Author Topic: "Program blocked by Group Policy" (AVAST)


REDACTED

  • Guest
"Program blocked by Group Policy" (AVAST)
« on: December 28, 2014, 06:27:03 PM »
Hi, I've seen a few other threads like this.. I've attached the files I found on a tutorial last night...

I started discovering issues when I'd click a link and it would take me to a different site- I'd have to go back and click the link a second time to get the page I wanted.

I can't access Avast, I get the error message in the topic of this post.. and I cannot upgrade. The Avast icon disappears shortly after you run the new avast setup program. Explorer.exe is running a 2nd instance and is leaking tons of RAM (between 200 MB and 2 GB depending on when it wants to)

Here's the files, let me know if there's anything else you need. Thank you!
« Last Edit: December 29, 2014, 02:19:30 AM by Dave81 »

REDACTED

  • Guest
Re: "Program blocked by Group Policy" (AVAST)
« Reply #1 on: December 29, 2014, 01:47:32 AM »
explorer.exe is leaking gigs of RAM and I can hardly use my PC! Please help, Thanks!
« Last Edit: December 29, 2014, 02:17:04 AM by Dave81 »

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: "Program blocked by Group Policy" (AVAST)
« Reply #2 on: December 29, 2014, 11:24:23 AM »
Dave,

According to your logs

Code:
2014-12-26 20:45 - 2014-12-26 22:26 - 00000000 ____D () C:\Users\Burnzie\Downloads\The.Voice.S03E12.HDTV.x264-2HD
2014-12-26 20:41 - 2014-12-26 20:41 - 00000000 ____D () C:\Users\Burnzie\Downloads\The.Voice.S03E13.HDTV.XviD-AFG
2014-12-26 20:28 - 2014-12-26 20:28 - 00008998 _____ () C:\Users\Burnzie\Downloads\The.Voice.S03E13.HDTV.XviD-AFG [IPT].torrent
2014-12-26 20:27 - 2014-12-26 20:27 - 00021429 _____ () C:\Users\Burnzie\Downloads\The.Voice.S03E12.HDTV.x264-2HD [IPT].torrent
2014-12-26 20:27 - 2014-12-26 20:27 - 00017659 _____ () C:\Users\Burnzie\Downloads\The.Voice.S03E12.HDTV.XviD-AFG [IPT] (1).torrent
2014-12-26 20:16 - 2014-12-26 20:28 - 3744092122 ____R () C:\Users\Burnzie\Downloads\The.Drop.2014.720p.WEB-DL.DD5.1.H.264-PLAYNOW.mkv
2014-12-26 20:16 - 2014-12-26 20:16 - 00035943 _____ () C:\Users\Burnzie\Downloads\The.Drop.2014.720p.WEB-DL.DD5.1.H.264-PLAYNOW.mkv [IPT].torrent
2014-12-26 20:16 - 2014-12-26 20:16 - 00017659 _____ () C:\Users\Burnzie\Downloads\The.Voice.S03E12.HDTV.XviD-AFG [IPT].torrent
2014-12-26 00:23 - 2014-12-26 00:28 - 00000000 ____D () C:\Users\Burnzie\Downloads\The.Interview.2014.480p.WEB.x264-mSD
2014-12-22 01:20 - 2014-12-23 00:32 - 424248479 ____R () C:\Users\Burnzie\Downloads\The.Voice.S03E09.HDTV.x264-2HD.mp4
2014-12-21 19:51 - 2014-12-21 19:51 - 00006654 _____ () C:\Users\Burnzie\Downloads\The.Voice.S03E09.480p.HDTV.x264-mSD [IPT].torrent
2014-12-21 19:50 - 2014-12-21 20:15 - 00000000 ____D () C:\Users\Burnzie\Downloads\The.Voice.S03E11.HDTV.XviD-AFG
2014-12-21 19:50 - 2014-12-21 20:07 - 00000000 ____D () C:\Users\Burnzie\Downloads\The.Voice.S03E09.HDTV.XviD-AFG
2014-12-21 19:49 - 2014-12-21 19:49 - 00008998 _____ () C:\Users\Burnzie\Downloads\The.Voice.S03E11.HDTV.XviD-AFG [IPT].torrent
2014-12-21 19:48 - 2014-12-21 19:49 - 00000000 ____D () C:\Users\Burnzie\Downloads\The.Voice.S03E10.HDTV.XviD-AFG
2014-12-21 19:48 - 2014-12-21 19:48 - 00017659 _____ () C:\Users\Burnzie\Downloads\The.Voice.S03E10.HDTV.XviD-AFG [IPT].torrent
2014-12-21 19:47 - 2014-12-21 19:47 - 00008978 _____ () C:\Users\Burnzie\Downloads\The.Voice.S03E09.HDTV.XviD-AFG [IPT].torrent
2014-12-21 01:16 - 2014-12-21 02:09 - 00000000 ____D () C:\Users\Burnzie\Downloads\The.Voice.S03E08.480p.HDTV.x264-mSD
2014-12-20 20:08 - 2014-12-26 00:23 - 00000000 ____D () C:\Users\Burnzie\Downloads\American.Country.Countdown.Awards.2014.720p.HDTV.x264-W4F
2014-12-20 20:06 - 2014-12-20 20:06 - 00000000 ____D () C:\Users\Burnzie\Downloads\The.Voice.S03E08.HDTV.XviD-AFG
2014-12-20 01:43 - 2014-12-20 01:43 - 00000000 ____D () C:\Users\Burnzie\Downloads\The.Voice.S03E07.480p.HDTV.x264-mSD
2014-12-20 01:34 - 2014-12-20 01:35 - 00000000 ____D () C:\Users\Burnzie\Downloads\The.Voice.S03E06.HDTV.XviD-AFG
2014-12-20 00:31 - 2014-12-20 00:31 - 00000000 ____D () C:\Users\Burnzie\Downloads\White.Collar.S06E06.480p.HDTV.x264-mSD
2014-12-20 00:27 - 2014-12-20 00:34 - 00000000 ____D () C:\Users\Burnzie\Downloads\The.Voice.S03E05.HDTV.XviD-AFG
2014-12-19 00:09 - 2014-12-19 00:21 - 00000000 ____D () C:\Users\Burnzie\Downloads\Homeland.S04E06.480p.HDTV.x264-mSD
2014-12-18 22:29 - 2014-12-20 15:05 - 00000000 ____D () C:\Users\Burnzie\Downloads\The.Voice.S04.720p.HDTV.x264-IPT
2014-12-18 21:48 - 2014-12-18 22:04 - 00000000 ____D () C:\Users\Burnzie\Downloads\Arrow.S03E09.The.Climb.480p.HDTV.x264-mSD
2014-12-17 23:23 - 2014-12-17 23:27 - 00000000 ____D () C:\Users\Burnzie\Downloads\White.Collar.S06E05.480p.HDTV.x264-mSD
2014-12-16 22:43 - 2014-12-26 19:09 - 00000000 ____D () C:\Users\Burnzie\Downloads\UFC.On.Fox.13.720p.HDTV.x264-KNOCKOUT

For lack of Characters, I will not put the rest. Into Torrenting I see? That is probably where you picked up the infection. My "word of advice" for today. Quit Torrenting!!! Whether it's legal or not where you live.

Remover Notified. Sit Tight, at least 2 of our Active Removers are either in Exams/Overloaded or on Vacation.

VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: "Program blocked by Group Policy" (AVAST)
« Reply #3 on: December 29, 2014, 11:58:15 AM »
Hello Dave81 and welcome to avast!. I will be working on your Malware issues. 

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do not do any fixing on your own or run any scanners unless requested by a helper.

---     ---     ---     ---     ---

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Quote
Start
CreateRestorePoint:
Folder: c:\progra~3\BA15AA~1
Folder: C:\Temp

CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKU\S-1-5-21-3616324526-2623894536-1975344329-1000\...\MountPoints2: {0ea6cd5f-772b-11e4-8d97-1c3e84808440} - E:\TL-Bootstrap.exe
HKU\S-1-5-21-3616324526-2623894536-1975344329-1000\...\MountPoints2: {2cf68fe5-6175-11e4-bc4c-1c3e84808440} - E:\TL-Bootstrap.exe
HKU\S-1-5-21-3616324526-2623894536-1975344329-1000\...\MountPoints2: {6ac3202e-34fa-11e3-bae1-1c3e84808440} - E:\MotorolaDeviceManagerSetup.exe -a
HKU\S-1-5-21-3616324526-2623894536-1975344329-1000\...\MountPoints2: {d21b4475-3aa9-11e3-ac40-1c3e84808440} - F:\TL-Bootstrap.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
S2 Winmgmt; C:\PROGRA~3\BA15AA014C8427C8E6BA5A06BAE49222\vrjwwzjr.dot [X]

Hosts:
c:\progra~3\BA15AA~1\rjzwwjrv.cpp
C:\PROGRA~3\BA15AA014C8427C8E6BA5A06BAE49222\vrjwwzjr.dot
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk

RemoveDirectory: C:\AdwCleaner
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns

EmptyTemp:
End


2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
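
As an added example (not part of the thread and not FRST's own code), the following PowerShell script checks a live machine for the persistence and blocking indicators that the fixlist above removes: the Software Restriction Policy "Disallowed" path rule that FRST reports as "HKLM Group Policy restriction on software", the Winmgmt service whose ImagePath was pointed at a file under ProgramData, per-user Startup shortcuts such as explorer.lnk, and the MountPoints2 autorun commands recorded for removable drives. The registry locations are the standard SRP, service and MountPoints2 keys; the expected svchost.exe ImagePath prefix is an assumption of the check. The script only reports, it changes nothing.

```powershell
# Added triage script, not from the thread or from FRST. Read-only: reports, does not fix.
# Run in an elevated PowerShell prompt on the affected machine.

function Get-SrpDisallowedPaths {
    # Software Restriction Policy path rules at security level 0 (Disallowed).
    # FRST reports these as "HKLM Group Policy restriction on software".
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    if (-not (Test-Path $root)) { return }
    foreach ($key in Get-ChildItem $root) {
        $rule = Get-ItemProperty $key.PSPath
        [pscustomobject]@{
            Kind   = 'SRP-Disallowed-Path'
            Detail = $rule.ItemData      # the path the rule blocks, e.g. C:\Program Files\AVAST Software
            Where  = $key.Name
        }
    }
}

function Get-SuspiciousWinmgmt {
    # The WMI service runs inside svchost.exe from System32. Anything else
    # (the fixlist above removed a .dot file under ProgramData) is a hijacked service entry.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Winmgmt'
    $svc = Get-ItemProperty $svcKey -ErrorAction SilentlyContinue
    if (-not $svc) { return }
    # Assumption: a legitimate ImagePath starts with %SystemRoot%\system32\svchost.exe
    if ($svc.ImagePath -notmatch '^%SystemRoot%\\system32\\svchost\.exe') {
        [pscustomobject]@{ Kind = 'Service-ImagePath'; Detail = $svc.ImagePath; Where = $svcKey }
    }
}

function Get-StartupShortcuts {
    # Per-user Startup folders: a shortcut named like a system binary (explorer.lnk)
    # runs at every logon with the user's rights. Resolve each .lnk to its real target.
    $shell = New-Object -ComObject WScript.Shell
    $pattern = "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk"
    foreach ($lnk in Get-ChildItem $pattern -ErrorAction SilentlyContinue) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        [pscustomobject]@{ Kind = 'Startup-LNK'; Detail = $target; Where = $lnk.FullName }
    }
}

function Get-MountPoints2Autoruns {
    # MountPoints2 records the autorun command of removable drives the user has opened
    # (E:\TL-Bootstrap.exe in the fixlist). Walk every loaded user hive under HKEY_USERS.
    foreach ($user in Get-ChildItem 'Registry::HKEY_USERS' | Where-Object { $_.PSChildName -match '^S-1-5-21-' }) {
        $mp = "$($user.PSPath)\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
        if (-not (Test-Path $mp)) { continue }
        foreach ($entry in Get-ChildItem $mp) {
            $cmdKey = "$($entry.PSPath)\Shell\AutoRun\command"
            if (Test-Path $cmdKey) {
                $cmd = (Get-ItemProperty $cmdKey).'(default)'
                [pscustomobject]@{ Kind = 'MountPoints2-AutoRun'; Detail = $cmd; Where = $entry.Name }
            }
        }
    }
}

$findings = @(Get-SrpDisallowedPaths) + @(Get-SuspiciousWinmgmt) + @(Get-StartupShortcuts) + @(Get-MountPoints2Autoruns)
if ($findings.Count -eq 0) { 'No indicators of this kind found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

A hit in the first function explains the "Program blocked by Group Policy" message on its own: SRP enforces the rule in-process via the loader, so every binary under the blocked path fails to start no matter how it is launched. Removing the rule (as the fixlist does) is what lets the AV run again; removing the malware without removing the rule leaves the AV blocked.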

REDACTED

  • Guest
Re: "Program blocked by Group Policy" (AVAST)
« Reply #4 on: December 30, 2014, 01:03:29 AM »
here's the Fixlog. Thanks!

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: "Program blocked by Group Policy" (AVAST)
« Reply #5 on: December 30, 2014, 03:26:44 PM »
Hi,

This looks good. Your AntiVirus should be free now. Now, let's go on to further checks ...



Please download the Zoek tool by Smeenk from here and save it to your Desktop.
Unpack the archive...
  • Close any open browsers and temporarily disable your AntiVirus program. (if it is necessary)
    If you are unsure how to do this please read this or this Instruction.

  • Double click on zoek.exe to run the tool. Please wait until the tool starts...
  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
Code:
QuickScan;
  • Click on the button.
    Please wait until a log report opens (this can be after a reboot)

  • Save the notepad file to your Desktop and attach zoek-results.log here
    Note: It will also create a log in the C:\ directory named "zoek-results.log"

REDACTED

  • Guest
Re: "Program blocked by Group Policy" (AVAST)
« Reply #6 on: December 31, 2014, 12:46:37 AM »
Here's the file. Thank you!

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: "Program blocked by Group Policy" (AVAST)
« Reply #7 on: December 31, 2014, 05:33:08 PM »
Hello,


Please re-run zoek tool as you did run before but with this script;


Code:
CHRDefaults;
AutoClean;


Kindly note that the system shall be rebooted. Post the freshly created zoek log here. Tell me the computer behavior now.




REDACTED

  • Guest
Re: "Program blocked by Group Policy" (AVAST)
« Reply #8 on: January 01, 2015, 04:21:06 AM »
Happy New Year!

I ran the program again with the specified script: The computer is still running a second instance of explorer.exe, hogging anywhere from 200 MB to 2.8 GB of my RAM, often freezing and locking up everything- when I end the memory hogging explorer.exe (the regular instance left to keep running), it keeps starting again after a minute or so.. If I end both explorer.exe tasks in the task manager, then neither instance restarts, so my RAM is safe- but of course I can't use my start menu or view my desktop this way.

Here's the log, I really appreciate your help.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: "Program blocked by Group Policy" (AVAST)
« Reply #9 on: January 01, 2015, 01:40:02 PM »
Quote
The computer is still running a second instance of explorer.exe, hogging anywhere from 200 MB to 2.8 GB of my RAM ...

Explorer.exe is a system process that is used to start other parts (files) of a program. More than one explorer is sometimes normal to see in TM. This may not be a malware-related issue...

Still, post me the fresh FRST.txt log report.

REDACTED

  • Guest
Re: "Program blocked by Group Policy" (AVAST)
« Reply #10 on: January 02, 2015, 12:40:31 AM »
I know this is abnormally high RAM usage by the second instance..

I found these threads (just a couple examples below) and many many others all over the internet of users complaining about the exact same symptoms... a virus causing a second instance explorer.exe to use high RAM...

http://superuser.com/questions/836586/virus-causing-multiple-explorer-exe-instances-using-high-memory
http://support.emsisoft.com/topic/15893-same-problem-as-others-multiple-instances-of-explorerexe-using-lots-of-ram/
http://www.reddit.com/r/techsupport/comments/2jz6qu/win_7_64_bit_second_explorerexe_instance_eating/




Here's the FRST log file again, thanks!

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: "Program blocked by Group Policy" (AVAST)
« Reply #11 on: January 02, 2015, 01:26:57 PM »
Hi Dave81,

You may delete this folder manually.
C:\Users\Burnzie\.android

The posted logs do not show active malware on your system. Your PC is malware free.

Piece of advice: Next time, do NOT run ComboFix by yourself.
http://www.techsupportforum.com/1829551-post6.html
http://www.bleepingcomputer.com/forums/topic273628.html


Quote
I found these threads (just a couple examples below) and many many others all over the internet of users complaining about the exact same symptoms... a virus causing a second instance explorer.exe to use high RAM...
Quote
Explorer.exe is a system process that is used to start other parts (files) of a program. More than one explorer is sometimes normal to see in TM. This may not be a malware-related issue...
Explorer has a dual function; it can be started in two modes.
When you start Explorer, explorer.exe checks whether another explorer is already active. If not, it starts itself in shell mode (this is what we know as the Desktop: taskbar, clock, etc.).
If it sees that an explorer is already running, it assumes that the Desktop is already running, and then it starts itself as a file manager.

http://superuser.com/questions/836586/virus-causing-multiple-explorer-exe-instances-using-high-memory
http://support.emsisoft.com/topic/15893-same-problem-as-others-multiple-instances-of-explorerexe-using-lots-of-ram/
http://www.reddit.com/r/techsupport/comments/2jz6qu/win_7_64_bit_second_explorerexe_instance_eating/


None of these links is related to your problem. The first and the last link are not valid to follow for advice. The second link is just basic junkware (adware) removal...

I want to say that your problem is not malware related. As I said, the posted logs appear clean and show no signs of active infection. You should be good to go ...

We're going to remove the tools I used now, as well as carry out some further cleaning and security settings. To learn more about how to protect yourself, I'll give you a few tips for reading.

The following will implement some post-cleanup procedures:

---     ---     ---     ---     ---


Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the program to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt)

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.





Tip: Do not use security tools such as ComboFix, FRST, Zoek and the like. These are advanced security tools and should not be used without supervision.



---     ---     ---     ---     ---



Learn how to protect yourself:



=>  In order to stay protected it is very important that you regularly update all of your software and Windows Operating System.

It is important that you visit Windows Update regularly.
How to configure and use Automatic Updates in Windows

It's vital that you keep all your software up-to-date, as older versions may have security vulnerabilities. Keeping Java and Adobe updated is a priority.
Download and install latest version of Java
Download and install latest version of Adobe Reader




=>  I recommend that you use one of the fantastic opportunities provided by avast! AntiVirus.

For security protection, an active AntiVirus is required. If you want to reinforce your security setup, I recommend additional security software and utilities:
Download and install Malwarebytes' Anti-Malware and perform a 'Threat Scan' from time to time. Malwarebytes will detect and remove all traces of known malware.
Download and install MCShield Anti-Malware Tool to prevent infections transmitted via removable drives.
Download and install Unchecky to keep your checkboxes clear by preventing the installation of additional adware and other PUP bad software.
Download and install AdBlock for safe web browser surfing without annoying and malicious advertising.




Extra text for reading:

Please visit and review PC Safety and Security - What Do I Need? for some helpful information.

Please visit FAQ - Answers to common security questions - Best Practices to read tips how to protect yourself against malware infection.

You may also visit and read What to do if your Computer is running slowly? if you like to read some basic geek stuff.




The specific type of infection:

Meet CryptoPrevent. A security app that shall attempt to prevent dangerous malware that encrypts certain types of files stored on your disk, like CryptoWall, CryptoLocker and similar clones.

More information about this family of malicious software: CryptoLocker Ransomware Information Guide and FAQ
Cryptolocker Ransomware: What You Need To Know and CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

Stay safe. 


Best Regards,
magna86
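
As an added example (not code from the thread), this PowerShell snippet makes the shell-versus-file-manager distinction explained in the last reply visible on a running machine: the shell instance is the explorer.exe that owns the taskbar window (window class Shell_TrayWnd), and every other instance is listed with its image path, parent process, window state and working set, so that an impostor (wrong path, no window, or hundreds of MB with nothing on screen, as described in this thread) stands out. The Shell_TrayWnd lookup and the expected image path under %windir% are standard Windows facts; the choice of columns and the "shell"/"extra" labels are mine.

```powershell
# Added example, not from the thread. Lists every explorer.exe and marks which one is the shell.
# Works from a normal (non-elevated) prompt for the current user's processes.

Add-Type @"
using System;
using System.Runtime.InteropServices;
public class ShellWin {
    [DllImport("user32.dll")] public static extern IntPtr FindWindow(string cls, string title);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
}
"@

function Get-ExplorerInstances {
    # The taskbar window belongs to the shell instance; ask Windows who owns it.
    $hTray    = [ShellWin]::FindWindow('Shell_TrayWnd', $null)
    $shellPid = [uint32]0
    if ($hTray -ne [IntPtr]::Zero) { [void][ShellWin]::GetWindowThreadProcessId($hTray, [ref]$shellPid) }

    # Assumption: the only legitimate image path is %windir%\explorer.exe
    $expectedPath = Join-Path $env:windir 'explorer.exe'

    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'") {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue
        $proc   = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID          = $p.ProcessId
            Role         = if ($p.ProcessId -eq $shellPid) { 'shell' } else { 'extra' }
            PathOK       = ($p.ExecutablePath -ieq $expectedPath)
            # A parent that has exited (userinit.exe for the shell) shows as "exited <pid>".
            Parent       = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "exited ($($p.ParentProcessId))" }
            HasWindow    = if ($proc) { $proc.MainWindowHandle -ne [IntPtr]::Zero } else { $null }
            WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB)
            CommandLine  = $p.CommandLine
        }
    }
}

Get-ExplorerInstances | Sort-Object WorkingSetMB -Descending | Format-Table -AutoSize -Wrap
```

On a clean system the shell instance is the only one without a visible top-level window of its own, and an "extra" instance is a folder window (or the result of the "Launch folder windows in a separate process" option) that goes away when the window is closed. An "extra" instance with PathOK false, or one that has no window yet grows to hundreds of MB and is relaunched each time it is killed, is the pattern worth pulling logs for; the lnk in the Startup folder that the earlier fixlist removed is one way such an instance gets relaunched at logon.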