Avast Blocked by Group Policy - Please help

[essexboy]

SO the reboot brings the policy back.....  The only one that I know to do that would be a bootkit, but there was no sign of it

Lets run a double check

Download the latest version of TDSSKiller from here and save it to your Desktop.
 
 

• Doubleclick on TDSSKiller.exe to run the application
  
  
  
• Then click on Change parameters.
   
  
   
  
• Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system  and Use KSN to scan objects , then click OK.
   
  
• Click the Start Scan button.
   
   
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
   
  
   
  
• If malicious objects are found, they will show in the Scan results and offer three (3) options.
• Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  
  
• Get the report by selecting Reports

 

• Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  

Please attach its contents on your next reply.

Then run a fresh FRST scan

[REDACTED]

We ran TDSSKiller.exe but no threats were found.  The Report is attached.

We then ran FRST and the logs are attached.  (do you need all three logs from FRST each time or just the mail FRST.txt file?)

[essexboy]

OK I can see the folder that is regenerating it but as of yet I cannot see the launch point

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

Code: [Select]

:regfind
ForpEzuze
:filefind
ForpEzuze.*
:dir
ForpEzuze


• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

THEN

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [ForpEzuze] => regsvr32.exe "C:\ProgramData\ForpEzuze\ForpEzuze.dat" 
2014-11-11 08:32 - 2014-11-12 08:23 - 00000000 ____D () C:\ProgramData\ForpEzuze
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

[REDACTED]

We ran SystemLook.  (log attached)

We ran FRST Fix (log attached)

The system rebooted and seemed okay.

I had her install Malwarebytes and ran a Full Threat Scan and it found ten threats; all were quarantined.

I had her manually reboot afterwards.

When the computer booted, both Avast and Malwarebytes still ran properly.  No error messages or dialog boxes appeared.

I had her run Malwarebytes one more time and got a clean scan result.

Are we done?  Maybe?

[essexboy]

C:\Windows\Installer\{1457735D-FE0E-4CB7-9391-4660BD532201} that is where it was launching from so it needed a two pronged attack to get it.  Now I need to figure out a way to check that in my scans..  If all is well tomorrow let me know and I will tidy up

[REDACTED]

I'll report back tomorrow or the next day with a final status update.

Thank you so much for all of your help these past few days.

Sincerely,
  Mark

[essexboy]

Thank you for helping locate the trigger

[REDACTED]

Well, all that hard work and it turns out that the CryptorBit thing did get ahold of her documents and pictures. 

She is going to bring me the computer next week and I may try Anti-CryptorBitV2 (I tried to walk her through it over the phone, but something didn't work right). 

Although the system is now active virus free, I think may just wipe it clean and restore everything from a backup that occurred prior to the infection and is on an external hard drive that has been stored off-line thus far.

Thank you so much for your help.  Do you want to close this thread or wait until next week when I have a chance to work on the computer hands-on/in-person?

[essexboy]

Threads remain open and just disappear, but if you add to this thread I will know as I am on notification for it.  It would be preferable to run the backup as I doubt if you will be able to decrypt the photos