Internet Explorer, Windows Explorer, and RPCSS.EXE

Here is a troubling failure to load IE6 (and IE5.5 before it) that has
happened many times. It usually happens on the first load of IE6 after
making a dialup connection. After that it is ok.

(PC has Win98SE, Dialup 56K, no network, all windows updates
installed)

Firewall status: Zonealarm internet lock was on.

1 Dialed up 56K connection

2 Started IE6. It froze, didn't finish its startup.

3 Checked ZoneAlarm log. Windows Explorer tried to act as a server,
but was stopped by the firewall. (This happens often on the first
start of IE6 after dialup.)

4 IE6 is shown on the start bar but is not on screen. Can't start any
other program. [ctl][alt][del] Killed explorer (Windows Explorer) (not
responding) with "end task". Another instance of explorer remained in
the "close program" window.

5 IE6 not responding -- end task

6 Upon changing NoteTab from full screen to normal position, got this
message: "RPCSS.exe has performed an illegal operation and will be
shut down." (RPCSS.exe is called "Distributed COM Services" in the
firewall log.)

7 The windows start bar is missing. [alt][tab] brings it back and show
IR6, even though I had "end task" it previously.

8 The dialup icon is missing from the bottom right, even though the
connection is still active.

This pattern, or a variation on it, happens repeatedly.

QUESTION 1: What could be happening?

QUESTION 2: Is it safe to permit the firewall to allow Windows
Explorer and RPCSS to access the internet as servers?

QUESTION 3: Another alternative would be to rename RPCSS.exe. Is that
a good idea?

PS: I use Adaware, Spybot S&D, Fprot.

Sincerely, Stan Hilliard

On Thu, 29 Apr 2004 23:32:40 -0500, Stan Hilliard
<(E-Mail Removed)> wrote:

>Here is a troubling failure to load IE6 (and IE5.5 before it) that has
>happened many times. It usually happens on the first load of IE6 after
>making a dialup connection. After that it is ok.
>
>(PC has Win98SE, Dialup 56K, no network, all windows updates
>installed)
>
>Firewall status: Zonealarm internet lock was on.
>
>1 Dialed up 56K connection
>
>2 Started IE6. It froze, didn't finish its startup.
>
>3 Checked ZoneAlarm log. Windows Explorer tried to act as a server,
>but was stopped by the firewall. (This happens often on the first
>start of IE6 after dialup.)
>
>4 IE6 is shown on the start bar but is not on screen. Can't start any
>other program. [ctl][alt][del] Killed explorer (Windows Explorer) (not
>responding) with "end task". Another instance of explorer remained in
>the "close program" window.
>
>5 IE6 not responding -- end task
>
>6 Upon changing NoteTab from full screen to normal position, got this
>message: "RPCSS.exe has performed an illegal operation and will be
>shut down." (RPCSS.exe is called "Distributed COM Services" in the
>firewall log.)
>
>7 The windows start bar is missing. [alt][tab] brings it back and show
>IR6, even though I had "end task" it previously.
>
>8 The dialup icon is missing from the bottom right, even though the
>connection is still active.
>
>This pattern, or a variation on it, happens repeatedly.
>
>QUESTION 1: What could be happening?
>
>QUESTION 2: Is it safe to permit the firewall to allow Windows
>Explorer and RPCSS to access the internet as servers?
>
>QUESTION 3: Another alternative would be to rename RPCSS.exe. Is that
>a good idea?
>
>PS: I use Adaware, Spybot S&D, Fprot.
>
>Sincerely, Stan Hilliard

This might be related to the problem.

I forgot to mention that once a small window popped up in the middle
of my screen with "URL proxy" in the title bar. The rest of the window
was blank. The "URL proxy" window closed when I closed IE6.

What was going on with the "URL proxy" window?

Stan Hilliard

Start here.

http://groups.google.ca/groups?hl=en&lr=lang_en|lang_fr&ie=UTF-8&oe=UTF-8&newwindow=1&threadm=MPG.1a49b5fe263fdaf0989b14%4 0netnews.worldnet.att.net&rnum=7&prev=/groups%3Fq%3D%2522URL%2Bproxy%2522%26hl%3Den%26lr% 3Dlang_en%257Clang_fr%26ie%3DUTF-8%26oe%3DUTF-8%26newwindow%3D1%26sa%3DG%26scoring%3Dd
--

If no joy search for "ULR proxy" on google.com groups.

Henri Leboeuf
Web page: http://www.colba.net/~hlebo49/index.htm
===
"Stan Hilliard" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Thu, 29 Apr 2004 23:32:40 -0500, Stan Hilliard
> <(E-Mail Removed)> wrote:
>
> >Here is a troubling failure to load IE6 (and IE5.5 before it) that has
> >happened many times. It usually happens on the first load of IE6 after
> >making a dialup connection. After that it is ok.
> >
> >(PC has Win98SE, Dialup 56K, no network, all windows updates
> >installed)
> >
> >Firewall status: Zonealarm internet lock was on.
> >
> >1 Dialed up 56K connection
> >
> >2 Started IE6. It froze, didn't finish its startup.
> >
> >3 Checked ZoneAlarm log. Windows Explorer tried to act as a server,
> >but was stopped by the firewall. (This happens often on the first
> >start of IE6 after dialup.)
> >
> >4 IE6 is shown on the start bar but is not on screen. Can't start any
> >other program. [ctl][alt][del] Killed explorer (Windows Explorer) (not
> >responding) with "end task". Another instance of explorer remained in
> >the "close program" window.
> >
> >5 IE6 not responding -- end task
> >
> >6 Upon changing NoteTab from full screen to normal position, got this
> >message: "RPCSS.exe has performed an illegal operation and will be
> >shut down." (RPCSS.exe is called "Distributed COM Services" in the
> >firewall log.)
> >
> >7 The windows start bar is missing. [alt][tab] brings it back and show
> >IR6, even though I had "end task" it previously.
> >
> >8 The dialup icon is missing from the bottom right, even though the
> >connection is still active.
> >
> >This pattern, or a variation on it, happens repeatedly.
> >
> >QUESTION 1: What could be happening?
> >
> >QUESTION 2: Is it safe to permit the firewall to allow Windows
> >Explorer and RPCSS to access the internet as servers?
> >
> >QUESTION 3: Another alternative would be to rename RPCSS.exe. Is that
> >a good idea?
> >
> >PS: I use Adaware, Spybot S&D, Fprot.
> >
> >Sincerely, Stan Hilliard
>
> This might be related to the problem.
>
> I forgot to mention that once a small window popped up in the middle
> of my screen with "URL proxy" in the title bar. The rest of the window
> was blank. The "URL proxy" window closed when I closed IE6.
>
> What was going on with the "URL proxy" window?
>
> Stan Hilliard

Stan,

First, *why* is ZoneAlarm blocking all internet access?

For IE freezing issues check out the advice at the URL below:
http://www.mvps.org/inetexplorer/answers3.htm#freezing

You have not provided enough information about the Notepad error.

rpcss.exe is a legitimate file; do not rename it. There is no way to tell
whether a legitimate file, or malware, is using it. If you rename it in
Win98 you'll have weird problems pop up all over the place. If you rename it
in later OS, you kill your computer.

IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from
the URL below - some malware can kill your internet connection when it is
removed, and this software should get things going for you again:
http://www.cexx.org/lspfix.htm

Get yourself a copy of BHODemon, available at
http://www.definitivesolutions.com/bhodemon.htm .

It does not need installing - simply unzip and run the EXE programme. It is
very easy to use. It will often find the following hijackware DLL files,
and give you the ability to disable them easily.

Many people like AdAware, available at www.lavasoft.de. Make sure you keep
the signature files up to date and remember, AdAware only removes the
current install; it can't do anything about software that reinstalls itself
(unless you want to get stuck in an endless loop of
hijack/cleanout/hijack/cleanout). Sometimes you will have to track down and
remove the software that keeps putting the hijackware back - hence this
advice section. Warning: AdAware is now version 6.181. All previous
versions are NO LONGER SUPPORTED and will not be updated.

The more experienced user can try Spybot. Again, it is a free programme
which can be downloaded from: http://spybot.eon.net.au/. Warning: it is NOT
a good programme for the inexperienced. If you want to use this programme,
please get the advice of those more experienced before 'fixing' anything
that it finds.

Go to the link below to check your system for parasites (supplied by
Doxdesk.com):
http://www.mvps.org/inetexplorer/parasite.htm

Another excellent programme that allows you to examine your system and
*create a results log for experts to examine* is HijackThis, available from:
http://www.tomcoyote.org/hjt/

Download and run the latest version of "Cool Web Shredder"
http://www.merijn.org/files/CWShredder.exe

Here is advice specific to:

home page hijackings
http://www.mvps.org/inetexplorer/answers.htm#home_page

pop-up ads
http://www.mvps.org/inetexplorer/data/popup.htm

search engine hijackings
http://www.mvps.org/inetexplorer/ans...#search_engine

IMPORTANT: The above programmes are excellent, and a lot of credit goes to
those who authored and update the programmes, but they can NOT detect
everything that is out there - as time goes on the programmes will become
more and more unwieldy if they try to maintain a standard of positive
identification for as much spyware as possible, and it will be harder and
harder for the programmes to catch everything that is out there. More and
more spyware uses RANDOM names as part of their programme making it
impossible for positive identification to occur, therefore....

It is VERY IMPORTANT that you learn how to examine your system for potential
problems as well as using 'fixit' programme such as AdAware or Spybot.

Check your startup folder and MSCONFIG (startup tab). You can also check
the following registry keys and edit as appropriate (if you have experience
with same).

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Runonce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Runonce

The following link will lead you to some Microsoft KB articles about the
basics of the Registry and working with it:
http://www.mvps.org/inetexplorer/answers.htm#Registry

An experienced computer technician can use programme such as AutoStart
Viewer for in-depth diagnosis:
http://www.diamondcs.com.au/index.php?page=asviewer

Empty your IE cache and your other temporary file folders, eg:
c:\windows\temp (if using Windows 98) or C:\Documents and
Settings\<name>\Local Settings\Temp (the path to your temp folder will
change depending on your name) - sometimes programmes can be hidden in
there - watch out for mysterious *.exe files or *.dll files in those
folders.

Go to IE Tools, Internet Options, Temporary Internet Files {Settings
Button}, View Objects, Downloaded Programme Files. Check for unusual objects
there.

Go to IE Tools, Internet Options, Accessibility. Make sure there is no
style sheet chosen (under User Style Sheet - format documents using my style
sheet). If the option is turned on, turn it OFF.

It is possible to turn off third party extensions (Enable third-party
browser extensions (requires restart) at IE tools, internet options,
advanced) to disable *all* plug-ins but troubleshooting will be difficult
and it is only a BANDAID. Nothing gets fixed. There is software that
depends on 'third party browser extensions" to work, including Acrobat,
Microsoft Money, and many other programmes.

--
Hyperlinks are used to ensure advice remains current
Do NOT send me an email. I will NOT see it (thank the spammers and viruses)
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org/


"Stan Hilliard" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Here is a troubling failure to load IE6 (and IE5.5 before it) that has
> happened many times. It usually happens on the first load of IE6 after
> making a dialup connection. After that it is ok.
>
> (PC has Win98SE, Dialup 56K, no network, all windows updates
> installed)
>
> Firewall status: Zonealarm internet lock was on.
>
> 1 Dialed up 56K connection
>
> 2 Started IE6. It froze, didn't finish its startup.
>
> 3 Checked ZoneAlarm log. Windows Explorer tried to act as a server,
> but was stopped by the firewall. (This happens often on the first
> start of IE6 after dialup.)
>
> 4 IE6 is shown on the start bar but is not on screen. Can't start any
> other program. [ctl][alt][del] Killed explorer (Windows Explorer) (not
> responding) with "end task". Another instance of explorer remained in
> the "close program" window.
>
> 5 IE6 not responding -- end task
>
> 6 Upon changing NoteTab from full screen to normal position, got this
> message: "RPCSS.exe has performed an illegal operation and will be
> shut down." (RPCSS.exe is called "Distributed COM Services" in the
> firewall log.)
>
> 7 The windows start bar is missing. [alt][tab] brings it back and show
> IR6, even though I had "end task" it previously.
>
> 8 The dialup icon is missing from the bottom right, even though the
> connection is still active.
>
> This pattern, or a variation on it, happens repeatedly.
>
> QUESTION 1: What could be happening?
>
> QUESTION 2: Is it safe to permit the firewall to allow Windows
> Explorer and RPCSS to access the internet as servers?
>
> QUESTION 3: Another alternative would be to rename RPCSS.exe. Is that
> a good idea?
>
> PS: I use Adaware, Spybot S&D, Fprot.
>
> Sincerely, Stan Hilliard

>> This might be related to the problem.
>>
>> I forgot to mention that once a small window popped up in the middle
>> of my screen with "URL proxy" in the title bar. The rest of the window
>> was blank. The "URL proxy" window closed when I closed IE6.
>>
>> What was going on with the "URL proxy" window?
>>
>> Stan Hilliard

>Start here.
>
>http://groups.google.ca/groups?hl=en&lr=lang_en|lang_fr&ie=UTF-8&oe=UTF-8&newwindow=1&threadm=MPG.1a49b5fe263fdaf0989b14%4 0netnews.worldnet.att.net&rnum=7&prev=/groups%3Fq%3D%2522URL%2Bproxy%2522%26hl%3Den%26lr% 3Dlang_en%257Clang_fr%26ie%3DUTF-8%26oe%3DUTF-8%26newwindow%3D1%26sa%3DG%26scoring%3Dd
>
>"H Leboeuf"

Thanks. That sounds a lot like my problem. I use Pegasus 4.12a as in
that case.

In Pegasus [alt][F10] and [incoming mail, hyperlinks] I unchecked "Use
URLPROXY". I also clicked "Use the non-standard URLs used by internet
explorer. I think that this fixed the problem with the URLPROXY
window.

On Fri, 30 Apr 2004 21:38:04 +0800, "Sandi - Microsoft MVP"
<(E-Mail Removed)> wrote:

>Stan,
>
>First, *why* is ZoneAlarm blocking all internet access?

