# Explorer error message:GWS.DLL



## cyberpumpkin (Apr 10, 2003)

I appreciate any help anyone can offer here. I have windows ME, IE 5.5.


I am getting the error message, "Explorer has caused an error in GWS.DLL. Explorer will now close."

This is preventing me from opening folders on the desktop, or being able to open documents, search, or control panel, from the Start menu.

I have gone through the Microsoft site, looked for fixes, done downloads and upgrades, nothing has helped.

I have searched high and low and posted at several tech sites trying to find someone who is familiar with this error and can help me resolve it, but so far, have been unsuccessful.

I have gotten the following suggestions, and tried them all, unfortunately, none have worked:
Run scan disk
Run system restore
Run msconfig.Startup to search for "GWS" but there is nothing.
Run anti-spyware

Several have suggested doing an internal search for programs or files with "GWS", but I can't access search.

I am at my wits end, I really hope someone will be able to offer assistance. Thanks.

Sincerely,
Pumpkin


----------



## AAPlus (Oct 29, 2001)

Hello,cyberpumpkin & Welcome

Please see if this helps at all 
just Right click on it and select "Merge" from the menu

http://home.earthlink.net/~rmbox/Reticulated/4IE_Only/EXEfix08.reg

Good luck


----------



## cyberpumpkin (Apr 10, 2003)

Hello! I see you have posted a response to my question, which says to right click the link you included and then go to "merge", but I don't get an option of "merge" when I right click. Am I supposed to download the program from the link? It says it affects the registry, can you tell me what the program is?

I apologize for not understanding, I am fairly new to computing and do sincerely appreciate efforts to help me, I am just nervous about doing anything that affects the registry.

Thanks! I tried to send this as a private message, but I couldn't even get THAT to work! Ha ha! Not my day, I guess. I will watch e-mail closely for a response. Thanks again
Pumpkin


----------



## The_Egg (Sep 16, 2002)

According to this google search, gws.dll is associated with a program called GeoWebShare.
Do you have this program installed on your system?

http://www.swegis.com/english/software/geowebshare/gwsver101.asp

The only other reference I could find relates to BEA WebLogic (?)
http://edocs.bea.com
PDF - View as HTML Doc

If you have either of these programs installed, I suggest you either uninstall, or contact their site for updates/support.

The link AAPlus gave you is a registry fix for repairing EXE file association.
http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html

Another thing you can do is to post a StartUpList.
Download and unzip StartUpList, run it, and then copy+paste the result file into a new post here.
We will then be able to tell whether you have any viruses, trojans, spyware/malware present and running, and may be able to offer further assistance from there . . .

Hope this helps


----------



## Mosaic1 (Aug 17, 2001)

First post the StartupList as per The _Egg 
Then also, post a HijackThis List. 
Here's a site with directions on doing that:

http://www.tomcoyote.org/hjt/

Someone will have a look to try and pinpoint it.

After everything has been done.....
(But please wait until you have tried everything else. This may be something in need of uninstall or another problem.)

If nothing else works, try this.

There is Search using a DOS Window. Go to Start>Run and type 
*command *
Press enter.

This will bring up a DOS Window.

To find the location of this particular file type

* cd\*
Press enter

That will take you to a C:\> (C Prompt)

copy and paste this command in: (Paste in a command by copying it and then clicking on the paste icon in the command prompt's toolbar.

*dir /s gws.dll*

The result will be the location of the file unless it's a hidden file. Then DOS won't find it.

You can rename the file by doing this:

Type cd and then surround the path to the file in quotation marks. (The quotes are there in the event there is a space in the path name or a particular name is longer than the dos limit. )

Like this, for example to get to Windows\System

* cd "C:\Windows\system"*
Press enter.
That will take you to a prompt looking like this for example. If the file were in the system folder:

C:\windows\system>

*ren gws.dll gws.old*
Press enter

Here's that last command with the spaces included. (or copy and paste it in)

ren space gws.dll space gws.old

Then please post the information here as to where you found the file.


----------



## cyberpumpkin (Apr 10, 2003)

Hooray! 

The problem is fixed, the only thing different from your instructions was that I couldn't access the file while Windows was on (it came back as "file in use"), so I had to start from the emergency backup disk to avoid Windows startup. Then did DOS commands exactly as you said, and found the file in "C:Windows\System", just like your example.

I can't thank you enough, this has plagued us for nearly a week now, and I have been requesting assistance at many tech message boards. I will go to the places I requested help and post the fix, in case anyone else ever gets in this same jam.

Thank you again, God bless you!

Pumpkin


----------



## Mosaic1 (Aug 17, 2001)

cyberpumpkin,

I'm glad you are ok now, but we really need to know what that was if possible. Did you get a startuplist and hijackthis log before you renamed the file? Renaming the file keeps it from running. Finding out the cause and cleaning up might be better if possible. 

Do you still have the file? If so, please do not delete it. I am going to ask someone to have a look at this. They may want a copy of the file if you wouldn't mind emailing it. 


Mo

EDIT: Also, if you still have the file, could you right click on it and choose properties? What information does it give.


----------



## cyberpumpkin (Apr 10, 2003)

Oh gosh, I will try to help! I so appreciate having this fixed! 

I was just reading your response when my husband, who works an evening shift, awoke, and he read your instructions and actually performed the function, although he did have me watch and explained what was going on, so that I could respond back here. We did not however, run the "hijackthislog". 

How would I go about getting you the information you need? I am SO grateful I will do all I can to be of assistance!

