ntos.exe - locked files not scanned?

Discussion in 'ESET Smart Security' started by Dramastic, Jun 15, 2008.

Thread Status:
Not open for further replies.
  1. Dramastic

    Dramastic Registered Member

    Joined:
    Jun 5, 2008
    Posts:
    7
    Today when using SysInternals AutoRuns program, I noticed registry entries for ntos.exe (c:\windows\system32\ntos.exe). An internet search quickly revealed this might be something bad. Scanning with ESET simply skipped the file, which was 'locked'. A quick visit to download.com and download of the unlocker program (by Cedrick Collomb) later and an unlock of this file was all it took. Less than 1 second later ESET picked up on this and tossed it into Quarantine.

    So my question is this. There are a lot of files that get skipped by ESET because they are locked etc... Is this the responsibility of the Smart Security users to investigate? Or is this an exception rather than the norm?

    Perhaps ESET could contact Mr. Collomb and request some assistance in integrating unlocking type code into Smart Security. I don't know how hard it is for a virus to lock itself, but if that is all it takes for one to avoid detection as it goes about its business...

    Dramastic
     
  2. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hi!

    Maybe there is a driver which protects this file. It would be good if you made a log with ESET SysInspector and checked it.

    Best regards
     
  3. Dramastic

    Dramastic Registered Member

    Joined:
    Jun 5, 2008
    Posts:
    7
    Found this virus in additional locations now:

    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP395\A0036843.exe probably a variant of Win32/Spy.Agent trojan

    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP395\A0036862.exe probably a variant of Win32/Spy.Agent trojan

    C:\WINDOWS\cals.exe probably a variant of Win32/Spy.Agent trojan


    Dramastic
     
  4. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    1) Switch off System Restore (Control Panel => System => System Restore => Disable) and restart the OS. After that you can switch System Restore on again.

    2) Go to safe mode (restart the OS and, before the Windows logo appears, press F8 and choose Safe Mode) and remove that file (C:\WINDOWS\cals.exe).
     
  5. Dramastic

    Dramastic Registered Member

    Joined:
    Jun 5, 2008
    Posts:
    7
    Thank you Kosak for your assistance!

    Actually, though, it is already in quarantine, so it should be taken care of now.

    Interestingly the Quarantine considers most of the above mentioned files (and a few newly found ones) "a variant of Win32/ServU-Daemon application", while the log says "probably a variant of Win32/Spy.Agent trojan".

    But I digress, I really am looking for an answer to the question of who is responsible for the "locked files" on a system? Is ESET supposed to handle these or should I be setting aside an afternoon to investigate each and every locked file on my system manually?

    Dramastic
     
  6. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
    https://www.wilderssecurity.com/showthread.php?t=210014

    The above thread is a good start at answering your question. If ever bored or impatient for an answer, I found it by doing an Advanced Search in this forum for "locked".

    Note: Ironically and unfortunately a Search for - locked files - will give you (as far as I know) every thread with just "files" in it as well as Threads with "locked", so future Searches should have "Key Word" stated with that in mind.
     
    Last edited by a moderator: Jun 16, 2008
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Perhaps scanning the disk in safe mode might help. In normal mode, some threats can be so persistent against access/deletion that booting to safe mode or from clean media is inevitable.
     
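As an added illustration for the recurring question in this thread of which "locked" files are worth investigating (this is not code from the thread or from ESET): a read-only PowerShell triage script that walks the standard Run/RunOnce keys, the same kind of autorun entries AutoRuns showed for ntos.exe, and reports which target executables cannot be opened for reading because another process holds them. The registry locations and the function names are assumptions; the script only reads and classifies, it does not unlock, quarantine or delete anything.

```powershell
# Added example (not from the thread): report autorun targets that a scanner
# would have to skip as "locked", i.e. that cannot be opened for reading
# because another process holds them with a sharing lock.
# Assumptions: run as an administrator; these are the standard Run-key
# locations, not ones named in the thread.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run value, which may be quoted and may
# carry command-line arguments after the .exe.
function Get-ExePath([string]$command) {
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $command.Trim()
}

# Open the file the way a scanner would (read access, other readers allowed)
# and classify the failure instead of silently skipping it.
function Test-FileLock([string]$path) {
    if (-not (Test-Path -LiteralPath $path)) { return 'missing' }
    try {
        $fs = [System.IO.File]::Open($path, 'Open', 'Read', 'Read')
        $fs.Dispose()
        return 'readable'
    } catch [System.UnauthorizedAccessException] {
        return 'access denied'
    } catch [System.IO.IOException] {
        # The low 16 bits of HResult carry the Win32 error code;
        # 32 is ERROR_SHARING_VIOLATION, i.e. another process holds the file.
        if (($_.Exception.HResult -band 0xFFFF) -eq 32) { return 'LOCKED (sharing violation)' }
        return "io error: $($_.Exception.Message)"
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath ([string]$props.$name)))
        '{0,-28} {1}  <- {2}\{3}' -f (Test-FileLock $exe), $exe, $key, $name
    }
}
```

Entries reported as LOCKED are the ones a normal-mode scan would skip and are therefore the first candidates for a safe-mode or offline scan; "access denied" entries are protected by the operating system rather than held by a running process.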
  8. Shankle

    Shankle Registered Member

    Joined:
    May 2, 2006
    Posts:
    510
    I tried scanning in "SAFE MODE". It doesn't work running Windows Vista Business and SS 3.0.657. So I suppose it won't work in XP either. I have many locked files under both OS. So where do we go from here?
     
  9. Jenee

    Jenee Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    185
    I have also found that files can be locked in safe mode. I think ESS should be able to unlock the files and scan them; otherwise every virus writer will be using that method to infect machines. Very concerning.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It depends on which files you mean. The operating system protects crucial files against tampering (i.e. the swap file, system log files, etc.). If an antivirus program cannot access them, neither can a virus.
     
  11. Jenee

    Jenee Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    185
    I don't mean the crucial operating system files as I realise they are protected but a quick example is a large number of Google Desktop files which ESS cannot open.
     