# Missing or corrupted: DEVICE=C:\WINDOWS\EMM386.EXE



## genesis2003 (Feb 8, 2003)

Learn as you go person needs help!

Lately Ive been experiencing some problems with my computer. At times the computers refuses to shut down properly, the shutting down Windows screen just stays on, and the only way to resolve it is to turn the computer off at the switch. 

While using my Net Objects Fusion 3.0 Preview button to check out some of my project layouts, both Netscape and Internet Explorer, at times, refuses to open up. Also my Net Objects Fusion Help Topics, and both of my Adobe Illustrator 8 and Photoshop 5&6 index and Quick reference functions will not open.

On occasion while using my Adobe programs, my desktop file icons changes and only comes back to its original state after I have shut the computer off and restart it.

All the programs still function well except the anomalies mentioned, but my computer acts like its running on ½ of the RAM available.

I defrag my computer about once a month, but today I came into something unusual.

At start up, hoping to log on to Safe Mode to do a defrag, I pressed the spacebar at the Compaq intro, in between and during the window start up.

On the top of the screen, I received the following what appeared to be written in DOS with a black background:

"The following file is missing or corrupted: DEVICE=C:\WINDOWS\EMM386.EXE
There is an error in your Config.sys line 2. "

There were more items, but the rest of the description appeared to be a systems check with no other warnings.

I went into "Start-up", opened "Run", and typed in "msconfig".

In System Configuration Utility, under the "Config.sys" tab the second line is checked off and reads:

DEVICE=C:\WINDOWS\EMM386.EXE
; --- SB PCI mod --- DEVICE=C:\WINDOWS\HIMEM.SYS

What does it mean, does this have anything to do with the anomalies Ive been experiencing, do I need to be concerned, and if so how do I fix it?

History: A few months ago I had an error message come up when I attempted to enter into my Internet Explorer control panel. The message read, "Cannot find the file 'c:\windows\rundll32.exe' (or one of its components). Make sure the path and filename are correct and that all required libraries are available." I went ahead and used this advice:

----------------------------
If you're running Win 98, you can do this very easily with System File Checker: 

Go to Start/run, and type SFC. 
Choose 'Extract One File From Installation Disk'. 
Type rundll32.exe, not worrying about its location. Then, click Start. 

Next to 'Restore From', type in or browse for the files location, which is probably in the Win98 folder of your installation CD-ROM (typically D:\Win98), or in your Windows\Options\Cabs folder, as the case may be. 

Then, next to 'Save File In', enter C:\Windows, and click OK. System File Checker looks for the file, saves it as you requested, and then tells you that 'the file has been successfully extracted'. 

Now reboot, and try again.
-----------------------------

This fixed just the rundll32.exe problem!

Computer: Compaq Presario 7AP140 (7000 Series)
800MHz AMD Athlon Processor
128MB Memory
30.0GB Hard Drive
OS: Windows 98se
Norton Antivirus 2003 (use consistent since purchased new)

Note: Physical memory available to windows 130,500
Systems Resources 54%

Please advise!

Thanks


----------



## BTS '76 (Dec 8, 2002)

that emm386.exe is your expanded memory, You may have to reload the operating system.

I'm sure there's another way to get it, but not sure what that way is.

sounded like you may have had a virus, but you said you run Norton alot.


----------



## Rollin' Rog (Dec 9, 2000)

In plain fact Windows does not need either config.sys or autoexec.bat to load.

You could just disable the entire file.

However to correct the error, replace the two lines you just referenced with:

DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE

>> the device....himem.sys line must be First.

To make the edit, go to start>run and enter *sysedit* and select the config.sys file. Make the change and close the file, accepting the changes.

Also, let's have a look at your overall configuration: Go to the site below and download, unzip and run the StartupList application.

Then copy/paste the results to a reply here.

http://www.lurkhere.com/~nicefiles/

>> For the shutdown problem, try this first: go to start>run, enter *msconfig* and click on the Advanced tab. Put a check in "Disable Fast Shutdown"

You may need to install the Win98SE shutdown supplement if that doesn't help.


----------



## genesis2003 (Feb 8, 2003)

Rollin' Rog

Thanks for the advice regarding,

DEVICE=C:\WINDOWS\HIMEM.SYS 
DEVICE=C:\WINDOWS\EMM386.EXE

The changes were made as you suggested!

Regarding the Shutdown problem suggestion, Ive attempted to locate the "Disable Fast Shutdown" as you suggested, but could not find it on the list. Heres the list that it does shows under the Advance tab:

Disable System Rom Breakpoint
Disable Virtual IRO
EMM Exclude A000-FFFF
Force Compatibility mode disk access
VGA 640x480x16
Use SCSI Double-buffering (This one is checked, and appears inaccessible)
Enable Startup Menu
Disable Scandisk after shutdown
Limit memory to 128MB
Disable UDF file system
Enable Pentium FO (Lock CmpXchg) workaround

Heres the Startup list information you asked for:

StartupList report, 2/9/03, 7:44:34 AM
StartupList version: 1.51
Started from : C:\UNZIPPED\STARTUPLIST151\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\TEXTBRIDGE PRO 9.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\LOADQM.EXE
C:\IMAGEMATE COMPACTFLASH USB\SANDICON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\PROGRAM FILES\TEXTBRIDGE PRO 9.0\BIN\EREG\REMIND32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
F:\WINZIP32.EXE
C:\UNZIPPED\STARTUPLIST151\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
3DO Registration.lnk = C:\Program Files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
CPQEASYACC = C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
EACLEAN = C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
LexStart = Lexstart.exe
LexmarkPrinTray = PrinTray.exe
DXM6Patch_981116 = C:\WINDOWS\p_981116.exe /Q:A
LVComs = c:\windows\SYSTEM\LVComS.exe
MacLicense = "C:\Program Files\MacOpener\MacLic.exe"
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
CountrySelection = pctptt.exe
PTSNOOP = ptsnoop.exe
InstantAccess = C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
RegisterDropHandler = C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
McAfeeWebScanX = C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
LoadQM = loadqm.exe
SandIcon = C:\ImageMate CompactFlash USB\SandIcon.Exe
SystemTray = SysTray.Exe
Adaptec DirectCD = C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
ScanRegistry = c:\windows\scanregw.exe /autorun
Digital Dashboard = C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
NAV CfgWiz = c:\PROGRA~1\NORTON~1\CFGWIZ.EXE /R
ccApp = c:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccRegVfy = c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
internat.exe = internat.exe
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
EnsoniqMixer = starter.exe
Welcome = C:\WINDOWS\Welcome.exe /R

