
Trojan.BlockAV reappears after quarantining



note:  According to the FRST reports, this system does not have Avast installed.   But it does have Glasswire.

Notice how the registry items made reference to Glasswire.

You had mentioned:

> I have used Glasswire to administer the Windows firewall. I have had that application for over a year (I recently renewed the annual subscription.)

Could you possibly recheck that Glasswire  app AND see if just maybe it makes some reference to Avast ?

It seems that somehow, somewhere there is a repeating reference.

 


In addition to the above  and after you've researched on Glasswire .....

 

Can we get a fresh new full scan with FRST with Additions.txt too

Perhaps an Autoruns log too

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures and Check VirusTotal.com and Submit Unknown Images
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder you just created to your next reply

 


 

 


Malwarebytes said it was up-to-date.  The update package is 1.0.26797.  The Component package is 1.0.979.

Glasswire's Firewall page provides lists for Blocked Apps, Active Apps, and Inactive Apps.   I found no reference to Avast in any of the lists.

The new FRST scan logs and Autorun log are attached.

Addition.txt FRST.txt Autoruns.zip


Hi, Mark.  Thank you for the reports.

Let's see about turning off the auto-start of Glasswire and keep it that way for a few days, and then let's see what happens, if anything, after a few days.

Start Autoruns one more time (unless you have it on screen at this point)

and look on the main tab named Logon. Scroll down to

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

just below that, un-tick the check box "GLASSWIRE" on the far left side.

When done, Exit out of Autoruns

NEXT

We also need to do a FIXLIST script cleanup for a few remains / traces from Avast.   There are still at least 22  entries related to Avast "block" on the firewall rules.

Further, I notice 4 entries in firewall rules that block FRST tool.

The fact that there are so many traces of Avast makes me think that in the past, there had been more than one attempt to install Avast;  and that in addition, when it was uninstalled many traces were left behind.

.

This custom script is for  Mb2003  only / for this machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a    custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRSTENGLISH.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.


RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the More info line on that screen
and click the Run anyway button on the next screen.

on the FRSTENGLISH window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply, at your next opportunity. Also, look on the DESKTOP and find a file XSEARCH.txt. Attach that as well.

.

[ 2 NEXT ]

Get / save / then run the AVAST removal tool

https://support.avast.com/en-us/article/Uninstall-Antivirus-Utility/

 

Let me know after all this is done.

 

 

Fixlist.txt

Edited by Maurice Naggar
added attachment

Thank you for the Fixlog.  This run indicates that there are currently no entries on the registry under

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES

that make any mention of "avast".

I did in fact get the results of the Xsearch in this log-report.   That is a fine result.   So my expectation is that there ought to be no more tagging about trojan.blockav due to a block entry on avast.

So here is the first next thing I would like you to do.

 

Run a scan with Malwarebytes.
Start Malwarebytes from the Windows  Start menu.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the SECURITY  tab.

then ( a )  Look for the section "Automatic Quarantine".   Be sure it is clicked On   ( to the far right side)

then ( b )

Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.

Now click the small X  to get back to the main menu window.


Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done (if anything is found), be real sure you Review and have all detected line items check-marked on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed.   Let it remove what it has detected.   ( if anything is found)

NOTES: This all looks like the machine may have had in the past some sort of infection that would have listed all security programs to be blocked; then this was cleaned up, except for a few entries about "avast". Otherwise (again conjecture) somehow something like Glasswire kept putting those block entries back in.

[    2   Next step]

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for and remove malware or potentially unwanted software from a system.

The download links and the instructions for running the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.

 

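A check that matches what the Fixlog was used for above: an added PowerShell example (not from this thread and not part of the FRST fix script) that reads the FirewallRules registry key named in the reply, parses each rule's `|`-separated fields, and reports Block rules whose App path or Name mentions a security tool. The watch-list of tool names is a constructed assumption; extend it for the machine being checked.

```powershell
# Added example: list Windows Firewall BLOCK rules that name security tools.
# Rules are stored as string values under this key, one value per rule, e.g.
#   v2.30|Action=Block|Active=TRUE|Dir=Out|App=C:\Tools\FRST64.exe|Name=...|
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

# Constructed watch-list (assumption): substrings that identify security tools.
$watch = @('avast', 'frst', 'malwarebytes', 'mbam', 'webroot', 'msert')

$props = Get-ItemProperty -Path $key
foreach ($p in $props.PSObject.Properties) {
    # Get-ItemProperty adds PSPath/PSParentPath/etc.; those are not rules.
    if ($p.Name -like 'PS*') { continue }

    # Split the rule string into a Key=Value table.
    $fields = @{}
    foreach ($token in ([string]$p.Value).Split('|')) {
        $i = $token.IndexOf('=')
        if ($i -gt 0) { $fields[$token.Substring(0, $i)] = $token.Substring($i + 1) }
    }

    # Only Block rules are of interest here; Allow rules are skipped.
    if ($fields['Action'] -ne 'Block') { continue }

    $app  = $fields['App']
    $name = $fields['Name']
    $hit  = $watch | Where-Object { ($app -and $app -match $_) -or ($name -and $name -match $_) }
    if ($hit) {
        # One object per suspicious rule; pipe to Format-Table or Export-Csv as needed.
        [pscustomobject]@{
            RuleId = $p.Name          # the registry value name (usually a GUID)
            Active = $fields['Active']
            Dir    = $fields['Dir']   # In / Out
            App    = $app
            Name   = $name
        }
    }
}
```

Run it from an elevated PowerShell; an empty result is the expected outcome after the cleanup, and any row it does print is a rule worth reviewing before assuming a detection is a false positive.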

PS.  Yes, on step # 2 above, do get a new download of the MS Safety scanner  & run a new scan.

Also, if you would,  then do a new scan with the Webroot SecureAnywhere.   We want to be sure that indeed there are no infections.

Thanks.


Very good on the Safety Scanner result.  Great as well about the Webroot scan.

I am curious about the Malwarebytes scan with the rootkit option, as per the top of my last reply:

https://forums.malwarebytes.com/topic/261399-trojanblockav-reappears-after-quarantining/?do=findComment&comment=1395103

 


Sorry for not replying -- for some reason, some (but not all) of the emails I get when you reply have gone to my junk-mail folder.  😕

Malwarebytes scans with the rootkit option enabled have not detected anything, nor have the Webroot scans.

Glasswire has been turned off since July 15 (Wednesday of last week).  Should I turn Glasswire back on now?


Hello.   Yes, you can do that if you wish.  Just be sure to look close at GlassWire's Firewall tab  to re-check what is blocked as far as security programs or any antivirus program.


> look close at GlassWire's Firewall tab

Currently I have Glasswire's firewall feature turned off, because I'm using the Comodo Firewall.

It looks like you may have gotten the problem fixed.  Thank you very much for all of your help!  I'll report back if I see anything.

Best to you!

Mark


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 
