Emsisoft Employee
  • Content Count

  • Joined

  • Days Won


Everything posted by GT500

  1. Are you getting any notifications from Emsisoft Anti-Malware or Online Armor while doing it? Do you have any security software installed other than Emsisoft Anti-Malware and Online Armor (other anti-virus, anti-spwyare, system settings protection, WinPatrol, etc)?
  2. TDSSKiller says there's no rootkit (at least none that it is capable of detecting). Lets get a scan from GMER, because I don't think I believe what TDSSKiller is saying. Please download GMER from this link. Note that the file will have a random name, so make note of the file's name and save it to the root of your C: drive. Disconnect from the Internet and close all running programs. Temporarily disable any real-time active protection so your security program drivers will not conflict with this file. Click on this link to see a list of programs that should be disabled while running GMER (please try to avoid the advertisements on that page). Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator") Allow the driver to load if asked. You may be prompted to scan immediately if it detects rootkit activity. If you are prompted to scan your system click "No", save the log and post back the results. If not prompted, click the "Rootkit/Malware" tab. On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked. Select all drives that are connected to your system to be scanned. Click the Scan button to begin. (Please be patient as it can take some time to complete) When the scan is finished, click Save to save the scan results to your Desktop. Save the file as Results.log and please attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply (you may need to ZIP the log by right-clicking on it, going to Send to, and clicking on Compressed (zipped) folder before you can attach it). Exit the program and re-enable all active protection when done.
  3. Technically, EAM isn't removed, it's just that the System Tray icon hasn't appeared and the protection hasn't started. As for a 'fix', it might be possible to change the behavior of the wizard so that some notification of the communication failure is mentioned, and thus you know that there was an issue. I'll have to run it by our developers and see what they think.
  4. Please try uninstalling Emsisoft Anti-Malware, and then download Emsiclean from this link (save it on your desktop) and follow the instructions below: When running Emsiclean, you will first be presented with a disclaimer. You will need to accept this disclaimer to continue. Emsiclean will scan your computer for leftovers after the uninstall, and give you the option to remove what it finds. Please do not allow it to remove anything at this time. In the lower-right corner will be a button that says Close Emsisoft Clean. Click on that button to close the program without making any changes to your computer. Emsiclean will save a log on your desktop as it closes (it may take a moment for the log file to appear). Please attach that log to a reply for me to review (you can access the forum's attachment controls by clicking on the More Reply Options button to the lower-right of where you type in your reply).
  5. If there is an infection, then that could be the cause. It could also be a conflict with something else you have installed. It isn't possible to accurately answer this question until we are certain that your computer is clean. By default, Windows will hide icons that it considers inactive. There should be a little button to click to show the hidden icons, and you should find that button just to the left of where those icons are normally located. As for ComboFix scanning for 2 hours, note that it should not normally take more than 10 or 15 minutes, and for it to go for longer than 30 minutes is abnormal. At that point, you can assume that something is interfering with ComboFix, and go ahead and close it and restart your computer. I don't see any security software other than Emsisoft Anti-Malware in your OTL log, so I am fairly certain that there is a rootkit interfering with ComboFix, and TDSSKiller's log should let me know if that is the case. It is normal for the Emsisoft Anti-Malware icon to not appear when Windows is in Safe Mode, because most services and startup items (which includes the ones for Emsisoftt Anti-Malware) do not run in Safe Mode. This is because Safe Mode is a special diagnostic mode intended for repairing issues with your computer, and it is not expected for you to use your computer normally while Windows is running in Safe Mode. If that is happening while Windows is running in Safe Mode, then it might just be because the service isn't running. If it is happening while Windows is running normally, then it is a problem, and assuming that I am correct about a rootkit then it is probably just another symptom of that infection. Virtual Memory errors are not uncommon with some infections, so this could just be another symptom of that. Technically, it is always a problem when seeing Virtual Memory errors, however since I'm fairly certain that your computer is infected with a rootkit then we merely need to verify that that is the case, and then do what is necessary to get rid of it. Assuming Windows was running in Normal mode, and assuming I am correct about a rootkit infection, then that could simply be the rootkit interfering with Emsisoft Anti-Malware. Part of the function of modern rootkits tends to be to disable anti-virus and anti-spyware software, or at least fool them into thinking that the computer is not infected. The main purpose of a rootkit is to keep an infection from being removed, so the rootkit itself is not normally the main infection, but is just being used to prevent you from doing anything about the infection.
