Unable to start Avast - Blocked by group policy

Firstly, Hi to all the forum members!

I believe my computer was infected by a rootkit of some sort which has probably been removed now by the ESET online scanner (I didn't keep logs). However, the group policy issue has remained. I have tried removing Avast with the removal tool and re-installing, but it will not allow me to reinstall. I have my OTL log attached and RK logs.

Hope someone can help

Cheers
Chris

Hi,

Download TDSSKiller and save it to your desktop.

- Execute TDSSKiller.exe by double-clicking on it.
- Confirm the "End User Licence Agreement" and "KSN Statement" dialog boxes by clicking on the Accept button.
- Under Additional options check the boxes next to:
  - Verify Driver Digital Signature
  - Detect TDLFS file system
  - Use KSN to scan objects
- Press Start Scan.
- If a Suspicious object is detected, the default action will be Skip; click on Continue.
- If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.


Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Many thanks for the quick reply! Didn't find anything, but here is the log file.

Farbar tool ?

Ok, I've attached the log files from FARBAR.

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Start
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKU\S-1-5-21-165786774-502117087-1876469581-500\...\MountPoints2: {0f52f6c7-4b0d-11e3-a6c6-74d02b7fb370} - F:\SETUP.EXE
HKU\S-1-5-21-165786774-502117087-1876469581-500\...\MountPoints2: {f9333e50-4ae8-11e3-893c-806e6f6e6963} - E:\CD_menu.exe
C:\Users\Chris.BEAST_MACHINE\IP_Log_Data.js
C:\Users\Chris.BEAST_MACHINE\Network_Meter_Data.js
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:
End

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about an outdated version, please download and run the updated version.
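As an added example (not from this thread or from FRST itself), here is a PowerShell check a defender can run to audit the registry area that FRST reports as "HKLM Group Policy restriction on software": the Software Restriction Policy path rules. It assumes the standard SRP layout under CodeIdentifiers\<level>\Paths\<guid> with an ItemData value holding the path; the list of watched security-product folders is a constructed assumption.

```powershell
# Added example, not from this thread: audit Software Restriction Policy (SRP) path rules,
# the registry area FRST reports as "HKLM Group Policy restriction on software".
# Assumptions: standard SRP layout under HKLM\...\Safer\CodeIdentifiers\<level>\Paths\<guid>
# with an ItemData value holding the path; the watched folder names are a constructed list.
$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels, keyed by the numeric subkey name under CodeIdentifiers
$levels = @{
    '0'      = 'Disallowed'
    '4096'   = 'Untrusted'
    '65536'  = 'Constrained'
    '131072' = 'BasicUser'
    '262144' = 'Unrestricted'
}

# Install folders a defender would not expect to see in a Disallowed rule (constructed list)
$watchFolders = @('AVAST Software', 'Malwarebytes', 'ESET', 'Windows Defender')

function Get-SrpPathRules {
    if (-not (Test-Path $saferRoot)) { return @() }
    foreach ($levelKey in Get-ChildItem -Path $saferRoot) {
        $pathsKey = Join-Path -Path $levelKey.PSPath -ChildPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $props = Get-ItemProperty -Path $rule.PSPath
            $levelName = $levels[$levelKey.PSChildName]
            if (-not $levelName) { $levelName = $levelKey.PSChildName }
            [pscustomobject]@{
                Level    = $levelName
                Path     = [string]$props.ItemData
                RuleGuid = $rule.PSChildName
            }
        }
    }
}

# Flag Disallowed rules whose path covers one of the watched folders
$suspicious = foreach ($rule in Get-SrpPathRules) {
    if ($rule.Level -ne 'Disallowed') { continue }
    foreach ($folder in $watchFolders) {
        if ($rule.Path -like "*$folder*") { $rule; break }
    }
}

if ($suspicious) {
    Write-Warning 'SRP Disallowed rules cover security software folders (possible tampering):'
    $suspicious | Format-Table Level, Path, RuleGuid -AutoSize
} else {
    Write-Host 'No SRP Disallowed rules target the watched folders.'
}
```

Run it from an elevated prompt; a Disallowed rule whose path points at an antivirus install folder is the same condition FRST flagged with "<====== ATTENTION" above.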

Brilliant, it worked perfectly!! Many thanks for your help. Are there any further steps I need to take?

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-05-2014
Ran by Chris at 2014-05-04 11:55:11 Run:2
Running from C:\Users\Chris.BEAST_MACHINE\Desktop
Boot Mode: Normal

Content of fixlist:


Start
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
C:\Users\Chris.BEAST_MACHINE\IP_Log_Data.js
C:\Users\Chris.BEAST_MACHINE\Network_Meter_Data.js
CMD: DEL %TEMP%*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:
End


HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
C:\Users\Chris.BEAST_MACHINE\IP_Log_Data.js => Moved successfully.
C:\Users\Chris.BEAST_MACHINE\Network_Meter_Data.js => Moved successfully.

========= DEL %TEMP%*.* /F /S /Q =========

Deleted file - C:\Users\CHRIS~1.BEA\AppData\Local\Temp\AdobeARM.log
C:\Users\CHRIS~1.BEA\AppData\Local\Temp\FXSAPIDebugLogFile.txt
The process cannot access the file because it is being used by another process.
Deleted file - C:\Users\CHRIS~1.BEA\AppData\Local\Temp\jusched.log
Deleted file - C:\Users\CHRIS~1.BEA\AppData\Local\Temp\ntdll_dump.dll
Deleted file - C:\Users\CHRIS~1.BEA\AppData\Local\Temp\StructuredQuery.log
Deleted file - C:\Users\CHRIS~1.BEA\AppData\Local\Temp\Updater log for TuneUp (checkforupdates).txt
Deleted file - C:\Users\CHRIS~1.BEA\AppData\Local\Temp~DF20B5B994FC507662.TMP
Deleted file - C:\Users\CHRIS~1.BEA\AppData\Local\Temp~DF5DB3A88C1D3E344B.TMP
Deleted file - C:\Users\CHRIS~1.BEA\AppData\Local\Temp~DF9B1241A6FA1AD48D.TMP
Deleted file - C:\Users\CHRIS~1.BEA\AppData\Local\Temp~DFC3E569CF1384ADBF.TMP
Deleted file - C:\Users\CHRIS~1.BEA\AppData\Local\Temp~DFD2CBB780FA796748.TMP
Deleted file - C:\Users\CHRIS~1.BEA\AppData\Local\Temp\avastBCLTMP\chrome\Default\Web Data
Deleted file - C:\Users\CHRIS~1.BEA\AppData\Local\Temp\avastBCLTMP\firefox\extension@hidemyass.com\chrome\skin\hma_icon_48.png
Deleted file - C:\Users\CHRIS~1.BEA\AppData\Local\Temp\xcrashreport\XCrashReport.exe
Deleted file - C:\Users\CHRIS~1.BEA\AppData\Local\Temp\xcrashreport\xcrashreport.ini

========= End of CMD: =========

========= RD /S /Q %TEMP% =========

C:\Users\CHRIS~1.BEA\AppData\Local\Temp\FXSAPIDebugLogFile.txt - The process cannot access the file because it is being used by another process.
C:\Users\CHRIS~1.BEA\AppData\Local\Temp~DF20B5B994FC507662.TMP - Access is denied.
C:\Users\CHRIS~1.BEA\AppData\Local\Temp~DF5DB3A88C1D3E344B.TMP - Access is denied.
C:\Users\CHRIS~1.BEA\AppData\Local\Temp~DF9B1241A6FA1AD48D.TMP - Access is denied.
C:\Users\CHRIS~1.BEA\AppData\Local\Temp~DFC3E569CF1384ADBF.TMP - Access is denied.
C:\Users\CHRIS~1.BEA\AppData\Local\Temp~DFD2CBB780FA796748.TMP - Access is denied.

========= End of CMD: =========

The system needed a reboot.

==== End of Fixlog ====

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
- Remove disinfection tools
- Create registry backup
- Purge System Restore

Click the Run button and wait a few seconds for the program to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.