PC Review



Annoying executable process causing popups (appears and disappears mysteriously!)

 
 
devika bhattacharya
      23rd Jul 2004
Dear Friends,

While running IE6, I sometimes see a process called "nnympb.exe" that
runs without notice and causes popups on the screen. I tried to
search for this program on my computer, and remarkably it is not on my
C:\ drive. Another remarkable thing about this process is its rather
surreptitious nature; it stays on for only a short period of time when
it creates the popup and then quits by itself. I don't have any other
drives on my computer, so it is unclear where this program is being
launched from! Has anyone found this annoying process creating havoc
with their Explorer?

If so kindly help. I must add that I have already followed Mike
Maltby's (MS-MVP (E-Mail Removed)) detailed instructions, and it
has gone a long way in minimizing my problems. These useful and
detailed instructions are attached at the end of this note.

Best and God bless,

Devika

p.s. Mike's instructions on malware removal attached:

wtoolsa.exe is malware and appears to be a new member of the IBIS
Toolbar family (http://www.pestpatrol.com/PestInfo/i/ibis_toolbar.asp).
It certainly doesn't form a part of the Win Me operating system. One
install mechanism it uses is if you choose to install the toolbar from
xxx.websearch.com.

Boot to Safe Mode, now enable the viewing of all files and folders in
Explorer (Tools | Folder Options | View and check "Show hidden files
and folders" and uncheck "Hide protected operating system files"). Next
open MSConfig (Start, Run, enter MSConfig in the box and click OK),
open the Startup tab and uncheck the entry being used to launch
wstoolsa.exe, possibly labelled something like WinTools as well as any
entries referring to wtoolsb.dll, wsup.exe and tb_setup.exe.

Browse to and delete the contents of your C:\Windows\Temp folder and
also clear your Temporary Internet Files (Internet Options | General |
Delete Files and ensure that you check the box "Delete all offline
content", then click OK and Apply).

Now check Add/Remove Programs and uninstall any entry for WinTools.

You should also delete the entire Wintools folder which is probably
located as a sub-folder in C:\Program Files\Common Files or
alternatively in C:\Windows\System. Check for and delete all copies of
wtoolsa.exe, wtoolsb.dll, wsup.exe and tb_setup.exe.

Now reboot back into Normal Mode and check your system for commercial
parasites.

This might be a good time to download yourself a copy of the free
Ad-Aware 6.0 from Lavasoft
(http://www.lavasoftusa.com/software/adaware/) and also SpyBot
(http://www.safer-networking.org/) and scan your system for and remove
all unwanted parasites, adware and spyware that might be hiding on your
PC.

I would also suggest you download and run merijn's CWShredder which
targets the CoolWebSearch parasite. CWShredder can be downloaded from
(http://www.zerosrealm.com/downloads/CWShredder.zip or
http://www.spywareinfo.com/~merijn/files/cwshredder.zip). Details of
the many forms of the CoolWebSearch hijacker can be found at
http://www.spywareinfo.com/~merijn/cwschronicles.html and also
http://www.pestpatrol.com/pestinfo/c/cws.asp.


****************
If you continue to have problems download a copy of HijackThis from
(http://www.spywareinfo.com/~merijn/downloads.html). Create a folder
called hijackthis on C: and copy the file you downloaded to that
folder. Close as many applications as you can including all instances
of Internet Explorer and then run hijackthis.exe and post back the log,
provided that it isn't too long, to this thread, otherwise to the
HijackThis Forum at http://www.spywareinfo.com/forums/ and hopefully
this will enable someone to identify the cause of your problem.

Entries in the HiJackThis log to remove include:

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

Finally to prevent reinfection download and use SpywareBlaster
(http://www.wilderssecurity.net/spywareblaster.html) which can
inoculate your PC against infection by many parasites and using
Tools | Custom Blocking add the following:
Item Name - WinTools
CLSID - {87766247-311C-43B4-8499-3D5FEC94A183}
--
Mike Maltby MS-MVP
(E-Mail Removed)
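
Added example, not part of the original posts and not code from HijackThis or its author: a small triage script that reads a saved HijackThis log and flags entries matching the CLSID and file names listed in the instructions above. It assumes each entry sits on one line in the `code - section: details` layout of the entries quoted in the post; the sample log is constructed for illustration.

```python
import re

# Indicators quoted in the removal instructions above.
BAD_CLSIDS = {"{87766247-311C-43B4-8499-3D5FEC94A183}"}
BAD_FILES = {"wtoolsa.exe", "wtoolsb.dll", "wsup.exe", "tb_setup.exe"}

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.+$")  # drive-letter path to end of entry

# Constructed sample: the four entries from the post (rejoined onto single
# lines) plus made-up benign entries and a non-entry header line.
SAMPLE_LOG = r"""
Logfile header line (constructed)
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\example.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe /min
"""

def parse_entry(line):
    """Split one log line into section code, CLSIDs and trailing path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # headers, process lists and blank lines are skipped
    body = m.group("body")
    pm = PATH_RE.search(body)
    return {"code": m.group("code"),
            "clsids": [c.upper() for c in CLSID_RE.findall(body)],
            "path": pm.group(0) if pm else None,
            "raw": line.strip()}

def flag_entries(log_text):
    """Return (code, reasons, raw_line) for each entry matching an indicator."""
    hits = []
    for entry in filter(None, map(parse_entry, log_text.splitlines())):
        reasons = []
        if any(c in BAD_CLSIDS for c in entry["clsids"]):
            reasons.append("clsid")  # still matches if the DLL was renamed
        # Compare the file name only, so 8.3 short paths and arguments don't matter.
        tail = (entry["path"] or "").rsplit("\\", 1)[-1].split()
        if tail and tail[0].lower() in BAD_FILES:
            reasons.append("file")
        if reasons:
            hits.append((entry["code"], reasons, entry["raw"]))
    return hits

if __name__ == "__main__":
    for code, reasons, raw in flag_entries(SAMPLE_LOG):
        print(code, "+".join(reasons), raw, sep=" | ")
```

Matching on the CLSID as well as the file name means an entry is still flagged when only one of the two has changed.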
 
MowGreen [MVP]
      23rd Jul 2004
devika,

Mr. Maltby's advice is not going to remove this latest CoolWebSearch
variant, unfortunately. Advise you to follow all of his instructions
in regards to showing hidden files and folders and emptying the Temp
and Temporary Internet Files, then scanning with Hijack This and
posting the log to one of these forums :

http://forum.aumha.org/viewforum.php?f=30
http://www.spywareinfo.com/forums/


You will have to register as a User before posting your log. DO NOT
post it into another thread, start one of your own. Read the
instructions on both sites to see what each requires prior to
posting the log.

MowGreen [MVP]
===============
*-343-* FDNY
Never Forgotten
===============



 