Hitman Pro Error 1260 during update + three other issues



Billy T
11-04-2015, 10:36 PM
Hi Team. Problems per the title, Update starts ok but then throws up the 1260 error.


Secondly, I cannot update MS Security Essentials. It takes an inordinately long time to download new definitions, then quits with an 'internet connectivity' error message.

Yes, I know I should have abandoned MSE long ago but I am overloaded with work at present (this is a good thing) so I am loath to make changes that might cause me grief.

Thirdly I still have the Java Update problem that says something along the lines of administrator privileges.

Fourthly, I cannot logon to TUC (Traffic Usage Checker). This came out of the blue, one day it was fine, next day not and it appears to be a logon problem.

The Java issue appeared first, and I'm wondering if the others are a flow-on effect of some sort.

There are no other issues apparent, no passwords have been changed and everything else seems OK.

Any ideas??


Cheers

Billy 8-{) :confused:


Now I'm getting worried! Trend Micro Housecall throws up exactly the same administrator message as the Java issue. That makes four other issues

wainuitech
11-04-2015, 11:10 PM
It's all to do with the same thing. Malware of some description has gotten in and changed the policies, which in turn is stopping ANY type of antimalware / Antivirus program from running.

I can't test this as I don't have a XP home (which I assume you have still). Normally you would use gpedit, but home editions don't have it.

Did find this though - No idea if it works or not, so try at your own risk.


Click Start > Run and type secpol.msc and hit enter

Select and highlight "Software Restriction Policies." This will show you the options on the right hand side of the screen. Once you have "Software Restriction Policies" highlighted, click on "Actions" at the top of the group policy object editor window. In this menu choose "Delete Software Restriction Policy." An alert window will pop up, asking if you are sure you want to delete all the software restriction policies. Click "Yes."



From post #6 here http://www.windowsbbs.com/windows-xp/97419-software-restriction-policy.html

gary67
12-04-2015, 08:27 AM
I would also at least run the Nod32 online scanner, I did this recently on an infected laptop and it fixed it. It took an hour to run.

dugimodo
12-04-2015, 09:24 AM
Risky to diagnose anything remotely of course, but as mentioned this type of program blocking is something some malware is known to do. Basically they are written to prevent anything that might detect or remove them from doing so. As well as Wainui and Gary's suggestions I'd be looking at running some other malware scanners also if you can get any to run. Maybe try safemode with networking and run MBAM, NOD32 online, etc.

I've been stubbornly sticking to MSE/Defender myself and haven't had any issues but every time these threads come up I consider moving to NOD32. For me the threat of losing everything and starting over is not that bad so I don't worry too much but for some people it would be a major issue and might be worth considering better protection.

Billy T
12-04-2015, 10:40 AM
It's all to do with the same thing. Malware of some description has gotten in and changed the policies, which in turn is stopping ANY type of antimalware / Antivirus program from running.

I can't test this as I don't have a XP home (which I assume you have still). Normally you would use gpedit, but home editions don't have it.


Hi Wainui

OS is XP-Pro

Presumably that makes a difference

Cheers

Billy 8-{)

Billy T
12-04-2015, 10:57 AM
Forgot to mention, I ran MWB last night and it did a full scan but found nothing. I'll see if NOD32 will run.

Cheers

Billy 8-{)

wainuitech
12-04-2015, 10:57 AM
Hi Billy, being XP Pro does make a difference :) In the last post, there's a link http://www.windowsbbs.com/windows-xp/97419-software-restriction-policy.html and in post #6 there's another link -- Direct Link http://www.ehow.com/how_6862152_delete-software-restriction-policies.html You need #3 & 4

Have a read of both; the first link tells you how to open gpedit.

As mentioned, I have not tried it as mine don't have any entries in the restriction windows, so can't test it.

To your post above -- if policies have changed, antivirus software may not find anything. Something has changed them and may have already been removed by other antimalware, but their actions to the policies will stay the same.

Edited: Just created some policies to show with Pictures.
1st - no policies
2nd - Policies
3rd - deleting

Billy T
12-04-2015, 04:29 PM
OK

I found a way to run Hitman Pro at its existing settings and definitions etc, but that raised no issues.

Secondly, I found Gpedit OK and found that there were no logged restrictions (see screen dump).

Something else or something deeper is going on here :(

Cheers

Billy 8-{) :confused:

wainuitech
12-04-2015, 05:27 PM
Hmmmmm OK, you can try resetting the policies. You need to open a cmd and type or copy paste the following instructions.

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

As described http://windowsitpro.com/windows/jsi-tip-5571-how-do-i-reset-windows-2000-windows-xp-security-back-default-settings and http://nj180degree.net/2010/11/01/restore-windows-security/

If that doesn't work, take it out back and shoot it :p

Edited: if you still have anything relating to CryptoPrevent installed it may pay to remove it, that can be causing problems as well.

Billy T
12-04-2015, 07:19 PM
If you still have anything relating to CryptoPrevent installed it may pay to remove it, that can be causing problems as well.

Oh.................Is CryptoPrevent a problem then? It has been installed for quite some time now, so if it was an issue I would have thought it might have shown up sooner, or is it just a matter of removing it to facilitate fixing the current issue, then reinstalling it?

I was familiar with cmd in the years of steam-driven computers with huge 250MB hard disks, but I assume that I just use Start/Run now.

I'll wait until morning to try this, it might feature in Monday Laughs.

Cheers

Billy 8-{)

wainuitech
12-04-2015, 08:18 PM
CryptoPrevent could be the cause of ALL the problems, to quote from cryptoprevent-does-it-work/ (http://www.bleepingcomputer.com/forums/t/525028/cryptoprevent-does-it-work/) <<--------
CryptoPrevent artificially implants hundreds of group policy object rules into the registry in order to block executables

So basically it stops anything that wants to change those settings. The programs mentioned would all want to make changes deep in your system.
At the end of the day, any infection is a program that is written to do a certain task, whether it is good or bad intentions, so to stop such programs CryptoPrevent does a blanket block on everything.

Have a read of that link above, post #2 explains how to reverse the actions and explains in more details what it does.

Found on their site: READ THIS (http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#enableapp)

Billy T
12-04-2015, 09:29 PM
Have a read of that link above, post #2 explains how to reverse the actions and explains in more details what it does.

Is this the 'Post #2' that you mention WT?:

Under the Prevention Section of that guide, one of the recommended tools is using CryptoPrevent to lock down any Windows OS to prevent infection by the Cryptolocker ransomware. CryptoPrevent artificially implants hundreds of group policy object rules into the registry in order to block executables (*.exe, *.com, *.scr and *.pif) and fake file extension executables in certain locations (i.e. %AppData%, %LocalAppData%, Recycle Bin) from running. This allows it to stop other malicious files in addition to Cryptolocker. You can also use Command Line Parameters and manually whitelist individual items or automatically whitelist all .exe files currently found in the locations that would be blocked. The changes can be reversed by re-running the tool and selecting Undo, then rebooting. The free version of CryptoPrevent permits manually checking for updates. CryptoPrevent Premium (a one-time charge) keeps CryptoPrevent up-to-date automatically with free updates for life and can be used on all your home computers.

It seems to be, and I more or less understand the principles of CryptoPrevent's operation, but I'm afraid the 'processes' are largely incomprehensible to me. What I don't understand is that I have had CP running for about 12 months more or less but if that is the cause, why is it that only now has CP decided to throw a spanner in the works? I do not recollect seeing any adverse comment about CP on PF1 and if I had, it would have been uninstalled very quickly, which I'm picking might have dug a deeper hole than I'm in at present!

Does this: "The changes can be reversed by re-running the tool and selecting Undo, then rebooting." offer any way out?

Cheers

Billy 8-{)

wainuitech
12-04-2015, 10:11 PM
That's the post, Billy :)

I was just thinking outside the square so to speak. All the other places (obvious places) are showing as being OK. The Software Policies is showing empty, and various antimalware programs that do run have found nothing.

Looking at the error(s) 1260, to Quote MS
Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy

A restriction policy is stopping the actions by the programs trying to be installed. ( as you mentioned in the past posts-error messages)

There's another thought. -- Open the eventvwr and at the time the programs failed there should be an error message describing the restricted policy blocking the program & its path (I think)

At the end of the last post, is a link, the key point is :
If you use Software Restriction Policies, or CryptoPrevent, to block CryptoLocker you may find that some legitimate applications no longer run. This is because some companies mistakenly install their applications under a user's profile rather than in the Program Files folder where they belong. Due to this, the Software Restriction Policies will prevent those applications from running.

I've never actually used CryptoPrevent. Like yourself I use mailwasher, and any mails that come through get checked before allowed through, esp ones with zipped attachments. Going by those instructions in the link, if you re-run the program installer there's an option to reverse the policies back to default after rebooting.

This "Should" allow the programs to install. If it doesn't then it's a real mystery to me as to where they are being blocked.

There was a KB put out by MS sept last year which did similar, but XP was NOT included, it was W7 onwards.

wainuitech
12-04-2015, 10:27 PM
If I get a chance tomorrow I'll throw CryptoPrevent on a XP install if I can find one that will boot and see if it screws the installs and removing reverses it.

Billy T
13-04-2015, 12:45 PM
I've spent a few hours looking through Event Viewer and although I am none the wiser from the experience, I have found a string of entries referring to Hitman Pro, and some others that I think are related. There is a swathe of other entries, but these seem to run closest to the start of this problem.

I think I saw a reference to Crypto Prevent as well but I can't see it at present so a further search will be needed. I hope these can shed some light on the situation.

Lastly, is it possible to copy the Eventviewer file in its entirety and send that as an attachment, because I may be missing some vital information simply because I don't recognise its importance?

Cheers

Billy 8-{) :waughh:




Event Viewer Logs:

There are entries in Applications and System.

There is nothing in Internet Explorer (not currently in use anyway) or Security.

Application errors are mostly warnings of software restrictions, plus a few confined to miscellaneous applications.

The following is a representative listing of warning and error messages:


Warning: 12-2-2015
The content source <mapi://{s-1-5-21-2025429265-1078145449-682003330-1003}/> cannot be accessed.

Context: Application, SystemIndex Catalog
Details: A server error occurred. Check that the server is available. (0x80041206)

--------------------------
Warning : 12-04-2015
User Env Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

--------------------------
Warning: 26-02-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 12-04-2014
Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {1eaed502-a99b-4c6a-b926-04d2d244e439} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 27-1-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 12-04-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {1eaed502-a99b-4c6a-b926-04d2d244e439} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 27-01-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 27-03-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\jre-8u40-windows-au.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 03-04-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\jre-8u40-windows-au.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe (This is Java related and might explain my Java update issues)

--------------------------
Warning: 10-04-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\jre-8u40-windows-au.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 15-01-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe

--------------------------
Warning: 15-01-2015
Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe


Ends, but many more in the files.
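
The Event Viewer check suggested earlier in the thread, applied to the warnings posted above, as an added example that is not part of any post: a short Python script that groups Software Restriction Policy warnings by the path rule that fired, so one blocking rule shows up as a single entry with the installers it stopped. The sample events are transcribed from the thread; the function and variable names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime
from ntpath import basename  # Windows path rules, usable on any OS

# Wording of the SRP warnings quoted in the thread ("by location" = a path rule).
SRP_RE = re.compile(
    r"Access to (?P<target>.+?) has been restricted by your Administrator "
    r"by location with policy rule (?P<rule>\{[0-9a-fA-F-]{36}\}) "
    r"placed on path (?P<pattern>.+?)\s*$"
)

# (date, message) pairs transcribed from the excerpts in the thread: five from the
# affected PC, one unrelated warning, and the one from the XP Home test install.
EVENTS = [
    ("15-01-2015", r"Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe"),
    ("27-1-2015", r"Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe"),
    ("27-03-2015", r"Access to C:\DOCUME~1\John\LOCALS~1\Temp\jre-8u40-windows-au.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe"),
    ("10-04-2015", r"Access to C:\DOCUME~1\John\LOCALS~1\Temp\jre-8u40-windows-au.exe has been restricted by your Administrator by location with policy rule {f3a01406-2c7a-4968-9e56-1bcf37d268ff} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe"),
    ("12-04-2015", r"Access to C:\DOCUME~1\John\LOCALS~1\Temp\HitmanPro.exe has been restricted by your Administrator by location with policy rule {1eaed502-a99b-4c6a-b926-04d2d244e439} placed on path C:\Documents and Settings\John\Local Settings\Temp\*.exe"),
    ("12-04-2015", "Windows cannot unload your classes registry file - it is still in use by other applications or services."),
    ("13-04-2015", r"Access to C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS1.tmp\setup.exe has been restricted by your Administrator by location with policy rule {b5714453-c317-4878-861c-cbb447e821da} placed on path C:\Documents and Settings\Owner\Local Settings\Temp\7z*\*.exe"),
]


def summarize(events):
    """Group SRP blocks by the rule path pattern that triggered them."""
    grouped = defaultdict(lambda: {"rules": set(), "programs": set(), "dates": []})
    for date, message in events:
        m = SRP_RE.search(message)
        if not m:
            continue  # not a Software Restriction Policy warning
        entry = grouped[m["pattern"]]
        entry["rules"].add(m["rule"])
        entry["programs"].add(basename(m["target"]))
        entry["dates"].append(datetime.strptime(date, "%d-%m-%Y").date())
    return {
        pattern: {
            "rules": sorted(e["rules"]),        # rule GUIDs seen for this pattern
            "programs": sorted(e["programs"]),  # executables that were refused
            "first": min(e["dates"]),
            "last": max(e["dates"]),
            "hits": len(e["dates"]),
        }
        for pattern, e in grouped.items()
    }


if __name__ == "__main__":
    for pattern, info in summarize(EVENTS).items():
        print(pattern, info)
```
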

1101
13-04-2015, 01:27 PM
Clutching at straws, but might work......

Use system restore & restore the PC to say a month ago (before the infection/issues). Then run the malware scans.
But chances are, if it's infected, all the restore points will have been deleted.

As a last resort, you can often restore the registry to old versions manually, that should fix any policy issues (not the easiest thing if you've never done it before)

If you have another PC , make a bootable Hitman CD , or download Hitman Kickstart & Eset/Nod rescue CD on another PC & scan the PC with those.
http://www.surfright.nl/en/kickstart
http://www.eset.com/int/support/sysrescue/

wainuitech
13-04-2015, 01:54 PM
99% sure the problem is Cryptoprevent.

loaded up a XP home this morning-- installed Cryptoprevent, then tried to run Trend housecall ( since you mentioned it)

Is this the error -- Replicating the problem ?


The Error report in applications was
SUSPICIOUS APPLICATION BLOCKED

Access to C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS1.tmp\setup.exe has been restricted by your Administrator by location with policy rule {b5714453-c317-4878-861c-cbb447e821da} placed on path C:\Documents and Settings\Owner\Local Settings\Temp\7z*\*.exe

Uninstalled CryptoPrevent via Revo uninstaller using advanced mode, which took out quite a few reg entries it had put in, rebooted, then re-ran Trend HouseCall without a problem.

Billy T
13-04-2015, 03:02 PM
99% sure the problem is Cryptoprevent.

OK, now you can be 100% sure!

Revo'd CryptoPrevent and apart from the Java update and TUC, which are of lower priority, everything else is now back to normal.

Thank you for the time and effort you have put into this issue Wainui, and I hope that it will solve similar problems for other members, especially in relation to CryptoProtect.

I am very grateful for your kind assistance.

Cheers

Billy 8-{) :clap