virus alert keeps coming again and again

hello,

virus alert keeps coming. I deleted the file 4 times, and moved it to chest, but the alert keeps coming. what should I do in order to stop it?

the log of the alert:

27/06/2009 10:03:49 SYSTEM 1304 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\Owner\LOCALS~1\Temp~temp\mlp28\mdm.exe” file.
27/06/2009 10:06:02 SYSTEM 1304 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\Owner\LOCALS~1\Temp~temp\mlp28\mdm.exe” file.
27/06/2009 10:33:12 SYSTEM 1304 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\Owner\LOCALS~1\Temp~temp\mlp28\mdm.exe” file.
27/06/2009 22:32:26 SYSTEM 1304 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\Owner\LOCALS~1\Temp~temp\mlp28\mdm.exe” file.
28/06/2009 02:47:15 SYSTEM 1304 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\Owner\LOCALS~1\Temp~temp\mlp28\mdm.exe” file.
28/06/2009 07:30:07 SYSTEM 1304 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\Owner\LOCALS~1\Temp~temp\mlp28\mdm.exe” file.

thank you

Hi shai234,

Download CCleaner, install and run it- allow it to delete all junk files found including ‘temp’ files.

Then try a boot time scan with avast! Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested. (Or open the tab at the top left of the scanner screen and select the boot time option from there.)

If still having problems:

Try a scan with DrWeb CureIT!

Try the usual free adware/spyware scanners.

SUPERAntiSpyware Free
a-Squared Free
Malwarebytes’ Anti-Malware

Thank you Frank,

I ran CCleaner and did the boot time scan which showed 0 files infected.
I hope the alert will not show again so soon.

shai234

hello again,

I ran CCleaner and did the boot time scan which showed 0 files infected.

alerts keeped going.

I ran SUPERAntiSpyware Free Edition.

the log file:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/05/2009 at 11:38 AM

Application Version : 4.26.1006

Core Rules Database Version : 3972
Trace Rules Database Version: 1912

Scan type : Complete Scan
Total Scan Time : 01:48:05

Memory items scanned : 463
Memory threats detected : 1
Registry items scanned : 6153
Registry threats detected : 7
File items scanned : 22879
File threats detected : 10

Trojan.Rbot-Variant
C:\DOCUME~1\OWNER\APPLIC~1\CLIPSRV.EXE
C:\DOCUME~1\OWNER\APPLIC~1\CLIPSRV.EXE
[MstInit] C:\DOCUME~1\OWNER\APPLIC~1\MSTINIT.EXE
C:\DOCUME~1\OWNER\APPLIC~1\MSTINIT.EXE
[IEudinit] C:\DOCUME~1\OWNER\LOCALS~1\APPLIC~1\IEUDINIT.EXE
C:\DOCUME~1\OWNER\LOCALS~1\APPLIC~1\IEUDINIT.EXE
[IEudinit] C:\WINDOWS\SYSTEM\IEUDINIT.EXE
C:\WINDOWS\SYSTEM\IEUDINIT.EXE
[Logman] C:\DOCUME~1\OWNER\LOCALS~1\TEMP\LOGMAN.EXE
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\LOGMAN.EXE
[IEudinit] C:\WINDOWS\SYSTEM\IEUDINIT.EXE
[load] C:\DOCUME~1\OWNER\APPLIC~1\CLIPSRV.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\CLIPSRV.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MSTINIT.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\IEUDINIT.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\LOGMAN.EXE
C:\SYSTEM VOLUME INFORMATION_RESTORE{700E328D-C716-401E-90DF-9C9419CB2097}\RP548\A0123235.EXE

Adware.MyWebSearch/FunWebProducts
HKCR\CLSID{147A976F-EEE1-4377-8EA7-4716E4CDD239}

the alerts keep coming:

05/07/2009 10:51:13 Owner 1316 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\Owner\LOCALS~1\Temp~temp\mlp31\mdm.exe” file.
06/07/2009 08:25:15 SYSTEM 1180 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\Owner\LOCALS~1\Temp~temp\mlp31\mdm.exe” file.

what can I do in order to stop the alerts?

thank you.

Have SAS remove what it found.Then run MalwareBytes, and have it remove what it finds,then post the MBAM log,along b[/b] with a log from HijackThis, ( choose scan and save a log file ) ccopy/paste the txt log here.If the log is very big you may need to split it into more than one post
http://filehippo.com/download_hijackthis/

hello micky,

I ran SAS and removed all viruses it found (the log was on my last post).

