Yahoo IM coolpics.net problem!!!

Discussion in 'malware problems & news' started by cmanjunath, May 12, 2007.

Thread Status:
Not open for further replies.
  1. cooldeepu1

    cooldeepu1 Registered Member

    Joined:
    Oct 8, 2007
    Posts:
    15
    Sir.
    I am stuck with coolpics too. Need your help desperately. I have no clue how to go about the whole complicated affair, and all the technicalities involved make my head spin. Won't uninstalling the OS and then reinstalling help?
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Sure, but try this first (less complicated).

    Download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C: ) or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Coolpics Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by double-clicking BFU.exe
    • Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select coolpics.bfu
    • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.
    Reboot your computer and check if it worked.
     
  3. cooldeepu1

    cooldeepu1 Registered Member

    Joined:
    Oct 8, 2007
    Posts:
    15
    BFU v1.00.9
    Windows XP SP2, v.2096 (WinNT 5.01.2600 SP2, v.2096)
    Script started at 10:47:23 AM, on 10/10/2007

    Option Delete files to Recycle Bin: Yes
    Failed: ServiceDisable Themes Plug and Play (service not found)
    Failed: ServiceDisable COMSystemApp (service not found)
    Failed: FileSetAttributes C:\WINDOWS\system32\mfc48.dll|A (file not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VB6.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansavgd.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\viremoval.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe|Debugger (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe|Debugger (key not found)
    Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp|Disabled (key not found)
    Failed: RegDelValue HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore|DisableConfig (key not found)
    Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares|shared (key not found)
    Failed: FileDelete C:\DOCUME~1\Deepak\LOCALS~1\Temp\~DF8CCF.tmp (operation failed)
    Script completed.
     
  4. cooldeepu1

    cooldeepu1 Registered Member

    Joined:
    Oct 8, 2007
    Posts:
    15
    Sir.
    I did exactly as suggested by you and posted the log. I have my Task Manager and Run command working. Also, I do not see Coolpics as my homepage in IE any more. But my system has become really slow and takes ages to boot up. Also, Win XP runs some kind of scan to check the C: drive for some FAT 32 thing that takes ages to finish every time I try to boot. I have checked the registry as per your steps but couldn't find the said files, so that seems to be OK, but after the startup scans are done I get a warning which says "Win just recovered from a serious error" or "your damaged registry files have been restored by Win".
     
  5. cooldeepu1

    cooldeepu1 Registered Member

    Joined:
    Oct 8, 2007
    Posts:
    15
    I hereby post you my scan log for ComboFix. Kindly help, sir.

    ComboFix 07-10-07.2 - Deepak 2007-10-10 10:49:57.2 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.53 [GMT 5.5:30]
    Running from: C:\Documents and Settings\Deepak\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
    .

    2007-10-10 10:43 <DIR> d-------- C:\bfu
    2007-10-10 10:15 <DIR> d--hs---- C:\FOUND.003
    2007-10-09 10:43 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2007-10-09 09:50 <DIR> d--hs---- C:\FOUND.002
    2007-10-09 09:23 <DIR> d--hs---- C:\FOUND.001
    2007-10-09 01:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-08 22:39 0 --a------ C:\WINDOWS\nsreg.dat
    2007-10-08 21:29 <DIR> d--h----- C:\WINDOWS\amcdl
    2007-10-08 21:24 <DIR> d-------- C:\Program Files\ACCPAC Player
    2007-10-08 21:02 <DIR> d-------- C:\Documents and Settings\Deepak\Application Data\CyberLink
    2007-10-08 21:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2007-10-08 21:01 <DIR> d--h----- C:\WINDOWS\PIF
    2007-10-08 21:01 <DIR> d-------- C:\WINDOWS\Profiles
    2007-10-08 21:01 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2007-10-08 21:01 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2007-10-08 21:01 <DIR> d-------- C:\Documents and Settings\Deepak\Application Data\InterTrust
    2007-10-08 11:45 <DIR> d--hs---- C:\FOUND.000
    2007-10-07 16:03 <DIR> d-------- C:\Documents and Settings\Deepak\Application Data\Apple Computer
    2007-10-07 16:01 <DIR> d-------- C:\Program Files\QuickTime
    2007-10-07 16:01 <DIR> d-------- C:\Program Files\iTunes
    2007-10-07 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-10-07 15:59 <DIR> d-------- C:\Program Files\iPod
    2007-10-07 15:46 26,624 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
    2007-10-07 14:16 109,568 --a------ C:\WINDOWS\system\cmd.exe
    2007-10-07 14:02 <DIR> d---s---- C:\Documents and Settings\Deepak\UserData
    2007-10-07 13:29 <DIR> d-------- C:\Driver
    2007-10-07 13:07 <DIR> d-------- C:\Program Files\Winamp
    2007-10-07 13:04 <DIR> d-------- C:\Program Files\Common Files\Nero
    2007-10-07 13:03 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
    2007-10-07 13:02 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
    2007-10-07 13:02 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
    2007-10-07 13:02 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
    2007-10-07 13:02 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
    2007-10-07 13:02 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
    2007-10-07 13:02 <DIR> d-------- C:\Program Files\Ahead
    2007-10-07 13:00 306,688 --a------ C:\WINDOWS\IsUninst.exe
    2007-10-07 13:00 <DIR> d-------- C:\Program Files\CyberLink

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-07 12:56 --------- d-------- C:\Program Files\Common Files\L&H
    2007-10-07 12:51 --------- d-------- C:\Program Files\CA
    2007-10-07 12:49 --------- d-------- C:\Program Files\Motorola
    2007-10-07 12:44 294912 --a------ C:\WINDOWS\HideWin.exe
    2007-10-07 12:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-10-07 12:44 --------- d-------- C:\Program Files\Realtek
    2007-10-07 12:44 --------- d-------- C:\Program Files\Common Files\InstallShield
    2007-10-07 12:33 --------- d-------- C:\Program Files\microsoft frontpage
    .

    ((((((((((((((((((((((((((((( snapshot@2007-10-09_ 1.42.48.82 )))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 245,760 2007-10-10 05:19:56 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    ----a-w 163,328 2007-03-13 05:27:12 C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
    .
    ----a-w 245,760 2007-10-07 10:25:04 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2005-05-25 13:07 C:\WINDOWS\RTHDCPL.EXE]
    "SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 15:01]
    "Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-03-12 00:18]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetTaskbar"=0 (0x0)

    R3 PxHelper;PxHelper;\??\C:\WINDOWS\system32\drivers\PxHelper.sys

    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-10 10:51:51
    Windows 5.1.2600 Service Pack 2, v.2096 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-10 10:52:21
    C:\ComboFix-quarantined-files.txt ... 2007-10-10 10:52
    C:\ComboFix3.txt ... 2007-10-08 16:54
    C:\ComboFix2.txt ... 2007-10-09 01:43
    .
    --- E O F ---
     
  6. cooldeepu1

    cooldeepu1 Registered Member

    Joined:
    Oct 8, 2007
    Posts:
    15
    Someone suggested to me that if I download Kaspersky it will take care of the problem. But I have a dial-up connection and hence speed is a constraint for me. Also, this is what Win had to tell me:

    BCCode : c0000218 BCP1 : E1665FD8 BCP2 : 00000000 BCP3 : 00000000
    BCP4 : 00000000 OSVer : 5_1_2600 SP : 2_0 Product : 256_1
     
  7. cooldeepu1

    cooldeepu1 Registered Member

    Joined:
    Oct 8, 2007
    Posts:
    15
    Task Manager seems to be working fine and the registry seems to be clean. But the extra-long (at least 15 mins) scan while starting up is what bothers me. Also, I was denied access to one of my vital partition drives. I had to resort to System Restore to overcome that; lost quite a bit of data though!!! Kindly suggest me something not too complicated, sir, as I am not too comfortable with downloading and running scans and stuff. Have a great day.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Question:

    Did you willingly install HideWin?

    It is a utility used to hide files from Windows, and it could be responsible for Windows not being able to find certain files.

    And if you could post the exact message Windows displays while booting (the one where you say it is searching for FAT 32), that could be helpful.

    Regards,

    Pieter
     
  9. cooldeepu1

    cooldeepu1 Registered Member

    Joined:
    Oct 8, 2007
    Posts:
    15
    No sir. I did not install HideWin. If it is installed, how do I go about uninstalling it? Also, the scan does not run of late, but the screen just turns blank for a couple of minutes before starting Win XP. Do I still have coolpics or is it gone for good? I do not see any visible symptoms. Could my slow RAM (256 MB) be the reason for the delayed starting process, sir?? Thank you so much for your prompt help, sir. If you could tell me what time you are online, I could come online at the same time to enable real-time assistance, sir. Thanks once again.
     
  10. cooldeepu1

    cooldeepu1 Registered Member

    Joined:
    Oct 8, 2007
    Posts:
    15
    Also, how do you find the scan logs, sir? Do they reflect some serious damage?
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    I see no more signs of coolpics in your logs.
    Let's deal with Hidewin first.

    Find the file C:\WINDOWS\HideWin.exe and double-click it.
    A green bottle should show up in your taskbar.
    Right-click that symbol and a menu will show up.
    Remove all the checkmarks in that menu by clicking on the corresponding lines.

    Then delete HideWin.exe (to the trash can so we can recover it if necessary) and reboot your computer.
    I need to hear from you which items you unchecked in the menu and if this solved the problem.

    I'll be back in about 13 hours.

    Regards,

    Pieter
     
  12. cooldeepu1

    cooldeepu1 Registered Member

    Joined:
    Oct 8, 2007
    Posts:
    15
    Sir. Here is what happens during the course of the scanning. And weirdly, the scanning takes place only the first time I switch on the system in a day. Subsequently it does not scan each time I reboot.
    It says:
    Checking file system on C:
    The type of the file system is FAT32.
    One or more of your disks need to be checked for consistency.
    Volume serial number: 2C49-C808
    You may cancel the disk check, but it is strongly recommended that you continue.
    Windows replaced bad clusters in file \page file.Sys of name (null)

    File and folder verification is complete. (This process takes about 10 minutes.)
    Windows is verifying free space.
    Windows has made corrections to your file system. (This process takes about 5 min.)
    Then Windows starts and I get a warning "Windows has recovered from a serious error".
    When I say show log, this is what I see:

    Error signature
    BCCode : c0000218 BCP1 : E1665FD8 BCP2 : 00000000 BCP3 : 00000000
    BCP4 : 00000000 OSVer : 5_1_2600 SP : 2_0 Product : 256_1
    Also a very recurring problem I noticed: each time I boot, either the mouse or the keyboard is not working. I disconnect and reconnect it, or restart, and the problem is solved.
     
  13. cooldeepu1

    cooldeepu1 Registered Member

    Joined:
    Oct 8, 2007
    Posts:
    15
    Also sir, I tried clicking on Hidewin.exe. The screen just goes blank for a couple of seconds and nothing happens. I tried changing the compatibility to match XP, but it just wouldn't open, so I don't see the green icon on the taskbar, nor do I see it in my Add/Remove Programs list. Should I just go ahead and manually delete it, pending your instructions, sir?
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Try whether you can delete the file without problems.
    If you can, that means it is not active and your problem might be a damaged hard drive.
    I'm no hardware expert, so you may want someone to have a look at that.

    Regards,

    Pieter
     
  15. cooldeepu1

    cooldeepu1 Registered Member

    Joined:
    Oct 8, 2007
    Posts:
    15
    Sir
    I would also like to bring to your kind notice a significant fact. I had a pen drive inserted while I got infected with coolpics. I noticed that, like my "C" drive, it also showed a FAT32 file system and would refuse to open. I looked up the Win support center and converted it into an "NTFS" file system, and now it works fine. Taking the clue, I converted my C drive also to an NTFS file system. I had my Win reinstalled a couple of days back (before getting infected). The technician must have installed it in FAT32 format while the other partitions continued to be in an NTFS file system, as I did not format my drives while uploading Win. Could this be a possible reason for the starting scan each time? As for the hidewin.exe, it comes from the application "HD Audio Hide windows program". In my Add/Remove Programs I notice an application "High Definition Audio Driver Package - KB888111" (that is rarely used and just 33.27 MB) and another one by the name "Realtek High Definition Audio Driver" (that is frequently used, 1622 MB). Should I remove the former, pending your instructions of course, sir? Hidewin still does not open, but the scanning seems to have stopped. But I guess it is too early to celebrate, is it not?
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    One more thing and then you can celebrate as far as I'm concerned. :)

    The coolpics worm, or at least some of its variants, copies itself to the root of each partition. (Guess what happened to your pen drive.)

    If you have any more partitions or drives, we would have to look at the root directory level to see if there is anything left we need to remove.

    Possible filenames that I know:
    New Folder.exe
    AVG 2007.exe
    AVG_update_2007.exe
    W32.PIGLET II.jpg
    Terlalu indah.exe
    Tunggul.vbs
    autorun.inf(.tmp)
    Desktop.exe
    LittleRedRidingHood.rtf
    ntdelect.com
    Neo32.exe
    Dear Ikimo.txt
    Flash 10 Setup.exe
    Mario.exe
    Pacman.exe
    razor.inf
    rz.scr

    Can you look for those?
    Please don't do anything yet if you find one. Just let me know what you found and where exactly.

    Regards,

    Pieter
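The root-level check Pieter asks for in post 16 (and the autorun.inf that cooldeepu1 later sees flash up on the pen drive), written out as an added example that is not part of this thread and not code from BFU, ComboFix or any other tool used in it: a Python script that lists the named files found directly in each drive root and shows what an autorun.inf there would launch, without deleting anything. The filename list is copied from Pieter's post; the function names, the `drive_roots` helper and the constructed sample directory are my own assumptions.

```python
import os
import string
import tempfile
from pathlib import Path

# Filenames from Pieter's post; "autorun.inf(.tmp)" is expanded to both spellings.
# The list is copied from the thread, the code around it is an added example.
SUSPECT_ROOT_NAMES = [
    "New Folder.exe", "AVG 2007.exe", "AVG_update_2007.exe", "W32.PIGLET II.jpg",
    "Terlalu indah.exe", "Tunggul.vbs", "autorun.inf", "autorun.inf.tmp",
    "Desktop.exe", "LittleRedRidingHood.rtf", "ntdelect.com", "Neo32.exe",
    "Dear Ikimo.txt", "Flash 10 Setup.exe", "Mario.exe", "Pacman.exe",
    "razor.inf", "rz.scr",
]


def drive_roots():
    """Roots to inspect: every mounted drive letter on Windows, '/' elsewhere (assumed helper)."""
    if os.name == "nt":
        return [f"{d}:\\" for d in string.ascii_uppercase if os.path.isdir(f"{d}:\\")]
    return ["/"]


def find_suspect_root_files(roots, names=SUSPECT_ROOT_NAMES):
    """Return full paths of suspect files found directly in each given root.

    Matching is case-insensitive because FAT32 and NTFS names are. Only the
    root level is inspected (that is where the worm drops its copies), and
    nothing is deleted: the helper asked to be told what was found first.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        try:
            entries = list(root.iterdir())
        except PermissionError:      # e.g. a drive the account cannot read
            continue
        for entry in entries:
            if entry.name.lower() in wanted:
                hits.append(str(entry))
    return sorted(hits, key=str.lower)


def autorun_targets(root):
    """Return the commands an autorun.inf in `root` would run on insertion.

    Reads the open=, shellexecute= and shell\\<verb>\\command= keys. A
    removable drive whose autorun.inf points at a dropped executable is how
    this kind of worm hops between machines, so the target is what to look at.
    """
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    targets = []
    for line in inf.read_text(errors="replace").splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        if key in ("open", "shellexecute") or key.startswith("shell\\"):
            targets.append(value.strip())
    return targets


def build_sample_root():
    """Constructed sample drive root for the demo; not taken from the thread's machine."""
    root = Path(tempfile.mkdtemp(prefix="sample_root_"))
    (root / "New Folder.exe").write_bytes(b"MZ")        # stand-in for a dropped copy (constructed)
    (root / "autorun.inf").write_text(
        "[autorun]\nopen=New Folder.exe\nshell\\open\\command=New Folder.exe\n")
    (root / "holiday.jpg").write_bytes(b"\xff\xd8")     # benign file, must not be reported
    return str(root)


if __name__ == "__main__":
    # Report only; deletion is a separate, deliberate step.
    for r in drive_roots():
        for hit in find_suspect_root_files([r]):
            print("suspect file:", hit)
        for cmd in autorun_targets(r):
            print("autorun.inf in", r, "would run:", cmd)
```

Run it on the machine being checked; it prints each match with its full path, which is exactly the "what you found and where exactly" Pieter asks for. The case-insensitive match matters because a dropper may write `NEW FOLDER.EXE` and still be the same file on FAT32.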
     
  17. cooldeepu1

    cooldeepu1 Registered Member

    Joined:
    Oct 8, 2007
    Posts:
    15
    Yes, I can delete hidewin without problems, but that seemed to make things slower, so finally I restored it from the trash can. Thank you.
     
  18. cooldeepu1

    cooldeepu1 Registered Member

    Joined:
    Oct 8, 2007
    Posts:
    15
    I do not find any of the files that you have mentioned. Though I used to have Newfolder.exe a couple of days back, and it would appear every time I ran Brute Force Uninstaller. But I was asked to delete all of those. Now I do not see any of them. Also, the autorun and recycler keep appearing for a couple of seconds in its root directory every time I insert my pen drive, but I don't see them on any of my drives as yet. Though I see some files:

    Boottex.log
    combofix2.txt
    combofix.txt
    combofix-quarantined-files.txt
    combofix3.txt

    and some folders:
    config.msi
    qoobox
    Bfu
    in my C drive in the root directory. Should I let them be as they are or delete them? Is this the final step? Is my system clean now? Can I celebrate as yet? Also, would installing Kaspersky help me keep such viruses at bay? Or do I need to supplement it with a spyware like "Bitdefender" as well? Won't they conflict with each other? Thank you so very much. I really appreciate the patient way you helped me to overcome this bloody virus. Thanks a ton.
     
  19. cooldeepu1

    cooldeepu1 Registered Member

    Joined:
    Oct 8, 2007
    Posts:
    15
    The problem with the delayed startup and the screen going blank for about 30 secs still persists though. Whom should I be talking to about it? Thank you.
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    You can delete the above. Most were created by the tools we used.

    About the startup problems, I would recommend using another forum.
    This one is specialized in security, so you might improve your chances by trying: http://www.geekstogo.com/forum/Windows-XP-2000-2003-NT-f5.html
     
  21. cooldeepu1

    cooldeepu1 Registered Member

    Joined:
    Oct 8, 2007
    Posts:
    15
    Thanks a ton once again. And regarding the antivirus, any suggestions?
     
  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Several. But get what you are comfortable with in price and use.
    That works best most of the time. ;)

    Regards,

    Pieter
     