Avast blocked by group policy

Hi
My Avast blocked by group policy. This happened to me before with AVG and the problem was solved with the help of the forum.
I’ve already installed and run FRST64 and this is the txt. file I came up with.
I would ask for some help! thanks!

BTW, I can’t find any “attach” icon so I can attach the txt. file… How do I do it?

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

I have a friend's laptop that had Avast Endpoint Protection on it, but there was a problem with the installation. Well, the laptop became overrun with viruses, even CryptoWall. I’ve had a real hard time dealing with this because the Avast UI was blocked by Group Policy. I did a rescue disk boot scan which found and eliminated 494 PUP and malware files. Then I followed you guys' instructions to run Malwarebytes Anti-Malware, which removed another 300 detected objects. Finally I’ve run FRST64 and aswMBR and have attached the output files below. Can you help me get this running again?

Please be patient while I analyze your logs. Thank you.

One or more of the identified infections is a rootkit.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the rootkit has been identified and can be killed, because of how it exploits your system, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this rootkit, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can’t guarantee that it will be 100% secure afterwards.


Step #1 Fix with FRST
- Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
- Open Notepad.exe. Do not use any other text editor software;
- Copy and paste the contents inside the code-box to your Notepad:

Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKU\S-1-5-21-1931180291-2634211220-2304859528-500\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Users\Administrator\AppData\Roaming\sxxepxn\scfcifb\wow.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-1931180291-2634211220-2304859528-500\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
AppInit_DLLs: c:\PROGRA~2\OPTIMI~1\OPTPRO~2.DLL => c:\PROGRA~2\OPTIMI~1\OPTPRO~2.DLL File Not Found
AppInit_DLLs-x32: c:\progra~2\optimi~1\optpro~1.dll => "c:\progra~2\optimi~1\optpro~1.dll" File Not Found
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1931180291-2634211220-2304859528-500\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://search.conduit.com/?ctid=CT3324316&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SPFF3DD6CA-13F8-4B8E-B933-38F2A06E05FC&SSPV=
FF DefaultSearchEngine: Trovi search
FF SearchEngineOrder.3: Bing 
FF SelectedSearchEngine: Trovi search
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
2015-02-03 14:59 - 2015-02-03 14:59 - 00000000 ____D () C:\Program Files (x86)\PriicEoDownlooadder
2015-01-27 11:33 - 2015-02-02 15:59 - 00008632 _____ () C:\Users\Administrator\Desktop\HELP_DECRYPT.HTML
2015-01-27 11:33 - 2015-02-02 15:59 - 00004256 _____ () C:\Users\Administrator\Desktop\HELP_DECRYPT.TXT
2015-01-27 11:33 - 2015-02-02 15:59 - 00000300 _____ () C:\Users\Administrator\Desktop\HELP_DECRYPT.URL
2015-01-27 11:33 - 2015-01-27 11:33 - 00008528 _____ () C:\Users\Administrator\HELP_DECRYPT.HTML
2015-01-27 11:33 - 2015-01-27 11:33 - 00004204 _____ () C:\Users\Administrator\HELP_DECRYPT.TXT
2015-01-27 11:33 - 2015-01-27 11:33 - 00000272 _____ () C:\Users\Administrator\HELP_DECRYPT.URL
2015-01-27 11:32 - 2015-01-27 11:32 - 00008528 _____ () C:\Users\Administrator\Downloads\HELP_DECRYPT.HTML
2015-01-27 11:32 - 2015-01-27 11:32 - 00008528 _____ () C:\Users\Administrator\Documents\HELP_DECRYPT.HTML
2015-01-27 11:32 - 2015-01-27 11:32 - 00008528 _____ () C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-27 11:32 - 2015-01-27 11:32 - 00008528 _____ () C:\Users\Administrator\AppData\HELP_DECRYPT.HTML
2015-01-27 11:32 - 2015-01-27 11:32 - 00004204 _____ () C:\Users\Administrator\Downloads\HELP_DECRYPT.TXT
2015-01-27 11:32 - 2015-01-27 11:32 - 00004204 _____ () C:\Users\Administrator\Documents\HELP_DECRYPT.TXT
2015-01-27 11:32 - 2015-01-27 11:32 - 00004204 _____ () C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-27 11:32 - 2015-01-27 11:32 - 00004204 _____ () C:\Users\Administrator\AppData\HELP_DECRYPT.TXT
2015-01-27 11:32 - 2015-01-27 11:32 - 00000272 _____ () C:\Users\Administrator\Downloads\HELP_DECRYPT.URL
2015-01-27 11:32 - 2015-01-27 11:32 - 00000272 _____ () C:\Users\Administrator\Documents\HELP_DECRYPT.URL
2015-01-27 11:32 - 2015-01-27 11:32 - 00000272 _____ () C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.URL
2015-01-27 11:32 - 2015-01-27 11:32 - 00000272 _____ () C:\Users\Administrator\AppData\HELP_DECRYPT.URL
2015-01-27 11:31 - 2015-01-27 11:31 - 00008528 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.HTML
2015-01-27 11:31 - 2015-01-27 11:31 - 00004204 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.TXT
2015-01-27 11:31 - 2015-01-27 11:31 - 00000272 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.URL
2015-01-27 11:30 - 2015-01-27 11:30 - 00008528 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-27 11:30 - 2015-01-27 11:30 - 00004204 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-27 11:30 - 2015-01-27 11:30 - 00000272 _____ () C:\ProgramData\HELP_DECRYPT.URL
CMD: bitsadmin /reset /allusers
End

- Click on File > Save as…
  - Inside the File Name box type fixlist.txt
  - From the Save as type drop down list, choose All Files
  - Save the file to your Desktop;
- Re-run FRST.exe and click Fix;
- Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
- After the completion, a log will be produced;
- Attach the log in your next reply.


Required Log(s):
- FRST Fix Log

Regards,
Valinorum
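The fixlist above removes four classes of indicator from the log: a Software Restriction Policy rule disallowing the Avast folder, AppInit_DLLs entries pointing at missing files, per-user COM class entries (the rundll32/javascript: LocalServer32 that FRST flags as Poweliks and the AppData-hosted InprocServer32 it flags as ZeroAccess), and the CryptoWall HELP_DECRYPT ransom notes. The read-only PowerShell below is an added triage script, not part of this thread, FRST or Avast; it assumes the standard registry locations for SRP path rules, AppInit_DLLs and COM classes, and only reports, so it can be run on a similar machine before and after a fix to confirm what remains.

```powershell
# Added triage script (not from the thread or from FRST): lists the indicator
# classes the fixlist targets. Read-only; it changes nothing on the machine.
$findings = @()

# 1. Software Restriction Policy path rules. Level "0" in the key path means
#    Disallowed, which is how a "Group Policy restriction on software" blocks a folder.
foreach ($hive in 'HKLM', 'HKCU') {
    $base = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"
    if (Test-Path $base) {
        Get-ChildItem $base | ForEach-Object {
            $findings += "SRP disallow rule ($hive): $((Get-ItemProperty $_.PSPath).ItemData)"
        }
    }
}

# 2. AppInit_DLLs in the 64-bit and WOW64 views; flag entries whose file is gone,
#    like the optpro~*.dll entries in the log. (Assumes one path per value.)
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    $v = (Get-ItemProperty $key -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($v) {
        $state = if (Test-Path ($v.Trim('"'))) { 'present' } else { 'file not found' }
        $findings += "AppInit_DLLs: $v ($state)"
    }
}

# 3. Per-user COM class entries: a LocalServer32 that runs rundll32 with a
#    javascript: argument (the Poweliks pattern FRST flagged) or an InprocServer32
#    DLL living under the user's AppData (the ZeroAccess pattern FRST flagged).
Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($sub in 'LocalServer32', 'InprocServer32') {
        $val = (Get-ItemProperty "$($_.PSPath)\$sub" -ErrorAction SilentlyContinue).'(default)'
        if ($val -match 'rundll32.*javascript:') {
            $findings += "Poweliks-style $sub in $($_.PSChildName): $val"
        } elseif ($val -match '\\AppData\\') {
            $findings += "AppData-hosted $sub in $($_.PSChildName): $val"
        }
    }
}

# 4. The Chrome policy key the fixlist removes, and CryptoWall ransom notes.
if (Test-Path 'HKLM:\SOFTWARE\Policies\Google') {
    $findings += 'Chrome policy key present: HKLM\SOFTWARE\Policies\Google'
}
Get-ChildItem $env:USERPROFILE, $env:ProgramData -Recurse -Force -Include 'HELP_DECRYPT.*' `
    -ErrorAction SilentlyContinue | ForEach-Object { $findings += "Ransom note: $($_.FullName)" }

if ($findings) { $findings } else { 'No indicators of the classes seen in this thread were found.' }
```

Run it from an elevated PowerShell prompt as the affected user, since HKCU scans only cover the logged-on account.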

Thank you for the quick reply. I have advised the owner that the laptop needs to be completely reformatted and she and her employees need to change their online passwords. I also told them to change the passwords on all the machines in the vet's office. And thank you for your help.

It is a CryptoWall infection.

Zeroaccess is there as well.

The laptop was so messed up the people at the vet's had stopped using it. They never complained of missing files, but the CryptoWall popups were installed all over. I removed and quarantined those, but never saw any files that could not be opened. I immediately turned off its wireless card antenna and left it that way until I ran the Malwarebytes software. After that I put it in an isolated network that could go out to the internet. But yes, CryptoWall had been installed, but I think the level of infection from so many viruses interfered with each other.

Can somebody give me the fix file?
Here goes my FRST txt. file (attached).

Addition file attached

As you didn’t reply in time, your topic got hijacked. :wink: Wait a bit…

Perform Step 1 and post the log.

Excuse me Valinorum, but were the last post's instructions for me?

Cheers

Either way, here goes the Fixlog!

Cheers