LUPike

Windows 7 Professional 'Freezes' with Emsisoft Anti-Malware

Specs:

  • Emsisoft Anti-Malware v17.12.1.8340
  • Windows 7 Professional - SP1
  • 64bit
  • Intel i5 w/16GB RAM

System has been running fine for several weeks, and after rebooting this morning, the system freezes up (stops responding) after logon. Booting into safe mode and using MSConfig to Disable Emsisoft (Services and Startup) allowed the PC to boot and be usable. The software was showing it was up to date. I uninstalled the software and reinstalled with the Emsisoft Web Installer. When prompted, I entered the license key, and then joined the system to the Emsisoft Enterprise Console. The application showed Connecting... then Connected, and the OS locked up again. Windows Explorer and all open applications become non-responsive.

I rebooted the system in safe-mode and used MSConfig to disable Emsisoft (Services and Startup), and rebooted into normal startup. After login, the system operated normally. I began an uninstall (again) on Emsisoft Anti-Malware so the user could continue her day, and the uninstall process went non-responsive. After over 15 minutes, I forced the process closed. Appwiz.cpl no longer shows Emsisoft Anti-Malware in the installation list, however the registry entries still exist, so I feel I have an incomplete 'uninstall' as well.

SO, with all that said, I have two issues. The first item that I believe needs to be resolved is to clean up the failed/partial uninstall. Is there a tool/process for either 'cleaning up' the uninstaller or a manual uninstall process? The second issue is Emsisoft Anti-Malware causing the Windows 7 Professional PC to become non-responsive on startup. I did not have time to test without joining the PC to the Enterprise Console; however, I am not sure if that could affect the OS.


I don't use the Enterprise Console, and I have no trouble with EAM and Win 7 Pro X64. I am assuming you need the console, but you might try without it.

Also a list of other software might be helpful.

 

Pete


Peter2150,

  I have EAM running on many computers... the office this is in alone has 13 seats, and almost all of them are Win7Pro x64. Regardless, this is a new problem that just began today on this PC, after a reboot. It was working without issue for the last several months. I have attached a list of the software installed on the system below (SoftwareList.txt). I installed Enterprise Console at this site earlier this month to simplify EAM configuration, specifically for numerous exclusions required for a software upgrade at the end of this month. I can try installing EAM without EC tomorrow morning.

 

GT500,

   I ran FRST (64bit) on the PC and have included the Addition.txt and FRST.txt log files below.

Addition.txt

FRST.txt

SoftwareList.txt


I recommend doing the following, since the EPP (Emsisoft Protection Platform) driver is still registered:

  1. Click on the Start button.
  2. Go to All Programs.
  3. Go to Accessories.
  4. Right-click on Command Prompt and select Run as administrator.
  5. Type in sc delete epp and then press Enter on your keyboard.
  6. Restart your computer.

 

After that, I recommend that you download the latest versions of the drivers for your hardware from the manufacturers, and then uninstall all currently installed driver software. After doing so, and restarting your computer a couple of times, then try reinstalling all of the drivers and see if that helps.

From your Event Log errors we suspect there may be a driver conflict on the system.


OK. If you continue to have trouble, then run another scan with FRST and post the new logs so that I can see if the errors in the Event Logs are different.


GT500,

   The user with the affected machine has been busy with end of month reporting. I have run the Service Control command to remove the EPP service, but have not had an opportunity to uninstall all drivers and reinstall them... The reason for this update is that, today about noon, all of the remaining PCs at this office (13 systems) began doing the same thing. Several of the system logs I reviewed (eventvwr -> System Log) show a2service.exe crashes numerous times, and at some point, the system stops responding completely. The desktop and open applications are still visible, some explorer activity will be captured and respond (right click on system tray and launch "Task Manager" (Task Manager never opens), click on the Windows Orb and the system presents the programs menu, etc...) but no applications are responding and on most of the computers, I was unable to get the context menu for Emsisoft tray icon to "Shut down protection". Once a desktop system gets to this point, the only option is to physically power down the computer, enter "Safe Mode" on restart, open MSCONFIG and disable the Emsisoft services, and restart the computer. This has resolved the issue for all affected computers (14 out of 14). All systems are currently running with Emsisoft Anti Malware disabled until either a fix can be found or a replacement AV package is chosen.

While reviewing the issue today, I did notice that an Emsisoft software update was downloaded and installed on two of the PCs after 12:00pm Central Time today. (The issue appears to have started on all affected computers about lunch time today.) I did not check this on all affected PCs due to a lack of available time on-site.

All 14 of the computers were reporting into an ECC server prior to the original issue, and 13 of the desktop clients were reporting into the ECC server until EAM was disabled on the systems this afternoon.

On 1/31/2018 at 4:29 PM, LUPike said:

All 14 of the computers were reporting into an ECC server prior to the original issue, and 13 of the desktop clients were reporting into the ECC server until EAM was disabled on the systems this afternoon.

Sorry, EEC, not ECC.


Your "Auto- Game mode enabled" merely means that EAM detected you were running a game, or something else, full-screen, and set that 'Mode' so it would not interrupt you.

 

You say the freezing issue is recent...    Did it start at the same time as you installed (assuming you did) MS updates for the Meltdown/Spectre problems?


JeremyNicoll,

   In my case, no. The first issue appeared on a single PC a little over a week ago. The subsequent machines in that office all began exhibiting the problem on Wednesday, about noon... ALL of the computers with EAM on them. Rebooting into safe mode, disabling all EAM related services and startup options (using MSCONFIG) and rebooting into normal mode resolved the issue... but now they are in an 'unprotected' mode.

2 hours ago, LUPike said:

The subsequent machines in that office all began exhibiting the problem on Wednesday, about noon...

That sounds like it was around the time we released EAM 2018.1 to our Stable update feed. What happens when you revert to the Delayed update feed and then check for updates?

  1. Open Emsisoft Anti-Malware.
  2. Click on Settings in the menu at the top.
  3. Click on Updates in the menu at the top.
  4. On the left, under Update Settings, click on the box to the right of Update feed and select Delayed from the list.
  5. Click on the Update now button on the right side.

2 hours ago, Peter2150 said:

I also run Win 7 Pro x64, and I don't have any  issues.   But also I have NOT done any updates since all this Meltdown\Spectre started.

Microsoft has released an update to disable the Spectre patches, so any systems that had it installed should now have it disabled (assuming they've installed updates since Saturday).


Actually, I think the update is only for systems with processors that had problems with Intel's microcode updates. From what I'm reading,  Microsoft says "Users who do not have the affected Intel microcode do not have to download this update."


At least one of the PCs in the affected office is running an AMD chipset, so a Microsoft released Intel update is not applicable on that PC (there may be two other AMD systems, but I have not confirmed). I have numerous other offices that are running EAM without issue (including my own office and my wife's workplace). This issue is going to be specific to the applications being used at the office, but it is clear that EAM (and possibly EEC) is(are) the application(s) causing the lockups. After removing EAM on all systems, I have not had a single reported issue.

11 hours ago, LUPike said:

At least one of the PCs in the affected office is running an AMD chipset, so a Microsoft released Intel update is not applicable on that PC (there may be two other AMD systems, but I have not confirmed). I have numerous other offices that are running EAM without issue (including my own office and my wife's workplace). This issue is going to be specific to the applications being used at the office, but it is clear that EAM (and possibly EEC) is(are) the application(s) causing the lockups. After removing EAM on all systems, I have not had a single reported issue.

Do these systems all have security software other than Emsisoft Anti-Malware on them? If you're not sure, or want me to verify for you, then you can run FRST on the workstations and send me the logs:
https://helpdesk.emsisoft.com/Knowledgebase/Article/View/274/55/running-a-scan-with-frst

14 hours ago, iWarren said:

Also note... since these freezes started... I haven't done any factory resets, or re-installed Emsisoft.

I wanted to note that I did uninstall EAM, and perform a fresh reinstall (after a reboot). Within a few minutes of the installation completing, the EAM interface went non-responsive... and less than 3 minutes later nothing was working. I only tried this on a single PC.

I was not able to draw a direct corollary to Emsisoft update engine, but in the logs on two separate PCs, I did see that the EAM updater had updated 'Core' files prior to those particular systems being affected. As a note, these are different than the standard 'Scheduler' updates, which appear to be threat definitions.

Also, reboots did not correct the issue, they simply let the PC run for a short period of time before becoming unusable again.

 

GT500,

   I have not had a chance to run FRST on any of the affected computers since the initial report. I will be able to get that started after 5:00 PM Central Time today. ...and to answer your question in a previous post, there were no other running security programs on the systems at the time of the issue. The systems did have CryptoPrevent installed previously (had been uninstalled), and, of course, they have the Windows Firewall.


LUPike, it's definitely not a solution, but I suspect if you disable the Emsisoft automatic updates...
you might be able to correlate the exact timing of the freezes with Emsisoft update.

I apologize I can't be more helpful, but I just don't feel I should be giving up my whole day (which I would likely do) to try to solve this problem.
I will keep you apprised if I learn anything new.

7 hours ago, LUPike said:

I was not able to draw a direct corollary to Emsisoft update engine, but in the logs on two separate PCs, I did see that the EAM updater had updated 'Core' files prior to those particular systems being affected. As a note, these are different than the standard 'Scheduler' updates, which appear to be threat definitions.

I suspect that we probably have two separate issues here. I will split iWarren's posts into another topic so that things don't get all jumbled together.

 

7 hours ago, LUPike said:

GT500,

   I have not had a chance to run FRST on any of the affected computers since the initial report. I will be able to get that started after 5:00 PM Central Time today. ...and to answer your question in a previous post, there were no other running security programs on the systems at the time of the issue. The systems did have CryptoPrevent installed previously (had been uninstalled), and, of course, they have the Windows Firewall.

OK. Hopefully we can find out more once we get the FRST logs, but if not then we may need a memory dump from one of the computers so that we can see what's causing it to freeze. We'll need the memory dump to be saved as the computer is freezing, that way we can see what's happening during the freeze.

I'll paste the instructions I posted for iWarren below, since those are about to get moved to a new topic:

  1. Hold down the Windows key (the one with the Windows logo on it, usually between the Ctrl and Alt keys) and hold down the R key to open the Run dialog.
  2. Type in control system and click OK.
  3. On the left, click on Advanced system settings.
  4. In the Startup and Recovery section, click on the Settings button.
  5. Please ignore the System Startup and System Failure sections.
  6. In the Write debugging information section, please change the first option to Complete memory dump (it may say something like Small memory dump, Kernel memory dump, or Automatic memory dump).
  7. The Dump file field should say %SystemRoot%\MEMORY.DMP which means that it will save the dump as MEMORY.DMP in your Windows folder (usually C:\Windows). If it does not say %SystemRoot%\MEMORY.DMP then please change it so that it does.
  8. Make sure that Overwrite any existing file is selected.
  9. Click the OK button, and restart your computer to save the changes.

You'll also have to configure Windows to crash when you press a certain key combination. The easiest way is to download the following ZIP archive, open it, double-click on the Memory_Dump_Ctrl_Scroll_Lock file in the folder that opens, allow it to be imported into your registry, and then restart your computer (assuming it's Windows 10 the best way to restart after doing this is to right-click on the Start button, go to Shut down or sign out, and select Restart):
https://www.gt500.org/emsisoft/Force_BSOD.zip

Once you've done all of that, the next time you hold down the right Ctrl key on your keyboard and then press the Scroll Lock button (you may need to press it twice) the computer will crash, show you the dreaded "Blue Screen of Death" (aka. BSoD), and then start writing a memory dump. When it's done you can turn your computer off and back on.

Note: The method of using Ctrl + Scroll Lock to cause a BSoD that I linked to above only works with USB keyboards. If you have a laptop, then it may use a PS2 keyboard, in which case I'll need to create a new registry export for you.

If everything works as expected, you should have a memory dump in the following location:

  • C:\Windows\MEMORY.DMP

You will need to ZIP this file to be able to send it to me. If you don't have something like 7-Zip or WinRar, then you can right-click on the file, go to Send to, and select Compressed (zipped) folder to ZIP the file. Note that it will more than likely need to be saved on your Desktop when you do this.

You're almost certainly going to have to send me the memory dump via a file sharing service such as WeTransfer, Mega, etc. Some file sharing services may require that you send the file download link via e-mail, so you can simply enter support@emsisoft.com and paste the link to this forum topic in your message when you send it.
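
A read-only check of the settings configured in the steps above, as an added PowerShell example that is not part of the original post or of Emsisoft's tooling. The registry value names are the ones Microsoft documents for these options; that the linked registry import sets CrashOnCtrlScroll is an assumption, since the page does not show the file's contents.

```powershell
# Added example: read back the crash-dump settings before reproducing the freeze.
# Works on the PowerShell 2.0 that ships with Windows 7; run from an elevated prompt.
# Assumption: the Force_BSOD.zip import sets the documented CrashOnCtrlScroll value.

$crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$kbdKeys  = @{
    'USB (kbdhid)'    = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'
    'PS/2 (i8042prt)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'
}

function New-Check($Name, $Actual, $Expected, $OK) {
    New-Object PSObject -Property @{
        Setting = $Name; Actual = $Actual; Expected = $Expected; OK = $OK
    }
}

$results = @()
$cc = Get-ItemProperty -Path $crashKey

# CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small, 7 = automatic
$results += New-Check 'CrashDumpEnabled' $cc.CrashDumpEnabled 1 ($cc.CrashDumpEnabled -eq 1)
$results += New-Check 'Overwrite' $cc.Overwrite 1 ($cc.Overwrite -eq 1)

# Get-ItemProperty returns REG_EXPAND_SZ values already expanded, so compare
# against the expanded form of %SystemRoot%\MEMORY.DMP.
$wantDump = Join-Path $env:SystemRoot 'MEMORY.DMP'
$results += New-Check 'DumpFile' $cc.DumpFile $wantDump ($cc.DumpFile -eq $wantDump)

# Only the key for the attached keyboard type needs the value; the post's
# registry file is stated to cover USB keyboards only.
foreach ($label in $kbdKeys.Keys) {
    $p = Get-ItemProperty -Path $kbdKeys[$label] -ErrorAction SilentlyContinue
    $v = $p.CrashOnCtrlScroll
    $results += New-Check "CrashOnCtrlScroll $label" $v 1 ($v -eq 1)
}

# A complete dump holds all of physical memory, so the system drive needs
# at least that much free space for MEMORY.DMP.
$ramGB  = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
$disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
$results += New-Check 'Free space on system drive (GB)' $freeGB ">= $ramGB" ($freeGB -ge $ramGB)

$results | Format-Table Setting, Actual, Expected, OK -AutoSize
```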
