From: Crisha on 31 Dec 2007 10:58
Hi,
I have a problem with my notebook: the group policies are corrupted! When I try to go into the TCP/IP settings, or into peripherals management, I receive a message: "You don't have a permission".
My account is an administrator, and I have tried the Administrator account too, but the problem persists.
I have tested the RAM memory, tested antivirus and HD.
I have tried creating a new administrator user.
When I open the Group Policy snap-in I can explore only some folders; in other folders the notebook blocks.
I have tried to reset the GPO:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

The notebook blocks and I am forced to reset.
What can I do?
Help

Excuse my English

----------
Crisha
From: nass on 31 Dec 2007 13:07
"Crisha" wrote:
> Hi,
> I have a problem with my notebook: the group policies are corrupted! When I try to go into the TCP/IP settings, or into peripherals management, I receive a message: "You don't have a permission".
> My account is an administrator, and I have tried the Administrator account too, but the problem persists.
> I have tested the RAM memory, tested antivirus and HD.
> I have tried creating a new administrator user.
> When I open the Group Policy snap-in I can explore only some folders; in other folders the notebook blocks.
> I have tried to reset the GPO:
>
> secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
>
> The notebook blocks and I am forced to reset.
> What can I do?
> Help
>
> Excuse my English
>
> ----------
> Crisha

Go through these Cleaning steps:
1... First, try to clean up your caches, Internet files and delete cookies by doing this:
Click Start >> Control Panel >> Double click Network and Internet Connections >> Double click Internet Options.
On the IE properties window you will see these Tabs:
General | Security | Privacy | Content | Connections | Programs | Advanced
Under General Tab clear your History, Internet Files and Cookies.
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
Then click on Programs Tab and click Manage Add-Ons and Disable all non Verified Add-Ons (You should Re-enable them later one-by-one and see the culprit and update it or remove it).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256

Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
RootkitRevealer v1.71
By Bryce Cogswell and Mark Russinovich
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine (offline scanner):
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/

After the scan run disk cleanup on your drive.

2- Download the Hijackthis and send the report to one of many forums for analysis and troubleshooting:
http://www.merijn.org/index.php
When all else fails, HijackThis v2.0.2 (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post your log to http://aumha.net/viewforum.php?f=30, http://castlecops.com/forum67.html, http://forums.subratam.org/index.php?showforum=7, or other appropriate forums for expert analysis, not here.
Download to your Desktop FixPolicies.exe:
http://downloads.malwareremoval.com/BillCastner%5CFixPolicies.exe
Courtesy of Bill Castner -Operation has been cancelled restrictions in effect..
http://aumha.net/viewtopic.php?t=30889&highlight=&sid=d393f57a6d1797e7b9320db33e88a911

HTH.
Let us know how it is going.
nass
----
http://www.nasstec.co.uk
From: Crisha on 1 Jan 2008 14:01
> Go through these Cleaning steps:
> 1... First, try to clean up your caches, Internet files and delete cookies by doing this:
> Click Start >> Control Panel >> Double click Network and Internet Connections >> Double click Internet Options.
> On the IE properties window you will see these Tabs:
> General | Security | Privacy | Content | Connections | Programs | Advanced
> Under General Tab clear your History, Internet Files and Cookies.
> Then click on Advanced tab and scroll down to under the Browsing Option:
> [&] Browsing
> [ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
> Then click on Programs Tab and click Manage Add-Ons and Disable all non Verified Add-Ons (You should Re-enable them later one-by-one and see the culprit and update it or remove it).
> How to manage Add-Ons:
> http://support.microsoft.com/kb/883256

Ok, I have tried

> Scan for malware from here:
> SuperAntispyware - Free
> http://www.superantispyware.com/superantispywarefreevspro.html
> RootkitRevealer v1.71
> By Bryce Cogswell and Mark Russinovich
> http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

See log file

> Run a scan from here on-line:
> http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
> http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
> Download Avast Cleaner (offline scanner) from here:
> http://www.avast.com/eng/avast-virus-cleaner.html
> Lots of tools to download and disinfect your machine (offline scanner):
> http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/

