mb2003

> look close at GlassWire's Firewall tab Currently I have Glasswire's firewall feature turned off, because I'm using the Comodo Firewall. It looks like you may have gotten the problem fixed. Thank you very much for all of your help! I'll report back if I see anything. Best to you! Mark

Sorry for not replying -- for some reason, some (but not all) of the emails I get when you reply have gone to my junk-mail folder. 😕 Malwarebytes scans with rootkit option enabled have not detected anything, nor has Webroot scans. Glasswire has been turned off since July 15 (Wednesday of last week). Should I turn Glasswire back on now?

After completion, the MSERT dialog stated it found no virus, etc. The log file is attached. A Webroot scan detected no threats. msert (2).log

Avast Uninstall has been run and appears to have completed successfully. FIXLOG.txt is attached. There was no XSEARCH.txt file on the desktop, though. Fixlog.txt

Malwarebytes said it was up-to-date. The update package is 1.0.26797. The Component package is 1.0.979. Glasswire's Firewall page provides lists for Blocked Apps, Active Apps, and Inactive Apps. I found no reference to Avast in any of the lists. The new FRST scan logs and Autorun log are attached. Addition.txt FRST.txt Autoruns.zip

> Neither of those is reported as being found. Either as a registry entry ( trace) or as part of a file-name. Those would have been expected to be a value in a particular registry entry. My apologies. I noticed that the particular keys in the search string were associated with a pair of detections that I had already quarantined, so I assume they would not be found during the search. (I recall that you mentioned at the start of this effort not to make unrequested changes as this could hamper efforts. Going forward, I will not quarantine unless you say so.) As it turns out, two new detections appeared today. The latest Malwarebytes scan log is attached. Assuming you would want me to run FRSTENGLISH again with the two new detected keys in place of the previous ones, I ran it again. The resulting Search.txt log is attached. Let me know if you want me to run the additional instructions you gave after that. MBAM_Scan_Report_#5.txt Search.txt

Attached is the requested log file. Search.txt

Attached is the report from the lastest scan showing the two firewall rule detections. I had already quarantined them before saving the report. I don't recall seeing that dialog box. Typically, I open the Malwarebytes GUI and run a custom scan to see them, or it will already show detections from a scheduled scan. MBAM_Scan_Report_#4.txt

All updates have been applied. I experimented with disabling Glasswire. After two days, the two instances of Trojan.BlockAV are back again, so Glasswire may not be the cause. I went ahead and quaranatined them. Suggestions?

If the registry key creation that Malwarebytes is detecting as Trojan.BlockAV is associated with the Windows firewall, it could be that Glasswire is injecting those. Since no other checks have found any malware so far, how about if I disable Glasswire and check if they return over the next few days? BTW, I did *not* quarantine the two detections from the last Malwarebytes scan.

Attached are the requested files. The Malwarebytes scan detected two instances of Trojan.BlockAV again. I ran a full scan with Microsoft Safety Scanner; no viruses, etc. were found. SecurityCheck.txt msert.log MBAM_Scan_Report_#3.txt

Update completed. Malwarebytes version 4.1.2.73; Update package version 1.0.26373; Component package version 1.0.972.

I forgot to mention that the Webroot AntiVirus is a paid-for product. fyi

MBAM Scan Report #2 is attached. No Trojan.BlockAV detections were reported. This is not unusual concerning what I have experienced with Trojan.BlockAV after quarantining; if things go as usual, the two detections will appear again in a day or two. Concerning the Webroot and Comodo software: I installed Comodo Free Firewall in the past day or so. It may come bundled with a trial of their internet security suite as well, but the firewall is all I was interested in. I installed Webroot last night as a double-check, to see if it found any viruses; after a full scan, it found no viruses. I have used Glasswire to administer the Windows firewall. I have had that application for over a year (I recently renewed the annual subscription.) I have had the Trojan.BlockAV issues for quite a while. I'm not sure if it started before or after I started using Glasswire. It's unknown to me whether Glasswire could be causing this, but as I understand it, it is not a firewall itself -- it simply provides a (simplified) front-end for the Windows firewall. *As far as I know*, I've not had any adverse affects from Trojan.BlockAV, but a Malwarebytes description says that it interferes with antivirus software, so I wanted to get the issue fixed. MBAM_Scan_Report_#2.txt

