27 replies to this topic

[Aslan]

Support ticket, GS#MBV-TqsX2-693

My computer (Windows XP Pro) continously reboots after adaware quarantined several files, including "winlogon.exe" (I'm pretty sure I typed WINLOGON.EXE earlier and it got deleted without my authorization and without acknowledgement of the fact). I am unable to boot into safe mode or boot with the last known good configuration, because Adaware removed the necessary files from my restore point! I have removed the hard disk and have it connected as an external drive. How do I decrypt and uncompress the files that Adaware quarantined as the OS is unbootable.

This reminds me of getting infected with XP Antivirus, I had the option of paying the authors $40 to make the computer work again.

EDIT:
It appears that the mods/support staff here read/view posts without incrementing the view count so that mean one of you read my post, screwed with it, and didn't answer my question.

Attached Files

•  Scan_2010_08_15_11_56_43.log   49.65K   206 downloads
•  Scan_2010_08_17_03_25_11.log   31.03K   130 downloads

Edited by Aslan, 19 August 2010 - 05:36 AM.

[Aslan]

Ok, I solved my own problem, I removed the drive put it in an external drive cage, plugged it in to another computer copied the winlogon.exe file from c:\windows\servicepackfiles to c:\windows\system32 I'd previously installed XP SP3, and there was a copy there. I've removed Adaware and will now be using Malware Bytes.

So, problem solved, however I still want to know, how do I retrieve the quarantined files from the Quarantine folder without booting windows? How do I decompress and decrypt the files?

Thanks.

[visitor]

I think Lavasoft will need to answer your question. I'd contact whoever opened your support ticket. They should not be charging $25 if you're using Pro or Total Security and have login access to the support center.

[Aslan]

Actually no, I haven't paid for the software or the support.

In this instance the computer was working fine until the quarantine actions recommended to be taken after the adaware scan. I do believe there was an infection of some sort, though it was causing me no trouble. Adaware improperly quarantined critical system files.

I do feel held at ransom though. Adaware's manual states that it compresses and encrypts the files, but no where is there any mention of how to decrypt and decompress those files in the event that Windows is rendered unbootable and Adaware cannot therefore be run. There is no command line utility that can be run from the recovery consul or any other appropriate utility. My files were held solely by Lavasoft leaving me no way to recover the system.

In this instance where Adaware renders a system unbootable I feel they should provide all necessary tools for me to recover said files or provide me priority support. Someone less capable than me would simply have had to fork over the cash or reinstall Windows.

[visitor]

I agree - the only solution provided is to remove quarantined items using the GUI, so you're SOL if the system can't boot. Previously, I'd only heard of the McAfee *oops* with system files, this is the first I've heard Ad-Aware doing it.

If that ticket number means you paid $25, thanks for sharing the info here. I'll make an inquiry here to Lavasoft and link to this topic.

In the future, be sure not to scan while in Simple Mode since it automatically takes preferred action. Scans in Advance Mode provide the results, and let you choose what action to take from drop down menus before performing those actions.

[Aslan]

No, I didn't pay the money. I sent an email to their general support email which they haven't responded to yet that's where the support ticket number is from. In the time I've been on the internet, since 2000 I've heard of this happening with every major antivirus I can recall except Panda AV, and they're much newer.

Perhaps a solution here to the problem of a broken system restore point is to not touch the system restore files even if they are infected, until one successful boot after Adaware quarantines system files. Had Adaware not removed winlogon.exe from the System Restore Point I would have been able to boot eve with Adawares mistake.

(In truth the infection was very much my fault and I was in a part of the internet where I should not have been, downloaded files and forgot to scan them with AVG before I opened them. Of course AVG's realtime scanner should have caught that, but you can't count on that.)

While you're right about advanced mode verses simple mode, it's not that simple. That would require each user knowing what and where critical system files are. Many viruses / pieces of Adware have plausible looking names, as though they could be part of the OS, so you'd have to research the files, and then you'd have to deal with the possibility also of some critical driver that the computer wont start without possibly being misidentified too, and researching that. Necessitating the end user make a judgement call on a file represents in part a failing of the Antispyware. Typical users don't know what files make up their OS, and don't know except in bare generalities how it works. It's rather like saying real coders code in assembly. You may even compile your own OS from source if you use Linux, modifying the Kernel to your exact requirements, and compiling the other pieces from a tool-chain you build yourself. Even among otherwise very smart people few are such macho-ists.

We users use Adaware to reduce the complexity of dealing with our computing environment.

Edited by Aslan, 19 August 2010 - 05:10 PM.

[Computer wizard]

this is common problem with a lot of AV products cause they just delete the infection, regardless if the file infected is important, you need to use a tool that will disinfect/clean the infection away without removing the file. Dr Webs Cure it is very good at cleaning infections.

