computer seems to ave lost previous restore points & can't access windows explorer

[Dipys100]

Hi, my computer started acting strangely, i.e. wouldn't let me run registry, aadware, etc programmes. (Kept saying I needed to restart, which I was reluctant to do initially, but having failed to run nearly everything, including getting on-line, I gave in) When I tried to go to windows explorer(winXP) it would not do anything (no message). I have now managed to run spybot, adwaare, registry & bullguard antivirus but have not found anything except the normal spyware cookies - now deleted.
When trying to restore o an earlier point, I found that the only point available was the date/time when my computer was restarted. I don't know how to disable msconfig (has normal diagnostic & selective start-up) so the attached log is with it enabled. Thanks in advance for any help.

[chaslang]

It does not look like msconfig is running to me. It looks like Normal Startup.

Download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster
• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program

Now continue with the below. Hopefully the O1 Host lines are already fixed from the above but I will leave them in the below procedure just incase.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com
O1 - Hosts: 212.58.240.33 www.symantec.com
O1 - Hosts: 212.58.240.33 www.sophos.com
O1 - Hosts: 212.58.240.33 www.mcafee.com
O1 - Hosts: 212.58.240.33 www.viruslist.com
O1 - Hosts: 212.58.240.33 www.f-secure.com
O1 - Hosts: 212.58.240.33 www.avp.com
O1 - Hosts: 212.58.240.33 www.kaspersky.com
O1 - Hosts: 212.58.240.33 www.networkassociates.com
O1 - Hosts: 212.58.240.33 www.ca.com
O1 - Hosts: 212.58.240.33 www.my-etrust.com
O1 - Hosts: 212.58.240.33 www.nai.com
O1 - Hosts: 212.58.240.33 www.trendmicro.com
O1 - Hosts: 212.58.240.33 securityresponse.symantec.com
O1 - Hosts: 212.58.240.33 mcafee.com
O1 - Hosts: 212.58.240.33 liveupdate.symantecliveupdate.com
O1 - Hosts: 212.58.240.33 viruslist.com
O1 - Hosts: 212.58.240.33 f-secure.com
O1 - Hosts: 212.58.240.33 kaspersky.com
O1 - Hosts: 212.58.240.33 kaspersky-labs.com
O1 - Hosts: 212.58.240.33 avp.com
O1 - Hosts: 212.58.240.33 networkassociates.com
O1 - Hosts: 212.58.240.33 ca.com
O1 - Hosts: 212.58.240.33 mast.mcafee.com
O1 - Hosts: 212.58.240.33 my-etrust.com
O1 - Hosts: 212.58.240.33 download.mcafee.com
O1 - Hosts: 212.58.240.33 dispatch.mcafee.com
O1 - Hosts: 212.58.240.33 secure.nai.com
O1 - Hosts: 212.58.240.33 nai.com
O1 - Hosts: 212.58.240.33 update.symantec.com
O1 - Hosts: 212.58.240.33 updates.symantec.com
O1 - Hosts: 212.58.240.33 us.mcafee.com
O1 - Hosts: 212.58.240.33 liveupdate.symantec.com
O1 - Hosts: 212.58.240.33 customer.symantec.com
O1 - Hosts: 212.58.240.33 rads.mcafee.com
O1 - Hosts: 212.58.240.33 trendmicro.com
O1 - Hosts: 212.58.240.33 sandbox.norman.no
O1 - Hosts: 212.58.240.33 www.pandasoftware.com
O1 - Hosts: 212.58.240.33 uk.trendmicro-europe.com
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\mcsv.com

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

[Dipys100]

hi Chaslang, thanks for the information. The bit about the msconfig was in the read this before posting - saying to disable it. I could see normal start up selected but was not sure how to disable.
Again the log is with msconfig in this state. The problem of having lost restore points are now obviously irrelevant, but the original problem of not being able to access the windows explorer from - start - accessories - windows explorer still does not open the window (Icon is not the folder with magnifying glass but looks like a page with a box inside with blue toolbar). I am only able to gain access using the shortcut I had created for it awhle ago.
Also to clear the points raised initially about not being able to access most things, these were accessible after restarting.

p.s. the laptop freezing is my daughters!