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Hidserv = Hidserv.exe run
RegisterDropHandler = C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
SchedulingAgent = mstask.exe
ccEvtMgr = c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
msnmsgr = "C:\WINDOWS\DESKTOP\JONATHANS STUFF\STARCRAFT\MSN MESSENGER\MSNMSGR.EXE" /background
NSCheck = C:\WINDOWS\SYSTEM\NSCHECK.EXE /boot
OSSProxy = C:\WINDOWS\SYSTEM\OSSPROXY.EXE

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 8/2/2003, 20:14:56)

[Rename]
NUL=c:\windows\cusnns.bak
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][4].txt
NUL=c:\windows\cookies\[email protected][5].txt
NUL=c:\windows\cookies\[email protected][5].txt
NUL=c:\windows\cookies\[email protected][4].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][4].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][4].txt
NUL=c:\windows\cookies\[email protected][4].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][3].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][3].txt
NUL=c:\windows\cookies\[email protected][3].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected]www.qksrv[1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected]www.qksrv[2].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected]www.qksrv[1].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\downloaded program files\nsconfig.dll
NUL=c:\windows\temp\ccu\comet.exe
NUL=c:\windows\temp\ccu\skinui.dll
NUL=c:\windows\temp\ccu\csietb.dll
NUL=c:\windows\temp\ccu\cseng.dll
NUL=c:\windows\temp\ccu\csctx.dll
NUL=c:\windows\temp\ccu\cscore.dll
NUL=c:\windows\temp\ccu\csbho.dll
NUL=c:\windows\temp\ccu\csband.dll
NUL=c:\windows\system\csloa.dl__
NUL=c:\windows\system\nscheck.exe
NUL=c:\windows\system\csloa.dll
NUL=c:\dialler.log
NUL=c:\windows\system\ossproxy.exe

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

c:\PROGRA~1\NORTON~1\NAVDX.EXE /startup
SET CLASSPATH=C:\Program Files\PhotoDeluxe 2.0\AdobeConnectables
SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\SBPCI

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\SYSTEM\NZDD.DLL - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}
NAV Helper - c:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
Synchronize Time.job
Check E-mail.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[InstallFromTheWeb ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IFTW.DLL
CODEBASE = http://www.installfromtheweb.com/install/iftwclix.cab

[MailConfigure Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MAILCFG.DLL
CODEBASE = http://supportservices.msn.com/us/smtptool/MailCfg.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/w98/en/actsetup.cab

[nsBrowserConfig Class 2]
InProcServer32 = C:\WINDOWS\DOWNLO~1\NSCONFIG.DLL
CODEBASE = https://www.marketscore.com/globalconfig/nsconfig.cab

[NSUpdateLiteCtrl Class]
InProcServer32 = C:\WINDOWS\SYSTEM\NSUPDATE.DLL
CODEBASE = http://204.177.92.201/quickdl/proclaim/NSupd9x.cab

[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://pluginaccess.com/Browser_Plugin.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: CSLOA.DLL (file MISSING)
Protocol #2: CSLOA.DLL (file MISSING)
Protocol #3: CSLOA.DLL (file MISSING)
Protocol #4: CSLOA.DLL (file MISSING)
Protocol #5: CSLOA.DLL (file MISSING)
Protocol #11: CSLOA.DLL (file MISSING)

--------------------------------------------------
End of report, 11,059 bytes
Report generated in 0.297 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

I thought I deleted all the cookies out of my IE, what all this!

Again, thanks for your input!


----------



## Rollin' Rog (Dec 9, 2000)

Genesis... the reason Disable Fast Shutdown would not be there is if you have already installed the SE Shutdown supplement. It might be a good idea to verify if you still have a valid installation for it.

To check, go to start>run and enter *qfecheck*

Under the Win98SE tree you should see an entry for q239887. If you expand that, you should see individual files listed and whether the versions are valid.

========

We are probably going to have to solve the shutdown problem and others by trimming that startup list quite a bit.

For starters you have two antivirus programs running Nav2003 and an older McAfee:

>> McAfeeWebScanX = C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe

I would recommend that you remove McAfee completely. I would also not have NAV running anything from startup in the Autoexec.bat file:

>>c:\PROGRA~1\NORTON~1\NAVDX.EXE /startup

====================

The next stage is to get rid of this interloper (marketscore ad proxy installation):

NSCheck = C:\WINDOWS\SYSTEM\NSCHECK.EXE /boot
OSSProxy = C:\WINDOWS\SYSTEM\OSSPROXY.EXE

>> Try this first: Close out Internet Explorer and your net connection, then go to start>run and enter:

*NSCheck /uninstall*

Reboot afterwards and see if those entries are still there. If they are, I would recommend installing, updating and running Spybot, which should get rid of it. Accept all the Spybot updates except for Language Tools and PGP.

http://tomcoyote.org/SPYBOT/

This is a vital program to have installed in any case.
=================================
You should also go to Internet Options > Settings > View Objects and remove these two items related to the above marketscore install:

[nsBrowserConfig Class 2]
InProcServer32 = C:\WINDOWS\DOWNLO~1\NSCONFIG.DLL
CODEBASE = https://www.marketscore.com/globalconfig/nsconfig.cab

[NSUpdateLiteCtrl Class]
InProcServer32 = C:\WINDOWS\SYSTEM\NSUPDATE.DLL
CODEBASE = http://204.177.92.201/quickdl/proclaim/NSupd9x.cab

================================

Now I imagine that even at this point your shutdown problem is going to remain since you have so much funky stuff in that startuplist. By the way, when you have to do a forced shutdown, don't switch off the power. Instead, press and hold the power button down on the tower for 5-8 seconds. This is a safer method and invokes the BIOS shutdown procedure.

To troubleshoot further we need to do as "clean" a boot as possible, and then gradually re-enable files.

To do a "clean boot", run msconfig, and uncheck everything on the startup tab except the following basic files:

ScanRegistry
Systray

When re-enabling things, you should probably start with the symantec files first.

I would recommend leaving these unchecked permanently:

LoadQM = loadqm.exe

Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

3DO Registration.lnk = C:\Program Files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe

NAV CfgWiz = c:\PROGRA~1\NORTON~1\CFGWIZ.EXE /R

Adaptec DirectCD = C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE

Welcome = C:\WINDOWS\Welcome.exe /R

Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE

================

You can review what most of these are, and others as well, using this link:

http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM

===========

If you asking what all those cookies listed in your wininit.bak file are, they were removed. The wininit.bak file is a renamed wininit.ini file which some programs use to accomplish tasks that cannot be done from within Windows. When it has completed successfully, it is renamed wininit.bak.


