system files being deleted: aclui.dll - how to protect with cfw? [RESOLVED]

Hi

I am still trying to understand CFW. I use V3, the latest version.
RegRunSuite from Greatis is also installed on my system because it helps me control which processes autostart. I once thought that Defence+ would check that too and give me control over autostarts, but I did not manage to work out how. So I use RegRun too :frowning:
Antivirus is Avast.

Problem encountered:

After reboot or fresh start two system32 files are deleted in windows xp pro sp3.

aclui.dll and acledit !!

Then I can’t use certain tools like Task Manager etc.!! CRUCIAL!

So, I keep a backup of those two files in a zip and always have to copy them back in order to keep working. That works!

But of course I would be very happy to know why that happens. I checked the fresh PC (otherwise with only the usual software installed) with F-Secure BlackLight for trojans, with Avast and with Comodo, and it seems to be CLEAN!

I then tried to put those two files into the Defense+ protected files list, but they keep disappearing!

Please help me and explain how I can REALLY protect system files and others with CFW / Defense+ from manipulation or deletion! How can I trace the source?

thanks

Hello diverxl,

Try to upload the 2 files to VirusTotal and see if anything comes up.
Especially Avast; if it’s recognized, then have a look at the Avast logfiles to see if you can find it reported there.

Hi Ronny

I checked VirusTotal and the Avast log; there is no sign of malware activity. So, well, am I wrong, or can I
protect those two files with Comodo Defense+? Best would be if a popup warning then came up and informed me which process / file is deleting aclui.dll :frowning:

Do they disappear also if you boot in Safe Mode ?

Ronny

I did a safe Windows start (F8) and aclui.dll did not disappear!

I then did a normal start and used the feature of Greatis RegRun to do a clean Windows boot with a minimum of startup files, and they didn’t disappear either!

So, there must be something responsible for this during the Windows boot. So I disabled all autostarts but had no success :frowning:

HijackThis, Avast, Comodo and F-Secure BlackLight say my PC is clean.

Referring to my earlier question: can’t I protect this DLL with Defense+?
If not, with any other software? It should be possible to run this problem down.

thanks

I’m not familiar with RegRun, but if booting in Safe Mode keeps the file, then it’s definitely a program cleaning this out.
Does RegRun also disable Services? Maybe you could take a look in there to see who could be doing this.

You can also go to Local Security Policy, Security Settings, Local Policies, Audit Policy,
and enable all Success, Failure (write down the defaults).

If all are enabled, reboot “normal” and after the files have disappeared have a look at the Event Viewer security log to see who did it.
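The audit-policy approach described in this post, as an added example that is not from the thread, from Comodo or from RegRun. It assumes Windows Vista or later with Windows PowerShell 5.1 started as Administrator; the file paths are the ones named in the thread, and the function names are mine. The point it adds: turning on the Object Access category only tells Windows to audit objects that carry an audit entry (SACL), so without a per-file entry the Security log stays empty even though auditing is "on". On the XP box in the thread the same two steps are done in the GUI (Local Security Policy for the category, then file Properties > Security > Advanced > Auditing for the entry), and the resulting events are the older IDs 560/564/567 rather than 4656/4663.

```powershell
# Added example (not the thread's or any vendor's code): log who deletes or
# rewrites the two DLLs, then read the answer back from the Security log.
# Assumes Vista+ and Windows PowerShell 5.1 running elevated.

$files = @(
    "$env:SystemRoot\System32\aclui.dll",
    "$env:SystemRoot\System32\acledit.dll"
)

function Enable-FileDeleteAudit {
    param([string[]]$Paths)

    # Step 1: Object Access > File System auditing, success and failure.
    # This is the auditpol equivalent of the Local Security Policy change above.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # Step 2: the category alone records nothing. Each file needs an audit
    # entry (SACL) naming the accesses to record; here Delete and WriteData
    # by any principal, both when they succeed and when they are refused.
    $rights = [System.Security.AccessControl.FileSystemRights]'Delete, WriteData'
    $flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule   = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $flags)

    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "$p is missing; restore it from the backup zip first"
            continue
        }
        # Read and write only the SACL section. Rewriting owner or DACL on a
        # TrustedInstaller-owned system file would be refused.
        $sec = [System.IO.File]::GetAccessControl($p, [System.Security.AccessControl.AccessControlSections]::Audit)
        $sec.AddAuditRule($rule)
        [System.IO.File]::SetAccessControl($p, $sec)
    }
}

function Get-FileDeleteEvents {
    param([string[]]$Paths, [int]$MaxEvents = 2000)

    # 4656 = a handle was requested (carries the requested access mask, so a
    # refused DELETE shows up here too); 4663 = the access was actually used.
    # Both carry Object Name and Process Name, which is what identifies the culprit.
    $names = ($Paths | ForEach-Object { [regex]::Escape((Split-Path -Leaf $_)) }) -join '|'

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "Object Name:\s+\S*($names)" } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Process = if ($_.Message -match 'Process Name:\s+(.+)') { $Matches[1].Trim() } else { '' }
                Access  = if ($_.Message -match 'Accesses:\s+(.+)')     { $Matches[1].Trim() } else { '' }
                Account = if ($_.Message -match 'Account Name:\s+(.+)') { $Matches[1].Trim() } else { '' }
            }
        }
}

Enable-FileDeleteAudit -Paths $files
# The SACL survives reboots, so reboot (the trigger in the thread) and then run:
Get-FileDeleteEvents -Paths $files | Format-Table -AutoSize
```

The output lists, per attempt, the process image that opened the file for DELETE or write and the account it ran as. If the table is empty after the files vanished, check that the audit entry is actually present on the restored copies: copying the DLLs back from the zip recreates them without the SACL, so Enable-FileDeleteAudit has to be rerun after every restore.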

Hi Ronny

I followed your instructions
but I am not able to find any traces of aclui.dll in my events. I am now using the alternative freeware tool MyEventViewer from NirSoft, which allows me to browse all my events faster…

Anyway, the files are gone now and I will carry on finding the source. I just installed BitDefender free next to my Avast scanner and will see what that tells me. Then I have prepared an Avira boot USB stick and will see what that says. Afterwards I will try some malware scanners such as Spybot, SuperAntiSpyware etc.

Don’t know what to do, and perhaps I will have to reinstall :frowning: though time is short since I am deeply into final exams.

Anyway, what is Comodo’s file protection for?
I set up my own group in Defense+, MyOwnSafeFiles, and added C:\windows\system32\aclui.dll and acledit.dll

diverxl,

As far as I know it will protect your files against “malicious” programs. So if a legit software changes it, I guess it won’t block this… but then again I could be wrong…

From the help file:
This section allows you to protect specific files and folders against unauthorized modification. Protecting files prevents modification by malicious programs such as viruses, trojans and spyware. It is also useful for safeguarding very valuable files (spreadsheets, databases, documents) by denying anyone and any program the ability to modify the file - avoiding the possibility of accidental or deliberate sabotage. If a file is ‘Protected’ it can still be accessed and read by users, but not altered. A good example of a file that ought to be protected is your ‘hosts’ file (c:\windows\system32\drivers\etc\hosts). Placing this in the ‘My Protected Files’ area would allow web browsers to access and read from the file as per normal. However, should any process attempt to modify it then Comodo Firewall Pro will block this attempt and produce a ‘Protected File Access’ pop-up alert.

I’ve done some testing; this won’t work for applications you put in the “trusted” policy because they are allowed to change protected files. If you wish to cover this you need to change the:

Defence+ Policy
All Applications, Access Rights, Protected Files/Folders, Blocked Files/Folders.
Put the previously created group in here. Apply all and test again.
Now it will give you an “Access Denied” message if you try to save the changes to this file(s).
It will also log an entry in your Defence+ Logging.

Hope this helps.

gOSH

Ronny,

Thank you a lot! I’d never have guessed how to get that working. Btw, I did read the manual and the excerpt you quoted but, well, I overlooked the term malicious and did not get the proper meaning. It is great to know now what I can do in Defense+.
Never thought that the key is in the rules allowed or not allowed for general *.exe files :BNC

PS:
None of the above anti-virus scans gave a positive result. So my PC seems to be clean, and it is a ‘clean’ file that does this deleting… better: DID :slight_smile:

Now I will see which of my programs was the culprit. I have a strong eye on the WebDAV tool called ‘NetDrive’ from SolutionBox. It is named like Novell’s tool that does exactly the same, so I had not recognized that my tool is not from Novell, and therefore I did not suspect it of causing possible havoc, but I will have to check this…

Thanks a lot!

The cause of the disappearing files was Solution.box’s NETDRIVE tool!

I will ask there for a plausible explanation. What a sad experience.

Now I will have to look for an alternative tool which connects WebDAV/FTP to my Explorer by assigning drive letters (:SAD)

At least you know who did it now, and how to stop it.
Did the block access help you out?

Hi Ronny,

Yes, indeed, it helped. Because I edited that rule for all applications in the Defence+ settings, no executable,
Explorer or Total Commander, e.g., can delete the file any more, as long as Defence+ is running.
That is, because I have given True Transparency the status of a trusted application, maybe I should have altered only the settings for the netdrive.exe executable. Anyway, it does work now.


Okay then, I’ll lock this topic.
If you need it opened again, PM me or an active mod.