Attached is the AdwCleaner log file. AdwCleaner[S02].txt

Attached is the mbst-grab-results.zip file. mbst-grab-results.zip

I'm using Malwarebytes Premium. For a while, I've been getting detections for Trojan.BlockAV, usually in pairs for any particular scan. After quarantining, Trojan.BlockAV comes back every few days or so. (Or that's when I notice them, anyway.) I recently installed Webroot AntiVirus as a double-check, but those scans did not detect any virus or malware. I've attached the requested logs. These are from my desktop PC. I've also seen the same detections on my laptop PC, but I assume that will have to be checked separately. Both run Windows 7 SP1. Any help to get rid of these would be appreciated. Thanks, Mark Addition.txt FRST.txt MBAM_Scan_Report.txt

@Porthos -- thanks for the comments. I don't really know if Malwarebytes is "functioning normally" during these events or not. I just see them occur via the Glasswire notifications (the device removal, followed by the re-adding of them) much more often than I would expect, and it seemed odd ... I can't remember looking for it, but I don't think I've ever seen any notification in the Malwarebytes GUI of any updates like this going on. Glasswire may just be detecting this activity and alerting me to it; otherwise, I probably wouldn't know anything about it. Glasswire simply provides a user-friendly interface for Windows' built-in firewall. I haven't noticed any issues with Malwarebytes being able to update, etc., so I assume there's no conflict there. The time delay between removal and the re-adds is sometimes quite long. Is Malwarebytes still providing protection between the time of removal and time of re-add? This of course assumes timely Glasswire notifications, but I don't know anything about that either. Is there a way to confirm that this is normal behavior?

I'm using Malwarebytes Premium. I also use Glasswire Pro, which is a network monitor and firewall program. Occasionally, Glasswire give me notices that four different "MBAM devices" have been "removed". The removal notices appear individually, but always occur at the same time. Some time thereafter (the amount of time varies up to maybe up to a day, but I haven't watched all that closely), I get notices that these same "devices" have been added again. I've attached a graphic file that shows an example of the notification boxes that appear (these show device removals). Glasswire doesn't give any more information than that, except for the file names. I'm wondering if this is related to Malwarebytes updates behind the scenes, or whether my PC (Windows 7 Pro SP1) might be infected. Any help/info would be appreciated Thanks -

The latest release (3.5.1) has not corrected the problem I'm having with a 3rd party application being blocked from updating. I manually updated Malwarebytes as mentioned in tetonbob's post above, and the problem remains. Disabling Ransomware Protection does NOT resolve the problem. As I mentioned in my original post, disabling Web Protection resolves it. Is there a fix in the works for this? Did anyone see an issue in the log files I originally submitted that would point to a cause & solution?

> How did you encountered the issue and any steps to reproduce it I am using the REAPER digital audio workstation application and attempting to check for program updates. If Malwarebytes' Web Protection is ON, the program is blocked from checking for updates. If Web Protection is OFF, the program can check for updates without issue. This issue appeared only recently. Data from Wireshark, and also the firewall logs on my PC, show that REAPER is attempting to connect to is 174.129.249.41, port 80. This appears to be the site for Cockos Inc., the maker of REAPER. I am able to use Firefox to go to this IP address directly with no issues, whether Web Protection is active or not. Malwarebytes version is 3.5.1. > Do you get the same result more than once if you follow the same steps? Y/N Yes. This issue is consistent on both of my computers that have Malwarebytes. Both installations have the same version. > If the system crashed (aka blue screen of death or BSOD), please include the error message N/A Thanks for any help possible. mbst-grab-results.zip