Author Topic: patch 1.70 appeared  (Read 1191 times)

Baaleos

  • Administrator
  • Hero Member
« Reply #15 on: November 20, 2012, 04:05:56 pm »


Of course - there is no definitive way to prove either scenario.

If he downloads the current release of 1.70 - and compares file size, all this proves is that the one he has now, may be an earlier or later release of the 1.70 - OR it may indeed be a tampered version.

Now - acting as Devil's Advocate here.
I can see where both ShaAaDow and Khandee are coming from.

I - Like Shadow - believe the best defense against hackers is common sense.
Hackers don't have an online directory that they consult where they can find specific individuals to target. All of their targets make names for themselves, or do specific things that make them targets. Eg - Visit dodgy websites, install bad software, or hang around with the wrong online community etc. It's people's behaviours online that often lead to mistakes, which lead to faults, which lead to 'Whoops... I guess I shouldn't have installed that Cracked Software....'
(Took that from ISTQB  ->  Developers make Mistakes -> Faults -> Defects )

But also - Like Khandee,
I do think it's somewhat 'asking' for trouble to just rely on a firewall to protect you, and not have an extra layer of security. This is Shadooow's personal preference, but I don't quite agree with it.
Anti-Virus software is specifically designed to be updated regularly with new virus definitions, whereas more firewalls are not.
Anti-Virus software is designed to stop software that exhibits specific behaviors - whereas firewalls target applications that make connections on ports.
An example of the distinction would be this:

An Anti Virus would be able to prevent a program I write, from closing your Anti-Virus, from accessing your Documents Folder, and Uploading them to a remote location.

A Firewall, would not prevent my program from closing your firewall, or from accessing your documents folder, although it may stop it from uploading the files to an external location: But wait.... didn't we close the firewall on step 1?

Firewalls provide a very connection/network specific type of security, but still leave you wide open to a number of different types of software type viruses.

A firewall won't stop me from writing a program that copies itself 10 times every 10 minutes, slowly draining your HDD Space over the course of a week, but an Anti-Virus may.

Anyway - play nice you two... you both have valid points, just different preferences.
               
               

               
            

Legacy_Aelis Eine

  • Full Member
« Reply #16 on: November 20, 2012, 04:25:36 pm »


Maybe you have file sends on some IM protocol set to auto accept and a friend sent it to you?
               
               

               
            

Baaleos

  • Administrator
  • Hero Member
« Reply #17 on: November 20, 2012, 04:30:48 pm »


I suggest checking the date it was created/modified to find out when it appeared, then check Windows Event Viewer to see what happened around that time.
That will tell you if anyone was logged on etc.
               
               

               
            

Legacy_ehye_khandee

  • Hero Member
« Reply #18 on: November 20, 2012, 04:45:44 pm »


               

SHOVA wrote...

I put forth that the OP clicked on Shadow's patch by accident, did not realize that it started the download process, and did not notice until the next day that it completed and placed it on his desktop. That alone is more plausible than someone rootkitting it onto his computer.


The OP stated NOBODY was on his computer at the time the strange file appeared on his desktop.


I posit the system may have been previously compromised, the miscreants could read what you have on your rig, and then doctor up software they think you might be tempted to use, and place it on your desktop hoping you might click it accidentally or out of curiosity. This is not a rare scenario either. Competent sorts can do things with your rig that would amaze most folks.
               
               

               


Edited by ehye_khandee, 20 November 2012 - 04:53.
                     
                  


            

Legacy_SHOVA

  • Hero Member
« Reply #19 on: November 20, 2012, 05:04:57 pm »


If nobody was on his computer, then how did he notice it appear?
I get it Eye, perhaps something miscreant took place. But more likely, he misclicked, went to bed, and saw the result of the misclick. It happens. It happens more than everyone likes to admit. I think that a misclick is by far more likely, than someone hacking his computer, and placing some dangerous file renamed after Shadow's patch.
               
               

               
            

Baaleos

  • Administrator
  • Hero Member
« Reply #20 on: November 20, 2012, 05:07:22 pm »


               

ehye_khandee wrote...

SHOVA wrote...

I put forth that the OP clicked on Shadow's patch by accident, did not realize that it started the download process, and did not notice until the next day that it completed and placed it on his desktop. That alone is more plausible than someone rootkitting it onto his computer.


The OP stated NOBODY was on his computer at the time the strange file appeared on his desktop.


I posit the system may have been previously compromised, the miscreants could read what you have on your rig, and then doctor up software they think you might be tempted to use, and place it on your desktop hoping you might click it accidentally or out of curiosity. This is not a rare scenario either. Competent sorts can do things with your rig that would amaze most folks.



It's certainly 'possible' that this happened.
But whether it is plausible is another question.

Just because a file appears, that the user cannot remember downloading, does not necessarily preclude the possibility that he may have just downloaded it and forgot.

I've done that lots of times.
I've got hundreds of thousands of files on my machine, that I have gathered and downloaded over the years,
and there are even times when I download something on a Saturday, then on the Sunday, I have to double click on it to remind myself what it was.

Assuming a file is nefarious in nature, because its origins cannot be recalled, seems a little overkill.

I'd recommend he downloads a reasonably good Anti-virus (Avast, or AVG are good free ones),
scan the file, and trust the virus scanner's determination - as it is not influenced by bias.
               
               

               
            

Legacy_ehye_khandee

  • Hero Member
« Reply #21 on: November 20, 2012, 05:14:44 pm »


This is from m-w.com

1: superficially fair, reasonable, or valuable but often specious <a plausible pretext>
2: [omitted for relevancy]
3: appearing worthy of belief <the argument was both powerful and plausible>


A healthy sense of paranoia will save you LOTS of computer headaches. It IS plausible that some miscreant could have done exactly what I've outlined and it is the fool who pretends it not so. It is better to be paranoid, test things well and be safe than to relegate your system to the whims of those who know more computer lore or have better scriptkiddie tools than you do.


The facts as stated by the OP are that the file appeared at a time when no-one was using the system, and that this file differs from the vault version in some unspecified way. Please make comments that at least stay within the known facts as stated by the OP.
               
               

               


Edited by ehye_khandee, 20 November 2012 - 05:15.
                     
                  


            

Baaleos

  • Administrator
  • Hero Member
« Reply #22 on: November 20, 2012, 05:18:13 pm »


I think you misunderstood my use of the word plausible.

Yes - Plausible can be likened to

Possible that someone could have done it.
Plausible that someone could have done it.

My use was more along the lines of
Is it plausible that someone has done it.

Paranoia may save you computer headaches, but experience tells me it causes a lot more stress headaches.
               
               

               
            

Legacy_SHOVA

  • Hero Member
« Reply #23 on: November 20, 2012, 05:20:50 pm »


I will agree to disagree, until the OP runs anti-virus, and looks at the logs. If there is no actual threat found by the anti-virus, then Eye, your opinion is way out there. If there is something nefarious in it, I will of course tell everyone how right you are.
               
               

               
            

Legacy_ehye_khandee

  • Hero Member
« Reply #24 on: November 20, 2012, 05:23:58 pm »


No, my opinion is simple; test, do not guess. I advocate GOOD COMPUTER USER HABITS, you are pressing 'just trust it' and that is an EPIC FAIL in the making.

Testing as I advocate is the right thing to do REGARDLESS of the outcome of the test.

ALWAYS use a long spoon when supping with the Devil.

The internet is the devil's own banquet, bring suitable flatware or play the stooge, these are the choices.
               
               

               


Edited by ehye_khandee, 20 November 2012 - 05:25.
                     
                  


            

Legacy_Shadooow

  • Hero Member
« Reply #25 on: November 20, 2012, 06:56:46 pm »


It's you who is guessing there, Ehye. OP already scanned his computer with some AV - maybe even with AVG you suggested to him - we don't know.

All of this is pure speculation. Maybe if we knew the CP170 file size, we could come to closure - what I think is that OP somehow got the initial 1.70 release. Maybe someone sent it to him via MSN, maybe it was packaged with some NWN-related package. Hard to say - we don't even know in which directory this was found. If this was in the NWN directory it might even be possible that the file has been there longer (assuming someone else is using OP's computer - which we also don't know). And now he downloaded the 1.71beta release which has a different size - and smaller because the initial release is an exe file containing all languages. This makes sense, what you are however trying to prove does not.
               
               

               
            

Legacy_Dwayne

  • Newbie
« Reply #26 on: November 20, 2012, 08:02:22 pm »


Here is all the info I have. I was not using the internet at all but I was on my computer. All of a sudden a file appeared on my desktop. It was labeled as a patch for nwn. I am a very experienced user who knows how to be safe. I have Norton 360 installed along with other measures.

Here is the info on the maybe false file. It looks exactly like the real updater but it is labeled as nwnpatch170 and the real one is labeled as NWNPatch170. The false file is 39.2 mb and the real one is 39.4 mb. I hope I didn't post this incorrectly earlier. Using Norton Insight on the false file says it does not know where it was downloaded from and my downloader has no record of it. The real file is listed as being downloaded from the proper place.

Here is the Norton File Insight information on the false file. I guess the origin does not copy.
Full Path: C:\Users\Dwayne\Desktop\nwnpatch170.exe
____________________________
____________________________
Developers Not Available
Version Not Available
Identified 12/11/2011 at 3:22:08 PM
Last Used Not Available
Startup Item No
____________________________
____________________________
Unknown
This program crash history is not known.
____________________________
Very Few Users
Fewer than 5 users in the Norton Community have used this file.
____________________________
Very New
This file was released less than 1 week ago.
____________________________
Good
Norton has given this file a favorable rating.
____________________________
Source File:
nwnpatch170.exe
____________________________
File Thumbprint - SHA:
9d7c4d4313743612595b00a4c0a407e1e3a140815db66b1f16e750f9ff4ef0ef
____________________________
File Thumbprint - MD5:
f7f979409be220cca0a449aa6d24b53f
____________________________
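
The checks suggested in Reply #17 (file dates, Event Viewer) and the origin and thumbprint details reported in Reply #26 can all be collected without running the file. The following PowerShell is an added example, not code from any poster in this thread; the suspect path is the one in the Norton report above, while the reference-copy path and the 30-minute window are assumptions.

```powershell
# Added example: static triage of an unexplained executable (the file is never executed).
param(
    [string]$Suspect       = 'C:\Users\Dwayne\Desktop\nwnpatch170.exe',   # path from the Norton report
    [string]$Reference     = 'C:\Users\Dwayne\Downloads\NWNPatch170.exe', # assumed: fresh official download
    [int]   $WindowMinutes = 30                                           # assumed search window
)

$file = Get-Item -LiteralPath $Suspect

# 1. When did it appear? CreationTime is when this copy was written to this volume;
#    LastWriteTime usually travels with the file and can be far older.
$file | Select-Object Name, Length, CreationTime, LastWriteTime | Format-List

# 2. Is it byte-identical to a known-good copy? A size difference already says no;
#    the SHA-256 comparison settles it when the sizes match.
$suspectHash = (Get-FileHash -LiteralPath $Suspect -Algorithm SHA256).Hash
"Suspect SHA-256:   $suspectHash"
if (Test-Path -LiteralPath $Reference) {
    $referenceHash = (Get-FileHash -LiteralPath $Reference -Algorithm SHA256).Hash
    "Reference SHA-256: $referenceHash"
    "Identical content: $($suspectHash -eq $referenceHash)"
}

# 3. Where did it come from? Browsers and many mail/IM clients attach a
#    Zone.Identifier alternate data stream (Mark of the Web) to downloaded files.
$motw = Get-Content -LiteralPath $Suspect -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) { $motw }
else { 'No Zone.Identifier stream (local copy, archive extraction, or a tool that does not tag files).' }

# 4. Is it signed, and does the signature still validate against the file contents?
Get-AuthenticodeSignature -FilePath $Suspect |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } } |
    Format-List

# 5. Who logged on around the time the file was created? Needs an elevated prompt
#    and logon auditing enabled. Event 4624 = successful logon;
#    Properties[5] is the account name, Properties[8] the logon type
#    (2 = interactive, 3 = network, 10 = remote desktop).
$from = $file.CreationTime.AddMinutes(-$WindowMinutes)
$to   = $file.CreationTime.AddMinutes($WindowMinutes)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $from; EndTime = $to } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{ n = 'Account';   e = { $_.Properties[5].Value } },
                  @{ n = 'LogonType'; e = { $_.Properties[8].Value } } |
    Sort-Object TimeCreated
```

File timestamps can be changed by anything with write access to the file, so treat them as a lead to correlate with the event log rather than as proof.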
               
               

               
            

Legacy_SHOVA

  • Hero Member
« Reply #27 on: November 20, 2012, 09:04:10 pm »


I suppose the real question Dwayne is this, Do you want to use Shadow's 1.70 patch? If the answer is no, delete it and move on. If yes, then the question of what you were downloading, and/or visiting comes to question, long before I will blindly assume that someone is hacking your computer. If you do want to use Shadow's patch, but are not sure if you trust the one you have, delete it, and download it from Shadow's vault page.

On a side note, I personally wouldn't trust Norton to protect against anything. From my experience, AVG is better.
               
               

               
            

Baaleos

  • Administrator
  • Hero Member
« Reply #28 on: November 20, 2012, 11:54:50 pm »


Not wanting to hit a dead horse with a stick or anything...
But...

Identified 12/11/2011 at 3:22:08 PM

This either relates to the file having appeared on the machine on that date

which is a year old.
Or
The file was compiled/created a year ago.

Which would explain the size discrepancy.
I'm sure ShadoOoW has added a lot more content to it since that date.


It really boils down to the following options.

1. Delete it 'cause you don't trust it (Norton says it's fine, I'd check with AVG or Avast to be certain though)
2. Use it, despite the fact it is out of date - hey it's up to you?
3. Download the most up to date version - if you want?

As it stands, besides the fact that it appeared on your machine - there is nothing else to suggest it's a dodgy file.
Looks like a Duck, Quacks like a Duck... it just might be a Duck.

Also - I know we are all dancing around the idea that this file is dangerous - but... has anyone tried running it?

Believe it or not - it's actually quite difficult to infect a binary, while maintaining its original functionality.
It's not a simple matter of - hey here is an exe in the same folder as me, lets copy myself into it....

If you find that the exe doesn't run properly = potential virus/trojan
In any case - if you do want the 1.70 patch, the smart thing to do, is to get the latest version anyway - this one is clearly at least a year old.
               
               

               
            

Legacy_MrZork

  • Hero Member
« Reply #29 on: November 21, 2012, 01:41:03 am »


I'm not an expert, but it should be pretty easy to use a wrapper that has a virus infect a system and then pass execution on to the original binary. But, even if there isn't some hacker's tool that automates creating that wrapper, there's still the problem that running an executable is a risky way to check whether it's infected. By the time the user confirms that the binary isn't doing what one would expect it to, it may have caused all sorts of trouble that's a pain to fix.

I certainly agree that the most straightforward course of action for installing the CP would be to download ShaDoOoW's official release from the Vault and use that instead of any potentially suspect or obsolete file.