Group policy corrupt

Thread starter: Crisha

Crisha

Hi,
I have a problem with my notebook: the group policy is corrupted! When I
try to go into the TCP/IP settings, or into peripherals management, I receive
a message: "You don't have permission".
My account is an administrator, and I have tried the Administrator account too,
but the problem persists.
I have tested the RAM memory, the antivirus and the HD.
I have tried creating a new administrator user.
When I open the Group Policy snap-in I can explore only some folders; in
other folders the notebook locks up.
I have tried to reset the GPO:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

The notebook locks up and I am forced to reset.
What can I do?
Help

Excuse my English
 
Go through these cleaning steps:
1. First, try to clean up your caches, Internet files and delete cookies
by doing this:
Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties window you will see these tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced
Under the General tab clear your History, Internet Files and Cookies.
Then click on the Advanced tab and scroll down to the Browsing option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) - uncheck this box.
Then click on the Programs tab, click Manage Add-Ons and disable all
non-verified add-ons (you should re-enable them later one by one to find
the culprit and update it or remove it).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
RootkitRevealer v1.71
By Bryce Cogswell and Mark Russinovich
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx


Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine (offline scanner):
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/

After the scan run disk cleanup on your drive.

2. Download HijackThis and send the report to one of the many
forums for analysis and troubleshooting:
http://www.merijn.org/index.php
When all else fails, HijackThis v2.0.2
(http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis) is
the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.
Download FixPolicies.exe to your Desktop:
http://downloads.malwareremoval.com/BillCastner\FixPolicies.exe
Courtesy of Bill Castner - "Operation has been cancelled, restrictions in
effect":
http://aumha.net/viewtopic.php?t=30889&highlight=&sid=d393f57a6d1797e7b9320db33e88a911

HTH.
Let us know how it is going.
nass
 
nass said:
Go through these cleaning steps:
1. First, try to clean up your caches, Internet files and delete cookies
by doing this:
Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties window you will see these tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced
Under the General tab clear your History, Internet Files and Cookies.
Then click on the Advanced tab and scroll down to the Browsing option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) - uncheck this box.
Then click on the Programs tab, click Manage Add-Ons and disable all
non-verified add-ons (you should re-enable them later one by one to find
the culprit and update it or remove it).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256

Ok, I have tried.
nass said:
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
RootkitRevealer v1.71
By Bryce Cogswell and Mark Russinovich
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

See the log file.

No virus found.
nass said:
After the scan run disk cleanup on your drive.

2. Download HijackThis and send the report to one of the many
forums for analysis and troubleshooting:
http://www.merijn.org/index.php
When all else fails, HijackThis v2.0.2
(http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis) is
the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.
Download FixPolicies.exe to your Desktop:
http://downloads.malwareremoval.com/BillCastner\FixPolicies.exe
Courtesy of Bill Castner - "Operation has been cancelled, restrictions in
effect":
http://aumha.net/viewtopic.php?t=30889&highlight=&sid=d393f57a6d1797e7b9320db33e88a911


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.56.02, on 01/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Programmi\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Hewlett-Packard\Driver di stampa mobile HP\HPBMOBIL.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Programmi\FreePDF_XP\fpassist.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Roberto Di Marco\Dati applicazioni\U3\0000162443752A2A\LaunchPad.exe
C:\Programmi\HijackThis v 2.0.2\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HP TV Now] C:\Programmi\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK
O4 - HKLM\..\Run: [HP Display Settings] C:\Programmi\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Driver di stampa mobile HP] C:\Programmi\Hewlett-Packard\Driver di stampa mobile HP\HPBMOBIL.EXE
O4 - HKLM\..\Run: [HPPresentationReady] C:\Programmi\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programmi\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-538525854-2826650621-2974146706-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferito portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX Control) - http://www.samsungdp.com/printerhelp/ActiveX/DrPrinter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96009FDC-2FD8-4BB5-85BF-0C162F9EB8FF}: NameServer = 151.99.125.1,151.99.125.2
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe

--
End of file - 5131 bytes

This is the log of RootkitRevealer:
HKLM\SECURITY\Policy\Secrets\SAC* 30/05/02 10.48 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 30/05/02 10.48 0 bytes Key name contains embedded nulls (*)
 
Please Hijackthis not here, try to send the log to an Italian forum or one
of the forums listed above.
Good luck.
HTH.
nass
 
You think I have a problem with malware? I have tried to post a message on
an Italian newsgroup,
but I have not yet solved the problem!
I think the problem isn't malware, but the system files of Group Policy.
I have tried the command: sfc /scannow
I have tried to replace the secedit.sdb file!
 
Do you have this path created on your machine?:
C:\windows\system32\GroupPolicy\User\Registry.pol


HOW TO Reset Security Settings Back to the Defaults:
http://support.microsoft.com/default.aspx?scid=kb;en-us;313222
Lift MMC/GPEDIT Snap-In Restrictions
http://www.kellys-korner-xp.com/regs_edits/mmc.reg

How to Identify a Damaged User Profile and Create a New Profile
http://support.microsoft.com/kb/811151
HTH.
nass
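Registry.pol, the file nass asks about, is the registry part of the local Group Policy object; MS-GPREG documents its layout as a "PReg" header plus a version DWORD, followed by [key;value;type;size;data] records whose names and delimiters are UTF-16LE. The following Python is an added example, not code from the thread or from any tool named in it: it builds a constructed sample file in memory and parses it back, so a defender can list exactly which policy values (and which `**del.` deletion instructions) a local Registry.pol applies; the sample registry paths and values are illustrative.

```python
import struct
REG_SZ, REG_DWORD = 1, 4
u16 = lambda s: s.encode("utf-16-le")  # names, delimiters and NULs are UTF-16LE

def build_pol(entries):  # (key, value, type, data) tuples -> Registry.pol bytes
    out = [b"PReg", struct.pack("<I", 1)]  # "PReg" magic + version 1
    for key, value, rtype, data in entries:
        out.append(u16("[%s\0;%s\0;" % (key, value)) + struct.pack("<I", rtype) + u16(";")
                   + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))
    return b"".join(out)

def parse_pol(blob):  # Registry.pol bytes -> list of (key, value, type, data)
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 Registry.pol file")
    pos, entries = 8, []
    def take(n):  # consume n raw bytes
        nonlocal pos
        pos += n
        return blob[pos - n:pos]
    def expect(ch):  # consume one UTF-16LE delimiter: '[', ';' or ']'
        if take(2) != u16(ch):
            raise ValueError("malformed record at offset %d" % (pos - 2))
    def read_str():  # NUL-terminated UTF-16LE string, scanned two bytes at a time
        end = pos
        while blob[end:end + 2] != b"\0\0":
            if end >= len(blob): raise ValueError("unterminated string at offset %d" % pos)
            end += 2
        return take(end - pos + 2)[:-2].decode("utf-16-le")
    while pos < len(blob):
        expect("["); key = read_str(); expect(";"); value = read_str(); expect(";")
        rtype, = struct.unpack("<I", take(4)); expect(";")
        size, = struct.unpack("<I", take(4)); expect(";")
        data = take(size); expect("]")
        entries.append((key, value, rtype, data))
    return entries

def describe(entries):  # one line per record; a '**del.' name is a deletion (MS-GPREG)
    out = []
    for key, value, rtype, data in entries:
        name, action = (value[6:], "DELETE") if value.lower().startswith("**del.") else (value, "SET")
        if rtype == REG_DWORD and len(data) == 4:
            data = struct.unpack("<I", data)[0]
        out.append("%s %s\\%s = %r" % (action, key, name, data))
    return out

SAMPLE = build_pol([  # constructed sample values, not taken from the thread
    (r"Software\Policies\Microsoft\MMC", "RestrictToPermittedSnapins", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "**del.NoRun", REG_SZ, u16(" \0")),
])
```

To inspect a real file, read it with open(path, "rb").read() and pass the bytes to parse_pol, then print the lines describe returns.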
 
nass said:
Do you have this path created on your machine?:
C:\windows\system32\GroupPolicy\User\Registry.pol

Yes, I have.

nass said:
HOW TO Reset Security Settings Back to the Defaults:
http://support.microsoft.com/default.aspx?scid=kb;en-us;313222

I have tried it; I told you in my first post!

I have tried, but there isn't any change!

nass said:
How to Identify a Damaged User Profile and Create a New Profile
http://support.microsoft.com/kb/811151

I have tried with the Administrator user and I have tried with a new Administrators
user! It isn't a profile problem. There is the problem in safe mode too.
 