System Restore says computer has not been changed

Again - you also seem to have missed my point!

I was trying to explain the vulnerabilities of the Hosts file if altered by
malicious software.

The single line :

127.0.0.1 localhost

....is the only line that really should be there, and even that isn't needed
for any special purpose other than to make operations like ping localhost
easier to type than typing ping 127.0.0.1 all the time....

My own begins :

127.0.0.1 localhost
127.0.0.1 self
127.0.0.1 me
192.168.1.1 loop
192.168.1.1 msloop
192.168.1.1 MyComp
178.33.255.46 www.wikileaks.org/

==

Cheers, Tim Meddick, Peckham, London. :-)




"Jeremy Nicoll - news posts" wrote
in message nvalid...
Tim Meddick wrote:

There should be only this one line in your Hosts file, unless you have
either SpyWareBlaster or SpyBotSD installed on your system.

Well, not necessarily. I have a printer on my LAN which has its address
defined in my hosts file and I also use it to define symbolic names for
my
router, cable-modem etc, eg with entries like:

127.0.0.1 localhost
192.168.1.91 myprinter
192.168.1.1 myrouter

so for example I can open the browser connection to the router by putting

http://router

in my browser.

--
Jeremy C B Nicoll - my opinions are my own.

Email sent to my from-address will be deleted. Instead, please reply
to replacing "aaa" by "284".

Tim Meddick wrote:

Again - you also seem to have missed my point!

Not at all. And what do you mean by "again"?


--
Jeremy C B Nicoll - my opinions are my own.

Email sent to my from-address will be deleted. Instead, please reply
to replacing "aaa" by "284".

There are several pages which keep appearing. They look like something
you would get if a link was dead. Here is one:

http://63.209.69.107/search/web/Ms%2...hart/a53/riva-
2198/v5

This appears when I click on a Google search link. If I go back to
Google and do it all over again, I get the correct page.

hosts contains

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy

followed by a long list


"Tim Meddick" wrote in
:

"Lee" had asked you, in an earlier post ;

"All searches, or just a specific one? What are you searching
for?"

I would like to also ask ; What is this "Ad page" that you are
referring to?

You could be a little more specific; include the URL (web address) of
this "Ad page" for instance.

What should have come up instead of this "Ad page".


With so little information, it's difficult to speculate on the cause,
but it may be that your 'Hosts' file has been modified by the same
virus that has caused, at least, some of the other problems you have
been experiencing.

To check this theory out, locate the file :

C:\WINDOWS\system32\drivers\etc\hosts

...and open it in a simple text editor such as [edit.com] or Notepad.
Delete everything in this file except for the following line that
should be at the very beginning ;

127.0.0.1 localhost

...then save and close. There should be only this one line in your
Hosts file, unless you have either SpyWareBlaster or SpyBotSD
installed on your system.

Certain entries in the hosts file can have the unwanted effect of
re-directing any possible web address to one other than expected - it
is just one of the ways a virus may attack your computer.

==

Cheers, Tim Meddick, Peckham, London. :-)




"Lee" wrote in message
...
The csrss.exe messages are gone now even though the restore
supposedly wasn't done. I have AVG and Malaware and have scanned
both several times (before the phantom restore). I'm still having a
problem with Access and Google. I'll try scanning again.


"Tim Meddick" wrote in
:


That's right! - Alarm bells should start to ring if you find any
file wants to be run from a TEMP directory (except for in the midst
of a program's installation 'setup', perhaps).

The normal location for [CSRSS.EXE] in the [system32] folder.

It was probably a virus which switched the correct path in the
registry for [csrss.exe] to it's own bogus version residing in the
TEMP directory... The 'real' [csrss.exe] file probably didn't go
anywhere - it was just that it's registered path had been altered.

You have tried, of course, running a *full* scan with your installed
Anti-Virus Software?

==

Cheers, Tim Meddick, Peckham, London. :-)




"Jeremy Nicoll - news posts"
wrote in message
nvalid...
Lee wrote:

There are 2 messages:
"Windows cannot find C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe.
..." and
"Could not load or run C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe.
..."

That's odd; I'd not expect anything to be trying to use a file in

...\Temp\...

as you log in, unless - say - you'd been uninstalling a product and
it

a) told you you needed to reboot (so it could perhaps do some
file renames or deletes as the system is rebooted), and

b) set up (in the registry) a command to run that program next time
you booted, and

c) before rebooting, you manually, or some program that clears up
temporary files etc, deleted something from \Temp\

If you know how to look at the eventlogs, is it possible to find
out what task/process was looking for csrss.exe ?

