Is there a new instance of Cool Web Search out???

  1. #1 pinhead (Registered User, Pennsylvania, joined Jul 2002, 114 posts)

    Is there a new instance of Cool Web Search out???

    Working on a PC running WinME.
    Cleaned up 99% of the spyware, but I cannot get rid of this one piece. It keeps redirecting the start page to: res://vpqpa.dll/index.html#96676

    I've run HJT, CWShredder, Ad-Aware SE 1.03 and Spybot 1.3, and I'm running Regmon & Filemon to see if I can catch it in the act.

    I tried searching for the affected DLL file and removing the contents of that file, which is a workaround I came across after Googling this. I've also gone through the registry looking for anything unusual (found some things and removed them, but still no help).

    Current hjt log:

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\ADDJA32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\APIQS32.EXE
    C:\WINDOWS\APIQS32.EXE
    C:\WINDOWS\MSMN.EXE
    C:\WINDOWS\MSMN.EXE
    C:\WINDOWS\SYSTEM\MFCUA32.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\NTJD32.EXE
    C:\WINDOWS\NTJD32.EXE
    C:\WINDOWS\MFCWE.EXE
    C:\WINDOWS\APIQS32.EXE
    C:\WINDOWS\SYSTEM\SDKXO32.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\APIQS32.EXE
    C:\WINDOWS\MSMN.EXE
    C:\WINDOWS\APINI32.EXE
    C:\WINDOWS\SYSTEM\WINMA32.EXE
    C:\WINDOWS\APINI32.EXE
    C:\WINDOWS\APINI32.EXE
    C:\WINDOWS\SYSTEM\IPVU32.EXE
    C:\WINDOWS\SYSTEM\ADDJA32.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\SYSUQ.EXE
    C:\WINDOWS\APINI32.EXE
    C:\WINDOWS\MFCZO.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\CRDV32.EXE
    C:\WINDOWS\APINI32.EXE
    C:\WINDOWS\APINI32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\SYSUQ.EXE
    C:\WINDOWS\MSKD.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\MSJS32.EXE
    C:\WINDOWS\DESKTOP\CRC\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vpqpa.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpqpa.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpqpa.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vpqpa.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vpqpa.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\vpqpa.dll/sp.html#96676
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.2001.0001\EN-US\MSNTB.DLL (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {80C09E0C-DC98-3D11-008B-5D71E905BA5C} - C:\WINDOWS\SYSTEM\NETVW32.DLL
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.2001.0001\EN-US\MSNTB.DLL (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [WINMA32.EXE] C:\WINDOWS\SYSTEM\WINMA32.EXE
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [CRPH.EXE] C:\WINDOWS\SYSTEM\CRPH.EXE
    O4 - HKLM\..\RunServices: [APIQS32.EXE] C:\WINDOWS\APIQS32.EXE
    O4 - HKLM\..\RunServices: [MSMN.EXE] C:\WINDOWS\MSMN.EXE
    O4 - HKLM\..\RunServices: [APINI32.EXE] C:\WINDOWS\APINI32.EXE
    O4 - HKLM\..\RunServices: [IPVU32.EXE] C:\WINDOWS\SYSTEM\IPVU32.EXE
    O4 - HKLM\..\RunServices: [ADDJA32.EXE] C:\WINDOWS\SYSTEM\ADDJA32.EXE
    O4 - HKLM\..\RunServices: [SYSUQ.EXE] C:\WINDOWS\SYSTEM\SYSUQ.EXE
    O4 - HKLM\..\RunServices: [MFCZO.EXE] C:\WINDOWS\MFCZO.EXE
    O4 - HKLM\..\RunServices: [CRDV32.EXE] C:\WINDOWS\SYSTEM\CRDV32.EXE
    O4 - HKLM\..\RunServices: [MSKD.EXE] C:\WINDOWS\MSKD.EXE
    O4 - HKLM\..\RunServices: [MSJS32.EXE] C:\WINDOWS\SYSTEM\MSJS32.EXE
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab

    I've removed the R0s and R1s, but they keep returning.

    I'm also a little suspect of:

    C:\windows\system\crph.exe
    C:\windows\apiqs32.exe
    C:\windows\MSMN.exe

    I'm not sure exactly what these are, but none of them exist within those directories.

    Thanks for any help and not screaming at me for the long post.

  2. #2 NooNoo (Driver Terrier, UK, joined Dec 2000, 31,824 posts)
    Jeepers, it would be quicker to list what to keep from that lot!!!!

  3. #3 NooNoo (Driver Terrier, UK, joined Dec 2000, 31,824 posts)
    End the process tree on these running processes, then find the files they refer to and delete them. You will need System Restore off and hidden and system files showing.

    C:\WINDOWS\SYSTEM\ADDJA32.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\APIQS32.EXE
    C:\WINDOWS\APIQS32.EXE
    C:\WINDOWS\MSMN.EXE << backdoor trojan
    C:\WINDOWS\MSMN.EXE
    C:\WINDOWS\SYSTEM\MFCUA32.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\NTJD32.EXE
    C:\WINDOWS\NTJD32.EXE
    C:\WINDOWS\MFCWE.EXE
    C:\WINDOWS\APIQS32.EXE
    C:\WINDOWS\SYSTEM\SDKXO32.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\APIQS32.EXE
    C:\WINDOWS\MSMN.EXE
    C:\WINDOWS\APINI32.EXE
    C:\WINDOWS\SYSTEM\WINMA32.EXE
    C:\WINDOWS\APINI32.EXE
    C:\WINDOWS\APINI32.EXE
    C:\WINDOWS\SYSTEM\IPVU32.EXE
    C:\WINDOWS\SYSTEM\ADDJA32.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\SYSUQ.EXE
    C:\WINDOWS\APINI32.EXE
    C:\WINDOWS\MFCZO.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\CRDV32.EXE
    C:\WINDOWS\APINI32.EXE
    C:\WINDOWS\APINI32.EXE
    C:\WINDOWS\SYSTEM\SYSUQ.EXE
    C:\WINDOWS\MSKD.EXE
    C:\WINDOWS\SYSTEM\CRPH.EXE
    C:\WINDOWS\SYSTEM\MSJS32.EXE

    Now have HijackThis kill ALL of this. You will need to reinstall the Google toolbar and Flash afterwards.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vpqpa.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpqpa.dll/index.html#96676 <<< find the dll and delete it
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpqpa.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vpqpa.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vpqpa.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\vpqpa.dll/sp.html#96676
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.2001.0001\EN-US\MSNTB.DLL (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {80C09E0C-DC98-3D11-008B-5D71E905BA5C} - C:\WINDOWS\SYSTEM\NETVW32.DLL
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.2001.0001\EN-US\MSNTB.DLL (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [WINMA32.EXE] C:\WINDOWS\SYSTEM\WINMA32.EXE
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [CRPH.EXE] C:\WINDOWS\SYSTEM\CRPH.EXE
    O4 - HKLM\..\RunServices: [APIQS32.EXE] C:\WINDOWS\APIQS32.EXE
    O4 - HKLM\..\RunServices: [MSMN.EXE] C:\WINDOWS\MSMN.EXE
    O4 - HKLM\..\RunServices: [APINI32.EXE] C:\WINDOWS\APINI32.EXE
    O4 - HKLM\..\RunServices: [IPVU32.EXE] C:\WINDOWS\SYSTEM\IPVU32.EXE
    O4 - HKLM\..\RunServices: [ADDJA32.EXE] C:\WINDOWS\SYSTEM\ADDJA32.EXE
    O4 - HKLM\..\RunServices: [SYSUQ.EXE] C:\WINDOWS\SYSTEM\SYSUQ.EXE
    O4 - HKLM\..\RunServices: [MFCZO.EXE] C:\WINDOWS\MFCZO.EXE
    O4 - HKLM\..\RunServices: [CRDV32.EXE] C:\WINDOWS\SYSTEM\CRDV32.EXE
    O4 - HKLM\..\RunServices: [MSKD.EXE] C:\WINDOWS\MSKD.EXE
    O4 - HKLM\..\RunServices: [MSJS32.EXE] C:\WINDOWS\SYSTEM\MSJS32.EXE
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pu...ash/swflash.cab

    Dear me.... can you say 0wn3d??
    Never, ever approach a computer saying or even thinking "I will just do this quickly."
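
    The script below is an added example for this thread, not code from the thread, from HijackThis or from any tool named in it. It parses the HJT log format shown in the posts (the running-process list and the R0/R1, O2 and O4 lines), extracts the DLL that the res:// start-page and search-page values load, and turns the order NooNoo lays out above into a checklist: end the process trees first, delete the dropped files, have HijackThis fix the entries, then delete the DLL. The embedded log is a constructed, trimmed copy of the one posted in this thread; the random-name heuristic, the drop-directory list and the phase labels are this example's own assumptions, not anything HijackThis does.

```python
"""Triage a HijackThis log for a res:// start-page hijack and emit a removal order.
Added example for this thread, not code from the thread or from HijackThis."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample: a trimmed copy of the log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\SYSTEM\CRPH.EXE
C:\WINDOWS\APIQS32.EXE
C:\WINDOWS\MSMN.EXE
C:\WINDOWS\SYSTEM\WINMA32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vpqpa.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpqpa.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpqpa.dll/index.html#96676
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {80C09E0C-DC98-3D11-008B-5D71E905BA5C} - C:\WINDOWS\SYSTEM\NETVW32.DLL
O4 - HKLM\..\Run: [WINMA32.EXE] C:\WINDOWS\SYSTEM\WINMA32.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CRPH.EXE] C:\WINDOWS\SYSTEM\CRPH.EXE
O4 - HKLM\..\RunServices: [APIQS32.EXE] C:\WINDOWS\APIQS32.EXE
O4 - HKLM\..\RunServices: [MSMN.EXE] C:\WINDOWS\MSMN.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
"""

PROC_LINE = re.compile(r"^[A-Z]:\\", re.IGNORECASE)          # lines of the running-process list
RES_URL = re.compile(r"res://([^/]+)/", re.IGNORECASE)       # captures the module a res: URL loads
R_LINE = re.compile(r"^R[0-3] - (?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
# Assumptions for this example: the hijacker's files in the thread are 3-6 letters,
# optionally "32", dropped straight into the Windows or System directory of a WinME box.
RANDOM_NAME = re.compile(r"^[A-Z]{3,6}(32)?\.(EXE|DLL)$", re.IGNORECASE)
DROP_DIRS = {r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM"}

def basename(path: str) -> str:
    return re.split(r"[\\/]", path.strip())[-1]

def looks_dropped(path: str) -> bool:
    """Random-looking name sitting directly in a drop directory, with no vendor path."""
    parent = path.strip().rsplit("\\", 1)[0].upper()
    return parent in DROP_DIRS and bool(RANDOM_NAME.match(basename(path)))

@dataclass
class Triage:
    hijacked_entries: List[str] = field(default_factory=list)   # R0/R1 values pointing into a DLL
    hijack_dlls: Set[str] = field(default_factory=set)          # basenames those res:// URLs load
    hijack_dll_paths: Set[str] = field(default_factory=set)     # full paths the log gives for them
    suspicious_bhos: List[str] = field(default_factory=list)    # O2 lines loading a dropped DLL
    autostart_lines: List[str] = field(default_factory=list)    # O4 lines to have HJT fix
    suspicious_autostarts: Dict[str, str] = field(default_factory=dict)  # BASENAME -> full path
    processes_to_kill: Dict[str, int] = field(default_factory=dict)      # full path -> instances

def triage(log_text: str) -> Triage:
    t, running = Triage(), Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROC_LINE.match(line):                 # entry in the "Running processes:" list
            running[line.upper()] += 1
            continue
        m = R_LINE.match(line)
        if m and (res := RES_URL.search(m["data"])):
            # Start/search page served out of a DLL resource: the hijack itself.
            module = res.group(1)
            t.hijacked_entries.append(line)
            t.hijack_dlls.add(basename(module).lower())
            if "\\" in module:                    # full-path form; the bare form only names the DLL
                t.hijack_dll_paths.add(module)
        elif (m := O2_LINE.match(line)) and looks_dropped(m["path"]):
            t.suspicious_bhos.append(line)
        elif (m := O4_LINE.match(line)) and looks_dropped(m["cmd"]):
            t.autostart_lines.append(line)
            t.suspicious_autostarts[basename(m["cmd"]).upper()] = m["cmd"]
    # Running copies of the dropped autostarts: these keep re-writing the R0/R1 values.
    for proc, count in running.items():
        if basename(proc) in t.suspicious_autostarts:
            t.processes_to_kill[proc] = count
    return t

def removal_plan(t: Triage) -> List[str]:
    """Kill the writers first, or the registry values come straight back after HJT fixes them."""
    plan = [f"[kill] end process tree {p} (x{n})" for p, n in sorted(t.processes_to_kill.items())]
    plan += [f"[delete] {p} (clear hidden/system attributes first; System Restore off)"
             for p in sorted(t.suspicious_autostarts.values())]
    plan += [f"[fix] {l}" for l in t.hijacked_entries + t.suspicious_bhos + t.autostart_lines]
    for dll in sorted(t.hijack_dlls):
        paths = sorted(p for p in t.hijack_dll_paths if basename(p).lower() == dll)
        plan.append("[delete-dll] " + (", ".join(paths) if paths else
                    f"{dll} (bare res:// name: look in the Windows system directory)"))
    return plan

if __name__ == "__main__":
    for step in removal_plan(triage(SAMPLE_LOG)):
        print(step)
```

    The order is the point: the R0/R1 values keep coming back while one of the dropped executables is still running and re-writing them, which is why fixing the entries first gets you nowhere. The name heuristic is applied only to O4 autostart entries and never to the process list, because legitimate files in the same directory (KERNEL32.DLL in the sample) match the same pattern; treat each hit as a lead to confirm, not a verdict, and clear the hidden and system attributes before deleting, since those are the files the poster could not see in Explorer. The bare res://vpqpa.dll form is resolved through the normal DLL search path, which is consistent with the same DLL appearing elsewhere in the log under its full C:\WINDOWS\system path. The O8 Google toolbar line shows that res:// itself is not the tell; only R0/R1 values pointing into a DLL are flagged.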

  4. #4 pinhead (Registered User, Pennsylvania, joined Jul 2002, 114 posts)
    I'm terribly sorry, noo, I had said that these files weren't there when I looked for them. I had show hidden files checked, but forgot to uncheck "hide protected operating system files".

    :Feeling like moron now:

    Thanks for the help, though, I appreciate it.

  5. #5 NooNoo (Driver Terrier, UK, joined Dec 2000, 31,824 posts)
    Anytime.

  6. #6 arch0nmyc0n (Registered User, "It's all relative.", joined Oct 2002, 1,820 posts)
    Quote Originally Posted by pinhead:
    I'm terribly sorry, noo, I had said that these files weren't there when I looked for them. I had show hidden files checked, but forgot to uncheck "hide protected operating system files".

    :Feeling like moron now:

    Thanks for the help, though, I appreciate it.

    I forget that all the time, so you're not the only one!
