Greatsearch.biz problem and other oddities

Discussion in 'adware, spyware & hijack cleaning' started by malcs, May 20, 2004.

Thread Status:
Not open for further replies.
  1. malcs

    malcs, Registered Member (Joined: May 20, 2004; Posts: 3; Location: London, Great Britain)

    Hi, I managed to get greatsearch.biz which I cannot get rid of, but I've also got other problems which arrived at the same time. I cannot open Windows Explorer, Control Panel or Printers. (When I try to print it says that no printer is found on LPT1.) Each of them starts opening a window and then hangs. I've checked the latest AVG antivirus (and got rid of a couple of viruses) and reinstalled Win98SE (which made no difference). And Spybot Search and Destroy didn't make any difference.

    Help!!!!!

    Logfile of HijackThis v1.97.7
    Scan saved at 12:43:21, on 20/05/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\PV92TRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    D:\COPY\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PowerQuest Startup Utility] C:\Program Files\PowerQuest\PartitionMagic4\UTILITY\MMOVER32\PQINIT.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [PV92TRAY] PV92TRAY.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
    O4 - Startup: Restart.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.natwestisp.net/entrance/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=www.viewpoint.com
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
     
  2. Unzy

    Unzy, Registered Member (Joined: Nov 2, 2003; Posts: 1,098; Location: Belgium)

    Hi malcs,

    Can you please download this zip :

    http://tools.zerosrealm.com/pv.zip

    Please unzip it to the desktop. It will not work if you run it from inside the zip.

    After unzipping, go to the desktop. Open the pv folder. Double-click runme9x.bat.

    A DOS window will open. Please select option 1 for explorer DLLs by typing 1 and then pressing Enter.

    Notepad will open with a log in it. Please copy and paste the log into this post.

    Thnx!

    Cheers,
     
  3. malcs

    Hi, I found that I cannot open PV on the desktop (again it starts opening a window, displays partial information and then hangs) so I unzipped it to a folder and used Start Run. The output you wanted is:


    Module information for 'EXPLORER.EXE'
    MODULE BASE SIZE PATH
    CFGMGR32.DLL 7f810000 45056 C:\WINDOWS\SYSTEM\CFGMGR32.DLL 4.10.1998 Configuration Manager Win32 Interface
    NTDLL.DLL bfee0000 20480 C:\WINDOWS\SYSTEM\NTDLL.DLL 4.10.1998 Win32 NTDLL core component
    MSI.DLL 24400000 1708032 C:\WINDOWS\SYSTEM\MSI.DLL 1.10.1029.1 Windows Installer
    WSOCK32.DLL 75fa0000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL 4.10.1998 BSD Socket API for Windows
    MSWSOCK.DLL 794d0000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL 4.10.2222 Microsoft WinSock Extension APIs
    WS2_32.DLL 76000000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL 4.10.2222 Windows Socket 2.0 32-Bit DLL
    WS2HELP.DLL 75fe0000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL 4.10.1998 Windows Socket 2.0 Helper for Windows 98
    ES.DLL 71720000 114688 C:\WINDOWS\SYSTEM\ES.DLL 1998.09.1003.0 COM+ EventSystem Library
    OLEAUT32.DLL 65340000 610304 C:\WINDOWS\SYSTEM\OLEAUT32.DLL 2.40.4514
    SENS.DLL 60100000 90112 C:\WINDOWS\SYSTEM\SENS.DLL 5.50.4134.600 System Event Notification Service (SENS)
    ESTIER2.DLL 71770000 61440 C:\WINDOWS\SYSTEM\ESTIER2.DLL 1998.09.1003.0 COM+ EventSystem Service Library
    ESSHARED.DLL 71750000 65536 C:\WINDOWS\SYSTEM\ESSHARED.DLL 1998.09.1003.0 COM+ EventSystem Shared Utilities
    SHFOLDER.DLL 718e0000 32768 C:\WINDOWS\SYSTEM\SHFOLDER.DLL 5.50.4134.600 Shell Folder Service
    WININET.DLL 70200000 487424 C:\WINDOWS\SYSTEM\WININET.DLL 5.50.4134.600 Internet Extensions for Win32
    TAPI32.DLL 7f960000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL 4.10.2222 Microsoft® Windows(TM) Telephony API Client DLL
    NETAPI32.DLL 7f990000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL 4.10.1998 32-bit network API DLL
    NETBIOS.DLL 7f840000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
    RPCRT4.DLL 70100000 335872 C:\WINDOWS\SYSTEM\RPCRT4.DLL 4.71.2900 Remote Procedure Call DLL
    SYSTEM32.DLL 8f0000 32768 C:\WINDOWS\SYSTEM32\SYSTEM32.DLL
    COMDLG32.DLL 7fe10000 184320 C:\WINDOWS\SYSTEM\COMDLG32.DLL 4.72.3510.2300 Common Dialogs DLL
    WEBCHECK.DLL 70320000 270336 C:\WINDOWS\SYSTEM\WEBCHECK.DLL 5.50.4134.600 Web Site Monitor
    MYDOCS.DLL 792f0000 69632 C:\WINDOWS\SYSTEM\MYDOCS.DLL 4.72.3510.2300 My Documents Folder UI
    SHD401LC.DLL 880000 61440 C:\WINDOWS\SYSTEM\SHD401LC.DLL 5.50.4134.600 Shell Doc Object and Control Library - IE 4.01 compat
    LINKINFO.DLL 7fb80000 36864 C:\WINDOWS\SYSTEM\LINKINFO.DLL 4.10.1998 Windows Volume Tracking
    MPR.DLL 7fbf0000 57344 C:\WINDOWS\SYSTEM\MPR.DLL 4.10.1998 WIN32 Network Interface DLL
    BROWSEUI.DLL 71110000 823296 C:\WINDOWS\SYSTEM\BROWSEUI.DLL 5.50.4134.600 Shell Browser UI Library
    AVGOERUN.DLL 10000000 45056 C:\PROGRAM FILES\GRISOFT\AVG6\AVGOERUN.DLL 6, 0, 0, 286 AVG extension for Outlook Express 5 helper
    SHDOC401.DLL 50000000 507904 C:\WINDOWS\SYSTEM\SHDOC401.DLL 5.50.4134.600 Shell Doc Object and Control Library - IE 4.01 compat
    OLE32.DLL 65f00000 790528 C:\WINDOWS\SYSTEM\OLE32.DLL 4.71.2900 Microsoft OLE for Windows and Windows NT
    SHDOCVW.DLL 70fe0000 1159168 C:\WINDOWS\SYSTEM\SHDOCVW.DLL 5.50.4134.600 Shell Doc Object and Control Library
    MSVCRT.DLL 78000000 278528 C:\WINDOWS\SYSTEM\MSVCRT.DLL 6.00.8797.0 Microsoft (R) C Runtime Library
    SHELL32.DLL 7fcb0000 1400832 C:\WINDOWS\SYSTEM\SHELL32.DLL 4.72.3612.1700 Windows Shell Common Dll
    EXPLORER.EXE 400000 180224 C:\WINDOWS\EXPLORER.EXE 4.72.3110.1 Windows Explorer
    COMCTL32.DLL bfb70000 581632 C:\WINDOWS\SYSTEM\COMCTL32.DLL 5.81 Common Controls Library
    SHLWAPI.DLL 70bd0000 311296 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 5.50.4134.600 Shell Light-weight Utility Library
    USER32.DLL bff50000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.10.2222 Win32 USER32 core component
    GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL 4.10.1998 Win32 GDI core component
    ADVAPI32.DLL bfe80000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.80.1675 Win32 ADVAPI32 core component
    KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.2222 Win32 Kernel core component



    Thanks for your time.
     
  4. Unzy

    aaaah!

    SYSTEM32.DLL 8f0000 32768 C:\WINDOWS\SYSTEM32\SYSTEM32.DLL

    That's the one!

    Listen it's very late, I'm gonna grab some sleep and help out first thing in the morning!

    Cheers,
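
Added example, not part of the original thread: a small triage script for a module listing like the one posted above. It flags modules loaded from outside the Windows 9x system directories and modules with no version or description text, the two properties that set the SYSTEM32.DLL row apart. The function names and the `SYSTEM_DIRS` set (default Windows 98 install paths) are assumptions.

```python
import re

# Assumption: default Windows 98 install paths for the shell and system DLLs.
SYSTEM_DIRS = {r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM"}

# Constructed sample: the header plus five rows copied from the listing in the thread.
SAMPLE = r"""
Module information for 'EXPLORER.EXE'
MODULE BASE SIZE PATH
NETBIOS.DLL 7f840000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
RPCRT4.DLL 70100000 335872 C:\WINDOWS\SYSTEM\RPCRT4.DLL 4.71.2900 Remote Procedure Call DLL
SYSTEM32.DLL 8f0000 32768 C:\WINDOWS\SYSTEM32\SYSTEM32.DLL
AVGOERUN.DLL 10000000 45056 C:\PROGRAM FILES\GRISOFT\AVG6\AVGOERUN.DLL 6, 0, 0, 286 AVG extension for Outlook Express 5 helper
EXPLORER.EXE 400000 180224 C:\WINDOWS\EXPLORER.EXE 4.72.3110.1 Windows Explorer
"""

def parse_modules(text):
    """Split each row into name, base, size, path and trailing version/description."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or not re.fullmatch(r"[0-9a-fA-F]+", parts[1]) or not parts[2].isdigit():
            continue  # header, blank or malformed line
        name, base, size, rest = parts
        # Paths may contain spaces, so find the end of the path via the module's own file name.
        end = rest.upper().find("\\" + name.upper())
        if end < 0:
            continue
        end += 1 + len(name)
        rows.append({"name": name, "base": int(base, 16), "size": int(size),
                     "path": rest[:end], "meta": rest[end:].strip()})
    return rows

def triage(text):
    """Return (name, path, reasons) for flagged modules, most reasons first."""
    findings = []
    for m in parse_modules(text):
        reasons = []
        folder = m["path"].rsplit("\\", 1)[0].upper()
        if folder not in SYSTEM_DIRS:
            reasons.append("loaded from outside the Win9x system directories")
        if not m["meta"]:
            reasons.append("no version or description text")
        if reasons:
            findings.append((m["name"], m["path"], reasons))
    return sorted(findings, key=lambda f: -len(f[2]))

if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE):
        print(f"{name:14} {path}  <- " + "; ".join(reasons))
```

On the sample rows, NETBIOS.DLL and AVGOERUN.DLL each trip one check and SYSTEM32.DLL trips both, so a single reason is a lead to verify rather than a verdict.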
     
  5. Unzy

    Ok,

    Restart PC in Safe Mode (Here's How) and remove:

    C:\WINDOWS\SYSTEM32\SYSTEM32.DLL <- this dll

    Then open HijackThis and fix all greatsearch entries again

    Open registry :

    start -> run -> type regedit and press enter

    press ctrl+f

    in the find box type greatsearch and press enter

    rightclick + delete all entries found

    press F3 to find next

    When done close registry and clean temp internet files

    Restart again in normal mode

    Update IE asap at windowsupdate.com

    Finally you can merge this quote with the registry :

    Open notepad and copypaste quote into it :

    hit save as
    give it the name clear.reg
    under the filename set file types to all files.
    save it to the desktop.

    After done double click the clear.reg
    when asked to merge say yes

    Hope this helps

    Cheers,
     
  6. malcs

    Hi,

    Thanks!!!! It's absolutely brilliant!!! Everything's working fine now.

    How is it that you do all this for free? You could probably charge for your great service!

    On a different track, can you recommend any free anti-spam software that is reliable and only gets rid of spam? There seem to be so many different ones around - some must be better than others. I'm getting about 150 spam e-mails every day.

    Thanks again.
     
  7. Unzy

    Ah that's great to hear :)

    Glad we were able to help and good job cleaning up

    As for the spam in your email, it's a real plague; nothing can really be done about it, unless you contact your ISP and ask if they have a spam filter option you can subscribe to.

    Take care

    Cheers,
     