Locked Files, help

Discussion in 'Trojan Defence Suite' started by Simkid, Aug 14, 2004.

Thread Status:
Not open for further replies.
  1. Simkid

    Simkid Registered Member

    Joined:
    Aug 14, 2004
    Posts:
    1
    I just downloaded the evaluation version of TDS-3 after my copy of AVG started reporting some trojans it couldn't handle. The three trojans are startpage.8.ak in system.exe, dialer.10.bf in wintime.exe and dropper.small.4.bm in tvmsys.exe. My problem is that when I run a scan, these files are all locked and can't be scanned. They are the only files that report this, and the help doesn't seem to have any mention of it. What can I do?
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Simkid and welcome to the forum.
    When you scan with one scanner, make sure all the other scanners are completely closed, including their resident protection, to give the scanner you're using complete access to all files.
    In the case of AVG: open the GUI, uncheck all the marks there and close it again. The systray icon should be grey now, and you can scan with TDS.
    Make sure you have set your Windows folder options to show all files and extensions (in any browser > View > Folder Options > show all hidden files, show all extensions > OK).
    For TDS:
    TDS > System Testing > Scan Control > check all possible options on both tabs, OK.
    Make sure you got the latest database from the site after install and reload TDS.
    Now you're ready for the Full System Scan. It can take a while, so go walk the dog or have a coffee; close all unnecessary programs and browsers to give TDS all the room it needs to speed up the scanning process.
    In the end, in the bottom console you'll see several alerts; right-click on one of them and save to text. This scandump.txt you can post in your next posting so we can help you clean out.
    If there are still locked files, which will probably be warned about in the main console, you can copy those parts too (highlighting them, then Ctrl+C and Ctrl+V in your posting, is the easiest way).
     
  3. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    These are more ad/spyware. Jooske, does TDS-3 detect/remove this stuff?

    http://www.sophos.com/virusinfo/analyses/trojstartpgay.html
    for the startpage trojan

    If anything else fails, we'll need to see your HijackThis log.

    Do you have Ad-Aware or Spybot installed?
    If the answer is no, then:

    Download the latest version of Ad-Aware:
    http://www.lavasoft.de/support/download/

    After installing AAW, and before running the program, please be sure to update the reference file following the instructions here:
    http://www.lavahelp.net/howto/updref/

    Reconfigure Ad-Aware for Full Scan:

    Launch the program, and click on the Gear at the top of the start screen.

    Click the "Scanning" button.
    Under Drives, Folders and Files, select "Scan within Archives".
    Click "Click here to select Drives + folders" and select your installed hard drives.

    Under Memory & Registry, select all options.
    Click the "Advanced" button.
    Under "Log-file detail level", select all options.
    Click the "Tweaks" button.

    Under "Scanning Engine", select the following:
    "Unload recognized processes during scanning."
    Under "Cleaning Engine", select the following:
    "Let Windows remove files in use after reboot."
    Click on 'Proceed' to save these Preferences.

    Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.
    ----------------------------------------------------------
    SPYBOT SEARCH & DESTROY

    1. Next, download and install Spybot Search and Destroy.

    2. Go to Start > Programs >Spybot - Search & Destroy and choose ‘Spybot S&D - easy mode’

    3. Close ALL windows except Spybot S&D

    4. Click the button to ‘Search for Updates’ and download and install the Updates.

    5. Next click the button ‘Check for Problems’

    6. When Spybot is complete, it will be showing ‘RED’ entries, ‘BLACK’ entries and ‘GREEN’ entries in the window.

    7. Put a check mark beside the RED entries ONLY.

    8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.

    9. REBOOT

    Looks like you'll have to temporarily disable your antivirus for the spyware scanners to be able to do their job properly, as well as for TDS.

    By the way, did you update your TDS before scanning? It doesn't help you if you scan with an old radius.td3 database.

    How to update: first close TDS.
    Download the update from here.
    Important: right-click the link and select Save As.
    Save the downloaded radius.td3 file to your TDS directory (where you installed TDS), overwriting the existing radius.td3.

    You can then start TDS and it will load the new database.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Illukka, thanks for jumping in.
    Yes. TDS does detect a lot of adware/spyware these days, as a lot of it is trojan-like currently. Although Gavin recommends additionally using SpyBot S&D and Ad-Aware for complete removal, especially when it comes to checking the registry with those, I guess.

    It's always advisable during install and scanning to disable anti-virus and other scanners for a proper installation and scanning.
    AVG, for instance, found a nasty and blocks all access to it by anything else, hence the "locked files". Furthermore, AVG makes its finds completely hidden from other scanners and logs, including the HJT log. So also when creating a HJT log, AVG should really be closed. It's not a bad scanner, but it should be disabled temporarily in these conditions.
    I would close it too during the Ad-Aware and SpyBot S&D scans.
    And it's imperative that all files are showing in the folder options, or people might think they don't have certain nasty files, and it's with those that you spyware fighters would recognise, in among others a HJT log, what's going on.
    There might be more scanners with those hiding habits :)
    Thanks for jumping in; with a HJT log if necessary, I feel more convinced of a clean system saved for the internet again.
     