Avast blocked by group policy

Hi, my computer is slow and sluggish. I cannot access Avast and other malware programs because of a message “blocked by group policy”. Sometimes I also get error messages saying “powershell stopped”. YouTube videos don’t start in Mozilla. I am trying to get the computer working normally again. Any help is appreciated.
Enclosed are the two Farbar txt files.
Thanks a lot.

Monitoring.

Hi thoangela,

My name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:

  • Please do not create any new threads on this while we are working on your system, as it wastes another volunteer’s time. If you are being helped / have solved the issue / no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
  • Please do not install any new software while we are working on this system, as it may hinder our process.
  • Malware removal is a complicated process, so don’t stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
  • Please do not try to fix anything without being asked.
  • Please print or save the instructions I give you for quick reference. We may be using Safe mode, which will cut you off from the internet, and you will not always be able to access this thread.
  • Back up your data. I will not knowingly suggest to you any course that might damage your system, but sometimes malware infections are so severe that the only option we have is to re-format and re-install the operating system.
  • If you are confused about any instruction, stop and ask. Do not keep on going.
  • Do not repeat the steps if you face any problems.
  • I am not omniscient. There are things even I cannot foresee. But what I know took years to learn and to perfect. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
  • Private Message (PM) me if and only if I have not responded to your thread within three days or your query is off-topic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
  • The fixes are for your system only. Please refrain from using these fixes on other systems, as it may do serious damage.

Uninstall Spybot - Search & Destroy for now. Also, what have you been doing with your PC to infect it to this extent?


  • Step #1 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    - Open Notepad.exe. Do not use any other text editor software;
    - Copy and Paste the contents inside the code-box to your Notepad:
Start
Closeprocesses:
Emptytemp:
C:\Users\katzen3\AppData\Roaming\Baanums\dauxluz.exe
C:\Users\katzen3\AppData\Roaming\Baanums\dauxluz.exe
C:\Windows\Installer\{B6164F89-07B1-4875-86FA-C1459D148F7E}\msiexec.exe
HKLM\...\Run: [.tluafed** <*>] => C:\Users\katzen3\Application Data\{0000769B-696F-7A9A-D3E8-982D2FD60C58}.ex <===== ATTENTION (Value Name with invalid characters)
C:\Users\katzen3\Application Data\{0000769B-696F-7A9A-D3E8-982D2FD60C58}.ex
HKLM\...\Run: [Gurop] => C:\Users\katzen3\AppData\Roaming\Baanums\dauxluz.exe [291525 2014-11-05] ()
HKLM-x32\...\Run: [Gurop] => C:\Users\katzen3\AppData\Roaming\Baanums\dauxluz.exe [291525 2014-11-05] ()
HKLM-x32\...\Run: [CrashReportSaver] => C:\Windows\Installer\{B6164F89-07B1-4875-86FA-C1459D148F7E}\msiexec.exe [1157120 2014-11-04] ()
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\McAfee <====== ATTENTION
Winlogon\Notify\ivijios-x32: C:\Users\katzen3\AppData\Local\ivijios.dll ()
Winlogon\Notify\mavziuz-x32: C:\Users\katzen3\AppData\Local\mavziuz.dll ()
HKLM\...\Policies\Explorer\Run: [{13ba1a01-da48-805d-8338-820486a62f70}] => "C:\Users\katzen3\AppData\Local\Microsoft\{13ba1a01-da48-805d-8338-820486a62f70}\{13ba1a01-da48-805d-8338-820486a62f70}.exe" No File
C:\Users\katzen3\AppData\Local\Microsoft\{13ba1a01-da48-805d-8338-820486a62f70}\{13ba1a01-da48-805d-8338-820486a62f70}.exe
HKU\S-1-5-21-3651347504-2686705820-778402691-1000\...\Run: [KekoVladq] => regsvr32.exe "C:\ProgramData\KekoVladq\KekoVladq.dat"
HKU\S-1-5-21-3651347504-2686705820-778402691-1000\...\Run: [UocmUjeqg] => regsvr32.exe "C:\ProgramData\UocmUjeqg\UocmUjeqg.dat"
C:\ProgramData\KekoVladq\KekoVladq.dat
C:\ProgramData\UocmUjeqg\UocmUjeqg.dat
HKU\S-1-5-21-3651347504-2686705820-778402691-1000\...\Run: [QenidAtake] => regsvr32.exe "C:\ProgramData\QenidAtake\QenidAtake.dat"
C:\ProgramData\QenidAtake\QenidAtake.dat
HKU\S-1-5-21-3651347504-2686705820-778402691-1000\...\Run: [KuceGzud] => regsvr32.exe "C:\ProgramData\KuceGzud\KuceGzud.dat"
C:\ProgramData\KuceGzud\KuceGzud.dat
HKU\S-1-5-21-3651347504-2686705820-778402691-1000\...\Run: [AozjoHmajl] => regsvr32.exe "C:\ProgramData\AozjoHmajl\AozjoHmajl.dat"
C:\ProgramData\AozjoHmajl\AozjoHmajl.dat
HKU\S-1-5-21-3651347504-2686705820-778402691-1000\...\Run: [USB Adapter Updater] => C:\ProgramData\USB Adapter Updater\ndtcrvgiu.exe [305664 2014-11-05] ()
C:\ProgramData\USB Adapter Updater\ndtcrvgiu.exe
HKU\S-1-5-21-3651347504-2686705820-778402691-1000\...\Run: [Gurop] => C:\Users\katzen3\AppData\Roaming\Baanums\dauxluz.exe [291525 2014-11-05] ()
HKU\S-1-5-21-3651347504-2686705820-778402691-1000\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-3651347504-2686705820-778402691-1000\...\MountPoints2: E - E:\Imageviewer.exe
HKU\S-1-5-21-3651347504-2686705820-778402691-1000\...\MountPoints2: {85760917-edb4-11e0-bec8-0025647f0bcf} - E:\LaunchU3.exe -a
HKU\S-1-5-21-3651347504-2686705820-778402691-1000\...\MountPoints2: {885b59cf-2e47-11df-8ea5-0025647f0bcf} - E:\Imageviewer.exe
HKU\S-1-5-21-3651347504-2686705820-778402691-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-18\...\RunOnce: [DeleteEngineAfterUpdate] => reg DELETE HKCU\Software\AppDataLow\Software\ConduitEngine /f
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => "C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll" File Not Found
C:\PROGRA~2\SearchProtect
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Hosts:
2014-11-05 12:01 - 2014-11-05 12:01 - 00000054 _____ () C:\Windows\SysWOW64\Ÿ
2014-11-05 08:08 - 2014-11-05 08:08 - 00000054 _____ () C:\Windows\SysWOW64\M
2014-11-04 18:27 - 2014-11-04 18:27 - 00000000 ____D () C:\Users\katzen3\AppData\Roaming\Apviwo
2014-11-04 18:27 - 2013-07-26 07:14 - 00291525 _____ () C:\Windows\SysWOW64\usepsoe.exe
2014-11-04 18:26 - 2014-11-05 16:32 - 00000153 _____ () C:\Users\katzen3\AppData\Local\svcxdcl32.dat
2014-11-04 18:26 - 2014-11-04 18:26 - 00023552 _____ () C:\Users\katzen3\AppData\Local\ivijios.dll
2014-11-04 18:26 - 2014-11-04 18:26 - 00000000 ____D () C:\ProgramData\KekoVladq
2014-11-04 13:37 - 2014-11-04 13:40 - 00000000 ____D () C:\Users\katzen3\AppData\Roaming\Uxvali
2014-11-04 01:48 - 2014-11-04 01:48 - 00000000 ____D () C:\ProgramData\UocmUjeqg
2014-11-04 01:48 - 2014-11-04 01:48 - 00000000 ____D () C:\ProgramData\QenidAtake
2014-11-04 00:13 - 2014-11-04 00:13 - 00002964 _____ () C:\Windows\System32\Tasks\{7859BD29-2F6E-4FF9-A8FB-FDB8006C3821}
2014-11-04 00:12 - 2014-11-04 00:12 - 00002964 _____ () C:\Windows\System32\Tasks\{BF99F5BE-2DD1-4B11-AB2D-1497684473BA}
2014-11-04 00:12 - 2014-11-04 00:12 - 00002964 _____ () C:\Windows\System32\Tasks\{882041DA-9DC9-443D-96AA-8F7F4C43839D}
2014-11-03 23:55 - 2014-11-03 23:55 - 00006656 __RSH () C:\Users\katzen3\AppData\Roaming\{0000769B-696F-7A9A-D3E8-982D2FD60C58}.exe
2014-11-02 06:37 - 2014-11-04 20:43 - 00000000 ____D () C:\Users\katzen3\AppData\Roaming\Bulyuhu
2014-11-02 06:37 - 2014-11-02 13:41 - 00000000 ____D () C:\Users\katzen3\AppData\Roaming\Nyipucq
2014-11-02 06:37 - 2012-10-06 04:10 - 00292029 _____ () C:\Windows\SysWOW64\inzeeg.exe
2014-11-02 06:37 - 2012-10-03 06:07 - 00292029 _____ () C:\Windows\SysWOW64\hemiibdada.exe
2014-11-02 06:35 - 2014-11-02 06:35 - 00023552 _____ () C:\Users\katzen3\AppData\Local\mavziuz.dll
2014-11-02 06:35 - 2014-11-02 06:35 - 00000144 _____ () C:\Windows\SysWOW64\Ä
2014-11-02 06:35 - 2014-11-02 06:35 - 00000000 ____D () C:\ProgramData\KuceGzud
2014-11-02 06:35 - 2014-11-02 06:35 - 00000000 ____D () C:\ProgramData\AozjoHmajl
2014-11-01 08:44 - 2014-11-05 13:43 - 00000761 _____ () C:\Windows\system32\Drivers\etc\hosts.txt
2014-11-01 08:44 - 2014-11-01 08:44 - 00000124 _____ () C:\Windows\SysWOW64\º
2014-11-01 08:25 - 2014-11-01 08:25 - 00008564 _____ () C:\Users\katzen3\Documents\DECRYPT_INSTRUCTION.HTML
2014-11-01 08:25 - 2014-11-01 08:25 - 00004226 _____ () C:\Users\katzen3\Documents\DECRYPT_INSTRUCTION.TXT
2014-11-01 08:25 - 2014-11-01 08:25 - 00000278 _____ () C:\Users\katzen3\Documents\INSTALL_TOR.URL
2014-10-31 16:04 - 2014-10-31 16:04 - 00008564 _____ () C:\Users\katzen3\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-31 16:04 - 2014-10-31 16:04 - 00008564 _____ () C:\Users\katzen3\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-31 16:04 - 2014-10-31 16:04 - 00004226 _____ () C:\Users\katzen3\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-31 16:04 - 2014-10-31 16:04 - 00004226 _____ () C:\Users\katzen3\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-31 16:04 - 2014-10-31 16:04 - 00000278 _____ () C:\Users\katzen3\AppData\Roaming\INSTALL_TOR.URL
2014-10-31 16:04 - 2014-10-31 16:04 - 00000278 _____ () C:\Users\katzen3\AppData\INSTALL_TOR.URL
2014-10-31 13:34 - 2014-10-31 13:34 - 00008562 _____ () C:\Users\katzen3\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-31 13:34 - 2014-10-31 13:34 - 00004224 _____ () C:\Users\katzen3\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-31 13:34 - 2014-10-31 13:34 - 00000276 _____ () C:\Users\katzen3\AppData\Local\INSTALL_TOR.URL
2014-10-31 13:27 - 2014-10-31 13:27 - 00008562 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-31 13:27 - 2014-10-31 13:27 - 00004224 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-31 13:27 - 2014-10-31 13:27 - 00000276 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-11-05 19:50 - 2011-12-16 15:55 - 00000354 _____ () C:\Windows\Tasks\At40.job
C:\Windows\Tasks\At*.job
C:\ProgramData\YeS5u0.dat
C:\Users\katzen3\Ie.reg
DeleteJunctionsIndirectory: C:\Windows\system64
End
    - Click on File > Save as...
    - Inside the File Name box type fixlist.txt
    - From the Save as type drop down list, choose All Files
    - Save the file to your Desktop;
    - Re-run FRST.exe and click Fix;
      - Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    - After the completion, a log will be produced;
    - Attach the log in your next reply.

  • Step #2 Run ComboFix
    Download ComboFix by sUBs from one of the suitable locations listed below and save it to your Desktop.
    Download Link #1
    Download Link #2
    Download Link #3
    Warning: Please acknowledge this warning beforehand. The tool, ComboFix, is an extremely powerful malware removal tool, if not one of the most powerful tools ever created. In the hands of an inept person, or through a simple mistake, it can render your machine un-bootable. Peruse every step I listed below unless you want a dreadful occurrence.

    - Disable your security software. For more information, peruse this thread: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
    - Right-click and choose Run as administrator to run the program.
    - As a built-in process, ComboFix will check if your system has Microsoft Windows Recovery Console installed. Let ComboFix download and install Microsoft Windows Recovery Console.
      - It requires an active internet connection.
      - If your system already has Microsoft Windows Recovery Console installed, this step will be skipped.
    - ComboFix will now scan your system for malware and will attempt to remove it.
      - Note: ComboFix performs fifty steps during this fix. Please be patient.
    - After the scan your system will reboot and a log will be produced. The log is automatically saved in C:\ComboFix.txt.
    - Attach the log in your next reply.

    Crucial Notes:
    - Do not mouse-click when ComboFix is running, as it may stall.
    - Do not re-run ComboFix if you face a problem. Ask for my instruction here.
    - ComboFix will make Internet Explorer your default browser and will change a number of different Internet Explorer settings.
    - ComboFix prevents autorun functions of all CD and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell me.
    - It is possible that ComboFix, even on its first run, may have fixed the problems you are having. We strongly suggest that you still post your log into the topic in which you are receiving help, as you most likely will have infections left over that your helper will need to analyze further.
    - ComboFix will disconnect your system from the internet as a security measure. The connection is automatically restored after the scan, but if it is not, it can be restored by rebooting the PC.

  • Step #3 Scan with RogueKiller
    - Download RogueKiller from one of the suitable links below to your Desktop.
      - Download link for 32 bit system
      - Download link for 64 bit system
    - Click on Scan;
    - The scan won’t take long;
    - Click on Report to open the log.
    - Attach the log in your next reply.


  • Required Log(s):
    - FRST Fix Log
    - ComboFix Log
    - RogueKiller Log

    Regards,
    Valinorum

Hi Valinorum,

Thanks for your reply and instructions yesterday. I was following your instructions yesterday in the evening. Running Farbar froze the computer, so I don’t think it ran through. I ran ComboFix, and it went through 50 steps and rebooted the computer, and RogueKiller, and I am attaching the requested files. The computer seems to be faster, but I still cannot open Avast or Malwarebytes because of the message “blocked by group policy”. Thanks for further instructions.

How long was FRST frozen? Re-do the FRST fix step. If it freezes for more than thirty minutes, I will provide an alternative script.

Hi Valinorum,

I got my video working in the Mozilla browser because it had to do with “Shockwave may be busy or may stopped responding”. I added a line in mms.cfg, “ProtectedMode=0”. There is an article “Flash plugin crashing problem in Firefox, finaly solved” on the web. I got Avast and Malwarebytes working again by editing the registry: Local machine/Software/Microsoft/Policies/Safer/Codeidentifiers/Path, and deleted the entries. Now it looks like everything is working. Thanks for your help and have a nice weekend.
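The registry entries the post above describes deleting, and the “HKLM Group Policy restriction on software” lines in the FRST fix, are Software Restriction Policy (SRP) path rules: a rule at security level 0 (Disallowed) whose target is a security product’s directory is what produces the “blocked by group policy” message. The PowerShell script below is an added example, not part of this thread and not code from FRST, ComboFix or the helper. It audits SRP path rules in both the machine and the user policy hives (the standard location is HKLM and HKCU under SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers), prints every rule with its level, target and last-modified time, and flags Disallowed rules whose target matches a vendor-directory pattern. The pattern list in $SuspiciousTargets is constructed from the directories named in the FRST log above, the -Remove switch and the script name in the usage comment are this example’s own, and an elevated Windows PowerShell 5.1 or later session is assumed.

```powershell
# Audit Software Restriction Policy (SRP) path rules, the mechanism behind the
# "blocked by group policy" message seen in this thread.
# Added example for this thread (not from FRST, ComboFix or the forum helper).
# Assumes Windows PowerShell 5.1+ in an elevated session; the vendor patterns
# below are a constructed list and should be adjusted to the products installed.
#
# Usage:  .\Audit-SrpPathRules.ps1            # report only
#         .\Audit-SrpPathRules.ps1 -Remove    # delete flagged rules (supports -WhatIf)
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# SRP keeps one subkey per security level under CodeIdentifiers, and each path
# rule under <level>\Paths\{GUID} with its target path in the ItemData value.
$SaferRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',  # machine policy
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'   # user policy
)
$LevelNames = @{ 0 = 'Disallowed'; 0x1000 = 'Untrusted'; 0x10000 = 'Constrained';
                 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }

# Constructed patterns: directories of the security products that the FRST log
# in this thread showed as blocked. Extend to match your installed products.
$SuspiciousTargets = @('*AVAST Software*', '*Malwarebytes*', '*McAfee*', '*Symantec*')

function Get-SrpPathRule {
    foreach ($root in $SaferRoots) {
        if (-not (Test-Path $root)) { continue }
        # Level subkeys are named by their decimal value, e.g. "0" or "262144".
        foreach ($levelKey in (Get-ChildItem $root | Where-Object { $_.PSChildName -match '^\d+$' })) {
            $level    = [int]$levelKey.PSChildName
            $pathsKey = Join-Path $levelKey.PSPath 'Paths'
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($ruleKey in Get-ChildItem $pathsKey) {
                $props = Get-ItemProperty -Path $ruleKey.PSPath
                [pscustomobject]@{
                    Hive         = $root.Substring(0, 4)
                    Level        = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] } else { '0x{0:X}' -f $level }
                    Target       = $props.ItemData
                    # LastModified is a FILETIME stored as REG_QWORD.
                    LastModified = if ($props.LastModified) { [DateTime]::FromFileTime($props.LastModified) } else { $null }
                    Key          = $ruleKey.PSPath
                }
            }
        }
    }
}

$rules = @(Get-SrpPathRule)
if ($rules.Count -eq 0) {
    Write-Output 'No SRP path rules are present; the block message comes from elsewhere.'
    return
}

foreach ($rule in $rules) {
    # A Disallowed rule whose target is a security product's directory is the
    # pattern seen in the FRST log above and is rarely legitimate on a home PC.
    $flagged = ($rule.Level -eq 'Disallowed') -and
               [bool]($SuspiciousTargets | Where-Object { $rule.Target -like $_ })
    $tag = if ($flagged) { 'SUSPICIOUS' } else { 'ok' }
    Write-Output ('[{0,-10}] {1} {2,-12} {3}  (modified {4})' -f $tag, $rule.Hive, $rule.Level, $rule.Target, $rule.LastModified)

    if ($flagged -and $Remove -and $PSCmdlet.ShouldProcess($rule.Target, 'Remove SRP path rule')) {
        Remove-Item -Path $rule.Key -Recurse
    }
}
```

Run it first without -Remove and read the full listing: Unrestricted rules for the Windows and Program Files directories are the normal defaults, and the LastModified timestamps make it easy to see which rules appeared at the same time as the other findings in the FRST log. On a domain-joined machine a Disallowed rule may be pushed deliberately by a Group Policy Object and will return at the next policy refresh, so compare the key against `gpresult /h report.html` before deleting anything; on a standalone home PC like the one in this thread, rules that block security-product directories have no legitimate source.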

Acknowledged.