  6. I'll address your questions in another post. First, I want to give you some instructions for getting me a TDSSKiller log: Download TDSSKiller from this link and save it on your desktop. Run the TDSSKiller download that you saved. Click on Change parameters as it shows in the following screenshot: Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK: Click the Start scan button as in the following screenshot: You will see the following as the scan runs: If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!), note that you can click on the selection action to open a list and change it if it is not set to Skip automatically, and then click Continue at the bottom when everything is set to Skip: Click on Report in the upper-right corner, as in the following screenshot: You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report. Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report. Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list. Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot: Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot. Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
  7. As an addendum to my previous reply to this particular question, please note that Andrey has contacted me to further explain why he wanted to see the logs that I asked you for. Apparently the firewall logs did not contain the "Additional debug information", which Andrey needs to see in order to confirm a theory about why this might be happening.
  8. I thought you were testing with a new OS, Virtual Box, and Online Armor install now? Our developers just want to see a new firewall log from that new setup. Actually, there is a well known problem with Virtual Box that was caused by their network driver, and which we could not do anything about. So far, none of the data you have given us has shown Online Armor is the cause of the issue, which is why our developers wanted to see those firewall logs again. All they show is the DNS traffic not making it to the virtual machine. They don't actually show the cause. This will only be found in OA logs with debug information. Virtual PC is rather old. Have you considered a solution from VMware? Their software does not usually have issues with Online Armor, and if your development is open source (or at least not-for-profit) then VMware Player would be usable for free (although it is missing snapshots, which can be an essential feature for testing).
  9. As an addendum to what I just posted, I spoke to Andrey about this, and he mentioned that KAV has a network filter driver (I think it acts as a sort of proxy) that prevents third-party firewalls from filtering network traffic, which is why OA did not warn you about the leaktest trying to access the network.
  10. My apologies for the confusion. My implication was more along the lines of pointing out that the HIPS in Online Armor attempted to block the leak test, which is technically a pass (since OA did detect it and did offer to prevent it from running). My question was intended to demonstrate that, had you selected to block it from running, that Online Armor would have protected you. As for why the firewall didn't warn you about the leak test, I would need to know more about this leak test before I knew why it wasn't blocked. (see below for explanation)
  11. Please hold down the Windows key on your keyboard (normally in between the Ctrl and Alt keys, with the little Windows logo on it) and tap the R key to open the Run dialog. Type services.msc into the field, and then click OK. This will open a list of services that are installed on your computer. Please scroll down until you find the Emsisoft Anti-Malware Service, right click on it, and select Properties. Make sure that the Startup type is set to Automatic, and then restart your computer. If that does not help, then please let me know.
  12. That will happen if you do not have administrative rights. To elevate the Task Manager to administrative rights, then you would need to click on the button in the lower-left of the Task Manager's Processes tab that says Show processes from all users.
  13. You don't need to disconnect the battery to shut it down when it is frozen. Just hold down the power button for about 4 or 5 seconds, and the vast majority of modern computers will immediately shut off. This function is intended as a bypass to the normal shutdown procedure, and should only be used when absolutely necessary, such as in the case of a system freeze where you cannot shut the computer down or continue to use it normally. As for causing problems with the log, that happens when the system freezes. There is a possibility that the log will not contain the information that our developers would need to debug the issue, however there should have been enough time to log the cause of the freeze before everything froze up completely. Since the log file is being replaced with a blank one, you can try starting your computer in Safe Mode With Networking (instructions at this link) after the scan causes the freeze and you shut your computer off, and see if that prevents the log from being overwritten.
