Adaware = Ransomware? Pay support $25 to fix your problem. Support Ticket GS#MBV-TqsX2-693


27 replies to this topic

#21 visitor

visitor

    Advanced Member

  • Valued Member
  • 2855 posts

Posted 17 September 2010 - 03:26 AM

The EICAR test file mentioned in Andy's process is a fake malware file - it should be detected by security software without actually being malicious.
Before posting, please read the pinned topics atop the forums or check the Lavasoft searchable FAQs.

Lavasoft Support for Plus/Pro paid licenses.

Help fight malware! Upload Suspicious Files to Lavasoft.

Malware removal assistance? Please read this first.
After following the instructions, open a new thread in the HijackThis Forum where you can copy/paste your HJT log.
Note: do not bump HJT threads by replying - volunteer security advisors help the 0 reply threads on a first-come, first-served basis.
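As an added illustration of the point about the EICAR file (this is not code from visitor's post, from Lavasoft, or from anyone in the thread), the Python below builds the test file from its published 68-byte string, compares it with the widely published MD5/SHA-256 checksums of that file, and validates an arbitrary file against EICAR's own rule that only trailing whitespace (space, tab, CR, LF, CTRL-Z) may follow the string and that the total length may not exceed 128 bytes. That validator is what a responder would use to confirm that an alert on a "quarantined" object was a harmless test rather than real malware. Writing the file to disk happens only in the `main` block, because that write is exactly what an on-access scanner is expected to flag.

```python
"""Build and validate the EICAR anti-malware test file.

Added example, not code from the thread or from Lavasoft. The test string and
the rules on trailing whitespace / maximum length are EICAR's published
specification; the hash values are the published checksums of the bare
68-byte file.
"""
import hashlib
import tempfile
from pathlib import Path

# The 68-byte test string, kept as two literals so that this source file does
# not itself contain the contiguous signature that on-access scanners match.
# The bytes produced by eicar_bytes() are the exact standard string.
_EICAR_PART_1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
_EICAR_PART_2 = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Published checksums of the bare 68-byte file.
EXPECTED_MD5 = "44d88612fea8a8f36de82e1278abb02f"
EXPECTED_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# EICAR permits only these bytes after the string, and at most 128 bytes total.
_ALLOWED_TRAILER = frozenset(b" \t\r\n\x1a")
_MAX_LEN = 128


def eicar_bytes() -> bytes:
    """Return the canonical 68-byte test string as ASCII bytes."""
    return (_EICAR_PART_1 + _EICAR_PART_2).encode("ascii")


def file_hashes(data: bytes) -> dict:
    """Return MD5 and SHA-256 hex digests for comparison with the published values."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_eicar_file(data: bytes) -> bool:
    """True if `data` is a valid EICAR test file under EICAR's own rules.

    A valid file starts with the exact 68-byte string, is at most 128 bytes
    long, and anything after the string is whitespace (space, tab, CR, LF,
    CTRL-Z). Anything else, e.g. a real executable that merely embeds the
    string, is rejected.
    """
    sig = eicar_bytes()
    if len(data) > _MAX_LEN or not data.startswith(sig):
        return False
    return all(b in _ALLOWED_TRAILER for b in data[len(sig):])


def write_test_file(directory: Path) -> Path:
    """Write eicar.com into `directory` and return its path.

    Deliberately not run at import time so that merely importing this module
    does not drop a detectable object onto disk.
    """
    path = Path(directory) / "eicar.com"
    path.write_bytes(eicar_bytes() + b"\r\n")  # a CRLF trailer is allowed
    return path


def verify_file(path: Path) -> dict:
    """Read a file and report whether it is a valid EICAR test file, plus its hashes."""
    data = Path(path).read_bytes()
    return {"valid": is_eicar_file(data), "size": len(data), **file_hashes(data)}


if __name__ == "__main__":
    data = eicar_bytes()
    print("length:", len(data), "bytes")
    print("md5 matches published value:   ", file_hashes(data)["md5"] == EXPECTED_MD5)
    print("sha256 matches published value:", file_hashes(data)["sha256"] == EXPECTED_SHA256)
    # On a machine with on-access scanning, this write (or the read back) is
    # expected to be blocked or quarantined; that is the behaviour being tested.
    with tempfile.TemporaryDirectory() as tmp:
        p = write_test_file(Path(tmp))
        print(p.name, verify_file(p))
```

Run it on the second, working computer from the thread's workaround: if the scanner does not intervene on the write, its on-access protection is off (or excludes that directory), which is the state step 2 of the workaround needs; if it does intervene, `verify_file` on the quarantined copy later confirms the object was only the test file.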

#22 Aslan

Aslan

    Member

  • Members
  • 26 posts

Posted 17 September 2010 - 07:19 AM

I'm sorry, I had some wine earlier in the evening, and I am having difficulty understanding and following the instructions provided by LS Andy. I'll have another look at this tomorrow. Until then I need to refrain from comment.

#23 Aslan

Aslan

    Member

  • Members
  • 26 posts

Posted 21 September 2010 - 08:57 PM

Moderators, please remove my post http://www.lavasofts...s...st&p=122800 .

I worked on this a bit yesterday, but didn't get started soon enough and had to leave to get to the Monday night ride. It's a fun 30 mile ride through the streets of Columbus, Ohio, the sixteenth largest city in the US, with about 50 other mostly normal people on bicycles.

Here's a way for Lavasoft to avoid this issue almost altogether. I would have been fine if I had been able to use the System Restore feature. I was unable to, however, because Ad-aware helpfully removed the file from System Restore as well as the copy in the bootable Windows folder. I propose instead that Ad-aware quarantines the files it detects in Windows as normal, but does not remove the files from System Restore until after one successful Windows startup.

Regarding the PDF documentation, http://www.lavasofts...a...ost&id=8313 , I don't feel that it's in a form yet that would allow a user to make use of it. With my broad technical knowledge and first-hand knowledge of the problem I still failed to understand what the purpose of the instructions was. Directions written for the user should explicitly state nearly everything, leaving nothing to imagination. Users do interesting things in such cases, where boring and expected is good. The user is the world's laggiest, most corruption-prone terminal. Other than minor differences in screenshots such as window borders, when the user might see a screen that is different than presented it should be noted and the user told what to do in that particular case.

Regarding the text of the instructions provided

There's an overview of the steps provided but they never state the goal or an important requirement, that being that you have access to a second working computer with Windows XP or later. Also remind the user to make sure their computer has run Windows update and is in fact up to date (There was a virus recently that infected Windows computers merely by having a custom icon displayed in Explorer.)

Step 1. I'm using Ad-Aware Free Anniversary Edition. The screenshots and instructions provided are for a newer version. This makes little difference to the user as the user will see that the Adwatch live service is already disabled and from there can skip to the next step, however it should be explicitly stated. (Even when I had access to the Ad-watch live service I never felt that I had enough processing power to run that and antivirus without slowing down the computer so I've effectively never used it. My choice was always antivirus. I've never seen Adwatch live accomplish anything that Ad-aware can't after the fact.) So, for step 1 add, "If realtime protection is already off, continue to step 2".

Step 2. "The quarantine file is located in:" and "Copy the quarantine file" should be done on the original computer if that is possible. How would this be possible? By using the Recovery Console found as a boot option on the Windows install disk, or using a bootable Linux distribution that reads and writes NTFS (slightly difficult; I can't name one that does this by default off the top of my head) and copying the files to a flash drive, or removing the hard drive from the non-bootable PC and connecting it to a second working computer with a USB dongle/case. Note that nothing from the hard drive is able to infect the second computer if the user holds down Shift while they connect the drive and for about 15 seconds or so beyond that, and as long as they refrain from opening, viewing or double-clicking any files other than the ones they are told to on the unbootable disk.

At this point it may be necessary to disable your antivirus software, depending on its settings, if it's scanning downloads or scanning all file system accesses. Alternatively you could just disable the realtime file access scanning part, but those instructions would devolve into instructions for a dozen different antivirus programs.

So on the second computer, the one that works download the Eicar test file.

Step 3. Follow step 3 on the second computer as written.

Step 4. The file URL provided in step 4 for Vista is incorrect: "Vista: c:\Program Data\Lavasoft\Ad-Aware\Quarantine\". It should read "C:\ProgramData\Lavasoft\Ad-Aware\Quarantine"; there shouldn't be any space between Program and Data. This probably needs to be corrected for Windows 7 as well, as it's really just Vista R2.

To delete the quarantined Eicar test file it may be necessary to have administrator rights in Vista and Windows 7.

Step 5. After following step 5 the EICAR test file is added to Ad-aware's permanent ignore list. If one needs to restore another file now or in the future, you must remove the EICAR test file from that list. To do so, go to Ad-aware's home screen, click Scan, click Ignore List, and from the action menu for the EICAR test file select Remove, then click Perform Actions. When this is done you can use the EICAR test file to get more files back from quarantine.

Thoughts on the Decrypt_quarantine_file_workaround.pdf http://www.lavasofts...a...ost&id=8313

With the above modifications it works and is very useful. However it requires being comfortable with computers and having one of the following: knowledge of how to use the Windows Recovery Console and the appropriate permissions set in Windows to allow its use (Windows XP Pro does not permit the Recovery Console access to the Quarantine folder because of its path, and it also does not permit access to the Windows directory, unless you explicitly granted it those permissions from within Windows before this happened. I can find no way to change those permissions from the Recovery Console itself), or the ability to use a Linux live CD that has the ability to read and write NTFS file systems (can anyone name such a distro, preferably with a GUI?), or removing the boot hard drive from the unbootable computer and placing it in or attaching it to a second computer. For the user uncomfortable with this the one sentence solution is "Reinstall Windows" or, print this document and take it in for repair. An alternative, if Lavasoft were supporting the user, would be out-of-band access to the computer with the Lantronix SecureLinx Spider. ( http://www.lantronix...nx-spider.html ) Lavasoft would overnight the device to the user, and then the user merely needs to plug the device into their computer and provide the IP to Lavasoft to allow the Lavasoft tech access to the computer. This is complicated by the fact that the user does have to provide the address of the Spider. To eliminate this requirement, connect a serial modem, the sort that works with Linux, to the Spider and connect that to the phone line. When everything is plugged in they call Lavasoft, confirm that things are set up properly, and provide Lavasoft the phone number.
In several months Lantronix will be launching a new Spider and service called "Access my device" that can be customized by them with management software that connects back to Lantronix as soon as it's plugged in, giving you access to the correct IP for the remote Spider. (Lantronix is extremely customer service oriented, answering calls immediately with a live person who transfers you to the person you need to talk to without a moment's delay.)

I've verified to my satisfaction that the above instructions work with the modifications provided by stepping through them with live adware. Should you wish to verify the solution for yourself it is necessary to have a second file that Ad-aware detects as a positive. Therefore, I would have attached a quarantined DLL file that I got from the iWon MyWebSearch toolbar, however I'm not permitted to do that so... Note, the application as a whole has a TAI of 3, the same as a browser cookie.

An additional post will follow with an alternative suggestion for assisting users in this instance.
("`-''-/").___..--''"`-._
	   `6_ 6  )   `-.  (	 ).`-.__.`)
		(_Y_.)'  ._   )  `._ `. ``-..-'
	 _..`--'_..-_/  /--'_.' ,'
	(il),-''  (li),'  ((!.-'

Removed malware link ~ SpySentinel

Edited by SpySentinel, 23 September 2010 - 06:32 PM.
Removed malware link ~ SpySentinel


#24 Aslan

Aslan

    Member

  • Members
  • 26 posts

Posted 21 September 2010 - 10:20 PM

So, the above instructions work for the knowledgeable computer user of moderate skill. That's not good enough though; there are still the users of less skill. For them we need a Mac-like solution where they can click and it works; unfortunately they're using Windows. (humor) My suggestion is either the Lantronix Spider mentioned above or

Give them a boot disk that does nearly everything for them. This boot disk would run Ad-aware front and center, automatically pointed at the hard drive that was the problem. Best case, it would be updated daily before the customer downloaded it with its own set of definitions that would include false positives and files that are infected but necessary to boot Windows. When it is run it would attempt to connect to the internet through Ethernet and wifi to obtain an even more recent set of definitions. With the new definitions Ad-aware automatically determines which file to restore. If it is unable to do so it gives control to the user and asks them which to restore. Second best case, the boot disk runs vanilla Ad-aware and the user navigates Ad-aware and chooses which quarantine file to restore. In either case, if the file remains infected after being restored from quarantine it gets uploaded automatically to your "Threat network" for analysis.

That's what needs to happen; how will it be accomplished? There are three options, all fraught with varying degrees of license, patent, and/or legal landmines. My first choice would be a custom remix of a Linux distro. This Linux distro would be lightweight, have a GUI, and be able to read and write NTFS disks. You would add to that Wine so that Ad-aware could run unmodified. Ad-aware's environment would be configured in such a way that it would know what disk it needed to do its work on. Second choice, Windows PE. It's a version of Windows that exists to run off a CD and do things without needing to boot Windows from the hard drive, things like backup, diagnosis, and other maintenance tasks. It runs standard Windows code. Third choice, BartPE. BartPE is a program that takes a Windows install disk and the programs you want to run on it, combines them together and spits out a bootable disk. It runs a modified version of XP. http://www.nu2.nu/pebuilder/ .

An alternative to this alternative is to code a version of Ad-aware that works from a FreeDOS boot disk with the bare minimum the program needs to remove a file from quarantine and restore it to its original location.

So, how do you deliver this boot disk to the user? Two options, physical or virtual. Virtual is the cheapest and therefore preferred. You take your boot disk and package it with a CD burning program with verification. Put this in a self-extracting executable that, when it's run, verifies itself, extracts, and is scripted to run the CD burning program. The program then tells the user to insert a blank CD. The user does, the program senses it and starts burning. So what the user would do in this process: download the file, double click, be prompted to insert a blank CD, and that's it. I suggest limiting the burn speed to 4x to get a better burn, and then verifying the data on the disc afterwards just to make sure. You could also make a version of the above for flash drives, as there are a few computers out there without optical drives, or at least CD burners.

Second option is the physical one. Print the boot cd's yourself and overnight them to the users that need them.

How do you reduce the size of the downloads? Use 7z for compression; it's the most efficient of the non-fractal compression programs. Ad-aware itself is now over a 200MB initial download between the program and the definitions, have you noticed that? That's going to be something like a 20 hour download on a 56k modem by itself alone. You might be able to include just the Ad-aware program on the boot disk and grab the definitions from the hard drive, or you might just be able to run the copy of Ad-aware from the hard drive with its definitions, which would cut the size of the boot disk by 200MB.

I hope that helps. Thanks to LS Andy for the workaround above. It was too late for me, but I hope it helps others.


Edited by Aslan, 21 September 2010 - 10:24 PM.


#25 Aslan

Aslan

    Member

  • Members
  • 26 posts

Posted 21 September 2010 - 11:17 PM

Sorry for the multi-post here, but each one addresses a different subject. This one should wrap up my posting for the moment.

...
not sure why Aslan has to mention Kazaa as that's now obsolete and there are other alternatives to Kazaa (like Shareaza) that are far better and more compatible & reliable with newer versions of Windows.
....

While using Kazaa I discovered my need for an anti-adware program in addition to antivirus. I mentioned this to establish that I've been using Ad-aware for eight or nine years now.

If you like to, you can search on Google for a way to download malware but that is not recommended. It is not a good idea to test using real malware as you can get infected.
...

Thanks for being so helpful SpySentinel. Please quote me where in the rules it says I am not permitted to request an adware sample for testing purposes. I attempted to be responsible in doing so by asking it be sent by PM, such that it would not affect anyone else. Without a second sample of adware I was unable to test the method presented by LS Andy. In fact I can't even find where in the rules it states not to post links to adware at the moment. As for using Google to find adware, that's essentially not possible as Google removes pages from its index for hosting viruses and adware. Getting infected was the point of testing with real malware. I wasted three hours browsing with my antivirus off to locate some. What would have been nice is if someone could have provided a link to adware Ad-aware was already familiar with that was mostly harmless and I could have worked with that.

The volunteer moderators of this board are quite edit happy. I will thank you at least for noting when you've modified my posts, and I'm not 100% sure what happened with the initial one.

Edited by Aslan, 21 September 2010 - 11:25 PM.


#26 SpySentinel

SpySentinel

    Valued Member and HJT Analyst

  • Volunteer Security Advisor
  • 1082 posts

Posted 23 September 2010 - 06:37 PM

Thanks for being so helpful SpySentinel. Please quote me where in the rules it says I am not permitted to request an adware sample for testing purposes.


Sure I can quote a few:

"We have the ability to remove objectionable messages and we will make every effort to do so, within a reasonable time frame, if we determine that removal is necessary."

"You agree, through your use of this service, that you will not use this BB to post any material which is knowingly false and/or defamatory, inaccurate, abusive, vulgar, hateful, harassing, obscene, profane, sexually oriented, threatening, invasive of a person's privacy, or otherwise in violation of any law."


The volunteer moderators of this board are quite edit happy. I will thank you at least for noting when you've modified my posts, and I'm not 100% sure what happened with the initial one.


We do not allow you to post active links to malware that can harm our members here. That is why they have been removed. If you have an issue with this, you can send a PM and we can discuss it.

Thanks,
SpySentinel :angry:
PM for support will not be answered, please post in the appropriate forum, thank you.

Unified Network of Instructors and Trained Eliminators


#27 Ole H. Rostad

Ole H. Rostad

    Member

  • Members
  • 15 posts

Posted 05 October 2010 - 04:09 PM

Well, I have the exact same problem as Aslan and I guess I am one of those less advanced users.
I have never in my life seen a bug that actually screws up your boot function this way, leaving you totally helpless.

My discs contained all my pictures. I'm an idiot for not making backups, but I have always been able to access my files (through live disc), no matter how severe the problem.

Aslan, I guess you have another machine with fitting hw for your disc, I don't have that luxury - only a laptop running win7 64 (my wrecked pc had Vista 32).
Any suggestions how I can get my pictures back and get my boot function repaired?

#28 Aslan

Aslan

    Member

  • Members
  • 26 posts

Posted 07 October 2010 - 03:33 PM

This could be fun. This board's reactions to posts are rather sssssslllllloooooowwwwww. When I was with the Centurions, posts never went more than 6-12 hours without being noted and an appropriate response, if one was necessary, being taken. Let's see, "Exact same problem as you" implies quite a lot. There are a lot of reasons why a Windows machine might not boot. Here's what I'd like you to do. Think about everything that happened leading up to this, what you did, what the Lavasoft program did, and then recall what product you were using by Lavasoft: did it just have antimalware, or did it also have antivirus? Did the antimalware or antivirus remove something before the computer was restarted? If it did, that is likely your problem. If it was the antimalware that removed the file, read the guidelines in http://www.lavasofts...hp?showforum=93 and post your issue; if it was the antivirus, then do the same for http://www.lavasofts...p?showforum=168 . Would you be able to post your logs from the program? Combined with your description of what happened those will be very helpful. Bugs like this are rare, but happen with any product of this sort at some point.

Please tell me which of the following you have if any. Answer as best as you are able.

Does the desktop have a floppy drive?
Does it have two CD drives one of them being a burner?
Do you have an XP SP1 install disc?
Do you have an external 3.5 inch drive cage?
What interface is the hard drive and what capacity?
Is it connected by Ethernet or Wifi to the internet?
If Wifi could you connect it to the internet by Ethernet?

In the meantime, would you download and burn Ubuntu at http://www.ubuntu.co...ubuntu/download if you have the time and resources? Grab the 32-bit version; it's all we need. If other solutions don't work it may help greatly. It's Linux, but don't worry about that; it's real friendly and set up somewhat similar to Windows. If we need to use it I'll tell you how.

Don't worry your files are still there if things are as you described. Oh and thanks for asking me for help. I'd have gotten back to you sooner, but it seems like thread notification updates are not being sent out as they should be. PMs still seem to work so if you would, kindly PM me a link to each of your posts related to this issue.


Aslan7147
