Topic: [Resolved] pop up ads/bogus website restrictions (Read 681 times)
popolop82 (Bronze Member, Posts: 28)
« on: February 08, 2010, 01:15:22 PM »

Most of the time when I type a URL in my address bar, a pop-up window appears with a survey ad for the website I just tried to visit. Now, when I try to visit Facebook, it simply tells me that the website I'm attempting to visit is restricted by my own web preferences, which is BS b/c I have not set any. Most recently, I am receiving warnings of a trojan infection called "trojanSPM/LX" from an antivirus program I did not install, and it is prompting me to download and install an executable file to be rid of it. I currently run Symantec Endpoint for virus protection and nothing else. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:15 PM, on 2/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\125996~1\EE\AOLHOS~1.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\125996~1\EE\AOLServiceHost.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe yprf.wpo moilsl
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: precisead search enhancer - {0EB23654-C654-C2A9-09DE-0C3C5E562F6C} - C:\WINDOWS\system32\tzmrnjefkwst.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1259960464\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is-software-download25.com
O15 - Trusted Zone: http://*.is10-soft-download.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 9360 bytes


I have utilized your services before with great results from your analyst who goes by m0le. I hope to have similar results this go-round on a much more temperamental machine =)

Thanks,

popolop
« Last Edit: February 08, 2010, 05:46:33 PM by 1972vet »
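A defender-side triage of the HijackThis entries that stand out in the log above, as an added example (not the forum's or HijackThis's own code): it parses the log line format and flags the entry classes an analyst would look at first: a Shell= value with extra commands appended, a UserInit= that is not userinit.exe, Run entries whose executable imitates a core process name, unknown Winsock LSP modules, and Trusted Zone additions. The sample log is a constructed excerpt modelled on the posted log; the heuristics and the CORE_NAMES list are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt of a HijackThis v2 log, modelled on the entries in the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe yprf.wpo moilsl
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Core Windows XP process names that rogue software imitates (smss32.exe, winlogon32.exe). Assumed list.
CORE_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "explorer"}


def command_exe(cmd: str) -> str:
    """Return the executable part of a Run command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def lookalike(exe_path: str) -> bool:
    """True when the file name extends a core process name (e.g. smss32.exe) but is not that process."""
    stem = PureWindowsPath(exe_path).name.lower().removesuffix(".exe")
    return stem not in CORE_NAMES and any(stem.startswith(c) for c in CORE_NAMES)


def triage(log_text: str) -> list[dict]:
    """Scan HijackThis lines and return the entries a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        kind = line.split(" - ", 1)[0]          # "F2", "O4", "O10", "O15", ...
        reason = None
        if kind == "F2":
            key, _, value = line.partition(": ")[2].partition("=")
            if key == "Shell" and value.strip().lower() != "explorer.exe":
                reason = "Shell= carries extra commands; only Explorer.exe is expected"
            elif key == "UserInit":
                if PureWindowsPath(value.rstrip(",")).name.lower() != "userinit.exe":
                    reason = "UserInit= does not point at userinit.exe"
        elif kind == "O4":
            m = re.search(r"\[.+?\]\s+(.+)$", line)  # "[name] command" form
            if m and lookalike(command_exe(m.group(1))):
                reason = "Run entry launches a file whose name imitates a core Windows process"
        elif kind == "O10" and "Unknown file" in line:
            reason = "Unknown Winsock LSP module; deleting it breaks networking, so verify first"
        elif kind == "O15":
            reason = "Trusted Zone entry; rogue security software adds its own domains here"
        if reason:
            findings.append({"kind": kind, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:>4}  {f['reason']}\n      {f['line']}")
```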
1972vet (Microsoft® MVP, Malware Removal Staff, Posts: 3392)
« Reply #1 on: February 08, 2010, 05:49:49 PM »

From their own web site:
    "Endpoint Protection: The next generation of AntiVirus with unmatched defense against threats for laptops, desktops, and servers."
tsk, tsk...I think we can do better here.

Please do the following:

Step 1
Please download the free utility DDS

Disable any script blocker you may have running, then double click dds.scr to run the tool.
  • When it completes, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
Step 2
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to your desktop
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please agree to do so
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that, by default, have already been checked. Please uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All <--don't miss this one
  • Then click the Scan button & wait for it to finish
  • Once the scan completes, click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it where you can easily find it, such as your desktop
**Caution**
Rootkit scans often produce false positives.
Do NOT take any action on any of these "<--- ROOTKIT" entries without proper guidance from an expert user.

Please include the following logs in your next reply, Thanks!:
  • DDS.txt
  • Attach.txt
  • ark.txt
Performance and Maintenance for Windows XP  Vista and 7
popolop82 (Bronze Member, Posts: 28)
« Reply #2 on: February 08, 2010, 08:59:26 PM »

I'm sorry, but my problem seems to have gotten more complicated since my initial post. One of my employees got online and experienced these same issues. He decided to reboot the machine. Now it is in an endless cycle of reboots. Every time Windows opens, I get a warning from my antivirus software about a worm called "worm.win32.netsky" and an application error message about "winlogon.exe" saying some memory could not be "written", and then the machine reboots itself. I don't know how to get the machine to turn on, so I cannot run the scans you want me to. Can you help me get the machine back on?

I realize that this machine is in terrible shape, and it mostly has to do with some reckless and totally non-work-related internet activities by my employees. I need to set some strict guidelines for computer use or just restrict their privileges altogether. Maybe we could set something like that up after we get the machine running?

Thank you

popolop
1972vet (Microsoft® MVP, Malware Removal Staff, Posts: 3392)
« Reply #3 on: February 09, 2010, 03:13:05 AM »

In order to recover that thing, I will need to know the following:
1) Is the recovery console installed?
2) Do you have the Windows XP installation CD handy?

...an answer in the affirmative for either one of those will be sufficient to work with.
popolop82 (Bronze Member, Posts: 28)
« Reply #4 on: February 09, 2010, 08:19:22 AM »

I haven't dealt with this machine much, so I'm not 100% certain on the recovery console. I may be mistaken, but doesn't that black screen with a flashing cursor that appears for like 4 seconds during each start-up mean that it does have the recovery console installed?

No, I do not have an installation CD. I once got a Vista machine with a similar problem to boot by downloading a very effective boot disk that had some image files on it or something. I tried to d/l a similar disk for this machine but could not remember where I found such a thing.

That do ya fine?

popolop
1972vet (Microsoft® MVP, Malware Removal Staff, Posts: 3392)
« Reply #5 on: February 09, 2010, 08:24:12 AM »

The black screen that you mention might very well be a startup menu with the r/c option. Try it and see. When you see the black screen on bootup, try using your arrow keys...just tap it once, up or down shouldn't matter.
popolop82 (Bronze Member, Posts: 28)
« Reply #6 on: February 09, 2010, 08:55:47 AM »

No luck on the black screen...what's next?
1972vet (Microsoft® MVP, Malware Removal Staff, Posts: 3392)
« Reply #7 on: February 09, 2010, 09:11:36 AM »

Let's try this...read through the instructions Here. Let us know your results. Thanks!


popolop82 (Bronze Member, Posts: 28)
« Reply #8 on: February 09, 2010, 09:52:58 AM »

I do not have a floppy disk drive on either machine I am operating from. Do you know where I can find a bootable CD-ROM?
popolop82 (Bronze Member, Posts: 28)
« Reply #9 on: February 09, 2010, 09:54:32 AM »

I just found 2 Windows re-installation CDs under my desk...I suppose that could work?
popolop82 (Bronze Member, Posts: 28)
« Reply #10 on: February 09, 2010, 10:49:10 AM »

They say they are only for Dell machines and I'm working on a Compaq...idk if that is actually an issue.
popolop82 (Bronze Member, Posts: 28)
« Reply #11 on: February 09, 2010, 11:06:24 AM »

Nah, these reinstallation CDs are not letting me boot from them...and I did not find the system recovery console. I DO have a Compaq built-in system restore feature, but it involves losing all my applications, which I am trying to avoid as I do not have several of the disks needed to reinstall the software I use to run my business. I'd rather not have to repurchase them. The restore program does allow me to attempt to use the Windows system restore points thing, but when it tries to load Windows for me to use the program...I get that same error message about memory that can't be "written" regarding winlogon.exe.
popolop82 (Bronze Member, Posts: 28)
« Reply #12 on: February 09, 2010, 12:13:19 PM »

I think I've successfully made a bootable CD with the recovery console on it by following instructions I found at this site http://tips.vlaurie.com/2006/05/recovery-console-for-those-without-an-xp-disk/. I haven't used the recovery console but once...hopefully it's fairly self-explanatory and I can get this machine on =)
popolop82 (Bronze Member, Posts: 28)
« Reply #13 on: February 09, 2010, 02:48:21 PM »

OK, sorry for the long string of posts...I guess I should have waited till I sorted this all out. The disk will allow me to bring up the recovery console, though I have no idea what to do once I get there. If I select the "begin windows set up" option, I receive the same error message I have been as the machine is trying to boot up.

Thanks

popolop
1972vet (Microsoft® MVP, Malware Removal Staff, Posts: 3392)
« Reply #14 on: February 09, 2010, 04:40:46 PM »

When you boot to the Recovery Console you will be asked to choose which Windows installation you would like to log into. Most users will only have one choice...make your numbered selection and press ENTER.
  • You will be prompted to enter the administrator password. This is the password set for the user profile "Administrator". You may have set this password when you first configured your computer. If no password was set up, then just press ENTER.
  • You will be presented with a C: prompt. Type or copy and paste:
    chkdsk /r
    ...and press ENTER.
  • Checkdisk will now run. The scan may run for several hours...it depends on the size of the disk and volume of data.
  • When the scan is complete, a report will be displayed. At this point, you need only to type Exit at the command prompt and press ENTER.
Remember to eject your CD or else you'll get the installation menu again on your next reboot.

Post back your results. Thanks!
