
Author Topic: System restore software  (Read 59665 times)


evilfantasy

  • Malware Removal Specialist


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: System restore software
« Reply #15 on: April 07, 2009, 12:00:26 PM »
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

Note: It is important that it is saved directly to your Desktop.

DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Driver::
ucyvusjw
ASKService

File::
c:\program files\askbardis\bar\bin\AskService.exe
C:\XESD.tmp
C:\XESB.tmp

DDS::
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar1.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

bluesstrummer24

    Topic Starter


    Rookie

    Re: System restore software
    « Reply #16 on: April 07, 2009, 12:06:05 PM »
    I installed the crawler product for its screen saver, because at the time, I had not only lost use of the system restore, I had also lost the Windows screen saver utility.
    The Windows screensaver is back and functional, so I can uninstall the crawler if you like.
    I'm no expert by far, but I have noticed a lot of errors in the event viewer. I don't know if that has anything to do with our problem.

    evilfantasy

    • Malware Removal Specialist


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: System restore software
    « Reply #17 on: April 07, 2009, 01:30:27 PM »
    Crawler is not dangerous so it's up to you.

    bluesstrummer24

      Topic Starter


      Rookie

      Re: System restore software
      « Reply #18 on: April 07, 2009, 10:36:02 PM »
      I hope I did that right. Pretty scary stuff.

      bluesstrummer24

        Topic Starter


        Rookie

        Re: System restore software
        « Reply #19 on: April 07, 2009, 10:37:12 PM »
        ComboFix 09-04-04.01 - HP_Administrator 2009-04-07 21:17:51.1 - NTFSx86
        Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.958.484 [GMT -7:00]
        Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
        Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
        AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
         * Created a new restore point

        FILE ::
        c:\program files\askbardis\bar\bin\AskService.exe
        C:\XESB.tmp
        C:\XESD.tmp
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\program files\askbardis\bar\bin\askBar1.dll
        c:\program files\askbardis\bar\bin\AskService.exe
        c:\program files\FunWebProducts
        c:\program files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL
        c:\program files\messenger\msmsgs.exe
        c:\program files\MyWebSearch
        c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
        c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
        c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
        c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
        c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
        c:\program files\Uninstall Fun Web Products.dll
        c:\windows\opuc.dll
        c:\windows\patch.exe
        c:\windows\system32\Cache
        C:\XESB.tmp
        C:\XESD.tmp
        D:\Autorun.inf
        K:\Autorun.inf
        L:\autorun.inf

        .
        (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        -------\Legacy_ASKSERVICE
        -------\Legacy_UCYVUSJW
        -------\Service_ASKService
        -------\Service_ucyvusjw


        (((((((((((((((((((((((((   Files Created from 2009-03-08 to 2009-04-08  )))))))))))))))))))))))))))))))
        .

        2009-04-07 21:14 . 2006-03-03 00:42   73,728   --a------   C:\pv.exe
        2009-04-07 10:03 . 2009-03-07 21:23   30,136   --a------   c:\windows\system32\drivers\rspSanity32.sys
        2009-04-05 16:48 . 2009-04-05 16:48   <DIR>   d--------   c:\program files\Citrix
        2009-04-05 15:56 . 2009-04-05 15:56   <DIR>   d--------   c:\program files\CCleaner
        2009-04-03 09:32 . 2009-04-03 09:32   <DIR>   d--------   c:\program files\Belarc
        2009-04-02 13:54 . 2009-04-02 13:54   <DIR>   d--------   c:\program files\Trend Micro
        2009-04-02 13:06 . 2009-04-02 13:06   <DIR>   d--------   c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
        2009-04-02 13:06 . 2009-03-26 16:49   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
        2009-04-02 13:06 . 2009-03-26 16:49   15,504   --a------   c:\windows\system32\drivers\mbam.sys
        2009-04-02 13:05 . 2009-04-02 13:06   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
        2009-04-02 13:05 . 2009-04-02 13:05   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
        2009-04-02 12:01 . 2009-04-02 12:01   <DIR>   d--------   c:\program files\SUPERAntiSpyware
        2009-04-02 12:01 . 2009-04-02 12:01   <DIR>   d--------   c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
        2009-04-02 12:01 . 2009-04-02 12:01   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
        2009-04-02 11:57 . 2009-04-02 11:57   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
        2009-03-30 18:43 . 2009-03-30 18:44   <DIR>   d--------   c:\windows\system32\ZoneLabs
        2009-03-30 18:43 . 2009-03-30 18:43   <DIR>   d--------   c:\program files\Zone Labs
        2009-03-30 18:43 . 2009-02-16 00:10   1,221,512   --a------   c:\windows\system32\zpeng25.dll
        2009-03-30 18:43 . 2009-04-07 21:22   350,192   --a------   c:\windows\system32\vsconfig.xml
        2009-03-30 10:21 . 2009-03-30 18:44   <DIR>   d--------   c:\program files\AskBarDis
        2009-03-17 02:30 . 2009-03-17 02:30   <DIR>   d--------   c:\program files\Jetico
        2009-03-15 14:40 . 2009-03-15 14:40   <DIR>   d--------   c:\windows\system32\IOSUBSYS
        2009-03-11 11:04 . 2009-03-11 11:04   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Office Genuine Advantage
        2009-03-08 19:19 . 2009-03-08 19:19   <DIR>   d--------   c:\program files\ERUNT

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2009-04-08 04:23   ---------   d-----w   c:\documents and settings\HP_Administrator\Application Data\mjusbsp
        2009-04-07 18:16   ---------   d-----w   c:\program files\Inbox
        2009-04-06 22:14   ---------   d-----w   c:\program files\Billeo
        2009-04-03 18:50   ---------   d-----w   c:\program files\Java
        2009-04-03 17:40   ---------   d-----w   c:\documents and settings\HP_Administrator\Application Data\OfficeUpdate12
        2009-03-24 16:39   108,552   ----a-w   c:\windows\system32\drivers\avgtdix.sys
        2009-03-15 21:39   ---------   d-----w   c:\program files\Google
        2009-03-13 15:05   325,640   ----a-w   c:\windows\system32\drivers\avgldx86.sys
        2009-03-08 20:24   ---------   d-----w   c:\program files\QuickTime
        2009-03-06 09:23   ---------   d-----w   c:\program files\iTunes
        2009-03-03 07:46   ---------   d-----w   c:\program files\Reference Assemblies
        2009-03-03 07:46   ---------   d-----w   c:\program files\MSBuild
        2009-03-02 17:12   ---------   d-----w   c:\documents and settings\All Users\Application Data\Cached Installations
        2009-02-27 19:38   ---------   d-----w   c:\documents and settings\All Users\Application Data\TEMP
        2009-02-27 10:00   ---------   d-----w   c:\program files\Paltalk Messenger
        2009-02-26 16:16   12,552   ------w   c:\windows\system32\drivers\avgrkx86.sys
        2009-02-26 16:16   ---------   d-----w   c:\documents and settings\All Users\Application Data\avg8
        2009-02-23 19:10   ---------   d-----w   c:\documents and settings\All Users\Application Data\DriverCure
        2009-02-23 17:42   ---------   d-----w   c:\documents and settings\HP_Administrator\Application Data\Apple Computer
        2009-02-23 17:34   ---------   d-----w   c:\documents and settings\HP_Administrator\Application Data\DriverCure
        2009-02-23 17:32   ---------   d-----w   c:\documents and settings\All Users\Application Data\ParetoLogic
        2009-02-19 18:55   ---------   d-----w   c:\program files\ACW
        2009-02-18 20:37   ---------   d-----w   c:\program files\reg cure
        2009-02-10 00:10   ---------   d-----w   c:\documents and settings\HP_Administrator\Application Data\LimeWire
        2009-02-09 21:29   ---------   d-----w   c:\program files\LimeWire
        2007-02-01 04:24   22   -csh--w   c:\windows\SMINST\HPCD.sys
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
        "cdloader"="c:\documents and settings\HP_Administrator\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
        "LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-12-14 91440]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
        "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
        "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
        "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-13 1932568]
        "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
        "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
        "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
        "ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
        "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
        "nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

        c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
        ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
        Shortcut to SetPoint.exe.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-14 805392]

        c:\documents and settings\All Users\Start Menu\Programs\Startup\
        billeo.lnk - c:\program files\Billeo\billeo.exe [2007-08-31 1176840]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
        2008-05-02 03:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
        2009-03-13 08:05 10520 c:\windows\system32\avgrsstx.dll

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
        @=""

        [HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Shortcut to SetPoint.exe.lnk]
        backup=c:\windows\pss\Shortcut to SetPoint.exe.lnkStartup
        HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer
        HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleToolbarNotifier
        HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
        HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jusched
        HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\m3SrchMn
        HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSASCui
        HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mwsoemon
        HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor
        HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin
        HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
        HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdateManager]
        -r------- 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E_FATIACA]
        --------- 2005-02-07 20:00 98304 c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE]
        -----c--- 2007-01-17 00:59 958464 c:\program files\Browser Mouse\MOffice.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
        --------- 2007-05-08 16:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWuSchd2]
        --------- 2007-05-08 16:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
        -----c--- 2004-07-27 23:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
        -----c--- 2004-07-27 23:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
        --------- 2007-01-12 03:12 244512 c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MOffice]
        -----c--- 2007-01-17 00:59 958464 c:\program files\Browser Mouse\MOffice.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
        --------- 2008-05-16 14:01 13529088 c:\windows\system32\nvcpl.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qttask]
        --------- 2009-01-05 17:18 413696 c:\program files\QuickTime\QTTask.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
        --------- 2009-01-05 17:18 413696 c:\program files\QuickTime\QTTask.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
        --------- 2007-01-23 23:47 237568 c:\windows\SMINST\Recguard.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
        -----c--- 2004-12-14 02:23 663552 c:\windows\CREATOR\Remind_XP.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Remind_XP]
        -----c--- 2004-12-14 02:23 663552 c:\windows\CREATOR\Remind_XP.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
        --a------ 2009-03-09 05:19 148888 c:\program files\Java\jre6\bin\jusched.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
        -r------- 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
        -----c--- 2007-01-19 13:49 4670968 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YahooMessenger]
        -----c--- 2007-01-19 13:49 4670968 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
        --------- 2005-05-03 11:43 69632 c:\windows\ALCMTR.EXE

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
        -----c--- 2005-08-02 23:19 77312 c:\windows\arpwrmsg.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDial]
        -----c--- 2005-08-02 23:19 77312 c:\windows\arpwrmsg.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ARPWRMSG]
        -----c--- 2005-08-02 23:19 77312 c:\windows\arpwrmsg.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KHALMNPR]
        --------- 2008-02-29 04:12 76304 c:\windows\KHALMNPR.Exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
        --------- 2008-02-29 04:12 76304 c:\windows\KHALMNPR.Exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
        "SharedAccess"=2 (0x2)
        "WZCSVC"=2 (0x2)
        "mnmsrvc"=3 (0x3)
        "AOL ACS"=2 (0x2)
        "wuauserv"=2 (0x2)
        "LightScribeService"=2 (0x2)

        [HKEY_LOCAL_MACHINE\software\microsoft\security center]
        "AntiVirusOverride"=dword:00000001
        "FirewallOverride"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
        "DisableMonitoring"=dword:00000001

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
        "c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
        "c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\Program Files\\LimeWire\\LimeWire.exe"=
        "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
        "c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
        "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
        "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
        "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
        "c:\\Documents and Settings\\HP_Administrator\\Application Data\\mjusbsp\\magicJack.exe"=

        R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-02-26 12552]
        R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-26 325640]
        R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-26 108552]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
        R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-26 908056]
        R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-26 298264]
        S2 mrtRate;mrtRate;

        S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
        .
        Contents of the 'Scheduled Tasks' folder

        2009-03-05 c:\windows\Tasks\jusched.job
        - c:\program files\Java\jre1.6.0_07\bin\jusched.exe []

        2009-04-02 c:\windows\Tasks\ParetoLogic Registration.job
        - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll []

        2009-04-07 c:\windows\Tasks\RegCure Program Check.job
        - c:\documents and settings\HP_Administrator\Desktop\SYSTEM RESTORE\RegCure\RegCure.exe []

        2009-03-06 c:\windows\Tasks\RegCure.job
        - c:\documents and settings\HP_Administrator\Desktop\SYSTEM RESTORE\RegCure\RegCure.exe []
        .
        - - - - ORPHANS REMOVED - - - -

        Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar1.dll
        HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
        MSConfigStartUp-bagent - \bagent.exe
        MSConfigStartUp-DMAScheduler - c:\program files\HP DigitalMedia Archive\DMAScheduler.exe
        MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
        MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
        MSConfigStartUp-PicasaMediaDetector - c:\program files\Picasa2\PicasaMediaDetector.exe
        MSConfigStartUp-QuickenScheduledUpdates - \bagent.exe


        .
        ------- Supplementary Scan -------
        .
        uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
        uStart Page = hxxp://www.google.com/
        uInternet Settings,ProxyOverride = 127.0.0.1
        uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
        IE: {{CDAFD956-97BE-443D-8EF7-F4F094EB5766} - c:\progra~1\inbox\ssaver\CSSaver.exe
        Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
        DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
        .

        **************************************************************************

        catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2009-04-07 21:23:01
        Windows 5.1.2600 Service Pack 3 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_USERS\S-1-5-21-1934033104-4032786001-1496021485-1007\Software\Microsoft\SystemCertificates\AddressBook*]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(808)
        c:\program files\SUPERAntiSpyware\SASWINLO.dll
        c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
        c:\program files\common files\logitech\bluetooth\LBTServ.dll
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\windows\system32\ZoneLabs\vsmon.exe
        c:\windows\ehome\ehrecvr.exe
        c:\windows\ehome\ehSched.exe
        c:\windows\system32\inetsrv\inetinfo.exe
        c:\program files\Java\jre6\bin\jqs.exe
        c:\windows\system32\nvsvc32.exe
        c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
        c:\progra~1\AVG\AVG8\avgam.exe
        c:\program files\AVG\AVG8\avgrsx.exe
        c:\progra~1\AVG\AVG8\avgnsx.exe
        c:\program files\AVG\AVG8\avgcsrvx.exe
        c:\windows\ehome\mcrdsvc.exe
        c:\program files\AVG\AVG8\avgcsrvx.exe
        c:\windows\system32\rundll32.exe
        c:\windows\system32\dllhost.exe
        c:\program files\Common Files\LogiShrd\KHAL2\KHALMNPR.exe
        c:\documents and settings\HP_Administrator\Application Data\mjusbsp\st00000\mjsetup.exe
        c:\windows\system\hpsysdrv.exe
        c:\documents and settings\HP_Administrator\Application Data\mjusbsp\magicJack.exe
        c:\program files\Common Files\InstallShield\UpdateService\issch.exe
        c:\windows\system32\ZoneLabs\updclient.exe
        .
        **************************************************************************
        .
        Completion time: 2009-04-07 21:27:20 - machine was rebooted
        ComboFix-quarantined-files.txt  2009-04-08 04:27:17

        Pre-Run: 221,289,791,488 bytes free
        Post-Run: 221,174,652,928 bytes free

        315   --- E O F ---   2009-03-05 14:52:04
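A small triage pass over a ComboFix log, added here as an example (it is not ComboFix's code and not from this thread). It assumes the banner, dashed-header and REGEDIT4-style layouts seen in the log above and runs over a constructed sample in that layout, flagging the items a helper looks at first: Security Center override values, the firewall profile switch, autostarts from user-writable paths, autorun.inf removals and new files dropped directly under C:\ or C:\Windows.

```python
"""Triage pass over a ComboFix log (added example, not ComboFix's own code).  The banner
and REGEDIT4-style layouts follow the log posted in this thread; SAMPLE_LOG is constructed."""
import re
from typing import Dict, List, Tuple

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")                 # ((((  Other Deletions  ))))
DASH_RE = re.compile(r"^(?:-\s*){3,}(.+?)\s*(?:-\s*){3,}$")     # ------- Supplementary Scan -------
KEY_RE = re.compile(r"^\[(.+)\]$")                              # [HKEY_...]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(\d{4}-\d{2}-\d{2})')       # "name"="path" [date size]
DWORD_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|\s*(\d+)\s*\(0x[0-9a-fA-F]+\))$')
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(\S+)\s+\S+\s+(.+)$")

def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the banner or dashed header that precedes them."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line) or DASH_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        elif line and line != "." and not line.startswith("*****"):
            sections[current].append(line)
    return sections

def section(sections: Dict[str, List[str]], prefix: str) -> List[str]:
    """Look a section up by title prefix; 'Files Created ...' carries a date range."""
    return next((v for k, v in sections.items() if k.startswith(prefix)), [])

def parse_reg_points(lines: List[str]):
    """Return ([(key, name, path)], {(key, name): int}) from the 'Reg Loading Points' lines."""
    runs: List[Tuple[str, str, str]] = []
    dwords: Dict[Tuple[str, str], int] = {}
    key = ""
    for line in lines:
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := RUN_RE.match(line)):
            runs.append((key, m.group(1), m.group(2)))
        elif key and (m := DWORD_RE.match(line)):
            dwords[(key, m.group(1))] = int(m.group(2), 16) if m.group(2) else int(m.group(3))
    return runs, dwords

def triage(text: str) -> List[str]:
    """First-pass checks a helper applies before reading the whole log by hand."""
    sections = split_sections(text)
    findings: List[str] = []
    runs, dwords = parse_reg_points(section(sections, "Reg Loading Points"))
    for (key, name), value in dwords.items():
        k = key.lower()
        if "security center" in k and name.endswith("Override") and value == 1:
            findings.append(f"{name}=1: Security Center told to stop warning about AV/firewall state")
        if k.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value == 0:
            findings.append("EnableFirewall=0: Windows Firewall is off in the standard profile")
    for _key, name, path in runs:           # autostarts living in user-writable locations
        if "documents and settings" in path.lower() or "\\temp\\" in path.lower():
            findings.append(f"Run value {name!r} starts {path} from a user-writable location")
    for line in section(sections, "Other Deletions"):
        if line.lower().endswith("\\autorun.inf"):
            findings.append(f"autorun.inf removed from {line[:2]}: check every removable disk used on this PC")
    for line in section(sections, "Files Created"):
        m = FILE_RE.match(line)
        if m and m.group(1) != "<DIR>":     # new files dropped directly in C:\ or C:\Windows
            parent = m.group(2).lower().rsplit("\\", 1)[0]
            if parent in ("c:", "c:\\windows"):
                findings.append(f"new file directly under {parent}\\ : {m.group(2)}")
    return findings

# Constructed sample in the layout of the posted log (paths and names are made up).
SAMPLE_LOG = r"""
((((((((((((((((   Other Deletions   ))))))))))))))))
.
c:\windows\patch.exe
D:\Autorun.inf
K:\Autorun.inf
.
((((((((((   Files Created from 2009-03-08 to 2009-04-08  ))))))))))
.
2009-04-07 21:14 . 2006-03-03 00:42   73,728   --a------   C:\pv.exe
2009-04-05 16:48 . 2009-04-05 16:48   <DIR>   d--------   c:\program files\ExampleApp
.
((((((((((((((((   Reg Loading Points   ))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="c:\documents and settings\SampleUser\Application Data\SampleApp\updater.exe" [2009-01-01 12345]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
------- Supplementary Scan -------
.
uStart Page = hxxp://www.example.com/
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

On the log above, the same checks would surface the two Security Center override values, EnableFirewall=0 and the three autorun.inf removals; each one is a review item, not proof of infection (ZoneAlarm replacing the Windows firewall explains the first three here).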

        bluesstrummer24

          Topic Starter


          Rookie

          Re: System restore software
          « Reply #20 on: April 08, 2009, 02:59:37 AM »
          Still cannot restore system

          bluesstrummer24

            Topic Starter


            Rookie

            Re: System restore software
            « Reply #21 on: April 08, 2009, 12:04:09 PM »
            Hi Evil!!  You see anything of interest in the Combofix log?
            I can't thank you enough, for all this help!!

            bluesstrummer24

              Topic Starter


              Rookie

              Re: System restore software
              « Reply #22 on: April 08, 2009, 12:06:18 PM »
              By the way Evil, great website!

              evilfantasy

              • Malware Removal Specialist


              • Genius
              • Calm like a bomb
              • Thanked: 493
              • Experience: Experienced
              • OS: Windows 11
              Re: System restore software
              « Reply #23 on: April 08, 2009, 01:21:48 PM »
              Download the OTMoveIt3 by OldTimer

              Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

              * Save it to your Desktop.
              * Double-click OTMoveIt3.exe to run it.
              * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

              Code:
              :Processes
              explorer.exe

              :services
              mrtRate

              :files
              c:\windows\Tasks\ParetoLogic Registration.job
              c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll
              c:\windows\Tasks\RegCure Program Check.job
              c:\documents and settings\HP_Administrator\Desktop\SYSTEM RESTORE\RegCure\RegCure.exe
              c:\windows\Tasks\RegCure.job

              :Commands
              [purity]
              [emptytemp]
              [start explorer]
              [Reboot]

              * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
              * Click the red Moveit! button.
              * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
              * Close OTMoveIt3.

              Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

              bluesstrummer24

                Topic Starter


                Rookie

                Re: System restore software
                « Reply #24 on: April 08, 2009, 01:45:49 PM »
                ========== PROCESSES ==========
                Process explorer.exe killed successfully.
                ========== SERVICES/DRIVERS ==========

                Service\Driver mrtRate deleted successfully.
                ========== FILES ==========
                c:\windows\Tasks\ParetoLogic Registration.job moved successfully.
                File/Folder c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll not found.
                c:\windows\Tasks\RegCure Program Check.job moved successfully.
                File/Folder c:\documents and settings\HP_Administrator\Desktop\SYSTEM RESTORE\RegCure\RegCure.exe not found.
                c:\windows\Tasks\RegCure.job moved successfully.
                ========== COMMANDS ==========
                File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF6A73.tmp scheduled to be deleted on reboot.
                File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF6B6B.tmp scheduled to be deleted on reboot.
                File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF8773.tmp scheduled to be deleted on reboot.
                File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF878A.tmp scheduled to be deleted on reboot.
                File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF9BCA.tmp scheduled to be deleted on reboot.
                File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF9BE1.tmp scheduled to be deleted on reboot.
                File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DFB94F.tmp scheduled to be deleted on reboot.
                File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DFB968.tmp scheduled to be deleted on reboot.
                User's Temp folder emptied.
                User's Internet Explorer cache folder emptied.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\;ord=821180493[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\ads[2].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\ads[3].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\evilfantasy_wordpress_com[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\InboxLight[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\popup3[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\rating_nine_os_x_browsers1[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\topic,80551.15[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\view_play_list[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\web-safety[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\wwf_merijn_org[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\01[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\ads[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\iframe3[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\kioskHandler[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\popup2[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\popuptest_com[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\results[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\showMessage[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5Q7RJB8\3-cleaner-settings[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5Q7RJB8\;ord=821164198[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5Q7RJB8\ads[2].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5Q7RJB8\ads[3].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5Q7RJB8\india[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5Q7RJB8\installers-hall-of-shame[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5Q7RJB8\rotate2[2].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\browse[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\HistoryFrame_13.3.0215.0327[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\InboxLight[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\index[4].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\kioskHandler[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\searchMetric[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\st[1] scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\st[2] scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\topic,80551.msg533440[1].htm scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
                User's Temporary Internet Files folder emptied.
                File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
                File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
                Local Service Temp folder emptied.
                File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
                Local Service Temporary Internet Files folder emptied.
                Network Service Temp folder emptied.
                File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
                Network Service Temporary Internet Files folder emptied.
                File delete failed. C:\WINDOWS\temp\2618af90-2e02-48c3-bca6-58244d990f8c.tmp scheduled to be deleted on reboot.
                File delete failed. C:\WINDOWS\temp\bbe8eaf8-7e0a-49a4-ab30-48b6397cbd8b.tmp scheduled to be deleted on reboot.
                File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_74.dat scheduled to be deleted on reboot.
                File delete failed. C:\WINDOWS\temp\ZLT05470.TMP scheduled to be deleted on reboot.
                Windows Temp folder emptied.
                Java cache emptied.
                Temp folders emptied.
                Explorer started successfully
                 
                OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04082009_123352

                Files moved on Reboot...
                C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF6A73.tmp moved successfully.
                C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF6B6B.tmp moved successfully.
                File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF8773.tmp not found!
                File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF878A.tmp not found!
                File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF9BCA.tmp not found!
                File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF9BE1.tmp not found!
                File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DFB94F.tmp not found!
                File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DFB968.tmp not found!
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\;ord=821180493[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\ads[2].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\ads[3].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\evilfantasy_wordpress_com[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\InboxLight[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\popup3[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\rating_nine_os_x_browsers1[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\topic,80551.15[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\view_play_list[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\web-safety[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZBOFN8GW\wwf_merijn_org[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\01[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\ads[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\iframe3[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\kioskHandler[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\popup2[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\popuptest_com[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\results[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NN6WRL8T\showMessage[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5Q7RJB8\3-cleaner-settings[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5Q7RJB8\;ord=821164198[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5Q7RJB8\ads[2].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5Q7RJB8\ads[3].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5Q7RJB8\india[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5Q7RJB8\installers-hall-of-shame[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5Q7RJB8\rotate2[2].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\browse[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\HistoryFrame_13.3.0215.0327[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\InboxLight[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\index[4].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\kioskHandler[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\searchMetric[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\st[1] moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\st[2] moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\08H1BPTH\topic,80551.msg533440[1].htm moved successfully.
                C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
                C:\WINDOWS\temp\2618af90-2e02-48c3-bca6-58244d990f8c.tmp moved successfully.
                C:\WINDOWS\temp\bbe8eaf8-7e0a-49a4-ab30-48b6397cbd8b.tmp moved successfully.
                File C:\WINDOWS\temp\Perflib_Perfdata_74.dat not found!
                File C:\WINDOWS\temp\ZLT05470.TMP not found!

                evilfantasy
                • Malware Removal Specialist
                Re: System restore software
                « Reply #25 on: April 08, 2009, 02:06:06 PM »
                  • Click START then RUN
                  • Now type Combofix /u in the runbox
                  • Make sure there's a space between Combofix and /u
                  • Then hit Enter.
                  The above procedure will:
                  • Delete ComboFix and its associated files and folders.
                  • Reset the clock settings.
                  • Hide file extensions, if required.
                  • Hide System/Hidden files, if required.
                  • Set a new, clean Restore Point.
                  ----------

                Download ATF Cleaner by Atribune to your Desktop.

                Alternate download link

                Note: Vista users must use Run As Administrator
                • Under Main: Select Files to Delete choose: Select All.
                • Click the Empty Selected button.
                • If you use Firefox browser click Firefox at the top and choose: Select All
                • Click the Empty Selected button.
                  If you would like to keep your saved passwords click No at the prompt.
                • If you use Opera browser click Opera at the top and choose: Select All
                • Click the Empty Selected button.
                  If you would like to keep your saved passwords click No at the prompt.
                • Click Exit on the Main menu to close the program.
                Note that your system will run slower for a reboot or two after having used this tool so don't panic.

                ----------

                1. Double click OTMoveIt3.exe to launch it.
                If using Vista Right-Click OTMoveIt and choose Run As Administrator
                2. Click on the CleanUp! button.
                3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
                4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
                • When finished exit out of OTMoveIt3
                ----------

                Restart the computer.

                Is System Restore working normally now?

                  bluesstrummer24
                  Topic Starter
                  Re: System restore software
                  « Reply #26 on: April 08, 2009, 03:20:29 PM »
                  It still will not successfully restore the system, unless in Safe Mode.
                  I wonder if maybe there is an application running that prevents it from restoring, and that application is not running when in Safe Mode??
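A diagnostic for the difference the post above describes (System Restore succeeds in Safe Mode but not in a normal boot), added here as an example and not part of the thread: it reads the System Restore disable values, reports the state of the srservice service, and lists the running services and Run-key autostarts that a Safe Mode boot would not have loaded. It assumes the Windows XP layout this machine uses (the srservice service name and the registry paths shown) and that PowerShell is installed on the box.

```powershell
# Added example, not from the thread. Assumes the Windows XP layout on this machine:
# the System Restore service is named 'srservice' and the registry paths below are the
# standard XP ones. Run from an administrator account in a normal (non-Safe Mode) boot.

# 1. Is System Restore switched off by configuration or by policy?
#    DisableSR=1 turns the feature off; DisableConfig=1 hides its settings page.
$srKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
)
foreach ($key in $srKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        '{0}: DisableSR={1} DisableConfig={2}' -f $key, $props.DisableSR, $props.DisableConfig
    } else {
        '{0}: not present' -f $key
    }
}

# 2. State and start mode of the System Restore service itself.
$sr = Get-WmiObject -Class Win32_Service -Filter "Name='srservice'"
if ($sr) {
    'srservice: State={0} StartMode={1}' -f $sr.State, $sr.StartMode
} else {
    'srservice: service not found (not an XP-style System Restore install)'
}

# 3. Which running services would a Safe Mode boot have skipped?
#    Safe Mode only starts the services and driver groups listed under SafeBoot\Minimal,
#    so a running service missing from that list is a candidate for the
#    "something that runs in normal mode but not in Safe Mode" the poster suspects.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
$allowed  = Get-ChildItem -Path $safeBoot | ForEach-Object { $_.PSChildName.ToLower() }
$suspects = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.State -eq 'Running' -and ($allowed -notcontains $_.Name.ToLower()) }
''
'Running services that Safe Mode would not have started:'
$suspects | Sort-Object Name | Format-Table -AutoSize Name, DisplayName, PathName

# 4. Run-key autostarts are also skipped in Safe Mode; list them with their command lines.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
''
'Autostart entries that Safe Mode would not have launched:'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $entries = Get-ItemProperty -Path $key
        # Skip the PSPath/PSParentPath/... bookkeeping properties PowerShell adds
        $entries.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { '{0}  {1} = {2}' -f $key, $_.Name, $_.Value }
    }
}
```

Anything listed in sections 3 and 4 whose PathName or command line points outside the Windows or Program Files tree is what to compare against the logs already posted in this thread.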

                  evilfantasy
                  • Malware Removal Specialist
                  Re: System restore software
                  « Reply #27 on: April 08, 2009, 03:30:29 PM »
                  Try this again now that we have cleaned up everything else.

                  Download systemrestore.reg to your Desktop, right click the file and select Merge.

                  Accept any warnings.

                    bluesstrummer24
                    Topic Starter
                    Re: System restore software
                    « Reply #28 on: April 08, 2009, 07:09:17 PM »
                    Still the same. GRRRR

                    evilfantasy
                    • Malware Removal Specialist
                    Re: System restore software
                    « Reply #29 on: April 08, 2009, 07:12:12 PM »
                    I'm sort of at a loss then.

                    Try going to Start > Run then type in sfc /scannow and click OK

                    Note the space between sfc and /scannow