Trojan.BlockAV reappears after quarantining

[mb2003]

I'm using Malwarebytes Premium.  For a while, I've been getting detections for Trojan.BlockAV, usually in pairs for any particular scan.  After quarantining, Trojan.BlockAV comes back every few days or so. (Or that's when I notice them, anyway.)

I recently installed Webroot AntiVirus as a double-check, but those scans did not detect any virus or malware.

I've attached the requested logs.  These are from my desktop PC.  I've also seen the same detections on my laptop PC, but I assume that will have to be checked separately.  Both run Windows 7 SP1. 

Any help to get rid of these would be appreciated.

Thanks,

Mark

Addition.txt FRST.txt MBAM_Scan_Report.txt

[Maurice Naggar]

Hi Mark.

The tagged line items are 2 registry key values (entries) that are for firewall rules to block Avast installer.   This is just an initial remark on my part.

Edited July 17, 2020 by Maurice Naggar

[Maurice Naggar]

Have you seen web protection "block" message-window-boxes like this one ?

 

[   2   ]

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach   all report files, etc  that I ask for as we go along.

 

I would appreciate  getting some key details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

 

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool
    
  

Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.6.2.802.exe  to run the report

 

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next

Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

 

Please know I help here as a volunteer.  and that I am not on 24 x 7.

[mb2003]

Attached is the mbst-grab-results.zip file.

mbst-grab-results.zip

[Maurice Naggar]

Thank you very much for the support tool.   I will ( over time ) have you do a few different scans  and potentially one custom script  ( later).

I would like to start out with the following, since I noticed a few prior set of different website blocks, and what looks like issues of adwares.

 

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Thanks.  Keep me advised.

 

[mb2003]

Attached is the AdwCleaner log file.

AdwCleaner[S02].txt

[Maurice Naggar]

Thank you.   No actual malware or other real threat found.   That is good.

Lets go ahead and do one new scan with Malwarebytes for Windows.

One of the major goals here is to have it remove all that it detects.  If it finds anything that is.

Start Malwarebytes from the Windows  Start menu.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the Security tab.   Look for the section "Automatic Quarantine".   Be sure it is clicked On   ( to the far right side)

 

Then scroll down to the section Potentially Unwanted items.   We need the next 2 lines   ( for P U P  & for P U  M)  to be set to "Always ( Recommended) ".

You can make the change by clicking on the down-arrow selection list-control.   We want all P U P  &  P U M to be marked for removal.

 

Next, click the small x on the Settings line   to go to the main Malwarebytes Window.

Next click the blue button marked Scan.

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

You can actualy click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).

 

Then click on Quarantine selected.

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

[Maurice Naggar]

I notice that the pc does have Webroot SecureAnywhere   as the antivirus.    and   as anti-spyware

and

COMODO Firewall

and

COMODO Advanced Protection   as another anti-spyware.

 

Any specific reason for having both of these ?   are both of these purchased & paid for ?  or is one of them "free" ?

It might be that one or the other accounts for some added tweaks into the firewall rules.

 

[mb2003]

MBAM Scan Report #2 is attached.  No Trojan.BlockAV detections were reported.  This is not unusual concerning what I have experienced with Trojan.BlockAV after quarantining; if things go as usual, the two detections will appear again in a day or two.

Concerning the Webroot and Comodo software:

I installed Comodo Free Firewall in the past day or so.  It may come bundled with a trial of their internet security suite as well, but the firewall is all I was interested in.  I installed Webroot last night as a double-check, to see if it found any viruses; after a full scan, it found no viruses. 

I have used Glasswire to administer the Windows firewall.  I have had that application for over a year (I recently renewed the annual subscription.)

I have had the Trojan.BlockAV issues for quite a while.  I'm not sure if it started before or after I started using Glasswire.  It's unknown to me whether Glasswire could be causing this, but as I understand it, it is not a firewall itself -- it simply provides a (simplified) front-end for the Windows firewall.

*As far as I know*, I've not had any adverse affects from Trojan.BlockAV, but a Malwarebytes description says that it interferes with antivirus software, so I wanted to get the issue fixed.

MBAM_Scan_Report_#2.txt

[mb2003]

I forgot to mention that the Webroot AntiVirus is a paid-for product.  fyi

[Maurice Naggar]

This scan report is good & very encouraging.   Lets get this Malwarebytes updated to the very latest Version.   The latest is Version 4.1.2.73

start Malwarebytes.   Click Settings icon  and look for the General tab,

Click on "Check for Updates".

Have patience.  Follow all prompts.    Let me know after you have the latest.

[mb2003]

Update completed.  Malwarebytes version 4.1.2.73; Update package version 1.0.26373; Component package version 1.0.972.

[Maurice Naggar]

Good afternoon.  It's great to know that the Malwarebytes is on the latest release.   Bravo.

Do one new scan with Malwarebytes  and then let me know the result.

and let me know if you need other help.

 

[    2    ]

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log 

the log will be at   (in most cases )

C:\Windows\debug\msert.log

Please attach that log with your reply.

 

[     3    ]

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.

• Download SecurityCheck by glax24 from here 
• and save the tool on the desktop.
•  
• If Windows's  SmartScreen blocks that with a message-window, then
• Click on the MORE INFO spot and over-ride that [ click Run Anyway ]   and allow it to proceed.
• This tool is safe.         Smartscreen is overly sensitive.
•  
• Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
• Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.Attach it with your next reply.
• You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

[mb2003]

Attached are the requested files.

