jsobryan Posted November 6, 2007

Hey everyone,

Ok, here's the problem, and I'm sure it's not an unusual one. I use Firefox almost exclusively, and have hardly ever had any spyware/malware problems. However, in the past week or so, I've been getting several IE pop-ups every time I use my browser. Neither Adaware nor my antivirus software seems to help. What should I do? Here's my Hijackthis log... Any help would be GREATLY appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 10:16:24 PM, on 11/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\WINDOWS\mrofinu572.exe
C:\Program Files\Pop up Blocker Pro RMA Edition\pdie.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
c:\program files\winamp toolbar\WinampTbServer.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\program files\internet explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4D91-8333-CF10577473F7} - C:\Program Files\Google\googletoolbar1.dll
O2 - BHO: (no name) - {FAE15F7F-939C-4E3C-B4F5-F81576FE72C6} - C:\Program Files\Messenger\hoqezigo83122.dll
O2 - BHO: (no name) - {FB93CED7-E0D5-4351-A6D5-0691903AD813} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [crtfmon] C:\Documents and Settings\J\explorer.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Pop up Blocker Pro Rich-Media Ads Edition] "C:\Program Files\Pop up Blocker Pro RMA Edition\pdie.exe" Minimize
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Pop up Blocker Pro Rich-Media Ads Edition - {25C049A3-4896-453F-9C77-07461C711CDD} - C:\Program Files\Pop up Blocker Pro RMA Edition\pdie.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174118682327
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174118675686
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROG

PC_LOAD_LETTER Posted November 6, 2007

ok first thing: open task manager (Ctrl+Shift+Esc)
on the processes tab, find mrofinu572.exe and end task on it
then this might be tricky without process explorer or icesword but we need to find the svchost.exe that is running under your username (NOT SYSTEM or NETWORK SERVICE) and end task on it as well
check taskmgr again and see if these processes restarted themselves
if they are working together, we will need other software
if they are both gone from the list, then re run hijackthis! and check the following:

C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\svchost.exe (yes this sounds like something you wouldn't want to do but the real svchost is in C:\WINDOWS\system32\svchost.exe NOT C:\WINDOWS\svchost.exe)
O2 - BHO: (no name) - {FAE15F7F-939C-4E3C-B4F5-F81576FE72C6} - C:\Program Files\Messenger\hoqezigo83122.dll
O2 - BHO: (no name) - {FB93CED7-E0D5-4351-A6D5-0691903AD813} - (no file)
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt

do a fix checked on those then wait about 5 seconds and scan again to see if all the items were removed or if we have a process running still that's adding them back for us.
if everything else goes well, run a complete virus scan with anything but Norton (AVG is free) and reboot.
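
Added example (not posted by anyone in this thread): the name-versus-directory check described in the reply above, run over lines copied from the log in the first post. The table of usual directories assumes a default Windows XP install at C:\WINDOWS, and the function name is hypothetical.

```python
import ntpath
import re

# Usual directory for each core Windows XP binary (assumes a default C:\WINDOWS install).
EXPECTED_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# A drive-letter path ending in .exe or .dll, wherever it sits on a log line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)

# Lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\WINDOWS\mrofinu572.exe
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [crtfmon] C:\Documents and Settings\J\explorer.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"""


def find_misplaced_system_names(log_text):
    """Return sorted (path, expected_dir) pairs for system file names outside their usual directory."""
    hits = set()
    for line in log_text.splitlines():
        for match in PATH_RE.finditer(line):
            path = match.group(0)
            # Windows paths are case-insensitive, so compare in lower case.
            directory, name = ntpath.split(path.lower())
            expected = EXPECTED_DIRS.get(name)
            if expected and directory != expected:
                hits.add((path, expected))
    return sorted(hits)


if __name__ == "__main__":
    for path, expected in find_misplaced_system_names(SAMPLE_LOG):
        print(f"{path}  (this name normally lives in {expected})")
```

The check does not flag C:\WINDOWS\mrofinu572.exe, because that file name has no system counterpart to compare against.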

Tarun Posted November 6, 2007

Hi jsobryan,

Please read this topic and post a new log after following all of the directions.