Thank You

Computer Wizard

[Aslan]

Thank you Visitor and Computer Wizard for your help and suggestions.

I have received a response from Lavasoft, PAY CASH NOW OR YOU WON'T SEE ANY HELP FROM US. Actual response included at the end of this post.
Adaware Destroyed My Windows Install I Call For A Remedy Under US Consumer Product Law
This remedy is to include,
1. A Response from an employee of Lavasoft
2. Telling me how to decrypt and decompress the files that it quarantined in the absence of a bootable copy of Windows.
3. Should this necessitate using tools that are unavailable to the public I will be provided a copy by Lavasoft, and so will each user who faces this same situation henceforth.

LAVASOFT STAFF I AWAIT MY REMEDY

At present the behavior of Adaware and Lavasoft closely resemble that of the fake "XP Antivirus" Please see http://en.wikipedia....ki/XP_Antivirus

Thanks again to all those here who have helped me,
Aslan7147

generalsupport@lavasoft.com to me
show details 9:43 AM (4 hours ago)
We can not find your credentials in our customer database.
We need to determine that you hold a license to be able to help you further.

Please send us the email address you used while registering/purchasing our product.
You can also send us the receipt or the purchase ID you received with the email notification of your purchase.

NOTE: We do not offer support to our Freeware users.
Please, use our Support Forums for any questions you might have:

http://www.lavasoft..../supportforums/

Our FAQ's :
http://secure.lavaso...upport/faqs.php

You can purchase Lavasoft products here:
https://secure.lavas...rison_chart.php


Kind Regards,
Patrick - Lavasoft Support


Did you know that you can connect with Lavasoft on Facebook and Twitter? Follow us on Twitter or become a fan of Lavasoft on Facebook to get security news updates, Lavasoft Product information and exclusive offers!

Please Note:
Do not change the subject line of your e-mail when replying, this will result in you losing your place in the queue.
Abusive content will result in a rejection of the Support request.

Removed large font size ~ SpySentinel

Edited by SpySentinel, 16 September 2010 - 06:06 PM.
Removed large font size ~ SpySentinel

[Computer wizard]

as i stated above, as someone who deals with removing malware for clients of mine, this is a common issue with alot of AV products, that will detect a legit file that is infected and just delete it, instead of cleaning it first, im sure adaware does try too do this but it surely needs to be improved and should be made to clean the infection before deleting by default. this is why its important too back up your system. Ad-aware is made to detect and remove infections and that is clearly what it done, the file was legit but it was infected.

Thank You

Computer Wizard

Edited by Computer wizard, 22 August 2010 - 04:16 AM.

[casey_boy]

@Aslan,

As @Computer Wizard stated, this is a common problem. However, I do agree with you that critical Windows files, even when infected, do not get removed. Instead Ad-Aware should try and replace the infected file or leave alone.

For your future reference, if you do struggle with a situation like this again, you can download and use the Windows Recovery Console to copy another clean version of the core file (which as you know you can often find in the service pack folders).

visitor has brought this issue to Lavasoft's attention for you, through a private channel, and I'm sure he will respond here if he hears anything.

Casey

[Aslan]

This issue is unresolved. What is your response Lavasoft?

I am well aware of the Recovery console. With Windows XP Pro the recovery console is unable to preform any operations on the \Windows or \programs directory unless you have previously permitted those changes from within Windows. Microsoft's site provides no alternative way to provide the recovery console with the necessary permissions.

@Aslan,
...
For your future reference, if you do struggle with a situation like this again, you can download and use the Windows Recovery Console to copy another clean version of the core file (which as you know you can often find in the service pack folders).
...
Casey

Removed large font size ~ SpySentinel

[adwilli]

Just want to add:


This is a scary thread! It instills terror in me with regard to using Ad-aware's Total Security.

[Computer wizard]

i still somewhat fail too see what he expects lavasoft to do, at the end of the day Ad-aware found a legit file ( important ) that was patched/infected and deleted isn't that clearly what ad-aware is meant to do? of course it is.

[Aslan]

I believe I clearly spelled out what I would like Lavasoft to do in this instance

1. A Response from an employee of Lavasoft
2. Telling me how to decrypt and decompress the files that it quarantined in the absence of a bootable copy of Windows.
3. Should this necessitate using tools that are unavailable to the public I will be provided a copy by Lavasoft, and so will each user who faces this same situation henceforth.

Had I waited for help from Lavasoft at this point I'd have had a dead computer for three weeks now. I can see deprioritizing free users, but shouldn't the pain of waiting two weeks be enough? My request above is for the tools to decrypt the essential system files stored in Adaware's quarantine folder that I needed to return the computer to a running state so that I could work on it further. Also it requests any users who find themselves in this situation from now on are provided the tool to decrypt the files.

@adwilli I am amused. I do hope you're being sarcastic.

