#1 | 01-13-2008, 02:04 AM | Crisha
Group policy corrupt

Hi,
I have a problem with my notebook: the group policy is corrupted! When I try to go into the TCP/IP settings, or into peripherals management, I receive a message: "You don't have permission".
My account is an Administrator, and I have tried the Administrator account too, but the problem persists.
I have tested the RAM, tested for viruses, and tested the HD.
I have tried creating a new Administrators user.
When I open the Group Policy snap-in I can explore only some folders; in other folders the notebook hangs.
I have tried to reset the GPO:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

The notebook hangs and I am forced to reset.
What can I do?
Help

Excuse my English

----------
Crisha


#2 | 01-13-2008, 02:04 AM | nass
RE: Group policy corrupt

Go through these cleaning steps:
1. First, try to clean up your caches, Internet files and delete cookies by doing this:
Click Start >> Control Panel >> double-click Network and Internet Connections >> double-click Internet Options.
On the IE Properties window you will see these tabs:
General | Security | Privacy | Content | Connections | Programs | Advanced
Under the General tab clear your History, Internet Files and Cookies.
Then click on the Advanced tab and scroll down to the Browsing option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest): uncheck this box.
Then click on the Programs tab, click Manage Add-ons and disable all non-verified add-ons (you should re-enable them later one by one to find the culprit, and update it or remove it).
How to manage add-ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/supe...freevspro.html
RootkitRevealer v1.71
By Bryce Cogswell and Mark Russinovich
http://www.microsoft.com/technet/sys...tRevealer.mspx

Run a scan from here on-line:
http://security.symantec.com/sscv6/d...d=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine (offline scanner):
http://www.bitdefender.co.uk/site/Do...eeRemovalTool/

After the scan, run Disk Cleanup on your drive.

2. Download HijackThis and send the report to one of many forums for analysis and troubleshooting:
http://www.merijn.org/index.php
When all else fails, HijackThis v2.0.2 (http://www.trendsecure.com/portal/en...ols/hijackthis) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post your log to http://aumha.net/viewforum.php?f=30, http://castlecops.com/forum67.html, http://forums.subratam.org/index.php?showforum=7, or other appropriate forums for expert analysis, not here.
Download FixPolicies.exe to your Desktop:
http://downloads.malwareremoval.com/...ixPolicies.exe
Courtesy of Bill Castner - "Operation has been cancelled ... restrictions in effect":
http://aumha.net/viewtopic.php?t=308...320db33e88a911

HTH.
Let us know how it is going.
nass
----
http://www.nasstec.co.uk

#3 | 01-13-2008, 02:04 AM | Crisha
Re: Group policy corrupt

> Go through these cleaning steps:
> 1. First, try to clean up your caches, Internet files and delete cookies by doing this:
> Click Start >> Control Panel >> double-click Network and Internet Connections >> double-click Internet Options.
> On the IE Properties window you will see these tabs:
> General | Security | Privacy | Content | Connections | Programs | Advanced
> Under the General tab clear your History, Internet Files and Cookies.
> Then click on the Advanced tab and scroll down to the Browsing option:
> [&] Browsing
> [ ] Enable Third-Party browser extensions (Req Rest): uncheck this box.
> Then click on the Programs tab, click Manage Add-ons and disable all non-verified add-ons (you should re-enable them later one by one to find the culprit, and update it or remove it).
> How to manage add-ons:
> http://support.microsoft.com/kb/883256


OK, I have tried.

> Scan for malware from here:
> SuperAntispyware - Free
> http://www.superantispyware.com/supe...freevspro.html
> RootkitRevealer v1.71
> By Bryce Cogswell and Mark Russinovich
> http://www.microsoft.com/technet/sys...tRevealer.mspx


See the log file.

> Run a scan from here on-line:
> http://security.symantec.com/sscv6/d...d=ie&venid=sym
> http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
> Download Avast Cleaner (offline scanner) from here:
> http://www.avast.com/eng/avast-virus-cleaner.html
> Lots of tools to download and disinfect your machine (offline scanner):
> http://www.bitdefender.co.uk/site/Do...eeRemovalTool/


No viruses found.

> After the scan, run Disk Cleanup on your drive.
>
> 2. Download HijackThis and send the report to one of many forums for analysis and troubleshooting:
> http://www.merijn.org/index.php
> When all else fails, HijackThis v2.0.2 (http://www.trendsecure.com/portal/en...ols/hijackthis) is the preferred tool to use.
> It will help you to both identify and remove any hijackware/spyware. Post your log to http://aumha.net/viewforum.php?f=30, http://castlecops.com/forum67.html, http://forums.subratam.org/index.php?showforum=7, or other appropriate forums for expert analysis, not here.
> Download FixPolicies.exe to your Desktop:
> http://downloads.malwareremoval.com/...ixPolicies.exe
> Courtesy of Bill Castner - "Operation has been cancelled ... restrictions in effect":
> http://aumha.net/viewtopic.php?t=308...320db33e88a911



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.56.02, on 01/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Programmi\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Hewlett-Packard\Driver di stampa mobile HP\HPBMOBIL.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Programmi\FreePDF_XP\fpassist.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Roberto Di Marco\Dati applicazioni\U3\0000162443752A2A\LaunchPad.exe
C:\Programmi\HijackThis v 2.0.2\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HP TV Now] C:\Programmi\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK
O4 - HKLM\..\Run: [HP Display Settings] C:\Programmi\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Driver di stampa mobile HP] C:\Programmi\Hewlett-Packard\Driver di stampa mobile HP\HPBMOBIL.EXE
O4 - HKLM\..\Run: [HPPresentationReady] C:\Programmi\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programmi\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-538525854-2826650621-2974146706-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferito portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX Control) - http://www.samsungdp.com/printerhelp.../DrPrinter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96009FDC-2FD8-4BB5-85BF-0C162F9EB8FF}: NameServer = 151.99.125.1,151.99.125.2
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe

--
End of file - 5131 bytes

This is the log of RootkitRevealer:
HKLM\SECURITY\Policy\Secrets\SAC* 30/05/02 10.48 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 30/05/02 10.48 0 bytes Key name contains embedded nulls (*)

---------
Crisha


#4 | 01-13-2008, 02:04 AM | nass
Re: Group policy corrupt

Please, no HijackThis logs here; try sending the log to an Italian forum or one of the forums listed above.
Good luck.
HTH.
nass
---
http://www.nasstec.co.uk
#5 | 01-13-2008, 02:04 AM | Crisha
Re: Group policy corrupt

> Please, no HijackThis logs here; try sending the log to an Italian forum or one of the forums listed above.
> Good luck.
> HTH.
> nass
> ---
> http://www.nasstec.co.uk


You think I have a problem with malware? I have tried posting a message on an Italian newsgroup, but I have not yet solved the problem!
I think the problem isn't malware, but the system files of Group Policy.
I have tried the command: sfc /scannow
I have tried to replace the secedit.sdb file!


#6 | 01-13-2008, 02:04 AM | nass
Re: Group policy corrupt


Do you have this path created on your machine?
C:\windows\system32\GroupPolicy\User\Registry.pol


HOW TO Reset Security Settings Back to the Defaults:
http://support.microsoft.com/default...b;en-us;313222
Lift MMC/GPEDIT Snap-In Restrictions
http://www.kellys-korner-xp.com/regs_edits/mmc.reg

How to Identify a Damaged User Profile and Create a New Profile
http://support.microsoft.com/kb/811151
HTH.
nass

#7 | 01-13-2008, 02:04 AM | Crisha
Re: Group policy corrupt

> Do you have this path created on your machine?
> C:\windows\system32\GroupPolicy\User\Registry.pol


Yes, I have.

>
> HOW TO Reset Security Settings Back to the Defaults:
> http://support.microsoft.com/default...b;en-us;313222


I have tried it; I told you in my first post!

> Lift MMC/GPEDIT Snap-In Restrictions
> http://www.kellys-korner-xp.com/regs_edits/mmc.reg


I have tried, but there is no change!

> How to Identify a Damaged User Profile and Create a New Profile
> http://support.microsoft.com/kb/811151


I have tried with the Administrator user and I have tried with a new Administrators user! It isn't a profile problem. There is a problem in safe mode too.


#8 | 01-13-2008, 02:04 AM | nass
Re: Group policy corrupt



"Crisha" wrote:

> > Do you have this path created on your machine?
> > C:\windows\system32\GroupPolicy\User\Registry.pol

>
> Yes, I have


Rename Registry.pol to Registry.pol.old and reboot your machine. Do you notice any difference?

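Added example, not code from the thread or from any tool it names: a small Python parser for the Registry.pol file nass asks about, so an administrator can list which policy values the local GPO enforces (and which restriction flags are switched on) before renaming the file. It assumes the MS-GPREG record layout and replaces a real file with a constructed sample; NoNetSetup is used there as the kind of restriction that would explain a blocked TCP/IP settings dialog.

```python
# Added example, not from the thread: parse a local-GPO Registry.pol (the file at
# C:\windows\system32\GroupPolicy\User\Registry.pol named above) to list what it enforces.
# Layout per MS-GPREG: "PReg", version 1, then [key;value;type;size;data] records (UTF-16LE).
import struct

REG_SZ, REG_DWORD = 1, 4
TYPE_NAMES = {REG_SZ: "REG_SZ", REG_DWORD: "REG_DWORD"}

def _utf16z(text):  # null-terminated UTF-16LE string
    return text.encode("utf-16-le") + b"\x00\x00"

def build_entry(key, name, vtype, raw):  # one record; used here to build the sample
    sep = b";\x00"
    return (b"[\x00" + _utf16z(key) + sep + _utf16z(name) + sep + struct.pack("<I", vtype)
            + sep + struct.pack("<I", len(raw)) + sep + raw + b"]\x00")

def _expect(blob, pos, char):  # consume one UTF-16LE delimiter or fail
    if blob[pos:pos + 2] != char.encode("utf-16-le"):
        raise ValueError("expected %r at offset %d" % (char, pos))
    return pos + 2

def _read_utf16z(blob, pos):  # read a null-terminated UTF-16LE string -> (text, next offset)
    end = next((i for i in range(pos, len(blob), 2) if blob[i:i + 2] == b"\x00\x00"), None)
    if end is None:
        raise ValueError("unterminated string at offset %d" % pos)
    return blob[pos:end].decode("utf-16-le"), end + 2

def parse_registry_pol(blob):
    """Return [(key, value_name, type_name, decoded_data), ...] from a Registry.pol blob."""
    if blob[:4] != b"PReg" or struct.unpack("<I", blob[4:8])[0] != 1:
        raise ValueError("not a version-1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(blob):
        key, pos = _read_utf16z(blob, _expect(blob, pos, "["))
        name, pos = _read_utf16z(blob, _expect(blob, pos, ";"))
        pos = _expect(blob, pos, ";")
        vtype = struct.unpack("<I", blob[pos:pos + 4])[0]
        pos = _expect(blob, pos + 4, ";")
        size = struct.unpack("<I", blob[pos:pos + 4])[0]
        pos = _expect(blob, pos + 4, ";")
        raw, pos = blob[pos:pos + size], _expect(blob, pos + size, "]")
        if vtype == REG_DWORD and size == 4:
            data = struct.unpack("<I", raw)[0]
        else:  # REG_SZ is decoded; any other type is kept as raw bytes
            data = raw.decode("utf-16-le").rstrip("\x00") if vtype == REG_SZ else raw
        entries.append((key, name, TYPE_NAMES.get(vtype, str(vtype)), data))
    return entries

def active_restrictions(entries):  # REG_DWORD values set to 1 under a ...\Policies\... key
    return [n for k, n, t, d in entries if "\\Policies\\" in k and t == "REG_DWORD" and d == 1]

SAMPLE_POL = (b"PReg" + struct.pack("<I", 1)  # constructed sample, not a real capture
    + build_entry(r"Software\Microsoft\Windows\CurrentVersion\Policies\Network", "NoNetSetup",
                  REG_DWORD, struct.pack("<I", 1))
    + build_entry(r"Software\Policies\Example", "Note", REG_SZ, _utf16z("constructed")))
```

To inspect a real file, copy it off the machine and call parse_registry_pol(open(path, "rb").read()); an empty result or a parse error means the file itself is damaged rather than merely restrictive.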
#9 | 01-13-2008, 02:04 AM | Crisha
Re: Group policy corrupt

> Rename Registry.pol to Registry.pol.old and reboot your machine. Do you notice any difference?


No difference.
Thank you; now I will format the PC.

