GT500

Emsisoft Employee
Posts posted by GT500

  1. The item detected in the log shows a small partition related to the TDSS rootkit. This partition can be removed by Kaspersky's TDSSKiller, however doing so can be dangerous, and there is a possibility that your computer may not start up properly after running the fix. Before I ask you to do this, I highly recommend that you make sure that you have current backups of all of your files (documents, pictures, etc). Also, I'm going to want to see a log from TDSSKiller to make sure that there are no other parts of the rootkit still on your computer. Here are the instructions for getting me the log:

    1. Download TDSSKiller from this link and save it on your desktop.
    2. Run the TDSSKiller download that you saved.
    3. Click on Change parameters as it shows in the following screenshot:
      tdsskiller_report_001.png
    4. Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK:
      tdsskiller_report_002.png
    5. Click the Start scan button as in the following screenshot:
      tdsskiller_report_003.png
    6. You will see the following as the scan runs:
      tdsskiller_report_004.png
    7. If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!). Note that you can click on the selected action to open a list and change it if it is not set to Skip automatically. Then click Continue at the bottom when everything is set to Skip:
      tdsskiller_report_005.png
    8. Click on Report in the upper-right corner, as in the following screenshot:
      tdsskiller_report_006.png
    9. You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report.
      tdsskiller_report_007.png
    10. Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report.
      tdsskiller_report_008.png
    11. Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list.
    12. Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot:
      tdsskiller_report_009.png
    13. Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot. Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
      tdsskiller_report_010.png

  2. The logs are not showing any indication that Online Armor is interfering with DNS, nor are they showing anything to suggest that Online Armor is interfering with VirtualBox's networking drivers. Andrey says that the logs show ICMP packets passing through the firewall, as well as UDP packets on port 53 (which would be your DNS).

    Are you currently experiencing this issue with your fresh install of Online Armor?

  3. Please download ComboFix from this link and follow the instructions below to run it. Note that some infections will block it from running if you save it as ComboFix, so you may wish to rename it in order to prevent this. Make sure you remember what you changed the name to.

    * IMPORTANT !!! Save ComboFix to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
      See HERE for help
    • Double click on the ComboFix icon on your desktop (it has a red and white icon that looks like a white cat's head in a red circle) and follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    RcAuto1.gif

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png

    Click on Yes, to continue scanning for malware.

    When finished, ComboFix will produce a log.

    Note:

    1. Do not click in ComboFix's window while it's running. That may cause it to stall!

    2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

    Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

    • ComboFix (C:\combofix.txt)

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

  4. AVG Has this too

    AVG may have such a utility, however it does not appear to be available from their download page. Avira does appear to have an "Update Manager" for offline updates available on their download page, however.

    @Arthur, thank you. Sad as it is, this answers my question.

    You're quite welcome. ;)

    If you wish to request that we maintain such a tool, then please feel free to leave a comment in our Feedback, Comments and Suggestions section.

  5. Our developers are also requesting an Engine Debug Log, which will tell them more information about what is going on. Here's another ZIP archive, which contains two batch files. One is named engine_enable_debug_output and the other is named engine_disable_debug_output. Please download this ZIP archive, extract the batch files, and run the engine_enable_debug_output file (if your computer is running Windows Vista or Windows 7 then please make sure to right-click and select to Run as administrator):

    After running the batch file, please restart your computer, and try your scan again. Once it freezes, please check the Emsisoft Anti-Malware folder (usually C:\Program Files\Emsisoft Anti-Malware) and there should be a file named ScanEngineDebug.log (the files should be listed in alphabetical order). Please ZIP this file (if you do not have a program such as WinZip, 7-Zip, or WinRar then please right-click on the file, go to Send To, and select Compressed (zipped) folder) and make sure to save the ZIP archive on your desktop to make it easy to find. After that, please attach the ZIP archive with the ScanEngineDebug.log file in it to a reply by using the More Reply Options button to the lower-right of where you type in your reply to access the attachment controls.

  6. Normally running more than one scan at the same time would just cause the scans to run slower, and they wouldn't complete any faster than running them one at a time. This wouldn't be the case if your hard drive was an SSD (or if you were scanning more than one hard drive) and your anti-virus software was only capable of utilizing a single CPU core, however Emsisoft Anti-Malware will automatically utilize all of your CPU cores while scanning, so running more than one scan at the same time would not speed up the scanning.

    If there is some other reason why you may need to run more than one scan at the same time, then it might be possible to use the command-line scanner to accomplish this, however I have not tested this so I cannot guarantee that it will work.

  7. I have removed OA on one of my Windows 7 machines and used another free firewall, and they have no problem with VirtualBox. It's not that OA is blocking internet traffic, just DNS queries, as ping works, and only on Windows 7. I don't believe it is a VirtualBox problem as they work with other firewalls and only DNS is not working with OA.

    Would you be willing to reinstall Online Armor and gather some debug logs for us, so that Andrey can see what is happening?

  8. We'll probably need a DebugView log to see what is going on. Before we can get that, we'll need to set a registry entry that will tell Emsisoft Anti-Malware to output debug information that DebugView can see and save in its log. The following file eam_enable_debug_output.zip contains a batch file which, when run with administrative rights, will automatically create that registry entry for you. Please download this file, extract the batch file from it (it will also be named eam_enable_debug_output), and run the batch file (if your computer is running Windows Vista or Windows 7 then please make sure to right-click on the batch file and select to Run as administrator):

    After that, please restart your computer, and then proceed with the instructions below:

    1. Download DebugView from this link:
    2. When downloading, make sure to save it on your Desktop instead of clicking 'Run' or 'Open'.
    3. Right-click on the 'DebugView' file that you just saved on your Desktop, and select "Extract All".
    4. Open the new DebugView folder that was created on your Desktop after extracting.
    5. Windows XP and 2000 users should double-click on the file named 'Dbgview'. Windows 7 and Vista users should right-click and select "Run as Administrator".
    6. Click on the 'Capture' menu, and select everything except "Log Boot" (you will have to open the menu again after clicking to select an item).
    7. Do whatever it is you need to in order to replicate the issue (run the same scan until it freezes at 80%).
    8. After you have replicated the issue you can switch back to DebugView and click 'File' and "Save As" in order to save the log to a file on your Desktop.
    9. Please attach that log file to a reply so that we may analyze it for errors. You will need to use the More Reply Options button to the lower-right of where you type in your reply in order to access the attachment controls.

    Note: You may need to ZIP the log file in order to attach it. If you do not have a program such as 7-Zip, WinZip, WinRar, etc. then you can right-click on the log file, go to Send To, and click on Compressed (zipped) folder. You will be able to attach the ZIP archive to a reply.

  9. Unfortunately, the logs you attached to your post were normal firewall logs, and not debug logs. The debug logs are encrypted to prevent anyone except Andrey (our Online Armor developer) from reading them. Here's an updated set of instructions, assuming you are using the latest version of Online Armor (which is 5.5.0.1616 if you have downloaded the latest updates):

    Please open Online Armor, go to Options in the menu on the left, click the little check box to enable debug mode, restart your computer, and then try reproducing your problem. After that, please ZIP your entire logs folder (normally C:\Program Files\Online Armor\Logs), upload it to a website such as RapidShare/DepositFiles/BayFiles/etc (which one you use is up to you), and then copy and paste the link to download the file into a reply (or you can send it to me in a Private Message if you don't want the link posted publicly on the forums). Note that, if you don't have a utility such as 7-Zip, WinZip, or WinRar, you can ZIP files and folders by right-clicking on them, going to Send To, and clicking on Compressed (zipped) Folder.
