pallino Posted January 29, 2016
Hello Kevin, on the 21st of January I upgraded EMSI IS to the latest beta (v.11.0.0.6114, updated from v.11.0.0.6054) and restarted the PC as requested (Windows 10). The Emsi control panel disappeared, as did the icon next to the clock. I tried to start Emsi but nothing happened or changed. Following Arthur's advice I uninstalled EMSI and, after some issues (no network because of the EMSI NDIS driver), I managed to download and start installing the latest version. http://support.emsisoft.com/topic/19626-emsisoft-is-control-panel-disappeared-after-beta-update-of-21-january/?p=145377 Unfortunately I couldn't complete the installation: "a major problem prevents application start.....". The installation is not blocked by Zemana (no alerts nor files in quarantine) nor by VoodooShield (disabled and also killed). Can you please check the FBAR logs. I checked with Emsi before and nothing was found, nor by TDSSKiller, RogueKiller or AdwCleaner. The "old" FBAR logs are the ones created after the update of the 21st, the other ones today after the unsuccessful installation of EMSI IS. What can it be? Thank you. P.S. FYI, boot time is long (but was like this also before the issues with EMSI).
Attachments: Addition old.txt, FRST old.txt, FRST.txt, Addition.txt, virusinfo_syscheck.zip, TDSSKiller.3.1.0.9_29.01.2016_11.51.20_log.txt, rogue 29-1-16.txt, AdwCleanerS1.txt
ShadowPuterDude Posted January 29, 2016 (edited)
Your FRST Addition log shows that EIS is installed, but it is not showing in the list of security applications, which means it did not register properly with the Windows Security Center. Also, EIS is not compatible with other protection software; uninstall Zemana AntiMalware.
Uninstall EIS using its own uninstaller. Reboot the system twice.
Download EmsiClean to your Desktop: https://dl.emsisoft.com/Emsiclean.zip
After you have downloaded the tool, just run it. Read the disclaimer carefully and press "Yes" if you accept it. The tool will then show a list of all Emsisoft objects it found installed on your system. Simply enable the check boxes of all objects you want to remove. Be careful with objects of type "Folder" though, and check their contents before selecting them for removal, as they may still contain data that you may want to save first. Then press the "Remove selected objects" button and reboot when asked.
Download and install Emsisoft Internet Security: http://dl.emsisoft.com/EmsisoftInternetSecuritySetup.exe
Enter license information when prompted.
Edited July 10, 2018 by GT500: Updated link for EmsiClean. There are now two versions (32-bit and 64-bit) bundled in a ZIP archive. Run EmsiClean64, and if you see an error message then run EmsiClean32.
pallino Posted January 29, 2016 (Author)
I have had Emsi and Zemana on my 3 systems for a while, never had problems, and still don't have problems on the other 2 systems. I uninstalled Zemana, HMPAlert and MB Anti-Exploit. Same issues as before. The culprit was the NDIS filter, which was unchecked but not uninstalled. The doubt now is what blocked the Emsi update/control panel before, and mostly why the boot time is so long. Were the logs clean, no sign of infections? Anything that can explain a slow boot-up? Just to be sure. Thank you.
Attachments: FRST.txt, Addition.txt, virusinfo_syscheck.zip, AdwCleanerS1.txt, rk_BDB7.tmp.txt
ShadowPuterDude Posted February 1, 2016
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

2016-01-29 10:18 - 2016-01-29 10:18 - 00016384 _____ C:\Windows\SysWOW64\��k
2016-01-21 17:18 - 2016-01-21 17:18 - 00016384 _____ C:\Windows\SysWOW64\��w
2016-01-21 17:07 - 2016-01-21 17:07 - 00016384 _____ C:\Windows\SysWOW64\H�U
2016-01-19 12:10 - 2016-01-19 12:10 - 00016384 _____ C:\Windows\SysWOW64\x��
2016-01-14 10:37 - 2016-01-14 10:37 - 00016384 _____ C:\Windows\SysWOW64\p�h
2016-01-14 04:11 - 2016-01-14 04:11 - 00016384 _____ C:\Windows\SysWOW64\��z
2016-01-14 04:07 - 2016-01-14 04:07 - 00016384 _____ C:\Windows\SysWOW64\���
2016-01-30 09:24 - 2015-11-04 12:58 - 00000119 _____ C:\Windows\ZAM_Guard.krnl.trace
2015-09-10 10:12 - 2015-12-01 14:26 - 0000040 ___SH () C:\ProgramData\.zreglib
C:\Users\andrea\AppData\Local\Temp\dllnt_dump.dll

Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system. Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version, please download and run the updated version. If you uninstalled ZAM, your AVZ and FRST logs show several entries for ZAM.
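As an added illustration (not part of the thread and not an Emsisoft or FRST tool), the following Python script parses lines in the layout FRST uses for file entries, like those in the fixlist above, and applies the kind of triage a log reader does by eye: file names under System32/SysWOW64 containing characters outside printable ASCII, extensionless files there with no version-info publisher, clusters of same-size files without a publisher, and hidden+system files outside C:\Windows. The sample log is constructed; three lines mirror the garbled SysWOW64 entries above and the rest are made up for contrast. A hit means "explain this", not "this is malware": in this thread the hidden .zreglib and the ZAM trace files were leftovers of the uninstalled Zemana driver.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the line layout FRST uses for file entries.
# The three SysWOW64 lines mirror the garbled entries in the fixlist above;
# the remaining lines are made up for contrast (kernel32.dll stands in for a
# normal, publisher-tagged system file).
SAMPLE_LOG = """\
2016-01-29 10:18 - 2016-01-29 10:18 - 00016384 _____ C:\\Windows\\SysWOW64\\\ufffd\ufffdk
2016-01-21 17:18 - 2016-01-21 17:18 - 00016384 _____ C:\\Windows\\SysWOW64\\\ufffd\ufffdw
2016-01-21 17:07 - 2016-01-21 17:07 - 00016384 _____ C:\\Windows\\SysWOW64\\H\ufffdU
2016-01-30 09:24 - 2015-11-04 12:58 - 00000119 _____ C:\\Windows\\ZAM_Guard.krnl.trace
2015-09-10 10:12 - 2015-12-01 14:26 - 0000040 ___SH () C:\\ProgramData\\.zreglib
2016-01-28 08:00 - 2016-01-28 08:00 - 00123456 _____ (Microsoft Corporation) C:\\Windows\\System32\\kernel32.dll
2016-01-30 11:15 - 2016-01-30 11:15 - 00003622 _____ C:\\Users\\andrea\\Downloads\\rk_BDB7.tmp.txt
"""

# created - modified - size attrs [(publisher)] path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<publisher>[^)]*)\) )?"
    r"(?P<path>.+)$"
)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str                  # FRST attribute flags, e.g. _____, ___SH, ____D
    publisher: Optional[str]    # None when FRST printed no "(publisher)" token
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def in_system_dir(self) -> bool:
        return self.path.lower().startswith(SYSTEM_DIRS)


def parse_frst(text: str) -> List[Entry]:
    """Parse every line that matches the FRST file-entry layout; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            g = m.groupdict()
            entries.append(Entry(g["created"], g["modified"], int(g["size"]),
                                 g["attrs"], g["publisher"], g["path"]))
    return entries


def is_garbled(name: str) -> bool:
    """True if the file name contains anything outside printable ASCII."""
    return any(ord(c) < 32 or ord(c) > 126 for c in name)


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries a log reader would look at twice.

    Review heuristics only: a hit means "explain this", not "this is malware".
    """
    findings: Dict[str, List[str]] = {}
    system_sizes = Counter(e.size for e in entries if e.in_system_dir)

    for e in entries:
        reasons = []
        if e.in_system_dir:
            if is_garbled(e.name):
                reasons.append("garbled name in system directory")
            elif "." not in e.name and e.publisher is None:
                reasons.append("extensionless file without publisher in system directory")
            if system_sizes[e.size] >= 3 and e.publisher is None:
                reasons.append("one of %d same-size files without publisher" % system_sizes[e.size])
        elif "H" in e.attrs and "S" in e.attrs and "D" not in e.attrs:
            reasons.append("hidden+system file outside C:\\Windows")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_frst(SAMPLE_LOG)).items():
        print(path, "->", "; ".join(reasons))
```

Run it against a saved FRST.txt by reading the file into `parse_frst`; unmatched lines (section headers, registry entries, service lines) are simply skipped, so the whole log can be fed in.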
pallino Posted February 2, 2016 (Author)
Hi Kevin, attached the new logs. Strange that the old FBAR logs showed many Zemana files after having uninstalled it (and rebooted many times). AVZ showed Zemana files since I uploaded the report before deleting Zemana. How does it look now? Do/did you find anything that can explain a slow boot-up? Do you want me to upload the deleted files (I copied them and compressed/encrypted them in case you need them)? Thank you.
Attachments: Fixlog.txt, FRST.txt, Addition.txt, virusinfo_syscheck.zip
ShadowPuterDude Posted February 2, 2016
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [202144 2015-12-14] (Zemana Ltd.)
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
2016-01-30 11:15 - 2016-01-30 11:15 - 00003622 _____ C:\Users\andrea\Downloads\rk_BDB7.tmp.txt
2016-01-29 15:48 - 2015-09-02 21:18 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2016-01-29 15:47 - 2015-11-04 12:58 - 00007624 _____ C:\Windows\ZAM.krnl.trace
C:\Windows\System32\drivers\zam64.sys
C:\Windows\System32\drivers\zamguard64.sys
C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe

Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system. Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version, please download and run the updated version.
pallino Posted February 4, 2016 (Author)
Hello Kevin, attached the new logs. System still slow to boot. AVZ starts with: "1. Searching for Rootkits and other software intercepting API functions >> Danger! Process masking detected". Are all entries safe? Thank you.
Attachments: Fixlog.txt, FRST.txt, Addition.txt, virusinfo_syscheck.zip
ShadowPuterDude Posted February 4, 2016
Your logs look fine. How are things running?
pallino Posted February 4, 2016 (Author)
Boot time still as before, slow.
ShadowPuterDude Posted February 5, 2016
I am going to have you reset several areas of Windows to their defaults. Download Windows Repair by Tweaking.com http://www.tweaking.com/content/page/windows_repair_all_in_one.html to your desktop. Use the direct download link for the Portable version of Windows Repair by Tweaking.com. Double-click "tweaking.com_windows_repair_aio.zip" and extract the "Tweaking.com - Windows Repair" folder to your desktop. Now open this folder and double-click "Repair_Windows.exe". Click the "Repairs" tab on the far right. Click the "Open Repairs" button (bottom right). Note: you will be asked if you would like to create a restore point. It is recommended, just in case something does not go as planned. Click "Unselect All". Put a checkmark in the following items:
01 - Reset Registry Permissions
02 - Reset File Permissions
03 - Reset Service Permissions
10 - Remove Policies Set By Infections
19 - Repair Volume Shadow Copy Service
26 - Restore Important Windows Services
27 - Set Windows Services To Default Startup
28.01 - Repair Windows 8/10 App Store
28.02 - Repair Windows 8/10 App Store (Completely Reset App Store)
29 - Repair Windows 8/10 Component Store
30 - Repair Windows 8/10 COM+ Unmarshalers
31 - Repair Windows 'New' Submenu
32 - Restore UAC (User Account Control) Settings
33 - Repair Performance Counters
Note: Leave everything else unchecked. Put a checkmark in "Restart System When Finished". Now click the "Start" button (bottom right).
pallino Posted February 8, 2016 (Author)
Hello Kevin, I ran the tool but unfortunately the boot time is still long. What can it be, what else can we do? Thank you.
Attachments: Addition.txt, FRST.txt, 2.7.2016_10.08.00-PM.7z
ShadowPuterDude Posted February 8, 2016
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4075139586-202694078-2915613115-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
2016-02-01 22:32 - 2016-02-01 22:34 - 00000119 _____ C:\Windows\ZAM_Guard.krnl.trace

Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system. Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version, please download and run the updated version.
pallino Posted February 10, 2016 (Author)
Hi Kevin, attached new logs... boot time still too long. What do we do now? Thank you.
Attachments: Fixlog.txt, FRST.txt, Addition.txt, virusinfo_syscheck.zip
ShadowPuterDude Posted February 11, 2016
You have items disabled using MSConfig; this places the system in selective startup mode. MSConfig is not a startup manager, it is a system diagnostic tool. This is very likely why you are experiencing slow boot times.
pallino Posted February 12, 2016 (Author)
I have had this slow boot for some months now. I tried many solutions, and in the end also changed some boot options: to use more processors at boot, to safe boot, etc. Never had any improvement. The issue was there before any msconfig/boot changes. I really don't know what to do. Win 10 was installed not long ago.
- Can you discard/exclude a malware cause?
- Could it be an (unknown) BIOS/MBR/VBR infection?
- If it's a BIOS infection there is nothing I can do, correct?
- If it's an MBR/VBR infection: if I delete the partition, create a new one, maybe 2, and reinstall Windows, should I be safe / have deleted the malware?
- In other words, if I decide to reinstall Windows (not the preferred solution) and I wanted to do it in the safest possible way, in a way with the lowest risk of keeping any possible infections on the system, how would you recommend doing it?
- What programs would you use?
- How would you proceed?
I'll then do it this weekend.
- Last question before the weekend: if you boot your PC with an (AV) rescue disk, does the CD load before the HD MBR/VBR?
Thank you
ShadowPuterDude Posted February 12, 2016
The HD MBR/VBR is always read during boot. You can discard a BIOS infection. There are no known working BIOS infection vectors in the wild. If the problem existed before you made all the changes, then a reinstall may be what needs to be done.
pallino Posted February 12, 2016 (Author)
If I boot from an AV boot CD/DVD, the HD MBR is loaded before the DVD, correct? So booting from CD doesn't really help too much to detect an MBR/VBR infection, or? Imagine I have an unknown/undetected MBR/VBR infection, what would be the safest way to reinstall? If I delete the partition booting from a DVD, create a new one, maybe 2, and reinstall Windows, should I be safe / have deleted the malware? Or:
- How would you proceed?
- What programs would you use?
I am asking because this laptop has had something for some time and, if memory serves me, installing Win 10 didn't help. This laptop was very fast and still is after boot.
ShadowPuterDude Posted February 15, 2016
If you are doing a full reinstall then you will want to delete the OS partition and create a new one. The only way to create a new MBR is to completely low-level format the disk and write a new MBR, and there are no free tools available, that I know of, that will do that. I seriously doubt you have an MBR/VBR infection. A scan with EEK/EAM/EIS would have shown an unknown MBR/VBR/GPT.
pallino Posted February 15, 2016 (Author)
On the weekend I decided to refresh Windows 10. I used the DVD created with the Windows media tool some months ago when I updated from Win 8.1 to Win 10. I used this DVD to install Win 10 a few months ago. When I booted from the DVD I got an error message twice: Error 0x0000428 The digital signature cannot be verified C:\windows\system32\boot\winload.exe. I pressed F8 to fix it but nothing happened... only a quick refresh of the same window. I then used another DVD created the same way on another laptop and refreshed Windows. Unfortunately, same long boot time with a long black window. P.S. Doesn't repartitioning the HD "force" the creation of a new MBR? Or only a new FAT but not the VBR, etc.?
ShadowPuterDude Posted February 16, 2016
Partitioning does not force MBR creation. The boot record always resides on sector 0 of the HDD and contains all information about the partitions on a drive. The only thing that will happen to the MBR during partitioning is changing the partition information held in the MBR. You can attempt to repair the MBR: http://www.thewindowsclub.com/repair-master-boot-record-mbr-windows
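To make the point about sector 0 concrete, here is an added Python example (not from the thread, not a forum tool) that builds a constructed 512-byte MBR, parses its four 16-byte partition entries at offset 446 and the 0x55AA signature at offset 510, and then rewrites only the partition table the way a partitioning tool does. A hash of the 446-byte boot-code region shows that repartitioning leaves it untouched; that region is what bootrec /fixmbr replaces, and Microsoft's documentation states that /fixmbr does not overwrite the existing partition table. The boot-code bytes here are arbitrary filler, not a real boot loader.

```python
import hashlib
import struct
from typing import List, NamedTuple, Tuple

SECTOR_SIZE = 512
PT_OFFSET = 446            # partition table: 4 x 16-byte entries at bytes 446..509
ENTRY_LEN = 16
SIG_OFFSET = 510           # boot signature 0x55 0xAA at bytes 510..511
SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


class Partition(NamedTuple):
    slot: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def has_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[SIG_OFFSET:SIG_OFFSET + 2] == SIGNATURE


def parse_mbr(sector: bytes) -> List[Partition]:
    """Return the non-empty entries of the MBR partition table."""
    if not has_signature(sector):
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for slot in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + slot * ENTRY_LEN)
        if ptype != 0:                      # type 0x00 marks an unused slot
            parts.append(Partition(slot, status == 0x80, ptype, lba, count))
    return parts


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of bytes 0..445, the boot-code region that partitioning leaves alone."""
    return hashlib.sha256(sector[:PT_OFFSET]).hexdigest()


def repartition(sector: bytes, layout: List[Tuple[bool, int, int, int]]) -> bytes:
    """Rewrite only the partition table, as a partitioning tool would.

    layout: up to four (bootable, type_id, lba_start, sectors) tuples.
    Boot code (0..445) and signature (510..511) are copied through unchanged.
    """
    if len(sector) != SECTOR_SIZE or len(layout) > 4:
        raise ValueError("need a 512-byte sector and at most four partitions")
    buf = bytearray(sector)
    buf[PT_OFFSET:SIG_OFFSET] = b"\x00" * (4 * ENTRY_LEN)
    for slot, (bootable, ptype, lba, count) in enumerate(layout):
        # CHS fields set to 0xFF: modern loaders use the LBA fields
        struct.pack_into(ENTRY_FMT, buf, PT_OFFSET + slot * ENTRY_LEN,
                         0x80 if bootable else 0x00, b"\xff" * 3, ptype, b"\xff" * 3, lba, count)
    return bytes(buf)


def make_sample_mbr() -> bytes:
    """Constructed MBR: arbitrary filler where boot code would be, one NTFS (0x07) partition."""
    filler = bytes((i * 7) & 0xFF for i in range(PT_OFFSET))   # not a real boot loader
    empty = filler + b"\x00" * (4 * ENTRY_LEN) + SIGNATURE
    return repartition(empty, [(True, 0x07, 2048, 409600)])


if __name__ == "__main__":
    before = make_sample_mbr()
    after = repartition(before, [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 204800)])
    print("partitions before:", parse_mbr(before))
    print("partitions after: ", parse_mbr(after))
    print("boot code unchanged:", boot_code_hash(before) == boot_code_hash(after))
```

The same `parse_mbr` and `boot_code_hash` can be pointed at a real sector 0 dumped with a disk-imaging tool; comparing the boot-code hash before and after a repair step is a cheap way to confirm which part of the sector a tool actually rewrote.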
pallino Posted February 17, 2016 (Author)
What about the error message below when booting with the Win 10 DVD (created with the media creation tool and used to install Win 10 on the same device before) to try to refresh Windows? Error 0x0000428 The digital signature cannot be verified C:\windows\system32\boot\winload.exe. What can it be and how to solve it? After a Windows refresh, shouldn't the laptop boot faster? If I boot from an AV boot CD/DVD, is the HD MBR loaded before or after the DVD / the AV on the DVD? Does it help to boot from a boot DVD to scan the MBR and detect malware in the MBR/VBR? Last question: before I repair/fix the MBR, do you want me to copy it for further analysis? Is Emsi mbrmastr Win 10 compatible, and does it copy the whole MBR/VBR (also if with malware)? Is it a good program for this, or what do you recommend? Thank you. P.S. I ran FBAR, but although AVZ could update, soon after starting to run the standard script 2 "a problem caused the program to stop working correctly". I decided to (re)install Emsi IS (after refreshing Win 10 and running FBAR and AVZ). Soon after start, BSOD, Windows is collecting info (few seconds) and restarted. As far as I could see the error was in epp.sys. What's going on here???
Attachments: FRST.txt, Addition.txt
ShadowPuterDude Posted February 17, 2016
> What about the error message below when booting with the Win 10 DVD (created with the media creation tool and used to install Win 10 on the same device before) to try to refresh Windows? Error 0x0000428 The digital signature cannot be verified C:\windows\system32\boot\winload.exe. What can it be and how to solve it?
http://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-winloadexe-error-0x0000428/08650701-4e84-4f25-be9d-e6f173d19ae2?auth=1
AV Live CDs are not effective and miss more than they detect. Malware cleaning is best done from Windows while booted in Normal mode. Your FRST logs show no malware.
pallino Posted February 17, 2016 (Author)
1. After a Windows refresh, shouldn't the laptop boot faster?
2. What about the error message below when booting with the Win 10 DVD (created with the media creation tool and used to install Win 10 on the same device before) to try to refresh Windows? Error 0x0000428 The digital signature cannot be verified C:\windows\system32\boot\winload.exe
3. If I boot from an AV boot CD/DVD, is the HD MBR loaded before or after the DVD / the AV on the DVD?
4. I deleted the uncompleted Emsi IS installation using the EmsiClean tool. Rebooted, but still cannot install Emsi, same error message.
Last question: before I repair/fix the MBR, do you want me to copy it for further analysis? Is Emsi mbrmastr Win 10 compatible, and does it copy the whole MBR/VBR (also if with malware)? Is it a good program for this, or what do you recommend?
pallino Posted February 17, 2016 (Author)
Kevin, if you check my messages above you see something is very weird. After refreshing Win 10, I cannot install Emsi or run AVZ. I got a weird Windows signature error message and the boot time is still extremely slow.... Please tell me what I can do to find out what it is and to fix it. Thank you
ShadowPuterDude Posted February 17, 2016
EIS is having issues with recent Win10 updates that are causing BSOD issues. Our developers are currently investigating the issue and may have a fix published in the near future. The issue with winload.exe can only be corrected using the instructions I posted earlier. Sector 0 (MBR) of the system HDD is read during all system boots; it does not matter what device you are booting from, it is always read.
pallino Posted February 17, 2016 (Author)
Sure it is read, but before or after a boot DVD? If I boot from DVD, can I scan the MBR from a safe environment before the MBR is loaded (e.g. by the BIOS)?
pallino Posted February 17, 2016 (Author)
Do you want me to back up the MBR? If yes, with what tool?
ShadowPuterDude Posted February 17, 2016
It is read first, before any other device is read. Why are you fixated on the MBR? Nothing in any of your logs gives me any cause to think there is an issue with the MBR. I suspect boot times are more an issue with Windows 10 and its updates than anything else. MS is being extremely secretive about Win10 updates and the changes they are making to systems, as in new features and removal of features.
pallino Posted February 17, 2016 (Author)
I don't know what to do anymore. I have 5+ systems... all work fine, load normally and way faster than this laptop. This laptop was and should be the fastest. I tried all I know, nothing helped. Even a Windows refresh didn't bring any change, but... .exe signature warning, problem scanning with AVZ, installing Emsi etc.... All but one of the other systems are older, with "cheaper/lower" components. All have Emsi and Win 10 and are updated daily. Only this one has problems. An unknown malware is the only thing I can imagine. Btw, thank you for staying online with me today!
ShadowPuterDude Posted February 17, 2016
My laptop has had long boot times for a few months now, and the system is a quad-core i5 with 8GB of system RAM. I do have quite a bit of stuff loading at system start, but it's been that way since I first configured the system. It started a few months back after MS pushed Win10 updates. Still have not figured out what they changed that is causing the system to take longer to boot.
pallino Posted February 17, 2016 (Author)
My problem is that this is the only device with these issues... and I just refreshed Windows.... All the others, with the same programs (now actually they have way more programs at startup), are way faster at boot, no issues at all so far...
pallino Posted February 17, 2016 (Author)
If BIOS and MBR are fine, and the HD is fine, why doesn't a Win 10 refresh, even before updating, solve the problems? About the winlogon.exe error, I don't have 2 OSes on my laptop. I just have 2 partitions, 1 Win 10 and 1 for my data, no OS. What should I do?
ShadowPuterDude Posted February 18, 2016
I have 2 systems with Win10, my laptop and my desktop. The desktop boots just fine, the laptop takes much longer to boot. Both have the same software installed and all updates. In fact the desktop is a much older system. Could be a BIOS setting, a hardware driver, or who knows what is causing the slow boots. Your Winlogon Notify value is legit. Even if there were some piece of malware on the system, I would still see signs of it in your logs. Malware cannot completely hide itself; there are always some visible traces of it on the system.
pallino Posted February 20, 2016 (Author)
Kevin, have you ever not "seen" a new malware or its signs with FBAR, or is there always something in the 2 reports? Thank you and nice weekend
ShadowPuterDude Posted February 22, 2016
There is always something in the scan logs from EEK and FRST that will tell me that something is amiss and malware is present on the system. Malware cannot completely hide itself; there is always something that will show in the logs. One just needs to know where to look and what to look for; that comes with a lot of experience and being highly familiar with Windows, Windows internals, and the Windows file system.
pallino Posted February 22, 2016 (Author)
Kevin, I hope you are right. I had many weird happenings with this laptop. I just reinstalled everything. Boot time as before, but I'll hope an update will solve it since it's not caused by malware. Thank you for your time and help! Bye
ShadowPuterDude Posted February 23, 2016
I am pretty sure that there is an issue with the BIOS and Secure Boot on my laptop. Unfortunately Dell does not have a newer BIOS version for my laptop.
pallino Posted February 23, 2016 (Author)
Does your laptop have 2 video cards (e.g. one on the motherboard and one in a slot)? I just saw that disabling one speeds up the boot process (somehow Windows had them both enabled). Do advanced malwares, say APTs, also always leave some traces on the HD that show up in the FBAR, Emsi and AVZ logs?
ShadowPuterDude Posted February 25, 2016
I only have the on-board video. Sometimes it takes forever to load the lock screen, and other times it comes up fairly quickly. Even an APT is going to leave a trace of itself on the system that will show up in either FRST, Emsi, or AVZ.
pallino Posted February 25, 2016 (Author)
I still think this system has something "weird" but will trust you and "live" with it. Thank you for your help! Bye
ShadowPuterDude Posted February 25, 2016
I'm not seeing any malware in any of the logs. If malware is present, none of the tools are seeing it.