----------



## genesis2003 (Feb 8, 2003)

Rollin' Rog

Thanks again for your input!

I enter qfecheck as you suggested and found Win98.SE and saw the q239887and expanded it and saw:

MSCONFIG>EXE 4.10.0.2223
PCI.VXD 4.10.0.2223
AMPBATT>SYS 4.10.0.2223
VPOWERD>VXD 4.10.0.2223

On each of these, to the left side, had the window icons; I guess its not associating with and particular program?

=====================

I went ahead and checked off C:\PROG~1\NORTON~\NAVDX>EXE/startup located in the Autoexec.bat.file

No McAfee related items were found in my ADD/REMOVE program file. I tried locating the file under Windows Explorer but couldnt find c:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe 

I ran Start>Find>File or Folder, I look for any McAfee files under My Computer and found some files located on c:\cpqs folder. Should I delete any McAfee related items in that folder? Is there somewhere else to find this stuff that I dont know about?

================================

Re: 

NSCheck = C:\WINDOWS\SYSTEM\NSCHECK.EXE /boot
OSSProxy = C:\WINDOWS\SYSTEM\OSSPROXY.EXE

I tried Start>run and enter: NSCheck/unistall, but the computer could not run this because couldnt find the file.

I havent yet attempted to download the Spybot program you suggested. I did download, before submitting all this material, Ad-ware 6.0 Spybot program which I heard suggested by Jeff Levy on the radio. I ran it, but wasnt sure what to do with the info it generated, so I just exited out without deleting or quarantine anything.

====================================

I could only find Internet Options located in my Control Panel, no Setting folder tab was found. Instead Internet Properties with related folder tabs was opened, but no Setting was found. Again, am I looking for this in the right spot?

Again, thanks for your input!


----------



## Rollin' Rog (Dec 9, 2000)

Your files for the Win98SE shutdown patch look to be in order, so there is nothing further you need to do there.

We can just remove the startup for that McAfee application from the registry. To do that, click Start>Run and enter *regedit*

Navigate to:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

By clicking the + signs beside each entry in the file tree. Select (Highlight) the RUN folder and look in the Right hand pane for

McAfeeWebScanX = C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe

Just right click on that and delete it. Don't delete anything else from the run folder. If you've disabled it (unchecked it) first in Msconfig, it will be found in the Run- folder nearby.

I haven't installed the new Ad-Aware; I guess I'm going to have to do that and have a look. The old one gave the option to backup any removals before proceeding. Typically you could just select all entries it found. If problems resulted you could restore the backup.

Did it detect Marketscore and ossproxy among what it listed?

Finally the Downloaded Programs folder can be found by clicking Tools > Internet Options. Then under "Delete Temporary Internet 
Files" you will see a "settings" tab and under that "view objects". That's the folder.


----------



## genesis2003 (Feb 8, 2003)

Oops, forgot to mention this.

I forgot to add this to my last response.

I went ahead and the clean boot as you suggested, I checked off everything except:

ScanRegistry
System Tray

clicked Applied and Oked. Restart was initialized, and I noticed an EQ icon in my start up tray. I went ahead and checked the startup tab in msconfig, and these items were found checked.

ScanRegistry c:\windows\scanregw.exe/autorun
System Tray systray.exe
Country Selection pctptt.exe
PTSNOOP ptsnoop.exe
EnsoniqMixer starter.exe

Again, I checked off:

Country Selection pctptt.exe
PTSNOOP ptsnoop.exe
EnsoniqMixer starter.exe

And again it came back, is this something to be concerned about?
Frankly, I like to get rid of that EQ icon, I never seem to use it anyways.

When re-enabling things, how will I know what and when to re-enable?

Thanks!
-----------

PS, your last responce was quick, I appreciate it!


----------



## VirtualMe (Sep 27, 2002)

Here is what Adaware help says.

Working with the quarantine-manager 



Moving objects into quaratine.. 

Quarantine-files are used to isolate and backup items detected during the scan, giving you an option to reinstall them at a later time. 
Items moved to the quarantine folder will be encrypted and compressed, and can only be read and restored using the built in quarantine-manager. 
Any of the objects from the Ad-aware result list can be quarantined, including registry keys, values, data as well as files and folders. 

You can quarantine a particular system by selecting all objects belonging to the associated Vendor using the "Quarantine selection" option from the Result-list pop up menu.Eventually enter a name for the archive and click "ok" to create it. 

Note: For details about the result-list menu features, see "Scan results" 

You can create as many quarantine-files as you desire.For each quarantine-file created, a log will be created and merged to the archive. 

The quarantine-log can be viewed from within the quarantine-manager by either double-clicking on the quarantine-file or selecting it and 
clicking the "Contains" button. 



Quarantine Objects (backups) screen options 
You can edit the quarantine-list either by using the right-click pop-up menu, or by the three buttons below the list. 
The three lower buttons have the following functions : 

· Contains - Displays the quarantine log, containing the names of all of the objects included in the archive. 

· Delete - Deletes the selected archive. 

· Restore - Reinstalls the content from the selected archive to their original location prior to deletion. 



Note : double-click on an archive in the list to view its quarantine-log 

Each item in the list features four parameters which are : 

· File name - Date, and quarantine #. Quarantine-archives are saved with the .bckp extension. 

· Size - Total size of the all objects within the quarantine-archive. 

· Creation Date - Month, day, and year on which the quarantine-archive was created. 

· Objects Total - Total number of objects within the quarantine-archive. 



The total amount of all quarantined objects is shown on the Ad-aware status screen. 
If you reset your usage stastics, your quarantine-archives will not be deleted. 

Right click in the quarantine-list to open the quarantine-list menu. 
The following options are available: 

· Item details - Displays the quarantine log, containing the names of all of the objects included in the archive. 

· Reinstall - Reinstalls the content from the selected archive to their original location prior to deletion. 

· Delete archive - Deletes the selected archive. 

· Delete all archives - Deletes all quarantine-archives at once. 

· Help - Opens the Ad-aware 6 user manual. 





--------------------------------------------------------------------------------

Working with the quarantine-manager: 


1. Creating quarantine-archives automatically (Auto-backup) 




Open Ad-aware, 

Click the "Settings" quick launch button at the top right of the interface, 

Click "General", 

Check "Automatically quarantine objects prior to removal", 

Click "Proceed". 



Note: An automatically created archive will contain a remark in the file-name, and the time and date when it has been created. 





2. Creating quarantine-archives manually 




When the Ad-aware scan is complete; 

Select the items you wish to quarantine, 

Click "Quarantine", 

Enter a filename for the archive, 

Click "OK". 





3. Viewing all of the items within a quarantine-archive 




To view all entries within individual quarantined items, open the quarantine manager from the "Status" screen. 