Thanks again!
Pumpkin


----------



## Mosaic1 (Aug 17, 2001)

Here's a link to a page with directions on how to get the logs.

http://www.tomcoyote.org/hjt/

Without the file you renamed I am not sure what they will find. But let's have a look.

Also, if you could find the file and right click on it and choose properties, a page with a little information should come up. It may be of help, or not.

Renaming the file back and creating the logs would be the best way to get information if you are willing. If it turns out to be something nasty. But let's wait and see what the properties say first.

If the file was running, something started it. A look at StartupList would be a very good beginning.

Since renaming the file are you getting an error on Startup?


----------



## cyberpumpkin (Apr 10, 2003)

I will go to the link you provided momentarily, and see what I can find. 

Found renamed file "GWS.OLD" using Search and clicked properties. 

Copyright 2002
Comments is blank.
Company name is blank.
File Version Description is 1,0,0,3
Internal Name is ineb
Language English (United States)
Legal Trademarks is blank
OLE Self Register is $
Original filename is ineb.DLL
Private Build Description is blank
Product name is ineb Module
Product version is 1,0,0,3
Special build description is $

Will report back after visiting the link you provided.

Thanks again!
Pumpkin


----------



## Mosaic1 (Aug 17, 2001)

Please don't delete that file. I think it is a new nasty. ineb is key here. I am going to email some security people. They'll want to have a copy. Thank you so much for coming back to help.

Mo

here's a link regarding ineb.dll

They seem to have renamed the nasty file.

http://www.doxdesk.com/parasite/ILookup.html


----------



## cyberpumpkin (Apr 10, 2003)

I downloaded and ran "Hijackthis" and have the log saved. I see "GlobalWebSearch.com" (an unwanted toolbar that appeared the same time as the problem) says "file missing" so since the abbreviated letters are the same, (GWS) I am guessing this is what brought the problem. I intend to delete the entire program shortly, unless you need any additional information.

I hope this will help you and your security-minded friends. 

Again, I can't thank you enough for this, my whole family uses the computer daily, and things were getting pretty ugly around here!

Thanks again!
Pumpkin


----------



## Mosaic1 (Aug 17, 2001)

I think it would be wise for youy to Download Spybot Search and Destroy.
Install Spybot.

Rename the file back. 
Run Spybot to clean it out.

Reboot. See if things are OK.

If not, run HijackThis and post the log here. It will show and we can use it to clean up everything. It's best to do it right.

Sorry. I am not up on all the latest Spyware. I have been dong other things.
Here's a link to Spybot:

http://tomcoyote.org/SPYBOT/

the download link is at the bottom of the page.


----------



## Mosaic1 (Aug 17, 2001)

I posted at a Security board and am waiting to hear if anyone wants the file or not. Would you keep a copy of the renamed file please? 

You should definitely remove the spyware.


----------



## cyberpumpkin (Apr 10, 2003)

I have the lastest version of Ad-Aware (also an anti-spyware program)... will I need to rename the file for it to catch it?

I see in the "Hijackthis" log an awful lot of data, with long strings of numbers, etc. Is all of this information safe to post on a public board? There isn't anything there that a bad hacker could use to break in to my computer? 

(Not that I have nuclear fusion secrets or anything!)

Thanks,
Pumpkin


----------



## Mosaic1 (Aug 17, 2001)

I would rename the file and let it be removed. But first, if you would make a copy and name that copy old. I have not heard back yet. Thanks. 

This definitely smelled of a BHO. The toolbar = Browser Helper Object. And it is. 

I am not up on the latest AdAware. If you have the latest files, let it remove the spyware. See if it does the trick. 

There's nothing in a HT log which would put you in any danger. It just looks very long, I agree.


----------



## cyberpumpkin (Apr 10, 2003)

Hello again!

Sorry for the delay, I had to take care of the family, and give the kids a chance to use the computer, they haven't been able to in nearly a week!

Thank you once again for all of the help. I think the booger must have come with "GlobalWebSearch.com" toolbar which installed itself without permission, along with Xupiter and Radio toolbars.

For anyone who can make good use of it, here is the log file:

Logfile of HijackThis v1.93.0
Scan saved at 4:19:15 PM, on 4/10/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.globalwebsearch.com/ie_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.globalwebsearch.com/ie_search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: (no name) - {765E6B09-6832-4738-BDBE-25F226BA2AB0} - (no file)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: ineb Helper - {FBAA0B9E-A059-43E4-9699-76EB0AEB975B} - C:\WINDOWS\SYSTEM\GWS.DLL (file missing)
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_0_2_4.DLL
O3 - Toolbar: GlobalWebSearch.com Bar - {54A85A38-A699-4AEC-8F88-AB542210C93B} - (file missing)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_0_2_4.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) - 
O16 - DPF: Yahoo! Chat (Java Runtime Environment 1.4.1_01) - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Sincerely,
Pumpkin


----------



## Mosaic1 (Aug 17, 2001)

Is this how you stand currently? Or have you cleaned it up. Let me know and I'll help you finish the job.


----------



## cyberpumpkin (Apr 10, 2003)

It's been such a crazy day...I'm not sure! I will run the log program again and be right back.

Thanks so much!
Pumpkin


----------



## cyberpumpkin (Apr 10, 2003)

Here is the lastest log: (I'm sure it's a mess! LOL!)