I ran MalwareBytes and removd all. here is the log:

Malwarebytes’ Anti-Malware 1.38
Database version: 2379
Windows 5.1.2600 Service Pack 3

06/07/2009 17:10:03
mbam-log-2009-07-06 (17-10-03).txt

Scan type: Full Scan (C:|D:|G:|I:|)
Objects scanned: 251606
Time elapsed: 1 hour(s), 38 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\comrepl (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\esent utl (Trojan.Agent) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\comrepl.exe (Trojan.Agent) → Quarantined and deleted successfully.
c:\documents and settings\Owner\Local Settings\Temp\comrepl.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Microsoft\esentutl.exe (Trojan.Agent) → Quarantined and deleted successfully.

I ran HijackThis.

cont. in next post

[b]hello micky,

the HijackThis log:[/b]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:29, on 06/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Barak013\Barak013_L2TP\fts.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System\clipsrv.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\System\clipsrv.exe
O2 - BHO: smartip - {00e71626-0bef-11dc-8314-0800200c9a66} - C:\Program Files\tgo\smartip094.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [%FP%Barak013 L2TP fts.exe] “C:\Program Files\Barak013\Barak013_L2TP\fts.exe”
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [LanguageShortcut] “C:\Program Files\CyberLink\PowerDVD\Language\Language.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [LifeCam] “C:\Program Files\Microsoft LifeCam\LifeExp.exe”
O4 - HKLM..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [SSBkgdUpdate] “C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” -Embedding -boot
O4 - HKLM..\Run: [PaperPort PTD] “C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe”
O4 - HKLM..\Run: [IndexSearch] “C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe”
O4 - HKLM..\Run: [PPort11reminder] “C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe” -r “C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini”
O4 - HKLM..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM..\RunOnce: [Malwarebytes’ Anti-Malware] C:\Program Files\Malwarebytes’ Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [BitTorrent DNA] “C:\Program Files\DNA\btdna.exe”
O4 - HKLM..\Policies\Explorer\Run: [ComRepl] C:\WINDOWS\comrepl.exe /waitservice
O4 - HKCU..\Policies\Explorer\Run: [Esent Utl] C:\DOCUME~1\Owner\APPLIC~1\MICROS~1\esentutl.exe /waitservice
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\Policies\Explorer\Run: [CmSTP] C:\WINDOWS\System\cmstp.exe /waitservice (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - HKUS.DEFAULT..\Policies\Explorer\Run: [CmSTP] C:\WINDOWS\System\cmstp.exe /waitservice (User ‘Default user’)
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{31D27BC6-C643-4768-B9FD-A599C2CCED05}: NameServer = 192.168.2.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe


End of file - 8766 bytes

thank you,
shai234

Ok, run HJT again, choose scan only,and put ticks next to these entries

C:\WINDOWS\System\clipsrv.exe

F3 - REG:win.ini: load=C:\WINDOWS\System\clipsrv.exe

O4 - HKLM..\Policies\Explorer\Run: [ComRepl] C:\WINDOWS\comrepl.exe /waitservice

O4 - HKCU..\Policies\Explorer\Run: [Esent Utl] C:\DOCUME~1\Owner\APPLIC~1\MICROS~1\esentutl.exe /waitservice

O4 - HKUS\S-1-5-18..\Policies\Explorer\Run: [CmSTP] C:\WINDOWS\System\cmstp.exe /waitservice (User ‘SYSTEM’)

O4 - HKUS.DEFAULT..\Policies\Explorer\Run: [CmSTP] C:\WINDOWS\System\cmstp.exe
/waitservice (User ‘Default user’)

Choose fix selected, then reboot

Run MBAM and SAS QUICK SCANS then HJT and post all the logs

I will have another look at your log again now

Also send this file to virus total and post the results, smartip094.dll in C:\Program Files\tgo\smartip094.dll

http://www.virustotal.com/

hello micky,

I did not find the items:

O4 - HKLM..\Policies\Explorer\Run: [ComRepl] C:\WINDOWS\comrepl.exe /waitservice

O4 - HKCU..\Policies\Explorer\Run: [Esent Utl] C:\DOCUME~1\Owner\APPLIC~1\MICROS~1\esentutl.exe /waitservice

maybe MBAM deleted these items. when I rebooted, I got messeges that the computer can’t find them.

