Lee July 29th 11 08:13 PM

System Restore says computer has not been changed
 
My computer has apparently been hit by a virus. When I do a search on
Google and click on a result an ad page comes up. Also, I'm having trouble
creating some queries in Microsoft Access. Also, when I boot the computer
I get 2 messages saying a file is missing.

So I tried to do a system restore. It keeps telling me that it can't do
the restore because the computer has not been changed. I've tried it using
several different dates going back weeks. How can I fix this? I'm using
Windows XP Professional.

Tim Meddick[_3_] July 29th 11 08:29 PM

System Restore says computer has not been changed
 
System Restore will only detect and be able to restore changes to the SYSTEM
(the system part of the registry & system files) and any unwanted changes
that occur to the CURRENT USER's profile will not be included.

So perhaps it might be a suggestion to re-post here the details of what you
were trying to achieve with System Restore (i.e. what changes exactly were
you hoping to return to their former state?).

==

Cheers, Tim Meddick, Peckham, London. :-)




Jeremy Nicoll - news posts[_2_] July 29th 11 08:52 PM

System Restore says computer has not been changed
 
Lee wrote:

> My computer has apparently been hit by a virus. When I do a search on
> Google and click on a result an ad page comes up.

All searches, or just a specific one? What are you searching for?

> Also, I'm having trouble creating some queries in Microsoft Access. Also,
> when I boot the computer I get 2 messages saying a file is missing.

What file?


--
Jeremy C B Nicoll - my opinions are my own.

Email sent to my from-address will be deleted. Instead, please reply
to replacing "aaa" by "284".

Lee July 29th 11 09:41 PM

System Restore says computer has not been changed
 
There are 2 messages:
"Windows cannot find C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe. ..."
and
"Could not load or run C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe. ..."

Lee July 29th 11 09:45 PM

System Restore says computer has not been changed
 
I'm not trying to restore changes. I'm trying to repair the system.
My computer has apparently been hit by a virus. When I do a search
on Google and click on a result an ad page comes up. Also, I'm
having trouble creating some queries in Microsoft Access. Also, when I
boot the computer I get 2 messages saying csrss.exe is missing.

Lee July 29th 11 10:07 PM

System Restore says computer has not been changed
 
Since the partial restore the csrss.exe messages have gone away. I'm
still having problems with Access and Google.

Jeremy Nicoll - news posts[_2_] July 29th 11 10:14 PM

System Restore says computer has not been changed
 
Lee wrote:

> There are 2 messages:
> "Windows cannot find C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe. ..."
> and
> "Could not load or run C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe. ..."


That's odd; I'd not expect anything to be trying to use a file in

...\Temp\...

as you log in, unless - say - you'd been uninstalling a product and it

a) told you you needed to reboot (so it could perhaps do some
file renames or deletes as the system is rebooted), and

b) set up (in the registry) a command to run that program next time
you booted, and

c) before rebooting, you manually, or some program that clears up
temporary files etc, deleted something from \Temp\

If you know how to look at the eventlogs, is it possible to find out what
task/process was looking for csrss.exe ?

Google suggests that csrss.exe is part of Windows, provided it's the copy in
C:\WINDOWS\system32. Perhaps the one in \Temp\ is infected?


Do you have antivirus software?

Have you run anti-malware scans?

--
Jeremy C B Nicoll - my opinions are my own.

Email sent to my from-address will be deleted. Instead, please reply
to replacing "aaa" by "284".

Tim Meddick[_3_] July 30th 11 12:23 AM

System Restore says computer has not been changed
 

That's right! - Alarm bells should start to ring if you find any file wants
to be run from a TEMP directory (except for in the midst of a program's
installation 'setup', perhaps).

The normal location for [CSRSS.EXE] is in the [system32] folder.

It was probably a virus which switched the correct path in the registry for
[csrss.exe] to its own bogus version residing in the TEMP directory...
The 'real' [csrss.exe] file probably didn't go anywhere - it was just that
its registered path had been altered.

You have tried, of course, running a *full* scan with your installed
Anti-Virus Software?

==

Cheers, Tim Meddick, Peckham, London. :-)
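
Added example (not part of the thread, and not any poster's code): a check over startup command lines for the two warning signs raised above, an executable launched from a Temp directory and a Windows system process name outside system32. The function names, the short list of system process names and the sample entries are assumptions constructed for illustration; only the csrss.exe path is taken from the error messages quoted in the thread.

```python
import ntpath

# Assumptions: Windows lives in C:\WINDOWS (as in the thread) and this short
# list of system process names is illustrative, not exhaustive.
SYSTEM_DIR = r"c:\windows\system32"
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe"}


def extract_exe(command):
    """Return the executable path from an autorun command line."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):                 # quoted path followed by arguments
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")          # bare path followed by arguments
    return command[:end + 4] if end != -1 else command.split()[0]


def check_autorun(command):
    """Return the reasons (possibly none) why an autorun command looks wrong."""
    path = ntpath.normpath(extract_exe(command)).lower()
    folder, exe = ntpath.split(path)
    reasons = []
    if "temp" in folder.split("\\"):
        reasons.append("runs from a Temp directory")
    if exe in SYSTEM_NAMES and folder != SYSTEM_DIR:
        reasons.append("system process name outside system32")
    return reasons


# Constructed startup entries (value name, command), shaped like registry
# autorun data; only the csrss.exe path comes from the thread.
SAMPLE_ENTRIES = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("updater", r'"C:\Program Files\Example App\update.exe" /background'),
    ("setup", r"C:\DOCUME~1\User\LOCALS~1\Temp\setup1.exe /s"),
    ("csrss", r"C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe"),
]


def flagged(entries):
    """Map value name -> reasons for every entry that has at least one."""
    return {name: r for name, cmd in entries if (r := check_autorun(cmd))}


if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_ENTRIES).items():
        print(f"{name}: {', '.join(reasons)}")
```

A Temp-only hit such as the constructed "setup" entry can be a legitimate installer finishing after a reboot, which is the exception both posters allow for; a system process name outside system32 has no such excuse.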




Lee July 30th 11 05:24 AM

System Restore says computer has not been changed
 
The csrss.exe messages are gone now even though the restore supposedly
wasn't done. I have AVG and Malaware and have scanned both several
times (before the phantom restore). I'm still having a problem with
Access and Google. I'll try scanning again.


Tim Meddick[_3_] July 30th 11 07:53 PM

System Restore says computer has not been changed
 
"Lee" had asked you, in an earlier post ;

"All searches, or just a specific one? What are you searching for?"


I would like to also ask ; What is this "Ad page" that you are referring
to?

You could be a little more specific; include the URL (web address) of this
"Ad page" for instance.

What should have come up instead of this "Ad page"?


With so little information, it's difficult to speculate on the cause, but
it may be that your 'Hosts' file has been modified by the same virus that
has caused, at least, some of the other problems you have been
experiencing.

To check this theory out, locate the file :

C:\WINDOWS\system32\drivers\etc\hosts

...and open it in a simple text editor such as [edit.com] or Notepad.
Delete everything in this file except for the following line that should be
at the very beginning ;

127.0.0.1 localhost

...then save and close. There should be only this one line in your Hosts
file, unless you have either SpyWareBlaster or SpyBotSD installed on your
system.

Certain entries in the hosts file can have the unwanted effect of
re-directing any possible web address to one other than expected - it is
just one of the ways a virus may attack your computer.

==

Cheers, Tim Meddick, Peckham, London. :-)




JD July 30th 11 08:08 PM

System Restore says computer has not been changed
 
Some of us use the HOSTS file from here:

http://winhelp2002.mvps.org/hosts.htm

--
JD..

Jeremy Nicoll - news posts[_2_] July 30th 11 09:23 PM

System Restore says computer has not been changed
 
Tim Meddick wrote:

> There should be only this one line in your Hosts file, unless you have
> either SpyWareBlaster or SpyBotSD installed on your system.


Well, not necessarily. I have a printer on my LAN which has its address
defined in my hosts file and I also use it to define symbolic names for my
router, cable-modem etc, eg with entries like:

127.0.0.1 localhost
192.168.1.91 myprinter
192.168.1.1 myrouter

so for example I can open the browser connection to the router by putting

http://router

in my browser.

--
Jeremy C B Nicoll - my opinions are my own.

Email sent to my from-address will be deleted. Instead, please reply
to replacing "aaa" by "284".

Tim Meddick[_3_] July 30th 11 09:31 PM

System Restore says computer has not been changed
 
That's neither here nor there! - The point I was making was that the Hosts
file can be used by malicious software to re-direct *any* typed URL request
on your PC to *anywhere* the said malicious software wants!

It CAN and IS used by Anti-Malware / Anti-Spyware utilities to re-direct a
selection of known disreputable website URLs back to the host address
(loop) and by so doing, save the user the vulnerabilities of visiting
possibly virus-infested websites!

However, as I have said, this is not the Hosts file's only possible use -
URLs included in the Hosts file can be associated with *any* dotted decimal
IP address - not just 127.0.0.1 (loop) - thereby re-directing (associating)
any alpha-numerical web address with *any* IP address.....

==

Cheers, Tim Meddick, Peckham, London. :-)
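
Added example (not part of the thread, and not any poster's code): instead of deleting every line, a script can sort hosts entries into the kinds discussed in the posts above: the stock localhost line, loopback entries of the sort anti-spyware tools add, LAN aliases like the printer and router lines, and names pinned to any other address, which are the ones to inspect. The function names, the bare-name heuristic for LAN aliases and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Names a stock hosts file maps to loopback.
LOCAL_NAMES = {"localhost"}
# RFC 1918 and link-local ranges, i.e. addresses on the user's own network.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def audit_hosts(text):
    """Classify every name in a hosts file.

    Returns (line_number, address, name, verdict) tuples where verdict is
    'default', 'block', 'lan', 'redirect' or 'invalid'.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # comments run to end of line
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, " ".join(names), "invalid"))
            continue
        for name in (n.lower() for n in names):
            if ip.is_loopback or ip.is_unspecified:
                # Loopback or 0.0.0.0 keeps the name from reaching a remote
                # host: this is the blocklist style of entry.
                verdict = "default" if name in LOCAL_NAMES else "block"
            elif any(ip in net for net in LAN_NETS) and "." not in name:
                # Heuristic (assumption): bare name on a private address = LAN alias.
                verdict = "lan"
            else:
                # A name pinned to any other address overrides DNS for it.
                verdict = "redirect"
            findings.append((lineno, addr, name, verdict))
    return findings


def needs_review(text):
    """Entries a person should look at before trusting the file."""
    return [f for f in audit_hosts(text) if f[3] in ("redirect", "invalid")]


# Constructed sample; the LAN lines mirror the ones quoted in the thread.
SAMPLE = """\
# constructed hosts file
127.0.0.1     localhost
192.168.1.91  myprinter
192.168.1.1   myrouter
127.0.0.1     ads.example.net
0.0.0.0       tracker.example.org
203.0.113.7   search.example.com www.search.example.com
10.0.0.5      login.example.com
999.1.1.1     bad.example.net
"""

if __name__ == "__main__":
    for lineno, addr, name, verdict in audit_hosts(SAMPLE):
        print(f"{lineno:>3}  {verdict:<8}  {addr:<15} {name}")
```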




Ken Blake, MVP[_4_] July 30th 11 09:39 PM

System Restore says computer has not been changed
 
On Sat, 30 Jul 2011 19:53:20 +0100, "Tim Meddick"
wrote:

> ...and open it in a simple text editor such as [edit.com] or Notepad.
> Delete everything in this file except for the following line that should be
> at the very beginning ;
>
> 127.0.0.1 localhost
>
> ...then save and close. There should be only this one line in your Hosts
> file, unless you have either SpyWareBlaster or SpyBotSD installed on your
> system.


Or the MVP Hosts file (which I strongly recommend. See
http://winhelp2002.mvps.org/hosts.htm) and probably several other
similar programs or files.

--
Ken Blake, Microsoft MVP (Windows Desktop Experience) since 2003
Please Reply to the Newsgroup

