========================================================
HOW TO REMOVE THECOOLPICS.NET VIRUS FROM YOUR COMPUTER:
========================================================

1. Update your antivirus product to the latest version.
2. Restart the system in Safe Mode.
3. Run a full system scan.
4. Delete all the files detected as infected with this virus.
5. Open the Windows Registry Editor.
6. Delete the values
   Task Manager = %Windows%\system\svchost32.exe
   Svchost = %Windows%\system\svhost.exe
   under the key HKEY_LOCAL_MACHINE\SOFTWARE\Mi...
7. Delete the values
   DisableTaskMgr = 1
   DisableRegistryTools = 1
   under the key HKEY_CURRENT_USER\Software\Mic...
8. Delete the keys
   YMSGR_buzz
   YMSGR_Launchcast
   under the keys
   HKEY_CURRENT_USER\Software\Yah...
   HKEY_CURRENT_USER\Software\Yah...
9. Restore the default value
   Start Page = http://{BLOCKED}ecoolpics.com
   to
   Start Page = about:blank
   under the key HKEY_CURRENT_USER\Software\Mic... Explorer\Main
10. Close the Windows Registry Editor.
11. Restart the system.

Source: http://answers.yahoo.com

=====================
INDONESIAN VERSION (translated) >>
=====================

Removing the thecoolpics virus from Yahoo Messenger (YM)

1. Update your antivirus.
2. Restart the computer, then log in to Safe Mode.
3. Run a full scan with your antivirus, and if a virus is detected, delete it right away.
4. Open the Registry Editor.
5. Delete
   Task Manager = %Windows%\system\svchost32.exe
   Svchost = %Windows%\system\svhost.exe
   located under HKEY_LOCAL_MACHINE\SOFTWARE\Mi...
6. Also delete the values
   DisableTaskMgr = 1
   DisableRegistryTools = 1
   located under HKEY_CURRENT_USER\Software\Mic...
7. Delete the keys
   YMSGR_buzz
   YMSGR_Launchcast
   located under
   HKEY_CURRENT_USER\Software\Yah...
   HKEY_CURRENT_USER\Software\Yah...
8. Restore
   Start Page = http://{BLOCKED}ecoolpics.com
   to
   Start Page = about:blank
   located under HKEY_CURRENT_USER\Software\Mic... Explorer\Main
9. Close the Registry Editor.
10. Done. Restart your computer.
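The persistence entries the removal steps above tell you to delete are also what shows up in a HijackThis log. The following is an added triage script, not code from either source: it scans HijackThis "O4" autorun lines for the Run value names and image file names listed in the steps, and additionally flags any svchost-like image that runs from somewhere other than %Windows%\system32. The regex, function names and sample lines (copied from the Example #1 log) are this example's own assumptions.

```python
"""Triage HijackThis O4 autorun lines for the thecoolpics.net persistence entries.
Added example, not from the original sources; value/image names come from the
removal steps and the sample lines are copied from the Example #1 log."""
import re
from pathlib import PureWindowsPath

# Run-value names and image file names that the removal steps say to delete.
SUSPECT_VALUE_NAMES = {"task manager", "svchost"}
SUSPECT_IMAGES = {"svchost32.exe", "svhost.exe"}
# "O4 - HKLM\..\Run: [Name] command line" (HijackThis 1.99 layout, assumed here).
O4_RE = re.compile(r"^O4 - (?P<hive>[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def image_path(cmd):
    """Return the executable path from a Run command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]

def classify_o4(line):
    """Return a reason string if the O4 line matches an indicator, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    path = PureWindowsPath(image_path(m.group("cmd")))
    image, parent = path.name.lower(), path.parent.name.lower()
    if image in SUSPECT_IMAGES:
        return f"image {image} is named in the removal steps"
    # The real svchost.exe lives in %Windows%\system32; the worm used %Windows%\system.
    if image.startswith("svchost") and parent != "system32":
        return f"svchost look-alike outside system32: {path}"
    if m.group("name").lower() in SUSPECT_VALUE_NAMES:
        return f"Run value name '{m.group('name')}' is named in the removal steps"
    return None

def triage(log_text):
    """Return [(line, reason)] for every flagged O4 entry in a HijackThis log."""
    return [(ln.strip(), r) for ln in log_text.splitlines() if (r := classify_o4(ln))]

# Constructed sample: three O4 lines copied from the Example #1 log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O4 - HKLM\\..\\Run: [Task Manager] C:\\WINDOWS\\system\\svchost32.exe
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"FLAG: {reason}\n  {line}")
```

Only the [Task Manager] entry is flagged on the sample; the legitimate nod32kui and NvCplDaemon entries pass, as does a genuine C:\WINDOWS\system32\svchost.exe.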
=================================================
THE EXAMPLE #1 OF THECOOLPICS.NET VIRUS INFECTED:
=================================================

Logfile of HijackThis v1.99.1
Scan saved at 1:57:51 AM, on 11/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Excellence Hotkey\Hotkey.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\bgsmsnd .exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\TrojanHunter 4.6\TrojanHunter.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Girish\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FLASHGET\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-E22ABC2EED3F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Excellence HotKey] C:\Program Files\Excellence Hotkey\Hotkey.exe /h
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [bgsmsnd.exe] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\bgsmsnd .exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Source: techenclave.com

=================================================
THE EXAMPLE #2 OF THECOOLPICS.NET VIRUS INFECTED:
=================================================

I've just got some links from my friends through Yahoo Messenger; most of them say something like this:

    Do you realize who is in this image: http://thecoolpics.net/who.jpg . Just think for a moment and tell me soon

Not just that, her/his Yahoo Messenger status also had something like that. Somehow I had a bad feeling about this, but I encouraged myself to click the link.
It redirects to the file http://survey-sales.com/ipn/transactions/index2.html, and this is the result:

    High security alert!!!
    You are not permitted to download the file "index2.html" because it is infected with the virus "JS/Inor.A!tr.dldr".
    URL = http://survey-sales.com/ipn/transactions/index2.html
    File quarantined as: .
    http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=quickSearchDirectly&virusName=JS%2FInor.A%21tr.dldr

Well, FortiGate has done a great job.

A friend of mine wrote on the mailing list about this virus: he clicked the link, all his IE preferences were ruined, and somehow his Yahoo account automagically sent links to everyone on his YM friend list.

To all of you, please be aware of this kind of virus. But how to clean the virus? I still haven't got any clue about this. Just make sure not to click on something suspicious. For example: mostly, your friend talks in Bahasa Indonesia, Sunda, or perhaps Jawa Ngoko, but suddenly he/she speaks English. That's strange, right? :p

Based on dnsstuff.com, I found that the domain survey-sales.com is registered on behalf of this company:

    Registrant:
    Survey and Construction Supply Co., Inc.
    930 W. Byers Pl.
    Denver, CO 80223
    US

    Domain name: SURVEY-SALES.COM

    Administrative Contact:
    Aregood, Brian surveysales@comcast.net
    930 W. Byers Pl.
    Denver, CO 80223
    US
    303-282-8900 Fax: 303-698-4899

    Technical Contact:
    Manager, Domain hostmaster@startlogic.com
    919 E Jefferson St. Suite 100
    Phoenix, AZ 85034
    US
    +1.8007258064

    Registration Service Provider:
    StartLogic, Inc., hostmaster@startlogic.com
    1-800-725-8064
    http://www.startlogic.com

    Registrar of Record: TUCOWS, INC.
    Record last updated on 26-Sep-2006.
    Record expires on 08-Jan-2007.
    Record created on 08-Jan-2005.

    Domain servers in listed order:
    NS1.STARTLOGIC.COM 216.207.124.77
    NS2.STARTLOGIC.COM 66.235.217.210

    Domain status: clientDeleteProhibited
    clientTransferProhibited
    clientUpdateProhibited

Meanwhile, the domain thecoolpics.net is registered through GoDaddy and is under the supervision of domainsbyproxy.com. On their website, domainsbyproxy.com says that:

    Domains By Proxy® will not do business with you, nor protect your identity, if you:
    • Transmit spam, viruses or harmful computer programs;
    • Violate the law or infringe a third party's trademark or copyright;
    • Engage in morally objectionable activities, including but not limited to those which are child pornographic, defamatory, abusive, harassing, obscene, racist, or otherwise objectionable.

So, if any of you have any objections about that virus-containing page, please report it to abuse@domainsbyproxy.com and/or the email above.

Source: achmadi.net

================================================================