Saturday, July 28, 2007

Removing the Coolpics Virus

I came across this crazy virus. It's a minor one; if you've got it, read this for removal methods.

How does it work?
It starts out on a single website; visitors to that site pick up the virus. Once it runs it kills a lot of processes on the computer, then tries to copy itself onto every removable drive you plug in, so it spreads to every computer that drive is later inserted into. From Yahoo Messenger (YM) messages to flash disks, from memory cards to camera memory sticks, making it one of the most common viruses I've encountered.

The Coolpics virus does the following:

1. Changes your Yahoo Messenger status message
2. Spams your YM contact list with a tricky link to the site where the virus is hosted
3. Disables Task Manager
4. Disables regedit (Registry Editor)
5. Disables msconfig
6. Disables the Run option on the Start menu
7. Disables AVG and its updater
8. Hides 'Folder Options' in Windows Explorer, so users cannot turn on the display of hidden and system files
9. Disables the 'Find' command, so you will have a hard time locating the virus

and many more...

Here's the first step, blocking the site the virus is downloaded from:

Type this path into the Windows Explorer address bar: C:\WINDOWS\system32\drivers\etc
(that's if Windows is installed on drive C on your computer).

You will find a file named hosts (it has no file extension).

Remove the read-only attribute by right-clicking the file, selecting Properties and clearing the Read-only box.

Open the file with Notepad. Each line maps a hostname to an IP address, and a hostname mapped to 127.0.0.1 (the loopback address) can no longer be reached by name from this computer, which is how the file is used to bar web pages. Here's an example:

Go to the end of the file and add a line for each hostname in the link the virus sends, in the form "127.0.0.1 hostname":

(Never open those links in a browser; just put the hostnames in the hosts file so this computer can no longer reach them.)
Now save the file and re-apply the read-only attribute.
At this point you have blocked this computer from reaching the site the virus is downloaded from. Congrats. Bear in mind what this does and does not do: a hosts entry only blocks a hostname, so it does nothing if the link uses a raw IP address or the virus moves to a different host, and any program running under your user account can clear the read-only flag and rewrite the file just as easily as you did. It is a stop-gap, not a defence. Here's a look at what you should have:
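The same hosts-file step, scripted so it can be re-run safely, as an added example that is not part of the original post. The two hostnames are placeholders (the post does not reproduce the real ones); replace them with the hostnames from the link the worm sends. Run it from an elevated (Administrator) PowerShell prompt.

```powershell
# Added example, not from the original post. Run as Administrator.
# The two hostnames below are placeholders: put the hostnames from the
# worm's link here.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$blockList = @('coolpics-host.example', 'second-host.example')   # placeholders

# 1. Clear the read-only attribute the post tells you to set by hand,
#    otherwise the write below fails.
$hosts = Get-Item -Path $hostsPath -Force
$hosts.IsReadOnly = $false

# 2. Append a 127.0.0.1 line for every hostname that is not already
#    mapped to loopback. Checking first keeps the script idempotent, so
#    re-running it does not pile up duplicate entries.
$existing = Get-Content -Path $hostsPath
foreach ($name in $blockList) {
    $pattern = '^\s*(127\.0\.0\.1|0\.0\.0\.0)\s+' + [regex]::Escape($name) + '(\s|$)'
    if ($existing -match $pattern) {
        Write-Host "already blocked: $name"
    } else {
        Add-Content -Path $hostsPath -Value ("127.0.0.1`t{0}" -f $name)
        Write-Host "blocked: $name"
    }
}

# 3. Re-apply read-only (cosmetic only: a program running as your user
#    can clear it again) and flush the resolver cache so the new entries
#    take effect without a reboot.
$hosts.IsReadOnly = $true
ipconfig /flushdns | Out-Null

# 4. Check: each blocked name should now resolve to the loopback address.
foreach ($name in $blockList) {
    try {
        $ip = ([System.Net.Dns]::GetHostAddresses($name) | Select-Object -First 1).IPAddressToString
    } catch {
        $ip = "resolution failed: $($_.Exception.Message)"
    }
    Write-Host ("{0} -> {1}" -f $name, $ip)
}
```

The final loop is the check the post leaves out: if a name still resolves to a public address, the entry did not take (a typo, a trailing space, or the file being rewritten by something else). `ping -n 1 hostname` from a command prompt shows the same thing.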

Remember to remove the read-only attribute when you want to edit the file, and re-apply it when you are done.
Congrats once again.
But don't get too happy ;D, you haven't removed the virus from the computer yet. I'm sure you will have noticed that the Run option is still missing.

This is done through policy values in the registry; here's a look:

This is what you should do.
Open the command prompt and type "gpedit.msc" (without quotes). You need the command prompt because Run has been taken away.

This should open a window titled Group Policy. Expand it as illustrated in the image below. (gpedit.msc is not included in Windows XP Home Edition; if you are on Home, edit the registry keys named further down with reg.exe from the command prompt instead.)

Browse through the group policy and set every option that has been disabled back to Not Configured (they live under User Configuration > Administrative Templates, mostly in System, Start Menu and Taskbar, and Windows Components > Windows Explorer).
Note that everything you change here is written into the registry under HKEY_CURRENT_USER (or HKEY_LOCAL_MACHINE) at "\Software\Policies" or "Software\Microsoft\Windows\CurrentVersion\Policies"; setting a policy to Not Configured deletes its value there.
This means you can export those keys to a .reg file and send it to a friend who is infected and running the same OS as you, so he can import it without going through the steps above. One thing to do first: if the virus process is still running it can put these values straight back, so stop it (or do this from Safe Mode) before cleaning up.
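The registry side of the same clean-up, as an added example that is not part of the original post. It lists and deletes the standard Windows policy values behind the symptoms in the list above; the post does not say which of these the worm actually sets, so the script only reports and removes values that are present. Run it as the affected user (for HKEY_CURRENT_USER) from an elevated prompt (for HKEY_LOCAL_MACHINE).

```powershell
# Added example, not from the original post. Removes the standard
# Windows policy values that produce the symptoms listed in the post.
# Only values that actually exist are touched and each one is printed
# before it is deleted, so you can see what the worm set.
$policyValues = @(
    @{ Sub = 'System';   Name = 'DisableTaskMgr';       Symptom = 'Task Manager disabled' }
    @{ Sub = 'System';   Name = 'DisableRegistryTools'; Symptom = 'Registry Editor disabled' }
    @{ Sub = 'Explorer'; Name = 'NoRun';                Symptom = 'Run removed from Start menu' }
    @{ Sub = 'Explorer'; Name = 'NoFolderOptions';      Symptom = 'Folder Options hidden' }
    @{ Sub = 'Explorer'; Name = 'NoFind';               Symptom = 'Find/Search removed' }
)

$removed = 0
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($p in $policyValues) {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\$($p.Sub)"
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -Name $p.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        Write-Host ("{0}\{1} = {2}   <- {3}" -f $key, $p.Name, $item.($p.Name), $p.Symptom)
        Remove-ItemProperty -Path $key -Name $p.Name
        $removed++
    }
}
Write-Host "$removed policy value(s) removed."

# Explorer and the Start menu read these values when they start, so log
# off and back on (or restart explorer.exe) to get Run, Find and Folder
# Options back. Task Manager and regedit check them each time they launch.
```

DisableRegistryTools only blocks regedit.exe; PowerShell's registry provider and reg.exe ignore it, which is why this works while regedit is still locked out. The same values can be removed one at a time from a plain command prompt with, for example, `reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /f`, and a .reg file that deletes a value uses the line `"DisableTaskMgr"=-` under the key's header, which is what you would send to a friend.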
Also note that the virus is spreading like wildfire. Do not open links from Yahoo Messenger that you do not recognise, even when they come from people you know, since the virus sends them from infected contacts' accounts.
If you run into more problems, don't hesitate to e-mail me:


Thanks for visiting my IT blog.
Please drop a line or two ;D