ntos.exe - locked files not scanned?

Today when using SysInternals AutoRuns program, I noticed registry entries for ntos.exe (c:\windows\system32\ntos.exe). An internet search quickly revealed this might be something bad. Scanning with ESET simply skipped the file, which was 'locked'. A quick visit to download.com and download of the unlocker program (by Cedrick Collomb) later and an unlock of this file was all it took. Less than 1 second later ESET picked up on this and tossed it into Quarantine.

So my question is this. There are alot of files that get skipped by ESET because they are locked etc... Is this the responsibility of the Smart Security users to investigate? Or is this an exception rather than the norm.

Perhaps ESET could contact Mr. Collomb and request some assistance in integrating unlocking type code into Smart Security. I don't know how hard it is for a virus to lock itself, but if that is all it takes for one to avoid detection as it goes about its business...

Dramastic

 

Hi!

Maybe there can be driver, which protects this file. There will be good, when you make log by ESET SysInspector and check it.

Best regards

 

Found this virus in additional locations now:

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP395\A0036843.exe probably a variant of Win32/Spy.Agent trojan

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP395\A0036862.exe probably a variant of Win32/Spy.Agent trojan

C:\WINDOWS\cals.exe probably a variant of Win32/Spy.Agent trojan


Dramastic

 

1) Switch off system restore (Control panel => System => System restore => Disable) and restart OS. After it you can switch on system restore again.

2) Go to safe mode (Restart OS and before logo Windows appears, press F8 and choose safe mode) and remove that file (C:\WINDOWS\cals.exe).

 

Thank you Kosak for your assistance!

Actually though it is already in quarantine, so it should be taken care of now.

Interestingly the Quarantine considers most of the above mentioned files (and a few newly found ones) "a variant of Win32/ServU-Daemon application", while the log says "probably a variant of Win32/Spy.Agent trojan".

But I digress, I really am looking for an answer to the question of who is responsible for the "locked files" on a system? Is ESET supposed to handle these or should I be setting aside an afternoon to investigate each and every locked file on my system manually?

Dramastic

 

https://www.wilderssecurity.com/showthread.php?t=210014

Above Thread is a good start at answering your question. If ever bored or impatient for an answer, I found it by doing an Advanced Search in this Forum for "locked".

Note: Ironically and unfortunately a Search for - locked files - will give you (as far as I know) every thread with just "files" in it as well as Threads with "locked", so future Searches should have "Key Word" stated with that in mind.

 

Perhaps scanning the disk in safe mode might help. In normal mode, some threats can be quite persistent against accessing/deletion that booting to safe mode or from a clean media is inevitable.

 

I tried scanning in "SAFE MODE"
It doesn't work running Windows Vista Business
and SS 3.0.657. So I suppose it won't also work in XP.
I have many locked files under both OS.
So where do we go from here?

 

I have also found that files can also be locked in safe mode. I think ESS should be able to unlock the files and scan them otherwise every virus writer will be using that method to infect machines. Very concerning.

 

It depends on which files you mean. The operating system protects crucial files agains tampering with them (ie. the swap file, system log files, etc.). If an antivirus program cannot access them, neither can a virus.

 

I don't mean the crucial operating system files as I realise they are protected but a quick example is a large number of Google Desktop files which ESS cannot open.