The internet lock doesn't prevent all internet access. But having it
on blocks all incoming and outgoing attempts on any port except for
the programs that are specifically set to pass the lock.

>For IE freezing issues check out the advice at the URL below:
>http://www.mvps.org/inetexplorer/answers3.htm#freezing

Thanks. I did.

>You have not provided enough information about the Notepad error.

I was using NoteTAB. I just noticed what happened but do not have any
additional information.

>rpcss.exe is a legitimate file; do not rename it. There is no way to tell
>whether a legitimate file, or malware, is using it. If you rename it in
>Win98 you'll have weird problems pop up all over the place. If you rename it
>in later OS, you kill your computer.

I will leave it alone. Right now the ZoneAlarm firewall is set to
allow RPCSS to start and access the internet, but not as a server. Is
that a good setting?

>IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from
>the URL below - some malware can kill your internet connection when it is
>removed, and this software should get things going for you again:
>http://www.cexx.org/lspfix.htm

Thanks. I did.

>Get yourself a copy of BHODemon, available at
>http://www.definitivesolutions.com/bhodemon.htm .
>
>It does not need installing - simply unzip and run the EXE programme. It is
>very easy to use. It will often find the following hijackware DLL files,
>and give you the ability to disable them easily.

Thanks. BHODemon only detects my Google toolbar.

However, prior to running BHODemon , earlier today, I noticed that my
Google toolbar was missing from the IE6 screen. So I uninstalled it
and then downloaded a new toolbar and installed it.

Since I uninstalled/installed the Google toolbar I have not had IE6
freeze! It used to always freeze on the first load after making a
dialup connection.

This seems to have fixed the freeze problem -- at least temporarily.

>Many people like AdAware, available at www.lavasoft.de. Make sure you keep
>the signature files up to date and remember, AdAware only removes the
>current install; it can't do anything about software that reinstalls itself
>(unless you want to get stuck in an endless loop of
>hijack/cleanout/hijack/cleanout). Sometimes you will have to track down and
>remove the software that keeps putting the hijackware back - hence this
>advice section. Warning: AdAware is now version 6.181. All previous
>versions are NO LONGER SUPPORTED and will not be updated.

Yes, I have Ad-aware 6.181 and I run every week. It always finds
something.

>The more experienced user can try Spybot. Again, it is a free programme
>which can be downloaded from: http://spybot.eon.net.au/. Warning: it is NOT
>a good programme for the inexperienced. If you want to use this programme,
>please get the advice of those more experienced before 'fixing' anything
>that it finds.

I have started using Spybot S & D. It found five things that Ad-aware
didn't.

>Go to the link below to check your system for parasites (supplied by
>Doxdesk.com):
>http://www.mvps.org/inetexplorer/parasite.htm

Thanks.

>Another excellent programme that allows you to examine your system and
>*create a results log for experts to examine* is HijackThis, available from:
>http://www.tomcoyote.org/hjt/

I have this.

>Download and run the latest version of "Cool Web Shredder"
>http://www.merijn.org/files/CWShredder.exe

Thanks.

>Here is advice specific to:
>home page hijackings
>http://www.mvps.org/inetexplorer/answers.htm#home_page

Thanks.

>pop-up ads
>http://www.mvps.org/inetexplorer/data/popup.htm

Thanks.

>search engine hijackings
>http://www.mvps.org/inetexplorer/ans...#search_engine
>
>IMPORTANT: The above programmes are excellent, and a lot of credit goes to
>those who authored and update the programmes, but they can NOT detect
>everything that is out there - as time goes on the programmes will become
>more and more unwieldy if they try to maintain a standard of positive
>identification for as much spyware as possible, and it will be harder and
>harder for the programmes to catch everything that is out there. More and
>more spyware uses RANDOM names as part of their programme making it
>impossible for positive identification to occur, therefore....
>
>It is VERY IMPORTANT that you learn how to examine your system for potential
>problems as well as using 'fixit' programme such as AdAware or Spybot.
>
>Check your startup folder and MSCONFIG (startup tab). You can also check
>the following registry keys and edit as appropriate (if you have experience
>with same).
>
>HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Run
>
>HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Runonce
>
>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Run
>
>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Runonce
>
>The following link will lead you to some Microsoft KB articles about the
>basics of the Registry and working with it:
>http://www.mvps.org/inetexplorer/answers.htm#Registry
>
>An experienced computer technician can use programme such as AutoStart
>Viewer for in-depth diagnosis:
>http://www.diamondcs.com.au/index.php?page=asviewer
>
>Empty your IE cache and your other temporary file folders, eg:
>c:\windows\temp (if using Windows 98) or C:\Documents and
>Settings\<name>\Local Settings\Temp (the path to your temp folder will
>change depending on your name) - sometimes programmes can be hidden in
>there - watch out for mysterious *.exe files or *.dll files in those
>folders.
>
>Go to IE Tools, Internet Options, Temporary Internet Files {Settings
>Button}, View Objects, Downloaded Programme Files. Check for unusual objects
>there.
>
>Go to IE Tools, Internet Options, Accessibility. Make sure there is no
>style sheet chosen (under User Style Sheet - format documents using my style
>sheet). If the option is turned on, turn it OFF.
>
>It is possible to turn off third party extensions (Enable third-party
>browser extensions (requires restart) at IE tools, internet options,
>advanced) to disable *all* plug-ins but troubleshooting will be difficult
>and it is only a BANDAID. Nothing gets fixed. There is software that
>depends on 'third party browser extensions" to work, including Acrobat,
>Microsoft Money, and many other programmes.

I thought that I has solved the problem of the first IE6 instance
after dialup hanging -- by uninstalling/reinstalling the google
toolbar.

That worked for a while, but the next day the problem was back. I made
it go away again by again uninstalling/reinstallihg the google
toolbar.

Spybot S&D finds file AtHoc.log in the root directory dated 1/15/01,
138KB. What is that?

Spybot also flagged Windows Media Player, but that doesn't sound to me
like something bad.

I changed the ZoneAlarm firewall settings for RPCSS and Windows
Explorer to allow them to access the Internet as servers -- since they
kept trying to do that. Is that a problem?

