Hello C.Ners, I am reporting back about the results of my removing this buzzard from my computer. First, I see another person posting, who tried to remove this from his machine, only to find out he can't access the net. BlueFront had suggested to remove all the .tmp file from that folder, he also suggested to remove two other extentions, which were not in my computer. He was right when he said this virus could be working from a temp file. In internet options, connections, lan settings, everytime I removed its web address, it would replace my isp address which I punched in. The problem now is similar to the post of yesterday, it seems that netsetter has been completely removed from my machine, but, somthing is preventing my browser to come on line. Pinging my isp, by name, no response, by web address, I get timed out, I would appreciate further help in tracking down this virus like spyware, again, as always, thank you for your help, charlie

I got mine out very easily....if you are at all familar with dos ur gonna be fine (even if ur not). 1. Go into Dos...I did it right from the Dos prompt in Windows (Start->Programs->MSDOS Prompt) 2. Enter this exactly as you see here.. "%WinDir%\SYSTEM\NSCheck.exe" /uninstall This will uninstall the program through dos, I did a reboot and was clean. This was all thanks to FZWG for his research on the problem. Let me know if it works for you and if not maybe there is anohter way for you.

Thanks Sabre Tigger, FZWG has being helping me throughout. I also got help from BlueFront, DAVEINCAPS and EchoLi, though most of the input was from FZWG. The line you suggested I have not tried, thanks again, charlie

Hi Sabre Tigger, I tried that line three times and my computer rejected the line. It's not an executible command, are you sure this was the exact command you used, thanks again, charlie

