Full System Scan: Locked Files & Streams

Discussion in 'Trojan Defence Suite' started by JCC, Dec 29, 2003.

Thread Status:
Not open for further replies.
  1. JCC

    JCC Guest

    I did a full system scan. My results are below.

    As you can see, there are some locked files. If TDS cannot open them, how can it test them for Trojans?

    Also, what is the point of the "show all streams option" if TDS doesn't find Trojans or executables in them? Are streams dangerous even if TDS doesn't find executables and Trojans in them?

    I hope I don't sound to frustrated. I am having fun learning this program.
    Scan Results:

    23:37:13 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
    23:37:13 [Init] Started 28-12-03 23:37:13 Pacific Standard Time (UTC: :cool:, Internet Time @1359.18
    23:37:13 [Init] Loading TDS-3 Systems ...
    23:37:13 [Init] Token successfully adjusted.
    23:37:13 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
    23:37:13 [Init] • Plugins : OK. Loaded 13
    23:37:13 [Init] • Exec Protection : Not Installed
    23:37:13 [Init] WARNING: Your Radius.TD3 database needs to be updated!
    23:37:13 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
    23:37:13 [Init] Licensed users can use the Update facility from the TDS menu
    23:37:13 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    23:37:18 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    23:37:18 [Init] • Systems Initialised [30784 references - 10832 primaries/8859 traces/11093 variants/other]
    23:37:18 [Init] Radius Systems loaded. <Databases updated 27-12-2003>
    23:37:18 [Init] TDS-3 Ready.
    23:37:18 [Tip Of The Day] DiamondCS have, and continue to develop a wide range of software, including the world's original and still the strongest BO2K scanner. Visit http://www.diamondcs.com.au for free downloads!
    23:37:18 [TDS] Good evening Joe.
    23:37:21 [Mutex Memory Scan] Started...
    23:37:23 [Mutex Memory Scan] Finished (no trojan mutexes found).
    23:37:23 [Trace Scan] Started...
    23:37:30 [Trace Scan] Finished.
    23:37:30 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
    23:38:22 [CRC32] Started - verifying 29 files ...
    23:38:25 [CRC32] Test finished.
    23:40:05 [Memory Scan] Memory scan started, please wait a moment ...
    23:40:07 [Memory Scan] Memory scan complete.
    23:40:07 [Mutex Memory Scan] Started...
    23:40:09 [Mutex Memory Scan] Finished (no trojan mutexes found).
    23:40:09 [Trace Scan] Started...
    23:40:16 [Trace Scan] Finished.
    23:40:16 [ServiceScan] Scanning for services and drivers ...
    23:40:19 [ServiceScan] Scanned 302 services and drivers.
    23:40:19 [File Scan] Scanning in A:\ ...
    23:40:20 [File Scan] Scanned 0 files: 0 alarms in 1.085938 seconds (Avg 1. files/sec)
    23:40:20 [File Scan] Scanning in C:\ ...
    23:40:24 [NTFS ADS] Stream found - c:\documents and settings\all users\application data\microsoft\windows nt\msfax\sentitems\s-1-5-21-927890586-3685698554-67682326-1005$201c3c3defd6bea.tif:Xj1phwzh5qcwungrN45kt3kiCe
    23:40:24 [NTFS ADS] Stream found - c:\documents and settings\all users\application data\microsoft\windows nt\msfax\sentitems\s-1-5-21-927890586-3685698554-67682326-1005$201c3c3df944244.tif:Xj1phwzh5qcwungrN45kt3kiCe
    23:51:21 [Locked File] Couldn't open c:\windows\$ntuninstallq307274$\spuninst\spuninst.exe for read access, file is locked
    23:51:21 [Locked File] Couldn't open c:\windows\$ntuninstallq308131$\spuninst\spuninst.exe for read access, file is locked
    23:51:21 [Locked File] Couldn't open c:\windows\$ntuninstallq308402$\spuninst\spuninst.exe for read access, file is locked
    23:51:21 [Locked File] Couldn't open c:\windows\$ntuninstallq308677$\spuninst\spuninst.exe for read access, file is locked
    23:51:21 [Locked File] Couldn't open c:\windows\$ntuninstallq311345$\spuninst\spuninst.exe for read access, file is locked
    23:51:21 [Locked File] Couldn't open c:\windows\$ntuninstallq311455$\spuninst\spuninst.exe for read access, file is locked
    23:51:21 [Locked File] Couldn't open c:\windows\$ntuninstallq311889$\spuninst\spuninst.exe for read access, file is locked
    23:51:21 [Locked File] Couldn't open c:\windows\$ntuninstallq312368$\spuninst\spuninst.exe for read access, file is locked
    23:51:22 [Locked File] Couldn't open c:\windows\$ntuninstallq314412$\spuninst\spuninst.exe for read access, file is locked
    23:51:22 [Locked File] Couldn't open c:\windows\$ntuninstallq315000$\netsetup.exe for read access, file is locked
    23:51:22 [Locked File] Couldn't open c:\windows\$ntuninstallq315000$\spuninst\spuninst.exe for read access, file is locked
    00:00:36 [File Scan] Scanned 35127 files: 2 alarms in -85184.13 seconds (Avg .59 files/sec)
    00:00:36 [File Scan] Scanning in D:\ ...
    00:00:36 [File Scan] Scanned 0 files: 2 alarms in 9.998322E-03 seconds (Avg 1. files/sec)
    00:00:36 [Scan] Finished.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello JCC, welcome!
    Here is a nice explanation page about the streams:
    http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams
    Most users consider streams under 80 bytes not dangerous and ignore those in the settings.

    About the locked files am thinking what might be the cause. They seem uninstall files?

    You would certainly agree with all the fun we're having with TDS as well: security made a happy experience again!
    I'm sure you will love the other programs and tools too to work all together.
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Are you able to send a zipped file (one of them) to support@diamondcs.com.au so they can look what kind of file it is and why it might be locked?
    It's the first time i see this so i don't think they appear this way on all other systems.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes they are. They are uninstall files produced by your computer should you ever wish to uninstall an MS update. They are compressed, hidden reado nly files & there are no known security risks as far as I am aware.
     
  5. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Yep, I believe they are uninstall files for Microsoft Patches.....nothing to worry about JCC :).

    Regards,
    Jade.
     
  6. JCC

    JCC Guest

    Thanks. Are those files locked on everyone's computers? And if they can't be scanned, how do we know that no trouan will ever hide in one?
     
  7. JCC

    JCC Guest

    :D Thanks. But now I'm curious. Why don't they show up when everyone does a scan? Why wouldn't they show up when Jooske does a scan?
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Jooske is running W98SE :) And probably deletes those files to save space :D

    Sorry Jooske, I could not resist ;)
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Pilli, you only dared thinking i was safely on my last day of the year shoppings like many people :)
    Back now with oliebollen (dumplings - bought them; google for images to know what they are)

    Win98SE seems not to keep them, guess that's part of the XP among others. I think to have seen at such systems at times warning messages about files intending to overwrite original files and asking permission etc etc, so that might be part of such files.
    You will notice in TDS several mysterious files too, which are vital and can be used to replace corrupted or lost originals.
     
Thread Status:
Not open for further replies.