Having been using computers on the internet since 1997 I've used a lot of Antivirus software, Norton, Symantec, AVG, PC Tools, McAffe, NOD32, Avira, and more ALL of those programs at some point failed and got themselves wiped out by a virus. Granted, I will allow that I had the Herunistic sp? scanning one notch below maximum wherever that was available, and also that I do not keep to the safe bits of the internet. There are two antivirus programs that have not failed me Clam AV USB stick standalone version. It's a good program, but lacks speed in the update of it's definitions, and only runs on command, only scanning files on disk, very limited. The other antivirus program which has not failed me yet is Kaspersky. I've been using that on my laptop for about two and a half years now it's seen extensive use and withstood it all. Do I expect that Kaspersky will never fail me? You're joking, at some point something new is going to come along and wipe out Kaspersky too.

At the end of the day I still recommend Adaware. Overall it's an excellent product and very simple to use. I'd trust it's recommendations on what to do about infections. This is the only time a recommended action has been invalid. I've been using and recommending Adaware since 2001 (I think the web address back then was lavasoft.de or perhaps it was a more German spelling I can't recall), the age of Kazaa, and believe me if you were running Kazaa, you used a hacking tool to chop off the popup spamming part of the program (it was that bad) and you wanted Adaware at your side to take care of the nasties that you were sure to encounter with your downloads. Now I use a mix of Adaware and Malware Bytes.

[erpguy6]

This is a scary thread! It instills terror in me with regard to using Ad-aware's Total Security.

well adwilli, you do have the option of using Ad-aware Free Internet Security program if you don't like using Ad-aware Total Security. less features in the free version of Adaware but has the most essential ones.

not sure why Aslan has to mention Kazaa as that's now obsolete and there are other alternatives to Kazaa (like Shareaza) that are far better and more compatible & reliable with newer versions of Windows.

certainly I too would like to see some improvements for Lavasoft customer support.

[LS Andy]

Hi Aslan,

You've had a huge amount of hassle. Not good. Let me see if I can help out.

This is Andy Browne - I'm team leader at Lavasoft's Malware Labs. I don't normally hang around the forum but I stumbled on this post and thought I'd try to help out and answer your questions.

Response from Lavasoft
Hello there!


Decrypting the quarantine file
You're right - there's no official support for doing this. I'll mention this issue to the development team to see if this is something we should consider for future versions of Ad-Aware. I know its a bit late to help you, but attached is a workaround that answers your question.

 Decrypt_quarantine_file_workaround.pdf   621.66K   487 downloads

Tool for decrypting quarantine file
I will pass this suggestion on to the development team for consideration.

I apologise for this false positive. It certainly caused you a lot of hassle. I would recommend that people post these kinds of things in the FP forum (link below) which the Lavasoft Malware Lab monitors and responds to.

http://www.lavasofts...hp?showforum=93


Andy
Lavasoft Malware Labs

[visitor]

I would recommend that people post these kinds of things in the FP forum (link below) which the Lavasoft Malware Lab monitors and responds to.

I moved a similar post from the 8.x users forum to False Positives:

http://www.lavasofts...showtopic=29988

LS_Anders referred user to General Support to fix registry error message rather than give directions to unquarantine and upload the files for analysis

[LS Andy]

Hey visitor,

Yeah, we spoke about his advice, we fought for a bit, I won, then I decided to write the guide. :-)

If someone thinks we've detected an FP, they should be posted at the FP forum here:

http://www.lavasofts...hp?showforum=93

We would respectfully request that they read the FP posting guide first (link below) - it makes us more inclined to help :-)

http://www.lavasofts...showtopic=18033

By the way, if you have any feedback on the decrypting quarantined files guide, can you PM me? Maybe I can post it somewhere more visible in the forum or as a blog post. Let me know!

Cheers,

Andy
Lavasoft Malware Labs

[Aslan]

Thanks for your reply Andy, I've been a little busy the past few days and haven't had an hour or two to test the offered solution. I haven't wanted to post a reply without evaluating the information/solution offered. I should have the time this evening however. The one thing I lack to step through the solution is a spyware/adware sample that will be detected by Adaware.

Unfortunately I've wiped the drive and reformatted. For a while it looked like nothing would come of the topic, so I just tried to quietly troll for replies by keeping the topic interesting/ open ended enough that others would reply and bump it for me (everything I said however was the truth). I might have caught a backup of the quarantined file, I'll look. The instructions I referenced did not say to upload the file.

Edited by SpySentinel, 16 September 2010 - 11:42 PM.
removed request for malware ~ SpySentinel

[SpySentinel]

Hi Aslan,

We do not send out real malware via the PM system to people. If you like to, you can search on google for a way to download mawlare but that is not recommended. It is not a good idea to test using real malware as you can get infected.

Thanks,
SpySentinel