Application blocked and .exe erased

[Peio64]

Hi,

I have a big problem with a small app which does not need installation in Windows 10 (App "OpenCompass" that you can download free here : https://drive.google.com/file/d/1_fAxu8laIFO_MjZ9ZEpde3b9G8TKM5AD/view?usp=sharing ).

When I try to open it, MWB tells me that it blocks it and it erases the executable file (OpenCompass.exe) from the OpenCompass folder.

I put both the folder and the .exe file in the exclusion folder with no success. As well, changing the name in "Open_Compass" does not solve this issue : MWB still block it and still  erases the renamed "Open_Compass.exe" file. I tried the exclusion of "an already detected exploit" but the windows is blank, with no exploit detected.

Actually there is nothing concerning this blocking action in the "Quarantine" nor in the "Protection log".

I ran the MB-check tool and I found 4 entries at the today date (03/07/2018) in the folder "MwacDetections" (file attached).

An analysis of OpenCompass.exe by both Zemana anti-malware and AVG does not indicate that this file contains any threat.

I have updated MWB from version 3.1.3 to 3.1.4 but the same issue is still blocking the app.

What can I do ? Thanks for any help.

 

mb-check-results.zip

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven't done so already, please run these two tools and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Farbar Recovery Scan Tool (FRST)
  1. Download FRST and save it to your desktop
     Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
  2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
  3. Press the "Scan" button
  4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
     • Leave the log files in the current location, they will be automatically collected by mb-check once you complete the next set of instructions
• MB-Check
  1. Download MB-Check and save to your desktop
  2. Double-click to run MB-Check and within a few second the command window will open, press "Enter" to accept the EULA then click "OK" 
  3. This will produce one log file on your desktop: mb-check-results.zip
     • This file will include the FRST logs generated from the previous set of instructions
     • Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[shadowwar]

This should be fixed now. If its still detected i would need you to do this to stop the detections.

 

Totally shutdown Malwarebytes. Go here in explorer:

 

C:\ProgramData\Malwarebytes\MBAMService

and delete the following file only.

hubblecache

 

it has no extension.

 

Then you can restart mbam and the cache file will rebuild on the next scan. You only have to do this on repeated detections if we told you we have fixed it already.

[Peio64]

Hi Shadowwar,

I did what you said but the app is still blocked as before.

In MBAM service, there is no more "hubblecache" after restarting MWB.

What can I do more ?

[edit] I realize that I was wrong when I said in my first message that the check tool reported entries for today. Actually they were from 02/07/2018. Apparently there is nothing for today (03/07) in this MwacDetection file.

Edited March 7, 2018 by Peio64
Add some comments

[shadowwar]

Ok so everything ok?

 

[Peio64]

2 minutes ago, shadowwar said:

Ok so everything ok?

 

Not really, I still can not open this app. Still the same blocking by MWB which continues to erase the .exe when I try to open it. :-(

[shadowwar]

Ok i fixed one other setting. It should be good now. Worse case you may have to delete hubblecache. again as above and reboot. Keep me posted.

[Peio64]

I don't understand (maybe my limited English). What do you mean by "I fixed one other setting" ? Do you mean you fixed something in MY installed MWB ? And there is no more "hubblecache" in my MBAMService folder. Thus I can not delete it again.

 

Edited March 7, 2018 by Peio64

[shadowwar]

I  fixed the whitelisting on our cloud database on our end.

Edited March 7, 2018 by shadowwar

[Peio64]

I see now.

But maybe I do not closed MWB completely. I closed it by right clicking on the icon and choosing "quit" but when I try again to open this bloody app, it blocks it despite it is "closed". Is there an other mean to shut it down completely ?

[Peio64]

I re-ran mb-check and I found no more entries for today. But in the mb-check results.txt, I found what follows which obviously concerns my problem :

"....

"scanArchives" : true,
      "scanRootkit" : true,
         "id" : "0904a1e8-21f8-11e8-94ed-4ccc6adbb304",
         "path" : "F35F497A629BF895C56D5A6E3C7DE6CC29E64379F75A93DEF8E4DDA3B3CC2CCC1B486F484F36DA89CE4F43A92A67C92F30AC0841451BD20BB338ACC19A",
        C:\Users\Pierre Aubineau\Desktop\OpenCompass\OpenCompass.exe
         "type" : "file"
         "id" : "9258c7fa-2200-11e8-8a12-4ccc6adbb304",
         "path" : "F35F497A629BF895C56D5A6E3C7DE6CC29E64379F75A93DEF8E4DDA3B3CC2CCC1B486F484F36DA89CE4F43A976",
        C:\Users\Pierre Aubineau\Desktop\OpenCompass
         "type" : "folder"

..."

[shadowwar]

Can you maybe post a screenshot of the block? Are you getting an alert message? Did you restart the computer? Also can you attach the most recent mbamcheck?

 

Edited March 7, 2018 by shadowwar

[shadowwar]

Also what you posted above isnt actually a detection.

 

[Peio64]

Thank you very much.

I have restarted the computer and discovered that this application was also blocked by Zemana anti-malware.

After placing it in the Zemana's exclusions, I can now open it !

[shadowwar]

Great. Glad to hear it.