Thread: System Restore says computer has not been changed
View Single Post
  #11  
Old July 30th 11, 07:53 PM posted to microsoft.public.windowsxp.basics
Tim Meddick[_3_]
external usenet poster
  
Posts: 1,020
Default System Restore says computer has not been changed
"Lee" had asked you, in an earlier post ;

"All searches, or just a specific one? What are you searching for?"

I would like to also ask ; What is this "Ad page" that you are referring
to?

You could be a little more specific; include the URL (web address) of this
"Ad page" for instance.

What should have come up instead of this "Ad page".


With so little information, it's difficult to speculate on the cause, but
it may be that your 'Hosts' file has been modified by the same virus that
has caused, at least, some of the other problems you have been
experiencing.

To check this theory out, locate the file :

C:\WINDOWS\system32\drivers\etc\hosts

....and open it in a simple text editor such as [edit.com] or Notepad.
Delete everything in this file except for the following line that should be
at the very beginning ;

127.0.0.1 localhost

....then save and close. There should be only this one line in your Hosts
file, unless you have either SpyWareBlaster or SpyBotSD installed on your
system.

Certain entries in the hosts file can have the unwanted effect of
re-directing any possible web address to one other than expected - it is
just one of the ways a virus may attack your computer.

==

Cheers, Tim Meddick, Peckham, London. :-)




"Lee" wrote in message
...
The csrss.exe messages are gone now even though the restore supposedly
wasn't done. I have AVG and Malaware and have scanned both several
times (before the phantom restore). I'm still having a problem with
Access and Google. I'll try scanning again.


"Tim Meddick" wrote in
:


That's right! - Alarm bells should start to ring if you find any file
wants to be run from a TEMP directory (except for in the midst of a
program's installation 'setup', perhaps).

The normal location for [CSRSS.EXE] in the [system32] folder.

It was probably a virus which switched the correct path in the
registry for [csrss.exe] to it's own bogus version residing in the
TEMP directory... The 'real' [csrss.exe] file probably didn't go
anywhere - it was just that it's registered path had been altered.

You have tried, of course, running a *full* scan with your installed
Anti-Virus Software?

==

Cheers, Tim Meddick, Peckham, London. :-)




"Jeremy Nicoll - news posts"
wrote in message
nvalid...
Lee wrote:

There are 2 messages:
"Windows cannot find C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe. ..."
and
"Could not load or run C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe.
..."

That's odd; I'd not expect anything to be trying to use a file in

...\Temp\...

as you log in, unless - say - you'd been uninstalling a product and
it

a) told you you needed to reboot (so it could perhaps do some
file renames or deletes as the system is rebooted), and

b) set up (in the registry) a command to run that program next time
you booted, and

c) before rebooting, you manually, or some program that clears up
temporary files etc, deleted something from \Temp\

If you know how to look at the eventlogs, is it possible to find out
what task/process was looking for csrss.exe ?

Google suggests that csrss.exe is part of Windows, provided it's the
copy in
C:\WINDOWS\system32. Perhaps the one in \Temp\ is infected?


Do you have antivirus software?

Have you run anti-malware scans?

--
Jeremy C B Nicoll - my opinions are my own.

Email sent to my from-address will be deleted. Instead, please reply
to replacing "aaa" by "284".
Ads