Click "Status", 

Click on "View quarantined objects". 

To return to the status-screen, click 'Status'. 





4. Reinstalling/restoring quarantined-objects 





If you wish to re-install components you previously removed using Ad-aware, open the quarantine manager from the 

'Status' screen. 

Click 'Status', 

Click on 'View quarantined objects'. 

Click on the item in the list that you want to restore, 

Click 'Contains' to verify that the selected item is the desired item to restore, 

Click 'Restore', 

Click 'OK'. 

To return to the status-screen, click 'Status'. 





5. Deleting quarantine-archives 




To delete quarantined items, open the quarantine manager from the 'Status' screen. 

Click 'Status', 

Click on 'View quarantined objects'. 

Click 'Contains' to verify that the selected item is the desired item for deletion, 

Click 'Delete', 

Click 'OK'. 

To return to the status-screen, click 'Status'.


----------



## Rollin' Rog (Dec 9, 2000)

Well I just got back from installing and running the new version. Sure takes long time to complete on XP and really doesn't belong scanning in the restore archive or dllcache folders. But no matter. It looks to be pretty fail-safe to use.

Unlike the older version which required you to manually select "backup", the new version configures "quarantine" to automatically run, and this backs up the files. If you want to reinstall you open the quarantine folder and click "restore" for the selected archive.

My run found all of 14 "objects". 13 of them were just tracking cookies and I removed those. The remaining was an Alexa registry entry. Since I understand this to be a default key in later IE versions, I did not remove it. I think it just gets recreated anyway.

You are most likely safe if you just let it remove everything.

About the EQ icon. Was that there previously? I'd suspect it is for the Ensonique Mixer\starter.exe (equalizer function). You can't get rid of Ensonique's Start.exe. It will just keep coming back when unchecked.

You can double click the EQ icon to see what it opens.

Did Windows shutdown normally in that minimal startup config?

The order in which you re-enable things isn't all that important, but I would recheck all the symantec related entries at one time.

I would leave unchecked the entries I mentioned in a previous post. If you leave Stimon unchecked you would have to run it manually to use your scanner, so eventually you will need that.


----------



## VirtualMe (Sep 27, 2002)

See if you have the option to disable Ensonique's Start.exe icon this way.

go to start/control panel/system
click device manager
click sound video and game controllers
click soundblaster audio pciXX
click properties
click settings
uncheck add mixer icon to taskbar


----------



## Rollin' Rog (Dec 9, 2000)

Actually there is another way I know of to disable it. I was getting it confused with SBlive's devldr.exe which is more troublesome.

Whether it's worth the effort I don't know, but see Whitphil's post here:

http://forums.techguy.org/showthread.php?postid=285545#post285545

VirtualMe's way would certainly be easiest if it works, but I don't know if it keeps starter.exe out of msconfig.


----------



## genesis2003 (Feb 8, 2003)

Rollin Rog,

Thanks again!!!!!

The Windows shutdown appears normal in that minimal startup config. 

I went ahead and checked off:

CcEvtMgr
Scriptblocking

Which have the Symantec info you suggested. 

I also checked off:

StillImageMonitor

Which has the Stimon info for my scanner.

I havent had a chance to do much more today, but I will tackle the rest of this tomorrow (Tuesday 11th).

I want to thank not only Rollin Rog, but VirtualMe and BTS76 for all your help so far!


----------



## Rollin' Rog (Dec 9, 2000)

Okedoke, that's good to hear. I would also promptly enable these two Symantec files, as they are a part of the NAV2003 set:

ccApp = c:\Program Files\Common Files\Symantec Shared\ccApp.exe

ccRegVfy = c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe


----------



## genesis2003 (Feb 8, 2003)

Again, thanks for the advise!!

Well here's the latest scoop..

I entered regedit, and Im trying to locate HKLM\Software\Microsoft\Windows\CurrentVersion\Run, however I see only the items listed:

HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA

Am I missing a turn somewhere?

==============================

Good News!! Located in the view Objects folder I finally got rid of:

[nsBrowserConfig Class 2] 
InProcServer32 = C:\WINDOWS\DOWNLO~1\NSCONFIG.DLL 
CODEBASE = https://www.marketscore.com/globalconfig/nsconfig.cab

[NSUpdateLiteCtrl Class] 
InProcServer32 = C:\WINDOWS\SYSTEM\NSUPDATE.DLL 
CODEBASE = http://204.177.92.201/quickdl/proclaim/NSupd9x.cab

=============================

RE: Ad-ware 6.0

I ran the program, 83 items were found, and I went ahead and removed them all except the Alexa entry.

When I attempted to get on the net, I got connected at 115,100bps, bytes received 1260, and bytes sent 2242.
My Browser would not connect me; the only way I could get on was to restore all the 83 quarantined objects.

This happened the first time I tried running this program prior to submitting all this material, it kind of freaked me out at the time.

Heres the info that was stated in the Quarantine file prior to restore:

ArchiveData(auto-quarantine- 11-02-2003 17-30-40.bckp)
============================================

COMETCURSOR
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[0]=RegKey : CLSID\{6F2D6A5E-E3E7-4F18-887C-C777650DEF57}
obj[1]=RegKey : CLSID\{7F0F5DA7-84CB-11D4-8137-00500487B1C5}
obj[2]=RegKey : CLSID\{827A2ECE-D76F-4BCC-82ED-D6A287C11211}
obj[3]=RegKey : CLSID\{A335D52F-D489-472D-9EAA-D72A40AAF7CA}
obj[4]=RegKey : CLSID\{C38FC998-3B1B-4F59-A710-5A6C9CF8BD92}
obj[12]=RegValue : Software\Microsoft\Windows\CurrentVersion\SharedDLLs
obj[16]=File : c:\windows\temp\ccu\csband.dll
obj[17]=File : c:\windows\temp\ccu\csbho.dll
obj[18]=File : c:\windows\temp\ccu\cscore.dll
obj[19]=File : c:\windows\temp\ccu\csctx.dll
obj[20]=File : c:\windows\temp\ccu\cseng.dll
obj[21]=File : c:\windows\temp\ccu\csietb.dll
obj[22]=File : c:\windows\temp\ccu\skinui.dll
obj[23]=File : c:\windows\temp\ccu\comet.exe

MARKETSCORE(NETSETTER)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[5]=RegKey : Interface\{F88527E2-A8A7-4227-8683-05CFA4EEC511}
obj[6]=RegKey : Nsconfig.nsBrowserConfig.2
obj[8]=RegKey : Software\Netsetter
obj[9]=RegKey : Software\Netsetter
obj[14]=File : c:\windows\system\csloa.dll
obj[15]=File : c:\windows\system\csloa.dl__
obj[82]=File : c:\windows\cusnns.bak

