Author Topic: Avast Blocked by Group Policy - Please help  (Read 10529 times)


REDACTED

  • Guest
Avast Blocked by Group Policy - Please help
« on: November 07, 2014, 06:12:34 PM »
Hello,

I read the other threads on this topic with replies by essexboy.  I have attached my logs from Farbar.  Would someone please help me with a fixlist.txt file.  I see the entries I need to resolve the group policy problem, but I wonder if there are other entries in the logs that should be included in the fixlist that I'm unaware of.

Thank you so much.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast Blocked by Group Policy - Please help
« Reply #1 on: November 07, 2014, 07:38:24 PM »
You have encryptor malware as well. Do you have a backup of your data?

 CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
HKLM Group Policy restriction on software: C:\Program Files (x86)\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION 
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [11c08d] => C:\11c08dd\11c08dd.exe [258432 2014-11-06] (Company name goes here)
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [JozcUqawo] => regsvr32.exe "C:\ProgramData\JozcUqawo\JozcUqawo.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [ForpEzuze] => regsvr32.exe "C:\ProgramData\ForpEzuze\ForpEzuze.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Evdtion] => C:\Users\Barbie\AppData\Local\Evdtion\msiexec.exe [163232 2014-11-06] ()
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Esxgtion] => regsvr32.exe C:\Users\Barbie\AppData\Local\Esxgtion\wxMaindll32.dll <===== ATTENTION
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Evzftion] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Barbie\AppData\Local\Evdtion\DRMGLWeb16.dll
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [BayoRyomi] => regsvr32.exe "C:\ProgramData\BayoRyomi\BayoRyomi.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [PakuPutpi] => regsvr32.exe "C:\ProgramData\PakuPutpi\PakuPutpi.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\RunOnce: [*1c08dd] => C:\Users\Barbie\AppData\Roaming\11c08dd.exe
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
2014-11-06 18:52 - 2014-11-06 18:52 - 00008536 _____ () C:\Users\Barbie\Downloads\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:52 - 2014-11-06 18:52 - 00008536 _____ () C:\Users\Barbie\Documents\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:52 - 2014-11-06 18:52 - 00004208 _____ () C:\Users\Barbie\Downloads\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:52 - 2014-11-06 18:52 - 00004208 _____ () C:\Users\Barbie\Documents\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:52 - 2014-11-06 18:52 - 00000272 _____ () C:\Users\Barbie\Downloads\INSTALL_TOR.URL
2014-11-06 18:52 - 2014-11-06 18:52 - 00000272 _____ () C:\Users\Barbie\Documents\INSTALL_TOR.URL
2014-11-06 18:48 - 2014-11-06 18:48 - 00008536 _____ () C:\Users\Barbie\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:48 - 2014-11-06 18:48 - 00008536 _____ () C:\Users\Barbie\AppData\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:48 - 2014-11-06 18:48 - 00004208 _____ () C:\Users\Barbie\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:48 - 2014-11-06 18:48 - 00004208 _____ () C:\Users\Barbie\AppData\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:48 - 2014-11-06 18:48 - 00000272 _____ () C:\Users\Barbie\AppData\Roaming\INSTALL_TOR.URL
2014-11-06 18:48 - 2014-11-06 18:48 - 00000272 _____ () C:\Users\Barbie\AppData\INSTALL_TOR.URL
2014-11-06 18:47 - 2014-11-06 18:47 - 00008536 _____ () C:\Users\Barbie\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:47 - 2014-11-06 18:47 - 00004208 _____ () C:\Users\Barbie\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:47 - 2014-11-06 18:47 - 00000272 _____ () C:\Users\Barbie\AppData\Local\INSTALL_TOR.URL
2014-11-06 18:10 - 2014-11-06 18:10 - 00008536 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:10 - 2014-11-06 18:10 - 00004208 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:10 - 2014-11-06 18:10 - 00000272 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-11-06 17:58 - 2014-11-06 17:58 - 00000000 ____D () C:\ProgramData\PakuPutpi
2014-11-06 17:58 - 2014-11-06 17:58 - 00000000 ____D () C:\ProgramData\BayoRyomi
2014-11-06 17:45 - 2014-11-06 17:45 - 00000000 ____D () C:\Users\Barbie\AppData\Local\Evdtion
2014-11-06 17:45 - 2014-11-06 17:45 - 00000000 ____D () C:\Users\Barbie\AppData\Local\Esxgtion
2014-11-06 17:44 - 2014-11-06 17:44 - 00000000 ____D () C:\ProgramData\JozcUqawo
2014-11-06 17:44 - 2014-11-06 17:44 - 00000000 ____D () C:\ProgramData\ForpEzuze
2014-11-06 17:41 - 2014-11-06 17:41 - 00000000 ___HD () C:\11c08dd
2014-11-06 17:41 - 2014-11-06 17:41 - 00000000 ____D () C:\Users\Barbie\AppData\Roaming\FrameworkUpdate7
CustomCLSID: HKU\S-1-5-21-124788536-2644335351-2029234871-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Download Anti-CryptorBit.zip to your desktop
Extract Anti-CryptorBitV2 to the desktop and run

Select the file type you wish to decrypt and then follow the instructions

FINALLY

Download and run farbar service scanner



Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

REDACTED

Re: Avast Blocked by Group Policy - Please help
« Reply #2 on: November 07, 2014, 08:20:23 PM »
The computer in question is my mother's and I'm helping her via phone get it un-malware'd.  She does have a backup of all of her data that is offline on an external hard drive from before this problem showed up (yesterday).

I'll relay your instructions to her and get the new logs and an update back to you. 

Thank you so much for the prompt reply.

Offline essexboy

Re: Avast Blocked by Group Policy - Please help
« Reply #3 on: November 07, 2014, 08:25:21 PM »
I am glad she has a backup, as the encrypted files cannot always be decrypted; it affects pictures and documents.

REDACTED

Re: Avast Blocked by Group Policy - Please help
« Reply #4 on: November 07, 2014, 09:37:09 PM »
I had her look around in Windows Explorer for any HOWDECRYPT.* files in her documents folder and in her Windows folder (and on her external hard drive) and didn't see any such files.  I did not have her try to open any of her documents yet.  Does the lack of HOWDECRYPT.* files suggest that it didn't get far enough to "encrypt" or muck with her files?

  • I had her run the FRST fixfile (log attached)
  • I didn't have her run Anti-CryptorBitV2 because I wasn't sure she had any encrypted files (but she has it downloaded if you tell me to have her run it anyhow).
  • I had her run FSS (log attached)

Of note, when she ran FRST with the fixfile, the computer rebooted and when it finished, there was at least one Windows dialog saying that it couldn't find some file.  I had her close it and didn't think to write down what the actual message was.  Sorry.

I have not had her reboot since running FSS, so I don't know if the problem will still be there.  I didn't want to take any steps that might hamper the recovery you are directing.

Offline essexboy

Re: Avast Blocked by Group Policy - Please help
« Reply #5 on: November 07, 2014, 09:51:57 PM »
Go for a reboot now and then let me know how the computer is behaving

Offline essexboy

Re: Avast Blocked by Group Policy - Please help
« Reply #6 on: November 07, 2014, 09:54:21 PM »
Once rebooted, download this small programme from tweaking.com  http://www.tweaking.com/content/page/set_windows_services_to_default_startup.html to the desktop.
Run the programme and on completion reboot, then run one further FSS scan please.

REDACTED

Re: Avast Blocked by Group Policy - Please help
« Reply #7 on: November 07, 2014, 10:54:01 PM »
The error dialog boxes in Windows continue to show up after the first boot and after running the tweaking.com program and rebooting.  Same errors before and currently.  The error dialogs are:

Quote
RegSvr32
The module
C:\Users\Barbie\AppData\Local\...\DRMGLWeb16.dll
failed to load.
Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found.

Quote
RegSvr32
The module
C:\ProgramData\JozcUqaweo.dat
failed to load.
Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found.

Quote
RegSvr32
The module
C:\ProgramData\BayoRyomi\BayoRyomi.dat
failed to load.
Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found.

Quote
RegSvr32
The module
C:\ProgramData\PakuPutpi\PakuPutpi.dat
failed to load.
Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found.

Quote
RegSvr32
The module
C:\Users\Barbie\AppData\Local\Es...\wsMaindll32.dll
failed to load.
Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found.

Also, I have attached the latest FSS.txt file

Offline essexboy

Re: Avast Blocked by Group Policy - Please help
« Reply #8 on: November 07, 2014, 10:57:23 PM »
OK could I have a fresh FRST log and I will kill those

EDIT: Just realised what is causing that: Spybot is replacing the run keys. Could you temporarily uninstall it before we run the next fix?
« Last Edit: November 07, 2014, 11:03:14 PM by essexboy »

REDACTED

Re: Avast Blocked by Group Policy - Please help
« Reply #9 on: November 07, 2014, 11:09:46 PM »
Here are the latest FRST logs.

Offline essexboy

Re: Avast Blocked by Group Policy - Please help
« Reply #10 on: November 07, 2014, 11:16:32 PM »
Whoops, you forgot the main FRST.txt :)  Did you see my note about Spybot in my last post?

REDACTED

Re: Avast Blocked by Group Policy - Please help
« Reply #11 on: November 07, 2014, 11:19:05 PM »
Sorry, grabbed the wrong file to attach.

Will do with SpyBot.

Offline essexboy

Re: Avast Blocked by Group Policy - Please help
« Reply #12 on: November 07, 2014, 11:22:05 PM »
Teatimer also replaced the restrictions on Avast and MBAM

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Malwarebytes' Anti-Malware <====== ATTENTION
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1095000 2013-12-13] (Garmin Ltd or its subsidiaries)
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [JozcUqawo] => regsvr32.exe "C:\ProgramData\JozcUqawo\JozcUqawo.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [ForpEzuze] => regsvr32.exe "C:\ProgramData\ForpEzuze\ForpEzuze.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Esxgtion] => regsvr32.exe C:\Users\Barbie\AppData\Local\Esxgtion\wxMaindll32.dll <===== ATTENTION
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Evzftion] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Barbie\AppData\Local\Evdtion\DRMGLWeb16.dll
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [BayoRyomi] => regsvr32.exe "C:\ProgramData\BayoRyomi\BayoRyomi.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [PakuPutpi] => regsvr32.exe "C:\ProgramData\PakuPutpi\PakuPutpi.dat"
2014-11-07 11:43 - 2014-11-07 11:43 - 00000000 ____D () C:\ProgramData\ForpEzuze
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.
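As an added example (not from the thread, and not an FRST or essexboy tool), here is a read-only PowerShell audit covering the three mechanisms the fixes in Reply #1 and Reply #12 remove: the Software Restriction Policy path rules FRST reports as "HKLM Group Policy restriction on software", Run/RunOnce values that hand regsvr32 a .dat file under ProgramData or AppData, and the per-user CLSID LocalServer32 hijack flagged as Poweliks. It assumes an elevated PowerShell on the affected machine and the standard SRP registry location; it changes nothing.

```powershell
# Added read-only audit (not from the thread, not an FRST or essexboy tool).
# Assumes an elevated PowerShell on the affected machine; it only reads keys.
$findings = @()

# 1. Software Restriction Policy path rules, which FRST reports as
#    "HKLM Group Policy restriction on software". Level key 0 = Disallowed.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
if (Test-Path $srp) {
    foreach ($rule in Get-ChildItem $srp) {
        $p = [string](Get-ItemProperty $rule.PSPath).ItemData
        if ($p -match '(?i)AVAST|Malwarebytes') {
            $findings += "SRP Disallowed rule blocks security software: $p"
        }
    }
}

# 2. Run/RunOnce values that hand regsvr32 or rundll32 a file under
#    ProgramData/AppData or a non-DLL such as .dat (the JozcUqawo pattern).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $key = Get-Item $k
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        if ($cmd -match '(?i)regsvr32|rundll32' -and
            $cmd -match '(?i)\\ProgramData\\|\\AppData\\|\.dat\b') {
            $findings += "Suspicious autorun [$name] in ${k}: $cmd"
        }
    }
}

# 3. Per-user COM hijack of the kind flagged as Poweliks: a CLSID whose
#    LocalServer32 default value runs rundll32 with a javascript: payload.
$clsidRoot = 'HKCU:\Software\Classes\CLSID'
if (Test-Path $clsidRoot) {
    foreach ($c in Get-ChildItem $clsidRoot -ErrorAction SilentlyContinue) {
        $ls = "$($c.PSPath)\LocalServer32"
        if (Test-Path $ls) {
            $v = [string](Get-ItemProperty $ls).'(default)'
            if ($v -match '(?i)javascript:|RunHTMLApplication') {
                $findings += "COM hijack in $($c.PSChildName)\LocalServer32: $v"
            }
        }
    }
}

if ($findings) { $findings } else { 'Nothing matched the patterns in this fix.' }
```

A hit in section 1 explains why Avast or MBAM refuses to start; a hit in section 2 or 3 that reappears after a fix points at something (here Spybot's TeaTimer) restoring the values.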

REDACTED

Re: Avast Blocked by Group Policy - Please help
« Reply #13 on: November 07, 2014, 11:25:52 PM »
Before I run this fix, can I ask why you are killing off:

HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)

and

HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1095000 2013-12-13] (Garmin Ltd or its subsidiaries)

I can understand TeaTimer, although it should go away with uninstalling Spybot, but why the Garmin tray app?  That is for my mom's GPS synch features.

Offline essexboy

Re: Avast Blocked by Group Policy - Please help
« Reply #14 on: November 07, 2014, 11:30:40 PM »
My apologies, delete the Garmin line only; the TeaTimer one is just to be doubly sure :)