Google suggests that csrss.exe is part of Windows, provided it's
the copy in
C:\WINDOWS\system32. Perhaps the one in \Temp\ is infected?


Do you have antivirus software?

Have you run anti-malware scans?

--
Jeremy C B Nicoll - my opinions are my own.

Email sent to my from-address will be deleted. Instead, please
reply to replacing "aaa" by
"284".

I am being blocked from proceeding from Google. But after 2 or 3 tries
it works. Could that problem possibly come from the hosts file?


JD wrote in
ecom:

Tim Meddick wrote:
"Lee" had asked you, in an earlier post ;

"All searches, or just a specific one? What are you searching for?"

I would like to also ask ; What is this "Ad page" that you are
referring to?

You could be a little more specific; include the URL (web address) of
this "Ad page" for instance.

What should have come up instead of this "Ad page".


With so little information, it's difficult to speculate on the cause,
but it may be that your 'Hosts' file has been modified by the same
virus that has caused, at least, some of the other problems you have
been experiencing.

To check this theory out, locate the file :

C:\WINDOWS\system32\drivers\etc\hosts

...and open it in a simple text editor such as [edit.com] or Notepad.
Delete everything in this file except for the following line that
should be at the very beginning ;

127.0.0.1 localhost

...then save and close. There should be only this one line in your
Hosts file, unless you have either SpyWareBlaster or SpyBotSD
installed on your system.

Certain entries in the hosts file can have the unwanted effect of
re-directing any possible web address to one other than expected - it
is just one of the ways a virus may attack your computer.

==

Cheers, Tim Meddick, Peckham, London. :-)



Some of us use the HOSTS file from he

http://winhelp2002.mvps.org/hosts.htm

My problem is that I am being blocked from proceeding from Google. But
after 2 or 3 tries it works. What could cause that?

Jeremy Nicoll - news posts wrote
in nvalid:

Tim Meddick wrote:

There should be only this one line in your Hosts file, unless you
have either SpyWareBlaster or SpyBotSD installed on your system.

Well, not necessarily. I have a printer on my LAN which has its
address defined in my hosts file and I also use it to define symbolic
names for my router, cable-modem etc, eg with entries like:

127.0.0.1 localhost
192.168.1.91 myprinter
192.168.1.1 myrouter

so for example I can open the browser connection to the router by
putting

http://router

in my browser.

Lee wrote:

There are several pages which keep appearing. They look like something
you would get if a link was dead. Here is one:

http://63.209.69.107/search/web/Ms%2...3/riva-2198/v5

That looks to me like a search results page from a service called 'Scour'?


This appears when I click on a Google search link.

Do you mean a link that's presented on a Google page AFTER you've done a
search via Google, or do you mean a link on someone-else's page which claims
that clicking it will search google for something or other?


Or are you using a browser search toolbar, perhaps with a 'google' label on
it, which is directing a search to somewhere else - Scour perhaps? (I
never use browser search toolbars, just go directly to the Google advances
search page).


What precisely are you using as a search argument?


If you're using Google to do the search, are you using the simple (one line
for parameters) Google search page, eg:


http://www.google.co.uk


or the advanced one (I always use the latter), eg:

http://www.google.co.uk/advanced_search?hl=en



--
Jeremy C B Nicoll - my opinions are my own.

Email sent to my from-address will be deleted. Instead, please reply
to replacing "aaa" by "284".

"Again", because, as I had to reply to "JD" that he had missed my point
(about possible abuses of the Hosts file), this was the second time I had
had to re-explain myself!

==

Cheers, Tim Meddick, Peckham, London. :-)




"Jeremy Nicoll - news posts" wrote
in message nvalid...
Tim Meddick wrote:

Again - you also seem to have missed my point!

Not at all. And what do you mean by "again"?


--
Jeremy C B Nicoll - my opinions are my own.

Email sent to my from-address will be deleted. Instead, please reply
to replacing "aaa" by "284".

To make certain, just delete the contents of the Hosts file - just leaving
the fist line[s] :

127.0.0.1 localhost


....then start your copy of SpyBotSD and press the "Immunize" button and let
it re-write it's entries in the Hosts file (just one of the ways SpyBotSD
protects your PC).


This will ensure you have no erroneous or bogus entries in your Hosts file.

Then, at the very least, you can discount this as the cause.

==

Cheers, Tim Meddick, Peckham, London. :-)




"Lee" wrote in message
...
There are several pages which keep appearing. They look like something
you would get if a link was dead. Here is one:

http://63.209.69.107/search/web/Ms%2...hart/a53/riva-
2198/v5

This appears when I click on a Google search link. If I go back to
Google and do it all over again, I get the correct page.

hosts contains

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy

followed by a long list

clipped