No virus found

> After the scan run disk cleanup on your drive.
>
> 2- Download the Hijackthis and send the report to one of many forums for analysis and troubleshooting:
> http://www.merijn.org/index.php
> When all else fails, HijackThis v2.0.2 (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis) is the preferred tool to use.
> It will help you to both identify and remove any hijackware/spyware. Post your log to http://aumha.net/viewforum.php?f=30, http://castlecops.com/forum67.html, http://forums.subratam.org/index.php?showforum=7, or other appropriate forums for expert analysis, not here.
> Download to your Desktop FixPolicies.exe:
> http://downloads.malwareremoval.com/BillCastner%5CFixPolicies.exe
> Courtesy of Bill Castner -Operation has been cancelled restrictions in effect..
> http://aumha.net/viewtopic.php?t=30889&highlight=&sid=d393f57a6d1797e7b9320db33e88a911

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.56.02, on 01/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

This is log of Rootkit reveal:
HKLM\SECURITY\Policy\Secrets\SAC* 30/05/02 10.48 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 30/05/02 10.48 0 bytes Key name contains embedded nulls (*)

---------
Crisha
From: nass on 1 Jan 2008 14:45
"Crisha" wrote:
> > Go through these Cleaning steps:
> > 1... First, try to clean up your caches, Internet files and delete cookies by doing this:
> > Click Start >> Control Panel >> Double click Network and Internet Connections >> Double click Internet Options.
> > On the IE properties window you will see these Tabs:
> > General | Security | Privacy | Content | Connections | Programs | Advanced
> > Under General Tab clear your History, Internet Files and Cookies.
> > Then click on Advanced tab and scroll down to under the Browsing Option:
> > [&] Browsing
> > [ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
> > Then click on Programs Tab and click Manage Add-Ons and Disable all non Verified Add-Ons (You should Re-enable them later one-by-one and see the culprit and update it or remove it).
> > How to manage Add-Ons:
> > http://support.microsoft.com/kb/883256
>
> Ok, I have tried
>
> > Scan for malware from here:
> > SuperAntispyware - Free
> > http://www.superantispyware.com/superantispywarefreevspro.html
> > RootkitRevealer v1.71
> > By Bryce Cogswell and Mark Russinovich
> > http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx
>
> See log file
>
> > Run a scan from here on-line:
> > http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
> > http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
> > Download Avast Cleaner (offline scanner) from here:
> > http://www.avast.com/eng/avast-virus-cleaner.html
> > Lots of tools to download and disinfect your machine (offline scanner):
> > http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/
>
> No virus found
>
> > After the scan run disk cleanup on your drive.
> >
> > 2- Download the Hijackthis and send the report to one of many forums for analysis and troubleshooting:
> > http://www.merijn.org/index.php
> > When all else fails, HijackThis v2.0.2 (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis) is the preferred tool to use.
> > It will help you to both identify and remove any hijackware/spyware. Post your log to http://aumha.net/viewforum.php?f=30, http://castlecops.com/forum67.html, http://forums.subratam.org/index.php?showforum=7, or other appropriate forums for expert analysis, not here.
> > Download to your Desktop FixPolicies.exe:
> > http://downloads.malwareremoval.com/BillCastner%5CFixPolicies.exe
> > Courtesy of Bill Castner -Operation has been cancelled restrictions in effect..
> > http://aumha.net/viewtopic.php?t=30889&highlight=&sid=d393f57a6d1797e7b9320db33e88a911
>
> This is log of Rootkit reveal:
> HKLM\SECURITY\Policy\Secrets\SAC* 30/05/02 10.48 0 bytes Key name contains embedded nulls (*)
> HKLM\SECURITY\Policy\Secrets\SAI* 30/05/02 10.48 0 bytes Key name contains embedded nulls (*)
>
> ---------
> Crisha

Please Hijackthis not here, try to send the log to an Italian forum or one of the forums listed above.
Good luck.
HTH.
nass
---
http://www.nasstec.co.uk
From: Crisha on 2 Jan 2008 03:39
> Please Hijackthis not here, try to send the log to an Italian forum or one of the forums listed above.
> Good luck.
> HTH.
> nass
> ---
> http://www.nasstec.co.uk

Do you think I have a problem with malware?
I have tried to post a message on an Italian newsgroup, but I have not yet solved the problem!
I think the problem isn't the malware, but the system files of Group Policy.
I have tried the command:

sfc /scannow

I have tried to replace the secedit.sdb file!