
Ad-Aware Will Not Load Due to Group Policy Error


  • This topic is locked
9 replies to this topic

#1 Bo1965

Bo1965

  • Members
  • 235 posts
  • OFFLINE
  • Local time:11:36 AM

Posted 04 January 2015 - 08:10 PM

BC,

 

     Thank you for your assistance.  Recently in the past, I was able to load and run Ad-Aware.  A few days ago, I noticed that Ad-Aware was no longer running so I uninstalled and reinstalled the program.  However, when I try to run it I get an error saying that group policy will not allow that program to run.  Also, my Windows Security Manager is stating that I do not have an active firewall.

 

I then decided to run the Emsisoft Anti-Malware just before this post so that I would have some protection from intruders.  That program loaded and it identified some malware that dealt with Microsoft Policy.

 

I have attached the dds logs to this post.  Something of interest: C:\Windows\system32\wbem\wmiprvse.exe on the attach.txt file I think is a worm or Trojan.  If it is, none of the malware programs have isolated it and removed it.  I will await your instruction.

 

Bo

Attached Files
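The two concerns in the opening post, a program blocked by group policy and a suspected malicious wmiprvse.exe, can both be checked directly on the machine. C:\Windows\System32\wbem\wmiprvse.exe is the normal location of the Windows WMI Provider Host, so the useful question is not whether the file exists but whether the running copy is at that path and carries a valid Microsoft signature. The PowerShell below is an added example for this thread, not part of the original post and not code from any of the tools mentioned here; it assumes an elevated PowerShell prompt on Windows 7 or later, and the two registry paths it inspects (Software Restriction Policies and the Explorer DisallowRun list) are an assumption about where a "blocked by group policy" message on a home PC usually originates, since the thread never identifies the policy involved.

```powershell
# Added example, not from the thread: defender-side checks for the two
# concerns in the opening post. Run from an elevated PowerShell prompt;
# wmiprvse.exe runs as NETWORK SERVICE, so its path is only visible elevated.

# 1. Is every running wmiprvse.exe the Microsoft-signed one in the expected
#    location? Legitimate copies live in System32\wbem (and SysWOW64\wbem on
#    64-bit Windows). A copy anywhere else, or one without a valid signature,
#    is what the opening post should be worried about.
$expectedPaths = @(
    (Join-Path $env:SystemRoot 'System32\wbem\wmiprvse.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\wbem\wmiprvse.exe')
)

Get-Process -Name wmiprvse -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [PSCustomObject]@{
        PID            = $_.Id
        Path           = $path
        ExpectedPath   = ($expectedPaths -contains $path)
        SignatureState = $sig.Status          # 'Valid' is what you want to see
        Signer         = $sig.SignerCertificate.Subject
    }
} | Format-List

# 2. Which execution-restriction policies are present? (Assumed locations:
#    Software Restriction Policies under Safer\CodeIdentifiers and the
#    per-user Explorer DisallowRun list.) Listing them lets you compare what
#    is set against what you, or your domain, actually configured.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
)

foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        Write-Output "Present: $key"
        # Dump every value under the key, including any rule subkeys.
        Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } | Format-List
        Get-ItemProperty -Path $key | Format-List
    } else {
        Write-Output "Not present: $key"
    }
}
```

On a stand-alone home PC neither policy key is normally present; if one is, and you did not create it, that is the item to hand to the helper rather than the WMI binary.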


#2 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:36 PM

Posted 05 January 2015 - 07:56 AM

Hi. I'm checking your log now and will reply with instructions soon.

#3 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:36 PM

Posted 05 January 2015 - 12:23 PM

Please follow these steps:

1.- Download AdwCleaner by Xplode onto your Desktop.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan
  • Once the scan is done, this time click on the Clean button.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[Sn].txt ('n' represents the most recent report).
2.- Please download RogueKiller and Save to the desktop.

Note: Do NOT click the Delete button, unless otherwise instructed.
  • Close all windows and browsers
  • Double click on RogueKiller.exe to run the tool.
  • Press the scan button.
  • Once the scan is done, click on Report.
  • A log file will open, please copy/paste the contents of that file into your next reply.


#4 Bo1965

Bo1965
  • Topic Starter

  • Members
  • 235 posts
  • OFFLINE
  • Local time:11:36 AM

Posted 05 January 2015 - 05:37 PM

Rootk,

 

     Good afternoon.  Below is the data you requested.

 

AdwCleaner:

 

# AdwCleaner v4.106 - Report created 05/01/2015 at 16:48:38
# Updated 21/12/2014 by Xplode
# Database : 2015-01-03.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : My PC - MYPC-PC
# Running from : C:\Users\My PC\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496

-\\ Chromium v

*************************

AdwCleaner[R0].txt - [1493 octets] - [06/10/2014 07:30:36]
AdwCleaner[R1].txt - [2402 octets] - [02/01/2015 08:19:11]
AdwCleaner[R2].txt - [1025 octets] - [05/01/2015 16:47:10]
AdwCleaner[S0].txt - [1576 octets] - [06/10/2014 07:31:24]
AdwCleaner[S1].txt - [2449 octets] - [02/01/2015 08:20:03]
AdwCleaner[S2].txt - [950 octets] - [05/01/2015 16:48:38]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1009 octets] ##########

 

RogueKiller:

 

RogueKiller V10.1.1.0 (x64) [Dec 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : My PC [Administrator]
Mode : Scan -- Date : 01/05/2015  17:19:02

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-1582120608-2412769606-2048508628-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-1582120608-2412769606-2048508628-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-1582120608-2412769606-2048508628-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-1582120608-2412769606-2048508628-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1002FAEX-00Z3A0 ATA Device +++++
--- User ---
[MBR] 27fd125bad996c2805ce78f5e95971bb
[BSP] f00eb5e4b6d871b91f7b044fd3ffbaae : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_DEL_01012015_105211.log - RKreport_DEL_01012015_233345.log - RKreport_DEL_01022015_001917.log - RKreport_DEL_01022015_180627.log
RKreport_DEL_01032015_124921.log - RKreport_DEL_01032015_142111.log - RKreport_DEL_01032015_142337.log - RKreport_DEL_01032015_142518.log
RKreport_DEL_01032015_142648.log - RKreport_DEL_01032015_145948.log - RKreport_DEL_01032015_160651.log - RKreport_DEL_01032015_192504.log
RKreport_DEL_01032015_192629.log - RKreport_DEL_06252014_201835.log - RKreport_DEL_07032014_171524.log - RKreport_DEL_07042014_180914.log
RKreport_DEL_08222014_112004.log - RKreport_DEL_08232014_215147.log - RKreport_DEL_09242014_224746.log - RKreport_DEL_09242014_225535.log
RKreport_DEL_09252014_094459.log - RKreport_DEL_09252014_095454.log - RKreport_DEL_09252014_130355.log - RKreport_DEL_09252014_131715.log
RKreport_DEL_09262014_160853.log - RKreport_DEL_09272014_133403.log - RKreport_DEL_09272014_133837.log - RKreport_DEL_09302014_121710.log
RKreport_DEL_09302014_211903.log - RKreport_DEL_10022014_150538.log - RKreport_DEL_10032014_082358.log - RKreport_DEL_10032014_131903.log
RKreport_DEL_10032014_132507.log - RKreport_DEL_10032014_140240.log - RKreport_DEL_10042014_103834.log - RKreport_DEL_10042014_185329.log
RKreport_DEL_10042014_190029.log - RKreport_DEL_10042014_201631.log - RKreport_DEL_10052014_092827.log - RKreport_DEL_10052014_155029.log
RKreport_DEL_10052014_161317.log - RKreport_DEL_10052014_173702.log - RKreport_DEL_10052014_180446.log - RKreport_DEL_10062014_002032.log
RKreport_DEL_10062014_171914.log - RKreport_DEL_10062014_193625.log - RKreport_DEL_10072014_084747.log - RKreport_DEL_10072014_101921.log
RKreport_DEL_10082014_161909.log - RKreport_DEL_10102014_094930.log - RKreport_DEL_10132014_195449.log - RKreport_DEL_10142014_123416.log
RKreport_DEL_10152014_224928.log - RKreport_DEL_10162014_104651.log - RKreport_DEL_10162014_111316.log - RKreport_DEL_10162014_121846.log
RKreport_DEL_10162014_220514.log - RKreport_DEL_10162014_221603.log - RKreport_DEL_10182014_130856.log - RKreport_DEL_10192014_004140.log
RKreport_DEL_10192014_083558.log - RKreport_DEL_10192014_123410.log - RKreport_DEL_10212014_172257.log - RKreport_DEL_10212014_173543.log
RKreport_DEL_10252014_082249.log - RKreport_DEL_10272014_120412.log - RKreport_DEL_10272014_123007.log - RKreport_DEL_10292014_074715.log
RKreport_DEL_10292014_223026.log - RKreport_DEL_10312014_113900.log - RKreport_DEL_11012014_111721.log - RKreport_DEL_11022014_085746.log
RKreport_DEL_11022014_091043.log - RKreport_DEL_11042014_223332.log - RKreport_DEL_11062014_091040.log - RKreport_DEL_11082014_113506.log
RKreport_DEL_11082014_114043.log - RKreport_DEL_11092014_002644.log - RKreport_DEL_11092014_082702.log - RKreport_DEL_11092014_083230.log
RKreport_DEL_11092014_120542.log - RKreport_DEL_11122014_114606.log - RKreport_DEL_11152014_101836.log - RKreport_DEL_11212014_164647.log
RKreport_DEL_11212014_165258.log - RKreport_DEL_11212014_220810.log - RKreport_DEL_11222014_093930.log - RKreport_DEL_11222014_101044.log
RKreport_DEL_11222014_191740.log - RKreport_DEL_11242014_120504.log - RKreport_DEL_11242014_122110.log - RKreport_DEL_11242014_174350.log
RKreport_DEL_11262014_074019.log - RKreport_DEL_11272014_084214.log - RKreport_DEL_11272014_212936.log - RKreport_DEL_11302014_091122.log
RKreport_DEL_12012014_215445.log - RKreport_DEL_12032014_122125.log - RKreport_DEL_12082014_121637.log - RKreport_DEL_12182014_221100.log
RKreport_DEL_12192014_175447.log - RKreport_DEL_12202014_113927.log - RKreport_DEL_12262014_105749.log - RKreport_DEL_12282014_081447.log
RKreport_DEL_12292014_165713.log - RKreport_SCN_01012015_104637.log - RKreport_SCN_01012015_233319.log - RKreport_SCN_01022015_001849.log
RKreport_SCN_01022015_180517.log - RKreport_SCN_01032015_124847.log - RKreport_SCN_01032015_142046.log - RKreport_SCN_01032015_142326.log
RKreport_SCN_01032015_142501.log - RKreport_SCN_01032015_142631.log - RKreport_SCN_01032015_145855.log - RKreport_SCN_01032015_160614.log
RKreport_SCN_01032015_192425.log - RKreport_SCN_01032015_192622.log - RKreport_SCN_01052015_170331.log - RKreport_SCN_06252014_201757.log
RKreport_SCN_07032014_171512.log - RKreport_SCN_07042014_180909.log - RKreport_SCN_08112014_232947.log - RKreport_SCN_08222014_111914.log
RKreport_SCN_08232014_215143.log - RKreport_SCN_09242014_224733.log - RKreport_SCN_09242014_225255.log - RKreport_SCN_09252014_084233.log
RKreport_SCN_09252014_085641.log - RKreport_SCN_09252014_094830.log - RKreport_SCN_09252014_122813.log - RKreport_SCN_09252014_131131.log
RKreport_SCN_09262014_160831.log - RKreport_SCN_09272014_133330.log - RKreport_SCN_09272014_133632.log - RKreport_SCN_09302014_121553.log
RKreport_SCN_09302014_211233.log - RKreport_SCN_10022014_150447.log - RKreport_SCN_10032014_081746.log - RKreport_SCN_10032014_131840.log
RKreport_SCN_10032014_132444.log - RKreport_SCN_10032014_140221.log - RKreport_SCN_10042014_103809.log - RKreport_SCN_10042014_183227.log
RKreport_SCN_10042014_190001.log - RKreport_SCN_10042014_201611.log - RKreport_SCN_10052014_092809.log - RKreport_SCN_10052014_154950.log
RKreport_SCN_10052014_161224.log - RKreport_SCN_10052014_173122.log - RKreport_SCN_10052014_180323.log - RKreport_SCN_10062014_001955.log
RKreport_SCN_10062014_171813.log - RKreport_SCN_10062014_193549.log - RKreport_SCN_10072014_084726.log - RKreport_SCN_10072014_101857.log
RKreport_SCN_10082014_161801.log - RKreport_SCN_10102014_094831.log - RKreport_SCN_10132014_195426.log - RKreport_SCN_10142014_122009.log
RKreport_SCN_10152014_224850.log - RKreport_SCN_10162014_104338.log - RKreport_SCN_10162014_105132.log - RKreport_SCN_10162014_111401.log
RKreport_SCN_10162014_121827.log - RKreport_SCN_10162014_220425.log - RKreport_SCN_10162014_221429.log - RKreport_SCN_10182014_130829.log
RKreport_SCN_10192014_002048.log - RKreport_SCN_10192014_083537.log - RKreport_SCN_10192014_123356.log - RKreport_SCN_10212014_171507.log
RKreport_SCN_10212014_173451.log - RKreport_SCN_10252014_082221.log - RKreport_SCN_10272014_120340.log - RKreport_SCN_10272014_120854.log
RKreport_SCN_10272014_122846.log - RKreport_SCN_10292014_074640.log - RKreport_SCN_10292014_222953.log - RKreport_SCN_10312014_102147.log
RKreport_SCN_11012014_111601.log - RKreport_SCN_11022014_085715.log - RKreport_SCN_11022014_090256.log - RKreport_SCN_11042014_223249.log
RKreport_SCN_11062014_090919.log - RKreport_SCN_11082014_113156.log - RKreport_SCN_11082014_113941.log - RKreport_SCN_11092014_002230.log
RKreport_SCN_11092014_082401.log - RKreport_SCN_11092014_083110.log - RKreport_SCN_11092014_120511.log - RKreport_SCN_11102014_091325.log
RKreport_SCN_11102014_101105.log - RKreport_SCN_11102014_102422.log - RKreport_SCN_11122014_114338.log - RKreport_SCN_11152014_101813.log
RKreport_SCN_11212014_163337.log - RKreport_SCN_11212014_164930.log - RKreport_SCN_11212014_220758.log - RKreport_SCN_11222014_093857.log
RKreport_SCN_11222014_101029.log - RKreport_SCN_11222014_191708.log - RKreport_SCN_11242014_120438.log - RKreport_SCN_11242014_121921.log
RKreport_SCN_11242014_173944.log - RKreport_SCN_11262014_073525.log - RKreport_SCN_11272014_084150.log - RKreport_SCN_11272014_085713.log
RKreport_SCN_11272014_090123.log - RKreport_SCN_11272014_090708.log - RKreport_SCN_11272014_212922.log - RKreport_SCN_11302014_091105.log
RKreport_SCN_11302014_094117.log - RKreport_SCN_11302014_095011.log - RKreport_SCN_11302014_095421.log - RKreport_SCN_11302014_095948.log
RKreport_SCN_11302014_100350.log - RKreport_SCN_12012014_215332.log - RKreport_SCN_12022014_194756.log - RKreport_SCN_12022014_195126.log
RKreport_SCN_12032014_115943.log - RKreport_SCN_12032014_122026.log - RKreport_SCN_12052014_223717.log - RKreport_SCN_12062014_115246.log
RKreport_SCN_12072014_083305.log - RKreport_SCN_12072014_084737.log - RKreport_SCN_12072014_120328.log - RKreport_SCN_12072014_124439.log
RKreport_SCN_12082014_121619.log - RKreport_SCN_12092014_113704.log - RKreport_SCN_12092014_174912.log - RKreport_SCN_12102014_172940.log
RKreport_SCN_12102014_185145.log - RKreport_SCN_12122014_092340.log - RKreport_SCN_12122014_131516.log - RKreport_SCN_12132014_110605.log
RKreport_SCN_12132014_215521.log - RKreport_SCN_12182014_220949.log - RKreport_SCN_12182014_221242.log - RKreport_SCN_12192014_174927.log
RKreport_SCN_12192014_175415.log - RKreport_SCN_12202014_113840.log - RKreport_SCN_12212014_104840.log - RKreport_SCN_12222014_102617.log
RKreport_SCN_12232014_183004.log - RKreport_SCN_12232014_210419.log - RKreport_SCN_12262014_105430.log - RKreport_SCN_12282014_002856.log
RKreport_SCN_12282014_081436.log - RKreport_SCN_12292014_164636.log

 

Bo.



#5 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:36 PM

Posted 05 January 2015 - 08:08 PM

Please follow these steps:

1.- Download TFC.exe - Temp File Cleaner by OldTimer:
Alternate link: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Save it to your Desktop
  • Close any open windows, save your work
  • Double click the TFC icon to run the program. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • TFC will close all open programs itself in order to run
  • Click the Start button to begin the process
  • Allow TFC to run uninterrupted
  • The program should not take long to finish its job.
  • Once it's finished, click OK to reboot
2.- Download Malwarebytes Anti-Malware and save it to your desktop.
  • Open Malwarebytes Anti-Malware
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Please update the database by clicking on the Update Now button as shown below.
  • Following the update, click Settings > Detection and Protection and make sure Scan for Rootkits is checked.
  • Click on Dashboard, then click on the large green Scan Now button to begin the Threat Scan. If malware or Potentially Unwanted Programs are found you will receive a prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on View Detailed Log.
  • After viewing the results, please click on the Copy to Clipboard button > OK.
  • Return to our forum. Paste your log into your next reply.
  • Note: If you lose the Clipboard copy and need to retrieve the log again, it can be found by opening Malwarebytes and clicking on History > Application Logs with the date of the scan. Simply double-click on that in order to see the options for Copying to Clipboard or to Export to a .txt file (Notepad), etc. The .txt file can be saved and posted when you are ready.
3.- Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes and if it finds anything, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#6 Bo1965

Bo1965
  • Topic Starter

  • Members
  • 235 posts
  • OFFLINE
  • Local time:11:36 AM

Posted 06 January 2015 - 08:09 PM

Rootk,

 

    Good evening.  I have pasted the results of the Malwarebytes log below.  I ran the Eset Online program and no malware was found.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/6/2015
Scan Time: 11:24:25 AM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.06.06
Rootkit Database: v2014.12.30.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: My PC

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 333846
Time Elapsed: 6 min, 7 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

Bo



#7 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:36 PM

Posted 06 January 2015 - 09:38 PM

Your logs look OK. How are things running now? Are you still getting problems?

#8 Bo1965

Bo1965
  • Topic Starter

  • Members
  • 235 posts
  • OFFLINE
  • Local time:11:36 AM

Posted 06 January 2015 - 10:04 PM

Not sure.  I will try loading Ad-Aware again.  If I get the same problem, I will submit a new ticket.  Thank you Rootk for your assistance. 



#9 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:36 PM

Posted 07 January 2015 - 08:04 AM

You don't need to start a new thread, just reply to this one.

Edited by Rootk, 07 January 2015 - 08:04 AM.


#10 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:12:36 PM

Posted 26 January 2015 - 11:19 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families