DIALER
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[7]=RegKey : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A1DC3241-B122-195F-B21A-000000000000}
obj[10]=RegKey : Software\SiteIcons
obj[11]=RegKey : Software\SiteIcons
obj[13]=File : c:\dialler.log

TRACKING COOKIE
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[24]=File : c:\windows\cookies\[email protected][1].txt
obj[25]=File : c:\windows\cookies\[email protected][1].txt
obj[26]=File : c:\windows\cookies\[email protected][2].txt
obj[27]=File : c:\windows\cookies\[email protected]www.qksrv[1].txt
obj[28]=File : c:\windows\cookies\[email protected][2].txt
obj[29]=File : c:\windows\cookies\[email protected][1].txt
obj[30]=File : c:\windows\cookies\[email protected][2].txt
obj[31]=File : c:\windows\cookies\[email protected]www.qksrv[2].txt
obj[32]=File : c:\windows\cookies\[email protected][1].txt
obj[33]=File : c:\windows\cookies\[email protected][2].txt
obj[34]=File : c:\windows\cookies\[email protected][2].txt
obj[35]=File : c:\windows\cookies\[email protected][2].txt
obj[36]=File : c:\windows\cookies\[email protected][2].txt
obj[37]=File : c:\windows\cookies\[email protected][2].txt
obj[38]=File : c:\windows\cookies\[email protected][1].txt
obj[39]=File : c:\windows\cookies\[email protected][1].txt
obj[40]=File : c:\windows\cookies\[email protected][1].txt
obj[41]=File : c:\windows\cookies\[email protected][1].txt
obj[42]=File : c:\windows\cookies\[email protected][2].txt
obj[43]=File : c:\windows\cookies\[email protected][2].txt
obj[44]=File : c:\windows\cookies\[email protected][2].txt
obj[45]=File : c:\windows\cookies\[email protected][1].txt
obj[46]=File : c:\windows\cookies\[email protected][1].txt
obj[47]=File : c:\windows\cookies\[email protected][1].txt
obj[48]=File : c:\windows\cookies\[email protected][2].txt
obj[49]=File : c:\windows\cookies\[email protected][1].txt
obj[50]=File : c:\windows\cookies\[email protected][1].txt
obj[51]=File : c:\windows\cookies\[email protected][1].txt
obj[52]=File : c:\windows\cookies\[email protected][2].txt
obj[53]=File : c:\windows\cookies\[email protected][1].txt
obj[54]=File : c:\windows\cookies\[email protected][1].txt
obj[55]=File : c:\windows\cookies\[email protected]www.qksrv[1].txt
obj[56]=File : c:\windows\cookies\[email protected][1].txt
obj[57]=File : c:\windows\cookies\[email protected][1].txt
obj[58]=File : c:\windows\cookies\[email protected][2].txt
obj[59]=File : c:\windows\cookies\[email protected][2].txt
obj[60]=File : c:\windows\cookies\[email protected][3].txt
obj[61]=File : c:\windows\cookies\[email protected][3].txt
obj[62]=File : c:\windows\cookies\[email protected][2].txt
obj[63]=File : c:\windows\cookies\[email protected][1].txt
obj[64]=File : c:\windows\cookies\[email protected][2].txt
obj[65]=File : c:\windows\cookies\[email protected][3].txt
obj[66]=File : c:\windows\cookies\[email protected][1].txt
obj[67]=File : c:\windows\cookies\[email protected][1].txt
obj[68]=File : c:\windows\cookies\[email protected][4].txt
obj[69]=File : c:\windows\cookies\[email protected][4].txt
obj[70]=File : c:\windows\cookies\[email protected][1].txt
obj[71]=File : c:\windows\cookies\[email protected][2].txt
obj[72]=File : c:\windows\cookies\[email protected][2].txt
obj[73]=File : c:\windows\cookies\[email protected][4].txt
obj[74]=File : c:\windows\cookies\[email protected][1].txt
obj[75]=File : c:\windows\cookies\[email protected][2].txt
obj[76]=File : c:\windows\cookies\[email protected][4].txt
obj[77]=File : c:\windows\cookies\[email protected][5].txt
obj[78]=File : c:\windows\cookies\[email protected][5].txt
obj[79]=File : c:\windows\cookies\[email protected][4].txt
obj[80]=File : c:\windows\cookies\[email protected][1].txt
obj[81]=File : c:\windows\cookies\[email protected]www.qksrv[3].txt

Ok, what did I do wrong?

Should I dump this program and try your suggestion instead > http://tomcoyote.org/SPYBOT/

Thanks again!!!!


----------



## Rollin' Rog (Dec 9, 2000)

Yes I would try Spybot instead. It looks like the new AdAware screwed up in its removal of:

MARKETSCORE(NETSETTER)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[5]=RegKey : Interface\{F88527E2-A8A7-4227-8683-05CFA4EEC511}
obj[6]=RegKey : Nsconfig.nsBrowserConfig.2
obj[8]=RegKey : Software\Netsetter
obj[9]=RegKey : Software\Netsetter
obj[14]=File : c:\windows\system\csloa.dll
obj[15]=File : c:\windows\system\csloa.dl__
obj[82]=File : c:\windows\cusnns.bak

=======================

Improperly removing the clsoa.dll will cause just the problem you had. Boy are they going to catch hell.

By the way HKLM and HKey_Local_Machine are the same.

Be sure to update Spybot before you run it. Should Spybot make the same error, click the "Recovery" tab and select the netsetter/market score entries for restoration. If you can't identify them then select everything. You can run Spybot again, but exclude netsetter/marketscore from removal under the "Excludes" (spybots) tab.

I think Ad-Aware has something similar but it might be more difficult to use since you have to know each entry to ignore.

Edit: after doing a little research, it appears this is a known problem with even the new Ad-Aware. They have an "lsp" plugin for this, but sorry -- that's not going to cut it. Spybot has this integrated and should do the job without any user knowledge or interaction. You may get a prompt, but that's all.

http://www.lavasoftsupport.com/index.php?act=ST&f=26&t=3760


----------



## genesis2003 (Feb 8, 2003)

Great advise!!!!!!!!!!!!!!!!!
I Downloaded Spybot as you recommended, boy that was much easier to work than Ad-ware 6.0.
I did run into a little sag, but I opened up the Recovery section, found and excluded the netsetter/market score file and Bingo! Im here!!!

Great News!!!
I finally found the McAfeeWebscanx+ C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSCAN\WebScanX.exe, and deleted it!!!!