The Malwarebytes scan detected two instances of Trojan.BlockAV again.

I ran a full scan with Microsoft Safety Scanner; no viruses, etc. were found.

 

SecurityCheck.txt msert.log MBAM_Scan_Report_#3.txt

[mb2003]

If the registry key creation that Malwarebytes is detecting as Trojan.BlockAV is associated with the Windows firewall, it could be that Glasswire is injecting those.

Since no other checks have found any malware so far, how about if I disable Glasswire and check if they return over the next few days?

BTW, I did *not* quarantine the two detections from the last Malwarebytes scan.

[Maurice Naggar]

The MS Safety scanner found no virus / no malware.

The SecurityCheck report had these notations.   Be sure to review and follow up.  and note that this Windows 7 is lacking several MS updates/fixes.

Internet Explorer 11.0.9600.18860 Warning! Download Update

 

------------------------------- [ HotFix ] --------------------------------
HotFix KB3177467 Warning! Download Update
HotFix KB3125574 Warning! Download Update
HotFix KB4012212 Warning! Download Update
HotFix KB4499175 Warning! Download Update
HotFix KB4474419 Warning! Download Update
HotFix KB4490628 Warning! Download Update
HotFix KB4512486 Warning! Download Update
HotFix KB4474419 Warning! Download Update
HotFix KB4539602 Warning! Download Update

 

.

Wireshark 3.2.2 64-bit v.3.2.2 Warning! Download Update

You said

Quote

how about if I disable Glasswire and check if they return over the next few days?

Ok by me.   Give that a try.

[mb2003]

All updates have been applied.

I experimented with disabling Glasswire.  After two days, the two instances of Trojan.BlockAV are back again, so Glasswire may not be the cause.  I went ahead and quaranatined them.

Suggestions?

[Maurice Naggar]

Hi.

The "trojan.blockav".   Are those block message windows,  like I asked before?

Have you seen web protection "block" message-window-boxes like this one ?

 

IF yes, then the web protection is keeping the pc safe.   Notice the text on that screen that the threat was stopped.

.

IF on the other hand, this is a situation where you ran a Scan  and it reported something ....then I need to see the report from the Scan that was last run.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

Look at & do as per the section "View and download detection History in Malwarebytes on Windows "  if it was a Block detection.

If it was from a Scan, look at the section "View and download Reports in Malwarebytes on Windows"

 

[mb2003]

Attached is the report from the lastest scan showing the two firewall rule detections.  I had already quarantined them before saving the report.

I don't recall seeing that dialog box.  Typically, I open the Malwarebytes GUI and run a custom scan to see them, or it will already show detections from a scheduled scan.

MBAM_Scan_Report_#4.txt

[Maurice Naggar]

Hi,

My apologies for not getting back to you earlier.   I am seeking advice from other folks about this recurring issue.

Thank you for your patience.

[Maurice Naggar]

Hello.

I would like you to do a  special search.

There is the FRSTENGLISH  tool on the Downloads folder.   We will use that to do a search.

Find then start FRSTENGLISH
Type the following ( better yet, use COPY  then Paste)   into the search box exactly as show then press the Search Files button 
 

SearchAll: 08D9B674-3AB7-43B5-8E4A-6EFF12948B11;D367B616-BD26-4003-BA0F-E111E8BD2D7E

 
Please wait while the program searches for all entries relating to this program, when done a  search.txt    log will be saved to the desktop. Please attach this log to your next reply. 

Thanks for your patience.

[mb2003]

Attached is the requested log file.

Search.txt

[Maurice Naggar]

Thank you for the Search results file.

Neither of those is reported as being found.  Either as a registry entry ( trace) or as part of a file-name.

Those would have been expected to be a value in a particular registry entry.

Lets see if we can perhaps get a readout of the supposed parent key.

I would like for you to get to an Elevated Command-prompt window

Open the Start Menu, type cmd in the search box, and press CTRL+SHIFT+ENTER.

 

then to COPY all of the line below ( verbatim ) and then Paste it onto the command window-box

reg query HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES /reg:64 >> %USERPROFILE%\desktop\Xsearch.txt

then tap the Enter-key.

[ Be very sure that you highlight all of the line.  It is quite long.  You will need to scroll all of it. ]

This will produce an output file by the name of xsearch.txt  on the Desktop.

Please find that file and attach it with your next reply.

[mb2003]

> Neither of those is reported as being found.  Either as a registry entry ( trace) or as part of a file-name. Those would have been expected to be a value in a particular registry entry.

My apologies.  I noticed that the particular keys in the search string were associated with a pair of detections that I had already quarantined, so I assume they would not be found during the search. (I recall that you mentioned at the start of this effort not to make unrequested changes as this could hamper efforts.  Going forward, I will not quarantine unless you say so.)

As it turns out, two new detections appeared today.  The latest Malwarebytes scan log is attached. Assuming you would want me to run FRSTENGLISH again with the two new detected keys in place of the previous ones, I ran it again.  The resulting Search.txt log is attached.

Let me know if you want me to run the additional instructions you gave after that.

MBAM_Scan_Report_#5.txt Search.txt

[Maurice Naggar]

Hi.  Need for you to take just a few minutes and do a new Check for Updates in the Malwarebytes.

Start Malwarebytes.  Click Settings ( gear icon ).   Then look on either the General or the About tab.

Then click the spot "Check for Updates".

after it gets all done, look on the About tab   and then tell me if th Update package is at least 1.0.26791   or higher

and the Component shows as 1.0.979