[chaslang]

Quote:

Originally Posted by Dipys100

hi Chaslang, thanks for the information. The bit about the msconfig was in the read this before posting - saying to disable it. I could see normal start up selected but was not sure how to disable.
Again the log is with msconfig in this state. The problem of having lost restore points are now obviously irrelevant, but the original problem of not being able to access the windows explorer from - start - accessories - windows explorer still does not open the window (Icon is not the folder with magnifying glass but looks like a page with a box inside with blue toolbar). I am only able to gain access using the shortcut I had created for it awhle ago.
Also to clear the points raised initially about not being able to access most things, these were accessible after restarting.

p.s. the laptop freezing is my daughters!

You do not disable msconfig itself. What the directions are referring to by saying disable is to not use msconfig to control which startups load or do not load. So just selecting Normal Startup is what we want. This means that msconfig will not load and will not be controlling startups (it is disabled from running - maybe a poor choice of word use So I rewrote that sentence now.).

Perhaps you have broken the Properties for Windows Explorer in you Accessories menu and need to fix it. Right click on the icon and see what the below are set to:
Target:
Start in:

Also you can use Change Icon to get the proper icon back.

If you right click Start do you see the Explore selection. If so, select it. This should start windows explorer.

[chaslang]

The below is still in your log:


F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com

Did you fix it last time? Did you find and delete the C:\WINDOWS\system32\mcsv.com file?
Do you still see that file now? (Make sure view of hidden files is enabled)

[Dipys100]

O.K. Hands up I missed selecting the F2 box. I also failed to mention I didn't find the mcsv.com in system32, also did a "C" drive search folders & part word - NO SHOW. I can see - system32\userinit.exe - does this need removing in safe mode also?
Regards the win explore there is nothing in target start in boxes. Selecting find target does nothing. Although I can right click START & selecting search works fine.

All this happened while I was on AOL & I don't know if it's a coincidence but their site was having major problems next day.

I wonder if anyone else has checked their computers to see if they have lost all their restore points. Mine happened on 17 oct. at about 3.00pm GMT.
Hopefully the log is clear now. thanks again.

[chaslang]

Quote:

Originally Posted by Dipys100

O.K. Hands up I missed selecting the F2 box. I also failed to mention I didn't find the mcsv.com in system32, also did a "C" drive search folders & part word - NO

Did you enable viewing of hidden & system files per the READ ME?
Windows Search is of no use in finding hidden files unless it is configured properly. This is not the same as what we have you setup while running the READ & RUN ME sticky. That only affects Windows Explorer. The following link tells you how to properly search:

Searching for Hidden Files on WinXP

If may not matter though, because HJT may have been able to delete the file.

Quote:

Originally Posted by Dipys100

SHOW. I can see - system32\userinit.exe - does this need removing in safe mode also?

NO!!!! The would make your PC unbootable.

Quote:

Originally Posted by Dipys100

Regards the win explore there is nothing in target start in boxes. Selecting find target does nothing. Although I can right click START & selecting search works fine.

I did not say to select Search. I said click right click Start and select Explore.

Quote:

Originally Posted by Dipys100

I wonder if anyone else has checked their computers to see if they have lost all their restore points. Mine happened on 17 oct. at about 3.00pm GMT.
Hopefully the log is clear now. thanks again.

Did you run all the steps in the READ & RUN ME first sticky thread? Step 1 will clear your restore points. This is a necessary step in removing malware because restore points could be infected.


Under All Programs --> Accessories the Properties should have the following:

Target: %SystemRoot%\explorer.exe
Start in: %HOMEDRIVE%%HOMEPATH%
Shortcut key: None
Run: Normal window

[Dipys100]

Hi Chaslang,
A slight misunderstanding here I think. I did follow the read me before posting the log. I also used the link - "Searching for Hidden Files on WinXP" - Clearly says to use "search", (this I assume means windows explorer for which I had a shortcut on my desktop) & definitely couldn't find mcsv.com.