I think thats everything you suggested. All appears to work fine now in regards to the OS.

Some last Questions: 

·If I excluded, under the spybots.sbi Tab, Marketscore will this just exclude the netsetter or will this include all of their stuff?

·Also, from time to time and recently I noticed that the short cut arrows on my desktop would disappear and reappear. Before, when running my Adobe Illustrator or Photoshop programs, the MSWord, Notepad, Shortcut Icons, and jpegs would also changed, usually all with the same figure.

·Finally, just before and after repairing of the rundll32.exe problem, my Index and "Quick reference" function would not open specifically on Net Objects Fusion 3.0, and all my adobe programs. I just checked it out and it still doesnt work.

Any advice is greatly appreciated!

Again, thank you very, very much for all your help!!!!


----------



## Rollin' Rog (Dec 9, 2000)

Ok, now that you know how to exclude marketscore with Spybot if you really need to, what we really want is to de-louse you of it completely. Unlike AdAware, Spybot _should_ be able to do this without causing you to lose your internet connection. So I'd remove it from the Excludes list and run Spybot again and let it remove marketscore. Reboot and cross fingers.

Now on the shortcut arrows that are coming and going: do the icons still act as proper shortcuts, but just the arrows are gone? Are they the "small" arrows and did you use TweakUI or some other tweaker to make them that way?

If yes, the problem is due to one of the Windows updates, and I believe there is a workaround but I'll have to hunt it down.

If one aspect of the problem is that all the icons are changing to some default icon, then this is a problem with the *shelliconcache* which is a hidden file in the Windows directory. It can be deleted and will be rebuilt on restarting. You can also just restart to Safe Mode and then return to normal. There is a registry tweak to increase the size of the cache and I will give you that if in fact this is the problem.

For the other problems I'm going to suggest you post a separate topic in the "all other software" forum. You're going to need a fresh start in sorting them out. I suspect you are going to have to remove and reinstall them because off hand I can't think of what would cause them to fail like that as long as rundll32.exe is undamaged.


----------



## genesis2003 (Feb 8, 2003)

Thanks, Rollin' Rog!

The Icons still function normally as short cuts; yes, theyre the small arrows, and at times just the arrows come and go. No TweakUI or any other tweaker has been used to my knowledge. 

The entire Icons themselves also change from time to time, but the image(s) appears to default randomly. It appears to select one of many jpegs available, usually originates from an Adobe file artwork created under illustrator 8.0. The Icons, evening during this state, functions normally.

My computer was set-up to look into Window updates, and some of these were downloaded. I turned it off about three months ago from an advise heard on Jeff Levys show, if it works, dont mess with it, this may have been an advise taken to late. Then again, a member of family likes to play games via the net, which of course worries me.

As for the Index and Quick reference function problems, Ill post then later as you suggested.

Ill mess with Spybot program as you suggested tomorrow, as for now its late.

Anyways, thanks again!!


----------



## Rollin' Rog (Dec 9, 2000)

Ok, it really sounds like the problem is emanating from some occasional corruption in the shelliconcache. Since all's well now I'm going to include a registry patch attachment in this post which hopefully will prevent it from happening in the future.

Download the attached file to the desktop. You are going to have to rename it with a .reg extension instead of .txt -- that is make it 

iconca.reg

The icon should change to a registry icon. Sometimes it is necessary to resave the file through Notepad, making the save as type: "all files" for it to retain the .reg extension.

Once it is saved properly and has the registry icon, you can double click it to merge to the registry and confirm when prompted.


----------



## genesis2003 (Feb 8, 2003)

Rollin' Rog

Hello, and thanks again for the help!

I'm attempting to rename the patch, however, the only way I know how is to right click and select rename, is this right?

I tried it, but the icon didn't change. I went ahead and "Save as" under "All files" in Notepad and it read "iconca.reg.txt" already exist.

I'm missing a procedure somewhere, right? 

By the way, I had a little trouble getting back up on the net. My home page screen fonts appeared larger and slightly out of place. 

I exited out and signed on again, nothing changed. I went ahead and proceeded to selected this page and I had an error message.

I reboot the computer signed on and again the same problem. I exited out again and signed on and all appeared to look and work fine.

Should I be concerned?


----------



## genesis2003 (Feb 8, 2003)

Rollin' Rog 

Hello, and thanks again for the help! 

I'm attempting to rename the patch, however, the only way I know how is to right click and select rename, is this right? 

I tried it, but the icon didn't change. I went ahead and "Save as" under "All files" in Notepad and it read "iconca.reg.txt" already exist. 

I'm missing a procedure somewhere, right? 

By the way, I had a little trouble getting back up on the net. My home page screen fonts appeared larger and slightly out of place. 

I exited out and signed on again, nothing changed. I went ahead and proceeded to selected this page and I had an error message. 

I reboot the computer signed on and again the same problem. I exited out again and signed on and all appeared to look and work fine. 

Should I be concerned?


----------



## Rollin' Rog (Dec 9, 2000)

This site may be down for service tonight so if you can't get here, that's the problem.

When you save the file in Notepad, erase completely any name in the save as field and replace it with:

iconca.reg

make sure "all files" is selected under "save as type". 

If you still have problems, I will give you step by step instructions for editing the registry.

Be aware that with a scrollable mouse you can sometimes inadvertantly reset the font size if you scroll with the ctrl key pressed.

I still recommend running the Spybot program to remove MarketScore, because that is acting as a proxy between you and the web.


----------



## genesis2003 (Feb 8, 2003)

Ok, I got the Icon registry to work and implemented accordingly, so far so good!

I went ahead and removed all excludes from Spybot and re-ran the program, found three Red items two from Avenue A, Inc and one from MarketScore. These were checked off and the system was rebooted.

Spybot also created some Green items also, mostly pertaining to Internet Explorer and MS junk. Should I go ahead and remove all these also, or should I beware of something? 

The reason why I ask - I'm wondering when the last time removed all this stuff if, perhaps, it contributed with the log on problem???


----------



## Rollin' Rog (Dec 9, 2000)

Sigh, I'm still seeing marketscore in your IP:

..... The host name is: proxy.ia3.marketscore.com. ....

So it hasn't been fully removed. I would expect more than one entry to be detected. And you should probably get some kind of prompt regarding your Layered Service Protocol (LSP) if it was going to repair that.

Also Spybot should be run with IE and your internet connection closed. That may be a factor in its hanging on.

Try running Spybot again, then give me another post of the startups.

Also check your Internet Options > Connections > settings page and make sure that you don't have it showing as a proxy service there.

With MarketScore still there, I would suspect it more than anything else being an issue with any kind of web related problem.

