Adaware = Ransomware? Pay support $25 to fix your problem. Support Ticket GS#MBV-TqsX2-693


27 replies to this topic

#1 Aslan

Aslan

    Member

  • Members
  • 26 posts

Posted 18 August 2010 - 06:05 PM

Support ticket, GS#MBV-TqsX2-693

My computer (Windows XP Pro) continuously reboots after Adaware quarantined several files, including "winlogon.exe" (I'm pretty sure I typed WINLOGON.EXE earlier and it got deleted without my authorization and without acknowledgement of the fact). I am unable to boot into safe mode or boot with the last known good configuration, because Adaware removed the necessary files from my restore point! I have removed the hard disk and have it connected as an external drive. How do I decrypt and uncompress the files that Adaware quarantined, as the OS is unbootable?

This reminds me of getting infected with XP Antivirus, I had the option of paying the authors $40 to make the computer work again.

EDIT:
It appears that the mods/support staff here read/view posts without incrementing the view count, so that means one of you read my post, screwed with it, and didn't answer my question.


Edited by Aslan, 19 August 2010 - 05:36 AM.


#2 Aslan

Aslan

    Member

  • Members
  • 26 posts

Posted 18 August 2010 - 09:00 PM

Ok, I solved my own problem. I removed the drive, put it in an external drive cage, plugged it into another computer, and copied the winlogon.exe file from c:\windows\servicepackfiles to c:\windows\system32. I'd previously installed XP SP3, and there was a copy there. I've removed Adaware and will now be using Malwarebytes.

So, problem solved, however I still want to know, how do I retrieve the quarantined files from the Quarantine folder without booting windows? How do I decompress and decrypt the files?

Thanks.
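The repair described in the post above, written out as a script. This is an added example and not something posted in the thread or shipped by Lavasoft. It assumes the dead XP install is attached to a working Windows machine as drive E: (override with the first argument), that the service pack store lives under Windows\ServicePackFiles\i386, and that the Windows File Protection cache under system32\dllcache is also worth checking as a source: both folders are written by Windows setup rather than by the user, and when both copies exist they should be byte-identical.

```batch
@echo off
rem Added example, not from the thread: restore a quarantined system file on an
rem XP install that is attached to a working machine as an external disk.
rem Assumptions: the offline Windows install is on drive E: (pass another
rem letter as %1) and the file to restore is winlogon.exe (pass as %2).
setlocal
set "OFF=%~1"
if "%OFF%"=="" set "OFF=E:"
set "FILE=%~2"
if "%FILE%"=="" set "FILE=winlogon.exe"

set "SYS32=%OFF%\Windows\system32"
set "CACHE=%SYS32%\dllcache\%FILE%"
set "SPF=%OFF%\Windows\ServicePackFiles\i386\%FILE%"

rem Pick a pristine source: the Windows File Protection cache first, then the
rem service pack file store.
set "SRC="
if exist "%CACHE%" set "SRC=%CACHE%"
if not defined SRC if exist "%SPF%" set "SRC=%SPF%"
if not defined SRC (
    echo No clean copy of %FILE% found under %OFF%\Windows
    exit /b 1
)

rem If both copies exist they should be byte-identical; a mismatch means one of
rem them was tampered with or belongs to a different service pack level.
if exist "%CACHE%" if exist "%SPF%" (
    fc /b "%CACHE%" "%SPF%" >nul
    if errorlevel 1 (
        echo dllcache and ServicePackFiles copies of %FILE% differ - inspect before use
        exit /b 2
    )
)

rem Never overwrite silently: keep whatever is in system32 (possibly the
rem infected file, useful for later analysis) under a .bak name.
if exist "%SYS32%\%FILE%" (
    copy /y "%SYS32%\%FILE%" "%SYS32%\%FILE%.bak" >nul
)
copy /y "%SRC%" "%SYS32%\%FILE%" >nul
if errorlevel 1 (
    echo Copy failed
    exit /b 3
)
echo Restored %SYS32%\%FILE% from %SRC%
endlocal
```

Run it from a command prompt on the host machine as `restore_sysfile.cmd E: winlogon.exe`. The `fc /b` comparison is the check worth keeping: if the two setup-written copies disagree, the disk has more wrong with it than one quarantined file, and the right move is to upload both to the vendor rather than pick one.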

#3 visitor

visitor

    Advanced Member

  • Valued Member
  • 2855 posts

Posted 19 August 2010 - 01:22 AM

I think Lavasoft will need to answer your question. I'd contact whoever opened your support ticket. They should not be charging $25 if you're using Pro or Total Security and have login access to the support center.
Before posting, please read the pinned topics atop the forums or check the Lavasoft searchable FAQs.

Lavasoft Support for Plus/Pro paid licenses.

Help fight malware! Upload Suspicious Files to Lavasoft.

Malware removal assistance? Please read this first.
After following the instructions, open a new thread in the HijackThis Forum where you can copy/paste your HJT log.
Note: do not bump HJT threads by replying - volunteer security advisors help the 0 reply threads on a first-come, first-served basis.

#4 Aslan

Aslan

    Member

  • Members
  • 26 posts

Posted 19 August 2010 - 05:28 AM

Actually no, I haven't paid for the software or the support.

In this instance the computer was working fine until the quarantine actions recommended to be taken after the adaware scan. I do believe there was an infection of some sort, though it was causing me no trouble. Adaware improperly quarantined critical system files.

I do feel held at ransom though. Adaware's manual states that it compresses and encrypts the files, but nowhere is there any mention of how to decrypt and decompress those files in the event that Windows is rendered unbootable and Adaware cannot therefore be run. There is no command line utility that can be run from the Recovery Console or any other appropriate utility. My files were held solely by Lavasoft, leaving me no way to recover the system.

In this instance where Adaware renders a system unbootable I feel they should provide all necessary tools for me to recover said files or provide me priority support. Someone less capable than me would simply have had to fork over the cash or reinstall Windows.

#5 visitor

visitor

    Advanced Member

  • Valued Member
  • 2855 posts

Posted 19 August 2010 - 12:02 PM

I agree - the only solution provided is to remove quarantined items using the GUI, so you're SOL if the system can't boot. Previously, I'd only heard of the McAfee *oops* with system files, this is the first I've heard Ad-Aware doing it.

If that ticket number means you paid $25, thanks for sharing the info here. I'll make an inquiry here to Lavasoft and link to this topic.

In the future, be sure not to scan while in Simple Mode, since it automatically takes the preferred action. Scans in Advanced Mode provide the results and let you choose what action to take from drop-down menus before performing those actions.

#6 Aslan

Aslan

    Member

  • Members
  • 26 posts

Posted 19 August 2010 - 05:06 PM

No, I didn't pay the money. I sent an email to their general support email, which they haven't responded to yet; that's where the support ticket number is from. In the time I've been on the internet, since 2000, I've heard of this happening with every major antivirus I can recall except Panda AV, and they're much newer.

Perhaps a solution here to the problem of a broken system restore point is to not touch the system restore files, even if they are infected, until one successful boot after Adaware quarantines system files. Had Adaware not removed winlogon.exe from the System Restore Point, I would have been able to boot even with Adaware's mistake.

(In truth the infection was very much my fault and I was in a part of the internet where I should not have been, downloaded files and forgot to scan them with AVG before I opened them. Of course AVG's realtime scanner should have caught that, but you can't count on that.)

While you're right about Advanced Mode versus Simple Mode, it's not that simple. That would require each user knowing what and where critical system files are. Many viruses / pieces of adware have plausible-looking names, as though they could be part of the OS, so you'd have to research the files, and then you'd have to deal with the possibility of some critical driver that the computer won't start without possibly being misidentified too, and research that. Necessitating that the end user make a judgement call on a file represents in part a failing of the antispyware. Typical users don't know what files make up their OS, and don't know except in bare generalities how it works. It's rather like saying real coders code in assembly. You may even compile your own OS from source if you use Linux, modifying the kernel to your exact requirements and compiling the other pieces from a tool-chain you build yourself. Even among otherwise very smart people, few are such macho-ists.

We users use Adaware to reduce the complexity of dealing with our computing environment.

Edited by Aslan, 19 August 2010 - 05:10 PM.


#7 Computer wizard

Computer wizard

    Advanced Member

  • Valued Member
  • 155 posts

Posted 20 August 2010 - 05:33 AM

This is a common problem with a lot of AV products, because they just delete the infection regardless of whether the infected file is important. You need to use a tool that will disinfect/clean the infection away without removing the file. Dr.Web's CureIt is very good at cleaning infections.

Thank You

Computer Wizard
~*~The more you interact with your security solution the better protected you are - The less you interact the less protected you are!~*~

Need assistance with Stubborn infections? Create a new topic in - HiJack- This forum
Stumbled upon a false positive? Create a new topic in - False Positive - Ad aware forum

#8 Aslan

Aslan

    Member

  • Members
  • 26 posts

Posted 20 August 2010 - 07:53 PM

Thank you Visitor and Computer Wizard for your help and suggestions.

I have received a response from Lavasoft, PAY CASH NOW OR YOU WON'T SEE ANY HELP FROM US. Actual response included at the end of this post.
Adaware Destroyed My Windows Install I Call For A Remedy Under US Consumer Product Law
This remedy is to include,
1. A Response from an employee of Lavasoft
2. Telling me how to decrypt and decompress the files that it quarantined in the absence of a bootable copy of Windows.
3. Should this necessitate using tools that are unavailable to the public I will be provided a copy by Lavasoft, and so will each user who faces this same situation henceforth.

LAVASOFT STAFF I AWAIT MY REMEDY

At present the behavior of Adaware and Lavasoft closely resemble that of the fake "XP Antivirus" Please see http://en.wikipedia....ki/XP_Antivirus

Thanks again to all those here who have helped me,
Aslan7147

generalsupport@lavasoft.com to me
show details 9:43 AM (4 hours ago)
We can not find your credentials in our customer database.
We need to determine that you hold a license to be able to help you further.

Please send us the email address you used while registering/purchasing our product.
You can also send us the receipt or the purchase ID you received with the email notification of your purchase.

NOTE: We do not offer support to our Freeware users.
Please, use our Support Forums for any questions you might have:

http://www.lavasoft..../supportforums/

Our FAQ's :
http://secure.lavaso...upport/faqs.php

You can purchase Lavasoft products here:
https://secure.lavas...rison_chart.php


Kind Regards,
Patrick - Lavasoft Support


Did you know that you can connect with Lavasoft on Facebook and Twitter? Follow us on Twitter or become a fan of Lavasoft on Facebook to get security news updates, Lavasoft Product information and exclusive offers!

Please Note:
Do not change the subject line of your e-mail when replying, this will result in you losing your place in the queue.
Abusive content will result in a rejection of the Support request.


Edited by SpySentinel, 16 September 2010 - 06:06 PM.
Removed large font size ~ SpySentinel


#9 Computer wizard

Computer wizard

    Advanced Member

  • Valued Member
  • 155 posts

Posted 22 August 2010 - 04:14 AM

As I stated above, as someone who deals with removing malware for clients of mine, this is a common issue with a lot of AV products: they will detect a legit file that is infected and just delete it instead of cleaning it first. I'm sure Ad-Aware does try to do this, but it surely needs to be improved and should be made to clean the infection before deleting by default. This is why it's important to back up your system. Ad-Aware is made to detect and remove infections, and that is clearly what it did; the file was legit, but it was infected.

Thank You

Computer Wizard

Edited by Computer wizard, 22 August 2010 - 04:16 AM.


#10 casey_boy

casey_boy

    Volunteer Helper/Moderator

  • Volunteer Security Advisor
  • 3565 posts

Posted 25 August 2010 - 05:38 PM

@Aslan,

As @Computer Wizard stated, this is a common problem. However, I do agree with you that critical Windows files, even when infected, should not get removed. Instead Ad-Aware should try to replace the infected file or leave it alone.

For your future reference, if you do struggle with a situation like this again, you can download and use the Windows Recovery Console to copy another clean version of the core file (which as you know you can often find in the service pack folders).

visitor has brought this issue to Lavasoft's attention for you, through a private channel, and I'm sure he will respond here if he hears anything.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Malware Removal Help * If you'd like to say thanks *Lavasoft Customer Support


#11 Aslan

Aslan

    Member

  • Members
  • 26 posts

Posted 02 September 2010 - 03:39 AM

This issue is unresolved. What is your response Lavasoft?

I am well aware of the Recovery Console. With Windows XP Pro the Recovery Console is unable to perform any operations on the \Windows or \programs directory unless you have previously permitted those changes from within Windows. Microsoft's site provides no alternative way to provide the Recovery Console with the necessary permissions.

@Aslan,
...
For your future reference, if you do struggle with a situation like this again, you can download and use the Windows Recovery Console to copy another clean version of the core file (which as you know you can often find in the service pack folders).
...
Casey


Removed large font size ~ SpySentinel
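The Recovery Console's path restriction discussed in the two posts above is controlled by registry policy values under the offline install's SOFTWARE hive, and with the disk attached to another Windows machine (as it was in this thread) that hive can be edited with the stock reg.exe. The following script is an added example, not something from the thread or from Lavasoft; it assumes the dead install is on drive E: (override with the first argument), that the host prompt runs as an administrator, and that the host's own SOFTWARE hive is not the one being loaded.

```batch
@echo off
rem Added example, not from the thread: from a working machine with the dead
rem install attached as an external disk, enable the Recovery Console policies
rem that normally have to be set from inside Windows before it breaks.
rem Assumption: the offline install is on E: (pass another letter as %1).
rem Needs an administrator command prompt on the host machine.
setlocal
set "OFF=%~1"
if "%OFF%"=="" set "OFF=E:"
set "HIVE=%OFF%\Windows\system32\config\software"
set "KEY=HKLM\OFFSOFT\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole"

if not exist "%HIVE%" (
    echo SOFTWARE hive not found at %HIVE%
    exit /b 1
)

rem Mount the offline SOFTWARE hive under a temporary key name.
reg load HKLM\OFFSOFT "%HIVE%"
if errorlevel 1 (
    echo reg load failed - hive in use, or not running as administrator?
    exit /b 2
)

rem SetCommand=1 lets the Recovery Console accept the SET command, which is
rem what unlocks AllowAllPaths / AllowRemovableMedia / NoCopyPrompt.
rem SecurityLevel=1 skips the administrator password prompt. Both weaken the
rem physical security of the box; set them back to 0 once the repair is done.
reg add "%KEY%" /v SetCommand /t REG_DWORD /d 1 /f
reg add "%KEY%" /v SecurityLevel /t REG_DWORD /d 1 /f

rem Show the result, then release the hive so Windows can open it at boot.
reg query "%KEY%"
reg unload HKLM\OFFSOFT
endlocal
```

After putting the disk back and booting the Recovery Console from the XP CD, the restrictions are lifted for that session with `set AllowAllPaths = true` and `set AllowRemovableMedia = true` (the spaces around `=` are required by the Recovery Console's SET syntax), which then permits copying a clean winlogon.exe into system32 from ServicePackFiles\i386 or from other media. The `reg unload` step is not optional: a hive left mounted is locked and dirty, and the install will not read it cleanly at the next boot.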

#12 adwilli

adwilli

    Member

  • Members
  • 12 posts

Posted 06 September 2010 - 10:29 PM

Just want to add:


This is a scary thread! It instills terror in me with regard to using Ad-aware's Total Security. :P

#13 Computer wizard

Computer wizard

    Advanced Member

  • Valued Member
  • 155 posts

Posted 07 September 2010 - 12:21 PM

I still somewhat fail to see what he expects Lavasoft to do. At the end of the day, Ad-Aware found a legit (important) file that was patched/infected and deleted it; isn't that clearly what Ad-Aware is meant to do? Of course it is.

#14 Aslan

Aslan

    Member

  • Members
  • 26 posts

Posted 07 September 2010 - 10:38 PM

I believe I clearly spelled out what I would like Lavasoft to do in this instance

1. A Response from an employee of Lavasoft
2. Telling me how to decrypt and decompress the files that it quarantined in the absence of a bootable copy of Windows.
3. Should this necessitate using tools that are unavailable to the public I will be provided a copy by Lavasoft, and so will each user who faces this same situation henceforth.

Had I waited for help from Lavasoft at this point I'd have had a dead computer for three weeks now. I can see deprioritizing free users, but shouldn't the pain of waiting two weeks be enough? My request above is for the tools to decrypt the essential system files stored in Adaware's quarantine folder that I needed to return the computer to a running state so that I could work on it further. Also it requests any users who find themselves in this situation from now on are provided the tool to decrypt the files.

@adwilli I am amused. I do hope you're being sarcastic.

Having been using computers on the internet since 1997, I've used a lot of antivirus software: Norton, Symantec, AVG, PC Tools, McAfee, NOD32, Avira, and more. ALL of those programs at some point failed and got themselves wiped out by a virus. Granted, I will allow that I had the heuristic scanning one notch below maximum wherever that was available, and also that I do not keep to the safe bits of the internet. There are two antivirus programs that have not failed me. ClamAV USB stick standalone version: it's a good program, but lacks speed in the update of its definitions, and only runs on command, only scanning files on disk, so it is very limited. The other antivirus program which has not failed me yet is Kaspersky. I've been using that on my laptop for about two and a half years now; it's seen extensive use and withstood it all. Do I expect that Kaspersky will never fail me? You're joking; at some point something new is going to come along and wipe out Kaspersky too.

At the end of the day I still recommend Adaware. Overall it's an excellent product and very simple to use. I'd trust its recommendations on what to do about infections. This is the only time a recommended action has been invalid. I've been using and recommending Adaware since 2001 (I think the web address back then was lavasoft.de, or perhaps it was a more German spelling, I can't recall), the age of Kazaa, and believe me, if you were running Kazaa you used a hacking tool to chop off the popup-spamming part of the program (it was that bad), and you wanted Adaware at your side to take care of the nasties that you were sure to encounter with your downloads. Now I use a mix of Adaware and Malwarebytes.

#15 erpguy6

erpguy6

    Advanced Member

  • Members
  • 70 posts

Posted 13 September 2010 - 06:15 PM

This is a scary thread! It instills terror in me with regard to using Ad-aware's Total Security. :o


Well adwilli, you do have the option of using the Ad-Aware Free Internet Security program if you don't like using Ad-Aware Total Security. The free version of Adaware has fewer features, but it has the most essential ones.

not sure why Aslan has to mention Kazaa as that's now obsolete and there are other alternatives to Kazaa (like Shareaza) that are far better and more compatible & reliable with newer versions of Windows.

certainly I too would like to see some improvements for Lavasoft customer support.

#16 LS Andy

LS Andy

    Lavasoft Staff/Forum Overlord

  • Root Admin
  • 1515 posts

Posted 14 September 2010 - 04:36 PM

Hi Aslan,

You've had a huge amount of hassle. Not good. Let me see if I can help out.

This is Andy Browne - I'm team leader at Lavasoft's Malware Labs. I don't normally hang around the forum but I stumbled on this post and thought I'd try to help out and answer your questions.

Response from Lavasoft
Hello there!


Decrypting the quarantine file
You're right - there's no official support for doing this. I'll mention this issue to the development team to see if this is something we should consider for future versions of Ad-Aware. I know it's a bit late to help you, but attached is a workaround that answers your question.

Attached File  Decrypt_quarantine_file_workaround.pdf   621.66KB   546 downloads

Tool for decrypting quarantine file
I will pass this suggestion on to the development team for consideration.

I apologise for this false positive. It certainly caused you a lot of hassle. I would recommend that people post these kinds of things in the FP forum (link below) which the Lavasoft Malware Lab monitors and responds to.

http://www.lavasofts...hp?showforum=93


Andy
Lavasoft Malware Labs
irc.geekshed.net /join #MalwareLab

Twitter: @LSAndyB
unsolicited@tenalia.com

#17 visitor

visitor

    Advanced Member

  • Valued Member
  • 2855 posts

Posted 16 September 2010 - 03:26 AM

I would recommend that people post these kinds of things in the FP forum (link below) which the Lavasoft Malware Lab monitors and responds to.

I moved a similar post from the 8.x users forum to False Positives:

http://www.lavasofts...showtopic=29988

LS_Anders referred the user to General Support to fix the registry error message rather than give directions to unquarantine and upload the files for analysis :huh:

#18 LS Andy

LS Andy

    Lavasoft Staff/Forum Overlord

  • Root Admin
  • 1515 posts

Posted 16 September 2010 - 04:07 PM

Hey visitor,

Yeah, we spoke about his advice, we fought for a bit, I won, then I decided to write the guide. :-)

If someone thinks we've detected an FP, it should be posted at the FP forum here:

http://www.lavasofts...hp?showforum=93

We would respectfully request that they read the FP posting guide first (link below) - it makes us more inclined to help :-)

http://www.lavasofts...showtopic=18033

By the way, if you have any feedback on the decrypting quarantined files guide, can you PM me? Maybe I can post it somewhere more visible in the forum or as a blog post. Let me know!

Cheers,

Andy
Lavasoft Malware Labs

#19 Aslan

Aslan

    Member

  • Members
  • 26 posts

Posted 16 September 2010 - 09:31 PM

Thanks for your reply Andy, I've been a little busy the past few days and haven't had an hour or two to test the offered solution. I haven't wanted to post a reply without evaluating the information/solution offered. I should have the time this evening however. The one thing I lack to step through the solution is a spyware/adware sample that will be detected by Adaware.

Unfortunately I've wiped the drive and reformatted. For a while it looked like nothing would come of the topic, so I just tried to quietly troll for replies by keeping the topic interesting/ open ended enough that others would reply and bump it for me (everything I said however was the truth). I might have caught a backup of the quarantined file, I'll look. The instructions I referenced did not say to upload the file.

Edited by SpySentinel, 16 September 2010 - 11:42 PM.
removed request for malware ~ SpySentinel


#20 SpySentinel

SpySentinel

    Valued Member and HJT Analyst

  • Volunteer Security Advisor
  • 1082 posts

Posted 16 September 2010 - 11:41 PM

Hi Aslan,

We do not send out real malware via the PM system to people. If you'd like to, you can search on Google for a way to download malware, but that is not recommended. It is not a good idea to test using real malware, as you can get infected.

Thanks,
SpySentinel :huh:
PM for support will not be answered, please post in the appropriate forum, thank you.

Unified Network of Instructors and Trained Eliminators

My help is always free, but if you can, please help me continue the fight against malware.