Avast Blocked by Group Policy - Please help

Hello,

I read the other threads on this topic with replies by essexboy. I have attached my logs from Farbar. Would someone please help me with a fixlist.txt file. I see the entries I need to resolve the group policy problem, but I wonder if there are other entries in the logs that should be included in the fixlist that I’m unaware of.

Thank you so much.

You have encryptor malware as well; do you have a backup of your data?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKLM Group Policy restriction on software: C:\Program Files (x86)\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [11c08d] => C:\11c08dd\11c08dd.exe [258432 2014-11-06] (Company name goes here)
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [JozcUqawo] => regsvr32.exe "C:\ProgramData\JozcUqawo\JozcUqawo.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [ForpEzuze] => regsvr32.exe "C:\ProgramData\ForpEzuze\ForpEzuze.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Evdtion] => C:\Users\Barbie\AppData\Local\Evdtion\msiexec.exe [163232 2014-11-06] ()
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Esxgtion] => regsvr32.exe C:\Users\Barbie\AppData\Local\Esxgtion\wxMaindll32.dll <===== ATTENTION
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Evzftion] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Barbie\AppData\Local\Evdtion\DRMGLWeb16.dll
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [BayoRyomi] => regsvr32.exe "C:\ProgramData\BayoRyomi\BayoRyomi.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [PakuPutpi] => regsvr32.exe "C:\ProgramData\PakuPutpi\PakuPutpi.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\RunOnce: [*1c08dd] => C:\Users\Barbie\AppData\Roaming\11c08dd.exe
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
2014-11-06 18:52 - 2014-11-06 18:52 - 00008536 _____ () C:\Users\Barbie\Downloads\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:52 - 2014-11-06 18:52 - 00008536 _____ () C:\Users\Barbie\Documents\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:52 - 2014-11-06 18:52 - 00004208 _____ () C:\Users\Barbie\Downloads\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:52 - 2014-11-06 18:52 - 00004208 _____ () C:\Users\Barbie\Documents\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:52 - 2014-11-06 18:52 - 00000272 _____ () C:\Users\Barbie\Downloads\INSTALL_TOR.URL
2014-11-06 18:52 - 2014-11-06 18:52 - 00000272 _____ () C:\Users\Barbie\Documents\INSTALL_TOR.URL
2014-11-06 18:48 - 2014-11-06 18:48 - 00008536 _____ () C:\Users\Barbie\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:48 - 2014-11-06 18:48 - 00008536 _____ () C:\Users\Barbie\AppData\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:48 - 2014-11-06 18:48 - 00004208 _____ () C:\Users\Barbie\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:48 - 2014-11-06 18:48 - 00004208 _____ () C:\Users\Barbie\AppData\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:48 - 2014-11-06 18:48 - 00000272 _____ () C:\Users\Barbie\AppData\Roaming\INSTALL_TOR.URL
2014-11-06 18:48 - 2014-11-06 18:48 - 00000272 _____ () C:\Users\Barbie\AppData\INSTALL_TOR.URL
2014-11-06 18:47 - 2014-11-06 18:47 - 00008536 _____ () C:\Users\Barbie\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:47 - 2014-11-06 18:47 - 00004208 _____ () C:\Users\Barbie\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:47 - 2014-11-06 18:47 - 00000272 _____ () C:\Users\Barbie\AppData\Local\INSTALL_TOR.URL
2014-11-06 18:10 - 2014-11-06 18:10 - 00008536 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:10 - 2014-11-06 18:10 - 00004208 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:10 - 2014-11-06 18:10 - 00000272 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-11-06 17:58 - 2014-11-06 17:58 - 00000000 ____D () C:\ProgramData\PakuPutpi
2014-11-06 17:58 - 2014-11-06 17:58 - 00000000 ____D () C:\ProgramData\BayoRyomi
2014-11-06 17:45 - 2014-11-06 17:45 - 00000000 ____D () C:\Users\Barbie\AppData\Local\Evdtion
2014-11-06 17:45 - 2014-11-06 17:45 - 00000000 ____D () C:\Users\Barbie\AppData\Local\Esxgtion
2014-11-06 17:44 - 2014-11-06 17:44 - 00000000 ____D () C:\ProgramData\JozcUqawo
2014-11-06 17:44 - 2014-11-06 17:44 - 00000000 ____D () C:\ProgramData\ForpEzuze
2014-11-06 17:41 - 2014-11-06 17:41 - 00000000 ___HD () C:\11c08dd
2014-11-06 17:41 - 2014-11-06 17:41 - 00000000 ____D () C:\Users\Barbie\AppData\Roaming\FrameworkUpdate7
CustomCLSID: HKU\S-1-5-21-124788536-2644335351-2029234871-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Download Anti-CryptorBit.zip to your desktop
Extract Anti-CryptorBitV2 to the desktop and run

https://dl.dropboxusercontent.com/u/73555776/anticrypt.JPG

Select the file type you wish to decrypt and then follow the instructions

FINALLY

Download and run farbar service scanner

https://dl.dropboxusercontent.com/u/73555776/fssscan.JPG

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

The computer in question is my mother’s and I’m helping her via phone get it un-malware’d. She does have a backup of all of her data that is offline on an external hard drive from before this problem showed up (yesterday).

I’ll relay your instructions to her and get the new logs and an update back to you.

Thank you so much for the prompt reply.

I am glad she has a backup, as the encrypted files cannot always be decrypted; it affects pictures and documents.

I had her look around in Windows Explorer for any HOWDECRYPT.* files in her documents folder and in her Windows folder (and on her external hard drive) and didn’t see any such files. I did not have her try to open any of her documents yet. Does the lack of HOWDECRYPT.* files suggest that it didn’t get far enough to “encrypt” or muck with her files?

  • I had her run the FRST fixfile (log attached)

  • I didn’t have her run Anti-CryptorBitV2 because I wasn’t sure she had any encrypted files (but she has it downloaded if you tell me to have her run it anyhow).

  • I had her run FSS (log attached)

Of note, when she ran FRST with the fixfile, the computer rebooted and when it finished, there was at least one Windows dialog saying it couldn’t find some file. I had her close it and didn’t think to write down what the actual message was. Sorry.

I have not had her reboot since running FSS, so I don’t know if the problem will still be there. I didn’t want to take any steps that might hamper the recovery you are directing.

Go for a reboot now and then let me know how the computer is behaving

Once rebooted download this small programme from tweaking.com http://www.tweaking.com/content/page/set_windows_services_to_default_startup.html to the desktop
Run the programme and on completion reboot and then run one further FSS scan please

The error dialog boxes in Windows continue to show up after the first boot and after running the tweaking.com program and rebooting. Same errors before and currently. The error dialogs are:

[u]RegSvr32[/u] The module C:\Users\Barbie\AppData\Local\...\DRMGLWeb16.dll failed to load. Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found.

[u]RegSvr32[/u] The module C:\ProgramData\JozcUqaweo.dat failed to load. Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found.

[u]RegSvr32[/u] The module C:\ProgramData\BayoRyomi\BayoRyomi.dat failed to load. Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found.

[u]RegSvr32[/u] The module C:\ProgramData\PakuPutpi\PakuPutpi.dat failed to load. Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found.

[u]RegSvr32[/u] The module C:\Users\Barbie\AppData\Local\Es...\wsMaindll32.dll failed to load. Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found.

Also, I have attached the latest FSS.txt file

OK, could I have a fresh FRST log and I will kill those.

EDIT: Just realised what is causing that: Spybot is replacing the run keys. Could you temporarily uninstall it before we run the next fix?

Here is the latest FRST logs

Whoops you forgot the main FRST.txt :slight_smile: Did you see my note about spybot in my last post

Sorry, grabbed the wrong file to attach.

Will do with SpyBot.

Teatimer also replaced the restrictions on Avast and MBAM

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Malwarebytes' Anti-Malware <====== ATTENTION
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1095000 2013-12-13] (Garmin Ltd or its subsidiaries)
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [JozcUqawo] => regsvr32.exe "C:\ProgramData\JozcUqawo\JozcUqawo.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [ForpEzuze] => regsvr32.exe "C:\ProgramData\ForpEzuze\ForpEzuze.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Esxgtion] => regsvr32.exe C:\Users\Barbie\AppData\Local\Esxgtion\wxMaindll32.dll <===== ATTENTION
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Evzftion] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Barbie\AppData\Local\Evdtion\DRMGLWeb16.dll
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [BayoRyomi] => regsvr32.exe "C:\ProgramData\BayoRyomi\BayoRyomi.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [PakuPutpi] => regsvr32.exe "C:\ProgramData\PakuPutpi\PakuPutpi.dat"
2014-11-07 11:43 - 2014-11-07 11:43 - 00000000 ____D () C:\ProgramData\ForpEzuze
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.
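As an added example (not code from this thread, from FRST or from the helper), the PowerShell below performs a read-only version of the two checks the fixlists above automate: it lists the Software Restriction Policy path rules that FRST reports as "HKLM Group Policy restriction on software", and the Run/RunOnce values whose target file no longer exists, which is what produces the repeated "RegSvr32 ... failed to load" dialogs on boot. It assumes an elevated PowerShell session and the standard SRP registry layout (level 0 = Disallowed); the function names are the example's own.

```powershell
# Read-only triage script (added example, not from the thread). Changes nothing.
# Assumes: elevated PowerShell; SRP level 0 under CodeIdentifiers is "Disallowed".

function Get-SrpDisallowedPaths {
    # Each path rule is a subkey whose ItemData value holds the blocked folder.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        (Get-ItemProperty $_.PSPath).ItemData
    } | Where-Object { $_ }
}

function Get-OrphanedRunEntries {
    # HKLM plus every loaded user hive (HKU\<SID>); hives without a Run key are skipped.
    $hives = @('HKLM:') + @(Get-ChildItem 'Registry::HKEY_USERS' |
        ForEach-Object { "Registry::$($_.Name)" })
    foreach ($hive in $hives) {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
                $cmd = [string]$p.Value
                # The module being loaded is the LAST drive-letter path in the value:
                #   regsvr32.exe "C:\ProgramData\X\X.dat"   or   ...\regsvr32.exe C:\...\Y.dll
                $paths = [regex]::Matches($cmd, '(?i)[A-Za-z]:\\[^"]+?\.(?:exe|dll|dat)') |
                    ForEach-Object { $_.Value }
                $target = $paths | Select-Object -Last 1
                if ($target -and -not (Test-Path -LiteralPath $target)) {
                    # Value survives but its file is gone: regsvr32/loader will error at logon.
                    [pscustomobject]@{ Hive = $hive; Key = $sub; Name = $p.Name; Target = $target }
                }
            }
        }
    }
}

Get-SrpDisallowedPaths | ForEach-Object { "SRP Disallowed path rule: $_" }
Get-OrphanedRunEntries | Format-Table -AutoSize
```

A security product's own install folder showing up as a Disallowed path rule is the condition this thread is about; orphaned Run values that still point at removed .dat/.dll files explain the dialogs, and something re-creating them after a fix (TeaTimer here) is what to look for next.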

Before I run this fix, can I ask why you are killing off:

HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)

and

HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1095000 2013-12-13] (Garmin Ltd or its subsidiaries)

I can understand TeaTimer, although it should go away with uninstalling Spybot, but why the Garmin tray app? That is for my mom’s GPS synch features.

My apologies delete the garmin line only, the teatimer one is just to be doubly sure :slight_smile:

No apology necessary. I am VERY grateful for your help in getting this resolved. New logs to follow…

Ta, the removal of that line would not have affected the programme in any way, just that the taskbar icon would not appear and would need to be reset :slight_smile:

We uninstalled Spybot, rebooted, ran the fixlist, and it rebooted again. The dialogs are still popping up on boot and here is the latest fixlog.txt

That is intriguing as FRST is reporting the keys not found

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

I may not be able to get the latest instructions carried out for another 1-2 days. I have not given up on your help and I will report back when I get a chance to run ComboFix.