
a-squared no longer detecting any threats



A couple weeks ago, I noticed my nightly a-squared Deep Scans weren't bringing up any results. Usually it detects viruses, and at the very least detects numerous cookies on a nightly basis. I update nightly before scanning, and since the scans kept bringing up zero results, I decided to try Malwarebytes, and then later Stopzilla, both of which detected trojans.

Malwarebytes claimed to delete these trojans on restart, yet they kept showing up in subsequent scans. I then tried Stopzilla, which found them, but would not remove them unless I opted to buy the $50 software subscription. So I'm wondering why a-squared doesn't seem to notice any of this, or anything else for that matter.

Here are the attachments requested. I'm also including the most recent Malwarebytes log.

So I'm wondering why a-squared doesn't seem to notice any of this, or anything else for that matter.
This is the main reason why: a-squared Anti-Malware 4.5. Update to Emsisoft Anti-Malware 5.1. You need to keep your protection software up-to-date.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:

  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 26.
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Click on the download link for your system and save it to your desktop. Users of Windows Vista/7 64-bit can install both the 32-bit and 64-bit JRE without conflicts.
    Windows x86 Offline (jre-6u26-windows-i586.exe)
    Windows Intel Itanium (jre-6u26-windows-ia64.exe)
    Windows x64 (jre-6u26-windows-x64.exe)
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista/7 users, right click on the JRE download and select "Run as an Administrator.")


The installed version of Adobe Reader on this computer is out-dated. Install the latest version of Adobe Reader available from Adobe.


Using Add or Remove Programs in the Control Panel, uninstall the following:

Java(TM) 6 Update 11
Java(TM) 6 Update 6
Java(TM) 6 Update 7
Adobe Reader 8.3.0
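The point of the Java steps and the uninstall list above is that old JRE builds stay installed side by side and remain exploitable until each one is removed. The following Python is an added example, not part of the post and not an Emsisoft or Oracle tool: it parses Add/Remove Programs display names, extracts the JRE major/update numbers, and returns every entry older than the 6 Update 26 the post asks for. The sample list is constructed from the entries named above plus one current entry as a control; `display_names_from_registry` reads the standard Uninstall key and only works on Windows.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

# Constructed sample of Add/Remove Programs display names. The Java and Adobe
# entries mirror the ones named in the post; "Java(TM) 6 Update 26" is the
# current release the post asks for and is included here as a control.
INSTALLED_PROGRAMS = [
    "Java(TM) 6 Update 11",
    "Java(TM) 6 Update 6",
    "Java(TM) 6 Update 7",
    "Java(TM) 6 Update 26",
    "Adobe Reader 8.3.0",
]

# Matches the display-name styles the runtime has used, e.g.
# "Java(TM) 6 Update 26", "Java(TM) SE Runtime Environment 6 Update 1",
# "J2SE Runtime Environment 5.0 Update 22".
_JRE_NAME = re.compile(
    r"^(?:Java\(TM\)(?:\s+SE\s+Runtime\s+Environment)?|J2SE\s+Runtime\s+Environment)"
    r"\s+(?P<major>\d+)(?:\.\d+)*\s+Update\s+(?P<update>\d+)",
    re.IGNORECASE,
)


class JreEntry(NamedTuple):
    display_name: str
    major: int
    update: int


def parse_jre_entries(display_names: Iterable[str]) -> List[JreEntry]:
    """Pick out JRE installs and extract (major, update) from their display names."""
    entries = []
    for name in display_names:
        m = _JRE_NAME.match(name)
        if m:
            entries.append(JreEntry(name, int(m["major"]), int(m["update"])))
    return entries


def stale_jre_entries(display_names: Iterable[str], target: Tuple[int, int] = (6, 26)) -> List[str]:
    """Display names of every JRE older than `target`, i.e. the ones to uninstall."""
    return [e.display_name for e in parse_jre_entries(display_names)
            if (e.major, e.update) < target]


def display_names_from_registry() -> List[str]:
    """Windows only: read DisplayName from both Uninstall views Add/Remove Programs uses."""
    import winreg  # standard library, present only on Windows
    names = []
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                    try:
                        names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
                    except OSError:
                        pass  # uninstall entries without a DisplayName are common
    return names


if __name__ == "__main__":
    for name in stale_jre_entries(INSTALLED_PROGRAMS):
        print("uninstall:", name)
```

On a live Windows box, `stale_jre_entries(display_names_from_registry())` gives the same list the post builds by hand from the Control Panel.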


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
    [2011/06/16 23:38:36 | 000,001,312 | -HS- | M] () -- C:\ProgramData\2jfc8wwm7ycpfm031iq1747w633v26o7v3ik
    [2011/05/29 02:35:35 | 000,001,260 | -HS- | C] () -- C:\ProgramData\80n70x50l01od3etil60gw51se8kpkiyh3h30b436qut
    [2011/05/22 10:29:41 | 000,001,436 | -HS- | C] () -- C:\ProgramData\mssfsi1vlq8g1bx8lmkcbl8
    [2011/05/15 12:01:29 | 000,001,288 | -HS- | C] () -- C:\ProgramData\0d0w4kk54c0b50x30s4tl5v
    
    :Commands
    [Purity]
    [EmptyFlash]
    [ResetHosts]
    [start Explorer]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL).

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
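The four C:\ProgramData entries in the fix above share a pattern a defender can look for generically: hidden+system files with long random names dropped directly under ProgramData. The following Python is an added example, not OTL's code and not from the post: it parses OTL-style file-listing lines and flags files matching that pattern. Reading the attribute letters H, S and D as hidden, system and directory is an assumption about OTL's format; the last two sample lines are constructed benign controls.

```python
import math
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# OTL file-listing lines. The first four are the entries from the fix above;
# the last two are constructed benign controls (a desktop.ini and a directory).
SAMPLE_OTL_LINES = [
    r"[2011/06/16 23:38:36 | 000,001,312 | -HS- | M] () -- C:\ProgramData\2jfc8wwm7ycpfm031iq1747w633v26o7v3ik",
    r"[2011/05/29 02:35:35 | 000,001,260 | -HS- | C] () -- C:\ProgramData\80n70x50l01od3etil60gw51se8kpkiyh3h30b436qut",
    r"[2011/05/22 10:29:41 | 000,001,436 | -HS- | C] () -- C:\ProgramData\mssfsi1vlq8g1bx8lmkcbl8",
    r"[2011/05/15 12:01:29 | 000,001,288 | -HS- | C] () -- C:\ProgramData\0d0w4kk54c0b50x30s4tl5v",
    r"[2010/06/10 12:00:00 | 000,000,282 | -HS- | C] () -- C:\ProgramData\desktop.ini",
    r"[2011/06/01 09:15:00 | 000,004,096 | ---D | C] () -- C:\ProgramData\Microsoft\Windows",
]

# [timestamp | size | attributes | M(odified)/C(reated)] (company) -- path
_LINE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]+) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)


class OtlFile(NamedTuple):
    stamp: str
    size: int
    hidden: bool
    system: bool
    directory: bool
    company: str
    path: str


def parse_otl_line(line: str) -> Optional[OtlFile]:
    m = _LINE.match(line.strip())
    if not m:
        return None
    attrs = m["attrs"]  # assumption: H = hidden, S = system, D = directory
    return OtlFile(m["stamp"], int(m["size"].replace(",", "")),
                   "H" in attrs, "S" in attrs, "D" in attrs, m["company"], m["path"])


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic: extensionless, long, mixes letters and digits, fairly high entropy."""
    if "." in name or len(name) < 16:
        return False
    digits = sum(ch.isdigit() for ch in name)
    letters = sum(ch.isalpha() for ch in name)
    return digits >= 4 and letters >= 4 and shannon_entropy(name.lower()) >= 3.0


def suspicious_programdata_files(lines) -> List[str]:
    """Paths of hidden+system, random-named files sitting directly under C:\\ProgramData."""
    hits = []
    for line in lines:
        f = parse_otl_line(line)
        if f is None or f.directory:
            continue
        parent, _, name = f.path.rpartition("\\")
        if parent.lower() == r"c:\programdata" and f.hidden and f.system and looks_random(name):
            hits.append(f.path)
    return hits


if __name__ == "__main__":
    for path in suspicious_programdata_files(SAMPLE_OTL_LINES):
        print("review:", path)
```

The desktop.ini control shows why the extension and length checks matter: hidden+system on its own is normal for that file, so the heuristic keys on the name shape rather than the attributes alone.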


That's odd... the Security Status screen says I've got version 5.1.0.16, was there something in the log that indicated version 4.5?

I updated Java to Java 6 update 26, and updated Adobe Reader to 9.4.0 (I wasn't sure if something called X 10.1 was for my system or not.)

I uninstalled Java 6 Update 11, Update 6, Update 7, and Adobe Reader 8.3.0 and then ran OTL, pasted the text, and chose Run Fix as directed. I let it run, and had it reboot when it prompted me to, but this time no log was ever produced, before or after reboot.

I just ran a Quick Scan in a-squared, with no results. I'll let it run the Deep Scan later tonight since it takes a few hours & see if it comes up with anything. But I am puzzled at my version showing up as 4.5 to you.

Should I restart the entire process?

Edited by ShadowPuterDude
Removed unnecessarily quoted post

Okay, the Deep Scan locked up at 4% of the Traces Scanned stage. I then remembered having a similar problem long ago with lockups, so I decided to uninstall & reinstall, which fixed the problem back then. And when I looked in my Control Panel's Uninstall Programs list, there I saw a-squared 4.5 as the only version there. Again, the Security Status screen in a-squared shows 5.1.0.16, so something's obviously wrong.

I downloaded the current installer from the Emsisoft page, uninstalled 4.5, and installed 5.1. I only had time before work to run the Quick Scan, which yielded no results. I'll have to run the Deep Scan later tonight after work, just wanted to let you know what this morning's status is.


I noticed the following listed in Extras.txt:

"TCP Query User{2D9445C5-AA92-4490-89A2-92BCA4A14629}C:\users\bastard_2\downloads\keygen.a-squared.anti-malware.4.5.0.63.exe" = protocol=6 | dir=in | app=c:\users\bastard_2\downloads\keygen.a-squared.anti-malware.4.5.0.63.exe | 
"UDP Query User{E8AB73D3-0AE3-4852-964A-D48E7CC42630}C:\users\bastard_2\downloads\keygen.a-squared.anti-malware.4.5.0.63.exe" = protocol=17 | dir=in | app=c:\users\bastard_2\downloads\keygen.a-squared.anti-malware.4.5.0.63.exe | 

You're probably using a cracked copy of Emsisoft Anti-Malware. Please buy a full version in our online shop in order to keep your PC free of malware.


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{04E7C3C6-D934-49CE-BD43-A5C743D65E98}"=-
    "{42680D41-921D-4F63-B543-64DA92A16909}"=-
    "{F92C54B3-3589-48E6-A9F3-AFA97F426899}"=-
    "{F96C0E6F-50C3-4454-92F9-3EC54F78C35D}"=-
    
    :Files
    c:\users\bastard\appdata\local\temp\ntexplore.exe
    c:\users\bastard\appdata\local\temp\mvnetdhcp.exe
    
    :Commands
    [ClearAllRestorePoints]
    [CreateRestorePoint]
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [ResetHosts]
    [start Explorer]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL).

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
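The two Extras.txt lines the helper spotted are Windows Firewall "Query User" rules, the ones created when a user clicks Allow on the Security Alert prompt, and both point at an executable in a Downloads folder. The following Python is an added example, not from the post and not an OTL feature: it parses firewall-rule lines in OTL's rendering and returns the inbound rules whose program lives in a user-writable directory. The first two sample lines are the ones quoted above; the third is a constructed benign control with a placeholder GUID, and the list of user-writable locations is an assumption.

```python
import re
from typing import List, NamedTuple, Optional

# Firewall rules as OTL renders them in Extras.txt. The first two lines are the
# entries quoted in the post; the third is a constructed benign control.
SAMPLE_RULES = [
    r'"TCP Query User{2D9445C5-AA92-4490-89A2-92BCA4A14629}C:\users\bastard_2\downloads\keygen.a-squared.anti-malware.4.5.0.63.exe" = protocol=6 | dir=in | app=c:\users\bastard_2\downloads\keygen.a-squared.anti-malware.4.5.0.63.exe | ',
    r'"UDP Query User{E8AB73D3-0AE3-4852-964A-D48E7CC42630}C:\users\bastard_2\downloads\keygen.a-squared.anti-malware.4.5.0.63.exe" = protocol=17 | dir=in | app=c:\users\bastard_2\downloads\keygen.a-squared.anti-malware.4.5.0.63.exe | ',
    r'"{00000000-0000-0000-0000-000000000000}" = protocol=6 | dir=in | app=c:\program files\windows media player\wmplayer.exe | ',
]

PROTOCOLS = {"6": "TCP", "17": "UDP"}

# Locations a standard user can write to without elevation (assumed list).
# An inbound exception for a program living there deserves review.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\", "\\temp\\")

# "name" = key=value | key=value | ...
_RULE = re.compile(r'^"(?P<name>[^"]*)" = (?P<fields>.*)$')


class FirewallRule(NamedTuple):
    name: str
    protocol: str
    direction: str
    app: str
    user_prompted: bool  # "Query User" rules come from answering the Security Alert prompt


def parse_rule(line: str) -> Optional[FirewallRule]:
    m = _RULE.match(line.strip())
    if not m:
        return None
    fields = {}
    for chunk in m["fields"].split("|"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    proto = fields.get("protocol", "")
    name = m["name"]
    return FirewallRule(name, PROTOCOLS.get(proto, proto or "?"),
                        fields.get("dir", "?").lower(), fields.get("app", ""),
                        "Query User" in name)


def risky_inbound_rules(lines) -> List[FirewallRule]:
    """Inbound rules whose program path sits in a user-writable directory."""
    hits = []
    for line in lines:
        rule = parse_rule(line)
        if rule is None or rule.direction != "in" or not rule.app:
            continue
        if any(marker in rule.app.lower() for marker in USER_WRITABLE_MARKERS):
            hits.append(rule)
    return hits


if __name__ == "__main__":
    for r in risky_inbound_rules(SAMPLE_RULES):
        flag = "(user-allowed) " if r.user_prompted else ""
        print(f"{r.protocol} {r.direction} {flag}{r.app}")
```

This works on OTL's rendering of the rules. The raw values under the FirewallRules registry key named in the fix above use a different `Key=Value|` encoding (with `App=` and `Dir=` fields among others), so adapt the splitter if you read them directly rather than from an OTL log.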


I'll paste that in when I get home tonight.

I do want to state though, that while I did use a cracked version initially, I've been a paying subscriber for close to 2 years now. I can provide billing statements if it matters.


Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.


Attach logs for:

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Ok, I -think- I ran Combo-Fix. I downloaded ComboFix, saved it as "Combo-Fix.exe", disabled a-squared, and ran ComboFix. I got called away a few minutes into running it, and when I came back there was a Microsoft window that said "Registry Editor has stopped working. Windows is checking for a solution." I closed that window, taking care to not click anywhere else.

Once the ComboFix log was generated, the same Registry Editor error window came up again, so I clicked it closed & saved the log. I hope it didn't interfere with the ComboFix process, but here's the log I saved.

I don't know if this was supposed to happen, but once it was all done, my Desktop icons were rearranged, with some missing and some that I hadn't had there for a long time. There are also two "desktop.ini" files from June 2010. There seem to be a lot of other changes throughout my system, I'm assuming this is part of the process.

::EDIT:: And after restarting, all the icons, folders, bookmarks etc seem to be right where they were before running ComboFix.


Now we need to use ComboFix to remove some stuff.

  • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

KillAll::

Folder::
C:\32788R22FWJFW

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"LocalServiceAndNoImpersonation"=-

  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
    [screenshot: th_CFScript.gif]
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below

Note: DO NOT mouse-click ComboFix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.


Attach logs for:

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


I'm posting this from my phone, because ComboFix seems to be going insane. I did everything as instructed, and now that my PC rebooted, the blue ComboFix window opens & closes very rapidly, like a cascading series of window prompts. I let it go for a half hour & then tried to stop it with Task Manager, to no avail. Not knowing whether this is supposed to happen or not, I decided to restart the system... and the ComboFix windows just started cascading again. What's happening?

::EDIT:: And now I'm posting from my PC. I kinda panicked & just shut down my computer, and when I started it up again, that ComboFix window popped up again, and I just clicked the red X to close it before it could cascade again. I'll be happy to do the entire process again if you say that's what it's supposed to do, but I just didn't know & it looked like some wild kind of lockup/loop to me.

I found -a- combofix.txt file in the C:\Combofix folder, so I'm attaching it in case it's of any help. I'm assuming I screwed this up, sorry if this causes problems.


Well, that didn't work at all.

Download avz4.zip from here

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window [screenshot: AVZupdate.jpg]
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.


Close all windows then double click on AVZ.exe

  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program
    begin
    SetAVZGuardStatus(True);
    SearchRootkit(true, true);
    DeleteFile('C:\1210a545ff2b3d08555013\DW\DW20.exe');
    DeleteFile('C:\Combo-Fix\CF21365.cfxxe');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','combofix');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\RunOnce','combofix');
    DeleteFile('C:\Users\Blue\AppData\Local\ofatoqih.dll');
    RegKeyParamDel('HKEY_USERS','S-1-5-21-1459967209-3644158788-1528458740-1003\Software\Microsoft\Windows\CurrentVersion\Run','Qgobeh');
    ExecuteSysClean;
    RebootWindows(true);
    end.

  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.

Attach a fresh AVZ log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Just ran that, and I really feel dumb for asking this, but... where would this new log be? The 3 files in the LOG folder seem to be the same 3 that were created yesterday & have a July 10th date associated. The only thing in the avz folder that has today's (July 11) date is a "Backup" folder which is empty.


Ouch, sorry to hear that, hope you're feeling better!

As for my system, a-squared's still not detecting anything in my nightly Deep Scans. I noticed some red text in that last AVZ scan about a Trojan/keylogger in the Emsisoft folder, could that be the culprit?

As for my system, a-squared's still not detecting anything in my nightly Deep Scans. I noticed some red text in that last AVZ scan about a Trojan/keylogger in the Emsisoft folder, could that be the culprit?
No, those are False Positive detections on the part of AVZ. Otherwise, I would have said something.

Your logs look fine. Running a deep scan on a nightly basis is a bit much. I wouldn't be extremely concerned about the lack of detections. Your system appears to be clean.


Huh. Seriously? I mean, it's good to hear that my system seems clean, but if nightly scans aren't picking up even the website cookies & such that it used to, it's kind of like it's not showing the results it used to. I guess I'll try running scans less frequently & see what happens. Thanks for your help through all this!

One last question: What should I do with OTL, AVZ, EEK, etc. now? Delete, uninstall, keep?


Now to remove most of the tools that we have used in fixing your machine:

  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Delete the following from your Desktop (If they exist)

CFscript.txt

Anything else I had you use

Delete the following files: (If they exist)

C:\ComboFix.txt

Delete the following folders: (If they exist)

C:\ComboFix

C:\Qoobox

Empty the Recycle Bin

Download to your Desktop:

- CCleaner Portable

  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner

Run CCleaner

  • Open the CCleaner Folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • The following should be selected by default, if not, please select:
    [screenshot: 4l5a4i.png]
  • Click [screenshot: 16jox2o.png] and choose [screenshot: 5x3nu8.gif]
  • Uncheck [screenshot: amuvj8.gif]
  • Then go back to [screenshot: 2jb4qyb.gif] and click [screenshot: nf47ev.gif] to run it.
  • Exit CCleaner.

Turn off System restore to flush all your restore points then turn system restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector; this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being out-dated.

Articles to read:

How to Protect Your Computer From Malware

How to keep you and your Windows PC happy

Web, email, chat, password and kids safety

10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
