
Turn Off System Restore Disabled



#1 sjd

sjd

  • Members
  • 9 posts
  • Local time:05:03 AM

Posted 01 October 2010 - 12:56 PM

I just finished a virus scan to clean my computer and now want to Turn Off System Restore to clean out any lingering infection in old Restore Points.
Somehow the "Turn Off System Restore" option is not available "Disabled by Group Policy"-the checkbox cannot be highlighted.
I am also unable to RUN "gpedit.msc"-error message says can't find file.
Any help would be appreciated. Thanks



#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:09:03 AM

Posted 01 October 2010 - 12:58 PM

How did you verify that you are clean? Where did you get malware removal assistance?

#3 joseibarra

joseibarra

  • Members
  • 1,306 posts
  • Gender:Male
  • Location:Downstairs
  • Local time:04:03 AM

Posted 01 October 2010 - 04:56 PM

There is no gpedit.msc in XP Home (if that is what you have), but that does not prevent malware from adjusting those parts of the registry to turn off group policy features. All of the stuff you can do in Group Policy Editor are just registry settings anyway (there is a list!).

Unless you disabled these tools on purpose, the chances are good that your system has a malicious software infection. The malware knows what tools you are going to use to try and find and remove it, so the malware disables what you are most likely to use and keeps them from running.

These things could be Task Manager, Registry Editor, Command Prompt, System Restore. Sometimes the malware will disable them all.

Whatever malicious software tools you are currently using or have been using have failed to protect your system.

The malicious software will be happiest to fool you into thinking you need to do something drastic to fix your system - like use a System Restore Point, perform a system Repair or even reinstall XP from scratch. That is what it would like you to do, but such measures are not required.

You need to fix the immediate problem of the tools not working, then scan your system for malicious software when you are done.

No matter what kind of malicious software scanning tools you have already used, they are unlikely to fix this problem because they cannot tell if the changes to your system were on purpose (you or an Administrator did them) or from some malware, so the scanning tools will leave these things alone (this is usually a good thing).

Fix the Task Manager, Command Prompt, Registry Editor and System Restore all at once (whether they need fixing or not). The process is the same for XP Home and XP Pro.

These registry commands will remove the registry entries that are stopping the programs from opening. Even if the registry entries are not there, these commands are safe to run.

Before making any changes to your registry, back up the registry with this popular free tool:
http://www.snapfiles.com/get/erunt.html

Open notepad to create a new text file:

Click Start, Run and in the box enter:

notepad

Copy and paste the following lines of text in the Code box into the new notepad file.


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
[HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=-
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=-


Save the new text file with a .reg extension to your desktop with a name you can remember, something like:

enableit.reg

After saving the file, close notepad.

Locate the enableit.reg file on your desktop and double click it.

Alternatively, you can right click the enableit.reg file, choose Open With... and select the Registry Editor.

Respond in the affirmative to the question... are you sure you want to add the information to the registry?

You should then see a message that the information was successfully entered into the registry.

Depending on circumstances, your tools may work right away, but in order to prevent the "did you reboot your system?" question later, go ahead and reboot your system and then test.

Enabling the tools in this manner fixes only the symptom of the malicious software infection but does not fix the real problem (the infection) so you are not quite done yet - your system could still be infected.

Download, install, update and do a full scan with these free malware detection programs then troubleshoot any remaining issues.

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.


If the Registry Editor has also been disabled, you will not be able to run the registry changes to fix the rest of the problems, so you must first enable the Registry Editor from the Run command.

Click Start, Run and in the box enter (copy/paste would be safer) the following text:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0

Click OK and respond in the affirmative to the overwrite message.

Click Start, Run and in the box enter (copy/paste would be safer) the following text:

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0

Click OK and respond in the affirmative to the overwrite message.

Now that the Registry Editor is enabled, you can fix the rest of the things (Task Manager, System Restore, etc.).

Edited by joseibarra, 01 October 2010 - 08:23 PM.
Emphasis added ~ Hamluis.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#4 Gabrial

Gabrial

  • Members
  • 468 posts
  • Local time:04:03 AM

Posted 01 October 2010 - 10:44 PM

Hey great registry edit. Just so you know, I took all the registry modifications and created a batch file which does the same thing, deleting these group policy keys.

It removes the group policies from the machine, current user, and default user hives. That way if a new account is created it doesn't end up with group policies locking out something.

It makes it a little less risky, as the user only has to execute a batch file they download as an attachment instead of having to edit the registry by hand or create a .reg file that could have typos.

Anyways, here it is. Does anyone know how to turn off word wrap in bbcode? It messes up the copy and pasting of batch files. xD

@Echo off

REM Enable registry:
ECHO Y|REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools
ECHO Y|REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools
ECHO Y|REG delete HKU\.default\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools

REM Enable Task Manager:
ECHO Y|REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr
ECHO Y|REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr
ECHO Y|REG delete HKU\.default\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr

REM Enable Command Prompt:
ECHO Y|REG delete HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD
ECHO Y|REG delete HKLM\Software\Policies\Microsoft\Windows\System /v DisableCMD
ECHO Y|REG delete HKU\.default\Software\Policies\Microsoft\Windows\System /v DisableCMD

REM Enable System Restore:
ECHO Y|REG delete "HKCU\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR
ECHO Y|REG delete "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR
ECHO Y|REG delete "HKU\.default\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR

REM Enable Configure Button in System Restore:
ECHO Y|REG delete "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig
ECHO Y|REG delete "HKCU\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig
ECHO Y|REG delete "HKU\.default\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig

REM Force Ctrl-Alt-Del to logon to windows:
ECHO Y|REG add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DisableCAD /t REG_DWORD /d 0

So yeah, that's what it looks like. I'll attach a copy too. I added comments for clarity on what each registry key does.

Attached Files
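Both of the fixes in this thread (the enableit.reg file in post #3 and the batch file in post #4) ask the user to import registry changes from a file they did not write, and post #4 itself notes that such a file "could have typos". Before double-clicking one, a practitioner would want to confirm that it only deletes or resets the specific policy values the thread names and nothing else. The Python auditor below is an added example, not code from these posts or from BleepingComputer: it parses the "Windows Registry Editor Version 5.00" format that enableit.reg uses and checks every change against an allowlist of the lockout-undo values from posts #3 and #4. That allowlist, the RegOp/parse_reg/audit names, and both embedded sample files are assumptions constructed for this example; the first sample is the thread's own .reg content, the second is a constructed file that re-applies lockouts instead of removing them.

```python
# Added example for this thread, not code from the BleepingComputer posts: an auditor
# for the 'Windows Registry Editor Version 5.00' format that enableit.reg uses. It
# lists every value a file would delete or set and flags anything that is not one of
# the lockout-undo changes from posts #3 and #4 (that allowlist is an assumption).
import re
from dataclasses import dataclass

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")        # [Key] or [-Key] (whole-key delete)
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')   # "Name"=data or @=data
HIVES = ("HKEY_USERS\\.default", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")
POL_SYS = r"software\microsoft\windows\currentversion\policies\system"
SR = r"software\policies\microsoft\windows nt\systemrestore"
# (path below the hive, value name) -> (expected action, expected data), lower-cased.
EXPECTED = {
    (POL_SYS, "disabletaskmgr"): ("delete", None),
    (POL_SYS, "disableregistrytools"): ("delete", None),
    (r"software\policies\microsoft\windows\system", "disablecmd"): ("delete", None),
    (SR, "disablesr"): ("delete", None),
    (SR, "disableconfig"): ("delete", None),
    (r"software\microsoft\windows nt\currentversion\winlogon", "disablecad"): ("set", "dword:00000000"),
}

@dataclass
class RegOp:
    key: str
    name: object    # value name, or None for a whole-key delete
    action: str     # "delete", "set" or "delete_key"
    data: object    # raw data text for "set" (e.g. "dword:00000000"), else None

def parse_reg(text):
    # Expects decoded text (regedit exports are UTF-16 LE); hex(...) continuation lines raise.
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("missing .reg header")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = None if m.group(1) == "-" else m.group(2)
            if key is None:
                ops.append(RegOp(m.group(2), None, "delete_key", None))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unrecognised line: {raw!r}")
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2).strip()
        action = "delete" if data == "-" else "set"
        ops.append(RegOp(key, name, action, None if action == "delete" else data))
    return ops

def audit(ops):
    # One finding per operation that is not an expected lockout-undo change;
    # an empty list means the file does only what the thread describes.
    findings = []
    for op in ops:
        hive = next((h for h in HIVES if op.key.lower().startswith(h.lower() + "\\")), None)
        if op.action == "delete_key" or hive is None:
            findings.append(f"{op.action} on unexpected target {op.key}")
            continue
        rule = EXPECTED.get((op.key[len(hive) + 1:].lower(), op.name.lower()))
        seen = (op.action, op.data.lower() if op.data else None)
        if rule is None:
            findings.append(f"outside the allowlist: {op.key}\\{op.name}")
        elif seen != rule:
            findings.append(f"{op.key}\\{op.name}: {seen} instead of {rule}")
    return findings

# The thread's enableit.reg (blank lines and repeated key headers removed).
THREAD_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
[HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=-
"DisableSR"=-
"""
# Constructed counter-example: same header, but it re-applies lockouts instead.
LOCKOUT_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"""

if __name__ == "__main__":
    for label, text in (("enableit.reg", THREAD_REG), ("lockout.reg", LOCKOUT_REG)):
        print(label, audit(parse_reg(text)) or ["only the expected changes"])
```

Run it as a script and the thread's file reports only the expected changes, while the constructed lockout file produces two findings: DisableTaskMgr being set to 1 instead of deleted, and a value outside the allowlist. To check a real file, read it with the encoding it was saved in (regedit exports are UTF-16 LE; a file typed into Notepad as in post #3 is usually ANSI) and pass the text to parse_reg. The same allowlist applies to the REG delete/add lines in post #4's batch file, since they touch exactly the same keys and value names.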



#5 sjd

sjd
  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:03 AM

Posted 03 October 2010 - 05:20 PM

Many thanks for your reply.
As it happens, I have decided that my 7-year old Compaq running Windows XP is not worth salvaging anyway so I will be going to a Windows 7 machine.
I have saved your notes for future reference.
Thanks again.



