Start-up problems again...

My original post (which I now can't 'reply' to):

I have a start-up problem with EAV 5: On cold start some of my task-bar apps don't load. All load on subsequent reboots. Disabling EAV corrects this. As this never happened with EAV 4, I'm wondering why / what I can do to prevent this without disabling the start-up scan completely. Or could the new 'Log Maintenance' task be holding things up...??

(Win 7 Pro x64)

Update:

Suddenly this issue has returned. Unfortunately I have not been successful in isolating any one element of v5 which may / may not be causing the problem this time. Uninstalling and reinstalling v4 though does resolve it.

 

same problem here,I don't know why.

 

Unlike v4, in v5 startup scans are run with a delay at the time all programs are already loaded.
Can you confirm that the problem actually disappears after disabling startup scan tasks and restarting the computer?

 

This problem not Not detected here...

 

Marcos, I've just re-installed v5 (clean install) with default settings. I'll test this out over the next few days and get back to you.

 

OK, I have something to report - I can't understand some of it (up to you / devs to decipher)

When I last had v5 installed (a few days ago) and started to experience this start up issue, i.e. not all task-bar apps loading / icons missing, I also experienced a Windows 'crash error' relating to csc.exe (C# Compiler I believe) but didn't think it was related in any way. I did not disable the start-up scan completely, but changed it to 'first time the computer starts each day'. That didn't make any difference. In a desperate attempt to try to isolate the problem, I un-installed v5 and re-installed v4 - both problems vanished. For the hell of it I also tried Avast Free and didn't experience any start-up issues or other errors / crashes.

That's about when you asked me the question above, and I did a clean installation of v5 yesterday. During the day, even after a few reboots, I had no issue. Then on cold start this morning one app (CoreTemp - which loads as a service incidentally, not a registry start-up or in the Start-up folder) failed to load properly. I disabled the start-up scan in v5 completely, rebooted (whereupon the 'csc.exe error' returned) but this time even less of the task-bar apps loaded! Rebooted again, and tried a cold start, and on both occasions all task-bar apps loaded with no problem.

There is something odd going on here with the way v5 is interfering or interrupting the start-up sequence, but for the life of me I cannot understand the odd behaviour I've described. There is no doubt (in my mind) that v5 is the culprit (somehow) as in 3 days of using v4 again I had no issue as I haven't for the last few months. Shame something as 'basic' as a start-up scan is broken in this new version when it worked fine before.

Hope you (or someone) can work out what's going on.

EDIT: Well, all known theories are blown out of the water. Even with the start-up scan disabled, the CoreTemp service was not loading. Could this be something else? HIPS? (I have it set to Automatic). Clutching at straws here but have decided v5 is not for me. I'm beginning to agree with the hardened critics that say it's too early to call this an RC. I would certainly view it as a Beta - there seem to be some issues with v5 that need work.

UPDATE: By way of confirmation, and for what it's worth, I've run v4 since my posts yesterday. I've cold started the PC half a dozen times, together with a number of reboots. No issues with start-up whatsoever.

 

Hello,

Have you tried disabling the HIPS module? If so, did that make any difference?

Regards,

Aryeh Goretsky

 

,Because I have Comodo,so I disabled the HIPS of NOD32 5 RC , but I had the same problem .

 

I'll install v5 again and try that for a day or two.

 

I am getting lags after installing ESS

 

Aryeh, I have re-installed v5 with HIPS completely disabled. On first reboot there was no start-up issue but, as before, this will need testing over a couple of days. I'll report back.

 

I'm trying this now with HIPS enabled in 'Learning Mode', the theory being I can see what's going on / what's being allowed (or not). Interactive mode, IMO, is completely unusable - one meaningless 'mumbo-jumbo' pop-up after another. I'd be sitting here all morning clicking 'Allow' (without knowing why) just to get the basic functions of the PC working. No-one (unless you're a pure techy) should use Interactive. I'll see what happens...

 

...pointless. Just done a cold boot after the machine had been off for a couple of hours. Now a different app has failed to load on start-up, and nothing in HIPS Advanced Setup to give me a clue why. Sigh...disabling HIPS now.

 

Hopefully I can get some help / guidance at this stage Aryeh? I have had to remove v5 again as, even with HIPS disabled (but startup scans enabled) one or two start-up apps are still failing to load. Remove v5 and all is well. I have tried automatic, interactive (impossible to deal with) and learning to no avail. For me v5 is unusable which is massively disappointing. Yes I can use v4 until my licence expires but I want (and thought I had) confidence in NOD32 going forward. v5 is out as an RC which worries me - if it gets released in anything like it's current form I'll have no option but to find another AV, which I do NOT want to do.

 

Unfortunately (or luckily) you're the only one person in the world having reported this kind of issue. I'd suggest renaming each of the ESET's drivers in the windows/system32/drivers folder in safe mode, one at a time, to narrow it down to the particular driver.

 

Clearly that's not the case Marcos. There is (at least) one other in this thread.

 

Also, how would I have clue which drivers to 'disable' and how would I do that? Randomly disabling drivers which may well break NOD32 anyway isn't going to prove anything is it?

 

Try renaming the following ones, one at a time:
C:\WINDOWS\system32\drivers\ehdrv.sys
C:\WINDOWS\system32\drivers\eamonm.sys
C:\WINDOWS\system32\drivers\epfwlfw.sys
C:\WINDOWS\system32\drivers\epfwfpr.sys

 

OK, I'll give it one last go.

 

I disabled ehdrv.sys by renaming it in safe mode. I can see that's disabled HIPS. I've done two cold starts (Normal shut-down, power off, wait an hour or so, and power on) - so far all start-up apps have loaded. So far then, this looks like HIPS, but I have no idea how to overcome that, if indeed I can.

 

Do the following:
- rename the ehdrv driver to its original name
- start Windows in normal mode
- enable "Log all blocked operations" in the advanced HIPS setup
- clear the HIPS log
- restart the computer to reproduce the issue
- copy & paste the HIPS log records here

 

04/07/2011 16:49:13 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:49:13 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:49:13 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:48:55 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:48:55 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:48:39 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:48:39 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:48:39 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:48:17 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:48:17 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:47:46 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:47:46 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:47:46 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:47:44 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:47:44 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:47:43 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:47:43 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:47:43 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:47:43 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:44:48 C:\Windows\System32\svchost.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:44:48 C:\Windows\System32\svchost.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:42:04 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:42:04 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:42:04 C:\Program Files\Logitech\SetPointP\SetPoint.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked SelfDefense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:42:03 C:\Windows\System32\winlogon.exe Get access to another application C:\Windows\System32\csrss.exe some access blocked SelfDefense: Don't allow modification of system processes Terminate/suspend another application,Modify state of another application
04/07/2011 16:42:03 C:\Windows\System32\winlogon.exe Get access to another application C:\Windows\System32\csrss.exe some access blocked SelfDefense: Don't allow modification of system processes Terminate/suspend another application,Modify state of another application

 

So what do I do? Is this giving you a clue Marcos?

 

I'll need to discuss this with our developers first which will take a while as it's a national holiday today.

 

OK..but your first thoughts? Clearly NOD32 is intolerant of the Logitech Setpoint app... (used for mouse control only)

I can't get to that machine atm, but when I do I'll check the HIPS log for anything new. EDIT: I may disable Setpoint at start-up (not remove it) and see if that in fact clears up all start-up issues in one hit...