Is there a new instance of Cool Web Search out???
Working on a PC running WinME
Cleaned up 99% of spyware, but cannot get rid of this one piece. It keeps redirecting the start page to: res://vpqpa.dll/index.html#96676
I've run HJT, CWShredder, Ad-Aware SE 1.03, Spybot 1.3, and am running Regmon & Filemon to see if I can catch it in the act.
I tried searching for the affected DLL file and removing the contents of that file, which is a workaround I came across after googling this. I've also gone through the registry looking for anything unusual (found some things and removed them, but still no help).
Current hjt log:
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ADDJA32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\APIQS32.EXE
C:\WINDOWS\APIQS32.EXE
C:\WINDOWS\MSMN.EXE
C:\WINDOWS\MSMN.EXE
C:\WINDOWS\SYSTEM\MFCUA32.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\NTJD32.EXE
C:\WINDOWS\NTJD32.EXE
C:\WINDOWS\MFCWE.EXE
C:\WINDOWS\APIQS32.EXE
C:\WINDOWS\SYSTEM\SDKXO32.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\APIQS32.EXE
C:\WINDOWS\MSMN.EXE
C:\WINDOWS\APINI32.EXE
C:\WINDOWS\SYSTEM\WINMA32.EXE
C:\WINDOWS\APINI32.EXE
C:\WINDOWS\APINI32.EXE
C:\WINDOWS\SYSTEM\IPVU32.EXE
C:\WINDOWS\SYSTEM\ADDJA32.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\SYSUQ.EXE
C:\WINDOWS\APINI32.EXE
C:\WINDOWS\MFCZO.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\CRDV32.EXE
C:\WINDOWS\APINI32.EXE
C:\WINDOWS\APINI32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SYSUQ.EXE
C:\WINDOWS\MSKD.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\MSJS32.EXE
C:\WINDOWS\DESKTOP\CRC\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vpqpa.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpqpa.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpqpa.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vpqpa.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vpqpa.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\vpqpa.dll/sp.html#96676
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.2001.0001\EN-US\MSNTB.DLL (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {80C09E0C-DC98-3D11-008B-5D71E905BA5C} - C:\WINDOWS\SYSTEM\NETVW32.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.2001.0001\EN-US\MSNTB.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINMA32.EXE] C:\WINDOWS\SYSTEM\WINMA32.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CRPH.EXE] C:\WINDOWS\SYSTEM\CRPH.EXE
O4 - HKLM\..\RunServices: [APIQS32.EXE] C:\WINDOWS\APIQS32.EXE
O4 - HKLM\..\RunServices: [MSMN.EXE] C:\WINDOWS\MSMN.EXE
O4 - HKLM\..\RunServices: [APINI32.EXE] C:\WINDOWS\APINI32.EXE
O4 - HKLM\..\RunServices: [IPVU32.EXE] C:\WINDOWS\SYSTEM\IPVU32.EXE
O4 - HKLM\..\RunServices: [ADDJA32.EXE] C:\WINDOWS\SYSTEM\ADDJA32.EXE
O4 - HKLM\..\RunServices: [SYSUQ.EXE] C:\WINDOWS\SYSTEM\SYSUQ.EXE
O4 - HKLM\..\RunServices: [MFCZO.EXE] C:\WINDOWS\MFCZO.EXE
O4 - HKLM\..\RunServices: [CRDV32.EXE] C:\WINDOWS\SYSTEM\CRDV32.EXE
O4 - HKLM\..\RunServices: [MSKD.EXE] C:\WINDOWS\MSKD.EXE
O4 - HKLM\..\RunServices: [MSJS32.EXE] C:\WINDOWS\SYSTEM\MSJS32.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
I've removed the R0's and R1's, but they keep returning.
I'm also a little suspicious of:
C:\windows\system\crph.exe
C:\windows\apiqs32.exe
C:\windows\MSMN.exe
I'm not sure exactly what these are, but none of them exist within those directories.
Thanks for any help and not screaming at me for the long post.
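
As an added example (not part of the original post), a small Python triage of a HijackThis log like the one above: it lists the Internet Explorer page values that point at a res:// URL inside a local DLL, and the O4 autorun entries whose executable appears more than once in the process list. The sample lines are copied from the post; treating multi-instance autoruns as worth a closer look is an assumption of this example, not a verdict on any file.

```python
import re
from collections import Counter

# Sample input: a few lines taken from the log in the post above.
SAMPLE_LOG = r"""
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\APIQS32.EXE
C:\WINDOWS\APIQS32.EXE
C:\WINDOWS\MSMN.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vpqpa.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpqpa.dll/index.html#96676
O4 - HKLM\..\Run: [WINMA32.EXE] C:\WINDOWS\SYSTEM\WINMA32.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CRPH.EXE] C:\WINDOWS\SYSTEM\CRPH.EXE
O4 - HKLM\..\RunServices: [APIQS32.EXE] C:\WINDOWS\APIQS32.EXE
O4 - HKLM\..\RunServices: [MSMN.EXE] C:\WINDOWS\MSMN.EXE
"""

PROC_LINE = re.compile(r"^[A-Za-z]:\\.+\.(exe|dll|tsk)$", re.IGNORECASE)
R_LINE = re.compile(r"^(R[0-3]) - (.+?),(.+?) = (.*)$")
O4_LINE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")
RES_URL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)

def triage(log_text):
    """Return res:// page hijacks and autoruns that run in several copies."""
    procs, hijacks, autoruns = Counter(), [], []
    for line in map(str.strip, log_text.splitlines()):
        if PROC_LINE.match(line):
            procs[line.upper()] += 1          # count instances per image path
        elif (m := R_LINE.match(line)):
            res = RES_URL.match(m.group(4))
            if res:                           # page served from inside a local DLL
                dll = res.group(1).split("\\")[-1].lower()
                hijacks.append((m.group(1), m.group(2).split("\\")[0], m.group(3), dll))
        elif (m := O4_LINE.match(line)):
            autoruns.append((m.group(1), m.group(2), m.group(3).upper()))
    # Heuristic (assumption of this example): an autorun image that is running
    # in more than one copy deserves a closer look.
    respawning = sorted({path for _, _, path in autoruns if procs[path] > 1})
    return {
        "res_dlls": sorted({h[3] for h in hijacks}),
        "hijacked_values": hijacks,
        "multi_instance_autoruns": respawning,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```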