I didn’t understand:

Also send this file to virus total and post the results, smartip094.dll in C:\Program Files\tgo\smartip094.dll

I did what you have told me:

ran SAS and MBAM and did ripair then ran HJT. the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/06/2009 at 07:13 PM

Application Version : 4.26.1006

Core Rules Database Version : 3972
Trace Rules Database Version: 1912

Scan type : Quick Scan
Total Scan Time : 00:37:45

Memory items scanned : 486
Memory threats detected : 1
Registry items scanned : 461
Registry threats detected : 6
File items scanned : 8878
File threats detected : 9

Trojan.Rbot-Variant
C:\WINDOWS\SYSTEM32\DRIVERS\ESENTUTL.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\ESENTUTL.EXE
[Esent Utl] C:\WINDOWS\SYSTEM32\DRIVERS\ESENTUTL.EXE
[Spool] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLSV.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLSV.EXE
[Logman] C:\WINDOWS\LOGMAN.EXE
C:\WINDOWS\LOGMAN.EXE
[MqtgSVC] C:\WINDOWS\SYSTEM\MQTGSVC.EXE
C:\WINDOWS\SYSTEM\MQTGSVC.EXE
[Logman] C:\WINDOWS\LOGMAN.EXE
[load] C:\DOCUME~1\OWNER\APPLIC~1\CLIPSRV.EXE
C:\DOCUME~1\OWNER\APPLIC~1\CLIPSRV.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\CLIPSRV.EXE
C:\WINDOWS\SYSTEM\CLIPSRV.EXE
C:\WINDOWS\SYSTEM\CMSTP.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt

Malwarebytes’ Anti-Malware 1.38
Database version: 2379
Windows 5.1.2600 Service Pack 3

06/07/2009 19:01:04
mbam-log-2009-07-06 (19-01-04).txt

Scan type: Quick Scan
Objects scanned: 87135
Time elapsed: 12 minute(s), 38 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\drivers\esentutl.exe (Trojan.Agent) → Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\spool (Backdoor.Bot) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\esent utl (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mqtgsvc (Trojan.Agent) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\spoolsv.exe (Backdoor.Bot) → Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\esentutl.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\system\mqtgsvc.exe (Trojan.Agent) → Quarantined and deleted successfully.

cont. on next post

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:26:19, on 06/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Barak013\Barak013_L2TP\fts.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: smartip - {00e71626-0bef-11dc-8314-0800200c9a66} - C:\Program Files\tgo\smartip094.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [%FP%Barak013 L2TP fts.exe] “C:\Program Files\Barak013\Barak013_L2TP\fts.exe”
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [LanguageShortcut] “C:\Program Files\CyberLink\PowerDVD\Language\Language.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [LifeCam] “C:\Program Files\Microsoft LifeCam\LifeExp.exe”
O4 - HKLM..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [SSBkgdUpdate] “C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” -Embedding -boot
O4 - HKLM..\Run: [PaperPort PTD] “C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe”
O4 - HKLM..\Run: [IndexSearch] “C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe”
O4 - HKLM..\Run: [PPort11reminder] “C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe” -r “C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini”
O4 - HKLM..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [BitTorrent DNA] “C:\Program Files\DNA\btdna.exe”
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{31D27BC6-C643-4768-B9FD-A599C2CCED05}: NameServer = 192.168.2.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe


End of file - 8096 bytes

I think you are getting to the bottom of this, all the entries ESENTUTL.EXE, SPOOLSV.EXE, LOGMAN.EXE, MQTGSVC.EXE, CLIPSRV.EXE, CMSTP.EXE, comrepl.exe are all related to the same malware.The HJT log is good. All we need is for the MBAM and SAS logs to be clean. So keep running them, if any threat keeps reappearing, then there is a problem.
Are you still getting alerts from Avast about MDM.exe

Thank you micky,

the alerts from avast stopped coming for now.

I quick scanned with MBAM and SAS and it was clear of viruses, I hope it will stay that way.

the answers in avast forum are rapid and efficient.

shai234

Well its possible you deleted the temp file at the beginning with Ccleaner. You said alerts kept coming,but you didn’t mention any specific file names.
Did you send that file C:\Program Files\tgo\smartip094.dll to virustotal, just out of curiosity

hello micky,
I did not delete the virus after the CCleaner: the virus alerts kept coming after I ran it, and I sent the avast log with the specific file names before and after the CCleaner ran.
I sent the C:\Program Files\tgo\smartip094.dll to virustotal now, and some programs said it is infected, so I uninstalled the tgo program and deleted the file.
today no virus alert came.
thank you again,
shai234