Sincerely, Stan Hilliard

=================
On Sat, 01 May 2004 13:26:15 -0500, Stan Hilliard
<(E-Mail Removed)> wrote:

>On Fri, 30 Apr 2004 21:38:04 +0800, "Sandi - Microsoft MVP"
><(E-Mail Removed)> wrote:
>
>>Stan,
>>
>>First, *why* is ZoneAlarm blocking all internet access?
>
>The internet lock doesn't prevent all internet access. But having it
>on blocks all incoming and outgoing attempts on any port except for
>the programs that are specifically set to pass the lock.
>
>>For IE freezing issues check out the advice at the URL below:
>>http://www.mvps.org/inetexplorer/answers3.htm#freezing
>
>Thanks. I did.
>
>>You have not provided enough information about the Notepad error.
>
>I was using NoteTAB. I just noticed what happened but do not have any
>additional information.
>
>>rpcss.exe is a legitimate file; do not rename it. There is no way to tell
>>whether a legitimate file, or malware, is using it. If you rename it in
>>Win98 you'll have weird problems pop up all over the place. If you rename it
>>in later OS, you kill your computer.
>
>I will leave it alone. Right now the ZoneAlarm firewall is set to
>allow RPCSS to start and access the internet, but not as a server. Is
>that a good setting?
>
>>IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from
>>the URL below - some malware can kill your internet connection when it is
>>removed, and this software should get things going for you again:
>>http://www.cexx.org/lspfix.htm
>
>Thanks. I did.
>
>>Get yourself a copy of BHODemon, available at
>>http://www.definitivesolutions.com/bhodemon.htm .
>>
>>It does not need installing - simply unzip and run the EXE programme. It is
>>very easy to use. It will often find the following hijackware DLL files,
>>and give you the ability to disable them easily.
>
>Thanks. BHODemon only detects my Google toolbar.
>
>However, prior to running BHODemon , earlier today, I noticed that my
>Google toolbar was missing from the IE6 screen. So I uninstalled it
>and then downloaded a new toolbar and installed it.
>
>Since I uninstalled/installed the Google toolbar I have not had IE6
>freeze! It used to always freeze on the first load after making a
>dialup connection.
>
>This seems to have fixed the freeze problem -- at least temporarily.
>
>>Many people like AdAware, available at www.lavasoft.de. Make sure you keep
>>the signature files up to date and remember, AdAware only removes the
>>current install; it can't do anything about software that reinstalls itself
>>(unless you want to get stuck in an endless loop of
>>hijack/cleanout/hijack/cleanout). Sometimes you will have to track down and
>>remove the software that keeps putting the hijackware back - hence this
>>advice section. Warning: AdAware is now version 6.181. All previous
>>versions are NO LONGER SUPPORTED and will not be updated.
>
>Yes, I have Ad-aware 6.181 and I run every week. It always finds
>something.
>
>>The more experienced user can try Spybot. Again, it is a free programme
>>which can be downloaded from: http://spybot.eon.net.au/. Warning: it is NOT
>>a good programme for the inexperienced. If you want to use this programme,
>>please get the advice of those more experienced before 'fixing' anything
>>that it finds.
>
>I have started using Spybot S & D. It found five things that Ad-aware
>didn't.
>
>>Go to the link below to check your system for parasites (supplied by
>>Doxdesk.com):
>>http://www.mvps.org/inetexplorer/parasite.htm
>
>Thanks.
>
>>Another excellent programme that allows you to examine your system and
>>*create a results log for experts to examine* is HijackThis, available from:
>>http://www.tomcoyote.org/hjt/
>
>I have this.
>
>>Download and run the latest version of "Cool Web Shredder"
>>http://www.merijn.org/files/CWShredder.exe
>
>Thanks.
>
>>Here is advice specific to:
>>home page hijackings
>>http://www.mvps.org/inetexplorer/answers.htm#home_page
>
>Thanks.
>
>>pop-up ads
>>http://www.mvps.org/inetexplorer/data/popup.htm
>
>Thanks.
>
>>search engine hijackings
>>http://www.mvps.org/inetexplorer/ans...#search_engine
>>
>>IMPORTANT: The above programmes are excellent, and a lot of credit goes to
>>those who authored and update the programmes, but they can NOT detect
>>everything that is out there - as time goes on the programmes will become
>>more and more unwieldy if they try to maintain a standard of positive
>>identification for as much spyware as possible, and it will be harder and
>>harder for the programmes to catch everything that is out there. More and
>>more spyware uses RANDOM names as part of their programme making it
>>impossible for positive identification to occur, therefore....
>>
>>It is VERY IMPORTANT that you learn how to examine your system for potential
>>problems as well as using 'fixit' programme such as AdAware or Spybot.
>>
>>Check your startup folder and MSCONFIG (startup tab). You can also check
>>the following registry keys and edit as appropriate (if you have experience
>>with same).
>>
>>HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur rentVersion\Run
>>
>>HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur rentVersion\Runonce
>>
>>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cu rrentVersion\Run
>>
>>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cu rrentVersion\Runonce
>>
>>The following link will lead you to some Microsoft KB articles about the
>>basics of the Registry and working with it:
>>http://www.mvps.org/inetexplorer/answers.htm#Registry
>>
>>An experienced computer technician can use programme such as AutoStart
>>Viewer for in-depth diagnosis:
>>http://www.diamondcs.com.au/index.php?page=asviewer
>>
>>Empty your IE cache and your other temporary file folders, eg:
>>c:\windows\temp (if using Windows 98) or C:\Documents and
>>Settings\<name>\Local Settings\Temp (the path to your temp folder will
>>change depending on your name) - sometimes programmes can be hidden in
>>there - watch out for mysterious *.exe files or *.dll files in those
>>folders.
>>
>>Go to IE Tools, Internet Options, Temporary Internet Files {Settings
>>Button}, View Objects, Downloaded Programme Files. Check for unusual objects
>>there.
>>
>>Go to IE Tools, Internet Options, Accessibility. Make sure there is no
>>style sheet chosen (under User Style Sheet - format documents using my style
>>sheet). If the option is turned on, turn it OFF.
>>
>>It is possible to turn off third party extensions (Enable third-party
>>browser extensions (requires restart) at IE tools, internet options,
>>advanced) to disable *all* plug-ins but troubleshooting will be difficult
>>and it is only a BANDAID. Nothing gets fixed. There is software that
>>depends on 'third party browser extensions" to work, including Acrobat,
>>Microsoft Money, and many other programmes.

Was this tool bar installed on your computer at one time?
AtHoc http://www.athoc.com/site/products/portalToolbar.asp
More: http://www.safer-networking.org/inde...ats&detail=297
More: http://siliconvalley.internet.com/ne...hp/3531_479951
--

