something strange...

Discussion in 'Trojan Defence Suite' started by vindafarna, Sep 17, 2004.

Thread Status:
Not open for further replies.
  1. vindafarna

    vindafarna Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    2
    ...happened to me a few hours ago.
    Just started surfing: AVG running, firewall up, TDS-3 with execution protection doing its bit to keep me safe and sound. Suddenly the ZoneAlarm Pro screen flashed into view and everything froze. All programs indicated Not Responding :eek:
    Rebooted, and ran some tests. Nothing showed as a nasty, but TDS-3 gave me a message I hadn't seen before.
    The screen informed me, immediately after the [CRC 32] scan (and it verified 31 files, as expected), of the following:

    [locked file] couldn't open c:\documents and settings\me\application data\b??t?g.exe for read access file is locked
    Navigated to the location and discovered that the .exe had been created only minutes ago. Well, the file is gone now, though I had to remove it manually after closing it via ctrl+alt+delete. Oddly enough, it still doesn't show as dangerous/suspect/whatever on any scans I make of it.

    Any suggestions as to what the wretched thing might represent?

    Confusedly,

    V
     
  2. TDSFan

    TDSFan Guest

    It would have been really nice if you'd SUBMITTED THE FILE TO DCS - BEFORE - MANUALLY DELETING IT!

    Kind of hard to help/tell you anything without a copy of whatever it was.
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yes, please zip and submit and after you can delete the thing;
    did TDS scan find other things?
    What were you doing the moment the thing happened, opening an email, visiting a site, anything you remember?
    Maybe AVG alarm didn't show up but blocked the access to the file.
    During a scan with TDS for instance it is necessary to disable AVG completely. If another program like AVG is protecting a file TDS has no access to it to scan it and you'll see that "locked".
    So in your next TDS scan please do it without AVG. Hope you'll find nothing bad anymore. Was b??t?g.exe the name it gave or didn't you quite remember what it was? Is it still in the recycle bin or deleted from there as well?
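    The two things the first post describes (a freshly created executable under Application Data whose name TDS printed with "?" characters, reported as a locked file) and the point made just above (a file held open by a resident scanner shows as "locked" because TDS cannot get read access) come down to the same checks. The PowerShell script below is an added example written for this page, not code from the thread, from TDS or from any vendor: it lists recently created executables under a profile folder, flags names containing characters outside ASCII, and tests whether each file is currently held open by another process. The default root path, the 60-minute window and the extension list are assumptions.

```powershell
# Added example for this thread, not TDS or forum code. Lists recently created
# executables under a profile folder, flags non-ASCII file names (the "b??t?g.exe"
# case) and reports whether each file is currently held open by another process.
# Assumed values: the default root, the 60-minute window and the extension list.
param(
    [string]$Root = (Join-Path $env:USERPROFILE 'Application Data'),  # XP-era path used in the post
    [int]$MinutesBack = 60
)

$since = (Get-Date).AddMinutes(-$MinutesBack)
$executableExtensions = @('.exe', '.dll', '.scr', '.com', '.pif')

function Test-NonAsciiName {
    param([string]$Name)
    # Any character outside 0x00-0x7F (Greek, Cyrillic, ...) is a look-alike candidate.
    return ($Name -cmatch '[^\x00-\x7F]')
}

function Test-FileLocked {
    param([string]$Path)
    # Ask for read access with no sharing. If a resident scanner, or the process that
    # dropped the file, still has it open, the OS refuses and we get an IOException;
    # this is the condition a scanner reports as "locked file".
    try {
        $stream = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                        [System.IO.FileAccess]::Read,
                                        [System.IO.FileShare]::None)
        $stream.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    } catch [System.UnauthorizedAccessException] {
        # Not a sharing conflict, but still unreadable for us; surface it the same way.
        return $true
    }
}

Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $executableExtensions -contains $_.Extension.ToLower() } |
    Where-Object { $_.CreationTime -ge $since -or (Test-NonAsciiName $_.Name) } |
    ForEach-Object {
        [pscustomobject]@{
            Created      = $_.CreationTime
            NonAsciiName = Test-NonAsciiName $_.Name
            Locked       = Test-FileLocked $_.FullName
            Hidden       = [bool]($_.Attributes -band [System.IO.FileAttributes]::Hidden)
            Path         = $_.FullName
        }
    } | Sort-Object Created -Descending | Format-Table -AutoSize
```

    Run it as the affected user against that user's profile. A hit that is both freshly created and locked is the one to zip and submit, as the replies above ask, before anything is deleted; the Locked column also tells you whether a resident scanner is still holding the file, which is the same reason the replies say to close AVG before a TDS scan.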
     
  4. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Yes, maybe, but when people are suddenly hit like that, the majority just want it OFF their PC without thinking about submitting, so I can understand the poster just wanting it gone. :D

    Cheers, TAS
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Sure Tas, it would be my first idea too, absolutely, certainly with that complete system lock -- but after the first shock (maybe because of being used to TDS finding unexpected alarms at times over the many years of using it) I would try to locate and zip it so it can't do any harm (after having first of all stopped that nasty process, of course!!).
    Think you did the right steps:
    locating the running process, stopping it, deleting it.
    Did you do in the meantime a full system scan with TDS and maybe one of the online scanners? And of course SpybotS&D and whatever you feel to, but in all cases please have AVG closed including its resident protection during those scans.
    Can you see in your ZAPro log file what happened around that time, a portscan on a certain port maybe, something with your mailsafe?
    Trying to analyse what happened, does ZAPro see the AVG scanner as anti-virus? Could it have been the combined protection with ZAPro and AVG immediately locking that file for all further access? Expecting such an event written somewhere, maybe even in the windows event log!
    Did ZAPro lock the system because of an illegal intrusion or whatever was happening?

    One other thing:
    did you disable system restore and reboot and enable it again, creating manually a new restore point, to avoid re-infection with whatever it might have been?

    Please post back how it goes now and what you might have found!
    If all scans are further ok, then you might trust it, and you might like to use HiJackThis to look into your log if there is anything unexpected.
     
  6. vindafarna

    vindafarna Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    2
    Dear peeps,

    Yup, in retrospect my reaction reeks of...well, panic, not to put too fine a point on it. I thought that I had provided myself with the equivalent of a cyber chastity belt, and when things went pear-shaped I did take the EEEEK! option, which was not well advised.
    Thank you for taking the time to respond, and for throttling back on the sighing and eye-rolling. I will say that the episode erupted immediately after I had closed a pop-up (maybe clicked on the wrong area out of carelessness?) and that the file concerned seemed to have a Greek character wherever TDS showed the ?; certainly the filename looked odd. Unfortunately in the course of my frenzied attacks on the beastie I also chucked the thing out of recycle. Hell, I'd prolly have stamped on it if I had been able to :doubt:
    Can I close by observing that this was the first time in 2 years that TDS-3 did other than hold my hand and reassure me by kicking trojan/whatever butt; so yes, I was shocked to encounter something that caused such ructions. Even then, the prog alerted me to look in the right place to start the disinfection process.
    I shall sort around and assemble such logs as might be relevant to see if any useful info can be salvaged, and thanks once again, particularly for the advice re AVG7.

    Love'n'Kisses

    V
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Must have been the ZAPro safety system lock, it's somewhere in its settings; when it happens it's certainly scary, but all possible damage is prevented.
    I thought the system lock only disconnected all internet traffic immediately and left you the chance to do your stuff; had not thought of a complete freeze.

    BTW: the EEEEK! option doesn't sound very convincing in TDS. Type in the bottom
    speak "EEEEEEK!"
    and listen to the result. :cool:
     
    Last edited: Sep 19, 2004
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    that file is one of the newer adware trojans

    We see a lot of them looking at hjt logs

    I would advise doing this as it always comes with several other passengers

    go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it (repeat for every user name/account )

    and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well and everything in C:\temp

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Reboot normally &

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware SE from http://www.lavasoft.de/support/download


    and while you are at the adaware site download and install http://www.lavasoft.de/software/addons/vx2cleaner.shtml

    and run it before the main adaware scan and follow its directions

    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least SE1R8 13.09.2004 or a higher number/later date
    Then click the "Scan" button and select full scan

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop-down menu) then press next and then say yes to the prompt, do you want to remove all these entries. You can safely ignore any MRU entries though and not delete them

    reboot again

    Run an online antivirus check from at least one and preferably 2 of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/

    reboot again

    and tell us what was found
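    The temp-folder step at the top of the list above is tedious to repeat for every account by hand. The PowerShell script below is an added example written for this page, not dvk01's or any vendor's code: it empties each profile's temp folder plus C:\Windows\Temp and C:\Temp, skips anything still in use, and supports -WhatIf so you can see what would go before anything is deleted. The profile root (taken as the parent of the current profile) and the two per-profile temp layouts it checks (the XP-era "Local Settings\Temp" and the later "AppData\Local\Temp") are assumptions; the Internet Options steps and the scanner runs that follow in the post are not replaced by it.

```powershell
# Added example for this thread, not dvk01's or a vendor's script. Empties every
# profile's temp folder plus the system temp folders named in the post. Assumes the
# profiles live beside the current one (C:\Documents and Settings on XP, C:\Users
# later) and checks both per-profile temp layouts. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ProfilesRoot = (Split-Path -Path $env:USERPROFILE -Parent)
)

# Per-profile temp folders (both the XP-era and the later layout) plus system temp.
$candidates = @(
    Get-ChildItem -LiteralPath $ProfilesRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            Join-Path $_.FullName 'Local Settings\Temp'
            Join-Path $_.FullName 'AppData\Local\Temp'
        }
)
$candidates += Join-Path $env:SystemRoot 'Temp'   # C:\Windows\Temp
$candidates += 'C:\Temp'
$tempFolders = $candidates | Where-Object { Test-Path -LiteralPath $_ -PathType Container }

$removed = 0
$skipped = 0
foreach ($folder in $tempFolders) {
    Write-Verbose "Clearing $folder"
    foreach ($item in Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue) {
        if (-not $PSCmdlet.ShouldProcess($item.FullName, 'Remove')) { continue }
        try {
            Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop
            $removed++
        } catch {
            # An item still open by a running process (possibly the very thing being
            # cleaned up) cannot be removed; note it and carry on. Those names deserve
            # a second look after the reboot the post calls for.
            Write-Warning "Skipped $($item.FullName): $($_.Exception.Message)"
            $skipped++
        }
    }
}
Write-Output "Removed $removed item(s), skipped $skipped."
```

    Save it as a .ps1 and run it from an elevated prompt, first with -WhatIf -Verbose to review the list, then for real; the warnings it prints are the files to check against the scanner results before rebooting.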
     