Emsisoft Employee
Posts posted by GT500

  1. That GMER log looks rather odd to me, and there's a ZeroAccess Check in your original OTL log that shows what I am certain is a ZeroAccess rootkit infection. The ZeroAccess Check information in the OTL log should be verifiable with Malwarebytes' Anti-Malware, so please run a scan with Malwarebytes' Anti-Malware by following the instructions below:

    1. Please download and install Malwarebytes' Anti-Malware from one of the three mirrors listed below (beware of excessive advertising on some of the download pages):
    2. When first running Malwarebytes' Anti-Malware, it will ask you if you want to operate it in a free trial mode. You can say no to this (the trial can be unlocked again at a later time if you want to try it).
    3. Make sure to go to the Update tab and click the Check for Updates button to get the latest database.
    4. Switch back to the Scanner tab and run a Quick Scan.
    5. When it is done, please do not remove anything it detects for now. I want to see the log before I ask you to delete anything.
    6. Whether or not it finds anything, you should be presented with a log in Notepad, which you should save to your desktop.
    7. Attach the log you saved on your desktop to a reply for me to take a look at. You can attach files to a reply by clicking the More Reply Options to the lower-right of where you type in your reply. When the page loads, there will be a button right below the box to type in (on the left side) that says Choose Files... which will allow you to select the log file to attach it.

  2. With admin rights, you shouldn't be seeing an "access is denied" error, unless something else is blocking it (or unless there's an issue with your hard drive). Please try shutting down Online Armor before trying to save the memory dump. You can do this by right-clicking on the Online Armor icon in the lower-right corner of the screen (somewhere to the left of the clock), and selecting to "close and shutdown" Online Armor.

  3. Hi Arthur, somehow this topic got hijacked!

    Unfortunately, that is one of the issues that we run into on an Internet forum. I have moved the off-topic post to its own topic. ;)

    Hung up apparently at C:\Documents and Settings\...\Apple Computer\iTunes|PodDevices.xml - this is a little 1k file

    This suggests that it could be a filesystem issue, and perhaps checking the disk for errors might resolve it. It would be difficult to find the file without a full path, but if you are able to then you might want to try running a scan on just that file and see what happens.

  4. TDSSKiller says there's no rootkit (at least none that it is capable of detecting). Let's get a scan from GMER, because I don't think I believe what TDSSKiller is saying.

    Please download GMER from this link. Note that the file will have a random name, so make note of the file's name and save it to the root of your C: drive.

    1. Disconnect from the Internet and close all running programs.
    2. Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
    3. Click on this link to see a list of programs that should be disabled while running GMER (please try to avoid the advertisements on that page).
    4. Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
    5. Allow the driver to load if asked.
    6. You may be prompted to scan immediately if it detects rootkit activity.
    7. If you are prompted to scan your system click "No", save the log and post back the results.
    8. If not prompted, click the "Rootkit/Malware" tab.
    9. On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
    10. Select all drives that are connected to your system to be scanned.
    11. Click the Scan button to begin. (Please be patient as it can take some time to complete)
    12. When the scan is finished, click Save to save the scan results to your Desktop.
    13. Save the file as Results.log and please attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply (you may need to ZIP the log by right-clicking on it, going to Send to, and clicking on Compressed (zipped) folder before you can attach it).
    14. Exit the program and re-enable all active protection when done.

  5. ... now my question is, why did the problem in Internet connection remove the EAM?

    Technically, EAM isn't removed, it's just that the System Tray icon hasn't appeared and the protection hasn't started. As for a 'fix', it might be possible to change the behavior of the wizard so that some notification of the communication failure is mentioned, and thus you know that there was an issue. I'll have to run it by our developers and see what they think. ;)

  6. Please try uninstalling Emsisoft Anti-Malware, and then download Emsiclean from this link (save it on your desktop) and follow the instructions below:

    1. When running Emsiclean, you will first be presented with a disclaimer. You will need to accept this disclaimer to continue.
    2. Emsiclean will scan your computer for leftovers after the uninstall, and give you the option to remove what it finds. Please do not allow it to remove anything at this time.
    3. In the lower-right corner will be a button that says Close Emsisoft Clean. Click on that button to close the program without making any changes to your computer.
    4. Emsiclean will save a log on your desktop as it closes (it may take a moment for the log file to appear). Please attach that log to a reply for me to review (you can access the forum's attachment controls by clicking on the More Reply Options button to the lower-right of where you type in your reply).

  7. 1. It looks like ever since I downloaded Emsisoft Anti-Malware, my pc has been very slow. Why is that so? E.g., windows don't close immediately when I click the X. They close in slow motion - with the window getting shorter by the second. When I try to open anything, the pc takes a long time to respond.

    If there is an infection, then that could be the cause. It could also be a conflict with something else you have installed. It isn't possible to accurately answer this question until we are certain that your computer is clean.

    2. The Emsisoft icon in the bar at the bottom right screen appears intermittently. It wasn't there when you first suggested for me to disable the guards from the icon but last night, the icon popped up in the bar. I saw Enable all Guards so I assumed that the guards are disabled at the time and when I want to enable all guards, I would click on that option. So I ran the ComboFix then. And allowed it to do an update. It updated and once again, it stopped at the Autoscan stage with the blinking cursor - as described in my earlier message. I let it remain scanning for about 2 hours and then I gave up and turned off my pc.

    By default, Windows will hide icons that it considers inactive. There should be a little button to click to show the hidden icons, and you should find that button just to the left of where those icons are normally located.

    As for ComboFix scanning for 2 hours, note that it should not normally take more than 10 or 15 minutes, and for it to go for longer than 30 minutes is abnormal. At that point, you can assume that something is interfering with ComboFix, and go ahead and close it and restart your computer. I don't see any security software other than Emsisoft Anti-Malware in your OTL log, so I am fairly certain that there is a rootkit interfering with ComboFix, and TDSSKiller's log should let me know if that is the case.

    3. This morning (we are on opposite sides of the world so it is morning for me while it should be evening for you), I saw your note on running ComboFix in Safe Mode with Networking and that is what I am doing now. By the way, the Emsisoft icon has disappeared from the bar. And I don't think the ComboFix thing is ever going to finish scanning for infected files - it is still going on like the Energizer bunny.

    It is normal for the Emsisoft Anti-Malware icon to not appear when Windows is in Safe Mode, because most services and startup items (which includes the ones for Emsisoft Anti-Malware) do not run in Safe Mode. This is because Safe Mode is a special diagnostic mode intended for repairing issues with your computer, and it is not expected for you to use your computer normally while Windows is running in Safe Mode.

    4. Whenever I activate Emsisoft from my desktop or start menu, I get the Welcome to Emsisoft screen where there is the option to buy the software or use the 30-day free trial - that was where I first started days ago when I had selected the 30-day free trial option and followed the prompts until the end (I think I did get to the finish point). It doesn't start with the Security Status screen that you described. Is that a problem?

    If that is happening while Windows is running in Safe Mode, then it might just be because the service isn't running. If it is happening while Windows is running normally, then it is a problem, and assuming that I am correct about a rootkit then it is probably just another symptom of that infection.

    One more thing - after leaving AutoScan to run, a message from the bar at the bottom of page will pop up saying "Virtual Memory Minimum is too low..."

    And Windows Security Center keeps telling me that Emsisoft Anti-Malware has been turned off - even after I have selected to enable all guards. Is that a problem?

    Virtual Memory errors are not uncommon with some infections, so this could just be another symptom of that. Technically, it is always a problem when seeing Virtual Memory errors, however since I'm fairly certain that your computer is infected with a rootkit then we merely need to verify that that is the case, and then do what is necessary to get rid of it.

    Re the above message "And Windows Security Center keeps telling me that Emsisoft Anti-Malware has been turned off - even after I have selected to enable all guards.", I'd like to clarify that I was referring to the times when I have stopped trying to run ComboFix and therefore, I enabled all guards.

    Assuming Windows was running in Normal mode, and assuming I am correct about a rootkit infection, then that could simply be the rootkit interfering with Emsisoft Anti-Malware. Part of the function of modern rootkits tends to be to disable anti-virus and anti-spyware software, or at least fool them into thinking that the computer is not infected. The main purpose of a rootkit is to keep an infection from being removed, so the rootkit itself is not normally the main infection, but is just being used to prevent you from doing anything about the infection.

  8. I'll address your questions in another post. First, I want to give you some instructions for getting me a TDSSKiller log:

    1. Download TDSSKiller from this link and save it on your desktop.
    2. Run the TDSSKiller download that you saved.
    3. Click on Change parameters as it shows in the following screenshot:
    4. Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK:
    5. Click the Start scan button as in the following screenshot:
    6. You will see the following as the scan runs:
    7. If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!), note that you can click on the selection action to open a list and change it if it is not set to Skip automatically, and then click Continue at the bottom when everything is set to Skip:
    8. Click on Report in the upper-right corner, as in the following screenshot:
    9. You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report.
    10. Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report.
    11. Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list.
    12. Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot:
    13. Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot. Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.

  9. and how would that be any different from what I attached in the post 4 posts earlier?

    As an addendum to my previous reply to this particular question, please note that Andrey has contacted me to further explain why he wanted to see the logs that I asked you for. Apparently the firewall logs did not contain the "Additional debug information", which Andrey needs to see in order to confirm a theory about why this might be happening. ;)

  10. and how would that be any different from what I attached in the post 4 posts earlier?

    I thought you were testing with a new OS, Virtual Box, and Online Armor install now? Our developers just want to see a new firewall log from that new setup.

    I'm sure your developers can reproduce the problem, since it was acknowledged in another thread that there was a problem with OA and VirtualBox.

    Actually, there is a well known problem with Virtual Box that was caused by their network driver, and which we could not do anything about. So far, none of the data you have given us has shown Online Armor is the cause of the issue, which is why our developers wanted to see those firewall logs again.

    I have even attached Wincap files so your developers can look at possibly why the DNS replies are discarded.

    All they show is the DNS traffic not making it to the virtual machine. They don't actually show the cause. This will only be found in OA logs with debug information.

    ... I'm not going back to Virtual PC to develop my programs...

    Virtual PC is rather old. Have you considered a solution from VMware? Their software does not usually have issues with Online Armor, and if your development is open source (or at least not-for-profit) then VMware Player would be usable for free (although it is missing snapshots, which can be an essential feature for testing). ;)

  11. As an addendum to what I just posted, I spoke to Andrey about this, and he mentioned that KAV has a network filter driver (I think it acts as a sort of proxy) that prevents third-party firewalls from filtering network traffic, which is why OA did not warn you about the leaktest trying to access the network.

  12. My apologies for the confusion. My implication was more along the lines of pointing out that the HIPS in Online Armor attempted to block the leak test, which is technically a pass (since OA did detect it and did offer to prevent it from running). My question was intended to demonstrate that, had you selected to block it from running, Online Armor would have protected you.

    As for why the firewall didn't warn you about the leak test, I would need to know more about this leak test before I knew why it wasn't blocked. (see below for explanation)

  13. Please hold down the Windows key on your keyboard (normally in between the Ctrl and Alt keys, with the little Windows logo on it) and tap the R key to open the Run dialog. Type services.msc into the field, and then click OK. This will open a list of services that are installed on your computer.

    Please scroll down until you find the Emsisoft Anti-Malware Service, right click on it, and select Properties. Make sure that the Startup type is set to Automatic, and then restart your computer.

    If that does not help, then please let me know.
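    The same check the post walks through in services.msc can be done from an elevated PowerShell prompt, which is handy when the GUI is slow or when you want a record of the service state before and after. This is an added example and is not from the forum post or from Emsisoft; it assumes the service's display name is exactly the "Emsisoft Anti-Malware Service" the post mentions, and that PowerShell 5.0 or later is in use (the StartType property on Get-Service output is not available on older versions).

```powershell
# Added example (not from the forum post or Emsisoft): inspect a Windows service
# by its display name, report its startup type and state, and set it to
# Automatic / start it when it is not. Run from an elevated PowerShell 5.0+ prompt.
# The display name below is the one the post mentions; it is an assumption that
# it matches exactly on your system.
$displayName = 'Emsisoft Anti-Malware Service'

$svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "No service with display name '$displayName' was found."
    return
}

# Record what we found before changing anything.
"{0} (service name: {1}) - StartType: {2}, Status: {3}" -f `
    $svc.DisplayName, $svc.Name, $svc.StartType, $svc.Status

# Services that should run on every boot need StartType = Automatic.
if ($svc.StartType -ne 'Automatic') {
    Set-Service -Name $svc.Name -StartupType Automatic
    "Startup type changed to Automatic."
}

# Starting it now avoids waiting for a reboot to confirm it can run at all.
if ($svc.Status -ne 'Running') {
    Start-Service -Name $svc.Name
    # Re-read the state rather than trusting the cached object.
    $svc = Get-Service -Name $svc.Name
    "Status after Start-Service: {0}" -f $svc.Status
}
```

    If Start-Service fails with an access or dependency error, that is worth noting in the reply, since the error text usually says more about why the service is not coming up than the services.msc dialog does.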

  14. You don't need to disconnect the battery to shut it down when it is frozen. Just hold down the power button for about 4 or 5 seconds, and the vast majority of modern computers will immediately shut off. This function is intended as a bypass to the normal shutdown procedure, and should only be used when absolutely necessary, such as in the case of a system freeze where you cannot shut the computer down or continue to use it normally. ;)

    As for causing problems with the log, that happens when the system freezes. There is a possibility that the log will not contain the information that our developers would need to debug the issue, however there should have been enough time to log the cause of the freeze before everything froze up completely.

    Since the log file is being replaced with a blank one, you can try starting your computer in Safe Mode With Networking (instructions at this link) after the scan causes the freeze and you shut your computer off, and see if that prevents the log from being overwritten.

  15. OK, are you able to open Emsisoft Anti-Malware from the icon on your desktop, or from the Start menu? If so, then on the Security Status screen (which is normally the first one you see when you open Emsisoft Anti-Malware) it will list the status of Emsisoft Anti-Malware, and when you hold your mouse over File Guard, Behavior Blocker, and Surf Protection you will see an option to turn them off. They will turn red when they are off.

    If you have any trouble with that, then just follow the instructions at this link to start your computer in Safe Mode With Networking, and you should be able to run ComboFix in Safe Mode With Networking.

    Please note that ComboFix will need to download an update when it runs, as there will have been numerous updates to ComboFix since you first downloaded it. Please allow it to download the update.

  16. Our developers will most likely need to see an Engine Debug Log, which will tell them more information about what is going on. Here's another ZIP archive, which contains two batch files. One is named engine_enable_debug_output and the other is named engine_disable_debug_output. Please download this ZIP archive, extract the batch files, and run the engine_enable_debug_output file (if your computer is running Windows Vista or Windows 7 then please make sure to right-click and select to Run as administrator):

    After running the batch file, please restart your computer, and try your scan again. Once the computer freezes, please restart it, and then check the Emsisoft Anti-Malware folder (usually C:\Program Files\Emsisoft Anti-Malware) and there should be a file named ScanEngineDebug.log (the files should be listed in alphabetical order). Please ZIP this file (if you do not have a program such as WinZip, 7-Zip, or WinRar then please right-click on the file, go to Send To, and select Compressed (zipped) folder) and make sure to save the ZIP archive on your desktop to make it easy to find. After that, please attach the ZIP archive with the ScanEngineDebug.log file in it to a reply by using the More Reply Options button to the lower-right of where you type in your reply to access the attachment controls.