Henri Leboeuf
Web page: http://www.colba.net/~hlebo49/index.htm
===
"Stan Hilliard" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I thought that I has solved the problem of the first IE6 instance
> after dialup hanging -- by uninstalling/reinstalling the google
> toolbar.
>
> That worked for a while, but the next day the problem was back. I made
> it go away again by again uninstalling/reinstallihg the google
> toolbar.
>
> Spybot S&D finds file AtHoc.log in the root directory dated 1/15/01,
> 138KB. What is that?
>
> Spybot also flagged Windows Media Player, but that doesn't sound to me
> like something bad.
>
> I changed the ZoneAlarm firewall settings for RPCSS and Windows
> Explorer to allow them to access the Internet as servers -- since they
> kept trying to do that. Is that a problem?
>
> Sincerely, Stan Hilliard
>
> =================
> On Sat, 01 May 2004 13:26:15 -0500, Stan Hilliard
> <(E-Mail Removed)> wrote:
>
> >On Fri, 30 Apr 2004 21:38:04 +0800, "Sandi - Microsoft MVP"
> ><(E-Mail Removed)> wrote:
> >
> >>Stan,
> >>
> >>First, *why* is ZoneAlarm blocking all internet access?
> >
> >The internet lock doesn't prevent all internet access. But having it
> >on blocks all incoming and outgoing attempts on any port except for
> >the programs that are specifically set to pass the lock.
> >
> >>For IE freezing issues check out the advice at the URL below:
> >>http://www.mvps.org/inetexplorer/answers3.htm#freezing
> >
> >Thanks. I did.
> >
> >>You have not provided enough information about the Notepad error.
> >
> >I was using NoteTAB. I just noticed what happened but do not have any
> >additional information.
> >
> >>rpcss.exe is a legitimate file; do not rename it. There is no way to
tell
> >>whether a legitimate file, or malware, is using it. If you rename it in
> >>Win98 you'll have weird problems pop up all over the place. If you
rename it
> >>in later OS, you kill your computer.
> >
> >I will leave it alone. Right now the ZoneAlarm firewall is set to
> >allow RPCSS to start and access the internet, but not as a server. Is
> >that a good setting?
> >
> >>IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX
from
> >>the URL below - some malware can kill your internet connection when it
is
> >>removed, and this software should get things going for you again:
> >>http://www.cexx.org/lspfix.htm
> >
> >Thanks. I did.
> >
> >>Get yourself a copy of BHODemon, available at
> >>http://www.definitivesolutions.com/bhodemon.htm .
> >>
> >>It does not need installing - simply unzip and run the EXE programme. It
is
> >>very easy to use. It will often find the following hijackware DLL
files,
> >>and give you the ability to disable them easily.
> >
> >Thanks. BHODemon only detects my Google toolbar.
> >
> >However, prior to running BHODemon , earlier today, I noticed that my
> >Google toolbar was missing from the IE6 screen. So I uninstalled it
> >and then downloaded a new toolbar and installed it.
> >
> >Since I uninstalled/installed the Google toolbar I have not had IE6
> >freeze! It used to always freeze on the first load after making a
> >dialup connection.
> >
> >This seems to have fixed the freeze problem -- at least temporarily.
> >
> >>Many people like AdAware, available at www.lavasoft.de. Make sure you
keep
> >>the signature files up to date and remember, AdAware only removes the
> >>current install; it can't do anything about software that reinstalls
itself
> >>(unless you want to get stuck in an endless loop of
> >>hijack/cleanout/hijack/cleanout). Sometimes you will have to track down
and
> >>remove the software that keeps putting the hijackware back - hence this
> >>advice section. Warning: AdAware is now version 6.181. All previous
> >>versions are NO LONGER SUPPORTED and will not be updated.
> >
> >Yes, I have Ad-aware 6.181 and I run every week. It always finds
> >something.
> >
> >>The more experienced user can try Spybot. Again, it is a free programme
> >>which can be downloaded from: http://spybot.eon.net.au/. Warning: it is
NOT
> >>a good programme for the inexperienced. If you want to use this
programme,
> >>please get the advice of those more experienced before 'fixing' anything
> >>that it finds.
> >
> >I have started using Spybot S & D. It found five things that Ad-aware
> >didn't.
> >
> >>Go to the link below to check your system for parasites (supplied by
> >>Doxdesk.com):
> >>http://www.mvps.org/inetexplorer/parasite.htm
> >
> >Thanks.
> >
> >>Another excellent programme that allows you to examine your system and
> >>*create a results log for experts to examine* is HijackThis, available
from:
> >>http://www.tomcoyote.org/hjt/
> >
> >I have this.
> >
> >>Download and run the latest version of "Cool Web Shredder"
> >>http://www.merijn.org/files/CWShredder.exe
> >
> >Thanks.
> >
> >>Here is advice specific to:
> >>home page hijackings
> >>http://www.mvps.org/inetexplorer/answers.htm#home_page
> >
> >Thanks.
> >
> >>pop-up ads
> >>http://www.mvps.org/inetexplorer/data/popup.htm
> >
> >Thanks.
> >
> >>search engine hijackings
> >>http://www.mvps.org/inetexplorer/ans...#search_engine
> >>
> >>IMPORTANT: The above programmes are excellent, and a lot of credit goes
to
> >>those who authored and update the programmes, but they can NOT detect
> >>everything that is out there - as time goes on the programmes will
become
> >>more and more unwieldy if they try to maintain a standard of positive
> >>identification for as much spyware as possible, and it will be harder
and
> >>harder for the programmes to catch everything that is out there. More
and
> >>more spyware uses RANDOM names as part of their programme making it
> >>impossible for positive identification to occur, therefore....
> >>
> >>It is VERY IMPORTANT that you learn how to examine your system for
potential
> >>problems as well as using 'fixit' programme such as AdAware or Spybot.
> >>
> >>Check your startup folder and MSCONFIG (startup tab). You can also
check
> >>the following registry keys and edit as appropriate (if you have
experience
> >>with same).
> >>
> >>HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur rentVersion\Run
> >>
> >>HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur rentVersion\Runonce
> >>
> >>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cu rrentVersion\Run
> >>
> >>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cu rrentVersion\Runonce
> >>
> >>The following link will lead you to some Microsoft KB articles about the
> >>basics of the Registry and working with it:
> >>http://www.mvps.org/inetexplorer/answers.htm#Registry
> >>
> >>An experienced computer technician can use programme such as AutoStart
> >>Viewer for in-depth diagnosis:
> >>http://www.diamondcs.com.au/index.php?page=asviewer
> >>
> >>Empty your IE cache and your other temporary file folders, eg:
> >>c:\windows\temp (if using Windows 98) or C:\Documents and
> >>Settings\<name>\Local Settings\Temp (the path to your temp folder will
> >>change depending on your name) - sometimes programmes can be hidden in
> >>there - watch out for mysterious *.exe files or *.dll files in those
> >>folders.
> >>
> >>Go to IE Tools, Internet Options, Temporary Internet Files {Settings
> >>Button}, View Objects, Downloaded Programme Files. Check for unusual
objects
> >>there.
> >>
> >>Go to IE Tools, Internet Options, Accessibility. Make sure there is no
> >>style sheet chosen (under User Style Sheet - format documents using my
style
> >>sheet). If the option is turned on, turn it OFF.
> >>
> >>It is possible to turn off third party extensions (Enable third-party
> >>browser extensions (requires restart) at IE tools, internet options,
> >>advanced) to disable *all* plug-ins but troubleshooting will be
difficult
> >>and it is only a BANDAID. Nothing gets fixed. There is software that
> >>depends on 'third party browser extensions" to work, including Acrobat,
> >>Microsoft Money, and many other programmes.
>

On Mon, 3 May 2004 08:10:58 -0400, "H Leboeuf"
<(E-Mail Removed)> wrote:

>Was this tool bar installed on your computer at one time?
>AtHoc http://www.athoc.com/site/products/portalToolbar.asp
>More: http://www.safer-networking.org/inde...ats&detail=297
>More: http://siliconvalley.internet.com/ne...hp/3531_479951

I did not (voluntarily) have that tool bar. But the article in link
(3) implies (I think) that if I did it might not be visible to me.

(1) The first link is to a page that apparently does not exist at this
time.

(2) The second link tries to download a file, but I don't know what
the file is.

(3) The third link is to an article that I find interesting because it
reminds me of a button (inactive now) on my website from NetMind
Mind-It.

