I have the same problem with coolpics.com

Discussion in 'malware problems & news' started by tubx, Nov 4, 2006.

Thread Status:
Not open for further replies.
  1. tubx

    tubx Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    3
    Location:
    Romania Bucharest
    I saw the other 2 posts and I tried to do something, but it didn't work.
    I ran ComboFix and it says this:

    Onutza - Sat 11/04/2006 23:27:23.79 Service Pack 2
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Onutza.ANDREEA-IOANA\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2011-03-06 to 2011/04/2006 ))))))))))))))))))))))))))))))))))


    No new files created in this timespan


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2012/23/2003 08:32 AM 174464 --a------ C:\WINDOWS\system32\drivers\yukonwxp.sys


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
    "Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SoundMan"="SOUNDMAN.EXE"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
    "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
    "Task Manager"="C:\\WINDOWS\\system\\svchost32.exe"
    "nod32kui"="C:\\Program Files\\Eset\\nod32kui.exe /WAITSERVICE"
    "SVCHOST"="C:\\WINDOWS\\system\\svhost.exe"
    "SDFix"="C:\\Documents and Settings\\Onutza.ANDREEA-IOANA\\Desktop\\SDFix\\RunThis.bat /second"
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000005

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,4e,00,00,00,00,00,00,00,b2,03,00,00,e2,02,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,4e,00,00,00,00,00,00,00,b2,03,00,00,e2,02,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1148672493.job

    Completion time: Sat 11/04/2006 23:28:29.81
    C:\ComboFix.txt ... 11/04/2006 11:28 PM
    C:\ComboFix2.txt ... 11/04/2006 09:57 PM
    C:\ComboFix3.txt ... 11/04/2006 07:46 PM
     
    Last edited: Nov 4, 2006
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi tubx,

    I think there is something running interference on your computer.

    First, we need to backup your registry:
    Please go to Start > Run
    Paste in the following line:
    • regedit /e c:\registrybackup.reg
    Click OK.
    It won't appear to be doing anything, that's normal.
    Your mouse pointer may turn to an hour glass for a minute.
    Please continue when it no longer has the hour glass.

    Then copy the part in bold below into notepad and save it as coolpics.reg
    Set Filetype to "all files"

    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "Task Manager"=-
    "SVCHOST"=-
    "SDFix"=-

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=-
    "DisableRegistryTools"=-

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRun"=-


    Doubleclick that file and confirm you want to merge it with the registry.

    Reboot into safe mode and delete:
    C:\WINDOWS\system\svchost32.exe
    C:\WINDOWS\system\svhost.exe

    Then boot back to normal and update your scanners and run full system scans.

    I removed the startup for SDFix assuming you already rebooted without it working.

    Regards,

    Pieter
     
  3. tubx

    tubx Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    3
    Location:
    Romania Bucharest
    First of all I want to thank you Pieter for trying to help me. I think I'm going crazy...
    In my first post I changed the results to those from ComboFix, which I ran again. I don't know if something changed...
    From the first post till now I succeeded in making Task Manager and the Run window active... they weren't the first time. I deleted svhost.exe, but I cannot delete svchost.exe from C:/windows/system32. I tried many things in normal mode, in safe mode, with Advanced File Remover and with everything that was written about this subject.
    I have a problem with coolpics.reg. I made it (does it matter where I save it?) and when I double click it, it asks me what I want to open it with. Nothing about confirming whether I want to merge it with the registry.
    Another problem is that when I wanted to scan with Kaspersky online it had to do an update and couldn't. My antivirus is Nod32; before I had Kaspersky and I had to remove it because it couldn't do the updates (and the signatures were obsolete or something like that...)
    I am not very good with computers but I am a quick learner...
    And more... when I run Task Manager I see svchost.exe in the processes, and when I want to terminate it my computer reboots...
    I hope you understood something from what I tried to explain, Pieter o_O
    And thank you again!
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Is it Qcan IM worm?
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    @ aigle,

    Yes, I think so. I ended up here:
    W32/Qucan.B!worm.im


    @ tubx,

    You will have to grasp this for us to be successful.
    The svchost.exe in C:\windows\system32 is the real one.
    It is an essential Windows file, which is why Windows crashes when you try to stop it.
    The one that was trying to pretend to be the real one was in the folder:
    C:\WINDOWS\system
    Note that there were also differences in the filename.

    You have to be very careful before you jump to the (wrong) conclusion.
    I would appreciate it if you did not go back and change old posts.
    That is very confusing.

    Doubleclick the reg again.
    If it asks with which program you want to open it choose
    registry-editor if it is displayed in the list of options.

    If it isn't listed use the Browse button and point the way to: C:\WINDOWS\regedit.exe

    Keep us posted,

    Pieter
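As an added example (not from this thread or any of its posters), the script below applies the two checks Pieter describes to the Run values in a ComboFix 'Reg Loading Points' listing: does the file name mimic a core Windows process (svchost32.exe and svhost.exe next to the real svchost.exe), and does it run from C:\WINDOWS\system instead of system32. It then writes the flagged values out in the same REGEDIT4 `"name"=-` form as the coolpics.reg above. The sample log lines are constructed; the SYSTEM_NAMES list and the 0.8 similarity cutoff are my own heuristics.

```python
import difflib
import re

# Constructed sample in the format of ComboFix's 'Reg Loading Points' section,
# modelled on the Run entries posted in this thread (legit ones plus impostors).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Task Manager"="C:\\WINDOWS\\system\\svchost32.exe"
"nod32kui"="C:\\Program Files\\Eset\\nod32kui.exe /WAITSERVICE"
"SVCHOST"="C:\\WINDOWS\\system\\svhost.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
'''
# Heuristic: core processes Windows starts itself; a Run value mimicking one is odd.
SYSTEM_NAMES = ["svchost", "lsass", "csrss", "winlogon", "services", "explorer"]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
EXE_RE = re.compile(r'(.+?\.(?:exe|dll|bat|com|scr))(?=\s|,|$)', re.I)

def command_path(raw):
    """Return the executable path from a .reg-escaped Run value string."""
    raw = raw.replace('\\\\', '\\').replace('\\"', '"')   # undo .reg escaping
    if raw.startswith('"'):                                # "C:\dir\x.exe" args
        return raw[1:raw.index('"', 1)]
    # unquoted path (may contain spaces): shortest prefix ending in an exe-like ext
    return m.group(1) if (m := EXE_RE.match(raw)) else raw.split()[0]

def suspicious_entries(log_text):
    """Yield (key, value name, path, reasons) for Run entries worth a check."""
    key = None
    for line in log_text.splitlines():
        if line.startswith('['):
            key = line.strip('[]')
        m = VALUE_RE.match(line)
        if not m or not key or not key.lower().endswith('\\run'):
            continue
        name, path = m.group(1), command_path(m.group(2))
        directory, _, filename = path.rpartition('\\')
        stem = filename.lower().rsplit('.', 1)[0]
        near = difflib.get_close_matches(stem, SYSTEM_NAMES, n=1, cutoff=0.8)
        reasons = [f'file name resembles {near[0]}.exe'] if near else []
        if directory.lower() == r'c:\windows\system':
            reasons.append('runs from WINDOWS\\system, not system32')
        if reasons:
            yield key, name, path, '; '.join(reasons)

def removal_reg(findings):
    """Build a REGEDIT4 file that deletes the flagged values ("name"=- form)."""
    by_key = {}
    for key, name, _path, _reasons in findings:
        by_key.setdefault(key, []).append(name)
    lines = ['REGEDIT4', '']
    for key, names in by_key.items():
        lines += [f'[{key}]'] + [f'"{n}"=-' for n in names] + ['']
    return '\n'.join(lines)
```

Run `removal_reg(list(suspicious_entries(SAMPLE_LOG)))` to get the .reg text; review each flagged path by hand before merging anything, since a lookalike name is a lead, not proof.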
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks. One of my co-workers got it via Yahoo Messenger. She was not running any AV. I was able to clean it with Antivir. Later I checked and it was also detected by Ewido and SuperAntispyware.
    It disabled Task Manager and regedit, which I did not know how to enable (I just used Process Explorer at that time). Later I found the tool to enable these items: Infiltration Recovery Tool.

    http://www.excessive-software.tk/

    Thanks to Nadirah and Rejzor.
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    I'm not sure what changes that tool makes and I was able to see which ones were necessary, so my choice wasn't that hard. ;)

    Maybe we can discuss this somewhere else so we don't go off-topic here.

    Regards,
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Of course. The thread is practically yours. :)
     
  9. tubx

    tubx Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    3
    Location:
    Romania Bucharest
    Hello again :)
    Thank you very much Pieter for your help... again.

    Sorry... I didn't know... now I know :D

    My computer couldn't find regedit.exe, so I searched for it and it was only in C:\WINDOWS\ServicePackFiles, and I copied and pasted it into C:\WINDOWS too so Run could find it... and I resolved one problem...
    Then I saw the post from mohitygupta who had the same problem and I did the ieblock.reg and now everything is ok :) I'm so happy. I don't have any svhost.exe anywhere, my antivirus couldn't find anything and my homepage is not blocked anymore and... I am happy... I knew that I could do this without formatting C: :D
    Thank you very very very much... you're the best... and I know from now on what site to go to when I have a problem with viruses...
    Take care everybody :-*

    tubx
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Glad we could help you tubx :)

    Regards,

    Pieter
     