system restore disabled by group policy

Discussion in 'Software' started by Rodent, Jun 2, 2011.

  1. Rodent

    Rodent Private E-2

    Hi, I have an outstanding virus fix with bleepingcomputer, I believe it was a rootkit google redirect. I am happy to wait for that but I have a couple of other issues which may not be related and am seeking advice.

    I ran TDSSKiller, which found and removed a virus, I think TDL4, and then I ran
    Superantispyware, which found some things and removed them, ran malwarebytes too.

    I have not run combofix ever.

    In trying to clean up system restore I found it said "disabled by group policy"

    I have Win XP SP2, which doesn't have the Group Policy Editor. I don't remember doing anything to disable System Restore, and use it for a new restore point when making any changes.

    I also have some stuff in the event logs under SYSTEM "TCP has reached the security limit imposed on the number of concurrent connection attempts" and APPLICATION for an msi installer failure for which I posted a picture.

    Is this likely to be virus related?

    Any advice appreciated. Sorry for the long post.
    Thanks
     

    Attached Files:

    Last edited: Jun 2, 2011
  2. thisisu

    thisisu Malware Consultant

    when you have a serious infection like TDL4/TDL3, a lot of the time, the rootkit itself is actually gone, but it left behind one or more problems with your computer.

    there is one thing i'd like you to try though:

    1. Click Start, Run and type regedit.exe and press Enter

    2. Navigate to the following key:

    HKEY_LOCAL_MACHINE \ Software \ Policies \ Microsoft \ Windows NT \ SystemRestore

    In the right-pane:

    * Delete the value DisableConfig
    * Delete the value DisableSR

    3. Exit the Registry Editor.

    In Windows XP Professional, you can accomplish the above using Group Policy Editor as well.

    1. Click Start, Run and type GPEDIT.MSC

    2. Navigate to this path:

    -> Computer Configuration
    --> Administrative Templates
    ---> System
    ----> System Restore

    3. Set Turn off System Restore to Not Configured

    4. Set Turn off Configuration to Not Configured

    More Information

    Turn off System Restore corresponds to the DisableSR registry value. With this Policy turned ON, the System Restore tab may be missing in My Computer Properties. Also, when you run System Restore (rstrui.exe), you receive this message:

    System Restore has been turned off by group policy. To turn on System Restore, contact your domain Administrator.

    Turn off Configuration corresponds to DisableConfig registry value. With this Policy turned ON, the System Restore tab will remain displayed but the user cannot configure the SR options. It reads disabled by Group Policy.
    http://windowsxp.mvps.org/srpolicy.htm


    Or perhaps you can review this
    Control of System Restore function has been disabled by "Group Policy".
    How do I regain control? Go to Start > Run, key in gpedit.msc and hit ENTER. Under Computer
    Configuration, expand Administrative Templates, expand System, then click on
    the System Restore folder. In the right-hand pane, double-click on Turn off
    Configuration and, under the Setting tab, click in the radio button beside
    Not Configured. Click on Apply then OK.

    Please visit the following Microsoft Knowledge Base website
    and review the topic titled: "Method 1: Use Group Policy".

    How to Disable the System Restore Configuration User Interface
    http://windowsxp.mvps.org/srpolicy.htm

    Note: You must be an administrator or owner, or have administrative
    privileges to perform this task.

    Undo the changes using Group Policy Editor (Gpedit.msc)

    -or-

    Open Registry Editor and navigate to:

    HKEY LOCAL MACHINE\SOFTWARE\Policies\Microsoft\Wind… NT\SystemRestore

    In the right-pane, delete the value "DisableConfig".
    Close Registry Editor
    Close and re-open the System Restore properties page.


    Note: Group Policy Editor is only available in XP Professional (according to http://www.pcreview.co.uk/forums/thread-515648.php)
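
The registry steps from the reply above, written as a Windows command script (an added example, not part of the original posts). It backs up the policy key before touching it, then reports and deletes DisableSR and DisableConfig if they are present. The backup file name is an assumption, and the script must be run from an administrator account.

```bat
@echo off
setlocal
rem Added example: clear the System Restore policy values named in the post.
set "KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
rem Backup location is an assumption; change it as needed.
set "BACKUP=%TEMP%\SystemRestore-policy-backup.reg"

rem If the key does not exist, no System Restore policy is applied at all.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo Policy key not present. System Restore is not restricted by policy.
    goto :eof
)

rem Export the key first so the change can be undone with "reg import".
if exist "%BACKUP%" del "%BACKUP%"
reg export "%KEY%" "%BACKUP%" >nul 2>&1
if errorlevel 1 (
    echo Could not back up the key. Nothing was changed.
    exit /b 1
)
echo Backup written to %BACKUP%

rem DisableSR turns System Restore off; DisableConfig locks its settings tab.
for %%V in (DisableSR DisableConfig) do call :clear %%V
echo Close and re-open the System Restore properties page to see the result.
goto :eof

:clear
rem %1 is the value name; skip it if it is not set under the key.
reg query "%KEY%" /v %1 >nul 2>&1
if errorlevel 1 (
    echo %1 is not set
    goto :eof
)
reg delete "%KEY%" /v %1 /f >nul 2>&1
if errorlevel 1 (echo %1 could not be deleted) else (echo %1 deleted)
goto :eof
```

If the values reappear after a reboot, something is still writing them, which on a machine that had TDL4 is a reason to keep treating it as infected.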
     
  3. Rodent

    Rodent Private E-2

    ok, thanks

    I only had the value DisableConfig so I deleted it.
    System restore is now showing, but I will leave it off for now until I am sure I am virus free.
     
  4. thisisu

    thisisu Malware Consultant

    ok, good luck :)
     
