emsisoftrocks!

Emsisoft Command Line with 8.x engine has removal bug?


Hey all,

Love your product!! I think your scanner is super awesome :)

I've been using your command line scanner for a while but recently discovered a big bug, and was wondering if you could help me out. On a large number of machines, I've noticed that since the scanner started using the v8 engine it has stopped properly removing traces.

Steps to Reproduce:

 - Go to http://mywebtattoo.com
 - Install the toolbar/adware thing
 - Download the latest Emsisoft Emergency Kit or just the command line scanner (like from download5.emsisoft.com/a2cmd.zip)
 - Run a2cmd.exe /t /d (just some example, simple switches to repro)
 - Scanner will find around 11 traces but only remove 2

That's one case, but I'm seeing it basically universally: adware-type infections as well as some Trojans are being skipped. If I run the same scan with a copy of the v7 engine the removals work well.

I've attached some example log files.

Any ideas as to what's going on?

Thanks!!

Emsisoft rocks!


I tested it on my test systems and the malware is removed just fine. Did you check that a2cmd is actually run from an elevated command prompt that has Administrator rights? Otherwise it would be obvious why some registry traces (all that are located inside HKEY_LOCAL_MACHINE, to be more precise) can't be removed: simply because the command line scanner wouldn't have write access to that location.


Sure. Yes, on these machines I am running from an Administrator command prompt. I've attached another log file as an example; this was from an Administrator command prompt on a Windows 8 x64 box, though I am not seeing this only on Windows 8 but on many operating systems and machines.

I will also attach a Process Monitor log for you that should show that this is not a permission / access issue. I've been having problems uploading it though. I'm not sure why you weren't able to see what I'm seeing. I had some luck, I suppose, and was able to reproduce it on the first try haha :)

Any suggestions on where to go from here? Thank you!


Hey Fabian!

Thanks for the update! I just got back from a week in some trainings and had a chance to test out the beta updates. I have good news and bad news there! Good news is, significantly more infection traces were removed with the beta version! With the My Web Tattoo example, the traces were cleaned out completely!!

There was bad news too though: I'm still getting errors cleaning up entries in Image File Execution Options. I've tested on a few Windows 8 machines and have steps to reproduce:

 - Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
 - Create a new key called adaware.exe
 - Create a new string value called Debugger
 - Set the string's contents to notepad.exe
 - Run a2cmd.exe /t /d

In this case, the 'infection' is found but there are errors trying to clean it up. I've attached a clean.log again (it's super long for some reason, but the error is at the bottom).

Any ideas?

Thank you!

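The Image File Execution Options repro above, together with Fabian's earlier question about elevation, as an added PowerShell example. This is not Emsisoft's code and not from any post in the thread; it assumes a Windows host with Windows PowerShell 5.1 or later, and the function names (Test-IsElevated, Get-IfeoDebugger, New-IfeoTestEntry, Remove-IfeoDebugger) are my own. It recreates the benign adaware.exe -> notepad.exe entry from the post, lists every IFEO subkey that carries a Debugger value, and removes the test key, so the registry state can be checked directly before and after an a2cmd.exe /t /d run.

```powershell
# Added example (not Emsisoft's code): create, list and remove IFEO Debugger
# entries so a cleaner's log can be checked against the registry itself.
# Assumes a Windows host; creating/removing HKLM keys needs an elevated prompt.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-IsElevated {
    # HKLM is writable only from an elevated process, which is the first thing
    # to rule out when a scanner reports traces it then fails to remove.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-IfeoDebugger {
    # Each IFEO subkey is named after an image file. A Debugger value there
    # makes Windows start that program (with the image as argument) instead of
    # the image itself, so any Debugger value deserves a look.
    Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props.PSObject.Properties['Debugger']) {
            [PSCustomObject]@{
                Image    = $_.PSChildName
                Debugger = $props.Debugger
            }
        }
    }
}

function New-IfeoTestEntry {
    # Recreates the benign repro from the post (hypothetical image name,
    # notepad.exe as the "debugger"). Returns the key path that was written.
    param(
        [string]$Image    = 'adaware.exe',
        [string]$Debugger = 'notepad.exe'
    )
    $key = Join-Path $IfeoPath $Image
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Debugger -Value $Debugger -PropertyType String -Force | Out-Null
    return $key
}

function Remove-IfeoDebugger {
    # Remove the whole per-image subkey: deleting only the Debugger value
    # leaves an empty key behind, which is what a half-finished cleanup
    # looks like in the registry. Returns $true when the key is gone.
    param([Parameter(Mandatory)][string]$Image)
    $key = Join-Path $IfeoPath $Image
    if (Test-Path $key) {
        Remove-Item -Path $key -Recurse -Force
        return (-not (Test-Path $key))
    }
    return $true
}

if (-not (Test-IsElevated)) {
    Write-Warning 'Not elevated: HKLM keys can be read but not created or removed from this prompt.'
}

New-IfeoTestEntry | Out-Null
Get-IfeoDebugger | Format-Table -AutoSize   # expect a row: adaware.exe -> notepad.exe

# At this point run a2cmd.exe /t /d from the same elevated prompt and call
# Get-IfeoDebugger again; the row should be gone if the cleaner succeeded.
# To clean up the test entry by hand instead:
Remove-IfeoDebugger -Image 'adaware.exe'
```

Run the listing before and after the scanner; if the row is still there after a2cmd reports an error, compare the result of Test-IsElevated first, since an unelevated prompt reproduces exactly the symptom Fabian described for HKEY_LOCAL_MACHINE. The Remove-IfeoDebugger return value is the check a cleaner should be making too: a key that still exists after the delete is a failed removal, whatever the log says.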