Logfile of HijackThis v1.93.0
Scan saved at 10:22:49 PM, on 4/10/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.globalwebsearch.com/ie_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.globalwebsearch.com/ie_search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: (no name) - {765E6B09-6832-4738-BDBE-25F226BA2AB0} - (no file)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: ineb Helper - {FBAA0B9E-A059-43E4-9699-76EB0AEB975B} - C:\WINDOWS\SYSTEM\GWS.DLL (file missing)
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_0_2_4.DLL
O3 - Toolbar: GlobalWebSearch.com Bar - {54A85A38-A699-4AEC-8F88-AB542210C93B} - (file missing)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_0_2_4.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) - 
O16 - DPF: Yahoo! Chat (Java Runtime Environment 1.4.1_01) - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Mosaic1 (Aug 17, 2001)

Here you go,

Find GWS.old and rename it back to gws.dll
Then close all IE windows and all Explorer Windows. BHO's load into memory when you open a window. Run HijackThis and select the items in bold for removal. I added some information at the bottom for you. Also, one I am not sure about. You'll have to have a look at it. If you don't know what it is, remove it too. After you have fixed the selected, reboot. Run HijackThis again. See if it cleaned up everything you selected. Run IE etc and hopefully, you'll be OK. Let us know how you did. Good luck. You said you had run Spyware Removers when you first posted. They seem to have missed a lot. HT won't. After, delete the temporary Internet Files. Tools>Internet Options> Temp int files section>Delete files button.

Then go to Internet Options>Programs tab
Click the Reset Web Settings Button to set the default Home and Search pages.
*
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.globalwebsearch.com/ie_search.html
R3 - URLSearchHook: (no name) - {765E6B09-6832-4738-BDBE-25F226BA2AB0} - (no file)
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: ineb Helper - {FBAA0B9E-A059-43E4-9699-76EB0AEB975B} - C:\WINDOWS\SYSTEM\GWS.DLL (file missing)
O3 - Toolbar: GlobalWebSearch.com Bar - {54A85A38-A699-4AEC-8F88-AB542210C93B} - (file missing)

O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab
*

More information on cleaning up this one: Let HT do it and then check this out.A lot of people have these things. You'd be surprised hw they sneak in. 
R3 - URLSearchHook: (no name) - {765E6B09-6832-4738-BDBE-25F226BA2AB0} - (no file)

http://www.doxdesk.com/parasite/AdultLinks.html

More info on this one:
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
http://www.doxdesk.com/parasite/IPInsight.html

I cannot find any information on this one. Do you know what it is?

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL

After, I would suggest you use Spybot search and Destroy.

Here's that link again:

http://tomcoyote.org/SPYBOT/

Come back again tomorrow and we'll help you get some information on protecting yourself from some of these things.


----------



## cyberpumpkin (Apr 10, 2003)

Thank you!

I will follow your instructions and report back tomorrow!

Good night!


----------



## Mosaic1 (Aug 17, 2001)

Great. See you then. Good night and good luck. I have some jelly beans calling me. LOL Thanks for sending the file. It looks like new information on an old nasty.


----------



## cyberpumpkin (Apr 10, 2003)

Hello!

Beautiful day here, I was out enjoying the spring weather!

I have run my AdAware anti-spyware and deleted lots of stuff.

I have followed your instructions and run the HiJackThis program, deleting the items you listed.

The log file following the deletions is:

Logfile of HijackThis v1.93.0
Scan saved at 4:39:48 PM, on 4/11/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_0_2_4.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_0_2_4.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_0_2_4.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) - 
O16 - DPF: Yahoo! Chat (Java Runtime Environment 1.4.1_01) - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Do you see anything there that I still need to remove? I also ran Add/Remove programs, and got rid of some junk, but there are things that I know are on the machine that I do not want, but they are not listed. Also get message when trying to remove some programs (like Juno, our former ISP) that it can't locate, so can't remove. How do I get it off the program list? I saw something called "Internet 404" that I can't figure out what it is - any idea? I left it alone in case it is something important! LOL!

I really appreciate the help! I want to get all the uneeded/unwanted programs and files removed, as we only have a 10 gig hard drive and it is quite full.

Thank you so much!

Pumpkin


----------



## Mosaic1 (Aug 17, 2001)

You're very welcome.

That HijackThis log looks great. So long as you want Yahoo as your search page. If not, you can change that.

Internet 404 Where was that? Add/remove programs?

If there are entries in Add/remove programs for programs you no longer have and have uninstalled, you can use 
TWEAKUI to remove them from the list in there. The Add/Remove programs list is actually a list of uninstallers retrieved from the regsitry. Sometimes that key isn't cleaned up when a program is removed. However, if you do still have the program on the drive and the uninstall in Add/Remove programs doesn't work, post back.

Here's a link to TWEAKUI:
http://www.microsoft.com/ntworkstation/downloads/PowerToys/Networking/NTTweakUI.asp
Follow the directions to install. Open Control panel and find the TWEAKUI icon. Double click to open TWEAKUI.

Click the Add Remove Programs tab. Remove those items from the list which no longer exist on the hard drive.


----------



## cyberpumpkin (Apr 10, 2003)

Good evening!

Yes, I like Yahoo as home page, I can catch news headlines or check my Yahoo mail.

I have Tweak UI, so I ran it and got rid of the things like Juno, which had been uninstalled but still showed on the list. I also ran the "Repair" functions, as we've had a lot of problems with error messages, file associations, etc., so I figured it couldn't hurt! LOL!

I haven't tried any programs yet, but I am hoping this will help. 

I found the "Internet 404" folder (should have thought to do that first! Duh on me - LOL!) and it is a Microsoft HTML Help file, so I will keep it.

I got real brave and searched the registry, and even after running the anti-spyware delete, AND the HiJackThis delete, I STILL found some "GWS" stuff! I checked the long string of numbers against the instruction you so kindly provided me for deletion using HiJackThis, and they were exactly the same! 

