Group policy grayed out, firewall off

MavMin · 12 Feb 2013

# AdwCleaner v2.112 - Logfile created 02/12/2013 at 20:44:41
# Updated 10/02/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
#
# Boot Mode : Normal
# Running from : C:\Users\\Downloads\AdwCleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\user.js
File Deleted : C:\Users\barronshultz\AppData\Roaming\Mozilla\Firefox\Profiles\sp8aj92j.default\searchplugins\zoneal arm.xml
Folder Deleted : C:\Users\Maverick\AppData\Local\Wajam
Folder Deleted : C:\Users\Maverick\AppData\LocalLow\AVG Secure Search

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Wajam
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{48C9C8B0-A546-46C1-A81F-47A31E623E9D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{22B0769F-794B-4422-AC84-47B123C8986D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{255E0B2A-D747-4EEF-B7CE-159D73A3656D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{28ED590D-F5ED-4E05-A87F-1D759F1C6169}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{45D5B93F-E2ED-4AF2-915E-DCDDBDA8C33C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{771B99AB-636F-4A11-9039-8DFEB927B061}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{A8321AA2-2227-40C7-8525-6C2F4E1B0EBE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AA41A731-6814-4A70-A6F1-C0A20FBBFBD5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{ABBB8A9E-D8AF-40D1-94BE-5175077465FC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{BF737694-56F6-46FA-9FDC-FA99A5B25FAD}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{CFCD164E-8AC9-478E-9ECC-B616A932016C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{D5961CC0-B442-4567-8030-67E241EF4CC2}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E450067F-1C93-41A7-928E-07E5C2EEC680}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{F977D9F2-4BDC-44A6-B508-7C0284C61EED}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{22B0769F-794B-4422-AC84-47B123C8986D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{255E0B2A-D747-4EEF-B7CE-159D73A3656D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{28ED590D-F5ED-4E05-A87F-1D759F1C6169}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{45D5B93F-E2ED-4AF2-915E-DCDDBDA8C33C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{771B99AB-636F-4A11-9039-8DFEB927B061}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A8321AA2-2227-40C7-8525-6C2F4E1B0EBE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AA41A731-6814-4A70-A6F1-C0A20FBBFBD5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ABBB8A9E-D8AF-40D1-94BE-5175077465FC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BF737694-56F6-46FA-9FDC-FA99A5B25FAD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CFCD164E-8AC9-478E-9ECC-B616A932016C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D5961CC0-B442-4567-8030-67E241EF4CC2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E450067F-1C93-41A7-928E-07E5C2EEC680}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F977D9F2-4BDC-44A6-B508-7C0284C61EED}
Key Deleted : HKLM\SOFTWARE\Software
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}]

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16438

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.2 (en-US)

File : C:\Users\barronshultz\AppData\Roaming\Mozilla\Firefox\Profiles\sp8aj92j.default\prefs.js

C:\Users\barronshultz\AppData\Roaming\Mozilla\Firefox\Profiles\sp8aj92j.default\user.js ... Deleted !

[OK] File is clean.

File : C:\Users\Maverick\AppData\Roaming\Mozilla\Firefox\Profiles\ersv8bnw.default\prefs.js

C:\Users\Maverick\AppData\Roaming\Mozilla\Firefox\Profiles\ersv8bnw.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");
Deleted : user_pref("extensions.wajam.affiliate_id", "5922");
Deleted : user_pref("extensions.wajam.firstrun", "false");
Deleted : user_pref("extensions.wajam.log_send_info", "false");
Deleted : user_pref("extensions.wajam.mappingListJsonString", "{\"version\":\"0.21083\",\"supported_sites\":{\[...]
Deleted : user_pref("extensions.wajam.no_trace", "false");
Deleted : user_pref("extensions.wajam.server_current_mapping_version", "0.21083");
Deleted : user_pref("extensions.wajam.trace_log", "1357168869415 - processInstallationUpgrade - version set to[...]
Deleted : user_pref("extensions.wajam.unique_id", "8BED31FCD2D862B015EB12E8C948DEB3");
Deleted : user_pref("extensions.wajam.user_current_mapping_version", "0");
Deleted : user_pref("extensions.wajam.version", "1.26");
Deleted : user_pref("extensions.wecarereminder.merchHash", "{\"AFFILIATES\":{\"1-Sale-A-Day\":{\"name\":\"1 Sa[...]
Deleted : user_pref("keyword.URL", "hxxp://isearch.avg.com/search?cid={A9292D11-29A7-4E58-87C0-CBC7E8BCDB4E}&m[...]

*************************

AdwCleaner[R1].txt - [6297 octets] - [12/02/2013 20:11:19]
AdwCleaner[R2].txt - [6357 octets] - [12/02/2013 20:39:00]
AdwCleaner[R3].txt - [6476 octets] - [12/02/2013 20:44:04]
AdwCleaner[S1].txt - [341 octets] - [12/02/2013 20:39:55]
AdwCleaner[S2].txt - [6765 octets] - [12/02/2013 20:44:41]

########## EOF - C:\AdwCleaner[S2].txt - [6825 octets] ##########

cottonball · 12 Feb 2013

Welcome back, MavMin!

