cOOL problem

I'm having a problem with some sort of thing called cOOL. It keeps popping up everytime I restart my computer.

I ran version 1.3 with spybot and i ran version 6.0 with ad-aware.

I think I have a bunch of viruses on my system. It's just been infested.

Can anyone help me?

Thanks.

 

Hi DarkTerror,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [Services] C:\DOCUME~1\Ryan\LOCALS~1\Temp\uuhh6.exe
O4 - HKLM\..\Run: [Generic Service Process] serv1ces.exe
O4 - HKLM\..\Run: [System32.exe] System32.exe
O4 - HKLM\..\Run: [Microsoft OfficeXP] officeXP.exe
O4 - HKLM\..\Run: [servicesxp] C:\WINDOWS\System32\ja\MicroSoft.exe
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe
O4 - HKLM\..\Run: [NTXP] C:\WINDOWS\System32\rita\MicroSoft.exe

O4 - HKLM\..\RunServices: [Generic Service Process] serv1ces.exe
O4 - HKLM\..\RunServices: [System32.exe] System32.exe

Then reboot into safe mode and delete:
C:\WINDOWS\System32\ja\MicroSoft.exe
C:\WINDOWS\System32\desktop.exe
C:\WINDOWS\System32\rita\MicroSoft.exe
C:\WINDOWS\System32\rita\sxe8.tmp
C:\WINDOWS\System32\rita\patch.exe
C:\WINDOWS\System32\System32.exe
C:\WINDOWS\officeXP.exe
serv1ces.exe

Regards,

Pieter

 

So I did the first step, and I deleted it all.

But when I went into safe mode, I couldn't find the rest of that stuff to delete.

When I restart my computer that cOOL thing is now gone. But for a few seconds some sort of thing called XIRC is where the cOOL thing was but then dissapears. Here is the new hijack log.

 

They were replaced or they morphed.

Download and install RegProt from http://www.diamondcs.com.au/index.php?page=regprot

Allow all the entries that are already in place except for these:

O4 - HKLM\..\Run: [sxe1F3.tmp] C:\WINDOWS\System32\sxe1F3.tmp
O4 - HKLM\..\Run: [XPNT2000] C:\WINDOWS\System32\ritaa\Anti.exe
O4 - HKLM\..\Run: [sxe5.tmp] C:\WINDOWS\System32\sxe5.tmp

If they slip by Fix them with HijackThis.

Reboot and delete:
C:\WINDOWS\System32\ritaa\Anti.exe
C:\WINDOWS\System32\sxe5.tmp
C:\WINDOWS\System32\sxe1F3.tmp

Regards,

Pieter

 

I did all the steps so far which included to download and install regpot.

But now every once in a while a little window pops up saying "Do you want to add this to the registry". For a while I thought it was just something a little more I had to do, since I recognized that somehow it was associated with RegPot. But it now frequently asks me to add a bunch of stuff to the registry.

Here is the Hijack log so far.

 

Hi DarkTerror,

"A bunch" is not good. That means something is still active and Regprot is doing it's job.
But the cause will have to be removed as well.

Then download TDS-3 from http://tds.diamondcs.com.au/index.php?page=download
and update it following the instructions here:
http://tds.diamondcs.com.au/index.php?page=update
Then click System Testing > Full System scan.

Post the scanlog please.

Regards,

Pieter

 

Ok here's the scan log. It seems I still have a lot of problems.

 

In the bottom window of the TDS console you can see the list of 40 alarms you got.
Rightclick one of the lines there and select "save as txt"

Can you give us that file as well?

Regards,

Pieter

 

Ok here it is.

 

Thanks. I will ask one of the DiamondCS staff to have a look before I have you delete all those. They are enjoying their well-deserved weekend so that could be a while.

Regards,

Pieter

 

Thanks.

 

So did they ever get back to us yet?

A window that is associated diamondcs.com is always asking me if I want to add important entries into the registry. Should I accept?

I mentioned a few posts before that this window was popping up. And I know that this thing started after I downloaded that thing from their site.

 

That is what it is supposed to do. did you read the info here: http://www.diamondcs.com.au/index.php?page=regprot
Let me know if that is the screen. You should only accept those that you want. Usually when you are installing something.

Everything that has a positive Identification in the Scandump made by TDS-3 can and should be deleted.

Regards,

Pieter

 

How can I delete things in the scandump? When I look in the TDS3 folder, and check out the notepad document with all the information. Is there anything I should do with it?

That diamond program, is alerting me to a few registry things, about once a day. There are no viruses on my computer (as far as I know with all my extensive looking now) and I have not installed anything new.

Is this ok?

 

Run TDS-3 again and in the bottom part of the Window (where the found problems are) delete all the items that are positively ID'ed as malware.

Then reboot, run HijackThis again and post a new log.

Regards,

Pieter

 

Ok heres the next log. Funny since the time that I posted my last message, and the time when I first read your last message. Those diamond things stopped appearing for now.

 

That's a clean log. How's the computer behaving?

Regards,

Pieter

 

It's good now.

 

Excellent.

Please read: Why did I get infected in the first place

Regards,

Pieter