4ubest
Restore Points Being Deleted!

Something is happening... Constantly all my restore points, INCLUDING those that I set myself, are being deleted when my computer reboots.. I have Windows XP SP2 and use SuperAntiSpyware resident and VIPRE. I also have other anti-spyware. SuperAntiSpyware support said it does NOT do this. Please help me resolve the problem that is causing my restore points to go.

Computer dealer said that the hard drive or a virus are possibilities, but I am coming out clean with VIPRE and SAS.. so....

flubbster

Check the available disk space. XP will delete the restore points if the drive is running out of space.

Also check the settings in the Disk Cleanup utility. It has a check box for deleting restore points. Make sure it is not selected.
4ubest

ASKER

Plenty of space, so that is not an issue.. In the Disk Cleanup utility I cannot see where the check box for deleting restore points is, as it always asks me if I want to..
SOLUTION
flubbster

This solution is only available to members.
4ubest

ASKER

Thanks, but none of these apply except Uninstall IS components, but I never had that problem before since 2002, so I did not choose that option..
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Incidentally, have you tried deleting all restore points, which will automatically include viruses that may be backed up there? Then turn System Restore on again and create a new restore point:
http://www.pchell.com/virus/systemrestore.shtml

This previous question may help, although MS KB309531 appears unavailable at this time:
"System Restore cannot successfully restore to a point":
https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q__23205649.html

Further help:
http://wiki.answers.com/Q/How_do_you_delete_the_virus_on_C_System_Volume_Information_restore_EXE

If still unresolved, you may find appropriate information in this link:
About System Restore:
http://www.pcug.org.au/16bits(catalogue)/16b2006/PCUG16b200603/system_restore.htm
4ubest

ASKER

Hi, I also have Malwarebytes, and that too was clean on the latest quick scan. I ran Trend AV free and it found nothing.. As far as deleting all the restore points, that was done automatically for me except for the last time, which could have viruses in it, although I have not had a virus since the computer was rebuilt in Jan. Perhaps there is one that VIPRE and others are not detecting???
>Perhaps there is one that VIPRE and others are not detecting ?<
It's quite possible, because there is no one virus scanner that can guarantee detecting and removing every known infection.
Another possibility, although probably less likely, is a rootkit.
4ubest

ASKER

I also ran BitDefender Free a while back, but it too found nothing, so I will try that as well, but first Kaspersky..
4ubest

ASKER

Using the Kaspersky critical area scan, it found... mejiyolo.dll.tmp. How is it removed? I am now scanning the rest of C..
SOLUTION
This solution is only available to members.
4ubest

ASKER

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:22 PM, on 2/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
Y:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TechSmith\Jing\Jing.exe
Y:\Program Files\Innovative Solutions\Advanced Uninstaller PRO - Version 9\monitor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
G:\EUDORA~1.0\Eudora.exe
Y:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\PPKent\Desktop\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\~~ahijackthis\HiJackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - Y:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - Y:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - Y:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "Y:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] Y:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "Y:\Program Files\Innovative Solutions\Advanced Uninstaller PRO - Version 9\monitor.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] Y:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Y:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Y:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} (iolo.ProductDetector) - http://www.iolo.com/app/ocx/UpgradeVerify.cab
O20 - Winlogon Notify: !SASWinLogon - Y:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
 
--
End of file - 8822 bytes

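A triage pass over lines in the HijackThis format shown above, as an added example that is not code from the thread or from HijackThis itself: it parses each `Rn`/`On` entry, pulls out the file, command or URL the entry points at, and flags the kinds of entries a reviewer looks at first (browser search settings pointing at a host outside the expected baseline, URL search hooks, autoruns started by bare name, from outside Program Files/Windows, or from a Temp directory, ActiveX downloads, Winlogon notify DLLs, services with no recorded owner). The sample lines are copied from the logs posted in this thread, except the `[dotNetInstallerBoot]` line, which is constructed from the ComboFix "ORPHANS REMOVED" entry to exercise the temp-directory rule; the expected-hosts set and the trusted-directory pattern are analyst-supplied assumptions, not anything HijackThis defines.

```python
"""Triage helper for HijackThis v2 log lines (added example; not part of HijackThis)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample input: lines copied from the thread's HijackThis log, plus one
# O4 line built from the ComboFix orphans entry (c:\docume~1\...\Temp\RarSFX0\Ignite_Home.exe).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [dotNetInstallerBoot] c:\docume~1\PPKent\LOCALS~1\Temp\RarSFX0\Ignite_Home.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O20 - Winlogon Notify: !SASWinLogon - Y:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Assumption: software on this machine normally lives under Program Files or Windows on any drive.
TRUSTED_DIR_RE = re.compile(r"^[A-Za-z]:\\(?:program files|progra~1|windows)\\", re.I)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)
# First token of an O4 command: a quoted path, or everything up to the first executable extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|bat|cmd))(?=\s|$)', re.I)
# Assumption: analyst-supplied baseline of hosts expected in the browser start/search settings.
EXPECTED_HOSTS = {"google.com", "yahoo.com", "go.microsoft.com"}


@dataclass
class Entry:
    section: str   # R0/R1/R3/O2/O4/... as printed by HijackThis
    body: str      # everything after "Rn - " / "On - "
    target: str    # the file, command or URL the entry points at
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into section and target; non-entry lines return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":                              # "HKLM\..\Run: [name] command"
        target = body.split("] ", 1)[1] if "] " in body else body
    elif section.startswith("R") and " = " in body:  # "key,value = url"
        target = body.split(" = ", 1)[1]
    else:                                            # "... - {CLSID} - path", "... - vendor - path", "... - url"
        target = body.rsplit(" - ", 1)[1] if " - " in body else body
    return Entry(section, body, target.strip())


def executable_of(command: str) -> str:
    """Return the program an O4 command line starts, without its arguments."""
    m = EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command


def triage(entry: Entry, expected_hosts=EXPECTED_HOSTS) -> Entry:
    """Attach review flags to an entry; a flag is a prompt to verify, not a verdict."""
    s, t, flags = entry.section, entry.target, entry.flags
    if s == "R3":
        flags.append("URLSearchHook: handles address-bar searches; confirm it is wanted")
    elif s.startswith("R"):
        host = urlparse(t).hostname
        if host and host.lower() not in expected_hosts:
            flags.append(f"browser setting points at unexpected host {host}")
    if s == "O16":
        flags.append("ActiveX control downloaded from the web; confirm it was installed deliberately")
    if s == "O20":
        flags.append("DLL loaded into winlogon.exe; verify publisher and file")
    if s == "O23" and "Unknown owner" in entry.body:
        flags.append("service with no publisher recorded")
    path = executable_of(t) if s == "O4" else t
    if s == "O4" and "\\" not in path:
        flags.append(f"started by bare name '{path}', resolved via PATH at run time")
    elif DRIVE_PATH_RE.match(path):
        if not TRUSTED_DIR_RE.match(path):
            flags.append("file outside Program Files / Windows")
        if TEMP_DIR_RE.search(path):
            flags.append("file runs from a temporary directory")
    return entry


def triage_log(text: str) -> List[Entry]:
    return [triage(e) for e in (parse_line(ln) for ln in text.splitlines()) if e]


def flagged_entries(text: str) -> List[Entry]:
    return [e for e in triage_log(text) if e.flags]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.section}: {e.target}")
        for f in e.flags:
            print(f"    - {f}")
```

Run on the sample, 7 of the 11 entries are flagged. Several of them are legitimate (the SUPERAntiSpyware Winlogon DLL, the NVIDIA service with no recorded owner), which is the point of the design: the script narrows a long log to the entries whose file and publisher are worth checking by hand, and never decides on its own that something is malicious.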

4ubest

ASKER

ComboFix log
ComboFix 09-02-21.01 - PPKent 2009-02-23 20:25:31.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.3583.2986 [GMT -5:00]
Running from: c:\documents and settings\PPKent\Desktop\ComboFix.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated)
FW: ActiveArmor Firewall *enabled*
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
c:\windows\wiaserviv.log
O:\D.COM
R:\D.COM
 
----- BITS: Possible infected sites -----
 
hxxp://www.hhdsoftware.com
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
-------\Service_seneka
 
 
(((((((((((((((((((((((((   Files Created from 2009-01-24 to 2009-02-24  )))))))))))))))))))))))))))))))
.
 
2009-02-23 20:04 . 2009-02-23 20:04	<DIR>	d--------	C:\!!hijackthis
2009-02-23 09:17 . 2009-02-23 09:17	<DIR>	d--------	c:\windows\0E6ED660498C42F79EF4FB0C96DFC01A.TMP
2009-02-20 08:36 . 2009-02-20 08:42	6,790,436,864	--a------	C:\022009eudoraDrive G and MCI Flat Drive Y newer.bkf
2009-02-16 11:28 . 2009-02-18 09:05	<DIR>	d--------	c:\program files\K-Lite Codec Pack
2009-02-16 11:28 . 2002-07-07 17:14	1,294,336	--a------	c:\windows\system32\vorbis.acm
2009-02-16 11:28 . 2008-09-24 13:41	839,680	--a------	c:\windows\system32\lameACM.acm
2009-02-16 11:28 . 2001-02-24 20:19	287,744	--a------	c:\windows\system32\divxa32.acm
2009-02-16 11:28 . 2006-10-18 13:05	232,448	--a------	c:\windows\system32\mp3fhg.acm
2009-02-16 11:28 . 2007-09-20 19:52	118,784	--a------	c:\windows\system32\ac3acm.acm
2009-02-16 11:28 . 2008-10-03 07:30	414	--a------	c:\windows\system32\lame_acm.xml
2009-02-16 10:59 . 2009-02-16 10:59	<DIR>	d--------	c:\program files\AVS4YOU
2009-02-16 10:59 . 2009-02-16 10:59	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\AVS4YOU
2009-02-16 10:59 . 2009-02-16 10:59	<DIR>	d--------	c:\documents and settings\All Users\Application Data\AVS4YOU
2009-02-16 10:58 . 2009-02-16 10:59	<DIR>	d--------	c:\program files\Common Files\AVSMedia
2009-02-16 10:58 . 2002-01-05 15:48	974,848	--a------	c:\windows\system32\mfc70.dll
2009-02-16 10:58 . 2002-01-05 14:40	487,424	--a------	c:\windows\system32\msvcp70.dll
2009-02-16 10:58 . 2002-01-05 02:37	344,064	--a------	c:\windows\system32\msvcr70.dll
2009-02-16 10:58 . 2003-05-21 12:50	24,576	--a------	c:\windows\system32\msxml3a.dll
2009-02-13 17:47 . 2009-02-13 17:47	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\InstallShield Installation Information
2009-02-13 17:08 . 2009-02-13 17:08	<DIR>	d--------	c:\windows\system32\AGEIA
2009-02-13 17:08 . 2009-02-13 17:08	<DIR>	d--------	c:\program files\AGEIA Technologies
2009-02-13 14:44 . 2009-02-13 14:45	<DIR>	d--------	C:\021309apyramdair
2009-02-13 13:00 . 2009-02-13 13:00	<DIR>	d--------	c:\program files\DIFX
2009-02-13 12:50 . 2009-02-13 12:50	<DIR>	d--------	c:\documents and settings\All Users\Application Data\nView_Profiles
2009-02-13 12:49 . 2009-02-13 12:49	<DIR>	d--------	c:\documents and settings\All Users\Application Data\NVIDIA
2009-02-10 09:44 . 2009-02-10 09:44	<DIR>	d--------	c:\program files\AskSearch
2009-02-03 14:59 . 2009-02-03 14:59	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\Scooter Software
2009-02-03 09:31 . 2009-02-03 09:31	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\Ulead Systems
2009-02-03 09:29 . 2009-02-03 09:30	<DIR>	d--------	c:\program files\Common Files\Ulead Systems
2009-02-03 09:29 . 2009-02-03 09:30	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Ulead Systems
2009-02-03 09:25 . 2009-02-03 09:25	<DIR>	d--------	c:\windows\Downloaded Installations
2009-02-02 07:24 . 2009-02-08 07:48	3,452	--ahs----	c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-02-02 07:24 . 2009-02-08 07:48	88	-r-hs----	c:\documents and settings\All Users\Application Data\1F80204B4F.sys
2009-02-02 07:23 . 2009-02-02 07:23	<DIR>	d--------	c:\program files\Common Files\Protexis
2009-02-02 07:23 . 2009-02-02 07:23	<DIR>	d--------	c:\program files\Common Files\Corel
2009-02-02 07:23 . 2009-02-02 07:24	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\Corel
2009-02-02 07:23 . 2009-02-02 07:23	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Corel
2009-02-02 07:21 . 2009-02-02 07:21	<DIR>	d--------	c:\program files\Corel
2009-02-02 07:11 . 2009-02-02 07:11	51,124	--ah-----	c:\windows\system32\mlfcache.dat
2009-02-01 14:14 . 2009-02-01 14:14	<DIR>	d--------	c:\program files\Apple Software Update
2009-02-01 14:14 . 2009-02-01 14:14	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Apple
2009-01-30 09:55 . 2009-01-30 09:55	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\DeskView
2009-01-29 11:11 . 2009-01-29 11:11	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\NCH Software
2009-01-29 11:09 . 2009-01-29 11:11	<DIR>	d--------	c:\program files\NCH Software
2009-01-29 11:09 . 2009-01-29 11:09	<DIR>	d--------	c:\documents and settings\All Users\Application Data\NCH Software
2009-01-27 11:46 . 2009-01-28 05:39	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\Nvu
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 14:02	---------	d-----w	c:\program files\Common Files\Wise Installation Wizard
2009-02-11 15:19	38,496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19	15,504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-02-10 01:28	---------	d-----w	c:\program files\TC Web Conferencing
2009-02-05 14:13	---------	d-----w	c:\documents and settings\PPKent\Application Data\Key Metric Software
2009-02-03 14:30	---------	d--h--w	c:\program files\InstallShield Installation Information
2009-02-01 19:14	---------	d-----w	c:\documents and settings\PPKent\Application Data\Apple Computer
2009-01-25 01:32	---------	d-----w	c:\documents and settings\PPKent\Application Data\ZoomBrowser EX
2009-01-20 18:04	---------	d-----w	c:\program files\Raxco
2009-01-20 18:04	---------	d-----w	c:\documents and settings\All Users\Application Data\Raxco
2009-01-18 13:10	---------	d-----w	c:\documents and settings\PPKent\Application Data\Desktopicon
2009-01-17 00:12	---------	d-----w	c:\program files\Hunting Unlimited 2009
2009-01-17 00:12	---------	d-----w	c:\documents and settings\All Users\Application Data\Trymedia
2009-01-17 00:03	---------	d-----w	c:\program files\Gigabyte
2009-01-15 12:42	516,096	----a-w	c:\windows\iwexec.exe
2009-01-15 01:11	---------	d-----w	c:\program files\Opera
2009-01-13 00:14	---------	d-----w	c:\program files\TechSmith
2009-01-13 00:14	---------	d-----w	c:\program files\Common Files\TechSmith Shared
2009-01-13 00:14	---------	d-----w	c:\documents and settings\All Users\Application Data\TechSmith
2009-01-09 20:02	---------	d-----w	c:\documents and settings\PPKent\Application Data\Media Player Classic
2009-01-09 19:52	---------	d-----w	c:\program files\Ashampoo
2009-01-09 15:49	71,184	----a-w	c:\windows\system32\drivers\DefragFs.sys
2009-01-09 01:27	---------	d-----w	c:\program files\Mythicsoft
2009-01-08 22:42	---------	d-----w	c:\documents and settings\PPKent\Application Data\Canon
2009-01-07 18:42	---------	dc-h--w	c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-01-07 18:42	---------	d-----w	c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-07 18:41	---------	dc-h--w	c:\documents and settings\All Users\Application Data\{752EA1EF-1744-4EC4-BC85-85F7632FCEFB}
2009-01-07 18:41	---------	d-----w	c:\program files\Common Files\Key Metric Software
2009-01-07 18:41	---------	d-----w	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-07 18:41	---------	d-----w	c:\documents and settings\All Users\Application Data\PCPitstop
2009-01-07 18:36	---------	d-----w	c:\program files\Common Files\ArcSoft
2009-01-05 20:17	4,501	----a-w	c:\windows\gdrv.sys
2009-01-05 03:37	---------	d-----w	c:\program files\NVIDIA Corporation
2009-01-03 14:29	---------	d-----w	c:\documents and settings\PPKent\Application Data\Panasonic
2009-01-03 14:01	---------	d-----w	c:\program files\ISL
2009-01-03 13:59	---------	d-----w	c:\program files\Panasonic
2009-01-03 13:30	---------	d-----w	c:\documents and settings\PPKent\Application Data\SCATE
2009-01-03 13:30	---------	d-----w	c:\documents and settings\All Users\Application Data\SCATE
2009-01-03 11:27	---------	d-----w	c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-12-31 23:17	---------	d-----w	c:\documents and settings\PPKent\Application Data\Any Video Converter
2008-12-31 20:25	---------	d-----w	c:\documents and settings\PPKent\Application Data\Ashampoo
2008-12-28 19:56	---------	d-----w	c:\documents and settings\PPKent\Application Data\Systweak
2008-12-28 01:34	---------	d-----w	c:\documents and settings\PPKent\Application Data\SUPERAntiSpyware.com
2008-12-27 20:06	---------	d-----w	c:\program files\Java
2008-12-27 14:25	---------	d-----w	c:\documents and settings\PPKent\Application Data\Malwarebytes
2008-12-27 14:25	---------	d-----w	c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 03:45	---------	d-----w	c:\documents and settings\PPKent\Application Data\iolo
2008-12-27 03:45	---------	d-----w	c:\documents and settings\All Users\Application Data\iolo
2008-12-27 03:16	---------	d-----w	c:\program files\Common Files\Download Manager
2008-12-27 02:43	---------	d-----w	c:\program files\SpyZooka
2008-12-27 02:28	---------	d-----w	c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-27 00:38	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-26 19:17	---------	dc----w	c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2008-12-24 01:39	---------	d-----w	c:\documents and settings\PPKent\Application Data\Uniblue
2008-12-24 00:41	---------	d-----w	c:\documents and settings\All Users\Application Data\PIXELA
2008-12-24 00:34	---------	d-----w	c:\program files\Canon
2008-12-24 00:32	---------	d-----w	c:\program files\Common Files\Canon
2008-12-24 00:22	---------	d-----w	c:\documents and settings\PPKent\Application Data\ArcSoft
2008-12-24 00:15	---------	d-----w	c:\program files\Common Files\ScanSoft Shared
2008-12-24 00:15	---------	d-----w	c:\documents and settings\PPKent\Application Data\ScanSoft
2008-12-24 00:15	---------	d-----w	c:\documents and settings\All Users\Application Data\SSScanWizard
2008-12-24 00:15	---------	d-----w	c:\documents and settings\All Users\Application Data\SSScanAppDataDir
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="y:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-20 1830128]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2009-01-06 2495752]
"Advanced Uninstaller PRO Installation Monitor"="y:\program files\Innovative Solutions\Advanced Uninstaller PRO - Version 9\monitor.exe" [2008-10-31 1153936]
"Uniblue RegistryBooster 2"="y:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 1885464]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2008-10-28 955688]
"QuickTime Task"="y:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-10-22 86016]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-06-06 64256]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "g:\eudorapro 3.0\EuShlExt.dll" [2005-11-14 86016]
"{D468BCE5-D18E-49A4-8EA7-34BD583659D5}"= "c:\progra~1\SpyZooka\spyguard.dll" [2005-05-07 173568]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "y:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-31 05:07 356352 y:\program files\SUPERAntiSpyware\SASWINLO.DLL
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"= wdmaud.sys
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	PDBoot.exe\0autocheck autochk *
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer 3 SE Camera Monitor for SD.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer 3 SE Camera Monitor for SD.lnk
backup=c:\windows\pss\ImageMixer 3 SE Camera Monitor for SD.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk
backup=c:\windows\pss\LUMIX Simple Viewer.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Snagit 9.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Snagit 9.lnk
backup=c:\windows\pss\Snagit 9.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^PPKent^Start Menu^Programs^Startup^Product Registration.lnk]
backup=c:\windows\pss\Product Registration.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBB36X Configure]
-r------- 2006-06-02 03:46 385024 c:\windows\system32\JMRaidTool.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
--a------ 2006-04-07 10:37 135168 c:\windows\system32\nvraidservice.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
-ra------ 2003-07-07 10:29 729088 f:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 f:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyZooka]
--a------ 2008-08-15 19:20 60408 c:\program files\SpyZooka\SpyZookaLdr.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2007-10-22 08:58 1885464 y:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
--a------ 2008-08-26 11:48 2019624 f:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=
"H:8\\Program Files\\Raxco\\PerfectDisk2008\\PD91Agent.exe"=
"c:\\Program Files\\Common Files\\Logitech\\KhalShared\\KHALMNPR.exe"=
"H:8\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"q:\\Program Files\\Unreal Tournament 3 Demo\\Binaries\\UT3Demo.exe"=
 
R1 SASDIFSV;SASDIFSV;y:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;y:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-12-27 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-12-27 202928]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-12-27 69168]
R3 hhdusbh;USB Monitor Filter Driver;c:\windows\system32\drivers\hhdusbh.sys [2008-12-30 35968]
R3 SASENUM;SASENUM;y:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2008-10-28 886056]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25f721b3-dcf7-11dd-a0ea-0016e6858a5a}]
\Shell\AutoRun\command - S:\LaunchU3.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25f721b4-dcf7-11dd-a0ea-0016e6858a5a}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\m.exe /s
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d61d736-cb77-11dd-a066-0016e6858a5a}]
\Shell\AutoRun\command - B:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder
 
2009-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
 
2009-02-24 c:\windows\Tasks\GlaryInitialize.job
- c:\local disk (y)\Glary Utilities\initialize.exe [2009-01-10 17:02]
 
2009-02-24 c:\windows\Tasks\XoftSpySE 2.job
- y:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 14:44]
.
- - - - ORPHANS REMOVED - - - -
 
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
MSConfigStartUp-dotNetInstallerBoot - c:\docume~1\PPKent\LOCALS~1\Temp\RarSFX0\Ignite_Home.exe
 
 
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://yahoo.com
mStart Page = hxxp://yahoo.com
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - f:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.cab
FF - ProfilePath - c:\documents and settings\PPKent\Application Data\Mozilla\Firefox\Profiles\fiytr45r.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - plugin: y:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: y:\program files\Mozilla Firefox\plugins\nppsynth.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin7.dll
 
---- FIREFOX POLICIES ----
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: content.notify.backoffcount - 5
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.cache.memory.capacity - 65536.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 20:29:58
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
 
[HKEY_USERS\S-1-5-21-839522115-152049171-2147200963-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(940)
y:\program files\SUPERAntiSpyware\SASWINLO.DLL
 
- - - - - - - > 'lsass.exe'(996)
c:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Raxco\PerfectDisk10\PDAgent.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-23 20:30:52 - machine was rebooted [PPKent]
ComboFix-quarantined-files.txt  2009-02-24 01:30:50
ComboFix2.txt  2008-12-27 19:39:17
 
Pre-Run: 346,827,358,208 bytes free
Post-Run: 347,080,310,784 bytes free
 
320	--- E O F ---	2008-12-12 19:15:11

HijackThis results:
This entry may well be your IE local page, I'm still checking >
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

These three entries can be "Fixed" but they may well regenerate.  Caused possibly by a Trojan downloader >
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=%s

From your ComboFix results there have been a number of "other deletions", which is good ... will continue systematically analysing these entries & get back to you later in the day ..

As the System Restore was not working previously (constant loss of restore points), nothing would be lost if you disabled SR, then re-enabled it, thus removing any ~possible~ infection within its folder. Then recreate a new restore point, & monitor the machine.
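As an added illustration of the kind of entry that stands out when going through a ComboFix log like the one above (not code from the poster or from ComboFix), the following parses the MountPoints2 AutoRun section and flags commands that launch an executable from the root of a drive or through the RunDLL32 ShellExec_RunDLL helper. The sample input is constructed from the two AutoRun entries in the posted log.

```python
import re

# Constructed sample in ComboFix's MountPoints2 layout, copied from the two
# AutoRun entries in the log above; everything else here is an assumption.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25f721b4-dcf7-11dd-a0ea-0016e6858a5a}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\m.exe /s

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d61d736-cb77-11dd-a066-0016e6858a5a}]
\Shell\AutoRun\command - B:\InstallTomTomHOME.exe
"""

KEY_RE = re.compile(r"^\[HKEY_[^\]]*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$", re.I)
# An executable sitting directly in the root of a drive, e.g. G:\m.exe
ROOT_EXE_RE = re.compile(r"\b([a-z]):\\([^\\\s]+\.(?:exe|com|bat|cmd|scr|pif))\b", re.I)


def suspicion_reasons(command):
    """Heuristic reasons why an AutoRun command deserves a closer look."""
    reasons = []
    # ShellExec_RunDLL is a common way for removable-drive AutoRun entries to
    # launch a payload indirectly, so the real target is only the last argument.
    if "shellexec_rundll" in command.lower():
        reasons.append("rundll32 ShellExec_RunDLL launcher")
    m = ROOT_EXE_RE.search(command)
    if m:
        reasons.append("executable in drive root: %s:\\%s" % (m.group(1).upper(), m.group(2)))
    return reasons


def parse_mountpoints2(log_text):
    """Return one dict per AutoRun command: volume GUID, command, reasons."""
    entries = []
    current_guid = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current_guid = key.group(1)
            continue
        cmd = CMD_RE.match(line)
        if cmd and current_guid:
            command = cmd.group(1).strip()
            entries.append({"guid": current_guid, "command": command,
                            "reasons": suspicion_reasons(command)})
            current_guid = None
    return entries


if __name__ == "__main__":
    for entry in parse_mountpoints2(SAMPLE_LOG):
        print(entry["guid"], entry["command"], entry["reasons"])
```

Both entries are flagged as root-of-drive executables; only the first carries the RunDLL32 launcher pattern, which is the one worth quarantining the drive over before re-enabling System Restore.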
Avatar of 4ubest

ASKER

Turned off System Restore, but before I did I checked and all the points again were deleted. Turned it back on.
Apologies for delay .. from your ComboFix log, there's an entry here that's a problem >
C:\021309apyramdair

Also not yet sure about this one>
c:\documents and settings\PPKent\Application Data\NCH Software

So there appears to be an infection still which may well be the trojan (Vundo). If it is, Housecall will find and remove it >>
Trend Micro's FREE online virus scanner:
http://housecall.trendmicro.com/uk/

Failing that, try VundoFix 7.0.6 >>
http://www.softpedia.com/get/Antivirus/VundoFix.shtml
To use VundoFix follow the instructions written below:
<quote>
· Please download VundoFix.exe to your desktop.
· Double-click VundoFix.exe to run it.
· Put a check next to Run VundoFix as a task.
· You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
· When VundoFix re-opens, click the Scan for Vundo button.
· Once it's done scanning, click the Remove Vundo button.
· You will receive a prompt asking if you want to remove the files, click YES
· Once you click yes, your desktop will go blank as it starts removing Vundo.
· When completed, it will prompt that it will shutdown your computer, click OK.
· Turn your computer back on.
<unquote>

Have re-read your comments & note that you ran Trend AV free and it found nothing.
Avatar of 4ubest

ASKER

Yes, and the Kaspersky full scan only found files that I had in my archives and essentially nothing on the OS drive or associated files. Also the pyramdair file is a folder of jpgs

http://screencast.com/t/0IMfUQmej

Wondering if it could be a corrupted file that can be handled by the System File Checker ...
Start > Run, and then type SFC /scannow
http://www.updatexp.com/scannow-sfc.html
Another possible cause perhaps >
"The System Restore Utility May Be Suspended on a System Drive Even Though There Is Enough Disk Space":
http://support.microsoft.com/kb/299904/

Or if you have a corrupted SR file, you could try this reinstall >
http://windowsxp.mvps.org/repairsr.htm
Avatar of 4ubest

ASKER

Restore points are still here after 3 days now. Certainly not a space issue. I cannot run SFC at all as files are missing.