Group policy grayed out, firewall off

MavMin

Working on my son's laptop and it had some sort of virus and now group policy is not accessible, cannot turn on firewall nor update the virus software from MS. Looked at several solutions and none work. What is the skinny on what caused it and how do I fix? Thanks!
 

My Computer

OS
Windows 7 Home Premium 64bit
Do you remember the name of the virus?

D/L & make Windows Defender Offline on another PC that's clean & run it on the infected machine.

http://www.sevenforums.com/tutorials/166445-windows-defender-offline.html?filter

You can manually d/l the definitions for MSE here:

Install the latest Microsoft Security Essentials definition updates - Get the latest definitions - Microsoft Malware Protection Center

Another tool you could run is MS Safety Scanner

Microsoft Safety Scanner - Antivirus | Remove Spyware, Malware, Viruses Free
 

Did not try the Defender, but the other two options showed that there was not any virus but the gray is still there and I cannot turn on the firewall. I tried to load Zone Alarm and that shut the Internet down completely with a basic load. I think one was called something like Im Yahoo and I forget the other one. Very exasperating!
 

First, completely uninstall ZoneAlarm: How to Completely Uninstall Zonealarm Free Firewall: 12 steps

Type services.msc in the start search box, click on the 'services' icon ... scroll down to Windows Firewall, right click> choose Properties> in the dropdown bar, set it to Automatic, then click start.

Next, I'd like you to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the [esetOnline.png] button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [esetAcceptTerms.png]
  5. Click the [esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [esetScanArchives.png]
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push [esetListThreats.png]
  11. Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the [esetBack.png] button.
  13. Push [esetFinish.png]
 

Just updated my IOBIT malware fighter and it found FunMoods and Babylon Toolbar and cleaned them. Will reboot and see what happens.
 

MavMin,

You will more than likely have damage caused by the virus. It would help if you knew what the virus was.


Please do the following to see if something needs fixing:

Download: Farbar Service Scanner


Save to the Desktop
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press: Scan
  • FSS creates a log, FSS.txt, on the Desktop.
Please provide the FSS.txt in your reply.
 

By any chance, are you using an Internet security suite? If so, which one?

The reason for asking is that it may not be compatible with the Windows Action Center, and the program may have disabled the firewall.

Not knowing any more specifics, malware damage is probably the cause, though.
 

Service Check

Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
 

Thank you for the info, MavMin.

You are working on your son's laptop, and I am not sure whether it is Windows 7, or what it is.
Don't know if the info that shows under your name is your computer, or your son's.

Can you please post the heading for FSS, and xxx out any personal info/name, if you like. It provides some details that are important.
Example (from mine):

Farbar Service Scanner Version: 16-01-2013
Ran by xxxxx (administrator) on 17-01-2013 at 16:30:31
Running from "C:\Users\xxxxx\Desktop"
Windows 7 Home Premium (X64)
Boot Mode: Normal

Just want to make sure I post the right fix for your son's system


Thanks!
 

The FarBar was run on my son's PC so that info is correct. I also have a Toshiba with the same specs.
 

Since we are making some significant changes, please create new Restore Point before proceeding, per instructions following:

Windows Seven:
http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/

Next, download Seven.zip:
http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/

To unzip the file, right-click and select: Extract all

There are several files inside the folder...

Double click on MpsSvc.reg file, and confirm the prompt.
Double click on bfe.reg file, and confirm the prompt.
Double click on windefend.reg file, and confirm the prompt.

Restart computer.

Please run Farbar Service Scanner once again, and post the entire log.
 

Farbar Service Scanner Version: 16-01-2013

Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
 

All said they were added to the registry, but nothing changed. ;-(
 

Please open the Run prompt (Windows key + R) and type: regedit
Click: OK
The Registry Editor opens...

Navigate to the following Registry key by clicking on the > to the left of each item:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE

Right click on BFE and select: Permissions

Click on Add, and type: Everyone
Click: OK

Now Click on: Everyone

In Permission for Users, select Full Control in the Allow box, and click: OK


Do the same as above for the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc


Go back to Start > Run (Windows key + R), type cmd and click: OK

In the Open area, type:
net start mpssvc
Press: Enter

Next, type:
net start bfe
Press: Enter

Please run and post new FSS log.
 

Here is an alternative, if the above does not work...
 
Please download: Windows Repair (All In One)
Save to the Desktop

Right-click the tweaking.com program icon on the Desktop, and select 'Run as Administrator'
Click: Next at the Setup, and follow the prompts.


At the program's console...

Go to the Step 4 tab, and, under System Restore click on: Create

Wait for the Restore Point to be created. Press: Next



Go to the Start Repairs tab, and click: Start




In the next prompt, press: Unselect all
(The items seen in the image below are checked by default, and you do not want all of them.)








Under Repair Options (on the left side) only check/select:
Register System Files
Repair WMI
Repair Windows Firewall.
Remove Policies Set by Infection


On the right side, check: Restart/Shutdown system when finished
Press: Start

 
After restarting the computer, please run: Farbar Service Scanner once again.
Check all the options.
Press: Scan

Please provide the new Farbar Service Scan report in your reply.
 

Unfortunately, the net start commands resulted in access denied. Running Tweaking now. Thanks for everyone's help. This is very exasperating!
 

The Repair Windows Firewall option should restore the Registry keys for the BFE and MPSSVC services, as well as the Shared Access service.

Let's hope it works.

If not, still have another approach we can try.
 

Still the group policy error!

Farbar Service Scanner Version: 16-01-2013
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\windows\system32\wuaueng.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
 

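Added example (not part of the thread and not Farbar's code): a small Python parser that extracts the findings from Farbar Service Scanner logs like those posted above and diffs two scans, so it is clear which problems a repair step cleared and which persist. The log excerpts are abridged from the first and last logs in this thread; the function and variable names are this example's own.

```python
import re

# Patterns follow the wording of the Farbar Service Scanner logs posted above.
STOPPED = re.compile(r"^(\S+) Service is not running")
START = re.compile(r"^The start type of (\S+) service is set to (\w+)\. "
                   r"The default start type is (\w+)\.")
REG_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VAL = re.compile(r'^"([^"]+)"=\w+:(\S+)$')

def parse_fss(text):
    """Return the set of findings in one FSS log as comparable tuples."""
    findings, key = set(), None
    for line in map(str.strip, text.splitlines()):
        if m := STOPPED.match(line):
            findings.add(("stopped", m.group(1).lower()))
        elif m := START.match(line):
            findings.add(("start_type", m.group(1).lower(), m.group(2)))
        elif m := REG_KEY.match(line):
            key = m.group(1)              # policy values belong to this key
        elif key and (m := REG_VAL.match(line)):
            findings.add(("policy", key, m.group(1), m.group(2)))
        elif not line:
            key = None                    # a blank line ends the key's block
    return findings

def compare(before, after):
    """Diff two scans: what cleared, what appeared, what is still there."""
    b, a = parse_fss(before), parse_fss(after)
    return {"resolved": sorted(b - a), "new": sorted(a - b),
            "persisting": sorted(a & b)}

# Abridged from the first and last logs in this thread.
FIRST_LOG = r"""
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
bfe Service is not running. Checking service configuration:
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
"""
LAST_LOG = r"""
wuauserv Service is not running. Checking service configuration:
BITS Service is not running. Checking service configuration:
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
"""

if __name__ == "__main__":
    for status, items in compare(FIRST_LOG, LAST_LOG).items():
        print(status, items)
```

On the thread's logs, the MpsSvc and bfe entries drop out of the report after the repair, while the `DisableAntiSpyware` policy value and the stopped WinDefend service remain and wuauserv and BITS appear as newly stopped.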