Thread ID: 139309 2015-04-11 11:36:00 Hitman Pro Error 1260 during update + three other issues Billy T (70) Press F1
Post ID Timestamp Content User
1398419 2015-04-12 08:19:00 If you still have anything relating to CryptoPrevent installed it may pay to remove it, that can be causing problems as well.

Oh.................Is CryptoPrevent a problem then? It has been installed for quite some time now, so if it was an issue I would have thought it might have shown up sooner, or is it just a matter of removing it to facilitate fixing the current issue, then reinstalling it?

I was familiar with cmd in the years of steam-driven computers with huge 250MB hard disks, but I assume that I just use Start/Run now.

I'll wait until morning to try this, it might feature in Monday Laughs.

Cheers

Billy 8-{)
Billy T (70)
1398420 2015-04-12 09:18:00 CryptoPrevent could be the cause of ALL the problems, to quote from cryptoprevent-does-it-work/ (www.bleepingcomputer.com) <<--------
CryptoPrevent artificially implants hundreds of group policy object rules into the registry in order to block executables

So basically it stops anything that wants to change those settings. The programs mentioned would all want to make changes deep in your system.
At the end of the day, any infection is a program that is written to do a certain task, whether it is good or bad intentions, so to stop such programs CryptoPrevent does a blanket block on everything.

Have a read of that link above, post #2 explains how to reverse the actions and explains in more details what it does.

Found on their site: READ THIS (www.bleepingcomputer.com)
wainuitech (129)
1398421 2015-04-12 10:29:00 Have a read of that link above, post #2 explains how to reverse the actions and explains in more details what it does.

Is this the 'Post #2' that you mention WT?:

Under the Prevention Section of that guide, one of the recommended tools is using CryptoPrevent to lock down any Windows OS to prevent infection by the Cryptolocker ransomware. CryptoPrevent artificially implants hundreds of group policy object rules into the registry in order to block executables (*.exe, *.com, *.scr and *.pif) and fake file extension executables in certain locations (i.e. %AppData%, %LocalAppData%, Recycle Bin) from running. This allows it to stop other malicious files in addition to Cryptolocker. You can also use Command Line Parameters and manually whitelist individual items or automatically whitelist all .exe files currently found in the locations that would be blocked. The changes can be reversed by re-running the tool and selecting Undo, then rebooting. The free version of CryptoPrevent permits manually checking for updates. CryptoPrevent Premium (a one-time charge) keeps CryptoPrevent up-to-date automatically with free updates for life and can be used on all your home computers.

It seems to be, and I more or less understand the principles of CryptoPrevent's operation, but I'm afraid the 'processes' are largely incomprehensible to me. What I don't understand is that I have had CP running for about 12 months more or less but if that is the cause, why is it that only now has CP decided to throw a spanner in the works? I do not recollect seeing any adverse comment about CP on PF1 and if I had, it would have been uninstalled very quickly, which I'm picking might have dug a deeper hole than I'm in at present!

Does this: The changes can be reversed by re-running the tool and selecting Undo, then rebooting. offer any way out?

Cheers

Billy 8-{)
Billy T (70)
1398422 2015-04-12 11:11:00 That's the post Billy :)

I was just thinking outside the square so to speak. All the other places (obvious places) are showing as being OK. The software Policies is showing empty, various antimalware programs that do run have found nothing.

Looking at the error(s) 1260, to Quote MS
Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy

A restriction policy is stopping the actions by the programs trying to be installed. ( as you mentioned in the past posts-error messages)

There's another thought. -- Open the eventvwr and at the time the programs failed there should be an error message describing the restricted policy blocking the program & its path (I think)

At the end of the last post, is a link, the key point is :
If you use Software Restriction Policies, or CryptoPrevent, to block CryptoLocker you may find that some legitimate applications no longer run. This is because some companies mistakenly install their applications under a user's profile rather than in the Program Files folder where they belong. Due to this, the Software Restriction Policies will prevent those applications from running.

I've never actually used CryptoPrevent. Like yourself I use MailWasher, and any mails that come through get checked before allowed through, esp. ones with zipped attachments. Going by those instructions in the link, if you re-run the program installer there's an option to reverse the policies back to default after rebooting.

This "Should" allow the programs to install. If it doesn't then it's a real mystery to me as to where they are being blocked.

There was a KB put out by MS sept last year which did similar, but XP was NOT included, it was W7 onwards.
wainuitech (129)
1398423 2015-04-12 11:27:00 If I get a chance tomorrow I'll throw CryptoPrevent on an XP install if I can find one that will boot and see if it screws the installs and removing reverses it. wainuitech (129)
1398424 2015-04-13 01:45:00 I've spent a few hours looking through Event Viewer and although I am none the wiser from the experience, I have found a string of entries referring to Hitman Pro, and some others that I think are related. There is a swathe of other entries, but these seem to run closest to the start of this problem.

I think I saw a reference to Crypto Prevent as well but I can't see it at present so a further search will be needed. I hope these can shed some light on the situation.

Lastly, is it possible to copy the Eventviewer file in its entirety and send that as an attachment because I may be missing some vital information simply because I don't recognise its importance.

Cheers

Billy 8-{) :waughh:




Event Viewer Logs:

There are entries in Applications and System.

There is nothing in Internet Explorer (not currently in use anyway) or Security.

Application errors are mostly warnings of software restrictions, plus a few confined to miscellaneous applications.

The following is a representative listing of warning and error messages:


Warning: 12-2-2015
The content source <mapi://{s-1-5-21-2025429265-1078145449-682003330-1003}/> cannot be accessed.

Context: Application, SystemIndex Catalog
Details: A server error occurred. Check that the server is available. (0x80041206)

--------------------------
Warning: 12-04-2015
User Env Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

--------------------------
Warning: 26-02-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 12-04-2014
Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {1eaed502-a99b-4c6a-b926-04d2d244e439} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 27-1-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 12-04-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {1eaed502-a99b-4c6a-b926-04d2d244e439} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 27-01-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 27-03-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\jre-8u40-windows-au.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 03-04-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\jre-8u40-windows-au.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe [This is Java related and might explain my Java update issues]

--------------------------
Warning: 10-04-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\jre-8u40-windows-au.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 15-01-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 15-01-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe


Ends, but many more in the files.
Billy T (70)
1398425 2015-04-13 02:27:00 Clutching at straws, but might work......

Use system restore & restore the PC to say a month ago (before the infection/issues). Then run the malware scans.
But chances are, if it's infected, all the restore points will have been deleted.

As a last resort, you can often restore the registry to old versions manually, that should fix any policy issues (not the easiest thing if you've never done it before)

If you have another PC, make a bootable Hitman CD, or download Hitman Kickstart & Eset/Nod rescue CD on another PC & scan the PC with those.
www.surfright.nl
www.eset.com
1101 (13337)
1398426 2015-04-13 02:54:00 99% sure the problem is Cryptoprevent.

Loaded up an XP Home this morning -- installed CryptoPrevent, then tried to run Trend HouseCall (since you mentioned it)

Is this the error -- Replicating the problem ?

The Error report in applications was
SUSPICIOUS APPLICATION BLOCKED

Access to C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS1.tmp\setup.exe has been restricted by your Administrator by location with policy rule {b5714453-c317-4878-861c-cbb447e821da} placed on path C:\Documents and Settings\Owner\Local Settings\Temp\7z*\*.exe

Uninstalled CryptoPrevent via Revo Uninstaller using advanced mode which took out quite a few reg entries it had put in, rebooted then re-ran Trend HouseCall without a problem.
wainuitech (129)
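
An added example, not part of any post in this thread: a small Python parser for the "restricted by location" warnings quoted above, which groups them by policy rule so the rule path and the executables it blocked are visible at a glance. The sample messages are constructed from the entries quoted in the thread; the function names and the choice of Python are this example's own.

```python
import re
from collections import defaultdict
from ntpath import basename  # handles backslash paths on any OS

# Wording of the software restriction warning as quoted in the thread.
SRP_BLOCK = re.compile(
    r"Access to (?P<target>.+?) has been restricted by your Administrator "
    r"by location with policy rule (?P<rule>\{[0-9A-Fa-f-]{36}\}) "
    r"placed on path (?P<rule_path>.+)$"
)

# Constructed sample: messages rebuilt from entries quoted in the thread,
# plus one unrelated warning that the parser must ignore.
_MSG = ("Access to {} has been restricted by your Administrator by location "
        "with policy rule {} placed on path {}")
_TEMP = r"C:\Documents and Settings\John\Local Settings\Temp\*.exe"
SAMPLE = [
    _MSG.format(r"C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe",
                "{f3a01406-2c7a-4968-9e56-1bcf37d268ff}", _TEMP),
    _MSG.format(r"C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe",
                "{1eaed502-a99b-4c6a-b926-04d2d244e439}", _TEMP),
    _MSG.format(r"C:\DOCUME~1\John\LOCALS~1\Temp\jre-8u40-windows-au.exe",
                "{f3a01406-2c7a-4968-9e56-1bcf37d268ff}", _TEMP),
    _MSG.format(r"C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS1.tmp\setup.exe",
                "{b5714453-c317-4878-861c-cbb447e821da}",
                r"C:\Documents and Settings\Owner\Local Settings\Temp\7z*\*.exe"),
    "User Env Windows cannot unload your classes registry file",
]

def parse_block(message):
    """Return target, rule GUID and rule path, or None for other messages."""
    m = SRP_BLOCK.search(message.strip())
    if m is None:
        return None
    return {"target": m["target"], "rule": m["rule"].lower(),
            "rule_path": m["rule_path"]}

def summarise(messages):
    """Group blocked executables (by file name) under the rule that hit them."""
    rules = defaultdict(lambda: {"rule_path": None, "blocked": defaultdict(int)})
    for msg in messages:
        hit = parse_block(msg)
        if hit is None:
            continue
        rules[hit["rule"]]["rule_path"] = hit["rule_path"]
        # The target is logged in 8.3 short form, so compare file names only.
        rules[hit["rule"]]["blocked"][basename(hit["target"]).lower()] += 1
    return {r: {"rule_path": e["rule_path"], "blocked": dict(e["blocked"])}
            for r, e in rules.items()}

if __name__ == "__main__":
    for rule, info in summarise(SAMPLE).items():
        print(rule, info["rule_path"], info["blocked"])
```
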
1398427 2015-04-13 04:02:00 99% sure the problem is Cryptoprevent.

OK, now you can be 100% sure!

Revo'd CryptoPrevent and apart from the Java update and TUC, which are of lower priority, everything else is now back to normal.

Thank you for the time and effort you have put into this issue Wainui, and I hope that it will solve similar problems for other members, especially in relation to CryptoProtect.

I am very grateful for your kind assistance.

Cheers

Billy 8-{) :clap
Billy T (70)