I don't know how both removal programs could have missed it, I even ran both a second time, and it went undetected! Mighty tricky little monster! I decided to throw caution to the wind and delete the registry GWS. Nothing bad happened - LOL! How on earth did it get way down in there where even Ad-Aware and HiJackThis missed it?

Once again, let me express extreme gratitude for such great assistance!

Pumpkin


----------



## Mosaic1 (Aug 17, 2001)

GWS is a new variant on an old file. Very possibly there will have to be some changes made at Ad-Aware to upgrade their signatures so it is detected.

Just like Anti virus programs, Spyware removers have to constantly keep up with all the changes made by the Spyware Writers. That was very brave of you to go into the registry and also very smart. To check up on how and if things were cleaned up.

Here's the thing. When you run HijackThis it unregisters a dll. But if that dll is missing, it cannot do that. So you are left with entries in the registry. I wonder if you remembered to rename gws.dll back from gws.old. If not ,that would explain HijackThis leaving behind entries. Unregistering a dll is done by reading a certain section of code contained in that dll. If the file cannot be found and read, The registry entries cannot be removed using this method. 

Also, did you find out what this was?

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL


----------



## cyberpumpkin (Apr 10, 2003)

I am so glad that it wasn't a GIANT mistake to check and delete the registry item! LOL! Yes, I renamed the file (unfortunately I had to go back and UN-rename it long enough to get HiJackThis onto the desktop, as I was unable to access it once the file was renamed - LOL!) 

THEN, I did rename the GWS to DLL from OLD and ran the delete programs after the rename. So perhaps it was an earlier version, but that long string of numbers (whatever THAT is! LOL!) matched exactly, which is what gave me the confidence to do the registry delete.

Despite the deletions, and running TweakUI to try to repair other errors, I am still not able to upgrade to IE 6, which I have tried to do several times. I always get this error saying the file is in another location (I will attach picture of the error message). 

I am assuming is from a long time ago in a galaxy far, far away (sorry, couldn't help myself) when husband split drive into C and D, then decided to reformat and make it all C again. He simply copied everything onto disks, and reloaded it all after wiping the disk clean, though. 

We have a lot of "ghost" files that think they are still in D. I attempted to locate and rename or change path on as many as I could, but I obviously didn't get them all. Is there any way to locate all of the things that "think" they are still on D, which no longer exists, and gently let them know that they have moved home to C?

I have located the, "O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL" file, but it's properties give no information at all. I can make a copy and send you if you'd like? I am happy to do whatever I can!

Thanks again,
Pumpkin


----------



## Mosaic1 (Aug 17, 2001)

Delete that lnk and start the Download fresh.

Sure. I'll be here a while if you want to email me the file in question.


----------



## cyberpumpkin (Apr 10, 2003)

I e-mailed the DLL file and 3 .dat files that were in he same folder to you. Hope you can make heads or tails of it.

I am having problems locating the link to delete it. 

I searched and got over 1,000 results, then cut out a few of the words and got it down to about 200, so I am still refining the search to locate the link. Once I find it I will delete it, and hope for the best!

Any ideas on how to "fix" the stuff that thinks it is still in D?

Thanks a million!

Pumpkin


----------



## Mosaic1 (Aug 17, 2001)

I emailed you a link to a site which explains what that was.l

For those items which think they are in D I need more information. You do have folders for them? But the registry points to D? You do not have folders for them on the C Drive, but the registry points to D? I am a bit confused.


----------



## Mosaic1 (Aug 17, 2001)

After opening this file in a Hex editor, I think you should just run 
HijackThis and select it. Then Fix it. I am going to send it to a friend for more inspection.

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL

It's a definite nasty. I had a closer look in a decompiler. It has references to huntbar. And trafficSyndicate. Spyware for certain. Get rid of it. I am going to send it to Mike at SpywareInfo.

Also, 'Internet 404' is a part of it. REmove all of that too. Look in AddRemove and use the uninstaller if it works. Then run HijackThis.

Here's a link to information on it's cousin:

http://www.doxdesk.com/parasite/HuntBar.html


----------



## cyberpumpkin (Apr 10, 2003)

Will do! 

I am glad you were able to get some information about it...hopefully it will help others.

On the Windows Update front lines, things are grim. I checked the link that you sent, (thank you), but I am unable to locate this darned file. 

I find it in the msconfig StartUp Utility, and I have unchecked it, because it is so annoying to have it pop up every time we reboot, but the location it gives does not have this file! I tried just going to the Microsoft Windows Update page, and re-downloaded IE6setup, but it fails after about 90% install. Tried it 3 times. It has a second option for "if setup failed", but it too fails (again after 3 unlucky tries) - LOL!

I have reloaded our ME disk, but it still doesn't correct the problem. 

Curiously, the Windows Update page shows my previous update history as ending way back in August 2002, and I know we have gotten updates since then, so I am even more confused now (if that is possible!)

I am also bewildered when checking regedit. Yesterday, I found stuff that was listed as being in D drive, but didn't touch any of it. Now I don't get that. Is it possible that Tweak UI corrected the "ghost files"? If it did though, I don't know why this darned IE update is still screwy. 

Aaargh. Going to have very large bowl of ice cream - LOL!

If you have any ideas on any of this, I would love to hear. I have really enjoyed all of your help and appreciate it tremendously.

Will check back in tomorrow. Have a great evening!

