
Unable to run AVG or MBAM- software restriction policy pop-up



#1 JerseyGeekDad76

JerseyGeekDad76

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:08:06 PM

Posted 22 December 2014 - 04:08 PM

I am helping a co-worker with his laptop. He had noticed some weirdness (freezing at Windows splash screen, etc.) & asked me to take a look at it. In the course of my troubleshooting, I tried to run scans in both AVG & MBAM & was unable to. Both times I got an error message of "Windows cannot open this program because it has been prevented by a software restriction policy." I was able to run MalwareBytes Anti-Rootkit, which didn't find anything. I also ran TDSS Killer, RKill, & an ESET Online Scan, all of which came back clean. I am also unable to open my external hard drive (120 GB laptop drive in an enclosure) when I connect it (I get "E:\ is not accessible. The file or directory is corrupted and unreadable." Drive works fine in my PC) but I can open a USB flash drive without issue.

 

Laptop is an IBM ThinkPad T60P... Windows XP Pro SP3; 1GB RAM; T2500 @ 2.00 GHz processor; 100 GB HDD with 77.6 GB free space




 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,474 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:06 PM

Posted 22 December 2014 - 04:29 PM

These are example entries from a FRST log explaining what is most likely going on with malware and the "software restriction policy" message...

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\a-squared Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\a-squared Anti-Malware <====== ATTENTION


Farbar Recovery Scan Tool (FRST) is an advanced specialized tool designed to run in the Recovery Environment in Windows Vista and Windows 7/8 in order to diagnose and fix boot problems. It is also useful for removing malware when other tools fail including this software restriction issue. However, the use of FRST (and posting of its log) is prohibited in this area per this pinned topic.

Many of the scanning tools we use in this forum are not capable of detecting (repairing/removing) all malware variants. Disinfection will probably require the use of more powerful tools than we can recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running DDS which will create two logs. (Note: Windows 8.1 Users will not be able to run DDS and create a log)
When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs or you're using Windows 8.1, then still start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
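
The "Group Policy restriction on software" entries quoted in post #2 can be cross-checked with a read-only listing like the one below. This is an added example, not part of the thread or of any tool named in it; it assumes the restrictions are stored as Software Restriction Policy path rules under the standard `Safer\CodeIdentifiers` policy key in HKLM, and the product keyword list is constructed from the folders shown in the log excerpt.

```powershell
# Added example: read-only listing of Software Restriction Policy (SRP) path rules.
# Assumption: the restrictions are stored under the standard SRP policy key in HKLM.
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP stores each security level as a numeric subkey name.
$LevelNames = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

# Constructed keyword list built from the product folders shown in the log excerpt.
$SecurityProducts = 'AVG', 'Malwarebytes', 'McAfee', 'a-squared'

function Get-SrpPathRule {
    param([string]$Root = $SrpRoot)

    if (-not (Test-Path $Root)) { return }   # no SRP configured at machine level

    foreach ($levelKey in Get-ChildItem $Root) {
        $pathsKey = "$Root\$($levelKey.PSChildName)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }

        foreach ($ruleKey in Get-ChildItem $pathsKey) {
            $rule = Get-ItemProperty $ruleKey.PSPath
            $level = $LevelNames[$levelKey.PSChildName]
            if (-not $level) { $level = $levelKey.PSChildName }

            # Flag rules whose target path names a security product.
            $targetsSecurity = $false
            foreach ($name in $SecurityProducts) {
                if ($rule.ItemData -like "*$name*") { $targetsSecurity = $true }
            }

            # LastModified is a FILETIME; convert it when the value is present.
            $modified = $null
            if ($rule.LastModified) { $modified = [DateTime]::FromFileTimeUtc($rule.LastModified) }

            New-Object PSObject -Property @{
                Level = $level; Path = $rule.ItemData; RuleId = $ruleKey.PSChildName
                ModifiedUtc = $modified; TargetsSecurityTool = $targetsSecurity
            }
        }
    }
}

Get-SrpPathRule |
    Sort-Object TargetsSecurityTool -Descending |
    Format-Table Level, TargetsSecurityTool, Path, ModifiedUtc -AutoSize
```

Rules at the Disallowed level whose path points at an anti-malware folder correspond to the flagged entries in the log excerpt; the script changes nothing on the system.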

#3 JohnC_21

JohnC_21

  • Members
  • 23,989 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:06 PM

Posted 22 December 2014 - 04:31 PM

Hello, and Welcome

 

Because you have XP Pro you can use the Group Policy Editor to change your Security Policy. See this tutorial. If this is a work computer then IT support should be taking care of it.

 

Also look through Additional Rules.



#4 JerseyGeekDad76

JerseyGeekDad76
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:08:06 PM

Posted 22 December 2014 - 04:54 PM

It's a personal laptop for a co-worker & I AM part of IT Support.



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,474 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:06 PM

Posted 22 December 2014 - 05:00 PM

Follow the instructions I provided in Post #2.

#6 cnewman60

cnewman60

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:06 PM

Posted 25 December 2014 - 05:48 PM

First get Process Explorer and GiPo@MoveOnBoot.

What is happening is a dll is being registered and kicking off an executable in the temp directory, locking some files.

Find the process with Process Explorer, right click properties and find the target folder.

After you install Move on Boot you can right click the folder and say Delete at next boot.

For Malwarebytes you will have to manually delete it from program files and reinstall it.

But it may come back again if you don't delete the dll being called by regsvr32.

Also in Process Explorer look for regsvr32, right click properties and verify folder location and use Move on Boot.

To use Move on Boot you just right click the file or folder.

Next copy down these files in notepad, then head to the registry and hit F3 and do a find and delete all instances of these files.

Mod Edit by quietman7: Removed instructions to use PROHIBITED Malware Removal Tool

Then download Malwarebytes, install and run Malwarebytes last for the little stuff.

This was the executable I found: cpiqkzdexve.exe. The dll I forgot, but it starts with fr.

Every time you boot up, open up Process Explorer and just watch it for a bit to make sure it doesn't return.

I use this method for every virus and it works 100% of the time.


Edited by cnewman60, 25 December 2014 - 07:24 PM.


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,474 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:06 PM

Posted 25 December 2014 - 06:17 PM

@ cnewman60

Your reply was edited to remove instructions for using a tool prohibited in this forum ...

Please read the pinned sticky Instructions for posting advice in Am I Infected

Posting instructions for the use of the following by non-staff members is prohibited in this area, as well as in ALL other areas of the BC forums. This list contains tools and procedures that are forbidden, the instructions for using similar tools or procedures should not be posted here, or elsewhere on Bleeping Computer forums, without prior Staff approval.



#8 cnewman60

cnewman60

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:06 PM

Posted 25 December 2014 - 07:12 PM

Apologies, just trying to help....



#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,474 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:06 PM

Posted 25 December 2014 - 07:15 PM

I understand...just trying to point you in the right direction for helping around here.