  14. May I ask how you know that EAM was able to connect and get a license key? I don't see it saying anywhere in your video that it succeeded.
  15. OK, are you able to open Emsisoft Anti-Malware from the icon on your desktop, or from the Start menu? If so, then on the Security Status screen (which is normally the first one you see when you open Emsisoft Anti-Malware) it will list the status of Emsisoft Anti-Malware, and when you hold your mouse over File Guard, Behavior Blocker, and Surf Protection you will see an option to turn them off. They will turn red when they are off. If you have any trouble with that, then just follow the instructions at this link to start your computer in Safe Mode With Networking, and you should be able to run ComboFix in Safe Mode With Networking. Please note that ComboFix will need to download an update when it runs, as there will have been numerous updates to ComboFix since you first downloaded it. Please allow it to download the update.
  16. Our developers will most likely need to see an Engine Debug Log, which will tell them more information about what is going on. Here's another ZIP archive, which contains two batch files. One is named engine_enable_debug_output and the other is named engine_disable_debug_output. Please download this ZIP archive, extract the batch files, and run the engine_enable_debug_output file (if your computer is running Windows Vista or Windows 7 then please make sure to right-click and select to Run as administrator): After running the batch file, please restart your computer, and try your scan again. Once the computer freezes, please restart it,and then check the Emsisoft Anti-Malware folder (usually C:\Program Files\Emsisoft Anti-Malware) and there should be a file named ScanEngineDebug.log (the files should be listed in alphabetical order). Please ZIP this file (if you do not have a program such as WinZip, 7-Zip, or WinRar then please right-click on the file, go to Send To, and select Compressed (zipped) folder) and make sure to save the ZIP archive on your desktop to make it easy to find. After that, please attach the ZIP archive with the ScanEngineDebug.log file in it to a reply by using the More Reply Options button to the lower-right of where you type in your reply to access the attachment controls.
  17. I would believe that the only way to do this is to manually add the file to the whitelist. Hopefully, if the feature request I submitted is implemented, it will add a way to do that directly from the results list.
  18. EAM will attempt to contact our license servers when you select the 30-day trial option, and if there are problems with the connection then that can cause the issue you experienced.
  19. Is there a little Emsisoft Anti-Malware icon in the lower-right corner of your screen, to the left of the clock somewhere? If so, then right-click on it, go to Guard state, and select to Disable all guards. You should be able to run ComboFix after that.
  20. I'm glad to hear that you were able to resolve your issue. Also, please note that, if you update to the latest version of Online Armor, that that should also resolve the issue if you were to experience it again.
  21. Please download ComboFix from this link and follow the instructions below to run it. Note that some infections will block it from running if you save it as ComboFix so you may wish to rename it in order to prevent this. Make sure you remember what you changed the name to. * IMPORTANT !!! Save ComboFix to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See HERE for help Double click on the ComboFix icon on your desktop (it has a red and white icon that looks like a white cat's head in a red circle) and follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not click in ComboFix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt) Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  22. This appears to be a behavior based detection, and Online Armor is warning that it is attempting to "get screen content". If you trust this behavior in this module, then you can select to trust it in Online Armor. I talked with our developers about this, and they recommend checking the Programs list in Online Armor to see if this wscui.cpl file is listed there. Please open Online Armor, go to Programs in the menu on the left, unselect the option at the bottom to Hide trusted, and then you should be able to find it in the list. If it is there, please remove it from the list, and let us know if Online Armor notifies you again.
  23. I assume you've checked to make sure that consent.exe is not already in the list? If it is, then you should be able to click on the rule, and change it to 'Allowed' by clicking on the Allow button below the list.
  24. Please pardon my confusion, but it sounds like Online Armor passed the leak test. In a real-world situation, would you have clicked 'Allow' for an unknown application that seemed suspicious?