The dead button is on this page:

http://samplingplans.com/latestchanges.htm

When the button worked, visitors to that page would be informed by
email from NetMind any time that the page changed.

I think that the button went inactive when NetMind was bought out and
they stopped making it free and I didn't pay.

Stan Hilliard

===
>Henri Leboeuf
>Web page: http://www.colba.net/~hlebo49/index.htm
>===
>"Stan Hilliard" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed).. .
>> I thought that I has solved the problem of the first IE6 instance
>> after dialup hanging -- by uninstalling/reinstalling the google
>> toolbar.
>>
>> That worked for a while, but the next day the problem was back. I made
>> it go away again by again uninstalling/reinstallihg the google
>> toolbar.
>>
>> Spybot S&D finds file AtHoc.log in the root directory dated 1/15/01,
>> 138KB. What is that?
>>
>> Spybot also flagged Windows Media Player, but that doesn't sound to me
>> like something bad.
>>
>> I changed the ZoneAlarm firewall settings for RPCSS and Windows
>> Explorer to allow them to access the Internet as servers -- since they
>> kept trying to do that. Is that a problem?
>>
>> Sincerely, Stan Hilliard
>>
>> =================
>> On Sat, 01 May 2004 13:26:15 -0500, Stan Hilliard
>> <(E-Mail Removed)> wrote:
>>
>> >On Fri, 30 Apr 2004 21:38:04 +0800, "Sandi - Microsoft MVP"
>> ><(E-Mail Removed)> wrote:
>> >
>> >>Stan,
>> >>
>> >>First, *why* is ZoneAlarm blocking all internet access?
>> >
>> >The internet lock doesn't prevent all internet access. But having it
>> >on blocks all incoming and outgoing attempts on any port except for
>> >the programs that are specifically set to pass the lock.
>> >
>> >>For IE freezing issues check out the advice at the URL below:
>> >>http://www.mvps.org/inetexplorer/answers3.htm#freezing
>> >
>> >Thanks. I did.
>> >
>> >>You have not provided enough information about the Notepad error.
>> >
>> >I was using NoteTAB. I just noticed what happened but do not have any
>> >additional information.
>> >
>> >>rpcss.exe is a legitimate file; do not rename it. There is no way to
>tell
>> >>whether a legitimate file, or malware, is using it. If you rename it in
>> >>Win98 you'll have weird problems pop up all over the place. If you
>rename it
>> >>in later OS, you kill your computer.
>> >
>> >I will leave it alone. Right now the ZoneAlarm firewall is set to
>> >allow RPCSS to start and access the internet, but not as a server. Is
>> >that a good setting?
>> >
>> >>IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX
>from
>> >>the URL below - some malware can kill your internet connection when it
>is
>> >>removed, and this software should get things going for you again:
>> >>http://www.cexx.org/lspfix.htm
>> >
>> >Thanks. I did.
>> >
>> >>Get yourself a copy of BHODemon, available at
>> >>http://www.definitivesolutions.com/bhodemon.htm .
>> >>
>> >>It does not need installing - simply unzip and run the EXE programme. It
>is
>> >>very easy to use. It will often find the following hijackware DLL
>files,
>> >>and give you the ability to disable them easily.
>> >
>> >Thanks. BHODemon only detects my Google toolbar.
>> >
>> >However, prior to running BHODemon , earlier today, I noticed that my
>> >Google toolbar was missing from the IE6 screen. So I uninstalled it
>> >and then downloaded a new toolbar and installed it.
>> >
>> >Since I uninstalled/installed the Google toolbar I have not had IE6
>> >freeze! It used to always freeze on the first load after making a
>> >dialup connection.
>> >
>> >This seems to have fixed the freeze problem -- at least temporarily.
>> >
>> >>Many people like AdAware, available at www.lavasoft.de. Make sure you
>keep
>> >>the signature files up to date and remember, AdAware only removes the
>> >>current install; it can't do anything about software that reinstalls
>itself
>> >>(unless you want to get stuck in an endless loop of
>> >>hijack/cleanout/hijack/cleanout). Sometimes you will have to track down
>and
>> >>remove the software that keeps putting the hijackware back - hence this
>> >>advice section. Warning: AdAware is now version 6.181. All previous
>> >>versions are NO LONGER SUPPORTED and will not be updated.
>> >
>> >Yes, I have Ad-aware 6.181 and I run every week. It always finds
>> >something.
>> >
>> >>The more experienced user can try Spybot. Again, it is a free programme
>> >>which can be downloaded from: http://spybot.eon.net.au/. Warning: it is
>NOT
>> >>a good programme for the inexperienced. If you want to use this
>programme,
>> >>please get the advice of those more experienced before 'fixing' anything
>> >>that it finds.
>> >
>> >I have started using Spybot S & D. It found five things that Ad-aware
>> >didn't.
>> >
>> >>Go to the link below to check your system for parasites (supplied by
>> >>Doxdesk.com):
>> >>http://www.mvps.org/inetexplorer/parasite.htm
>> >
>> >Thanks.
>> >
>> >>Another excellent programme that allows you to examine your system and
>> >>*create a results log for experts to examine* is HijackThis, available
>from:
>> >>http://www.tomcoyote.org/hjt/
>> >
>> >I have this.
>> >
>> >>Download and run the latest version of "Cool Web Shredder"
>> >>http://www.merijn.org/files/CWShredder.exe
>> >
>> >Thanks.
>> >
>> >>Here is advice specific to:
>> >>home page hijackings
>> >>http://www.mvps.org/inetexplorer/answers.htm#home_page
>> >
>> >Thanks.
>> >
>> >>pop-up ads
>> >>http://www.mvps.org/inetexplorer/data/popup.htm
>> >
>> >Thanks.
>> >
>> >>search engine hijackings
>> >>http://www.mvps.org/inetexplorer/ans...#search_engine
>> >>
>> >>IMPORTANT: The above programmes are excellent, and a lot of credit goes
>to
>> >>those who authored and update the programmes, but they can NOT detect
>> >>everything that is out there - as time goes on the programmes will
>become
>> >>more and more unwieldy if they try to maintain a standard of positive
>> >>identification for as much spyware as possible, and it will be harder
>and
>> >>harder for the programmes to catch everything that is out there. More
>and
>> >>more spyware uses RANDOM names as part of their programme making it
>> >>impossible for positive identification to occur, therefore....
>> >>
>> >>It is VERY IMPORTANT that you learn how to examine your system for
>potential
>> >>problems as well as using 'fixit' programme such as AdAware or Spybot.
>> >>
>> >>Check your startup folder and MSCONFIG (startup tab). You can also
>check
>> >>the following registry keys and edit as appropriate (if you have
>experience
>> >>with same).
>> >>
>> >>HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur rentVersion\Run
>> >>
>> >>HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur rentVersion\Runonce
>> >>
>> >>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cu rrentVersion\Run
>> >>
>> >>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cu rrentVersion\Runonce
>> >>
>> >>The following link will lead you to some Microsoft KB articles about the
>> >>basics of the Registry and working with it:
>> >>http://www.mvps.org/inetexplorer/answers.htm#Registry
>> >>
>> >>An experienced computer technician can use programme such as AutoStart
>> >>Viewer for in-depth diagnosis:
>> >>http://www.diamondcs.com.au/index.php?page=asviewer
>> >>
>> >>Empty your IE cache and your other temporary file folders, eg:
>> >>c:\windows\temp (if using Windows 98) or C:\Documents and
>> >>Settings\<name>\Local Settings\Temp (the path to your temp folder will
>> >>change depending on your name) - sometimes programmes can be hidden in
>> >>there - watch out for mysterious *.exe files or *.dll files in those
>> >>folders.
>> >>
>> >>Go to IE Tools, Internet Options, Temporary Internet Files {Settings
>> >>Button}, View Objects, Downloaded Programme Files. Check for unusual
>objects
>> >>there.
>> >>
>> >>Go to IE Tools, Internet Options, Accessibility. Make sure there is no
>> >>style sheet chosen (under User Style Sheet - format documents using my
>style
>> >>sheet). If the option is turned on, turn it OFF.
>> >>
>> >>It is possible to turn off third party extensions (Enable third-party
>> >>browser extensions (requires restart) at IE tools, internet options,
>> >>advanced) to disable *all* plug-ins but troubleshooting will be
>difficult
>> >>and it is only a BANDAID. Nothing gets fixed. There is software that
>> >>depends on 'third party browser extensions" to work, including Acrobat,
>> >>Microsoft Money, and many other programmes.
>>

