I want to start by congratulating you on this wonderful forum and the wonderful things you do here.
The plot: a couple of days ago I got this message saying "critical system error" and a fake Windows update icon in the system tray.
I tried using SmitFraudFix but no luck. Tried a NOD32 scan and nothing; Spybot, however, was not able to perform it, it wouldn't start. I then decided to restore my system using "System Restore". I chose a point that goes back about 2 days and Windows came up clean; the window that I used to get was gone. Ran the above-mentioned apps again and this time both NOD32 and Spybot got something: Spybot got Smitfraud-C and NOD32 got some trojan and deleted it.
At this point I tried going back to the original point, before the "System Restore", but I can't restore it. I redownloaded Windows updates and got here. I don't have the window saying "critical system error" anymore, but I do have the infected files, and every time I reboot I get "c:\windows\system32\spywarewarning.mht" as my homepage.
I went over the "Must Read First" section and did everything it says. I hope I have all the logs you need. I hope I do a good job posting them here.
OK, here we go. These are the logs for Malwarebytes, SUPERAntiSpyware and Panda ActiveScan.
The HijackThis and uninstall_list will be in the next post (I hope that's OK).
-------------------------------------------------
Malwarebytes' Anti-Malware 1.19
Database version: 918
Windows 5.1.2600 Service Pack 2
08:53:10 03/07/2008
mbam-log-7-3-2008 (08-53-10).txt
Scan type: Quick Scan
Objects scanned: 38250
Time elapsed: 3 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (C:\WINDOWS\system32\spywarewarning.mht) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
--------------------------------------------------------------
SUPERAntiSpyware Scan Log
Generated 07/03/2008 at 09:52 AM
Application Version : 3.6.1000
Core Rules Database Version : 3496
Trace Rules Database Version: 1487
Scan type : Complete Scan
Total Scan Time : 00:49:50
Memory items scanned : 289
Memory threats detected : 0
Registry items scanned : 4834
Registry threats detected : 0
File items scanned : 34317
File threats detected : 0
--------------------------------------------------------------
;*******************************************************************************************************************************************************************************************
ANALYSIS: 2008-07-03 11:40:02
PROTECTIONS: 1
MALWARE: 12
SUSPECTS: 0
;*******************************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===========================================================================================================================================================================================
Eset NOD32 antivirus system 2.51 2.51 Yes Yes
;===========================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===========================================================================================================================================================================================
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{4F2F4B5B-8A29-481A-9CAC-B1DB28047786}\RP15\A0003636.exe
00167704 Cookie/Xiti TrackingCookie No 0 Yes No D:\גיבוי מחשב אבא\Documents and Settings\XP\Cookies\xp@xiti[1].txt
00167738 Cookie/fe.lea.lycos TrackingCookie No 0 Yes No D:\גיבוי מחשב אבא\Documents and Settings\XP\Cookies\[email protected][1].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No D:\גיבוי מחשב אבא\Documents and Settings\XP\Cookies\xp@toplist[1].txt
00171633 Cookie/Cgi-bin TrackingCookie No 0 Yes No D:\גיבוי מחשב אבא\Documents and Settings\XP\Cookies\xp@cgi-bin[5].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No D:\גיבוי מחשב אבא\Documents and Settings\XP\Cookies\xp@go[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No D:\גיבוי מחשב אבא\Documents and Settings\XP\Cookies\xp@atwola[1].txt
00286738 Cookie/Cgi-bin TrackingCookie No 0 Yes No D:\גיבוי מחשב אבא\Documents and Settings\XP\Cookies\xp@cgi-bin[1].txt
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{4F2F4B5B-8A29-481A-9CAC-B1DB28047786}\RP15\A0003635.exe
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\XP0XVGCA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\1ZBLKWCA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\MOYPETDA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\UCCFX5DA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\A3Z5RNAA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\PETBWHDA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\KPQAAIDA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\RMMG1QAA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\BGZCWVCA.NQF
03184163 Trj/Agent.DPE Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{4F2F4B5B-8A29-481A-9CAC-B1DB28047786}\RP15\A0007247.dll
03184483 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{4F2F4B5B-8A29-481A-9CAC-B1DB28047786}\RP15\A0004465.exe
;===========================================================================================================================================================================================
SUSPECTS
Sent Location m
;===========================================================================================================================================================================================
;===========================================================================================================================================================================================
VULNERABILITIES
Id Severity Description m
;===========================================================================================================================================================================================
182048 HIGH MS07-069 m
182043 HIGH MS07-064 m
176382 HIGH MS07-057 m
170907 HIGH MS07-046 m
170906 HIGH MS07-045 m
170904 HIGH MS07-043 m
164913 HIGH MS07-033 m
160623 HIGH MS07-027 m
150253 HIGH MS07-016 m
141030 HIGH MS06-072 m
137568 HIGH MS06-067 m
129976 MEDIUM MS06-052 m
126083 HIGH MS06-042 m
120814 HIGH MS06-021 m
114664 HIGH MS06-013 m
93394 HIGH MS05-050 m
;===========================================================================================================================================================================================