IE pop-ups when using Firefox?

[jsobryan]

Hey everyone,

Ok, here's the problem, and I 'm sure it's not an unusual one. I use Firefox almost exclusively, and have hardly ever had any spyware/malware problems. However, in the past week or so, I've been getting several IE pop-ups every time I use my browser. Neither Adaware nor my antivirus software seems to help. What should I do? Here's my Hijackthis log... Any help would be GREATLY appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 10:16:24 PM, on 11/5/2007
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\WINDOWS\mrofinu572.exe
C:\Program Files\Pop up Blocker Pro RMA Edition\pdie.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
c:\program files\winamp toolbar\WinampTbServer.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\program files\internet explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4D91-8333-CF10577473F7} - C:\Program Files\Google\googletoolbar1.dll
O2 - BHO: (no name) - {FAE15F7F-939C-4E3C-B4F5-F81576FE72C6} - C:\Program Files\Messenger\hoqezigo83122.dll
O2 - BHO: (no name) - {FB93CED7-E0D5-4351-A6D5-0691903AD813} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [crtfmon] C:\Documents and Settings\J\explorer.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [IESet] IExplorer.dll															  .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll															  .dbt
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Pop up Blocker Pro Rich-Media Ads Edition] "C:\Program Files\Pop up Blocker Pro RMA Edition\pdie.exe" Minimize
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [IESet] IExplorer.dll															  .dbt
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Pop up Blocker Pro Rich-Media Ads Edition - {25C049A3-4896-453F-9C77-07461C711CDD} - C:\Program Files\Pop up Blocker Pro RMA Edition\pdie.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url="http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174118682327"]http://update.microsoft.com/microsoftupdat...b?1174118682327[/url]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [url="http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174118675686"]http://update.microsoft.com/microsoftupdat...b?1174118675686[/url]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROG

[PC_LOAD_LETTER]

ok first thing: open task manager (Ctrl+Shift+Esc)

on the processes tab, find mrofinu572.exe and end task on it

then this might be tricky without process explorer or icesword but we need to find the svchost.exe that is running under your username (NOT SYSTEM or NETWORK SERVICE) and end task on it as well

check taskmgr again and see if these processes restarted themselves if they are working together, we will need other software

if they are both gone from the list, then re run hijackthis! and check the following:

C:\WINDOWS\mrofinu572.exe

C:\WINDOWS\svchost.exe (yes this sounds like something you wouldnt want to do but the real svchost is in C:\WINDOWS\system32\svchost.exe NOT C:\WINDOWS\svchost.exe)

O2 - BHO: (no name) - {FAE15F7F-939C-4E3C-B4F5-F81576FE72C6} - C:\Program Files\Messenger\hoqezigo83122.dll

O2 - BHO: (no name) - {FB93CED7-E0D5-4351-A6D5-0691903AD813} - (no file)

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

O4 - HKLM\..\Run: [iESet] IExplorer.dll .dbt

O4 - HKLM\..\RunServices: [iESet] IExplorer.dll .dbt

O4 - HKCU\..\Run: [iESet] IExplorer.dll .dbt

do a fix checked on those then wait about 5 seconds and scan again to see if all the items were removed or if we have a porcess running still thats adding them back for us.

if everything else goes well, run a complete virus scan with anything but Norton (AVG is free) and reboot.

[Tarun]

Hi jsobyran,

Please read this topic and post a new log after following all of the directions.