Software restriction policy malware? [Solved]


  • This topic is locked

#1
dino velvet

    Member

  • 10 posts
I appear to have picked up some malware that is disabling my Malwarebytes and ESET antivirus on my Win XP machine. I noticed earlier today that I got a pop-up from Malwarebytes that a couple of malicious processes were trying to do some actions; I quarantined them at the time. The programs I quarantined were "Trojan.Fake.Apach", "Trojan.Ransom.Gend" and "Trojan.ED".



I tried to do a scan with Malwarebytes but it gave me a message that it could not open due to a software restriction policy, although I have never set any on my stand-alone PC. I tried to do an online scan with ESET but it gave me "error 8" and would not start. I downloaded a trial version of ESET but it will not start; it gives me the message "Error: Service 'ESET Service' (ekrn) failed to start. Verify that you have sufficient privileges to start system services".



I have reinstalled Malwarebytes and now it starts; however, it does not find any new threats, and I cannot enable the filesystem or malicious website blocking protection as I cannot check the boxes to turn them on. Lastly, my ZoneAlarm firewall icon has disappeared from the Taskbar and it doesn't seem that I can restart it.



What should I do first to resolve this?



Thank you for your help!
  • 0


#2
Dakeyras

    GeekU Mammoth

  • GeekU Moderator
  • 7,290 posts

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

Hi and welcome back to Geeks to Go. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self-fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:

Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or that you may need to take your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Download/run Rkill:

Please download Rkill from one of the following links below and save to your desktop.

Note: If one fails to work delete it and download/try another.

One, Two, Three, Four or Five

  • Double-click on Rkill to run it.
  • A command window will open, then disappear upon completion; this is normal.
  • Post the log created (rkill.txt, found on the desktop) in your next reply.
Scan with aswMBR:

Please download and save aswMBR to your desktop.

  • Double-click on aswMBR.exe to run it.
  • When prompted with "The application can use the Avast! Free Antivirus for scanning" >> select No.
  • Now click on the Scan button to start the scan.
  • On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply.
Note: There will also be a file on your desktop named MBR.dat (or similar). Do not delete this for now; it is an actual backup of the MBR (master boot record).

Scan with Farbar Recovery Scan Tool:

Please download and save Farbar Recovery Scan Tool 32-Bit to your desktop.

  • Double-click on FRST.exe to start FRST >> click on Yes at the disclaimer.
  • Under Optional Scan, ensure both Drivers MD5 and Addition.txt are selected.
  • Now click on the Scan button/radio tab >> at the Scan completed prompt click on OK.
  • At the next prompt, denoting that Addition.txt is saved in the same location the FRST tool is run from >> click on OK.
  • There will now be two logs on your desktop, Addition.txt and FRST.txt. Post the contents of both in your next reply.
Next:

When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now? Any further symptoms and/or problems encountered?
  • Rkill log.
  • aswMBR log.
  • Both FRST logs. <-- Post them individually please, i.e. one log per post/reply.

  • 0

#3
dino velvet

    Member

  • 10 posts
Hi, I have run ComboFix and then FRST, using the Fix function, and this has solved my issue. Here is a log of the FRST fix for others having this issue down the road...


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 22-10-2013
Ran by RG at 2013-10-22 15:45:55 Run:1
Running from C:\Documents and Settings\RG\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKLM Group Policy restriction on software: C:\Program Files\Alwil Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\BitDefender <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Lavasoft <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Panda Security <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\ESET <====== ATTENTION
S0 tgsbnnve; System32\drivers\gdduv.sys [x]
C:\WINDOWS\System32\drivers\gdduv.sys

*****************

HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
tgsbnnve => Service deleted successfully.
"C:\WINDOWS\System32\drivers\gdduv.sys " => File/Directory not found.

==== End of Fixlog ====
  • 0
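The fixlog above shows the mechanism behind the "software restriction policy" error: Software Restriction Policy (SRP) path rules planted under HKLM that disallow the directories of several security products. As an added example, not part of this thread, FRST or any of the tools named in it, the following PowerShell script enumerates the SRP path rules stored under the Safer\CodeIdentifiers key and flags Disallowed rules that point at those vendor directories. The watch list is constructed from the fixlog entries; extend it for your own environment.

```powershell
# Added example, not from the thread: list SRP path rules and flag those that
# block security-software directories. Read-only; run from an elevated prompt.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels are the subkey names under CodeIdentifiers.
$levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

# Constructed watch list, taken from the vendor paths in the fixlog above (assumption:
# these are the products you care about; add your own).
$watch = @('Malwarebytes', 'ESET', 'Alwil Software', 'BitDefender', 'Lavasoft', 'Panda Security')

function Get-SrpPathRules {
    if (-not (Test-Path $base)) { return @() }          # no SRP configured at all
    foreach ($lvl in Get-ChildItem $base) {
        $paths = Join-Path $lvl.PSPath 'Paths'
        if (-not (Test-Path $paths)) { continue }        # this level has no path rules
        foreach ($rule in Get-ChildItem $paths) {
            $p = Get-ItemProperty $rule.PSPath
            $name = $levels[$lvl.PSChildName]
            if (-not $name) { $name = $lvl.PSChildName }  # unknown level: show raw value
            [pscustomobject]@{
                Level   = $name
                Path    = $p.ItemData                    # the path the rule applies to
                RuleKey = $rule.PSChildName              # GUID of the rule subkey
            }
        }
    }
}

$rules = @(Get-SrpPathRules)
if ($rules.Count -eq 0) { Write-Host 'No SRP path rules found.'; return }

foreach ($r in $rules) {
    # A Disallowed rule on a security vendor's directory is the pattern in the fixlog.
    $hit  = $watch | Where-Object { $r.Path -like "*$_*" }
    $flag = if ($r.Level -eq 'Disallowed' -and $hit) { ' <====== ATTENTION' } else { '' }
    '{0,-12} {1}{2}' -f $r.Level, $r.Path, $flag
}
```

A legitimate administrator-configured SRP will normally show rules under the Unrestricted level for system paths; Disallowed rules naming only antivirus directories, with no policy ever set on the machine, are the sign of tampering rather than policy.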

#4
Dakeyras

    GeekU Mammoth

  • GeekU Moderator
  • 7,290 posts
Acknowledged...

Do you require any further assistance?
  • 0

#5
dino velvet

    Member

  • 10 posts
Everything is OK now, you can close this thread.
  • 0

#6
Dakeyras

    GeekU Mammoth

  • GeekU Moderator
  • 7,290 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured