Member Panel

frogspasm · 08:05 AM

My sister's lap top is getting random green links and popups with this link http://xml3.trafficengine.net/redir?xargs=YWlkPT
She is in New York and I am in Australia so I have to be more careful what I do or rather tell her to do as she is not very computer literate. So I have attached the hijackthis log to see if you guys can help me.
We have run adaware and spybot and Avg and she assures me ALL updates have been done including windows. The things I thought were strange in the log were: C:\Program Files\RXToolBar\sfcont.dll
C:\WINDOWS\system32\irsmvzmg.dll

winnt.exe and the registry entries:

9AC54695-69A4-46F1-BE10-10C74F9520D5
B6E649FA-5461-40d7-AB4D-54FC3C8DB767
70F6A776-579A-4C95-BA88-134253907752
01EB5130-FC0C-4d75-B9CE-4801B1B854F5
1239CC52-59EF-4DFA-8C61-90FFA846DF7E

2AB289AE-4B90-4281-B2AE-1F4BB034B647

So do I tell her to delete these files and removes the registry key? and of course get her to disable windows restore?
best regards,
Rick

joe5

Hi there Frogspasm and welcome to PCHF.

Before fixing things with HijackThis Please Do the Following:

Show hidden files and folders:

For XP:

On the Tools menu in Windows Explorer, click Folder Options.
Click the View tab.
Under Hidden files and folders, click Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.

Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when youre PC is clean).

How to disable system restore:

WinXP.

Click the Start button.
Right-click My Computer, and then click Properties.
On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.

Please download CCleaner

Then uninstall "RXToolbar" and "DropSpam" in add/remove programs if present.

Now boot in safemode (hit f8 when booting up) and fix these with hjt:

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsv2F.dll
O2 - BHO: Drop Spam Toolbar - {2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} - C:\Program Files\DropSpam\ewwie.dll (file missing)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmvzmg.dll
O4 - HKLM\..\Run: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\RunServices: [Microsoft Security Management] winnt.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\Program Files\DropSpam\ewwie.dll (file missing)
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\Program Files\DropSpam\ewwie.dll (file missing)
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll

Then delete the files marked in bold , and run Ccleaner.

Do a search for "winnt.exe" and delete what you find.

When youre done , please post a new hjt log to check.

Member Panel

Sponsors and Ads

Noticeboard