1- Thanks I will make the necessary correction, it now a 404 no longer
availabe site.

2- This is what I get on the link. Why you would think it's trying to
download some programs is not known to me.

Quote
URLs Company URL (http://www.athoc.com/)
Product URL (http://www.athoc.com/site/products/portalToolbar.asp)
Privacy URL (http://www.athoc.com/site/misc/privacyPolicy.asp)

Functionality Toolbar
Description From their own description: "Our technology keeps your business
continuously connected to employees and customers even when they're not on
your Web site." as well as "Features include: [...]Tracking and Reporting".
Whether your installation of this toolbar is a threat or not depends mostly
on the AtHoc customer that provides your toolbar variant. The toolbar allows
the customer tracking, and user information may be shared with associates
for advertisement purposes. Our recommendation: keep the toolbar if you've
installed it intentionally, otherwise remove it.
Privacy AtHoc uses this information primarily to personalize your experience
on the Web, improve service to you, monitor Website traffic generated by
your use of this service, and determine appropriate fees to charge your
Toolbar providers ("AtHoc Clients") and Websites you visit as a result of
placement on your Toolbar ("AtHoc Affiliates"). AtHoc may combine
information it collects from you with information from other sources. AtHoc
may also use the information collected to provide you with targeted
marketing or promotional information, which you can choose not to receive.
Data collected by AtHoc may be provided by or distributed to the specific
AtHoc Toolbar Partner who is providing the AtHoc Toolbar service for your
use. Please see their privacy policies to understand their practices in
handling the information collected.[...] AtHoc, AtHoc Clients, and AtHoc
Affiliates may send you marketing or promotional offers[...]
Unquote.
--

That may be is the reason you are getting a False Positive Hit on your virus
scan.

See what can be deleted from your system registry and computer.

Go to http://www.spywareinfo.com/downloads.php#det
Download "Hijack This!" [freeware] or download direct (below):
http://www.merijn.org/files/hijackthis.zip

If you get a 404 error or Access denied, try:
http://216.180.252.218/~spywareinfo....hijackthis.zip

Unzip, double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button.
Click: "Save Log" (generates "hijackthis.log")

Next, HijackThis | Config [button] | Misc Tools [button]
Click: Generate StartupList log [button] (generates "startuplist.txt")

Next, go to the below location:
http://www.spywareinfo.com/forums/

Sign in, then copy and paste both files in your message.

HijackThis Quick Start Help
http://www.tomcoyote.org/hjt/

The Tutorial if you want to know more about the results or the .log file.
http://www.merijn.org/htlogtutorial.html
_______________________________________



