I’m getting Avast blocked by group policy on my home PC. I've done some basic poking around but don't really understand how to go about getting rid of whatever is causing this. It's also blocked System Restore, which I got back by running Registry Editor and unlocking it; however, it has removed all my prior restore points. I’m at a loss as to what to do next, any advice?
Follow the instructions and ATTACH the logs to your next post:
https://forum.avast.com/index.php?topic=53253.0
Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0
Just run FRST initially and I will use that to get Avast back up and running.
Please download Farbar Recovery Scan Tool and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
- Right-click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
- Select Additions at the bottom.
- Press the Scan button.
https://dl.dropboxusercontent.com/u/73555776/frst.JPG
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach both logs generated.
It's scanning now; I will post logs as soon as scans are complete. So far there are loads of detected items in Malwarebytes. I guess this is what I get for letting my mother-in-law use this laptop; I swear she breaks everything she touches.
Should I stop this scan and just run FRST?
- :-X ;D
- Essexboy will tell you…
Complete with MBAM, seeing as you have started; once done, run FRST and attach all logs.
Logs are attached. I haven't taken any actions to clean or remove anything yet.
OK, Adware City… I see you are running THREE antiviruses: Comodo, Avast and Trend Micro. Two of these will need to go. More is not better.
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
```
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software\Avast <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro\Titanium <====== ATTENTION
ShortcutTarget: FancyStart daemon.lnk -> C:\Windows\Installer\{C944B4C5-1C4D-4D95-8AC0-7CEF13914131}\_77B5857C27147149171BE7.exe ()
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={17153397-CA55-11E2-B11C-10BF48033E4C}
SearchScopes: HKLM-x32 - DefaultScope {E7D9ED11-9085-4FE4-BF0A-5D6F482BC1AB} URL =
SearchScopes: HKLM-x32 - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={17153397-CA55-11E2-B11C-10BF48033E4C}
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?ctid=CT3320569&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SPB22C78CE-0BEB-4CF5-B34C-6A0F288AA84A&q={searchTerms}&SSPV=
SearchScopes: HKCU - {8EEAC88A-079B-4b2c-80C1-7836F79EB40A} URL = http://us.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo
SearchScopes: HKCU - {E7D9ED11-9085-4FE4-BF0A-5D6F482BC1AB} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3304783&CUI=UN42909943661554224&UM=2
SearchScopes: HKCU - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://mysearch.sweetpacks.com?src=6&q={searchTerms}&barid={17153397-CA55-11E2-B11C-10BF48033E4C}&crg=3.5000006.10042&st=23
BHO-x32: Shopping Assistant Plugin -> {1631550F-191D-4826-B069-D9439253D926} -> C:\Program Files (x86)\PriceGong\2.6.4\PriceGongIE.dll (PriceGong)
BHO-x32: No Name -> {2CEBF6C7-2B40-469B-B5D5-CD3F3676C3C4} -> No File
BHO-x32: Funmoods Helper Object -> {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} -> C:\PROGRA~2\Funmoods\1.5.23.22\bh\escort.dll No File
BHO-x32: Define -> {B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} -> C:\Users\Derek\AppData\Local\DefineExt\temp.dat No File
BHO-x32: SweetPacks Browser Helper -> {EEE6C35C-6118-11DC-9C72-001320C79847} -> C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKLM-x32 - Funmoods Toolbar - {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - C:\PROGRA~2\Funmoods\1.5.23.22\escorTlbr.dll No File
Toolbar: HKLM-x32 - SweetPacks Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
FF user.js: detected! => C:\Users\Derek\AppData\Roaming\Mozilla\Firefox\Profiles\dtz74td9.default\user.js
FF SearchPlugin: C:\Users\Derek\AppData\Roaming\Mozilla\Firefox\Profiles\dtz74td9.default\searchplugins\conduit-search.xml
FF Extension: Ant Video Downloader - C:\Users\Derek\AppData\Roaming\Mozilla\Firefox\Profiles\dtz74td9.default\Extensions\anttoolbar@ant.com [2014-07-30]
FF Extension: Define Ext - C:\Program Files (x86)\Mozilla Firefox\extensions\zgvstddqqjlabihif@opvrjrelhkc.org [2013-09-07]
FF HKLM\...\Firefox\Extensions: [{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}] - C:\Program Files\Updater By SweetPacks\Firefox
FF HKLM\...\Firefox\Extensions: [{8E9E3331-D360-4f87-8803-52DE43566502}] - C:\Program Files\Updater By SweetPacks\Firefox
FF Extension: Freemake Video Downloader Plugin - C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Firefox [2012-09-24]
FF HKLM-x32\...\Firefox\Extensions: [{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}] - C:\Program Files\Updater By SweetPacks\Firefox
FF HKLM-x32\...\Firefox\Extensions: [{8E9E3331-D360-4f87-8803-52DE43566502}] - C:\Program Files\Updater By SweetPacks\Firefox
FF HKCU\...\Firefox\Extensions: [{8A9386B4-E958-4c4c-ADF4-8F26DB3E4829}] - C:\Program Files (x86)\PriceGong\2.6.4\FF
FF Extension: PriceGong - C:\Program Files (x86)\PriceGong\2.6.4\FF [2012-08-06]
CHR RestoreOnStartup: "hxxp://search.conduit.com/?ctid=CT3277370&SearchSource=48&CUI=UN21448024982487821&UM=2", "hxxp://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN41105631852184923&UM=2", "hxxp://search.conduit.com/?ctid=CT3316243&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP6A1CA703-7500-40DE-9BF2-E50464DF6D45"
CHR Extension: (Extutil) - C:\Users\Derek\AppData\Local\Temp\D7ADFCCA-EE7E-442C-9999-C4D14FEF360B [2014-02-22]
CHR Extension: (Managera) - C:\Users\Derek\AppData\Local\Temp\38fdaae5-8e0e-493c-88ec-e05c3be06e42 [2014-02-22]
CHR HKLM\...\Chrome\Extension: [bbjciahceamgodcoidkjpchnokgfpphh] - C:\Users\Derek\AppData\Local\funmoods.crx [2012-07-29]
CHR HKCU\...\Chrome\Extension: [adopjdgphfekoiecgklciallnajkpdgn] - C:\Users\Derek\AppData\Local\CRE\adopjdgphfekoiecgklciallnajkpdgn.crx [2013-08-21]
CHR HKCU\...\Chrome\Extension: [bbjciahceamgodcoidkjpchnokgfpphh] - C:\Users\Derek\AppData\Local\funmoods.crx [2012-07-29]
CHR HKLM-x32\...\Chrome\Extension: [adopjdgphfekoiecgklciallnajkpdgn] - C:\Users\Derek\AppData\Local\CRE\adopjdgphfekoiecgklciallnajkpdgn.crx [2013-08-21]
CHR HKLM-x32\...\Chrome\Extension: [bbjciahceamgodcoidkjpchnokgfpphh] - C:\Users\Derek\AppData\Local\funmoods.crx [2012-07-29]
CHR HKLM-x32\...\Chrome\Extension: [bkomkajifikmkfnjgphkjcfeepbnojok] - C:\Program Files (x86)\PriceGong\2.6.4\pricegong.crx [2012-03-18]
CHR HKLM-x32\...\Chrome\Extension: [bpegkgagfojjbcpkihigfmkojdmmimdf] - C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Chrome\Freemake.Plugin.Chrome.crx [2012-09-24]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2014-08-09 10:14 - 2014-08-09 10:14 - 00000000 ____D () C:\ProgramData\UpdateServer
2014-07-21 08:25 - 2014-07-21 08:25 - 00000000 ____D () C:\Users\Derek\AppData\Roaming\{c4a11e02-0bdb-33db-f62d-15320f1ca0b7}
2014-07-21 08:24 - 2014-07-21 08:24 - 00000000 ____D () C:\Users\Derek\AppData\Local\{c4a11e02-0bdb-33db-f62d-15320f1ca0b7}
HKU\S-1-5-21-3640260577-4127167766-859960011-1001\Software\Classes\.exe: => <===== ATTENTION!
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:
```
Save this as fixlist.txt in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double-click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete, click on "Clean".
- Confirm each time with OK.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner\[S1].txt as well.
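The "Group Policy restriction" lines that FRST flagged above are not real domain policy: on a home PC they are registry values an adware installer wrote under the Policies hives (Software Restriction Policy path rules for the antivirus folders, Chrome policy keys, the System Restore policy, and a per-user `.exe` class hijack). The fixlist removes them through FRST; the script below, an added example that is not part of the thread or of FRST, shows where those same locks live so you can confirm they are gone (run without switches) or strip them yourself (`-Remove`). It assumes a non-domain-joined home PC, so no legitimate administrator has set these, and that it runs elevated under the affected user profile so `HKCU` is the hive FRST reported as `HKU\<SID>`.

```powershell
# Added example, not from the thread. Enumerates the registry-based "policy"
# locks that FRST reports as ATTENTION lines and, with -Remove, deletes them.
# Run from an elevated PowerShell on the affected user's account.
# Assumption: home PC, not domain-joined, so none of these should exist.
param([switch]$Remove)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Kind, $Location, $Data) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Data = $Data })
}

# 1. Software Restriction Policy path rules under the "Disallowed" level (0).
#    FRST prints each rule's ItemData as "HKLM Group Policy restriction on software: <path>".
#    Every executable under such a path is refused, which is how Avast got "blocked by group policy".
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
if (Test-Path $srp) {
    foreach ($rule in Get-ChildItem $srp) {
        Add-Finding 'SRP disallowed path' $rule.PSPath (Get-ItemProperty $rule.PSPath).ItemData
        if ($Remove) { Remove-Item $rule.PSPath -Recurse -Force }
    }
}

# 2. Chrome policy keys (FRST: "CHR HKLM\SOFTWARE\Policies\Google: Policy restriction").
#    Chrome treats anything here as enterprise policy and will not let the user undo it.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\SOFTWARE\Policies\Google"
    if (Test-Path $key) {
        $subkeys = (Get-ChildItem $key -Recurse | Select-Object -ExpandProperty Name) -join '; '
        Add-Finding 'Chrome policy key' $key $subkeys
        if ($Remove) { Remove-Item $key -Recurse -Force }
    }
}

# 3. System Restore disabled by policy (the "blocked System Restore" symptom).
$sr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
if (Test-Path $sr) {
    $props = Get-ItemProperty $sr
    foreach ($name in 'DisableSR', 'DisableConfig') {
        if ($props.$name -eq 1) {
            Add-Finding 'System Restore policy' "$sr\$name" $props.$name
            if ($Remove) { Remove-ItemProperty $sr -Name $name -Force }
        }
    }
}

# 4. Per-user .exe class hijack (FRST: "HKU\<SID>\Software\Classes\.exe"). A clean
#    profile has no .exe key in HKCU; the real "exefile" handler lives in HKLM, and a
#    per-user override lets adware wrap every program the user launches.
$exeClass = 'HKCU:\Software\Classes\.exe'
if (Test-Path $exeClass) {
    Add-Finding '.exe class hijack' $exeClass (Get-ItemProperty $exeClass).'(default)'
    if ($Remove) { Remove-Item $exeClass -Recurse -Force }
}

if ($findings.Count -eq 0) { 'No policy locks found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it once before the FRST fix to see the same entries FRST lists, and again after the reboot: an empty result is the check that the locks are really gone. Removing the Chrome policy key needs a Chrome restart, and SRP rules stop applying to newly started processes only, so relaunch Avast rather than expecting an already-refused instance to recover.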
fixlog
adware cleaner
Am I good to try and run Avast again?
Yep, Avast should now function.
Also, which two antiviruses are you going to remove?
Now re-run MBAM and allow it to quarantine all it finds.
I’m removing Comodo now; I tried running that when Avast wouldn't work. What others are on the computer? I wasn't aware that there was another one other than Comodo and Avast.
You also have Trend Micro; it probably came with the computer.
There is a trend micro removal tool here http://esupport.trendmicro.com/solution/en-us/1037161.aspx?referral=1059018
Click this link to open it up Having problems removing Trend Micro?
Got them both removed and re-running scans now before I run Avast again. Since I know the in-law is going to use this computer again and I don't want to have to bother you guys again, can you recommend some sort of install blocker that will keep this from happening again?
Easy, create a limited user account for her and set restrictions.
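What a limited account buys you: a Standard user cannot write to Program Files or HKLM, so the bundled installers that put this adware on the machine would have hit a UAC prompt asking for your admin password instead of silently installing. The script below is an added example, not part of the thread: it creates the Standard account, checks it is not in Administrators, keeps UAC on, and re-enables System Restore with a fresh baseline point (the infection wiped the old ones). The account name `family` and the `C:` drive are assumptions; run it from an elevated PowerShell on your own admin account.

```powershell
# Added example, not from the thread. Sets up a Standard (non-admin) local
# account for the other household user, keeps UAC enabled so installs from
# that account need an administrator's password, and turns System Restore
# back on with a baseline restore point. Run elevated on the admin account.
# Assumptions: account name 'family', system drive C: (change to suit).
$Name = 'family'

# Create the account only if it does not already exist; net.exe sets
# $LASTEXITCODE to 0 when the user is found.
net user $Name > $null 2>$null
if ($LASTEXITCODE -ne 0) {
    net user $Name * /add          # '*' makes net.exe prompt for the password
    net localgroup Users $Name /add
}

# Make sure the account is not (and does not stay) an administrator.
if ((net localgroup Administrators) -match "^$Name\s*$") {
    net localgroup Administrators $Name /delete
}

# UAC must remain on: with EnableLUA=1 a Standard user is asked for an
# administrator's credentials on any elevation. Changing it takes effect after a reboot.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-ItemProperty $sys).EnableLUA -ne 1) {
    Set-ItemProperty $sys -Name EnableLUA -Value 1
    'UAC was off; re-enabled, reboot required.'
}

# Re-enable System Restore on the system drive and take a clean baseline.
# Windows 8 and later create at most one restore point per 24 hours by default.
Enable-ComputerRestore -Drive 'C:\'
Checkpoint-Computer -Description 'Clean baseline after malware cleanup' -RestorePointType 'MODIFY_SETTINGS'
Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description
```

Log in as the new account once and try to install something: the expected result is a credential prompt, not an install. Keep your own admin account for updates and installs only, so browsing and everyday use happen as a Standard user on both accounts.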
Didn't think about that. Thanks again for all your help; you guys are seriously awesome.
How is the computer behaving now ?
Everything seems to be back to normal. It's a lot faster and not lagging like it was; internet speed is also faster according to speedtest.net.