Just a recap on some Netsetter/Marketscore removal options. Use as checklist, if you like. Netsetter/MarketScore is spyware/foistware veiled as an "Internet Accelerator". This software causes computers to lose their browsing ability after simply changing how a connection to the Internet is achieved. In computers were Netsetter modifications are done, a browser hijack may occur, and browsing abilities may eventually cease to function, though connections and pings may still be possible. Since Netsetter tags along with so many different pieces of third-party software, it is not uncommon to get re-infected with these products again and again yielding an 'automatic configuration script' setting pointing at the Netsetter domain. Netsetter/Marketscore removal odds are low if it keeps coming back. Apparently there are clandestine files that keep recreating it. After trying several options to remove this beast, sometimes removing files and making registry edits are the only resort. Before proceeding with the following options, ensure all files in the PC are viewed by right clicking on: Start>Explore>View>Folder Options>View tab>Advanced Settings>Files and Folders>Hidden Files: >>>Show All Files\system to change to the C:\\System directory, where represents the directory where Windows is installed. 3. For Windows 98, Windows 98 Second Edition, and Windows Millenium Edition (Me), type nscheck /uninstall. For Windows 2000 and Windows XP type nscheck -uninstall. 4. You may receive the following message: "NSCHECK uninstall successful." The proxy information that was previously stored in the connection settings is now gone and connectivity is restored. Other options to try: If you voluntarily signed up for the service, go back to the Netsetter/Marketscore website, login using the email address and password you used to join, and un-register. Follow the website's instruction for removal. If the Microsoft suggestion: NSCheck /Uninstall did not work, try opening a command window and enter (for Windows 95/98/Me): "%WinDir%\SYSTEM\NSCheck.exe" /uninstall The link: [http://www.marioncomputer.com/internet/Help/netsetter.htm] has the following info: To remove Netsetter In IE: * Click on the Tools Menu. * From the dropdown menu, Click on Internet Options * The Internet Options dialog box will appear. * In the dialog box, click on the "Connections" tab at the top. If you are using Dial-up or a modem: - When the Connections tab appears, look in the area called Dial-Up settings. - Click on the top entry in the list of Dial-Up Settings. - Then, click on the "Settings" button to the right of the listing. - The Dial-Up Settings dialog box will appear. - On this page, 2 fields need to be cleared. - Delete the long string inside the "Address" input box [Probably: http://proxycfg.marketscore.com/] - Uncheck the "Use automatic configuration script" dialog box. - Click on "OK". - If there are multiple entries under the Dial-Up Settings, the last 7 steps will need to be done for each of these. (i.e. click on the entry, click on Settings, remove the settings, click OK) If you are not using Dial-up. - When the Connections tab appears, click on the button "LAN Settings" - The Local Area Network (LAN) Settings dialog box will appear. - On this page, 2 fields need to be cleared. - Delete the long string inside the "Address" input box. - Uncheck the "Use automatic configuration script" dialog box. - This section is done. - Click on "OK". - This will return you to the "Connections" tab. For all users, regardless of connection type: * The Internet Options dialog box should be displayed (If it's not, click on Tools> Internet Options to display) * With the dialog box showing, click on the "General" tab at the top. * When the General tab appears, click on the "Languages" button. * This will open the Languages dialog box. * There you may see several lines under language, some starting with x-ns. * Click on the one in the list that looks like "User Defined [x-ns] ..." (it's probably the 2nd one in the list). * Click on the "Remove" button to the right. * Repeat the last 2 steps for the other "User Defined [x-ns] ... " line Next suggestion is some work with the winsock2 key and/or Registry. At this point, you need to do a Registry back up. The procedure also requires the use of the W98 first edition, second edition, or Millennium CD, or cab files installed on the hard drive. Go to: Control Panel>Add/Remove Programs>Windows Setup Tab, select: Communications>Details. >>>Make note of all items installedNetwork icon>Configuration tab. >>>Make note of the components installedRun, key in: regedit Click OK. Delete the following keys: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remote Access HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\Winsock HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\Winsock2 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services|VxD\MSTCP After all keys are deleted, Restart. Back to: Control Panel>Add/Remove Programs>Windows Setup Tab. Check Communications. Re-instate the entries that were previously installed. Check: Apply. Do not Restart. OK out of Add/Remove Programs. Back to: Control Panel>Network. Also add any components previously installed. Restart. To this point, just about all the Windows communications and networking components were removed, so that Windows had to install new registry keys. Also, Windows had to install original Operating System version files and components, unmodified by third party software. If any version conflicts develop, allow Windows to replace possible corrupt files with fresh ones. This procedure does not replace winsock.dll, wsock32.dll, or rasapi32.dll, which may also be corrupted. Check out the version of each of these dll files to either download them from: http://www.drd.dyndns.org/index2.html or obtain them from the Operating System CD. Use System File Checker utility to extract/replace the files. Items to rule out: Delete the *.tmp files on the hard drive (Do this in DOS). Some of these may contain malicious code for browser hijacking or malware reinstallation. Do a Find>Files and Folders for the following file extensions: *.hta, and also *.jse. If any of these files is found, open in Notepad (or a text editor) and look at the URLs in the file. Delete any Netsetter/Marketscore URL found. Do a Find for: Hosts (not Hosts.sam or Lmhosts). If found, open in Notepad and look at the entries. Delete any reference to the URL doing the hijacking. Rename the Hosts file to something else, like: Ghosts. Reboot. Do a Find in the Registry for each of the following: Netsetter, NSCheck, Ossproxy, or Marketscore. Run: MSConfig, and select the StartUp tab. Look for any entry with: regedit.exe /s If found, disable the entry by un-checking. Again in MSConfig, select the SYSTEM.INI tab. Expand the (+) next to [boot]. Look for: Shell=Explorer.exe. Check to ensure there is nothing following after Eplorer.exe (Example: Shell=Explorer.exe Whatever.exe). If something follows Explorer.exe, delete what follows. Do not delete Explorer.exe!!!!! Exit MSConfig. Reboot. Close all open Internet Explorer windows before effecting any of the changes described above. Reboot after any change. There are some utility programs that claim to detect and/or eradicate Netsetter. Among these are: Ad Aware, Spybot Search and Destroy, and Pest Patrol. (There may be others.) Ad Aware: Download from the Lavasoft website. Run the .exe file to install. After installing Ad Aware, but before running the program, download the Refupdate Utility. It searches for, downloads, and automatically installs the latest ref-files (spyware definitions, etc.) Run the RefUpdate.exe installation file. Once installed, go to Start>Programs, find the LavaSoft Refupdate, and run it. Select: wyvernworks.com as the download server. It is a safe site. Connect, and download the current signature file. When the above is completed, close Internet Explorer, launch Ad Aware, and look at the bottom left corner. It should say: Signature file: 042-24.09.2002 Have all drives and registry scanned. Spybot Search and Destroy: For download, go to: http://www.net-integration.net Create a new folder for Spybot. Download the Spybot program to the folder, run the setup (.exe) file to install the program, and then run the program. Click the "Online" tab and "Search for Updates", then make your selection, and click "Download Updates". Click: Check All to run the scan. After the scan is run, you will see some boxes checked and others not. Remove the checked items. The others are mainly "cleanup" options. Use the Help guide for further guidance on these. Reboot after running Spybot, even if not prompted. Also, there is Pest Patrol, found here: http://www.pestpatrol.com/ Recommendation: If all of the above options produce no joy, there are spyware/malware forums that specialize on this type of issue. There is the Browser Hijacking forum at: http://www.spywareinfo.com/yabbse/ Posting the results of a utility called: Hijack This (available at the same website), and the results of your current Startup configuration (use: StartupList available for download at: http://www.lurkhere.com/~nicefiles/) are recommended. Another forum: SpybotS&D, is located at: http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi If everything fails, Bitte Ein Bit!!!

Hello again FZWG, Again, I appreciate all your help, my computer has been idle for almost 2 weeks. It's a shame companies like this can get away with putting junk in your computer, secretly, and you are deprived of your computer with their hacker-like trash. There should be some law against actions like this, so much for soap boxing, thanks again FZWG, charlie