Ben and Jerry, here I come,
Pumpkin


----------



## Mosaic1 (Aug 17, 2001)

You cannot copy Program Folders. you have to install Programs. The registry is what connects the information and makes everything work.

I would say reinstall anything giving you problems. Reinstall into the same folders. If you have a program named something in C:\program files\ something, reinstall it to C:\program files\something. This will rewrite the registry entries. Reboot. See if that one works. If not, you may have to do some major registry cleaning or try to find a utility which moves programs.
As for windows update, you might have the same type of thing going on. Install the updates you need.

If you cannot upgrade IE, try again. If no joy after a bit, we may have to look at using a utilityh called IEradicator. Let's not jump the gun on that though. There are considerations. Like no IE and you have to get on the internet. So you
ll need to either install Win ME on top of itself or get an IE install disk to install it after. Ieradicator also removes the Java Virtual Machine, so that would need to be reinstalled. 
Sometimes wiping out IE and starting fresh can clear out the cobwebs.


EDIT: Which file can't you find? Something form the doxdesk link I sent? I only sent that to show you the similarities to the file you have and its cousin. Sorry if I confused you. I wanted to go slowly because you have more issues and when there are new files with posible spyware issues, deleting them is losing them forever. The information you have provided will be extremely helpful. 

We'll get your computer fixed. At the moment, eat more ice cream and just let's go at this slowly. Maybe we'll get lucky and Ie will install correctly. If not, we have alternatives. Do not go off and overinstall windows though. If you have a newer IE version than the origianal which came with Win ME , you could end up with an unbootable Windows.


----------



## cyberpumpkin (Apr 10, 2003)

Greetings!

Whew! Whatta day! I live on a farm and had to do lots of work outside today. Am now v-e-r-y grubby, need to clean up and fix dinner, then probably lay my aching bones down! LOL!

I will check back in tomorrow. 

Hope you have a great Saturday night!

Pumpkin


----------



## cyberpumpkin (Apr 10, 2003)

Hello! Sorry for the long delay, the first yard work of the season always wears me out and makes me ache! LOL!

I am one of those awful procrastinators who is still working on their taxes, so I won't be able to do anything with the computer tonight, but I do look forward to getting the problems with it corrected, and will check in tomorrow. Thanks again for all your help and patience with me!
Pumpkin


----------



## Saeiful_boy (May 22, 2003)

Please... can someone teach me from the start....
I'm having trouble with this GWS.DLL...
I Dont know what to do even I followed the order...
Maybe I do all the thing but I didn't know if it was right...
Please teach me with a full instruction like teaching a boy who was at first day in school.... I need a quick reply.... or Someone can email me at [email protected] .... please... I'm In hurry .... or I will be cooked.... Help me
Ibeg someone...


----------



## cyberpumpkin (Apr 10, 2003)

Hello!
I was given wonderful assistance by the people here. Can you please explain what type of problem the GWS.DLL is causing you? Are you unable to open folders? If you could please give a clear explanation of what is wrong, or not working like it used to, I am sure some help can be found.

Thank you and good luck!


----------



## Saeiful_boy (May 22, 2003)

Its okay cyber pumpkin..... I already fix it.... Thank you because teach on how to fix this gws.dll problem... Shock haa.... No, u didn't teach me but u teach other people and i read it and learn... about an hour... than walla... my computer back to normal....

Can you teach me more about on how to fix computer problem...\





anything..... Iwill appreciate it.....


----------



## classylassy (May 28, 2003)

This thread was very useful and i would like to thank all for the info included here. I have the gws.dll on my pc.. i have renamed it as suggested to gws old. but(sorry little bit confused) how do i go about clearing the whole thing off my system, I found it a bit difficult to understand where i should go next to do this. I dont know anythign about spy stuff. Thanks a billion


----------



## TonyKlein (Aug 26, 2001)

Hi, and welcome to the board!

Please do the following:

Download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.
Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

That ought to get rid of most of your spyware.

When you've done all that, go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

It will possibly show other issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

Cheers,


----------



## classylassy (May 28, 2003)

Thanks Tony for your reply,
I hope that by clicking on the post reply button at the topR/H side of this page is the right thing to do
Question..... Should i rename the gws old file back to its original name of gws.dll? before i run the spybot (and if so how exactly do i do that)??

And as for do NOT fix anything im not sure I know how,,,, but with all these things that seem to happen im learning fast...lol


----------



## TonyKlein (Aug 26, 2001)

You can rename back gds.old to gds.dll before running SpyBot

Just go here: http://www.tomcoyote.org/SPYBOT/

That will explain exactly how to go about it.

After having SpyBot remove all it finds, run Hijack This and post a log, like I explained.
Just wait for advice on what to do with what Hijack This dug up.


----------



## classylassy (May 28, 2003)

thanks Tony... i ran the spy bot b4 renaming the gws file.. Silly me am not sure how to rename it back so that the spybot picks it up..
Am assuming i can do a search and then rename it????

However spybot picked up lots a stuff anyway,,, thanks

Originally renamed it thru the start/run/command,, 

sorry to be a pest but am not up on this stuff..


----------



## TonyKlein (Aug 26, 2001)

You're doing fine! 

Would you now please run Hijack This, and post that log?

That will allow us to remove a few crumbs SpyBot might have left behind.


----------



## cyberpumpkin (Apr 10, 2003)

I am so glad that the wonderful folks here at this board are willing to share their expertise! I would never have gotten my computer straightened out without their wonderful help. Just follow their instructions carefully, and they will get all those things you don't want on your computer taken care of!

Good luck!


----------



## classylassy (May 28, 2003)

Thank u Tony
ok I think i have done all the right things.
heres the log from hi jack this.......

Logfile of HijackThis v1.94.0
Scan saved at 8:09:18 AM, on 5/31/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.GlobalWebSearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.GlobalWebSearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.GlobalWebSearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.GlobalWebSearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.searchalot.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_2_7.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_2_7.DLL
O3 - Toolbar: (no name) - {337D0C1D-4053-4FAB-AF2B-45C2F7B0FAA6} - (no file)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SecondChance] C:\PQSC\PROGRAM\SCTRAY.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Mentor (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
O12 - Plugin for .hpb: C:\PROGRA~1\INTERN~1\PLUGINS\nphpipb.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {48C20DEE-B00A-11D4-9B2F-0060975D990E} (Hi2Lobby Class) - http://217.205.42.204/lobby/atlclient.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://www.paltalk.com/prod/RegDload.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37646.5230439815
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
O16 - DPF: Yahoo! Gin (Yahoo! Companion) - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
O16 - DPF: Yahoo! Pool 2 (Yahoo! Companion) - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbuddy.com/characters/caesar.exe
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.2/win/PulsePlayer5.2AxWin.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4C759EC6-96BD-4551-A320-E61A1D68437F} - http://209.189.52.77/toolbar/gws.cab

That GWS thing at the bottom looks alittle dodgy to me!!let alone the global web s at the top!!!

What do i need to ged rid of now 

Would like to say thanks again...And maybe will be able to help 
out others with this problem... now that im getting to learn all about this stuff too.. A big thanks to pumpkin again!!!


----------



## TonyKlein (Aug 26, 2001)

Thanks! 

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, shut down _all_ browser Windows, and have HT fix all checked.

*R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.GlobalWebSearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.GlobalWebSearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.GlobalWebSearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.GlobalWebSearch.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.searchalot.com

O3 - Toolbar: (no name) - {337D0C1D-4053-4FAB-AF2B-45C2F7B0FAA6} - (no file)

O15 - Trusted Zone: http://free.aol.com

O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbuddy.com/characters/caesar.exe
O16 - DPF: {4C759EC6-96BD-4551-A320-E61A1D68437F} - http//209.189.52.77/toolbar/gws.cab*

Cheers,


----------



## classylassy (May 28, 2003)

Thanks Tony

I did as u said.. everything seems to be running smoother now.

Have learnt a lot Thanks!!!! 

Clever stuff this HT... i had been looking for a way to get rid of the unwanted bit on O/E view/toolbars...now i know..

Thanks once again,,,

Cheers,, have a pint on me!!

I think im all done now,, not only that,, now i can do it myself and cant let u continue the brilliant job u are doing ,, HELPING PEOPLE.

Fantastic job,, must take up lots of your time... Full time job!!!

Best wishes
Shirley


----------



## TonyKlein (Aug 26, 2001)

You're welcome, Shirley. Glad to hear that helped!


----------



## Unregistered (Jul 30, 2002)

went to command promt and gave a command:
c:\windows\system\regsvr32 /u gws.dll - Success
It got resolved.
My E mail id is [email protected]


----------



## classylassy (May 28, 2003)

Am glad its now resolved.. It seems this gws.dll is a growing concern.

Maybe u should also give spybot a go and have it remove all it finds,, as per previous postings.

http://www.tomcoyote.org/SPYBOT/


----------



## feli_l89 (Jun 8, 2003)

i have globalwebsearch toolbar installed on iz own and oso xupiter...i want to delete it.. how do i do it? i cant locate it in the c drive..? there is also the gain adserver thing.


----------



## feli_l89 (Jun 8, 2003)

i have globalwebsearch toolbar installed on iz own and oso xupiter...i want to delete it.. how do i do it? i cant locate it in the c drive..? there is also the gain adserver thing.


----------



## TonyKlein (Aug 26, 2001)

Hi, and welcome to the board. 

Please do the following:

Download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.
Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

That ought to get rid of most of your spyware.

When you've done all that, go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

It will possibly show other issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

Cheers,


----------



## classylassy (May 28, 2003)

Thanks tony

Such a helpful guy

Beat me to it lol

Have a great day!!


----------



## IrishTCG (Jun 12, 2003)

Thanks to all the folks that contributed to this problem. I had the same thing happen to me. It was a royal pain in the but to say the least I was rakin my brain like crazy. After I renamed the gws file I got two more dll's and an ocx file that popped up as error. I renamed those to old as well and presto everything works. I was so desperate I almost went to pay someone to fix this thing. 

AGHHHHHHHHH DOWN WITH SPYWARE!!!!!!!!!!!!!!!

hahaha thanks again to you all

IrishTCG (Tim)


----------



## classylassy (May 28, 2003)

its good to know that others problems solve 'others' problems.
Quite something knowing that WE ARE NOT ALONE..
And so satisfying to find the problem and sort it yourself... and learning along the way..
Good luck


----------



## CDobard (Jun 16, 2003)

I am having this problem as well can anyone help me out. I am not computer savy but I am willing to learn.


----------



## Top Banana (Nov 11, 2002)

Download HijackThis. Unzip, run, "Scan", "Scan" changes to "Save log". Save the log and copy and paste the HijackThis log into your next post.

Do not fix anything in HijackThis. Most entries will be harmless.


----------



## CDobard (Jun 16, 2003)

Logfile of HijackThis v1.94.0
Scan saved at 8:13:21 PM, on 6/16/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL=http://www.searchnow.ws/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://search.bisextop.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://search.bisextop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://search.bisextop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=*.r3.attbi.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://search.bisextop.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
O2 - BHO: ineb Helper - {FBAA0B9E-A059-43E4-9699-76EB0AEB975B} - C:\WINDOWS\SYSTEM\GWS.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: GlobalWebSearch.com Bar - {54A85A38-A699-4AEC-8F88-AB542210C93B} - C:\WINDOWS\SYSTEM\GWS.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~4.DLL,NewDotNetStartup
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Personal Firewall\NISUM.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - Startup: USDM.LNK = C:\WINDOWS\SYSTEM\USDM.CPL
O4 - Startup: CLEANSWEEP SMART SWEEP-INTERNET SWEEP.LNK = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: HTMButton - http://hounet.interealty.com/HOU/cab/HTMButton.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4C759EC6-96BD-4551-A320-E61A1D68437F} (Inst Class) - http://209.189.52.77/toolbar/gws.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


----------



## Top Banana (Nov 11, 2002)

Go to Add/Remove and remove New.net from your computer. Not related to your problem but I imagine it's unrequired. Do this offline.

Scan with HijackThis, put a checkmark at and "Fix checked" *all* the following entries.

Close Internet Explorer before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL=http://www.searchnow.ws/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://search.bisextop.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://search.bisextop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://search.bisextop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.globalwebsearch.com/ie_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://search.bisextop.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: ineb Helper - {FBAA0B9E-A059-43E4-9699-76EB0AEB975B} - C:\WINDOWS\SYSTEM\GWS.DLL
O3 - Toolbar: GlobalWebSearch.com Bar - {54A85A38-A699-4AEC-8F88-AB542210C93B} - C:\WINDOWS\SYSTEM\GWS.DLL
O16 - DPF: {4C759EC6-96BD-4551-A320-E61A1D68437F} (Inst Class) - http://209.189.52.77/toolbar/gws.cab

To restore Search and Home Pages...

Internet Explorer > Tools > Internet Options > Programs > Reset Web Settings.


----------



## CDobard (Jun 16, 2003)

Thank you so much that has fixed my problem!!!!

Everyone at this site is great and I will recommend to my Friends.

CDF


----------



## CDobard (Jun 16, 2003)

One thing though, It seems that my computer is now stuck in safe mode where the icons are enormous as well as well I right Click I get a strange error that which I continue to click to get to the properties function.


Why are these things happening.


----------



## Top Banana (Nov 11, 2002)

Restart your computer. If no good, is there an error message?


----------



## CDobard (Jun 16, 2003)

No error message,

I have restarted a few times now.


----------



## CDobard (Jun 16, 2003)

I have Figured out the problem.

Thank for everything Top Banana


----------



## Top Banana (Nov 11, 2002)

:up:


----------



## gwsdll (Jun 18, 2003)

Very Simple Fix.

Just visit http://www.globalwebsearch.com/faq.html and download uninstall.zip and bottom of page.

That's it!


----------



## pammy jo (Jun 19, 2003)

I am having the same problem x 2. I have a globalwebsearch.com bar AND a searchbus.com bar and IE 6 will only open as the home page at www.searchbus.com . There are tons of obsene pop up windows that come along with the package. Although the computer is working ok, I can't let my kids in the room or let them use it!

I already d/l and ran spybot search and destroy (which found mega stuff to delete, but not searchbus or globalwebsearch)

I really thank you all so much in advance for helping with this problem. I have been going crazy for 2 weeks and have been on the phone with Compaq for HOURS each night for 3 nights. They almost had me restore my computer to it's original state last night and I would have lost all my data/programs etc. !!

Luckily we finally got my computer up and running ok. I ran regclean, but was leary on what to delete????

I followed the advice I read here and d/l hijackthis and here is the log:

Logfile of HijackThis v1.94.0
Scan saved at 5:28:11 PM, on 6/19/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.searchbus.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchbus.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchbus.com/ie_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.searchbus.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searchbus.com/ie_search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searchbus.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\SDPH20.DLL
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: sbus Helper - {19A447BA-9C2E-4864-93F5-A0645229771E} - C:\WINDOWS\SYSTEM\SBUS.DLL
O2 - BHO: ineb Helper - {FBAA0B9E-A059-43E4-9699-76EB0AEB975B} - C:\WINDOWS\SYSTEM\GWS.DLL
O3 - Toolbar: SearchBus.com Bar - {1B13BF1B-A528-4CC4-B5BF-553CAA6487AC} - C:\WINDOWS\SYSTEM\SBUS.DLL
O3 - Toolbar: GlobalWebSearch.com Bar - {54A85A38-A699-4AEC-8F88-AB542210C93B} - C:\WINDOWS\SYSTEM\GWS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .hpb: C:\PROGRA~1\INTERN~1\PLUGINS\nphpipb.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Dialpad Java Applet (CV3 Class) - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/virusscan/mgavinst.cab
O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
O16 - DPF: {351CF0CE-B05A-11D2-ABD9-00104B685417} (PWImageControl Class) - http://ebay.sj.ipixmedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://128.11.20.135/tools/WONWebLauncherControl.cab
O16 - DPF: {D30CAFF0-087B-11D3-82D8-006094695CEC} (McAfee PC Clinic FaManager Class) - http://download.mcafee.com/molbin/Clinic/FirstAid/FACheck/mgfactl.cab
O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee Clinic TreeView Class) - http://download.mcafee.com/molbin/Shared/MGTree.cab
O16 - DPF: {2E3811E9-5504-11D0-A1C4-444553540000} (Tree.PracticeTree) - http://www.prestage.com/ActiveX/holeshot.cab
O16 - DPF: {F8DCFE8E-7B2B-4FF8-B8A7-A52B6C4B0170} (AvzPrintingComponent Class) - http://nesteggz.about.com/NEUtility/PrintingComponents/AvzPrintingActiveX.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0410.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,55/mcinsctl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37668.2340625
O16 - DPF: {4C759EC6-96BD-4551-A320-E61A1D68437F} (Inst Class) - http://209.189.52.77/toolbar/gws.cab

I will look forward to your directions on what to 'fix'. THanks soooo much.... I can't wait to tell all my friends and sister about this site!!!

pammy jo


----------



## Top Banana (Nov 11, 2002)

Scan with HijackThis, put a checkmark at and "Fix checked" the following entries.