Henri Leboeuf
Web page: http://www.colba.net/~hlebo49/index.htm
===
"Stan Hilliard" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Mon, 3 May 2004 08:10:58 -0400, "H Leboeuf"
> <(E-Mail Removed)> wrote:
>
> >Was this tool bar installed on your computer at one time?
> >AtHoc http://www.athoc.com/site/products/portalToolbar.asp
> >More: http://www.safer-networking.org/inde...ats&detail=297
> >More: http://siliconvalley.internet.com/ne...hp/3531_479951
>
> I did not (voluntarily) have that tool bar. But the article in link
> (3) implies (I think) that if I did it might not be visible to me.
>
> (1) The first link is to a page that apparently does not exist at this
> time.
>
> (2) The second link tries to download a file, but I don't know what
> the file is.
>
> (3) The third link is to an article that I find interesting because it
> reminds me of a button (inactive now) on my website from NetMind
> Mind-It.
>
> The dead button is on this page:
>
> http://samplingplans.com/latestchanges.htm
>
> When the button worked, visitors to that page would be informed by
> email from NetMind any time that the page changed.
>
> I think that the button went inactive when NetMind was bought out and
> they stopped making it free and I didn't pay.
>
> Stan Hilliard
>
> ===
> >Henri Leboeuf
> >Web page: http://www.colba.net/~hlebo49/index.htm
> >===
> >"Stan Hilliard" <(E-Mail Removed)> wrote in message
> >news:(E-Mail Removed).. .
> >> I thought that I has solved the problem of the first IE6 instance
> >> after dialup hanging -- by uninstalling/reinstalling the google
> >> toolbar.
> >>
> >> That worked for a while, but the next day the problem was back. I made
> >> it go away again by again uninstalling/reinstallihg the google
> >> toolbar.
> >>
> >> Spybot S&D finds file AtHoc.log in the root directory dated 1/15/01,
> >> 138KB. What is that?
> >>
> >> Spybot also flagged Windows Media Player, but that doesn't sound to me
> >> like something bad.
> >>
> >> I changed the ZoneAlarm firewall settings for RPCSS and Windows
> >> Explorer to allow them to access the Internet as servers -- since they
> >> kept trying to do that. Is that a problem?
> >>
> >> Sincerely, Stan Hilliard
> >>
> >> =================
> >> On Sat, 01 May 2004 13:26:15 -0500, Stan Hilliard
> >> <(E-Mail Removed)> wrote:
> >>
> >> >On Fri, 30 Apr 2004 21:38:04 +0800, "Sandi - Microsoft MVP"
> >> ><(E-Mail Removed)> wrote:
> >> >
> >> >>Stan,
> >> >>
> >> >>First, *why* is ZoneAlarm blocking all internet access?
> >> >
> >> >The internet lock doesn't prevent all internet access. But having it
> >> >on blocks all incoming and outgoing attempts on any port except for
> >> >the programs that are specifically set to pass the lock.
> >> >
> >> >>For IE freezing issues check out the advice at the URL below:
> >> >>http://www.mvps.org/inetexplorer/answers3.htm#freezing
> >> >
> >> >Thanks. I did.
> >> >
> >> >>You have not provided enough information about the Notepad error.
> >> >
> >> >I was using NoteTAB. I just noticed what happened but do not have any
> >> >additional information.
> >> >
> >> >>rpcss.exe is a legitimate file; do not rename it. There is no way to
> >tell
> >> >>whether a legitimate file, or malware, is using it. If you rename it
in
> >> >>Win98 you'll have weird problems pop up all over the place. If you
> >rename it
> >> >>in later OS, you kill your computer.
> >> >
> >> >I will leave it alone. Right now the ZoneAlarm firewall is set to
> >> >allow RPCSS to start and access the internet, but not as a server. Is
> >> >that a good setting?
> >> >
> >> >>IMPORTANT: Before trying to remove spyware, download a copy of
LSPFIX
> >from
> >> >>the URL below - some malware can kill your internet connection when
it
> >is
> >> >>removed, and this software should get things going for you again:
> >> >>http://www.cexx.org/lspfix.htm
> >> >
> >> >Thanks. I did.
> >> >
> >> >>Get yourself a copy of BHODemon, available at
> >> >>http://www.definitivesolutions.com/bhodemon.htm .
> >> >>
> >> >>It does not need installing - simply unzip and run the EXE programme.
It
> >is
> >> >>very easy to use. It will often find the following hijackware DLL
> >files,
> >> >>and give you the ability to disable them easily.
> >> >
> >> >Thanks. BHODemon only detects my Google toolbar.
> >> >
> >> >However, prior to running BHODemon , earlier today, I noticed that my
> >> >Google toolbar was missing from the IE6 screen. So I uninstalled it
> >> >and then downloaded a new toolbar and installed it.
> >> >
> >> >Since I uninstalled/installed the Google toolbar I have not had IE6
> >> >freeze! It used to always freeze on the first load after making a
> >> >dialup connection.
> >> >
> >> >This seems to have fixed the freeze problem -- at least temporarily.
> >> >
> >> >>Many people like AdAware, available at www.lavasoft.de. Make sure you
> >keep
> >> >>the signature files up to date and remember, AdAware only removes the
> >> >>current install; it can't do anything about software that reinstalls
> >itself
> >> >>(unless you want to get stuck in an endless loop of
> >> >>hijack/cleanout/hijack/cleanout). Sometimes you will have to track
down
> >and
> >> >>remove the software that keeps putting the hijackware back - hence
this
> >> >>advice section. Warning: AdAware is now version 6.181. All previous
> >> >>versions are NO LONGER SUPPORTED and will not be updated.
> >> >
> >> >Yes, I have Ad-aware 6.181 and I run every week. It always finds
> >> >something.
> >> >
> >> >>The more experienced user can try Spybot. Again, it is a free
programme
> >> >>which can be downloaded from: http://spybot.eon.net.au/. Warning: it
is
> >NOT
> >> >>a good programme for the inexperienced. If you want to use this
> >programme,
> >> >>please get the advice of those more experienced before 'fixing'
anything
> >> >>that it finds.
> >> >
> >> >I have started using Spybot S & D. It found five things that Ad-aware
> >> >didn't.
> >> >
> >> >>Go to the link below to check your system for parasites (supplied by
> >> >>Doxdesk.com):
> >> >>http://www.mvps.org/inetexplorer/parasite.htm
> >> >
> >> >Thanks.
> >> >
> >> >>Another excellent programme that allows you to examine your system
and
> >> >>*create a results log for experts to examine* is HijackThis,
available
> >from:
> >> >>http://www.tomcoyote.org/hjt/
> >> >
> >> >I have this.
> >> >
> >> >>Download and run the latest version of "Cool Web Shredder"
> >> >>http://www.merijn.org/files/CWShredder.exe
> >> >
> >> >Thanks.
> >> >
> >> >>Here is advice specific to:
> >> >>home page hijackings
> >> >>http://www.mvps.org/inetexplorer/answers.htm#home_page
> >> >
> >> >Thanks.
> >> >
> >> >>pop-up ads
> >> >>http://www.mvps.org/inetexplorer/data/popup.htm
> >> >
> >> >Thanks.
> >> >
> >> >>search engine hijackings
> >> >>http://www.mvps.org/inetexplorer/ans...#search_engine
> >> >>
> >> >>IMPORTANT: The above programmes are excellent, and a lot of credit
goes
> >to
> >> >>those who authored and update the programmes, but they can NOT detect
> >> >>everything that is out there - as time goes on the programmes will
> >become
> >> >>more and more unwieldy if they try to maintain a standard of positive
> >> >>identification for as much spyware as possible, and it will be harder
> >and
> >> >>harder for the programmes to catch everything that is out there. More
> >and
> >> >>more spyware uses RANDOM names as part of their programme making it
> >> >>impossible for positive identification to occur, therefore....
> >> >>
> >> >>It is VERY IMPORTANT that you learn how to examine your system for
> >potential
> >> >>problems as well as using 'fixit' programme such as AdAware or
Spybot.
> >> >>
> >> >>Check your startup folder and MSCONFIG (startup tab). You can also
> >check
> >> >>the following registry keys and edit as appropriate (if you have
> >experience
> >> >>with same).
> >> >>
> >> >>HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur rentVersion\Run
> >> >>
> >> >>HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur rentVersion\Runonce
> >> >>
> >> >>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cu rrentVersion\Run
> >> >>
> >> >>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cu rrentVersion\Runonce
> >> >>
> >> >>The following link will lead you to some Microsoft KB articles about
the
> >> >>basics of the Registry and working with it:
> >> >>http://www.mvps.org/inetexplorer/answers.htm#Registry
> >> >>
> >> >>An experienced computer technician can use programme such as
AutoStart
> >> >>Viewer for in-depth diagnosis:
> >> >>http://www.diamondcs.com.au/index.php?page=asviewer
> >> >>
> >> >>Empty your IE cache and your other temporary file folders, eg:
> >> >>c:\windows\temp (if using Windows 98) or C:\Documents and
> >> >>Settings\<name>\Local Settings\Temp (the path to your temp folder
will
> >> >>change depending on your name) - sometimes programmes can be hidden
in
> >> >>there - watch out for mysterious *.exe files or *.dll files in those
> >> >>folders.
> >> >>
> >> >>Go to IE Tools, Internet Options, Temporary Internet Files {Settings
> >> >>Button}, View Objects, Downloaded Programme Files. Check for unusual
> >objects
> >> >>there.
> >> >>
> >> >>Go to IE Tools, Internet Options, Accessibility. Make sure there is
no
> >> >>style sheet chosen (under User Style Sheet - format documents using
my
> >style
> >> >>sheet). If the option is turned on, turn it OFF.
> >> >>
> >> >>It is possible to turn off third party extensions (Enable third-party
> >> >>browser extensions (requires restart) at IE tools, internet options,
> >> >>advanced) to disable *all* plug-ins but troubleshooting will be
> >difficult
> >> >>and it is only a BANDAID. Nothing gets fixed. There is software that
> >> >>depends on 'third party browser extensions" to work, including
Acrobat,
> >> >>Microsoft Money, and many other programmes.
> >>
>