Eset causes desktop to not load

Discussion in 'ESET NOD32 Antivirus' started by leonvmetcalf, Mar 11, 2013.

Thread Status:
Not open for further replies.
  1. leonvmetcalf

    leonvmetcalf Registered Member

    Joined:
    Mar 11, 2013
    Posts:
    2
    Location:
    United States
    Hello fellow members!

    I have a problem. Eset causes the desktop to not load; it gets stuck on a black screen with the mouse cursor visible (this is after the "Welcome" screen). When I disabled the Eset service via safe mode, my desktop loaded fine with no problem. Is there a fix/solution to this? If not, I'm planning to remove Eset altogether, since there's no use for it being disabled.

    Thanks. Any advice and tips are appreciated.
     
  2. jinman

    jinman Registered Member

    Joined:
    Mar 7, 2013
    Posts:
    6
    Location:
    USA
    I've been having the same problem off and on for several weeks now. Tried going through all the startup programs to see which one it was. After disabling NOD32, it stopped. I read here that uninstalling a few Windows updates might fix that. So after re-enabling NOD32, I uninstalled the updates. No change. I'm using Windows 7, SP1. I was using the latest NOD32 update. I also use Malwarebytes.
     
    Last edited: Mar 12, 2013
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please start Windows in safe mode and rename the following drivers, one at a time, and let us know which one, when renamed, makes the issue go away:
    C:\Windows\System32\drivers\eamonm.sys
    C:\Windows\System32\drivers\ehdrv.sys

    It would help a lot if you generate a complete memory dump manually as per the instructions here from the point the system is unresponsive and supply it to ESET for analysis.

    I'd also appreciate it if you create a SysInspector log, upload it to a safe location and PM me the download link. By comparing them, we might find a troublesome 3rd party driver that you both may have installed.
     
    Last edited: Mar 12, 2013
  4. leonvmetcalf

    leonvmetcalf Registered Member

    Joined:
    Mar 11, 2013
    Posts:
    2
    Location:
    United States
    The system is responsive, since I am not getting any blue screens and am able to boot into Windows. My desktop just doesn't load; it hangs there. Explorer.exe doesn't load, my wallpaper doesn't load. Only the mouse cursor is visible. (Meaning I am not able to generate a dump unless I intentionally crash the system.)

    I have renamed the files as instructed. Do I re-enable the Eset Service via Services.msc to see if it works?
     
  5. black_harry

    black_harry Registered Member

    Joined:
    Feb 9, 2013
    Posts:
    17
    Hi,

    I understand that Marcos meant to do two tests:
    1. enable service in safeboot and rename eamonm driver file (ehdrv stays unchanged)
    2. enable service in safeboot and rename ehdrv (renamed eamonm revert back)

    This is just to narrow down a problem.
     
  6. jinman

    jinman Registered Member

    Joined:
    Mar 7, 2013
    Posts:
    6
    Location:
    USA
    I have renamed the ehdrv file. And for the past few days I have not had any problems. However I have noticed that my problem is sporadic. When I was first trying to isolate the problem I was constantly having to go into Safe Mode. After disabling a few things and rebooting, I didn't have any problems. Then a few days later the problem would start back up again. If I don't have any more trouble in the next few days, I'll know that it was the ehdrv file. If that is the case, what would be the best way to report this? I should note that I have scanned the system for viruses and malware. Didn't find anything.
     
    Last edited: Mar 15, 2013
  7. jinman

    jinman Registered Member

    Joined:
    Mar 7, 2013
    Posts:
    6
    Location:
    USA
    Update: I have been able to determine that it is the ehdrv.sys file that is causing the trouble.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please rename ehdrv.sys back so that the driver loads with Windows. In the advanced ESET NOD32 Antivirus setup, disable Self-defense (followed by a computer restart). Let us know if that resolves the problem. Also please create a SysInspector log, upload it to a safe location and PM me the download link. We'll check if you have applications or drivers potentially causing issues in conjunction with Self-defense installed.
     
  9. danmcco

    danmcco Registered Member

    Joined:
    Mar 24, 2013
    Posts:
    1
    Location:
    Canada
    I have the same problem. I also run Webroot but I uninstalled it and reinstalled ESET AV and still had the problems.

    I will wait to reinstall until I hear this is fixed.
     
  10. howardagoldberg

    howardagoldberg Registered Member

    Joined:
    Mar 24, 2013
    Posts:
    3
    Location:
    USA
    I have had the same issue for a number of months, since updating to ESET NOD32 Antivirus 6.0 (currently using 6.0.314).

    Same behavior on two similarly configured systems (using Win7 x64 SP1).

    After logging in to Windows, the boot sequence would stall at the "Welcome" screen or a half-loaded desktop. Only solution was to shut down cold and reboot. Problem was intermittent on both systems.

    For the moment, I have disabled both HIPS and "self defense," based on earlier ESET guidance from tickets I submitted. Most recent instance occurred for me on Friday morning on both systems. In both cases, the Windows event viewer noted that the "ESET Service Hung," which is when the system stalled in the boot cycle.

    Per ESET's guidance, I disabled HIPS and self-defense on both systems, and submitted SysInspector logs for both systems. As of now, I have not heard any feedback as to a solution short of disabling these lines of security.

    It is good (albeit a cold comfort) to finally have confirmation that I was not alone in having this issue -- and it is not unique to my systems.

    With that -- a question: Should I re-enable HIPS but leave "self-defense" unchecked/disabled? Would that also resolve the issue for the moment?
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Since I haven't received a PM from you, please PM me the download link to your ESI log. Also it would be great if you reproduced the issue but this time with logging of all blocked operations enabled in the advanced HIPS setup. After the freeze occurs and you restart the computer, provide me with the corresponding (recent) records from your HIPS log.
     
  12. howardagoldberg

    howardagoldberg Registered Member

    Joined:
    Mar 24, 2013
    Posts:
    3
    Location:
    USA
    Marcos ... as stated, I already sent logs to ESET tech support. Have not heard back from them yet. Also -- I know of no way to reproduce the behavior "on demand." The behavior is sporadic/intermittent ... and the systems have always rebooted fine after a hard shut down. The smoking gun is the Windows Event log entry that clearly indicates that "ESET Service Hung." In the latest incident, where the behavior and log entry were noted on two systems with similar software configurations ... I have little doubt it is a HIPS/Self-Defense issue.
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Nevertheless, please provide me with a download link to your ESI log. Since you provided it to your local customer care, I can't check it myself.
     
  14. howardagoldberg

    howardagoldberg Registered Member

    Joined:
    Mar 24, 2013
    Posts:
    3
    Location:
    USA
    Marcos -- do you work for ESET?
     
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
    Marcos works for ESET and is based in Bratislava which is where the head office is located.
     
  16. jinman

    jinman Registered Member

    Joined:
    Mar 7, 2013
    Posts:
    6
    Location:
    USA
    Marcos, Per your instructions earlier on this thread, I'm checking back with you on the outcome of unchecking "Self Defense". For a few weeks the problem I was having had not surfaced, until today. The system froze up several times. I ran DDS to get a log of the events and found the following. Please note time indexes 10:48:52 and 10:51:15 and let me know your thoughts on this:

    4/7/2013 4:27:49 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.
    4/7/2013 3:00:09 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    4/7/2013 10:51:30 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    4/7/2013 10:51:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    4/7/2013 10:51:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    4/7/2013 10:51:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    4/7/2013 10:51:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    4/7/2013 10:51:28 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    4/7/2013 10:51:21 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    4/7/2013 10:51:15 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache eamonm ehdrv NetBIOS NetBT nsiproxy Psched rdbss spldr tdx Wanarpv6 WfpLwf
    4/7/2013 10:51:15 PM, Error: Service Control Manager [7003] - The Net.Pipe Listener Adapter service depends the following service: was. This service might not be installed.
    4/7/2013 10:51:15 PM, Error: Service Control Manager [7003] - The Net.Msmq Listener Adapter service depends the following service: msmq. This service might not be installed.
    4/7/2013 10:51:15 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    4/7/2013 10:51:15 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    4/7/2013 10:51:15 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    4/7/2013 10:51:15 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    4/7/2013 10:51:15 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    4/7/2013 10:51:15 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    4/7/2013 10:51:15 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    4/7/2013 10:51:15 PM, Error: Service Control Manager [7001] - The Net.Tcp Listener Adapter service depends on the Net.Tcp Port Sharing Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    4/7/2013 10:51:15 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    4/7/2013 10:51:15 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    4/7/2013 10:51:15 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    4/7/2013 10:48:52 PM, Error: Service Control Manager [7022] - The ESET Service service hung on starting
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    First of all, make sure "The driver detected a controller error" doesn't appear in the Event log which may account for freezes. Then you can try disabling Self-defense and check if the issue recurs. We'll need to get a complete memory dump from a freeze but first need to rule out the possibility of a controller or another hw issue.
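
The triage discussed in the two posts above, applied to the log format jinman posted, as an added example that is not part of the original thread: it sorts the entries by time and separates the disk controller error (Disk 11), the hung ESET service (7022) and the failed boot-start drivers (7026) from the dependency cascade (7001). The sample lines are abridged from the posted log; the function names are illustrative.

```python
import re
from datetime import datetime

# Sample: four lines abridged from the log excerpt posted in this thread.
SAMPLE = r"""
4/7/2013 4:27:49 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.
4/7/2013 10:51:15 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache eamonm ehdrv NetBIOS NetBT nsiproxy Psched rdbss spldr tdx Wanarpv6 WfpLwf
4/7/2013 10:51:15 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
4/7/2013 10:48:52 PM, Error: Service Control Manager [7022] - The ESET Service service hung on starting
"""

LINE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M), (\w+): (.+?) \[(\d+)\] - (.*)$")
SCM = "Service Control Manager"
ESET_DRIVERS = {"eamonm", "ehdrv"}  # driver names given earlier in the thread

def parse_events(text):
    """Return (time, source, event_id, message) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # blank or wrapped lines are skipped
            when = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            events.append((when, m.group(3), int(m.group(4)), m.group(5)))
    return sorted(events, key=lambda e: e[0])

def triage(events):
    """Split the log into the signals the thread discusses."""
    report = {"disk_errors": [], "hung_services": [],
              "failed_drivers": [], "dependency_failures": 0}
    for when, source, event_id, msg in events:
        if source == "Disk" and event_id == 11:
            report["disk_errors"].append((when, msg))
        elif source == SCM and event_id == 7022:
            report["hung_services"].append((when, msg))
        elif source == SCM and event_id == 7026:
            report["failed_drivers"].append((when, msg.partition(":")[2].split()))
        elif source == SCM and event_id == 7001:
            report["dependency_failures"] += 1
    return report

def summarize(report):
    """(seconds from first hang to first driver failure, ESET drivers, other drivers)."""
    if not report["hung_services"] or not report["failed_drivers"]:
        return None
    hang = report["hung_services"][0][0]
    when, drivers = report["failed_drivers"][0]
    eset = sorted(ESET_DRIVERS & set(drivers))
    return int((when - hang).total_seconds()), eset, len(drivers) - len(eset)

if __name__ == "__main__":
    print(summarize(triage(parse_events(SAMPLE))))
```

On the sample, the ESET service hang precedes the driver-load failure, and the two ESET drivers appear in the 7026 list alongside twelve non-ESET drivers; the disk controller error is hours earlier the same day.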
     
  18. jinman

    jinman Registered Member

    Joined:
    Mar 7, 2013
    Posts:
    6
    Location:
    USA
    Marcos, I have disabled the self-defense as you directed. We'll see what happens. I had to completely uninstall NOD32 because I got an error message stating that the kernel had corrupted. I tried running the repair on it, but it couldn't because it could not find the following file: "NUP3960.MSI". I have reinstalled NOD32, and the next time I get a freeze I will get you the complete memory dump.
     
  19. jinman

    jinman Registered Member

    Joined:
    Mar 7, 2013
    Posts:
    6
    Location:
    USA
    Oh...one more thing. My event log listed this: "The ESET Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly." I tried doing some research on this but I'm finding references from 2008 using Vista.

    I found this link: http://msdn.microsoft.com/en-us/library/windows/desktop/ms683502%28v=vs.85%29.aspx which says that if "NoInteractiveServices value defaults to 0, services with SERVICE_INTERACTIVE_PROCESS are allowed to run interactively." Because I use Windows 7, that service listed on my registry should be able to function. Any thoughts on what this is about?
     
  20. Steve Taylor

    Steve Taylor Registered Member

    Joined:
    Jul 2, 2013
    Posts:
    1
    Location:
    USA
    We have had this same intermittent issue with NOD32 - latest 6 version on about five different Windows 7 PCs. I believe that Malwarebytes was installed on them as well. We have removed NOD32 and gone to various other antivirus software and the issues have never come back.

    I would be interested in a solution to this problem since I would prefer to run Eset's NOD32. I am beginning to wonder if Malwarebytes has something to do with the problem.
     