
Need help with some new, odd program restrictions.


This topic is locked. 12 replies to this topic.

#1 ammobake

  • Members

Posted 06 February 2014 - 02:41 PM

I just started receiving program restrictions that I have not seen before. Under Event Viewer there are apparently new program restrictions blocking Symantec, LiveUpdate, Malwarebytes Anti-Malware, not sure what else.

Everything else under my Program Files directory seems legit, except perhaps "Program Files\NTRU Cryptosystems".

I have no ransomware screen or lockout screens involved with this which might help me narrow down the culprit.

I ran a scan with Spybot Search & Destroy, removed a few detected items, rebooted, but the file restrictions remain.

Trying to update and scan with Malwarebytes Anti-Malware results in an error message with a red X.

"Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator."

The firewall and the anti-malware scanners are not programs our admin team would restrict - for me especially.

My machine...

Microsoft Windows XP Professional (SP3)
Dell Precision T3500
Intel® Xeon® CPU E5640 @ 2.67GHz
3.62 MB RAM

I did some searches online about this but couldn't find anything specific that might imply a virus or malware.

-Chris


Edited by ammobake, 06 February 2014 - 02:42 PM.




#2 ammobake

  • Topic Starter
  • Members

Posted 06 February 2014 - 03:26 PM

Also important to note...

Under Administrative Tools > Local Security Policy > Software Restriction Policies:

"No Software Restriction Policies Defined"

Ran Kaspersky TDSSKiller - scanned but nothing was found.

-ChriS



#3 ammobake

  • Topic Starter
  • Members

Posted 06 February 2014 - 03:45 PM

Also, under Administrative Tools > Local Security Policy > Software Restriction Policies:

When I click on "Actions" at the top I get an error message.

"MMC has detected an error in a snap-in. It is recommended that you shut down and restart MMC."

I am given three options in the error message...

  • Report this error to Microsoft, and then shut down MMC
  • Continue running and ignore errors with this snap-in for the rest of the session
  • Continue running and always ignore errors with this snap-in, regardless of user or session.

OK button at bottom.

Thank you!

-ChriS



#4 ammobake

  • Topic Starter
  • Members

Posted 06 February 2014 - 09:46 PM

I did a full scan with Microsoft Malicious Software Removal Tool - no objects detected.

Looked in the event logs for this morning (when the problem began).

Just before the error messages started involving program restrictions there is one event log entry that looks like it could possibly be the culprit - but whether or not it is malware related I don't know yet.

Type: Information
Source: SceCli
Category: None
Event: 1704
User: N/A
Description: Security policy in the Group policy objects has been applied successfully. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .

The event was associated with my first boot of the morning after I arrived at work - there were no problems yesterday or any day prior for the last six years.

Right after the above event is logged, the software restriction policies kicked into effect and blocked "Symantec Endpoint Protection - SmcGui.exe" a total of 65 times (approximately once a second) while it was trying to initialize during the bootup/login process.

I ran through my system services but everything appears legitimate - nothing out of the ordinary.

I read about an episode of this occurring in which it was recommended by someone on this website to download and use the "FixPolicies" program developed by Bill Castner to reset the system group policies. They ran the program and the problem was supposedly solved.

However, I am reluctant to do that for a variety of reasons. I'm still curious and trying to figure out what the ACTUAL cause of the problem might be. Apart from malware or a virus I don't have any ideas, but I don't want this coming back.

Each time the system is booted the software restriction policy warnings compile in the event logs, but the "policy rule" in the event description is different for each boot.

For example, this warning event happened 65 times during one boot...(source: Software Restriction Policies)...

Access to C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe has been restricted by your Administrator by location with policy rule {745f4c12-0413-45b5-8f11-06a9698825e5} placed on path C:\Program Files\Symantec
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This warning event happened 65 times during a different boot...(source: Software Restriction Policies)...

Access to C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe has been restricted by your Administrator by location with policy rule {31b94134-5019-4659-aa01-7e474c693715} placed on path C:\Program Files\Symantec
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Again, the "Local Security Policy" says there are no software restrictions on this machine.

Any help is appreciated. Thanks!

-ChriS


Edited by ammobake, 06 February 2014 - 10:07 PM.


#5 aharonov

  • Malware Response Team

Posted 07 February 2014 - 04:14 AM

Hi there,

please run a FRST scan:

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them, as only the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.


#6 ammobake

  • Topic Starter
  • Members

Posted 10 February 2014 - 03:26 PM

Thanks aharonov - I want to try a couple of things first. If these two things don't work I'll do the FRST scan with Farbar.

I tried running MBAM Chameleon in the background to disable this - if it is a virus anyway.

Running from the C drive would give me the software restriction error. I copied and pasted the Chameleon files to a folder on my desktop. I was then able to run the Malwarebytes Chameleon program, but after updating it would fail to launch (see this photo)...

MBAM-chameleonattempt10feb14.jpg



#7 ammobake

  • Topic Starter
  • Members

Posted 10 February 2014 - 04:24 PM

ESET Online Scanner results....

No threats found.

Scanned Files: 130996
Infected Files: 0
Cleaned files: 0
Total scan time: 00:49:47
Scan status: Finished

Gonna try one or two more things here...



#8 ammobake

  • Topic Starter
  • Members

Posted 12 February 2014 - 09:58 PM

Attached is the ComboFix log. Also attached is the log from Farbar Recovery Scan Tool.

I ran ESET Online Scanner - nothing was detected.

I ran a scan with the Malwarebytes Anti-Rootkit utility - nothing was detected.

I ran Malwarebytes Anti-Malware in safe mode and ran a full scan (which will not run in normal mode due to the unknown "Software Restriction Policy") - no items were detected.

I ran "Spybot Search & Destroy 2.2", did an update and full scan - some cookies detected only (and removed).

I ran Malwarebytes Chameleon in safe mode - conducted quick scan and full scan - no items were detected.

I ran a scan with Kaspersky Virus Removal Tool - detected and quarantined Trojan "HEUR:Exploit.Java.Generic" and all associated files, but the "Software Restriction Policy" issue remains.

I ran rkill - nothing was detected.

I ran Farbar Recovery Scan Tool (log attached).

I then ran ComboFix (log attached).

However, something I found interesting in the Farbar notepad log file...(below is copied and pasted)

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION

However, under Control Panel > Administrative Tools > Local Security Settings > Software Restriction Policies:

"No Software Restriction Policies Defined"

This group policy has no software restriction policies defined directly on it.

I'm at a loss now.

I appreciate any help!

-ChriS



#9 ammobake

  • Topic Starter
  • Members

Posted 13 February 2014 - 07:24 PM

Does anyone have any ideas what could be causing this? Thanks!

-ChriS



#10 aharonov

  • Malware Response Team

Posted 17 February 2014 - 06:15 PM

Are the policy restrictions gone after the following fix?

Please download the attached fixlist.txt and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


#11 ammobake

  • Topic Starter
  • Members

Posted 03 March 2014 - 02:28 PM

Thanks aharonov, I think I'm going to try a different route after thinking about this some more and discussing with other IT folks.

In the meantime, I will post back here if the problem does get resolved. Our IT staff is recommending a complete hard drive wipe & OS reinstall, but I'm not sure it would work. They want to back up my data first - which wouldn't work if the cause remains in said backup data.

Also important to note...

Every file I open on my computer is somehow being stored in the history in Internet Explorer, including registry entries for temp files. I have not seen that before. Every file I open is stored in the "My Computer" folder in the Internet history.

Also..

The registry had a clue to what is causing this. I started digging in the history looking for anything out of the ordinary when I discovered something interesting. I'm still not sure what process this is associated with (other than Windows).

The path in the registry is...

HKEY Local Machine – SOFTWARE – POLICIES – MICROSOFT – WINDOWS – SAFER – 0 – PATHS

There are six entries for different software being blocked. They are the same six entries noted in the FRST log file I attached in an earlier post.

Our IT people tried to create a temporary admin account to uninstall and reinstall the affected programs (Symantec & Malwarebytes primarily). Uninstalling and reinstalling Malwarebytes Anti-Malware was successful. I can now run Malwarebytes without having any problems.

But after they reinstalled Symantec they got the software restriction message again. It appears the mystery group policy on the machine affects even admin accounts.

-ChriS


Edited by ammobake, 03 March 2014 - 02:30 PM.
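
The six entries ChriS found are ordinary SRP path rules stored in the machine-wide Safer key; the Local Security Policy snap-in only shows rules it defined itself, so rules written there by a domain GPO or by something writing straight to the registry stay invisible to it. As an added example (not from this thread or from any of the tools named in it), the PowerShell below lists every SRP path rule on a machine and flags those that disallow security-software directories; it assumes the standard layout HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\<GUID>, with each rule key holding an ItemData value (the path) and a LastModified FILETIME, and the directory names it flags are my own choice.

```powershell
# Added example: enumerate Software Restriction Policy path rules from the
# registry and flag ones that disallow security-software directories.
# Assumes the standard SRP layout: Safer\CodeIdentifiers\<level>\Paths\<GUID>,
# each rule key holding ItemData (path), SaferFlags and LastModified (FILETIME).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Level subkey names: 0 = Disallowed, 262144 (0x40000) = Unrestricted.
$levelNames = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }

# Directory names (my choice) that should never sit under a Disallowed rule.
$suspectDirs = @('Symantec', 'Malwarebytes', 'McAfee')

function Get-SrpPathRules {
    foreach ($lvl in (Get-ChildItem $base -ErrorAction SilentlyContinue)) {
        $pathsKey = "$($lvl.PSPath)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in (Get-ChildItem $pathsKey)) {
            $p = Get-ItemProperty $rule.PSPath
            $level = $levelNames[$lvl.PSChildName]
            if (-not $level) { $level = $lvl.PSChildName }
            # LastModified is a FILETIME; convert it for timelining against the event log
            $modified = $null
            if ($p.LastModified) { $modified = [DateTime]::FromFileTime($p.LastModified) }
            $suspect = $false
            foreach ($d in $suspectDirs) {
                if ($p.ItemData -like "*$d*") { $suspect = $true }
            }
            New-Object PSObject -Property @{
                Level    = $level
                RuleGuid = $rule.PSChildName   # the GUID quoted in the "policy rule" event text
                Path     = $p.ItemData
                Modified = $modified
                Suspect  = ($level -eq 'Disallowed' -and $suspect)
            }
        }
    }
}

$rules = Get-SrpPathRules
$rules | Sort-Object Level, Path | Format-Table Level, RuleGuid, Path, Modified, Suspect -AutoSize

# Flagged rules that are not defined in any GPO applied to the host were
# written directly to the registry; record the GUIDs and timestamps before
# removing them so they can be matched against the SRP warning events.
```

Swap HKLM: for HKCU: to check per-user rules; on a host without PowerShell, `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers /s` dumps the same keys.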


#12 aharonov

  • Malware Response Team

Posted 03 March 2014 - 05:37 PM

Hi,

I don't quite understand what the problem is. There is nothing mysterious about these restrictions. They are caused by these software policies that are written to the registry. The only open question is who or what has put them there. Normally this is done by malware to kill protection software. There is absolutely no point in uninstalling and reinstalling the software.

My advice is the following: Windows XP is dead in a month from now. Don't invest any more time in this system but back up your data, format the hard drive and install a more modern operating system:

You're still working on a Windows XP machine. It's a very old operating system and Microsoft will abandon it in April 2014 when it will reach end-of-support. This means that no more updates will be available and therefore newly discovered security holes will not be patched anymore.

It will become quite risky to surf the internet on an XP machine after April 2014! You'd better start planning now to move to a more recent operating system in time.

If your computer fulfills the system requirements you can install a more modern version of Windows on it, e.g. Windows 7 or Windows 8.1. Otherwise you should consider purchasing a new and contemporary computer.
(As an alternative, if a Windows operating system is not a must and you want to keep working on your old computer, you can also try to install a lightweight version of Linux, e.g. Xubuntu or Lubuntu.)

Also read through the information that Microsoft provides concerning this end-of-support: http://windows.microsoft.com/en-us/windows/end-support-help



#13 aharonov

  • Malware Response Team

Posted 18 March 2014 - 05:36 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



