brundleflyguy

Emsisoft Command Line Scanner doesn't remove anything


For some reason, on every machine on which I run the command line scanner, it finds things but doesn't delete them.

 

Here's a sample log:

 

 

Emsisoft Commandline Scanner - Version 4.0
Last update: 2/26/2014 10:00:37 AM

Scan settings:

Scan type:                              Smart Scan
Objects:                                Rootkits, Memory, Traces, C:, D:, C:\Windows\, C:\Program Files\

Detect Potentially Unwanted Programs:   On
Scan archives:                          Off
ADS Scan:                               On
File extensions:                        On
Inclusion filter:                       |.asp|.bat|.cgi|.chm|.cla|.class|.cmd|.com|.cpl|.ini|.css|.dll|.elf|.exe|.hlp|.hta|.htm|.html|.wh|.js|.jse|.lnk|.ocx|.php|.pif|.xpi|.reg|.scr|.sh|.shs|.src|.sys|.txt|.vbs|.vxd|.wmf|.doc|.docs|.xls|.xlsx|.ppt|.pptx|.pdf|
Advanced caching:                       Off
Direct disk access:                     Off

Scan start:                             2/26/2014 10:00:37 AM

C:\Program Files\TornTV.com     detected: Application.AppInstall (A)
C:\Users\XXXX\AppData\Local\Conduit     detected: Application.AppInstall (A)
C:\Users\XXXX\AppData\Local\genienext     detected: Application.AdGenie (A)
C:\Users\XXXX\AppData\Local\Mobogenie     detected: Application.AdGenie (A)
C:\Users\XXXX\My Documents\Mobogenie     detected: Application.AdGenie (A)
C:\Program Files\Mobogenie     detected: Application.AdGenie (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MOBOGENIEADD     detected: Application.AdGenie (A)
C:\Users\XXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\torntv.com     detected: Application.AdStart (A)
C:\ProgramData\conduit     detected: Application.AppInstall (A)
C:\Program Files\whitesmoke_new     detected: Application.AppInstall (A)
C:\Users\XXXX\AppData\Roaming\Mozilla\Firefox\Profiles\kvi9kexx.default\Extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}     detected: Application.FireExt (A)
C:\Users\XXXX\AppData\Roaming\Mozilla\Firefox\Profiles\kvi9kexx.default\Searchplugins\conduit.xml     detected: Application.SearchPlug (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{1BB8B3AE-757D-443F-B3A4-0629E709B0D9}     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9}     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{739DF940-C5EE-4BAB-9D7E-270894AE687A}     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\UPDATER.AMIUPD     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\UPDATER.AMIUPD.1     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\CLTMNGSVC     detected: Application.AdServ (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\1CLICKDOWNLOAD     detected: Application.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WHITESMOKE_NEW     detected: Application.InstallAd (A)
Key: HKEY_USERS\S-1-5-21-1368487019-2855412355-3284171518-1000\SOFTWARE\1CLICKDOWNLOAD     detected: Application.AdTool (A)
C:\Program Files\Conduit     detected: Application.AppInstall (A)
C:\Program Files\Searchprotect     detected: Application.AppInstall (A)
C:\Users\XXXX\AppData\Local\Searchprotect     detected: Application.AppInstall (A)
C:\Users\XXXX\AppData\Local\SwvUpdater     detected: Application.AppInstall (A)
C:\Users\XXXX\AppData\Roaming\Mozilla\Firefox\Profiles\kvi9kexx.default\searchplugins\conduit-search.xml     detected: Application.Win32.WSearch (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-1368487019-2855412355-3284171518-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN -> OPTIMIZER PRO     detected: Application.AdStart (A)
Key: HKEY_USERS\S-1-5-21-1368487019-2855412355-3284171518-1000\SOFTWARE\OPTIMIZER PRO     detected: Application.InstallAd (A)
Key: HKEY_USERS\S-1-5-21-1368487019-2855412355-3284171518-1000\SOFTWARE\CONDUIT     detected: Application.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CONDUIT     detected: Application.InstallAd (A)
Key: HKEY_USERS\S-1-5-21-1368487019-2855412355-3284171518-1000\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}     detected: Application.Win32.InstallAd (A)
Key: HKEY_USERS\S-1-5-21-1368487019-2855412355-3284171518-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}     detected: Application.Win32.WSearch (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}     detected: Application.Win32.WSearch (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}     detected: Application.AdGenie (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}     detected: Application.Win32.WSearch (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{A0EE0278-2986-4E5A-884E-A3BF0357E476}     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\SEARCHPROTECT     detected: Application.InstallAd (A)

Scanned            395125
Found              40
Removed            0


Scan end:          2/26/2014 10:24:46 AM
Scan time:         0:24:08
 

 

I'm running the following batch file:

a2cmd /u

a2cmd /f c: /smart /memory /traces /rk /ntfs /delete /pup /q=\firststep\a2scan\quarantine /l=c:\a2.log /x=asp,bat,cgi,chm,cla,class,cmd,com,cpl,ini,css,dll,elf,exe,hlp,hta,htm,html,wh,js,jse,lnk,ocx,php,pif,xpi,reg,scr,sh,shs,src,sys,txt,vbs,vxd,wmf,doc,docs,xls,xlsx,ppt,pptx,pdf
 

Any idea what I'm doing wrong?  It used to work fine.


The computer is running in normal mode, and the scanner was started from an Admin prompt.

 

(Actually, I ran the scan twice, once from a System level command prompt, and once from a normal elevated prompt.  The same result from both.)


The error in the cleaning engine log indicates that the cleaning helper driver was scheduled for removal, which prevents the command line scanner from loading it again, therefore preventing malware removal. Can you restart the system please and repeat the test with the command line you posted above without starting either the command line scanner or any other Emsisoft product first? If it still fails, please provide the new cleaning engine log (clean.log).


From the log it appears that the command line scanner can't set the quarantine directory properly. The command line scanner tries to set the following path as the quarantine path:

c:\firststep\a2scan\quarantine

Is that the path where you want the quarantine to be located? Does that path exist? Could you reboot and retry the scan, but this time provide the command line scanner with an absolute path that is sure to exist? Thanks.


Yes, the folder c:\firststep\a2scan\quarantine exists and I have access to it.

 

So you want me to change the command to:

/q=c:\firststep\a2scan\quarantine

 

I'll give that a try.

 

What would happen if I just skipped the quarantine switch completely?


OK, I tried:

 

a2cmd /f c: /smart /memory /traces /rk /ntfs /delete /pup /q=c:\firststep\a2scan\quarantine /l=c:\a2.log /x=asp,bat,cgi,chm,cla,class,cmd,com,cpl,ini,css,dll,elf,exe,hlp,hta,htm,html,wh,js,jse,lnk,ocx,php,pif,xpi,reg,scr,sh,shs,src,sys,txt,vbs,vxd,wmf,doc,docs,xls,xlsx,ppt,pptx,pdf

 

and

 

a2cmd /f c: /smart /memory /traces /rk /ntfs /delete /pup /l=c:\a2.log /x=asp,bat,cgi,chm,cla,class,cmd,com,cpl,ini,css,dll,elf,exe,hlp,hta,htm,html,wh,js,jse,lnk,ocx,php,pif,xpi,reg,scr,sh,shs,src,sys,txt,vbs,vxd,wmf,doc,docs,xls,xlsx,ppt,pptx,pdf

 

No change; it won't delete the infections it finds.

 

With the quarantine switch in the command, I get the following in the clean.log file:

[02.27.2014-07:36:46] [EMSI][ERROR][0xc40].[0xa18]: (CEInitialize,256) CleanHlpInstallDriver failed. Error = 0x430.

 

BTW, it's doing the same thing on five different computers that I've tried so far (XP, Vista, and Windows 7), so it isn't related to this computer.

 

Thanks again for your help.


You will have to restart the system every time after you have run the command line scanner once. Otherwise it will fail to load the driver again. We are already working on a fix for that. This applies to runs without the /q parameter as well, as the cleaning engine and driver are used for normal deletions too.
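As an added example, not code from this thread or from Emsisoft, the following Python script automates the check a practitioner would do by hand here: it parses an a2cmd scan log for its detections and its Scanned/Found/Removed summary, parses the clean.log error line quoted earlier in the thread, and turns "Found N, Removed 0" plus a CleanHlpInstallDriver failure into a diagnosis. Error 0x430 is Win32 error 1072, ERROR_SERVICE_MARKED_FOR_DELETE, which matches the explanation above that the helper driver was scheduled for removal and cannot be loaded again until a restart. The log text embedded below is constructed (abridged from the log posted above, with the Found count reduced to match the lines kept), and the function names and result codes are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Win32 error 1072 = 0x430, ERROR_SERVICE_MARKED_FOR_DELETE: a service or driver that
# has been scheduled for deletion cannot be created again until the system restarts.
ERROR_SERVICE_MARKED_FOR_DELETE = 0x430

# Constructed sample input, abridged from the shape of the a2cmd log in this thread
# (three detections instead of forty, so the summary matches the listed lines).
SCAN_LOG = r"""Emsisoft Commandline Scanner - Version 4.0
Last update: 2/26/2014 10:00:37 AM

Scan start:                             2/26/2014 10:00:37 AM

C:\Program Files\TornTV.com     detected: Application.AppInstall (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CONDUIT     detected: Application.InstallAd (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)

Scanned            395125
Found              3
Removed            0

Scan end:          2/26/2014 10:24:46 AM
"""

# Constructed clean.log content, same shape as the error line quoted in this thread.
CLEAN_LOG = "[02.27.2014-07:36:46] [EMSI][ERROR][0xc40].[0xa18]: (CEInitialize,256) CleanHlpInstallDriver failed. Error = 0x430.\n"


@dataclass
class Detection:
    kind: str       # "file", "key" or "value"
    location: str   # file path, registry key, or "KEY -> VALUENAME"
    name: str       # detection name, e.g. Application.AdGenie


# "Key: " / "Value: " prefix is optional; plain file paths carry none.
_DETECTION_RE = re.compile(r"^(?:(Key|Value): )?(.+?) {2,}detected: (\S+) \((\w+)\)\s*$")
_SUMMARY_RE = re.compile(r"^(Scanned|Found|Removed)\s+(\d+)\s*$")
_DRIVER_RE = re.compile(r"CleanHlpInstallDriver failed\. Error = 0x([0-9A-Fa-f]+)\.")


def parse_detections(scan_log: str) -> List[Detection]:
    """Return every 'detected:' line as a Detection, in log order."""
    found = []
    for line in scan_log.splitlines():
        m = _DETECTION_RE.match(line)
        if m:
            kind = (m.group(1) or "file").lower()
            found.append(Detection(kind, m.group(2).strip(), m.group(3)))
    return found


def parse_summary(scan_log: str) -> Dict[str, int]:
    """Return the Scanned/Found/Removed counters as lower-case keys."""
    summary: Dict[str, int] = {}
    for line in scan_log.splitlines():
        m = _SUMMARY_RE.match(line)
        if m:
            summary[m.group(1).lower()] = int(m.group(2))
    return summary


def driver_install_error(clean_log: str) -> Optional[int]:
    """Return the hex error code from a CleanHlpInstallDriver failure, or None."""
    m = _DRIVER_RE.search(clean_log)
    return int(m.group(1), 16) if m else None


def diagnose(scan_log: str, clean_log: str) -> str:
    """Explain why a scan found items but removed none, using both logs."""
    summary = parse_summary(scan_log)
    found, removed = summary.get("found", 0), summary.get("removed", 0)
    if found == 0:
        return "NOTHING_FOUND"
    if removed >= found:
        return "OK"
    if removed > 0:
        return "PARTIAL_REMOVAL"
    code = driver_install_error(clean_log)
    if code == ERROR_SERVICE_MARKED_FOR_DELETE:
        # Driver from the previous run is still pending deletion: reboot, then rerun.
        return "REBOOT_REQUIRED"
    if code is not None:
        return "DRIVER_INSTALL_FAILED"
    return "NOT_REMOVED_UNKNOWN_CAUSE"


if __name__ == "__main__":
    for d in parse_detections(SCAN_LOG):
        print(f"{d.kind:5} {d.name:32} {d.location}")
    print(parse_summary(SCAN_LOG), diagnose(SCAN_LOG, CLEAN_LOG))
```

Run it against a real a2.log and clean.log pair after each scan; a result of REBOOT_REQUIRED is the condition described in this thread, and anything other than OK or NOTHING_FOUND means the detections listed are still present on disk or in the registry.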


You will have to restart the system every time after you have run the command line scanner once. Otherwise it will fail to load the driver again. We are already working on a fix for that. This applies to runs without the /q parameter as well, as the cleaning engine and driver are used for normal deletions too.

 

Sorry, I missed this message.  Ok, let me start over.


You fixed it!

 

With

a2cmd /f c: /smart /memory /traces /rk /ntfs /delete /pup /l=c:\a2.log /x=asp,bat,cgi,chm,cla,class,cmd,com,cpl,ini,css,dll,elf,exe,hlp,hta,htm,html,wh,js,jse,lnk,ocx,php,pif,xpi,reg,scr,sh,shs,src,sys,txt,vbs,vxd,wmf,doc,docs,xls,xlsx,ppt,pptx,pdf

 

After a restart, it worked fine.

 

Thanks for getting this resolved for me.

