Is there a new instance of Cool Web Search out???

**pinhead** · August 17th, 2004, 02:25 PM

Working on a PC running WinME
Cleaned up 99% of spyware, but cannot get rid of this one piece. It keeps redirecting the start page to: res://vpqpa.dll/index.html#96676

I've run hjt, cwshredder, adaware se 1.03, spybot 1.3, running regmon & filemon to see if I can catch it in the act.

I tried searching for the affected dll file and removing the contents of that file which is a workaround I came across after googling this. I've also gone through the registry looking for anything unusual (found some things and removed them, but still no help).

Current hjt log:

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ADDJA32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\APIQS32.EXE
C:\WINDOWS\APIQS32.EXE
C:\WINDOWS\MSMN.EXE
C:\WINDOWS\MSMN.EXE
C:\WINDOWS\SYSTEM\MFCUA32.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\NTJD32.EXE
C:\WINDOWS\NTJD32.EXE
C:\WINDOWS\MFCWE.EXE
C:\WINDOWS\APIQS32.EXE
C:\WINDOWS\SYSTEM\SDKXO32.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\APIQS32.EXE
C:\WINDOWS\MSMN.EXE
C:\WINDOWS\APINI32.EXE
C:\WINDOWS\SYSTEM\WINMA32.EXE
C:\WINDOWS\APINI32.EXE
C:\WINDOWS\APINI32.EXE
C:\WINDOWS\SYSTEM\IPVU32.EXE
C:\WINDOWS\SYSTEM\ADDJA32.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\SYSUQ.EXE
C:\WINDOWS\APINI32.EXE
C:\WINDOWS\MFCZO.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\CRDV32.EXE
C:\WINDOWS\APINI32.EXE
C:\WINDOWS\APINI32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SYSUQ.EXE
C:\WINDOWS\MSKD.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\MSJS32.EXE
C:\WINDOWS\DESKTOP\CRC\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vpqpa.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpqpa.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpqpa.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vpqpa.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vpqpa.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\vpqpa.dll/sp.html#96676
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.2001.0001\EN-US\MSNTB.DLL (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {80C09E0C-DC98-3D11-008B-5D71E905BA5C} - C:\WINDOWS\SYSTEM\NETVW32.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.2001.0001\EN-US\MSNTB.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINMA32.EXE] C:\WINDOWS\SYSTEM\WINMA32.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CRPH.EXE] C:\WINDOWS\SYSTEM\CRPH.EXE
O4 - HKLM\..\RunServices: [APIQS32.EXE] C:\WINDOWS\APIQS32.EXE
O4 - HKLM\..\RunServices: [MSMN.EXE] C:\WINDOWS\MSMN.EXE
O4 - HKLM\..\RunServices: [APINI32.EXE] C:\WINDOWS\APINI32.EXE
O4 - HKLM\..\RunServices: [IPVU32.EXE] C:\WINDOWS\SYSTEM\IPVU32.EXE
O4 - HKLM\..\RunServices: [ADDJA32.EXE] C:\WINDOWS\SYSTEM\ADDJA32.EXE
O4 - HKLM\..\RunServices: [SYSUQ.EXE] C:\WINDOWS\SYSTEM\SYSUQ.EXE
O4 - HKLM\..\RunServices: [MFCZO.EXE] C:\WINDOWS\MFCZO.EXE
O4 - HKLM\..\RunServices: [CRDV32.EXE] C:\WINDOWS\SYSTEM\CRDV32.EXE
O4 - HKLM\..\RunServices: [MSKD.EXE] C:\WINDOWS\MSKD.EXE
O4 - HKLM\..\RunServices: [MSJS32.EXE] C:\WINDOWS\SYSTEM\MSJS32.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab

I've removed the R0's and R1's, but they keep returning.

I'm also a little suspect of:

C:\windows\system\crph.exe
C:\windows\apiqs32.exe
C:\windows\MSMN.exe

I'm not sure exactly what these are, but none of them exist within those directories.

Thanks for any help and not screaming at me for the long post.

Thread: Is there a new instance of Cool Web Search out???

Thread Tools

Display

Threaded View

Is there a new instance of Cool Web Search out???

Similar Threads

Cool Web Search Virus

MSN Search claims to freeze out web spam

Paying search engines to have your site come up higher?

Bookmarks

Bookmarks

Posting Permissions