"This program is blocked by group policy"

Lately, I’ve been having issues when trying to run anything as administrator, or download anything. For example, while trying to download Microsoft’s Silverlight, I constantly get the “This program is blocked by group policy” error. I understand this is usually related to rootkits, but after scanning with avast and searching the registry, I found nothing. I am the system administrator for this PC, yet I don’t have the permissions. Please help!

Follow this guide and attach MBAM, aswMBR and FRST. (Run MBAM first, then anything after)

https://forum.avast.com/index.php?topic=53253.0

I attempted to download MBam and aswMBR, but when I did it said the action was blocked by group policy. I was able to download FRST, though.

Odd, usually the Group Policies show in the logs.

Seems you have adware on the system.

Remover Notified.

(Note: It may take a while before they show. They are asleep, or heading there soon!)

Hi, your HOST file has been suborned, so we will fix that. After the FRST fix you should have no problem downloading AdwCleaner.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKLM-x32\...\Run: [ChromeHelper] => C:\Program Files (x86)\Common Files\ChromeHelper\ChromeHelper.exe [737568 2014-05-08] ()
HKU\S-1-5-21-1146722121-1527258221-492997677-1002\...\Run: [Search Protection] => C:\Users\Skyler\AppData\Roaming\Search Protection\SP.EXE [1128760 2014-12-11] ()
HKLM-x32\...\Run: [BService] => C:\Program Files (x86)\Bench\BService\1.1\bservice.exe
HKLM-x32\...\Run: [BService64] => C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe [110592 2014-09-29] ()
HKLM-x32\...\Run: [Wd] => C:\Program Files (x86)\Bench\Wd\wd.exe [92672 2014-09-29] ()
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => "C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll" File Not Found
Startup: C:\Users\Skyler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk
ShortcutTarget: MyPC Backup.lnk -> C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe (MyPCBackup.com)
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKU\S-1-5-21-1146722121-1527258221-492997677-1002 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Browser Warden BHO -> {2C09954F-CDA8-4BD1-8794-1D543E050378} -> C:\Program Files (x86)\Browser Warden\FrameworkBHO64.dll ()
BHO: No Name -> {59A062A1-5ECA-4a1a-BC44-B2A9283A8ACB} -> No File
O-x32: Browser Warden BHO -> {2C09954F-CDA8-4BD1-8794-1D543E050378} -> C:\Program Files (x86)\Browser Warden\FrameworkBHO.dll ()
BHO-x32: No Name -> {59A062A1-5ECA-4a1a-BC44-B2A9283A8ACB} -> No File
Toolbar: HKLM - No Name - {C95A4E8E-816D-4655-8C79-D736DA1ADB6D} - No File
FF NewTab: hxxp://search.conduit.com/?gd=&ctid=CT3326239&octid=EB_ORIGINAL_CTID&ISID=M825E64F1-984C-4DD4-B574-E682E0D31066&SearchSource=69&CUI=&SSPV=&Lay=1&UM=2&UP=SP0D9C6124-A830-4D74-8E0D-538AAB9AEC3D
FF Homepage: hxxp://www.trovi.com/?gd=&ctid=CT3325163&octid=EB_ORIGINAL_CTID&ISID=M74BC956E-C8E1-4CF7-A2E4-DB9E834796AB&SearchSource=55&CUI=&UM=5&UP=SP0D9C6124-A830-4D74-8E0D-538AAB9AEC3D&SSPV=
FF NetworkProxy: "ftp", "218.244.235.166"
FF NetworkProxy: "ftp_port", 80
FF NetworkProxy: "http", "218.244.235.166"
FF NetworkProxy: "http_port", 80
FF NetworkProxy: "socks", "218.244.235.166"
FF NetworkProxy: "socks_port", 80
FF NetworkProxy: "ssl", "218.244.235.166"
FF NetworkProxy: "ssl_port", 80
FF SearchPlugin: C:\Users\Skyler\AppData\Roaming\Mozilla\Firefox\Profiles\e2v2leu9.default\searchplugins\trovi-search.xml
FF HKLM-x32\...\Firefox\Extensions: [extension@Convert_Files_for_Free.com] - C:\Program Files (x86)\Convert Files for Free\extension@Convert_Files_for_Free.com
S2 BackupStack; C:\Program Files (x86)\MyPC Backup\BackupStack.exe [36936 2014-10-13] (Just Develop It) <==== ATTENTION
R2 pcregservice; C:\Program Files\pcreg\pcreg.exe [249024 2014-04-25] ()
2014-12-10 10:54 - 2014-12-10 10:54 - 00029730 _____ () C:\Users\Skyler\Downloads\dantooinejedirobes.zip
2014-11-27 14:10 - 2009-05-22 16:02 - 00281088 _____ (QwertyLab) C:\Users\Skyler\Downloads\runassystem.exe
2014-11-27 14:09 - 2014-11-27 14:09 - 00126083 _____ () C:\Users\Skyler\Downloads\runassystem.zip
C:\ProgramData\SetStretch.exe
C:\ProgramData\SetStretch.VBS
C:\Users\Skyler\jagex_cl_oldschool_LIVE.dat
C:\Users\Skyler\jagex_cl_runescape_LIVE.dat
C:\Users\Skyler\random.dat
C:\Program Files (x86)\MyPC Backup
C:\Program Files (x86)\Bench
C:\PROGRA~2\SearchProtect
Hosts:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

Ran the fix perfectly. FRST rebooted PC. Still can’t download any new files, like you suggested. When I try to download them, it says “Your system administrator has blocked this program. For more information, contact your system administrator.” Fixlog is attached.

Post a fresh FRST Log.

This is why you still can’t download files:

“C:\Windows\System32\Drivers\etc\hosts” => Could not move.
Could not reset Hosts.

Just scanned, new attachments.

I wonder if I can remove the bad line. If this does not work, I will move on to a stronger tool.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

Hosts: 54.225.95.126 hjjjegfhiceggepdokloeepnhlfnedkk
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
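
An added example, not part of the original thread: a read-only Python check that lists every active hosts-file mapping other than the stock localhost entry, so a leftover line such as the one named in the fixlist above can be confirmed before and after a fix. The sample text is constructed apart from the one mapping quoted in the thread, and the function name and verdict labels are this example's own.

```python
import ipaddress

# Constructed sample: a stock-style hosts file plus the mapping quoted in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1 localhost
0.0.0.0 ads.example.invalid   # constructed sinkhole entry
54.225.95.126 hjjjegfhiceggepdokloeepnhlfnedkk
"""

DEFAULT_NAMES = {"localhost"}  # names a clean hosts file may map to loopback


def audit_hosts(text):
    """Return (line_no, address, names, verdict) for each non-default mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None
        if ip is None or not names:
            findings.append((line_no, addr, names, "malformed"))
        elif ip.is_loopback or ip.is_unspecified:
            # Name pointed at the local machine: resolution is being blocked.
            extra = [n for n in names if n.lower() not in DEFAULT_NAMES]
            if extra:
                findings.append((line_no, addr, extra, "sinkholed"))
        else:
            # Name pointed at some other host: resolution is being redirected.
            findings.append((line_no, addr, names, "redirected"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

To check a real machine, pass the contents of C:\Windows\System32\Drivers\etc\hosts to `audit_hosts` instead of the sample; an empty result means only the stock entries remain.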