Spybot, Ad Aware and now Ewido have found misc spyware stuff Here's the HijackThis log and the Ewido log

Thanks in Advance :)

Logfile of HijackThis v1.99.1
Scan saved at 4:41:17 PM, on 6/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\NETGEAR\SC101 Manager Utility\ZeteraService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Documents and Settings\dphhs\Desktop\spyware removal\hijackthis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\uwfde.exe
F2 - REG:system.ini: UserInit=userinit.exe,frmhovr.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinlqez.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144699910468
O20 - AppInit_DLLs: C:\WINDOWS\system32\msdtc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Zetera - Zetera Corporation - C:\Program Files\NETGEAR\SC101 Manager Utility\ZeteraService.exe


Ewido -

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:31:41 PM 6/27/2006

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B6E649FA-5461-40d7-AB4D-54FC3C8DB767}\\BandCLSID -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-516116760-2805738209-4071888707-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\wh.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kwinlqez.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pkdsregk.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\zigi.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\id.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\WINDOWS\ts.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.56:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.57:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.58:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.98:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.10:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.105:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.106:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.107:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.117:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.9:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.30:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.32:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.33:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.34:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.31:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.85:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.86:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.87:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.88:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.101:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.102:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.93:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.94:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.95:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.45:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.49:C:\Documents and Settings\dphhs\Application Data\Mozilla\Firefox\Profiles\100crvdw.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\WINDOWS\aad.exe -> Trojan.Imiserv.c : Cleaned with backup (quarantined).
C:\WINDOWS\dslife.exe -> Trojan.Imiserv.c : Cleaned with backup (quarantined).
C:\WINDOWS\invupd.exe -> Trojan.Imiserv.c : Cleaned with backup (quarantined).
C:\WINDOWS\invupdate.exe -> Trojan.Imiserv.c : Cleaned with backup (quarantined).


::Report end

Hello and welcome to the forum. You have a Qoologic trojan, and a little more misc junk. Let's remove Qoologic first. It is important that you read and follow the directions.

Please download Brute Force Uninstaller to your desktop. (rightclick on this link and choose save as, if using IE save target as)
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C: ) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

Download qoofix.bat (rightclick on this link and choose save as, if using IE save target as)
Place qoofix.bat in your C:\BFU - folder. (Important!)
Doubleclick qooFix.bat, Close all browsers and explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted please post another hijackthis log.

Thanks...pskelley
Safer Networking Forums

That's a tough one, when it gets to the point where the blank password slot comes up, try OK or enter, if no password was set it might let you in??

You might want to call Microsoft and ask for their advice. I did find this:
http://www.petri.co.il/forgot_administrator_password.htm
and Google has a lot of information:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=free+recover+windows+passwords

I hope this helps...Phil

behappp, I must apologize for nedinsf because they posted in your thread and they sure should not have. I was busy and thought they were questions from the original poster, who was you.
I also received your Private Message, and I will respond to it here and not via PM though we can use that tool if it is necessary during the cleanup. To answer your questions:

1) I understand your concern, I will say this trojan is not uncommon and we remove it a lot. These are the markers in the HJT log:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\uwfde.exe
F2 - REG:system.ini: UserInit=userinit.exe,frmhovr.exe
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43264

This is the most recent variety, often we only know it is there after we run ewido. ewido is a very good program, but it will not remove this trojan. Earlier versions it was removing Qoologic in safe mode, but the lowlife who create this junk keep making it harder and harder to remove it. We are very lucky to have a tool like the one I provided otherwise the removal would be MUCH more difficult.
I hope this helps and I wish ewido would remove it, would be so much easier.

Thanks...Phil


and to nedinsf, I understand your concern, but we just create confusion when we post into the topic of another member. If you need additional information, please go here: http://forums.spybot.info/forumdisplay.php?f=22
review the information Pinned to the top (Sticky) and then choose the "New Thread" button to start your own topic.

Thanks...

ran qoolfix as instructed still get command service error from spybot but here's the log

Logfile of HijackThis v1.99.1
Scan saved at 12:57:47 PM, on 6/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\NETGEAR\SC101 Manager Utility\ZeteraService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Documents and Settings\dphhs\Desktop\spyware removal\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinlqez.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144699910468
O20 - AppInit_DLLs: C:\WINDOWS\system32\msdtc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Zetera - Zetera Corporation - C:\Program Files\NETGEAR\SC101 Manager Utility\ZeteraService.exe

Thanks for the information and feedback, good job with the Qoologic trojan:bigthumb:

You already have ewido onboard, make sure it is updated first then:

Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
[/list]

(hold that ewido scan report until we finish)

Windows Defender may block changes we must make, follow these directions:
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinlqez.exe
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\msdtc.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\kwinlqez.exe <<< file

C:\WINDOWS\system32\msdtc.dll <<< file

C:\WINDOWS\system32\shdocvw.dll <<< file

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

Restart the computer and post the ewido scan report, a new HJT log and any comments you think will help. How is the computer running?

__________________________________________________

Once you post that information, that do this:

Please download and unzip Ren-cmdservice to your desktop.
It will only work correctly if the folder is placed on your desktop and extracted !!.

http://downloads.subratam.org/Lon/ren-cmdservice.zip

Open the ren-cmdservice folder by doubleclicking it and then doubleclick the
ren-cmdservice.bat file to run the program.
A text will open when it is finished, Post it please.
Then restart the PC run spybot check for and fix any problems found.

Thanks...Phil

How is it going behappp. :)

Going great - enjoyed the time off work and now will head back to the fray

Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.

If you should need to post another log for the same PC let one of us know via a PM (personal message).