
Long-time user of Malwarebytes Premium & new user of Adware Cleaner
Win 10 Pro PC (up-to-date)

First use of Adware Cleaner 3 days ago showed 4 registry items it called a Trojan.Agent. Items were quarantined and removed.
They were all located here: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {xxxxx}
The program whose entries are being flagged is Glasswire.

Second use of AdWare Cleaner this AM and those items are back. A scan after cleaning and reboot shows two items are back (the numbers vary, but the location in the registry is the same).

Malwarebytes Premium shows nothing.

So who is right - Malwarebytes finding nothing, or AdWare Cleaner finding what it terms a Trojan.Agent?


Thanks, it looks like those are firewall rules for the Windows Firewall.

Please do the following so that we may take a closer look at what's going on with the system:

  1. Download and run the Malwarebytes Support Tool
  2. Accept the EULA and click Advanced tab on the left (not Start Repair)
  3. Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply

Thanks


Thanks, it looks like all of these detections are coming from some Java related entries in the Windows Firewall to allow those Java components to communicate with the internet:

FirewallRules: [{0EE4C4C4-EC74-45A8-8878-F5DF2ACD14F9}] => (Allow) c:\program files (x86)\common files\java\java update\jusched.exe (Oracle America, Inc. -> Oracle Corporation)
FirewallRules: [{7FC17F33-61F7-4C03-803E-2EA33E69FEFA}] => (Allow) c:\program files (x86)\common files\java\java update\jusched.exe (Oracle America, Inc. -> Oracle Corporation)
FirewallRules: [{F70CFAF6-1F6D-48B3-952D-08EDB2D4E40F}] => (Allow) c:\program files (x86)\common files\java\java update\jusched.exe (Oracle America, Inc. -> Oracle Corporation)
FirewallRules: [{FD52B46A-8D8E-4A22-84AA-AAFED9A4062A}] => (Allow) c:\program files (x86)\common files\java\java update\jusched.exe (Oracle America, Inc. -> Oracle Corporation)

They shouldn't be detected as threats, however unless you really need Java installed, I'd suggest removing it anyway as Java is widely known to frequently contain exploits that leave systems vulnerable to attack. If you don't need it, then please run the Java Uninstall Tool to remove Java from your system. Once that is done, scan again with AdwCleaner, and if it still finds the same entries, allow it to remove them, and if they still persist then we can remove them manually using the Windows Firewall settings as documented on this page.

Please let me know how it goes and what you've decided to do.

Thanks


As mentioned in my original post all of these flagged registry entries have to do with Glasswire:
These are the 4 most recent ones:

v2.28|Action=Allow|Active=TRUE|Dir=Out|App=c:\program files (x86)\common files\java\java update\jusched.exe|Name={Glasswire.app.out_85}|Desc=GlassWire|EmbedCtxt=GlassWire

v2.28|Action=Allow|Active=TRUE|Dir=In|App=c:\program files (x86)\common files\java\java update\jusched.exe|Name={Glasswire.app.in_192}|Desc=GlassWire|EmbedCtxt=GlassWire|

v2.28|Action=Allow|Active=TRUE|Dir=Out|App=c:\program files (x86)\common files\java\java update\jusched.exe|Name={Glasswire.app.out_192}|Desc=GlassWire|EmbedCtxt=GlassWire|

v2.28|Action=Allow|Active=TRUE|Dir=In|App=c:\program files (x86)\common files\java\java update\jusched.exe|Name={Glasswire.app.in_85}|Desc=GlassWire|EmbedCtxt=GlassWire|


Glasswire created them because Glasswire uses the same WFP (Windows Filtering Platform) APIs as the built in Windows Firewall, but those entries actually belong to Java, which GlassWire doesn't require as far as I know (I've used GlassWire in the past myself and don't recall it ever installing/using Java, though that may have changed in more recent versions).


Just now, exile360 said:

They shouldn't be detected as threats, however unless you really need Java installed, I'd suggest removing it anyway as Java is widely known to frequently contain exploits that leave systems vulnerable to attack. If you don't need it, then please run the Java Uninstall Tool to remove Java from your system. Once that is done, scan again with AdwCleaner, and if it still finds the same entries, allow it to remove them, and if they still persist then we can remove them manually using the Windows Firewall settings as documented on this page.

Please let me know how it goes and what you've decided to do.

Thanks

I seem to remember that something on my system "needs" Java but can't remember what it is. I'll go ahead and remove Java and those entries and see what complains.

Thanks for the help.


That's understandable as some apps do still use Java.  In particular I recall that the 3DMark benchmarking suite uses it along with some game launchers (can't recall which ones exactly off the top of my head), however if you happen to launch an app that requires it, you'll see a message box saying that Java wasn't found and is required so then you can just go grab the latest version of Java from here and that should resolve the issue.


Can't find a way to edit the above post, so here's an addendum:
I meant to add that I have also removed any mention of Java in the firewall settings using Option 3. I just checked and there is no mention of Java in the firewall rules now.
Using the Command Prompt method of examining the firewall rules, "Find" finds no instance of Java in the text file.


OK, go ahead and check within the Windows Firewall itself (not through the command line) just to make sure there are no remaining entries there.  It may just be that they're being left behind for some reason and that's why they keep showing up.  It's also possible that the software on your system that uses Java is downloading/reinstalling Java each time it is removed which could also account for it.


I said above that I did that already and saw no remaining mentions of Java anywhere.

The image below is where I checked to see if there were any Java mentions in the firewall rules. There were none, as I removed them last night. I rechecked again this AM after AdWare found those same entries.

(Screenshot attached: Capture.JPG)


OK, what about the registry?  Have the entries returned under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules?  If so, what happens if you delete the detected entries from there by hand?  Do they still return on reboot?  If so, then something is putting them back, though I'm not sure exactly what program that might be.

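The registry check described in the reply above can be scripted rather than done by hand in Regedit. The following is an added example, not code from this thread, from Malwarebytes or from GlassWire: it reads every value under the FirewallRules key, parses the pipe-delimited rule string (the v2.28|Action=...|App=...|Name=...|EmbedCtxt=... format quoted earlier in the thread), and reports rules whose App= path no longer exists on disk, which is exactly the state the jusched.exe rules were in once Java was uninstalled. It matches on the rule content rather than the {GUID} value name, since the thread notes the GUIDs change on every reboot. The field meanings (Name= is the display name, EmbedCtxt= is the creator/group, the value name is the rule's instance ID) are my reading of the format, not something the thread states. Run it from an elevated PowerShell.

```powershell
# Added example (not from the forum thread, Malwarebytes or GlassWire):
# enumerate firewall rules stored in the registry, parse the rule strings and
# report rules whose App= executable no longer exists.

$RulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

function ConvertFrom-FirewallRuleString {
    # Parses a value such as:
    # v2.28|Action=Allow|Active=TRUE|Dir=Out|App=c:\...\jusched.exe|Name={Glasswire.app.out_85}|Desc=GlassWire|EmbedCtxt=GlassWire|
    param(
        [Parameter(Mandatory)][string]$ValueName,   # registry value name, usually a {GUID}
        [Parameter(Mandatory)][string]$RuleString
    )
    $parts  = $RuleString.Split('|', [StringSplitOptions]::RemoveEmptyEntries)
    $fields = @{ Version = $parts[0] }
    foreach ($part in ($parts | Select-Object -Skip 1)) {
        $kv = $part.Split('=', 2)
        if ($kv.Count -eq 2) { $fields[$kv[0]] = $kv[1] }   # a repeated key (e.g. LPort=) keeps the last value
    }

    # App= may be a file path, an env-var path (%SystemRoot%\...) or the literal "System"
    $app       = $fields['App']
    $appExists = $null                                     # $null = rule is not bound to a file path
    if ($app -and $app -match '\\') {
        $expanded  = [Environment]::ExpandEnvironmentVariables($app)
        $appExists = Test-Path -LiteralPath $expanded -PathType Leaf
    }

    [pscustomobject]@{
        ValueName   = $ValueName
        DisplayName = $fields['Name']        # Name= field, not the {GUID} value name
        Group       = $fields['EmbedCtxt']   # creator/group, e.g. GlassWire
        Action      = $fields['Action']
        Direction   = $fields['Dir']
        Active      = $fields['Active']
        App         = $app
        AppExists   = $appExists
    }
}

function Get-FirewallRuleReport {
    param([string]$Path = $RulesKey)
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        $raw = $key.GetValue($name)
        if ($raw -is [string] -and $raw.StartsWith('v')) {
            ConvertFrom-FirewallRuleString -ValueName $name -RuleString $raw
        }
    }
}

# Orphaned file-path rules (executable gone), grouped by who created them
$orphans = Get-FirewallRuleReport | Where-Object { $_.AppExists -eq $false }
$orphans | Sort-Object Group, Direction |
    Format-Table ValueName, Group, Direction, Action, App -AutoSize

# Rules that reference a given program, regardless of the (changing) GUID value name
Get-FirewallRuleReport | Where-Object { $_.App -like '*\java update\jusched.exe' } |
    Select-Object ValueName, DisplayName, Group, Direction

# To remove an orphan through the firewall service instead of deleting the registry
# value by hand, pass the value name as the rule Name (assumption: the value name is
# the rule's instance ID). Drop -WhatIf once the list looks right.
# $orphans | ForEach-Object { Remove-NetFirewallRule -Name $_.ValueName -WhatIf }
```

The point of the AppExists column is the one the thread circles around: a rule whose executable no longer exists is harmless on its own (nothing can match it), so the question is only who keeps re-creating it, not whether it is a threat.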

Did that. Adware reported them gone in a scan right after. They were right back after a reboot (different numbers, but the strings were the same).
I have also gone through Glasswire and removed all mentions of Java/JavaUpdate/JavaSched etc. Those have stayed gone through multiple reboots.

I checked C:\Program Files (x86) and the Java folder being referenced no longer exists.


Interesting, I wonder what is bringing them back then? There's got to be some program on the system adding those entries to the registry. No harm I guess, but if you really want to track it down you could try a tool such as Process Monitor to see what programs access those keys/create those entries, and you could even get your system checked in our malware removal area if you want to make sure that it's nothing malicious going on (I doubt it, but it may be best just to rule it out completely if you aren't certain). If you wish to do the latter, then please read and follow the instructions in this topic, then create a new topic in the malware removal area by clicking here, and one of our malware removal specialists will assist you in checking the system and clearing it of any threats as soon as one is available.

Again, I doubt that it is anything malicious, but they might have better luck tracking down the exact program creating those entries, so it might be worth pursuing if you really want to eliminate them once and for all.

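One caveat on the Process Monitor suggestion above: rules added through the firewall API are written to the FirewallRules key by the firewall service itself (svchost.exe hosting MpsSvc), so watching the registry key usually just shows svchost.exe as the writer, not the program that asked for the rule. The firewall service does record who asked, though: each rule it creates is logged as event 2004 in the "Windows Firewall With Advanced Security/Firewall" operational log, with a ModifyingApplication field. The following is an added example, not code from this thread or from Malwarebytes, that queries that log for rules referencing the jusched.exe path and prints the requesting application. The event data field names (RuleId, RuleName, ApplicationPath, EmbeddedContext, ModifyingUser, ModifyingApplication) are taken from the event's XML as I know it; the -AppPattern and -Days parameters are my own. Run it from an elevated PowerShell after the entries have reappeared.

```powershell
# Added example (not from the forum thread or Malwarebytes): find out which
# program asked the Windows Firewall service to create a rule, using the
# firewall's own operational log rather than watching the registry writer.

$FirewallLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'

function Get-FirewallRuleChange {
    param(
        [string]$AppPattern = '*',   # wildcard match on the rule's ApplicationPath
        [int]$Days = 7
    )
    # 2004 = rule added, 2005 = rule modified, 2006 = rule deleted
    $filter = @{ LogName = $FirewallLog; Id = 2004, 2005, 2006; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the <EventData><Data Name=...> elements into a hashtable
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d['ApplicationPath'] -like $AppPattern) {
            $change = switch ($_.Id) { 2004 { 'Added' } 2005 { 'Modified' } 2006 { 'Deleted' } }
            [pscustomobject]@{
                Time                 = $_.TimeCreated
                Change               = $change
                RuleId               = $d['RuleId']            # the {GUID} value name under FirewallRules
                RuleName             = $d['RuleName']          # Name= field, e.g. {Glasswire.app.out_85}
                Group                = $d['EmbeddedContext']   # EmbedCtxt= field
                ApplicationPath      = $d['ApplicationPath']
                ModifyingUser        = $d['ModifyingUser']
                ModifyingApplication = $d['ModifyingApplication']
            }
        }
    } | Sort-Object Time
}

# Who created rules for the (uninstalled) Java updater, and when?
Get-FirewallRuleChange -AppPattern '*\java update\jusched.exe' |
    Format-Table Time, Change, RuleId, Group, ModifyingApplication -AutoSize

# Summary: every application that added any rule in the window, busiest first
Get-FirewallRuleChange | Where-Object { $_.Change -eq 'Added' } |
    Group-Object ModifyingApplication | Sort-Object Count -Descending |
    Select-Object Count, Name
```

If ModifyingApplication comes back as the GlassWire executable, that closes the loop with the EmbedCtxt=GlassWire tag on the registry values; if it comes back as something else, that is the program to look at. A Deleted event right before each Added event with the same RuleName would also explain the changing GUIDs: the rule is being recreated, not edited.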
