Be careful when using Adware Removal Tool

17 replies to this topic

#1 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 12 June 2015 - 04:23 PM

Hi everyone,

I'm creating this thread following what I've seen done by Adware Removal Tool here:

Ads by On Stage

If you check the log on post #9, you'll see that a lot of files from the Steam App folder were deleted and they all have something in common: they all have the words conduit and babylon in them. So I thought that it would be just a coincidence, this tool couldn't really base its search on simply words that are known to be associated with common malware without checking their signature, location or else. So I did a test: I created a bunch of files in one of my VMs with the words "babylon" and "conduit" in them and dropped them a bit everywhere and gave them extensions (.exe, .xml and .dll). These files are totally empty, blank. I just created a new file and changed the extension. Then I downloaded Adware Removal Tool and ran a scan, and it looks like I was right.
 
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * 

Adware Removal Tool v3.9
Time: 2015_06_12_17_13_11
OS: Windows 7 - 64 Bit
Account Name: Yoan
U0L0S23

\\\\\\\\\\\\\\\\\\\\\\\ Repair Logs \\\\\\\\\\\\\\\\\\\\\\

Deleted - File - C:\program files\last_conduit_file.exe
Deleted - File - C:\program files (x86)\conduit_2.dll
Deleted - File - C:\program files (x86)\Conduit\conduit_1.dll
Deleted - File - C:\Users\Yoan\desktop\random_conduit.xml
Deleted - File - C:\Users\Yoan\desktop\random_babylon.xml
Deleted - File - C:\ProgramData\and_another_babylon.exe
Deleted - File - C:\ProgramData\Babylon\a_babylon_dll.dll
Deleted - File - C:\Users\Yoan\Appdata\some_random_conduit_file.exe
Deleted - File - C:\Users\Yoan\Appdata\Local\a_file_with_babylon_in_it.dll
Deleted - File - C:\Users\Yoan\Appdata\Roaming\normal_exe_I_named_with_conduit.exe
Deleted - Folder - C:\program files (x86)\Conduit
Deleted - Folder - C:\ProgramData\Babylon
Deleted - RegistryValueData - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}:dllname
Deleted - RegistryValueData - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}:masterclsid
Deleted - RegistryValueData - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}:dllname
Deleted - RegistryValueData - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{472734EA-242A-422B-ADF8-83D1E48CC825}:dllname
Deleted - RegistryValueData - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}:dllname
Deleted - RegistryValueData - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}:dllname
Deleted - RegistryKey - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility:{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}
Deleted - RegistryKey - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility:{2EECD738-5844-4A99-B4B6-146BF802613B}
Deleted - RegistryKey - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility:{472734EA-242A-422B-ADF8-83D1E48CC825}
Deleted - RegistryKey - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility:{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Deleted - RegistryKey - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility:{98889811-442D-49DD-99D7-DC866BE87DBC}

\\ Finished
All the files I created were picked up and deleted by Adware Removal Tool. Which means that this tool basically scans for files with known words and deletes them, even though they are perfectly safe and not malicious at all. A malware removal tool shouldn't work like that if you ask me, this endangers the systems on which it is used and will force the OP to reinstall a lot of programs when it happens. I see that some users use the Adware Removal Tool in the "Am I Infected?" section and my advice is this: if someone asks you to run this tool, for the safety of your own system, please don't do it.

There's not much to add to this thread I guess. If a Moderator feel like I'm attacking a tool in an unfair way, feel free to close the thread and/or delete it.

Thank you.

Edit: I forgot to add that this is a brand new VM with nothing on it installed but legitimate security programs: herdProtect, Malwarebytes, Sandboxie, Process Hacker 2, etc. so I don't even know why it deleted stuff in the Registry for Internet Explorer when I have no extensions for it. Just checked the CLSIDs and they are false positives. So running Adware Removal Tool on a clean VM gives you a log full of false positives, that's nice.

Edit 2: Also, it looks like none of these files were moved to Adware Removal Tool's quarantine folder? All I have is my whole Google Chrome user profile for some reason?

[Three screenshots of the quarantine folder attached]

Trying to see where it's even coming from. From what I can see, it would destroy my whole Google Chrome profile if I had used it on my real system.

Edited by Aura., 12 June 2015 - 05:10 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
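The experiment in this post can be reproduced without running the tool at all. The script below is an added example (not code from the thread or from Adware Removal Tool's authors): it recreates the blank decoy files using the names from the log, runs a name-only matcher that behaves the way the log suggests the tool does, runs a content-based check against a constructed (placeholder) bad-hash set for contrast, and then moves the flagged files into a quarantine folder instead of deleting them, which is the step Edit 2 found missing. The keyword list, the hash set and the file layout are all assumptions built from this post.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# The two name fragments the log in post #1 shows the tool reacting to.
SUSPECT_KEYWORDS = ("conduit", "babylon")

# Constructed stand-in for a signature database: SHA-256 digests of known-bad
# files. It holds only a placeholder, so no real file can match it.
KNOWN_BAD_SHA256 = {"<placeholder-digest-of-a-known-bad-file>"}

# File and folder names taken from the thread's log, plus one control file.
TEST_LAYOUT = (
    "last_conduit_file.exe",
    "random_babylon.xml",
    "Conduit/conduit_1.dll",
    "Babylon/a_babylon_dll.dll",
    "normal_exe_I_named_with_conduit.exe",
    "unrelated_tool.exe",  # control: no keyword in the name
)


def make_test_files(root: Path) -> None:
    """Recreate the experiment: zero-byte files whose names carry the keywords."""
    for rel in TEST_LAYOUT:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()  # empty file, exactly as in the thread


def keyword_scan(root: Path) -> list[str]:
    """Name-only matching, which is what the log suggests the tool does.

    No content, signature or publisher check is involved, so every blank decoy
    (and every folder) whose name contains a keyword is a hit, and a legitimate
    file such as the Steam assets mentioned in the linked thread would be too.
    """
    hits = []
    for path in root.rglob("*"):
        if any(k in path.name.lower() for k in SUSPECT_KEYWORDS):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def hash_scan(root: Path) -> list[str]:
    """Content-based check: flag a file only if its digest is in the bad-hash set."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            if digest in KNOWN_BAD_SHA256:
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def quarantine(root: Path, rel_paths: list[str], qdir: Path) -> list[str]:
    """Move flagged files into a quarantine folder instead of deleting them.

    Keeping the original relative path under qdir makes restoration a plain
    move back; folders in the hit list are skipped because their files are
    handled individually.
    """
    moved = []
    for rel in rel_paths:
        src = root / rel
        if not src.is_file():
            continue
        dst = qdir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
        moved.append(rel)
    return sorted(moved)


def run_experiment() -> dict:
    """Build the decoy tree in a temp dir and compare the two scanners."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        qdir = Path(tmp) / "quarantine"
        make_test_files(root)
        by_name = keyword_scan(root)
        by_hash = hash_scan(root)
        moved = quarantine(root, by_name, qdir)
        restorable = sorted(
            p.relative_to(qdir).as_posix() for p in qdir.rglob("*") if p.is_file()
        )
        return {
            "by_name": by_name,          # 5 blank files + 2 folders flagged
            "by_hash": by_hash,          # nothing flagged: empty files match no signature
            "quarantined": moved,        # the 5 files, moved rather than destroyed
            "restorable": restorable,    # same 5 paths, recoverable from quarantine
        }


if __name__ == "__main__":
    for key, value in run_experiment().items():
        print(f"{key}: {value}")
```

The control file `unrelated_tool.exe` never appears in either result, and the hash-based pass flags nothing because a zero-byte file cannot match any real signature; the gap between the two lists is exactly the false-positive set the log above shows.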



#2 quietman7 (Bleepin' Janitor, Global Moderator, Location: Virginia, USA)

Posted 12 June 2015 - 07:46 PM

I already warned against using Adware Removal Tool in this topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donation button].

#3 Aura (Bleepin' Special Ops, Topic Starter, Malware Response Team)

Posted 12 June 2015 - 07:48 PM

But now we have proof of why we should be careful about it, which might open the eyes of some people :P



#4 quietman7 (Bleepin' Janitor, Global Moderator, Location: Virginia, USA)

Posted 13 June 2015 - 06:14 AM

I had proof when I posted then since I already tested the program.

#5 Union_Thug (Bleeps with the fishes..., Members)

Posted 13 June 2015 - 07:39 AM

[popcorn and drink emoticons]



#6 Aura (Bleepin' Special Ops, Topic Starter, Malware Response Team)

Posted 13 June 2015 - 07:48 AM

But there were no logs or anything posted in it. Anyway, it doesn't hurt to have one thread dedicated to it so people can clearly see that this tool isn't worth using :) If you want you can edit my first post and add your canned. The more information, the better.



#7 quietman7 (Bleepin' Janitor, Global Moderator, Location: Virginia, USA)

Posted 13 June 2015 - 08:27 AM

I got rid of everything, including the logs. I don't like junk on my machine. :wink:

No need to edit...the link I posted will suffice.

#8 severac (Members, Location: Serbia)

Posted 13 June 2015 - 02:08 PM

"So sorry about the inconvenience. Recently we got the same complaint as you informed us about our tool. Yes, it is a problem in our tool and we are still working on that to fix it. So please wait a while. Please try our tool later.
Thanks"

Response from the authors. Hope they will fix it.


I would like to help you to remove malware. Let's look inside. :busy:

But I don't know how to solve all PC problems. :smash:


#9 Aura (Bleepin' Special Ops, Topic Starter, Malware Response Team)

Posted 13 June 2015 - 02:13 PM

Let me know when it's fixed and I'll test it again. But for now, it doesn't look like a "bug" to me, more like it was coded that way.



#10 severac (Members, Location: Serbia)

Posted 13 June 2015 - 02:41 PM

I will inform you, if they inform me. :thumbup2:




#11 quietman7 (Bleepin' Janitor, Global Moderator, Location: Virginia, USA)

Posted 13 June 2015 - 05:42 PM

Even if it was a bug this time, I still would not recommend this program.

#12 Aura (Bleepin' Special Ops, Topic Starter, Malware Response Team)

Posted 13 June 2015 - 05:44 PM

Same here. Plus, the product is built around getting you to donate when you use it and I cannot stand that. They are pushing it down your throat.

Edited by Aura., 13 June 2015 - 05:45 PM.



#13 noknojon (Banned)

Posted 14 June 2015 - 07:34 PM

Several programs were coded to just run as "basic removal tools".

I did stop using Junkware Removal Tool as the early program was just a direct Removal code, with no options, like Xplode later built in.

The author of JRT did make several changes to the program, but I still prefer to see the Option given by AdwCleaner, of Preview then Removal.

Actually AdwCleaner has 1/ Preview then 2/ Quarantine, so the problems are only fully removed when you Delete (3/ Uninstall) the program.

Just my 2c on versions I prefer to use -



#14 RolandJS (Members, Location: Austin TX metro area)

Posted 14 June 2015 - 07:45 PM

AdwCleaner, after being run, after the choices have been examined, one can nix the program via Task Manager -- and it will simply have been used as a reporting tool :) I have done this several times 'cause all I wanted was a report.


Edited by RolandJS, 14 June 2015 - 07:45 PM.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#15 Aura (Bleepin' Special Ops, Topic Starter, Malware Response Team)

Posted 14 June 2015 - 09:24 PM

JRT is still a "removal only" program, however, unlike AdwCleaner, it backs up the Registry before running, which is quite useful.


