message queuing is not running on my system.

 

System file checker wants to change these 20 files. I know how to redirect from to the location that they came from (i.e. not the cd drive but a directory). This will not change anything as they are not signed either.

 

Can I just delete them?





