after that is: Explorer\ForceActiveDesktopOn
These registry keys correspond to group policies we use for students to limit their ability to change certain parts of the OS. I then went to the two domain controllers and ran DDS. I've attached both DDS logs below. RootRepeal will not run on either machine. It starts on the first DC but freezes, and it causes a blue screen on the second DC, so I have no logs from it. DDS1 is from the first DC and DDS2 is from the second. DDS2 is the machine that had the antivirus problem described earlier.
I noticed that I could clean the student computer with Malwarebytes and as long as I logged in as a member of any user group other than a student, it stayed clean. When I log in as a student, it is reinfected. I then deleted the group policy I was applying to students and tried again. Sure enough, no infection. I've scanned both DCs with several online scanners and none report anything abnormal (I know I'm not supposed to take a server online, but I'm desperate). Any help would be appreciated.