
symantec exe 'blocked by software restriction policy'


  • This topic is locked
16 replies to this topic

#1 Lost in NY

Lost in NY

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:NYC
  • Local time:06:14 AM

Posted 15 January 2015 - 08:44 AM

Hi - I have a standalone XP machine that appears to have gotten infected:

  • SEP disappeared from the tray and when I try to run it from Start-->Programs I get the popup "C:\program Files\...SymCorpUI.exe Windows cannot open this program because it has been prevented by a software restriction policy..."
  • I ran Malwarebytes - it was able to run fine and it quarantined a trojan exe and some other stuff.
  • I tried to restore back via System Restore but that was blocked with the same message - I used regedit to remove that block, but there are no earlier restore points available, so I'm assuming those got wiped out by whatever did the other damage.
  • I do see some entries in the reg under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer...Paths that are all names of AV software - a few name Malwarebytes (which I was able to run as I mentioned above), a few name Symantec and 1 names McAfee which I uninstalled a while ago.

Anyway, please let me know what I should try next - should I delete these paths? Is there any more info I should provide?

I'm really trying to avoid rebuilding this computer if at all possible.

 

Thanks in advance


Edited by hamluis, 15 January 2015 - 09:59 AM.
Moved from MRL to Am I Infected, no logs - Hamluis



#2 Lost in NY

Lost in NY
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:NYC
  • Local time:06:14 AM

Posted 15 January 2015 - 08:55 AM

The trojan Malwarebytes tagged today is Trojan.Kovter - sorry, I meant to mention that above.



#3 iangcarroll

iangcarroll

  • Malware Study Hall Senior
  • 641 posts
  • OFFLINE
  • Gender:Male
  • Location:Birmingham, MI
  • Local time:06:14 AM

Posted 15 January 2015 - 10:22 AM

Is your computer joined to a domain (corporate computer?)

 

If not, can you post the MBAM log? 


Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!


#4 Lost in NY

Lost in NY
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:NYC
  • Local time:06:14 AM

Posted 15 January 2015 - 10:47 AM

Thanks for your reply - it's not joined to a domain, just a standalone XP machine on my home network.

I looked in the Event Viewer application log and found an entry that matched up with one of those ...path files, so I deleted just that one and SEP is now working - I got 2 signature updates installed by it and am running a full scan now; when that is done I will post the MBAM log. Wondering if I should just go ahead and delete those other ...path entries in the reg. Since there are 2 more tagged 'symantec', and 2 tagged 'malwarebytes', I'm guessing these are also part of the effects from the infection.



#5 Phantom010

Phantom010

  • Members
  • 944 posts
  • OFFLINE
  • Gender:Male
  • Location:Cyberspace
  • Local time:07:14 AM

Posted 15 January 2015 - 11:02 AM

Probably not, but did you, by any chance, install Simple Software-Restriction Policy? Or, did you set some yourself at one time?



Please stick around after posting. Helpers are never far. Don't disappear for a week!
Our help is free, so please have the courtesy to reply in a timely manner. Thank you!


#6 Lost in NY

Lost in NY
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:NYC
  • Local time:06:14 AM

Posted 15 January 2015 - 11:10 AM

heck no - I've never set any policies to restrict executables nor did I install anything.

 

SEP scan still running, nothing detected yet, when it finishes I'll post the MBAM log file.



#7 Lost in NY

Lost in NY
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:NYC
  • Local time:06:14 AM

Posted 15 January 2015 - 01:29 PM

So I'm ready to upload the MBAM log and the SEP log but... I don't see any attachment option - I feel like a complete idiot - can someone tell me how? Sorry, this is my first post here.



#8 iangcarroll

iangcarroll

  • Malware Study Hall Senior
  • 641 posts
  • OFFLINE
  • Gender:Male
  • Location:Birmingham, MI
  • Local time:06:14 AM

Posted 15 January 2015 - 02:08 PM

Pasting it here works fine. You could also use https://paste.ian.sh (mine) or http://privatepaste.com/


Edited by iangcarroll, 15 January 2015 - 02:09 PM.



#9 Lost in NY

Lost in NY
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:NYC
  • Local time:06:14 AM

Posted 15 January 2015 - 03:12 PM

thanks - I've pasted the MBAM log and SEP log below

 

MBAM log:

<?xml version="1.0" encoding="UTF-8" ?>
<logs>
  <record severity="debug" LoggingEventType="1" datetime="2015-01-14T01:17:44.265625-05:00" source="Manual" type="Update" username="SYSTEM" systemname="ABIGAIL" fromVersion="2015.1.9.14" last_modified_tag="0f1ac23a-ba9b-4657-af09-1e8e5835ecf7" name="Malware Database" toVersion="2015.1.14.3" />
  <record severity="debug" scantype="threat" LoggingEventType="6" starttime="2015-01-14T01:17:45-05:00" datetime="2015-01-14T03:02:47.484375-05:00" source="Manual" type="Scan" username="SYSTEM" systemname="ABIGAIL" last_modified_tag="f592d78f-9eb7-4c11-b8ef-bcc20486ee01" duration="3434" malwaredetections="1" nonmalwaredetections="10" scanresult="completed" />
</logs>
 
SEP log (three records; the export's columns are Filename, Risk, Action, Risk Type, Original Location, Computer, User, Status, Current Location, Primary Action, Secondary Action, Logged By, Action Description, Date and Time):

Record 1
  Filename: DWH18.tmp
  Risk: Bloodhound.PDF.38
  Action: Log only
  Risk Type: File
  Original Location: C:\Documents and Settings\Telis\Local Settings\Temp\
  Computer: ABIGAIL
  User: SYSTEM
  Status: Log only
  Current Location: C:\Documents and Settings\Telis\Local Settings\Temp\
  Primary Action: Clean security risk
  Secondary Action: Quarantine
  Logged By: Auto-Protect scan
  Action Description: The file was left unchanged.
  Date and Time: 1/5/2015 15:43

Record 2
  Filename: {739e2285-28f0-cdbd-5267-96f39f2b1cb7}.exe
  Risk: Bloodhound.MalPE
  Action: Quarantined
  Risk Type: Heuristics
  Original Location: C:\Avenger\
  Computer: ABIGAIL
  User: SYSTEM
  Status: Infected
  Current Location: Quarantine
  Primary Action: Clean security risk
  Secondary Action: Quarantine
  Logged By: Auto-Protect scan
  Action Description: The file was quarantined successfully.
  Date and Time: 1/15/2015 6:39

Record 3
  Filename: A0002011.exe
  Risk: Bloodhound.MalPE
  Action: Quarantined
  Risk Type: Heuristics
  Original Location: c:\System Volume Information\_restore{E8CBFF35-BD22-40B2-88E5-340C31002ADD}\RP1\
  Computer: ABIGAIL
  User: Telis
  Status: Infected
  Current Location: Quarantine
  Primary Action: Clean security risk
  Secondary Action: Quarantine
  Logged By: Manual scan
  Action Description: The file was quarantined successfully.
  Date and Time: 1/15/2015 12:03


#10 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:14 PM

Posted 15 January 2015 - 05:09 PM

Begin HERE - Download Screen317 Security Check from Here or Here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box, and wait for it to fully finish.
  • A Notepad document should open automatically called checkup.txt
  • Please Copy/Paste the contents of that document.

Note 1: If any security program requests permission to access the Internet, allow it to
Note 2: If you receive an UNSUPPORTED OPERATING SYSTEM! ABORTED! message (or similar), restart the computer and Security Check should run

 

 

Please download RKill by Grinler to your desktop

  • If you have an old version, please delete it first
  • Right click on the new Red icon and select Run as Administrator
  • A black DOS box will appear for a short time and then disappear.
  • This is normal and indicates the tool ran successfully.
  • At most the tool will usually run for about 2 minutes
  • Please Copy and Paste the small log back here.

Do not reboot your computer until you complete the next step.

Now :

  • Download AdwCleaner by Xplode from Here or Here and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
     * Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button (only once)
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button only once
  • A report (AdwCleaner[R0].txt) will open in Notepad for your review.
  • Check the listed removals and see if you are OK with them.
  • If you have questions, post the Report log back here.
     Next
  • Click on the Clean button only once for accuracy
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK finally to allow AdwCleaner to Restart the computer and complete the removal process.
  • After rebooting, a log report (AdwCleaner[S0].txt) will open automatically.
  • **Copy and Paste the contents of that log in your next reply.**
  • To restore an item that has been deleted by accident : Open the program again,
  • Go to Tools (top left) > Quarantine Manager > check what you want restored > now click on Restore.

Note: With most Adware / Junkware / PUPs it is strongly recommended to deal with it like a legitimate program and uninstall from Programs and Features or Add/Remove Programs in the Control Panel. In many cases, using the uninstaller of the adware not only removes the adware more effectively, but it also restores any changed configuration. After uninstallation, then you can run specialized tools like AdwCleaner to fix any remaining entries they may find.

 

 

Now restart with a visit to Removal and Reinstall page for a fresh copy of your Malwarebytes Antimalware program.
Follow the directions on how to remove and reinstall your version, and the directions below ..........

Please download a clean fresh copy of Malwarebytes Anti-Malware as per given directions on that page, and restart -

  • Follow the simple directions to install the program to desktop
  • Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
  • Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
  • Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
  • If you find malware and tick it to remove it, you may be asked to re-boot the computer to finish cleaning.
  • Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

Follow this with a scan by ESET Online Scanner
Run ESET Online Scanner.

  • For Internet Explorer users only, hold down Control (Ctrl) and click on This Link to open ESET OnlineScan in a new window.
  • Click the ESET Online button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives and Remove Threats"
  • Click Advanced settings and select the following:
    Scan potentially unwanted applications
     Scan for potentially unsafe applications
     Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • Please be patient as this will take some time (Note : 2 hours is not unusual for a first scan).
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

NOTE: Sometimes if ESET finds no infections it will not create a log.

 

 

I hope that this explains a bit more easily how to Copy and Paste your logs back here.

 

Thanks -


Edited by noknojon, 15 January 2015 - 05:13 PM.


#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,560 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:14 AM

Posted 15 January 2015 - 07:22 PM

These are example entries from a FRST log explaining what is most likely going on with this malware infection and the "software restriction (Group Policy)" message targeting security scanners...some crypto-malware variants have been reported to add these restrictions.

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Ad-Aware
HKLM Group Policy restriction on software: C:\Program Files\Spybot <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\a-squared Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Microsoft Security Essentials <====== ATTENTION


Farbar Recovery Scan Tool (FRST) is an advanced specialized tool designed to run in the Recovery Environment in Windows Vista and Windows 7/8 in order to diagnose and fix boot problems. It is also useful for removing malware when other tools fail including this software restriction issue. However, the use of FRST (and posting of its log) is prohibited in this area per this pinned topic.

Many of the scanning tools we use in this forum are not capable of detecting (removing) all malware variants. Disinfection will probably require the use of more powerful tools than we can recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running DDS which will create two logs. (Note: Windows 8.1 Users will not be able run DDS and create a log)
When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs or you're using Windows 8.1, then still start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
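The registry entries described in the first post (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer...Paths) and the FRST "Group Policy restriction on software" lines quoted above are the same mechanism seen from two sides: Software Restriction Policy path rules at the Disallowed level, placed on the directories of security products. The PowerShell script below is an added example written for this thread; it is not code from the thread, from FRST, or from any other tool named here. It enumerates those rules read-only, flags the ones whose path names a security product, and pulls the Application-log events Windows writes when a rule blocks a program, which is how the original poster matched an event to a registry entry. It assumes the SRP registry layout CodeIdentifiers\<level>\Paths\<GUID> with an ItemData value holding the path, the Application-log event source "Software Restriction Policies" with event IDs 865 (blocked by the default level) and 866 (blocked by a path rule), and a constructed watch-list of vendor directory names taken from the paths quoted in this thread. It avoids PowerShell 3.0-only syntax so it can run under PowerShell 2.0 on Windows XP; run it from an administrator prompt.

```powershell
# Added example (not from this thread): audit Software Restriction Policy (SRP)
# path rules and report the ones that cover security-software directories.
# Read-only: nothing is deleted. Assumes the registry layout
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\<GUID>
# with an ItemData value holding the path, and the Application-log event source
# "Software Restriction Policies" (865 = default level, 866 = path rule).

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels are stored as subkeys named by their numeric level id.
$LevelNames = @{
    '0'      = 'Disallowed'
    '4096'   = 'Untrusted'
    '65536'  = 'Restricted'
    '131072' = 'Basic User'
    '262144' = 'Unrestricted'
}

# Constructed watch-list of directory-name fragments used by security products;
# these are the vendors that appear in the paths quoted in this thread.
$SecurityDirs = @('Symantec', 'Malwarebytes', 'McAfee', 'AVAST', 'AVG',
                  'Ad-Aware', 'Spybot', 'a-squared', 'Microsoft Security Essentials')

function Get-SrpPathRule {
    # Emits one object per path rule found under any security level.
    if (-not (Test-Path -Path $SaferRoot)) { return }   # no SRP configured at all
    foreach ($levelKey in (Get-ChildItem -Path $SaferRoot -ErrorAction SilentlyContinue)) {
        $levelId   = $levelKey.PSChildName
        $levelName = $levelId
        if ($LevelNames.ContainsKey($levelId)) { $levelName = $LevelNames[$levelId] }
        $pathsKey = Join-Path -Path $levelKey.PSPath -ChildPath 'Paths'
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($ruleKey in (Get-ChildItem -Path $pathsKey)) {
            $props    = Get-ItemProperty -Path $ruleKey.PSPath
            $modified = $null
            if ($props.LastModified) {            # REG_QWORD holding a FILETIME
                $modified = [DateTime]::FromFileTime([Int64]$props.LastModified)
            }
            New-Object -TypeName PSObject -Property @{
                Level    = $levelName
                Path     = [Environment]::ExpandEnvironmentVariables([string]$props.ItemData)
                RuleGuid = $ruleKey.PSChildName
                Modified = $modified
            }
        }
    }
}

function Find-SuspiciousSrpRule {
    # A Disallowed rule whose path names a security product is the pattern in
    # this thread; on a standalone machine where nobody configured SRP, every
    # such rule deserves a look (the Modified timestamp helps date the change).
    foreach ($rule in (Get-SrpPathRule)) {
        if ($rule.Level -ne 'Disallowed') { continue }
        foreach ($fragment in $SecurityDirs) {
            if ($rule.Path -like "*$fragment*") { $rule; break }
        }
    }
}

function Get-SrpBlockEvent {
    # Application-log entries written when SRP stops a program from running.
    # Event 866 names the rule GUID and the blocked path, which ties an event
    # to the registry key that caused it.
    param([int]$Newest = 50)
    Get-EventLog -LogName Application -Source 'Software Restriction Policies' `
                 -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 865 -or $_.EventID -eq 866 } |
        Select-Object TimeGenerated, EventID, Message
}

# Report: suspicious rules first, then recent block events to correlate with.
$suspicious = @(Find-SuspiciousSrpRule)
if ($suspicious.Count -eq 0) {
    Write-Output 'No Disallowed SRP path rules covering security-software directories.'
} else {
    $suspicious | Format-Table Level, Path, RuleGuid, Modified -AutoSize
}
Get-SrpBlockEvent | Format-List
```

The script only reports. Two readings matter when interpreting its output: if the CodeIdentifiers key's DefaultLevel is Unrestricted (the normal state), any Disallowed rule is an explicit block and the ones naming security products are the symptom this thread describes; if DefaultLevel has been set to Disallowed, the rules under the Unrestricted level are the allow-list and a missing entry is the problem instead. The 866 events carry the rule GUID, so a rule the script flags can be confirmed against the event that blocked SymCorpUI.exe before anything is changed; removal of confirmed entries is the part the thread's own advice defers to the Malware Removal team.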

#12 Lost in NY

Lost in NY
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:NYC
  • Local time:06:14 AM

Posted 16 January 2015 - 03:19 AM

Thanks noknojon and quietman7 - I tried to proceed with the prep steps in the article per quietman7 and was unable to set Windows Firewall - got a pop-up "due to an identified problem, Windows cannot display Windows Firewall settings".

 

So I guess I should plan instead to start with noknojon's suggested steps, which I may not have time to do before I need to leave for work this morning but will try.

 

However, I found a post that says " all you do is delete the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Firewall registry key" but sounds like that was just to address a problem of the option being grayed out.  For me it wasn't grayed out but I got that pop-up.

 

Before I make the wrong move here, can you guys please advise me?



#13 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:14 PM

Posted 16 January 2015 - 03:28 AM

Hi -

Personally from me, quietman7 usually has the better options.

 

I would add a New Topic (as above) and in your post, just mention that your infection prevents the creation of the logs. I would also do it as soon as you can, since many problems are treated on a "First come First served" basis (depending on infections)

 

Thank You -



#14 Lost in NY

Lost in NY
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:NYC
  • Local time:06:14 AM

Posted 16 January 2015 - 03:50 AM

thanks noknojon - I will do as you suggest and follow the steps per quietman7

 

Although I was hoping to clear up the issue cited in my post immediately above so I can enable Windows Firewall before performing those steps (since that is the first one the tutorial tells me to do). Before I proceed: I didn't see the reg key that article references, so that isn't the cause of it.

Anyway, no time to do the steps before I have to go to work this morning, so I will do it tonight if possible, if not then early tomorrow, and then post to the other forum and post a link to that entry here.



#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,560 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:14 AM

Posted 16 January 2015 - 05:43 AM

If you cannot complete a step, then skip it and continue with the next.
If you cannot produce any of the required logs or you're using Windows 8.1, then still start the new topic anyway.



