A way to delete more than 1 file at a time

Discussion in 'Trojan Defence Suite' started by Swann, Sep 4, 2004.

Thread Status:
Not open for further replies.
  1. Swann

    Swann Guest

    Hello, Everyone....

    I just finished doing my first Deep Full scan using TDS3, and I was amazed by all the positive identifications and suspicious filenames that came up. There has to be a couple thousand, seriously. Nonetheless... it will take me HOURS!! to right click on the file name and choose delete for each and every one. Is there a way to delete everything TDS3 finds... all at once? Or a way to pick and choose groups of files to delete through and using TDS?? If so.. it will save me A LOT of time??
     
  2. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hello Swan.

    First, I definitely would not go on a "Right Clicking/Deleting Spree" just yet.
    You could be deleting stuff there is no need to do.

    A lot of the suspicious filenames will be benign, it reports them as 'suspicious' if say, there are 'Dual extensions' in the file name... it reads any extra periods [.] as an extension would be. Setup_v1.0.exe, something similar.

    Now... in the lists you have in bottom window.. right click on ANY of the files, Select Save as Text. [see pic]
    It will ask do you want to open up in Notepad, click OK.

    Then you could Save the txt file and upload it in here. If it's long, please do NOT copy/paste. Just do a Save As of it to say desktop, then Click on the 'Manage Attachments' at bottom left of your Post Reply window, a new window opens up, browse to the desktop and select your file, click Upload. Wait, it will let you know when finished, click Close this window, then back on main window, click Submit Reply as normal.

    Now, if it does not open in notepad automatically for some reason, open windows explorer, navigate to TDS main folder and look for 'Scandump.txt' file... that's it! Do as above.

    If, as you say you have a "couple of thousand" entries... then it needs to be assessed. Maybe once you upload the .txt file, it can be looked at, and one of the Gurus at DCS :) could help, but definitely needs checking first, as that sounds like an awful lot of entries even for a badly infected system.
     


    Last edited: Sep 4, 2004
  3. Tassie_Devils

    Tassie_Devils Global Moderator

    Pic of Scandump.txt file.

    Also... Open Help in TDS, in the Contents, click on Trojan Detection and Removal section, hit Open, select Trojan & Detection Removal sub folder, hit Display and read the information in there.

    I do not know if there is a "multiple" selection available, but read the help file on the Trojan and Detection parts. ;)

    Cheers, TAS
     

    Attached Files: 079.GIF (13.3 KB)
    Last edited: Sep 4, 2004
  4. Swann

    Swann Guest

    So, I'm going to have to send a hundred or so? suspicious file names to be looked at? :((. And the ones that do say positive ID., Those can be deleted.. almost for sure? And did you say there was a way to delete more than one at a time.. because I did look in the help file and it didn't say.
     
  5. Swann

    Swann Guest

    I see :)... alright, well I saved it all as text... now how or where do I go to send it? through the TDS3? or email? and how.. if through the TDS3?
     
  6. Tassie_Devils

    Tassie_Devils Global Moderator

    No, not the FILES.... the "report".... just the TEXT file report that you can generate as per instructions above. :)

    Follow the instructions above, upload the 'text file report' only...[single file] it can be looked at by someone in here. [see attached file, I uploaded this to show you].

    As to multiple file deletion, I cannot answer, never had to do it, and yes, it does not say in the help section. Maybe there could be an easier way?

    But you do need to get the 'report' checked out first. :)

    Cheers, TAS
     


  7. Tassie_Devils

    Tassie_Devils Global Moderator

    Also.... if running NT based [W2K/XP] open Task Manager... look at the running Process lists, see if you detect any of the files reported in TDS that may be running in this list.

    Ctrl/Shift/Esc keys will bring up Task Manager. Select Process TAB.

    TAS
     


  8. swann

    swann Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    6
    Here it is then.. I don't know why I didn't understand what you were asking me the first time.. I had to read the post again. I don't know much about trojan protection and worms as well.. but I am learning. Nonetheless.. I had already deleted some files, before I made this post. In general.. Where can I find out info or know which files don't need to be deleted.. or should I leave that to the professionals??

    Thanks a lot for everyone's input.

    AHH!!!
    The txt file itself is 1.56MB according to the uploader, which it says is too large to upload at once... So I'll have to cut and paste it into several other notepad files.. give me a bit to do so.
     
  9. Tassie_Devils

    Tassie_Devils Global Moderator

    WHAT!!!.. text file 1.56Mb.... you sure.. man.. that's some report...:(

    how about you cut and paste a small sample in here... don't upload anything... just around 50 or so lines from the text report... wow....

    Cheers, TAS.

    PS>.. make sure it includes some positive and suspicious detections.. need to see this for myself... that's one huge file...

    TAS :)
     
  10. swann

    swann Registered Member

    Does the Forum accept any other file types that can be more than 100Kb and text?
     
  11. Tassie_Devils

    Tassie_Devils Global Moderator

    Not to my knowledge Swan. 100Kb is limit.

    But please just copy and paste a few lines in here from the report... say about a half a screen depth... that will cover quite a few lines and give anyone here an idea of what you have reporting.

    Cheers, TAS
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Swann,
    No, larger files can't be uploaded, you could paste a part in a posting, say the 50 or 100 lines Tassie asked for, and do yourself and others a big favor and paste it between [ code ] and [ /code ] (without the spaces between the []) to make it scrollable in the message itself.

    I like to ask a few questions about the conditions of your scan:
    Do you run a XP system for instance, with several users on it?
    Did you install TDS from the Admin account and also do this scan from the Admin account or from a user account?
    This can be done, but then it's best to use the "run as" option so the user gets for that activity Admin options. If not you can get lots of non-existing alarms.

    Another one: did you check all the scan options, including all the NTFS ADS Streams? Can imagine in a first scan you want to see everything, but you can safely ignore NTFS streams smaller than 188 bytes, and under 256 bytes in most cases are innocent as well; you'll see them often for instance added to images for some identifications, and some AV scanners add them to files probably to identify modifications.

    If you look at your settings this way, would that reduce your alarms list and keep only valid alarms and suspicious alerts?
    Then for sure do post the Scandump.TXT so we can help you looking again.
     
    Last edited: Sep 4, 2004
  13. Tassie_Devils

    Tassie_Devils Global Moderator

    Thanks Jooske for the [ code ] input stuff and extra info. I had intended asking re NTFS Ads Streams, but wanted to wait until he posted some lines of results. :)

    One thing Swan, you do have the latest radius.td3 defs?

    You did not say if registered or not. If registered/paid for TDS, update via the program... if not.. you have to go to TDS page at DCS and download the radius.td3 file and place in main TDS folder overwriting existing one.

    Cheers, TAS
     
  14. Tassie_Devils

    Tassie_Devils Global Moderator

    Hi again Swan...

    If there appears to be that many number of infections, are you sure you have the absolute latest radius.td3 file?

    As there was a corrupted database back a while... although surely you have updated since then?

    THIS THREAD

    I would definitely go to DCS HERE
    and grab the latest...

    DO a rescan, double check, ok.

    Cheers, TAS
     
  15. Jooske

    Jooske Registered Member

    Waiting for a few lines of alerts, then we know more......
     
  16. swann

    swann Registered Member

    Here is a smidgen/very small portion of the files found. About 80kb, of about 1.5mb of .txt. Nonetheless it seems a lot of the files have pornographic endings.... I was told they were from my little cousin downloading something he shouldn't have.. which spread a bunch of popups/crap my father couldn't get off of his computer... nonetheless.. take a look. Again, I'm wondering if all of them need to be deleted. I can't attach the whole file for you to see... because it is too big. And... is there a way to delete more than one file at a time using TDS? o_O

    Thanks :ninja:
     


  17. Tassie_Devils

    Tassie_Devils Global Moderator

    Hi Swan....

    OK... It appears you were hit by netsky and bagle predominantly, which should have easily been detected by your McAfee AV [I see McAfee in the shared documents /all users/, so presume that's the AV you are running? Or did have at one time.]

    Speaking of AV, did you do a full system scan by your AV?
    Did it ever find anything?

    How is your system running? Normal, sluggish, etc.?

    This seems unusual, did you note that each of the alerts in scandump start with [Deleted]?

    Did you try deleting, or your AV alerted in any way?

    These few samples:

    ====================================
    (DELETED) Suspicious Filename: Dual extensions
    File: c:\documents and settings\all users\start menu\programs\mcafee\mcafee shared features\winxp ebook.doc.exe

    (DELETED) Positive identification: Worm.NetSky.c
    File: c:\documents and settings\all users\start menu\programs\mcafee\mcafee shared features\adobe photoshop 9 full.exe

    (DELETED) Positive identification: Worm.Bagle.j
    File: c:\documents and settings\all users\start menu\programs\mcafee\mcafee shared features\winamp 5 pro keygen crack update.exe

    (DELETED) Positive identification: Worm.Bagle.j
    File: c:\documents and settings\all users\start menu\programs\mcafee\mcafee shared features\windown longhorn beta leak.exe

    ================================================

    note the Positive IDs of Netsky and/or Bagle but also how the suspicious filenames kick in with double extensions.

    ebook.doc.exe Office document [.doc] indicated, but real extension is an executable. {.exe} Very easily infected that way.

    Someone has downloaded 'KeyGens' [Serial Key Generators to crack a program] with this: winamp 5 pro keygen crack update.exe

    Also this: windown longhorn beta leak.exe [note spelling Window [n] ] cracked version.

    Your best bet is to do an ONLINE scan first [your AV may have been compromised if it did not detect these, or they have been detected/quarantined and remnants being detected by TDS?], clean up what you can with at least two of the following:

    TREND'S HOUSECALL Look on right side, click 'Scan Now' under More Info heading and follow the prompts.

    SYMANTEC'S ONLINE SCAN Click the 'GO' button ;)

    PANDA ONLINE VIRUS SCAN Click the animated 'FREE Online Virus Scan' gif

    BITDEFENDER SCAN ONLINE Click on the "I AGREE" at bottom.

    Follow each of the site's prompts during scanning. With Trend's Housecall, check Auto Detect/Delete option, I think it is. The others, I have not used those for a very long time, so forget the options, you will have to decide. :)

    Then download the latest TDS radius.td3 file and scan again with TDS.

    This way, the online scans will get rid of any of the more common bugs in your system first.

    Then we can go from there :)

    Cheers, TAS
     
    Last edited: Sep 5, 2004
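
Added example (not part of the thread and not DiamondCS code): a short Python script that triages a saved report in the two-line layout quoted in the post above, counting positive identifications by name and separating dual-extension names that hide an executable from names that merely contain extra periods. The sample report, its paths, the optional `(DELETED)` prefix handling and the two extension lists are assumptions made for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the two-line layout quoted in the post above; paths are made up.
SAMPLE = r"""(DELETED) Suspicious Filename: Dual extensions
File: c:\shared\winxp ebook.doc.exe

(DELETED) Positive identification: Worm.NetSky.c
File: c:\shared\adobe photoshop 9 full.exe

Positive identification: Worm.Bagle.j
File: c:\shared\winamp 5 pro keygen crack update.exe

Positive identification: Worm.Bagle.j
File: c:\shared\windown longhorn beta leak.exe

Suspicious Filename: Dual extensions
File: c:\downloads\setup_v1.0.exe
"""

ENTRY = re.compile(
    r"^(?P<deleted>\(DELETED\)\s*)?"
    r"(?P<kind>Positive identification|Suspicious Filename):\s*(?P<detail>.+)\n"
    r"File:\s*(?P<path>.+)$",
    re.MULTILINE | re.IGNORECASE,
)
# Assumed lists: extensions Windows will execute, and extensions used as a decoy.
EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY = {".doc", ".txt", ".pdf", ".rtf", ".jpg", ".gif", ".mp3", ".zip", ".htm", ".html"}

def masquerades(path):
    """True when a document/media extension is followed by an executable one."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE and suffixes[-2] in DECOY

def triage(report):
    """Group report entries so a reviewer reads a summary, not thousands of rows."""
    result = {"positive": Counter(), "masquerading": [], "review": [], "already_deleted": 0}
    for m in ENTRY.finditer(report.replace("\r\n", "\n")):
        path = m["path"].strip()
        if m["deleted"]:
            result["already_deleted"] += 1
        if m["kind"].lower() == "positive identification":
            result["positive"][m["detail"].strip()] += 1
        elif masquerades(path):
            result["masquerading"].append(path)
        else:
            result["review"].append(path)  # e.g. version dots; needs a human look
    return result

if __name__ == "__main__":
    summary = triage(SAMPLE)
    for name, count in summary["positive"].most_common():
        print(f"{count:5d}  {name}")
    print("masquerading:", summary["masquerading"])
    print("needs review:", summary["review"])
    print("already deleted:", summary["already_deleted"])
```
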
  18. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yes an online virus scan to remove the worms first should take care of most of this ! thanks Taz :)
     
  19. swann

    swann Registered Member

    Ok, The "DELETE" lines are from files I had already deleted after TDS ran its scan.... sorry. The computer didn't have McAfee on it when "I" believe the computer started acting funny... in fact my father only put it on not 2 1/2 weeks ago... and yes we ran it... and it didn't seem to find anything close to the amount of infected files TDS3 has found. Also, I have updated TDS3 before running the scan. The CPU does all sorts of weird things... very.. very sluggish... sometimes it shuts itself down... I've noticed it does this a lot when entering "networkplace". As far as what I've done so far... I've run McAfee... I've run Wormguard... and TDS3. Just don't know what I should delete after TDS3 scans... I'm thinking everything... which will be a time consuming pain, but I am getting compensated, so oh well. I'm also planning on putting a program called "spysweeper" by Webroot for anti-spam, and Bitdefender for anti-virus... both are "supposed" to be very good at what they do? I just got done loading them on my computer.. and I'm much happier with them than with Norton Anti-Virus. I'll also run 2 of those online tests that you suggested... if I can get the damn computer online without big problems.
    If you think you need to see more I can email you the whole .txt scan file... up to you.

    thanks, Swann
     
  20. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Hi,

    Netsky.c and Bagle.j are the most common detections here
    Run the free removal tool below - click any link and download the file, run it, should clean all COMMON viruses/worms. Then reboot and run it again just in case :)

    http://www.kaspersky.com/removaltools

    Proceed with TDS full scan and let us know
     
  21. Jooske

    Jooske Registered Member

    Some remarks:
    McAfee doesn't install on an infected system, I was told.
    Which would mean the system was either not infected by that time,
    or the install went wrong and TDS found parts of McAfee infected afterwards -- was going to say the McAfee databases or the Quarantine area, but that is not true looking at the locations.
    So your McAfee installation is very unreliable at the moment too, maybe it was attacked by the infections too. So after Gavin's advice and when all clear you will have to uninstall and reinstall McAfee all again. Or one that does protect you really for how did the system get infected if McAfee had done its work properly.
    Anyway, there is hope.
     
  22. swann

    swann Registered Member

    Well, I ended up uninstalling McAfee. Its firewall program was keeping the computer from accessing the internet... and after re-running its virus checker and still coming up with nothing.... I went with your advice that something was wrong. I am at this moment running a new Anti-Virus called BitDefender... so far it has found 4912 Virus Bodies and is attempting to disinfect them... and delete if it fails at that. YAYA!! It's still going too!! Die Worms... die! Nonetheless after this, I'll get online and run some of the free online checkers just to be even safer, via everyone's advice. Thanks a lot everyone. Oh, can anyone suggest a good firewall program?

    Thanks, Swann
     
  23. swann

    swann Registered Member

    its up to 7278 identified virus bodies..2 identified viruses
     
  24. Tassie_Devils

    Tassie_Devils Global Moderator

    Oh dear, I can picture it now, knee-deep in blood and virus guts. :D

    Sounds like you are having some fun at last Swan. :)

    Just make sure you do those online scans.

    One more point, are you running System Restore?

    If so, you will need to turn that off after you finished scanning/deleting and before rebooting, as a reboot will clear all restore points. You don't want to go to all the trouble of cleaning, only for SysRestore putting them all back again. ;)

    Do your online scans, then rescan with TDS.

    Once you are satisfied system is clear, you can turn Restore back on and make a new point.

    Cheers, TAS
     
  25. Jooske

    Jooske Registered Member

    Wait a moment, restore points. If the McAfee was properly installed on a clean system 2,5 weeks ago, weren't you able to go to an old restore point from say 3 weeks ago before all this happened?
    Anyway, let the online scanners do their job. There is a little risk of false positives on innocent files, but in this case........unless you think to be really sure of some individual files which you can check online...... let the housecall and bitdefender do their cleansing and you'll be lots further. Gavin mentioned somewhere a free (?) scanner from KAV which does lots of cleansing too.
    When all this is done and cleansed and a fully updated TDS scan might show some more.
    Looking forward to a new scandump, hope it will be really small now!

    Firewall is a personal taste. McAfee firewall seems not to block much as far as I read comments about that, and it does not want to cooperate with Port Explorer.
    I like the ease of ZoneAlarm Pro, others prefer Kerio 2.... something, an older version anyway and that is free. Think this part you ask maybe best in the Other Firewalls Forum.
     