System restore has been turned off by group policy error

Hi guys,

I am really desperate, as I spent the last 5 hours on the net searching for
an answer and have used multiple removal tools for multiple worms and adaware
thingies.

My problem is that somehow I get this message when I try to do a system
restore. I tried editing the registry values of DisableSR etc., but they
tell me that the values cannot be stored, due to the fact that other
processes are using these values.

I have heard on multiple sites that this is a worm of some sort, but I need
to get rid of it asap. A side error that it is causing is that every time I try
to access this PC from a network PC, it gives me the error: ACCESS IS
DENIED. I have a feeling that both things are connected to each other.

Please please please help as I am going crazy here and DON'T want to do a
reinstall.

Thanks in advance,
Nabeel
 
Just a follow-up, here is my HijackThis log:

I also tried deleting the two registry keys in the System Restore folder
in the registry; still it said to me that they were in use by another process.

Logfile of HijackThis v1.99.1
Scan saved at 1:52:44, on 27-9-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AT&TGL~1\NETCFGSV.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wupdnmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\nabeel malik\Bureaublad\FxBropia.exe
C:\Documents and Settings\nabeel malik\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: Shell=Explorer.exe SCardSrv.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {f7d40011-29bb-43eb-9c97-875ce89e9e36} - (no file)
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {31032508-5443-11D2-8150-0060080BE220} (NATBrowser) - file://C:\DOCUME~1\NABEEL~1\LOCALS~1\Temp\NATBrowser.ocx
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {371A7A46-F599-11D3-B7BD-005004612419} (NATSystemInfo Control) - file://C:\DOCUME~1\NABEEL~1\LOCALS~1\Temp\NATSystemInfo.ocx
O16 - DPF: {426784E5-24B2-4708-820D-117342FAD009} (Cimporter Object) - http://hyves.nl/cab/outlookaddressbook.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120456167750
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/en/wowbeta/Si.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9D614E8E-03AA-11D3-90FC-0040C7157029} (PDMSInstallerCtl Class) - http://www.pakdata.com/download/PDMSInstaller.cab
O16 - DPF: {A792BC36-6B4E-11D3-97B1-00500460FA55} (NATGrid) - file://C:\DOCUME~1\NABEEL~1\LOCALS~1\Temp\NATGrid.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O16 - DPF: {CAAE28D1-ADCC-11D1-BD4D-004845401881} (Urdu98 Control) - http://www.pakdata.com/download/urduplugin.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4413/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NETCFGSV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
 
Nabeel said:
Just a follow-up, here is my HijackThis log:

I also tried deleting the two registry keys in the System Restore
folder in the registry; still it said to me that they were in use by
another process.

Logfile of HijackThis v1.99.1

(snip)

We ask that you not post HijackThis logs in the MS newsgroups. Analyzing
HJT logs takes a great deal of time and expertise and you will not get
the help you need here. Instead, register at one of the following links
(listed in no particular order) and post your HJT log there.

http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forums.subratam.org/index.php?showforum=7
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/

Malke
 
See the article below on the registry setting that disables access to System
Restore, and if you find the key while logged on as an administrator, try
changing the settings to 0 while booted into Safe Mode and rebooting. Also
try your malware detection and removal tools in Safe Mode. You may also want
to post in the microsoft.public.security.virus newsgroup, where it is best to
post such questions.

Steve

http://www.winguides.com/registry/display.php/1273/

System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
Value Name: DisableConfig, DisableSR
Data Type: REG_DWORD (DWORD Value)
Value Data: (1 = enable restriction)
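As an added example, not code from this thread, here is a PowerShell check (for a current Windows system, run from an elevated prompt) that reads the two policy values named in Steve's post and lists the permissions on the key that holds them. The key and value names are exactly the ones quoted above; the permissions listing is an assumption on my part, since a value an administrator cannot change or delete is worth inspecting for an altered ACL before anything else.

```powershell
# Added example: report the System Restore policy values and the key's ACL.
# Key and value names come from Steve's post; everything else is assumed.
$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'

function Get-SystemRestorePolicy {
    param([string]$Path = $keyPath)

    if (-not (Test-Path -Path $Path)) {
        Write-Output "Policy key not present: System Restore is not restricted by this key."
        return
    }

    $item = Get-ItemProperty -Path $Path
    foreach ($name in 'DisableSR', 'DisableConfig') {
        $value = $item.$name
        if ($null -eq $value) {
            Write-Output ("{0,-14} not set" -f $name)
        } else {
            # 1 = restriction enabled, per the article quoted above
            $state = if ($value -eq 1) { 'RESTRICTED' } else { 'not restricted' }
            Write-Output ("{0,-14} = {1} ({2})" -f $name, $value, $state)
        }
    }

    # Who owns the key and who may write to it. If Administrators lack
    # SetValue/Delete here, "cannot be stored" errors are an ACL problem,
    # not a locked value.
    $acl = Get-Acl -Path $Path
    Write-Output ("Owner: {0}" -f $acl.Owner)
    foreach ($ace in $acl.Access) {
        Write-Output ("{0,-6} {1,-40} {2}" -f $ace.AccessControlType,
                                              $ace.IdentityReference,
                                              $ace.RegistryRights)
    }
}

Get-SystemRestorePolicy
```

Setting both values to 0 (or removing the key) is what Steve's advice comes down to; the output above tells you first whether the account you are using is even permitted to do that.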
 
Dear all,

Sorry to have used HijackThis. Please consider that post not made.

Dear Steve L Umbach:

I already tried this, and what it basically tells me is that I can't make any
changes, nor am I allowed to delete (with the admin account) these two keys.

Maybe I should have been more specific; I actually have 3 problems (which
I believe are related to each other):

1. If I click with the right mouse button on any shortcut pointing towards a .exe
file somewhere in the system, explorer.exe crashes and restarts itself.
2. I cannot access my PC from the network (all of a sudden), and get the
error: ACCESS is denied.
3. This is the System Restore problem as explained in other posts. Believe
me, I have tried Safe Mode, I have tried multiple software solutions for
spyware/malware (ewido, Ad-Aware SE, Windows Defender) and antivirus such as
Trend Micro PC-cillin and McAfee anti-virus. All of them found nothing.

Sorry I was a bit desperate last night, so I made a very unorganised post.

I hope there is someone out there who can help.

And Steve, I will surely post this on the newsgroup you proposed, thanks a lot.

Nabeel

