[Solved] HKLM Group Policy restrictions ATTENTION

[Tony D]

There are many HKLM Group Policy restriction ATTENTION lines in the FRST report. Maybe they're there due to CryptoPrevent.

Here's an exaple. The full logs are attached.

HKLM Group Policy restriction on software: *.mp3.msh* <==== ATTENTION
HKLM Group Policy restriction on software: *.png.hta <==== ATTENTION
HKLM Group Policy restriction on software: *.7z.jse <==== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.isp <==== ATTENTION

I also note that MBAM starts with Windows. I have it set to NOT start with Windows. I'll have to play around with that.

Anything else to be concerned about in these logs? ESET said it was clean. I ran MBAM afterwards and it found PUPs. Kaspersky scan is clean.

Thanks much for looking.

 

[starbuck]

Hi Tony,

I was meant to be away for a few days, but woke up this morning and we're snowed in lol.
Might try and get away tomorrow if the roads have cleared a bit.

There are many HKLM Group Policy restriction ATTENTION lines in the FRST report. Maybe they're there due to CryptoPrevent.

Yes, those group policies are set by CryptoPrevent.
That's how it works.

I also note that MBAM starts with Windows. I have it set to NOT start with Windows. I'll have to play around with that.

Right click on the MB taskbar icon and then untick Start with Windows.

Anything else to be concerned about in these logs?

Not really.
There's only one line to remove.... but we may as well do that.

Copy the script within the quote box below: (make sure that you include Start:: and End:: as these are the clipboard notifiers.

Start::
CloseProcesses:
Task: {8EE22972-67D0-4F38-A658-B5609DD4CA91} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:
End::

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system

Re-run FRST/FRST64 (which ever is installed ) and press the Fix button just once and wait.

The tool will make a log in the same directory that FRST is run from (Fixlog.txt).
Please post this in your next reply.

 

[Tony D]

Looking good. Don't showel too much!

Fix result of Farbar Recovery Scan Tool (x64) Version: 26-12-2017
Ran by Hinkle (27-12-2017 17:38:20) Run:3
Running from C:\Users\Hinkle\Desktop
Loaded Profiles: Hinkle (Available Profiles: Hinkle)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
Task: {8EE22972-67D0-4F38-A658-B5609DD4CA91} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:

*****************

Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8EE22972-67D0-4F38-A658-B5609DD4CA91} => could not remove key. ErrorCode1: 0x00000002
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8EE22972-67D0-4F38-A658-B5609DD4CA91}" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => key not found

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 6053888 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 7009330 B
Java, Flash, Steam htmlcache => 1066 B
Windows/system/drivers => 31588509 B
Edge => 2870908 B
Chrome => 724205681 B
Firefox => 98270846 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 14870 B
NetworkService => 0 B
Hinkle => 321482391 B

RecycleBin => 1052526 B
EmptyTemp: => 1.1 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 17:40:23 ====

 

[starbuck]

1.1 GB temporary data Removed

the fix was worth running, just to clear this out.

 

[Tony D]

Yeah, I noticed that.

Thanks again