Spyware & Malware HELP?!?!

[jholland1964]

Go to add/remove programs and see if you find any of the following programs. If so, uninstall it/them.

MyWay or MyWayBar or MyWaySpeed or MyWaySearchBar or My Web Search Bar
MyWebSearch or MyWebSearch Email Plugin
My Web Search (Outlook, Outlook Express, and IncrediMail)
MyWay Search Assistant or My Way Search Assistant

I would also like you to boot to safe mode and do the following;
1. Click Start=>Control Panel=>Folder Options=>View tab.
2. Select "Show hidden files and folders"
3. Clear the check mark in "Hide protected operating system files"
4. Click Apply=>OK.
5. Close Control Panel.

Once in Safe Mode you will need to navigate first to;

C:\WINDOWS
look for and delete the following if found;
bvtqfvx.dll
emlkdvo.dll

Next, still in Safe Mode go to;
C:\Documents and Settings\Ellen\Desktop\
and delete the following;
SpyWare Downloads DW_12_27_07\

Next go to C:\Documents and Settings\Garrett\Local Settings\Temp\
Empty that Temp file.

Next go to C:\Documents and Settings\Garrett\My Documents\
Inside My Documents you should find the folder named Smitfraudfix.
Delete that Smitfraudfix folder.

Next go to C:\Program Files\
and look for a folder named MySearch
If you find one delete it.

Once you have completed all the above steps then reboot the computer in Normal Mode.

When you have rebooted then you will need to set a new Restore point. To do this Right Click My Computer. Choose Properties.
Click the System Restore Tab. When that opens place a checkmark in Turn Off system restore. Click Ok. You will get a warning that you are about to turn off System Restore. Click ok or yes.
Allow System Restore to turn off. Wait a moment and then do the process again only this time take that checkmark out. System Restore will be turned back on with hopefully a clean restore point.
Run the Kaspersky scan once more and post that new log.
Judy

[quest2006]

Judy,

Attached is the last Kaspersky scan report which showed no infections or problems. It looks as if you have solved our problems!!! Please let me know if you see any other issues we should take care of. Lastly can we make a donation to this site to help keep it up and running?

Thanks for all the help!

DW

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, December 31, 2007 9:57:30 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/12/2007
Kaspersky Anti-Virus database records: 500716
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 101182
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:18:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12272007-154730.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-12-31_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\Ellen\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped
C:\Documents and Settings\Ellen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ellen\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Ellen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ellen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ellen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{43FFD131-C02A-47DB-95AB-85364E0AC263} Object is locked skipped
C:\Documents and Settings\Ellen\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ellen\Local Settings\History\History.IE5\MSHist012007123120080 101\index.dat Object is locked skipped
C:\Documents and Settings\Ellen\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ellen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ellen\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ellen\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0160NAV~.TMP Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0772NAV~.TMP Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Prefetch\layout.ini Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.lo g Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MA P Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MA P Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DAT A Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

[jholland1964]

Everything looks good except for one item in your HJT log I missed earlier and that is License_Manager. This is known malware/adware. It will cause pop-up/pop-under advertisements when the primary user interface is not visible, or which do not appear to be associated with the product.

You need to run HiJackThis and put a checkmark next to the following;
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent

O21 - SSODL: bvtqfvx - {0C9EB175-A0B2-42B5-BCF8-B755513369A4} - C:\WINDOWS\bvtqfvx.dll

Once you have placed the checkmarks click the Fix Checked button.
Exit HJT.
Reboot the computer then go to
C:\Program Files\License_Manager\
Delete the License_Manager folder.
Then run a new HJT scan and post the log here.