If this insists on hanging on, I'll ask TonyKlein to have a look in; he is top drawer at dealing with Spybots like this.

The other items Spybot finds, I would just ignore; while it's usually safe to remove them there is no harm in leaving them and without knowing exactly what they are I can't tell you whether removing them would result in any inconvenience.


----------



## genesis2003 (Feb 8, 2003)

Rollin' Rog

I checked Internet Options>Connections>Setting, no proxy service is noted.

I ran Spybot again and rebooted.

Here are the Startup Info:

StartupList report, 2/12/03, 10:32:12 PM
StartupList version: 1.51
Started from : C:\WINDOWS\TEMP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
F:\WINZIP32.EXE
C:\WINDOWS\TEMP\STARTUPLIST.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
ScanRegistry = c:\windows\scanregw.exe /autorun
CountrySelection = pctptt.exe
PTSNOOP = ptsnoop.exe
EnsoniqMixer = starter.exe
ccApp = c:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccRegVfy = c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

ccEvtMgr = c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 11/2/2003, 19:20:20)

[rename]
NUL=c:\windows\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET CLASSPATH=C:\Program Files\PhotoDeluxe 2.0\AdobeConnectables
SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\SBPCI

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\SYSTEM\NZDD.DLL - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}
NAV Helper - c:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
Synchronize Time.job
Check E-mail.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[InstallFromTheWeb ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IFTW.DLL
CODEBASE = http://www.installfromtheweb.com/install/iftwclix.cab

[MailConfigure Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MAILCFG.DLL
CODEBASE = http://supportservices.msn.com/us/smtptool/MailCfg.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/w98/en/actsetup.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: CSLOA.DLL (file MISSING)
Protocol #2: CSLOA.DLL (file MISSING)
Protocol #3: CSLOA.DLL (file MISSING)
Protocol #4: CSLOA.DLL (file MISSING)
Protocol #5: CSLOA.DLL (file MISSING)
Protocol #11: CSLOA.DLL (file MISSING)

--------------------------------------------------
End of report, 4,307 bytes
Report generated in 0.305 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Thanks Again!!


----------



## Rollin' Rog (Dec 9, 2000)

Well, although Spybot has removed nscheck and ossproxy from your startups it has left this:

Enumerating Winsock LSP files:

Protocol #1: CSLOA.DLL (file MISSING)
Protocol #2: CSLOA.DLL (file MISSING)
Protocol #3: CSLOA.DLL (file MISSING)
Protocol #4: CSLOA.DLL (file MISSING)
Protocol #5: CSLOA.DLL (file MISSING)
Protocol #11: CSLOA.DLL (file MISSING)

Which is why Marketscore is probably still showing as a proxy.

It was my understanding that Spybot would remove these, but for some reason it isn't. There are some other utilities that will do it, but I'd like to PM TonyKlein and get his opinion if possible before having you run one, or you could have the same problem as with Ad-Aware. In this case you would have to restore a backed up registry to recover.

So hang in there and give us a day to get back to you.

By the way, when you installed Spybot, did you update it by clicking the Online tab, then "search for updates" and download all updates (except the skins if you don't want those)?

*Edit:*

I found this, check the netsetter instructions here (used to be marketscore):

http://www.marioncomputer.com/internet/Help/netsetter.htm


----------



## TonyKlein (Aug 26, 2001)

Hi everyone.

It seems that Marketscore sure continues to be a pain to remove... 

If I'm not mistaken its install creates a *AutoConfigURL* string value 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings , which is used to auto-configure the proxy settings for the browser. It may explain why it's proved so hard to get rid of.

Would you please do this:

Go to http://www.spywareinfo.com/downloads.php#det , and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

We may be able to use HT to fix this problem.


----------



## genesis2003 (Feb 8, 2003)

Ok guys!

Here the "Hijack this" log file content.

Thanks again!!!!

Logfile of HijackThis v1.91.2
Scan saved at 4:02:54 PM, on 2/13/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=2c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL=http://proxycfg.marketscore.com/gencfg.asp?id1=xfQMXDQTNh6&id2=U220btwUq5f&lp=1&nsv=5.2.4.3
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\n7vdz7wp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\n7vdz7wp.slt\prefs.js)
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ccApp] c:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Home (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'CSLOA.DLL' missing
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/smtptool/MailCfg.cab


----------



## genesis2003 (Feb 8, 2003)

P.S.

Re: Netsetter uninstall attempt. (Rollin' Rog)

Inside my IE I clicked tools, from the drop down box clicked on Internet Option, click on the "connections" tab.

At the top of the entry in the list of Dial-Up Setting I click on the "Settings" button, the Dial-up box appeared.

I deleted the long string info inside the "address" input box, then I unchecked the "Use automatic Configuration script" dialog box and clicked OK.

After closing down the IE options, I went back through the procedure, curious to see if the string info was still there and Yup! Sure was!! Except the "Use automatic Configuration script" dialog box and remained unchecked.

Here's the string info:

http://proxycfg.marketscore.com/gencfg.asp?id1=xfQMXDQTNh6&id2=U220btwUq5f&lp=1&nsv=5.2.4.3


----------



## Rollin' Rog (Dec 9, 2000)

Great, this is the first post I've seen from you which has your natural ISP information:

host name is: 1Cust250.tnt1.rancho-cucamonga.ca.da.uu.net

I believe at this point all you may need to do is check and 'fix' these entries in HijackThis:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL=http://proxycfg.marketscore.com/ gencfg.asp?id1=xfQMXDQTNh6&id2=U220btwUq5f&lp=1&nsv=5.2.4.3

O10 - Broken Internet access because of LSP provider 'CSLOA.DLL' missing

I don't know whether 010 is just informational or will repair the LSP. You can run run StartupList again afterwards and see if it still shows those csloa protocols. If it does, I'd suggest downloading this repair utility and remove them with it.

http://www.cexx.org/lspfix.htm

In fact, it might be a good idea to have it on hand first; I don't think you are going to have any access problems from here on out. But if you do, that's the first thing to run and remove any entries you see in its right hand panel.

You also have a BHO for Netzip, download demon (NZDD), probably came with RealPlayer; I don't know whether this is something that really needs to be removed or not. Personally I wouldn't want it.


----------



## genesis2003 (Feb 8, 2003)

Rollin Rog

Ok, heres what is happening. When I went into High Jack This to remove:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL=http://proxycfg.marketscore.com/ gencfg.asp?id1=xfQMXDQTNh6&id2=U220btwUq5f&lp=1&nsv=5.2.4.3

It wasnt there! There were only a total of five of the R1 HKCU and HKLM files versus six shown on the High Jack log list.

