Malware has restricted access to Control Panel - how to lift restrictions

This is an interesting problem.

Customer brought in a Dell 4600 running XP SP2 Home with Win Antivirus Pro 2007 on it, along with other goodies, viruses, spyware, adware.  I cleaned it, did a repair install, put in Webroot Spysweeper and Desktop Firewall and AVG antivirus.  I think I got most of it, but I still can't get to the control panel or the Display Properties (the malware took over the desktop with its warning message).

I've gone into the administrative userid in safe mode, but still, when I try to access the control panel or other major functions, I get: "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

This is covered by Microsoft here:
http://support.microsoft.com/kb/278839

But that doesn't work if every userid is locked out.  I can't get to the User Configurations to change the permissions.  How do we get out of this?

Thanks,
Al

Asked by Alan Silverman (Owner)
pwrBall commented:
Can you run gpedit.msc from the Run dialog box?

Maybe check the permissions on the c:\windows\system32\control.exe file, and make sure the permissions have not been modified. Admins should have full control, as well as the SYSTEM account.
cuziyq commented:
The virus has basically applied group policy settings in your registry.  Group policy is used by administrators in an Active Directory domain to lock peons out of sensitive areas of the operating system.  Although XP Home does not support being joined to a corporate domain, it will still recognize the GPO settings in the registry because XP Home is basically just a deliberately handicapped version of XP Pro.  The virus has taken advantage of this behavior.

Try to run gpedit.msc by going to Start -> Run.  If Windows complains that the file can't be found, see if you can obtain it from a clean XP Pro machine.  Hopefully, Microsoft didn't "break" the ability to use that tool in the Home version.

Once you get your hands on that file (assuming you can get it up and running), unset anything that has been set.  There are a bazillion policies in there, and most of them should say "Not Defined".  There is plenty of documentation on M$'s web site about GPO objects.  You're looking for the ones that restrict access to the display control panel and the like.

The virus has probably disabled registry editing too.
Alan Silverman (Owner, Author) commented:
I actually could get regedit to work.  I found this site and did what it said below.
Thanks to you both; your suggestions would have worked as well.
Al


http://www.dslreports.com/forum/r18901642-pro-This-operation-has-been-cancelled-due-to-restrictions

NoAddRemovePrograms
NoControlPanel

If your system is attached to a domain, your network administrator may have disabled the Add or Remove Programs applet. For standalone systems, follow the steps below to unlock the restrictions.

Click Start, Run and type Regedit.exe

Navigate to the following branches one by one:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

Delete the NoAddRemovePrograms value if present in the above locations.
Then, navigate to the following locations:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Delete the NoControlPanel value in the above locations.
Close Regedit.exe
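The registry procedure Al quoted above, and cuziyq's point that the malware is simply setting the same registry values that Group Policy would, can be turned into a repeatable audit. The script below is an added example, not code from the thread or from the dslreports page: it walks the Policies\Explorer, Policies\Uninstall and Policies\System keys under both HKCU and HKLM, lists any restriction values present, and removes them only when run with -Remove. The thread itself names only NoControlPanel and NoAddRemovePrograms; the other value names (NoRun, NoFolderOptions, DisableRegistryTools, DisableTaskMgr, NoDispCPL) are standard Windows policy values added here as an assumption about what similar malware typically sets, and the key paths are the documented per-user and per-machine policy locations. Run it from an elevated PowerShell prompt; it reads the registry directly, so it still works when regedit.exe itself has been disabled by DisableRegistryTools.

```powershell
# Added example (not from the original thread): audit, and optionally remove,
# the Group Policy registry values behind "This operation has been cancelled
# due to restrictions in effect on this computer".
# Usage:  .\Find-PolicyRestrictions.ps1            # report only
#         .\Find-PolicyRestrictions.ps1 -Remove    # report and delete
param(
    [switch]$Remove
)

# Policy subkeys (relative to the hive root) and the restriction values that
# each one can hold. Only NoControlPanel and NoAddRemovePrograms come from the
# thread; the remaining names are an assumption about related restrictions.
$policies = @{
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'  = @('NoControlPanel', 'NoRun', 'NoFolderOptions')
    'Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall' = @('NoAddRemovePrograms')
    'Software\Microsoft\Windows\CurrentVersion\Policies\System'    = @('DisableRegistryTools', 'DisableTaskMgr', 'NoDispCPL')
}

# Check both the per-user (HKCU) and per-machine (HKLM) policy locations,
# because the malware may have written either or both.
$hives = @('HKCU:', 'HKLM:')
$found = @()

foreach ($hive in $hives) {
    foreach ($subkey in $policies.Keys) {
        $path = Join-Path $hive $subkey
        if (-not (Test-Path -LiteralPath $path)) { continue }   # key absent: nothing set here
        $key = Get-Item -LiteralPath $path
        foreach ($name in $policies[$subkey]) {
            # GetValue returns $null when the value does not exist, so a non-null
            # result means the restriction is present regardless of its data.
            $data = $key.GetValue($name)
            if ($null -ne $data) {
                $found += New-Object PSObject -Property @{ Path = $path; Name = $name; Value = $data }
            }
        }
    }
}

if ($found.Count -eq 0) {
    Write-Output 'No restriction policy values found under HKCU or HKLM.'
    return
}

# Report what is set before touching anything.
$found | Format-Table Path, Name, Value -AutoSize

if ($Remove) {
    foreach ($item in $found) {
        Remove-ItemProperty -LiteralPath $item.Path -Name $item.Name -ErrorAction Stop
        Write-Output "Removed $($item.Name) from $($item.Path)"
    }
    Write-Output 'Log off and back on (or restart explorer.exe) so the shell re-reads the policies.'
}
```

Two practical caveats: Explorer reads these values at logon, so the restriction message can persist until you log off even after the values are gone; and if the values reappear after a reboot, the malware still has a persistence entry (a Run key, service or scheduled task) re-applying them, which means the cleanup is not finished.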
cuziyq commented:
Yep, that's exactly what GPO does to the registry.  You just took the long way around :-)