software restriction policy windows xp pro


  • This topic is locked
9 replies to this topic

#1 fdmajorpain

Posted 26 January 2014 - 07:16 PM

Hi, 

I am unable to run Malwarebytes Anti-Malware (or avast! anti-virus). I get a pop up telling me that "Windows cannot open this program because it has been prevented by a software restriction policy."

Computer is XP Pro SP3
I have admin permissions, should not have any permission issues. 

Not sure how to proceed, any help would be greatly appreciated. 


Edited by hamluis, 26 January 2014 - 08:12 PM.
Moved from XP to Am I Infected - Hamluis.



#2 DASOS

  • Security Colleague

Posted 01 February 2014 - 10:51 AM

Hi

 

Please download and use the following tools (in the order listed) which will search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, extensions, add-ons and other junkware as well as related registry entries (values, keys) and remnants.

RKill created by Grinler (aka Lawrence Abrams), the site owner of BleepingComputer.
AdwCleaner created by Xplode.
Junkware Removal Tool created by thisisu.

1. Double-click on RKill to launch the tool. A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

Important: Do not reboot your computer until you complete the next step.

2. Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.

Click on the Scan button.

  • AdwCleaner will begin...be patient as the scan may take some time to complete.

After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.

After reviewing the log, click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.

Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.

  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on each one and uncheck any items you want to keep (except you cannot uncheck Chrome and Firefox preferences lines).


Close all open programs and shut down any protection/security software to avoid potential conflicts.
If you do not know how to do this you can find out >here< or >here<
 
3. Double-click on JRT.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.

  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.

On completion, a log file named JRT.txt will automatically open and be saved to your Desktop.

  • Copy and paste the contents of JRT.txt in your next reply.

4. As a final step, update and rescan again with Malwarebytes Anti-Malware. 

 

Stelios



#3 mapleton699


Posted 28 July 2014 - 08:26 AM

New user here. I appear to have a whole host of problems, but the primary one at the moment appears to be this one. So I will jump on this thread after finding it in a search. Someone let me know if I should start a new one, please, but not sure what I would title it.

 

I have been trying to debug my XP SP3 desktop machine after going through a failed mobo episode immediately after Tropical Storm Arthur blew through a couple of weeks ago. After getting up & going, I then seemed to get nailed by the 'iexplore.exe' issue - overloaded CPU was making my system crawl.

 

I did a MWB scan, it didn't find anything, but after realizing I didn't have the rootkit option selected, then running it again, it did - thought I was golden.

 

I have been a long-time user of AVG but decided to try Avira as AVG was seeming to become a resource hog - as noticed in Task Manager while going through the above. So this morning I tried to d/l it - I thought it did, but when I click on the desktop icon I get the above 'software restriction policy' error. Then I try clicking on the AVG desktop item to open that, same thing. Then I tried to run MWB again, and get the same thing. Then I couldn't get Task Manager to open. Then my computer locked up. I got it rebooted by holding in the power button. Then I got MWB running, not sure now how, but it's finishing a scan now. I am on my laptop typing this. Since the initial MWB scan trying to get rid of the iexplore issue, I have also had odd instances of dll errors on shutdown. As typing my MWB scan just finished & found 3 things - two psvchost and one 'rest service windows 2014'? I saved the log, and it's now rebooting. I scanned twice with it yesterday, last one was clean. I seem to have somehow stepped in a virus or malware hornet's nest.

 

I will stop here for now - I can either keep posting in this thread or we can start a new one. Just advise - I think I need help! I have not done the 3 steps above yet, but will d/l the programs in prep for it, if the above 3 steps apply to me also & I should do them next.

 

One more: on the reboot attempt, I have an error box pop up before my desktop gets populated, with the same message, re. 'C:\documents and settings\all users\application data\malwarebytes\malwarebytes anti-malware\mbamdor.exe'

 

(Excuse any typos - my fingers don't coordinate well with this laptop. And, while waiting for a reply, I will do the above 3 step process...)



#4 mapleton699


Posted 28 July 2014 - 03:43 PM

Uggh - CryptoWall found.

 

Moving to that thread now.

 

Nasty nasty nasty....



#5 udo.la


Posted 17 August 2014 - 04:22 AM

Good morning everyone.

 

I am jumping on the topic because I've got the same problem as the initial poster, except that I am running XP Home SP3.

I have been running Malwarebytes and the programs recommended in post 2 a couple of times and the system seems to be clean now. One thing found was "mubwoy.dat", which I could not find any information about.

While the system seems to be clean now, I am still not able to access the folders that contain my antivirus programs like avast or HijackThis.

Any input on how to solve this problem would be greatly appreciated.

 

Thanks for your time and have a great weekend. Udo



#6 kclassic


Posted 11 January 2015 - 04:31 PM

I ran RKILL, ADWCLEANER and JUNKWARE REMOVAL TOOL, as recommended above. While RKILL was running, I noticed in the DOS window it said that system restore was being disabled, or something like that. When RKILL was done, I was unable to even start System Restore. After lots of online research, fighting a browser hijacker the whole time, I found out how I could go into the Windows Registry and turn System Restore back on. Once I had it running again, I found that I no longer had ANY restore points left.

 

These three programs together with Malwarebytes were not able to eliminate the browser hijacker that was running and my only option was to do a system restore to 2 weeks ago, but the restore points were all gone. I went to bed knowing there was still malware on the computer.

 

The next morning we had a ransom demand screen from CTB LOCKER, which said that all the files on the computer have been encrypted. I pushed the power off button, and have not restarted, while I research this. It looks like I will have to format the hard drive.

 

My question, why did RKILL destroy my system restore points? Everything would have been cool if I could have just restored to an earlier date before the files were encrypted by CTB LOCKER.


Edited by kclassic, 11 January 2015 - 04:34 PM.


#7 quietman7

  • Global Moderator

Posted 11 January 2015 - 06:31 PM

Welcome to Bleeping Computer.

First...you have replied to a topic several months old and you should never follow specific instructions provided to someone else. Those instructions were given under the guidance of a trained expert and Security Colleague to fix that particular member's problems after careful evaluation of the malware involved. Before taking any action, the helper must investigate the nature of the infection and then formulate a fix strategy for the victim. Many times the instructions provided are only intended for that user's computer.

Although your problem may be similar, the solution could be different based on the kind of hardware, software, system requirements, etc. and the presence of other malware which means the degree of infection can vary. Using someone else's fix instructions could lead to disastrous problems with your operating system.

Second...RKill only reports (that's what you saw) when certain policies are enabled that disabled Automatic Updates, System Restore, Windows Defender. Further investigation is required to determine what malware was actually responsible for changing those policies and, in your case, disabling system restore.


A repository of all current knowledge regarding CTB Locker and Critroni Ransomware is provided by Grinler (aka Lawrence Abrams), in this tutorial: CTB Locker and Critroni Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CTB Locker (Critroni) does and provide information for how to deal with it. The newest variants of CTB Locker typically encrypt all data files and rename them as a file with a 6-7 length extension with random characters. At this time there is no fix tool and no way to retrieve the private key that can be used to decrypt your files without paying the ransom.

More information in this article: New Critroni variant offers free test decryption and now uses CTB2 extension. Unfortunately, there is still no known method of decrypting your files without paying the ransom.

There is also an ongoing discussion in this topic: CTB Locker or DecryptAllFiles.txt Encrypting Ransomware Support & Discussion. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 owlman


Posted 16 February 2015 - 07:50 PM

I had occur to my pc this past weekend. help!



#9 owlman


Posted 16 February 2015 - 07:54 PM

I found AVG and Malwarebytes would not update. Ran security scans, no change. Please help.



#10 quietman7

  • Global Moderator

Posted 16 February 2015 - 07:57 PM

You most likely are dealing with a VAWTRAK malware infection which targets security scanners. Disinfection will probably require the use of more powerful tools than we can recommend in this forum. Before that can be done you will need to create and post a FRST log for further investigation.

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.
When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

This topic is now closed. Should you have any questions, PM me or another moderator.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
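
Added example, not part of any post in this thread and not code from any tool named in it: a triage check for the symptom discussed above, where security tools are stopped by a "software restriction policy" message. It parses saved `reg query ... /s` output for the standard Windows policy key `Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers` and lists Disallowed path rules that point at security products. The key location is general Windows knowledge rather than something stated in the thread; the watch list uses the product names mentioned here, and the sample input (GUIDs and rules) is constructed.

```python
import re

# Hive-relative key that holds Software Restriction Policy (SRP) rules.
SAFER = r"\software\policies\microsoft\windows\safer\codeidentifiers"
KEY_RE = re.compile(
    r"^(HKEY_[^\\]+)(\\.*)\\(\d+)\\Paths\\(\{[0-9a-f-]+\})$", re.I)
VAL_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
# Assumed watch list: the security products named in this thread.
SECURITY_NAMES = ("malwarebytes", "avast", "avg", "avira")

def parse_path_rules(reg_query_text):
    """Return one dict per SRP path rule in `reg query <key> /s` output."""
    rules, current = [], None
    for line in reg_query_text.splitlines():
        key = KEY_RE.match(line.strip())
        if key and key.group(2).lower() == SAFER:
            # Sub-key name is the security level: 0 means Disallowed.
            current = {"hive": key.group(1), "level": int(key.group(3)),
                       "guid": key.group(4), "path": None}
            rules.append(current)
        elif line.startswith("HKEY_"):
            current = None  # a different key: stop collecting values
        elif current is not None:
            val = VAL_RE.match(line)
            if val and val.group(1).lower() == "itemdata":
                current["path"] = val.group(3).strip()
    return rules

def blocked_security_tools(rules):
    """Disallowed (level 0) path rules whose target names a security product."""
    return [r for r in rules if r["level"] == 0 and r["path"]
            and any(n in r["path"].lower() for n in SECURITY_NAMES)]

# Constructed sample; GUIDs and rules are made up for illustration.
ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
SAMPLE = "\n".join([
    ROOT,
    "    DefaultLevel    REG_DWORD    0x40000",
    "",
    ROOT + r"\0\Paths\{11111111-1111-1111-1111-111111111111}",
    r"    ItemData    REG_SZ    C:\Documents and Settings\All Users\Application Data\Malwarebytes",
    "    SaferFlags    REG_DWORD    0x0",
    "",
    ROOT + r"\0\Paths\{22222222-2222-2222-2222-222222222222}",
    r"    ItemData    REG_SZ    C:\Program Files\AVAST Software",
    "",
    ROOT + r"\262144\Paths\{33333333-3333-3333-3333-333333333333}",
    r"    ItemData    REG_EXPAND_SZ    %SystemRoot%",
])

if __name__ == "__main__":
    for rule in blocked_security_tools(parse_path_rules(SAMPLE)):
        print(rule["hive"], rule["guid"], "blocks", rule["path"])
```

A hit means a policy rule, not file permissions, is stopping the program, which is evidence to include when posting logs for the malware removal team.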



