Chaky 191 Posting Virtuoso

I have a little story for the people that can't turn on the System Restore service:

I disabled this service in the beginning, a long time ago. Yesterday I wanted to enable it and I hit the wall. Whenever I tried to uncheck that "turn off system restore on all drives" box I got an error message saying that System Restore encountered an error on one or more drives, and telling me to reboot and try again.
I tried to manually start the service via Computer Management, but there was none listed. So, I browsed the registry. There was no "SRService" key in the "services" branch, yet there was an "SR" key with one flaw:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr] "ImagePath" = \SystemRoot\System32\DRIVERS\sr.sys

I know that is not a valid path. It should be "%SystemRoot%\System32".
So I Googled "\SystemRoot\System32\DRIVERS\sr.sys" and stumbled across some real info (quote):

General Information about Prorat 1.9 SE from megasecurity:

Server:
dropped files:
c:\WINDOWS\services.exe size: 350,764 bytes
c:\WINDOWS\system\sservice.exe Size: 350,764 bytes
c:\WINDOWS\system32\fservice.exe size: 350,764 bytes
c:\WINDOWS\system32\reginv.dll size: 20,992 bytes
c:\WINDOWS\system32\winkey.dll size: 16,896 bytes

port: 5110, 5112, 51100 TCP

added to registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} "StubPath"
data: C:\WINDOWS\system\sservice.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "DirectX For Microsoft® Windows"
data: C:\WINDOWS\system32\fservice.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
old data: Explorer.exe
new data: Explorer.exe C:\WINDOWS\system32\fservice.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR"
old data: 00, 00, 00, 00
new data: 01, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr "ImagePath"
old data: System32\DRIVERS\sr.sys
new data: \SystemRoot\System32\DRIVERS\sr.sys

My machine was clean, except for that last "ImagePath" thing. And nobody had mentioned the missing "SRService" key in the registry.

It was clear that I had this trojan, and it did some damage. And whatever software I used to get rid of it didn't do it properly.

I had to manually install the service in question in order to get it working again. (Right-click sr.inf in the windows/inf folder, choose "Install", and skip copying file by file when prompted.)

So, if anyone has a problem like I had, that's what you need to do.

Cheers.
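As an added example (not part of the post above or of the megasecurity write-up), a PowerShell audit of the registry values and dropped files that the quoted ProRat 1.9 SE description lists, comparing each value against the "old data" baseline quoted there. It assumes an elevated prompt on an XP-era system, uses CurrentControlSet in place of ControlSet001, and takes every expected value and path from the quoted list; "srservice" is assumed to be the service name behind the post's "SRService".

```powershell
# Added example: check the System Restore settings and persistence points named in the
# quoted ProRat 1.9 SE write-up. Expected values are the "old data" quoted there
# (assumed baseline); CurrentControlSet stands in for the post's ControlSet001.

$baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell';     Expected = 'Explorer.exe' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
       Name = 'DisableSR'; Expected = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\sr'
       Name = 'ImagePath'; Expected = 'System32\DRIVERS\sr.sys' }
)

foreach ($b in $baseline) {
    $prop = Get-ItemProperty -Path $b.Path -Name $b.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { "MISSING   $($b.Path) [$($b.Name)]"; continue }
    $actual = $prop.($b.Name)
    # DisableSR is a DWORD, the others are strings; compare as text, case-insensitively
    if ("$actual" -ieq "$($b.Expected)") { "OK        $($b.Name) = $actual" }
    else { "CHANGED   $($b.Name) = '$actual' (baseline '$($b.Expected)')" }
}

# The Explorer\Run policy key is normally empty; report every value found under it
# (the write-up lists 'DirectX For Microsoft® Windows' pointing at fservice.exe).
$runPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$run = Get-ItemProperty -Path $runPolicy -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "REVIEW    Explorer\Run policy: $($_.Name) = $($_.Value)" }
}

# Dropped files from the write-up, relative to %SystemRoot%. Note that the legitimate
# services.exe lives in system32, so a copy directly under %SystemRoot% is suspect.
$dropped = 'services.exe', 'system\sservice.exe', 'system32\fservice.exe',
           'system32\reginv.dll', 'system32\winkey.dll'
foreach ($f in $dropped) {
    $full = Join-Path $env:SystemRoot $f
    if (Test-Path -LiteralPath $full) { "SUSPECT   file present: $full" }
}

# The post's fix only applies when the service itself is no longer registered.
if (-not (Get-Service -Name srservice -ErrorAction SilentlyContinue)) {
    "MISSING   System Restore service not registered (reinstall via %SystemRoot%\inf\sr.inf)"
}
```

Save the script with UTF-8 encoding so the ® in the comment survives; a CHANGED or SUSPECT line is a reason to verify the file or value by hand, not proof of infection on its own.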