Guess which one wasnt there, you got it, it was:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL=http://proxycfg.marketscore.com/ gencfg.asp?id1=xfQMXDQTNh6&id2=U220btwUq5f&lp=1&nsv=5.2.4.3

Now I had an Idea, I checked into your suggestion and implemented regarding the netsetter instructions from:

http://www.marioncomputer.com/inter...p/netsetter.htm

Although the "Use automatic Configuration script" dialog box remained unchecked, the http://proxycfg.marketscore.com/gen...p=1&nsv=5.2.4.3 was still in the "address" input box but not highlighted. I decided to re-check the "Use automatic Configuration script" and pressed OK.

I ran High Jack this and guess what I found?

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL=http://proxycfg.marketscore.com/ gencfg.asp?id1=xfQMXDQTNh6&id2=U220btwUq5f&lp=1&nsv=5.2.4.3

I selected this and -

O10 - Broken Internet access because of LSP provider 'CSLOA.DLL' missing

After reboot, both items were removed. I decided to check my Internet Option> Connection> Setting. And found checked off in the "Use automatic Configuration script was 

http://proxycfg.marketscore.com/gen...p=1&nsv=5.2.4.3

Heck, at this point I went ahead and unchecked it again.

I ran the a Startup list, heres the results:

StartupList report, 2/13/03, 6:17:05 PM
StartupList version: 1.51
Started from : C:\UNZIPPED\STARTUPLIST151\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\UNZIPPED\STARTUPLIST151\STARTUPLIST.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
ScanRegistry = c:\windows\scanregw.exe /autorun
CountrySelection = pctptt.exe
PTSNOOP = ptsnoop.exe
EnsoniqMixer = starter.exe
ccApp = c:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccRegVfy = c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

ccEvtMgr = c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 11/2/2003, 19:20:20)

[rename]
NUL=c:\windows\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET CLASSPATH=C:\Program Files\PhotoDeluxe 2.0\AdobeConnectables
SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\SBPCI

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\SYSTEM\NZDD.DLL - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}
NAV Helper - c:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
Synchronize Time.job
Check E-mail.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[InstallFromTheWeb ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IFTW.DLL
CODEBASE = http://www.installfromtheweb.com/install/iftwclix.cab

[MailConfigure Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MAILCFG.DLL
CODEBASE = http://supportservices.msn.com/us/smtptool/MailCfg.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/w98/en/actsetup.cab

--------------------------------------------------
End of report, 3,922 bytes
Report generated in 0.110 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Ok, what do you think?

I downloaded LspFix.exe, but havn't used it.


----------



## Rollin' Rog (Dec 9, 2000)

Strange that the key came back like that after deleting. However the good news is that the csloa protocols have been removed, so I assume HijackThis repaired that. You won't need to run the lsp fix program then.

I see you have Netscape, and I'm wondering if Netscape has something similar that may be replacing the key, albeit it isn't being actually used by Internet Explorer.

This link is giving instructions for how to 'enable' the automatic configuration script in Netscape. You should be able to use it to disable it as well.

Then see if you can permanently delete the registry value again.

http://www.library.unr.edu/authenticate/netscape6up.html


----------



## genesis2003 (Feb 8, 2003)

Thanks again!

RE: Netscape. I went ahead and enable the automatic configuration script.

I wasnt sure about the deleting the permanent registry value?

I went ahead and ran the High Jack This log, and the StartupList again. I just wanted to be sure, since after your last suggestion that everything is still ok.

Just wanted to be proactive and hopefully not to take up much more of your time.

Plus I needed to know where to delete the permanent registry value you suggested.

***************************************************************************

Logfile of HijackThis v1.91.2
Scan saved at 8:13:57 PM, on 2/13/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=2c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\n7vdz7wp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\n7vdz7wp.slt\prefs.js)
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ccApp] c:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Home (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/smtptool/MailCfg.cab
**************************************************************
StartupList report, 2/13/03, 8:14:09 PM
StartupList version: 1.51
Started from : C:\UNZIPPED\STARTUPLIST151\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\STARTUPLIST151\STARTUPLIST.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
ScanRegistry = c:\windows\scanregw.exe /autorun
CountrySelection = pctptt.exe
PTSNOOP = ptsnoop.exe
EnsoniqMixer = starter.exe
ccApp = c:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccRegVfy = c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

ccEvtMgr = c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 11/2/2003, 19:20:20)

[rename]
NUL=c:\windows\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET CLASSPATH=C:\Program Files\PhotoDeluxe 2.0\AdobeConnectables
SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\SBPCI

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\SYSTEM\NZDD.DLL - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}
NAV Helper - c:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
Synchronize Time.job
Check E-mail.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[InstallFromTheWeb ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IFTW.DLL
CODEBASE = http://www.installfromtheweb.com/install/iftwclix.cab

[MailConfigure Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MAILCFG.DLL
CODEBASE = http://supportservices.msn.com/us/smtptool/MailCfg.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/w98/en/actsetup.cab

--------------------------------------------------
End of report, 3,941 bytes
Report generated in 0.171 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Rollin' Rog (Dec 9, 2000)

Ok, you're still looking clean as far as the lists are concerned, and your IP as only we mods can see it, is what it should be.

So what you 'enabled' in Netscape did not alter anything. However, you should leave that disabled. If there is a marketscore line present in the automatic configurtion url, I would delete that. Try again to remove it as well in IE.

If you can't permanently remove it, we just may leave well enough alone or at least wait to see if Tony knows what the problem might be.

I don't know where the data in the registry would be stored other than what HijackThis would point to, and that apparently has been removed.

Don't worry about my time, I've got plenty


----------



## IMM (Feb 1, 2002)

Did you install winzip to the root of drive F: ? It's not the default and strikes me as odd. (and several virii have been using that filename)


----------



## genesis2003 (Feb 8, 2003)

IMM

Just, out of shear desperation!!

My F Drive is my CD reader. 

In my haste for being able to read zip files for this situation, I acquired a demo WinZip 8.0 version that was copied on a mini CD Disc. Whenever I need to decompress a file, especially in these occasions, I slip the Disc in the F drive and the system reads the program from there. I attempted to install as described, and thought I did so properly, but instead when I attempt to access via Start>Programs>WinZip and attempt to open it, a Problem with Shortcut opens up stating:

The drive or network connection that the shortcut WinZip 8.0.Ink refers to is unavailable. Make sure that the disk is properly inserted or the network resources is available, and then try again.

I used to have another Zip program, which I hardly used, but heck if I know where it disappeared too!

I hope I didn't mess anything up by doing it this way?

Thanks for asking!!!


----------