Close all browser windows before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.searchbus.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchbus.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchbus.com/ie_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.searchbus.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searchbus.com/ie_search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searchbus.com/ie_search.html
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\SDPH20.DLL
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: sbus Helper - {19A447BA-9C2E-4864-93F5-A0645229771E} - C:\WINDOWS\SYSTEM\SBUS.DLL
O2 - BHO: ineb Helper - {FBAA0B9E-A059-43E4-9699-76EB0AEB975B} - C:\WINDOWS\SYSTEM\GWS.DLL
O3 - Toolbar: SearchBus.com Bar - {1B13BF1B-A528-4CC4-B5BF-553CAA6487AC} - C:\WINDOWS\SYSTEM\SBUS.DLL
O3 - Toolbar: GlobalWebSearch.com Bar - {54A85A38-A699-4AEC-8F88-AB542210C93B} - C:\WINDOWS\SYSTEM\GWS.DLL
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://128.11.20.135/tools/WONWebLauncherControl.cab
O16 - DPF: {4C759EC6-96BD-4551-A320-E61A1D68437F} (Inst Class) - http://209.189.52.77/toolbar/gws.cab


----------



## pammy jo (Jun 19, 2003)

Top Banana!! You are the B*E*S*T!! 

You replied faster than I could get a pizza delivered and it WORKED LIKE A CHARM!!!!! 

I can't believe it! Thanks so much!! If there is anything I can do to help you out, please let me know. 

How often should I use spybot search/destroy or hijackthis for maintainance? Or should I just save them for emergencies like this one?? 

This site is ACE and Top Banana certainly earned his/her name!!!


----------



## Top Banana (Nov 11, 2002)

Good work pammy jo  

Spybot Search and Destroy can be run as often as you want. At least once a week sounds good. Some people scan every day. It's up to you. Update it before every scan.

HijackThis is a very useful tool used for troubleshooting on various tech forums. It is not a spyware detection program. It lists both good and bad entries.

If you have any probs in the future, visit here. Someone is always willing to help.


----------



## pammy jo (Jun 19, 2003)

Hi, It's me again. I don't know if this minor problem is from the 'fix' we did above, or from something that Compaq had me do when they TRIED to help me to no avail, but .....and it's just annoying, but not life or death......

When my dial up connection window comes up, I have to type my password each time even though I put the check mark in "save my password". The next time, it's gone and I have to type it again. I was so used to clicking connect without even thinking that it's annoying to have to type password each time. 

My isp had me go into start-settings-control panel- network> and then had me "add" "client for microsoft networks" as my "primary network logon" and then reboot...but when that didn't work, he gave up!?

any ideas would be greatly appreciated! Thanks.


----------



## TonyKlein (Aug 26, 2001)

Pammy Jo,

Go to Start/Find/Files or Folders, and type *.pwl in the 'named' field. 
Delete the files with the *.pwl extension that come up.

Now reboot

You should now get the login box. Type your name and password, or leave the password field blank for no password. 
Click OK.

Try making a Dial-Up Networking connection, and see whether your password's retained.

If no joy, do this:

Download the attached Dialuppw.txt, save the file anywhere you like as (rename to) Dialuppw._reg_ (save as 'all file types') .

Doubleclick Dialuppw.reg, and answer 'yes' when prompted to add its contents to the Registry.

Reboot when you're done.
That ought to do the trick.

Also, here are two articles:

Dial-Up Networking Password Is Not Saved

Damaged Password List File Does Not Save Passwords

Good luck,


----------



## pammy jo (Jun 19, 2003)

Thanks Tony!! I did the first step, but there were NO files with *.pwl to delete....but I did the download ......rebooted...and it did save my password. Thanks a BILLION!!

I am putting this site as one of my HOTLINKS!! You guys are fantastic. 

I will recommend this site to anyone!. Fast>accurate>friendly> Helpful! What more could a girl want????


----------



## pammy jo (Jun 19, 2003)

ps. Tony. Thanks for translating all that "greek" in the articles you attatched into English for me. Had I just found those articles I would have been to Chicken to try anything for fear that I didn't understand all that garble in the teeny tiny print. 

Your instructions were clear, consise and to the point. Thanks again! 

pammy jo


----------



## TonyKlein (Aug 26, 2001)

Glad to hear we were able to help.


----------



## Saeiful_boy (May 22, 2003)

I had install a new WindowsXp program into my notebook....
After I finished the installation the program still running (FYI I'd install it in dos prompt at the startup)

After that... I try logged on to Windows
It's succesful... but there is a problem....
There is some file that have been missing...
and tha main thing that is my SOUND SYSTEM CANNOT BEEN USED...
it said that the Intel(r) AC'97 Audio Controller are missing or corrupted.... I try to reinstall it but it said there were an error and something bout recyle... redudency... arghhh... I don't what it is... but can some help me.....


----------