Presuming that we are still working with the same problem.

The Event Viewer report is showing some gpsvc errors, failing to start, and timing out. However, it does not give much to work with.

Let's see if this helps...

Please download RKill:
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
Save to the Desktop.

If rkill.exe does not run, then download and try to run iExplore.exe (renamed RKill.exe):
Downloading RKill

You only need to get one of these to run.

If your antivirus warns you about this tool, ignore the warning, or temporarily disable your antivirus.

Right-click on the downloaded file and select: Run as Administrator
A black DOS box briefly flashes and then disappear. This is normal and indicates the tool ran successfully.

If rkill.exe does not run, delete the file, then download and use: iExplore.exe
http://www.bleepingcomputer.com/download/rkill/dl/11/

Do not reboot until instructed.

When the scan is done Notepad opens with the RKill report.

Please post the RKill report in your reply.

MavMin · 12 Feb 2013

Rkill 2.4.7 by Lawrence Abrams (Grinler)
Bleeping Computer - Technical Support and Computer Help
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
RKill - What it does and What it Doesn't - A brief introduction to the program - BleepingComputer.com

Program started at: 02/12/2013 09:58:51 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\windows\system32\ThpSrv.exe (PID: 2448) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* FontCache => %SystemRoot%\system32\svchost.exe -k LocalService [Incorrect ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* Cannot edit the HOSTS file.
* Permissions Fixed. Administrators can now edit the HOSTS file.

* HOSTS file entries found:

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 008k.com
127.0.0.1 00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 å…¨è®¯ç½‘,åšå½©ä¼˜æƒ ,çš‡å† æ*£ç½‘cr67com,çš‡å† æ¯”åˆ†,çš‡å† å³æ—¶æŒ‡æ•°,å¤ªé˜³åŸŽä»£ç†112scg,ttå¨±ä¹åŸŽ8bc8,ç½‘ä¸ŠçœŸé’±å¨±
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 ²©²ÊÍ¨,²©²ÊÍø,½ð±¦²©188,²©²ÊÍ¨ÆÀ¼¶,°Ù¼ÒÀÖ,°ÂÃî°Ù¼ÒÀÖ
127.0.0.1 100sexlinks.com - Sex links Resources and Information. This website is for sale!

20 out of 15319 HOSTS entries shown.
Please review HOSTS file for further entries.

Program finished at: 02/12/2013 09:59:12 PM
Execution time: 0 hours(s), 0 minute(s), and 20 seconds(s)

cottonball · 12 Feb 2013

After the AdwCleaner removals suggested by Jacee, did you check the Group Policy Client service?

Any change?

If you are still getting the Group Policy Client error, please use the info in this tutorial to post a screenshot of it:
https://www.sevenforums.com/tutorials/9733-screenshots-files-upload-post-seven-forums.html

It would be a good idea to see exactly what you are getting, before proceeding.

MavMin · 12 Feb 2013

Yes, I did use delete.

MavMin · 12 Feb 2013

The screen goes off too quickly to get a screen shot. This is during start up. It says that Windows cannot access the group policy client so no standard users can log on. Every user has to be an administrator. I don't try to access it. Windows cannot get to it at startup. RKill did terminate a service and make some changes, but the same message comes up.

MavMin · 12 Feb 2013

IE explore terminated this service again. C:\windows\system32\ThpSrv.exe (PID: 3020) [WD-HEUR] but it appears to keep returning.

cottonball · 12 Feb 2013

Group policy grayed out, firewall off-gpsvc-capture.png

This is what my gpsvc looks like.
Service Status: Started

However, the Start, Stop, Pause, and Resume buttons are grayed out.

Please post an image of the of the Group Policy Client Properties of your system.

cottonball · 13 Feb 2013

Also, let's do some searching for the gpsvc key in the Registry...

Please download SystemLook:
64-bit:
http://jpshortstuff.247fixes.com/SystemLook_x64.exe
Save to your Desktop.

Right-click on SystemLook.exe, and select: Run As Administrator

At the SystemLook program console, copy the content inside the following quote box into the main textfield (do not include the word Quote):

:reg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\gpsvc

Click the Look button to start the scan.
When finished, a notepad window opens with the results of the scan.

Please post the SystemLook.txt (found on the Desktop) in your reply.

cottonball · 13 Feb 2013

Thpsrv.exe:

A Hard Disk Drive Protection Service belonging to TOSHIBA HDD Protection. This process, with the help of a built-in sensor, detects a sudden movement or a vibration of a laptop and it parks the hard disk head in a safe position. This prevents mechanical damage to the hard disk that may be caused by the head to disk contact.

This one is out of my ball park.

The Event Viewer report for this machine has so many issues...have no clue where we will end with all this.

Group policy grayed out, firewall off

AWD