Quote:
Originally Posted by Dipys100
Regards the win explore there is nothing in target start in boxes. Selecting find target does nothing. Although I can right click START & selecting search works fine.

Sorry don't know how you did the quotes, but this was just replying to your orignal quetion about selecting START-ACCESSORIES-WINDOWS EXPLORER & right clicking whereby nothing shows in TARGET or START IN boxes. the last line (Although I can right click START & selecting search works fine.) was me just pointing out that it was accessible this way, although as I said before I used the short cut I had created awhile ago.

Quote:
I wonder if anyone else has checked their computers to see if they have lost all their restore points. Mine happened on 17 oct. at about 3.00pm GMT.

Again this was just mentioning what had happened when my computer originally played up as I wanted to resore to a previous date but couldn't. My reply on the 19th does say this point is now irreelevant (because of having to carry out steps necessary to your reply on the 18th).

As for the paths given in your reply below for the START & ACCESSORIES do I just write them in the blank boxes?

Sorry for any confusion. (I can see you pulling your out)

[chaslang]

Quote:

Originally Posted by Dipys100

Hi Chaslang,
A slight misunderstanding here I think. I did follow the read me before posting the log. I also used the link - "Searching for Hidden Files on WinXP" - Clearly says to use "search", (this I assume means windows explorer for which I had a shortcut on my desktop) & definitely couldn't find mcsv.com.

My comment about use click Explore not serach is related to the last sentence in message number 4. It has nothing to do with any of the sticky threads or other procedures. I was asking you a question to find out if Explorer ran this way and all you said was something about Start and search which is not what I asked you to do.

Please just answer the questions asked?

And as far as System Restore! Yes your first comment on the 19th did say it was irrelevant but then your brought it up again today when you said:

Quote:

I wonder if anyone else has checked their computers to see if they have lost all their restore points. Mine happened on 17 oct. at about 3.00pm GMT.

This makes it look like you still think your restore points were removed my some malware and that everyone should look to see if theirs are gone. I was just emphasizing they are gone because you ran the READ ME and not from any for of malware.

Quote:

Originally Posted by Dipys100

Hi Chaslang,
As for the paths given in your reply below for the START & ACCESSORIES do I just write them in the blank boxes?

Yes!

[Dipys100]

Regards the right click on explore thru start works O.K.

Regrds writing the paths in property window of windows explorer - no go - as both TARGET & START IN boxes are light blue (the same colour as the page when shortcut tab is selected). SHORTCUT KEY & RUN BOX showing correctly & white.
Any suggestions? (I don't fancy running windows disk as it is about 4yrs old & SP2 downloaded from MS as I believe that SP2 would have to be uninstalled plus going thru all the updates again)

These "clever" people who write viruse don't they know they are only hurting little guys like us who can't afford the specialist or sofisticated software. There are enough natural viruse to worry about & maybe they could come up with an answer to those..... just letting off steam!!

[chaslang]

You can just delete the icon that does not work and just make a new shortcut to Win Explorer in the Accessories folder yourself.

But this is not even necessary because it is actually faster to just right click Start and select Explore. Also if you want an even faster access, just put a shortcut to Windows Explorer on your Desktop.

Also you can just hit the Windows key on your keyboard and hold it down while also pressing the 'E' key.

[Dipys100]

Hi Chaslang, just to say thanks for all your help. Well everything ALMOST back to normal except now the computer just decides to restart by itself once in awhile BUT I can live that.

[chaslang]

Quote:

Originally Posted by Dipys100

Hi Chaslang, just to say thanks for all your help. Well everything ALMOST back to normal except now the computer just decides to restart by itself once in awhile BUT I can live that.

You could try running a few of the other scanning tools mentioned in the READ & RUN ME. Like:

Panda ActiveScan

Ewido Security Suite

avast! Virus Cleaner Tool

McAfee AVERT Stinger


To see if anything else is found. It would not hurt, but I'm not sure that your problem with reboots is malware related.