Avast blocked by group policy.

Hi there!

I’m currently trying to fix a PC for a friend and I’m receiving the error that “Avast! is blocked by group policy.” I received this after having the software installed, updated, and running for about 2 days. I’ve done some research and I keep finding that the fixes are for specific machines. So I am starting my own thread. I’ve run FRST and have the 3 logs attached. Any help would be greatly appreciated.

Also, why did this happen? I know the machine is riddled with viruses, malware, spyware, etc. But what exactly happened? Did something alter the system so that I couldn’t run it any longer? Is there a specific virus I should be looking for?

-b

MBAM has a GPO set to it…


HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION

If you chillax for a second, I shall grab someone for you.

Well, I’ve PM’d Essexboy for you.

You’re riddled with infections. I’ve started deciphering that log, and can generally see your issue…

Let me know how it is behaving after this.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
Winlogon\Notify\ivijios-x32: C:\Users\cat\AppData\Local\ivijios.dll ()
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-2709139021-2172860651-1839205178-1001\...\Run: [MantErna] => regsvr32.exe "C:\ProgramData\MantErna\MantErna.dat"
HKU\S-1-5-21-2709139021-2172860651-1839205178-1001\...\Run: [DogyAzbad] => regsvr32.exe "C:\ProgramData\DogyAzbad\DogyAzbad.dat"
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL =
SearchScopes: HKCU - {3980ED25-5F07-4214-9661-0C41FC17DD47} URL =
SearchScopes: HKCU - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL =
SearchScopes: HKCU - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL =
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
S4 AlotService; C:\Users\cat\AppData\LocalLow\alotservice\alotservice.exe [252264 2012-05-10] (Vertro Inc.)
2014-11-05 11:56 - 2014-11-05 11:56 - 00023552 _____ () C:\Users\cat\AppData\Local\ivijios.dll
2014-11-05 11:56 - 2014-11-05 11:56 - 00000000 ____D () C:\ProgramData\DogyAzbad
2014-11-05 11:55 - 2014-11-05 11:55 - 00000000 ____D () C:\ProgramData\MantErna
2014-11-04 22:57 - 2014-11-04 22:57 - 00003462 _____ () C:\Windows\System32\Tasks\{AF162B3C-8558-4891-BFD1-962C44FA45A0}
2014-11-04 22:51 - 2014-11-04 22:51 - 00003104 _____ () C:\Windows\System32\Tasks\{33399D82-D04F-4898-A08F-98514A0076C5}
2014-10-30 19:35 - 2014-10-30 19:35 - 00008562 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-30 19:35 - 2014-10-30 19:35 - 00004224 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-30 19:35 - 2014-10-30 19:35 - 00000276 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-10-30 19:13 - 2014-11-04 02:27 - 00000000 ___HD () C:\e7b2273
2014-10-30 18:39 - 2014-10-30 18:39 - 00000019 _____ () C:\Windows\SysWOW64\2024DB~1.EXE
2014-10-28 21:22 - 2014-10-28 21:22 - 00000028 _____ () C:\Windows\SysWOW64\u
2014-10-28 21:12 - 2014-11-03 19:13 - 00013163 _____ () C:\Users\cat\AppData\Roaming\97583d21
2014-10-28 21:12 - 2014-11-03 19:12 - 00000016 _____ () C:\Users\cat\AppData\Roaming\97583d22
2014-10-28 21:10 - 2014-10-28 21:10 - 00000000 _____ () C:\Windows\system32\eewirw.dll
2014-11-03 09:30 - 2009-07-13 17:19 - 02648536 ___SH () C:\ProgramData\b0848f2jbh.exe
CustomCLSID: HKU\S-1-5-21-2709139021-2172860651-1839205178-1001_Classes\CLSID\{da37bfec-2e0b-40e1-888d-79a9fde0d7a4}\InprocServer32 -> C:\Windows\system32\dfshim.dll (Microsoft Corporation)
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.


  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, and describe how your computer is running now.
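As an added illustration that is not part of the thread or of the fix above: the "HKLM Group Policy restriction on software" entries in the fixlist are Software Restriction Policy path rules, which live under the standard SRP key in HKLM. This read-only PowerShell check lists those rules and flags any Disallowed rule that covers a security product folder; the vendor watch list and the function name are my own assumptions.

```powershell
# Added example, not from the thread. Read-only: it lists SRP path rules and removes nothing.
# Assumes an elevated PowerShell on the affected machine. $SecurityVendors is a constructed
# watch list built from the folders named in the FRST log; extend it as needed.
$SecurityVendors = @('AVAST Software', 'Malwarebytes', 'Symantec Shared')
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP keeps one numeric subkey per security level; 0 is "Disallowed", 262144 is "Unrestricted".
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Basic User'
                 131072 = 'Normal User'; 262144 = 'Unrestricted' }

function Get-SrpPathRule {
    if (-not (Test-Path $SaferRoot)) {
        Write-Warning 'No SRP CodeIdentifiers key present; no path rules to report.'
        return
    }
    foreach ($levelKey in Get-ChildItem $SaferRoot -ErrorAction SilentlyContinue) {
        $level = $levelKey.PSChildName -as [int]
        if ($null -eq $level) { continue }            # skip non-level subkeys
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            # Each rule is a GUID subkey; ItemData holds the (possibly %VAR%-based) path.
            $target = (Get-ItemProperty $rule.PSPath -Name ItemData -ErrorAction SilentlyContinue).ItemData
            if (-not $target) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($target)
            $hit = $SecurityVendors | Where-Object { $expanded -like "*$_*" }
            [pscustomobject]@{
                Level       = $LevelNames[$level]
                RuleGuid    = $rule.PSChildName
                Path        = $expanded
                BlocksSecSw = [bool]$hit
            }
        }
    }
}

$rules = @(Get-SrpPathRule)
$rules | Format-Table -AutoSize
$suspect = $rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.BlocksSecSw }
if ($suspect) {
    Write-Warning "Disallowed SRP path rules cover security software folders; this matches the 'blocked by group policy' symptom."
} else {
    Write-Output 'No Disallowed SRP path rules target the listed security vendors.'
}
```

Running it before and after the FRST fix shows whether the rules were actually removed; a rule at level Unrestricted is normal and is reported but not flagged.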

Ok, thanks much. Copied fixlist and have run FRST’s fix. It’s been running for about an hour or so, is there a general amount of time it usually takes? Or does it depend on the machine? I can see that it’s using resources from task manager, not frozen.

It depends on how long ago you last emptied the temporary files.

If it is still running then stop it, post the log and continue with ComboFix.

Ok, here’s the fixlog.

I think it should be mentioned that I am doing this remotely through TeamViewer. Hope that doesn’t matter.

I’ve run ComboFix. While unpacking I received the error about “hiv-backup.(?)” It got to the second “output folder: c\32788r22fwjfw” and appears to have frozen. It may have rebooted the machine. I’ve never used the program, so I’m not sure if it initiates a reboot.

When I can access the drive I’ll post the ComboFix log.

It appears that the shell has frozen. I can initiate a file transfer via TeamViewer, navigate her file system, and transfer files. But I have a frozen mouse pointer, no response from the OS, no Windows key, etc.

It will need a reboot.

The following happened before “It will need a reboot.” I will have her reboot.

I restarted a session of TeamViewer and was able to remote in. When I did, I received the error I’ve attached. The blue cmd window came up and the program started and tried to create a restore point and froze again. When I tried to remote in again, I was denied.

What do I do after it’s rebooted? I see a line above that says to not re-run ComboFix. Sorry for the flood of posts, I just want to keep you as updated as possible.

No problem, flood away. In that case could you run a fresh FRST scan for me please, and I will see if there is a blockage.

Ok, that may be a bit. Need to get her to reboot. Heads up.

She told me that her machine hadn’t frozen, but her internet was disconnected on the machine only. The combofix cmd window didn’t appear to be doing anything. She rebooted and everything started no problem.

Here are the logs from the new FRST scan.

I would like to re-run the FRST fix again as it did not take last time; I have removed the empty temp element this time.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
Winlogon\Notify\ivijios-x32: C:\Users\cat\AppData\Local\ivijios.dll ()
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-2709139021-2172860651-1839205178-1001\...\Run: [MantErna] => regsvr32.exe "C:\ProgramData\MantErna\MantErna.dat"
HKU\S-1-5-21-2709139021-2172860651-1839205178-1001\...\Run: [DogyAzbad] => regsvr32.exe "C:\ProgramData\DogyAzbad\DogyAzbad.dat"
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL =
SearchScopes: HKCU - {3980ED25-5F07-4214-9661-0C41FC17DD47} URL =
SearchScopes: HKCU - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL =
SearchScopes: HKCU - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL =
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
S4 AlotService; C:\Users\cat\AppData\LocalLow\alotservice\alotservice.exe [252264 2012-05-10] (Vertro Inc.)
2014-11-05 11:56 - 2014-11-05 11:56 - 00023552 _____ () C:\Users\cat\AppData\Local\ivijios.dll
2014-11-05 11:56 - 2014-11-05 11:56 - 00000000 ____D () C:\ProgramData\DogyAzbad
2014-11-05 11:55 - 2014-11-05 11:55 - 00000000 ____D () C:\ProgramData\MantErna
2014-11-04 22:57 - 2014-11-04 22:57 - 00003462 _____ () C:\Windows\System32\Tasks\{AF162B3C-8558-4891-BFD1-962C44FA45A0}
2014-11-04 22:51 - 2014-11-04 22:51 - 00003104 _____ () C:\Windows\System32\Tasks\{33399D82-D04F-4898-A08F-98514A0076C5}
2014-10-30 19:35 - 2014-10-30 19:35 - 00008562 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-30 19:35 - 2014-10-30 19:35 - 00004224 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-30 19:35 - 2014-10-30 19:35 - 00000276 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-10-30 19:13 - 2014-11-04 02:27 - 00000000 ___HD () C:\e7b2273
2014-10-30 18:39 - 2014-10-30 18:39 - 00000019 _____ () C:\Windows\SysWOW64\2024DB~1.EXE
2014-10-28 21:22 - 2014-10-28 21:22 - 00000028 _____ () C:\Windows\SysWOW64\u
2014-10-28 21:12 - 2014-11-03 19:13 - 00013163 _____ () C:\Users\cat\AppData\Roaming\97583d21
2014-10-28 21:12 - 2014-11-03 19:12 - 00000016 _____ () C:\Users\cat\AppData\Roaming\97583d22
2014-10-28 21:10 - 2014-10-28 21:10 - 00000000 _____ () C:\Windows\system32\eewirw.dll
2014-11-03 09:30 - 2009-07-13 17:19 - 02648536 ___SH () C:\ProgramData\b0848f2jbh.exe
CustomCLSID: HKU\S-1-5-21-2709139021-2172860651-1839205178-1001_Classes\CLSID\{da37bfec-2e0b-40e1-888d-79a9fde0d7a4}\InprocServer32 -> C:\Windows\system32\dfshim.dll (Microsoft Corporation)
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

That one ran for about 4 minutes and finished. Here is the log.

Avast and MBAM should now run. We will now clear the adware and take a fresh look with FRST. How is the computer behaving at the moment?

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

THEN

Run a fresh FRST scan and attach the logs :)