Help with tumri.net infection?



NutherStamper
2013-09-02, 20:46
I'm hoping I'm doing this correctly. We were getting pop-ups from tumri.net (although at the moment we are not, but I have a feeling it's lurking). Ran Microsoft Security Essentials, Microsoft Safety Scanner, Spybot S&D, and Microsoft Malicious Software Removal Tool (this last one was run in safe mode) and nothing popped up in any of them. Just before I got out of safe mode, an AOL malware tool popped up (I don't know where that came from) and it detected two things: IST bar and Mirar. I blocked both. Thought that fixed it, but then tumri.net started popping up again. Then it just stopped popping up. I have my hosts and home page locked, so I don't know if it just resided in a temp file somewhere that got deleted or what, but I would like some help in checking to make sure we are clean.
Here's the dds.txt file:

nosGetPlusHelper [2004-8-26 14336]
.
=============== Created Last 30 ================
.
2013-09-02 16:34:24 388608 ----a-w- C:\HijackThis.exe
2013-09-02 07:04:40 60872 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9078bb8f-b852-4859-948a-ed4cba7cc033}\offreg.dll
2013-09-02 07:04:40 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9078bb8f-b852-4859-948a-ed4cba7cc033}\MpKsl0cd89564.sys
2013-09-02 07:02:11 7166848 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9078bb8f-b852-4859-948a-ed4cba7cc033}\mpengine.dll
2013-09-01 22:07:49 -------- d-----w- c:\documents and settings\all users\application data\Licenses
2013-09-01 20:21:53 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
.
==================== Find3M ====================
.
2010-10-01 11:07:10 28672752 ----a-w- c:\program files\7zip-uber-setup.exe
.
============= FINISH: 13:11:19.51 ===============

I can't figure out how to attach the zipped attach.txt file to this post. If you can point me in the right direction on how to do that I can send that as well.

Thanks for any help you can give me with this problem. I have no idea where this thing came from.

NutherStamper
2013-09-02, 20:50
OK, I think I figured out how to get the attachment into this thread. If I did it wrong, let me know, please. Thanks again.

NutherStamper
2013-09-02, 20:53
Oh, forgot to mention that I was not successful in downloading ERUNT. So I need to know what to do about that portion, please. Thanks.

NutherStamper
2013-09-02, 20:57
ASWmbr log file:

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-09-02 13:15:49
-----------------------------
13:15:49.203 OS Version: Windows 5.1.2600 Service Pack 3
13:15:49.203 Number of processors: 2 586 0x401
13:15:49.203 ComputerName: WILSON UserName: Owner
13:15:56.875 Initialize success
13:17:45.781 AVAST engine defs: 13090200
13:18:46.812 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
13:18:46.812 Disk 0 Vendor: WDC_WD2000JD-22HBB0 08.02D08 Size: 190782MB BusType: 3
13:18:47.046 Disk 0 MBR read successfully
13:18:47.046 Disk 0 MBR scan
13:18:47.093 Disk 0 unknown MBR code
13:18:47.109 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 186386 MB offset 8980335
13:18:47.125 Disk 0 Partition 2 00 0B FAT32 RECOVERY 4384 MB offset 63
13:18:48.593 Disk 0 scanning sectors +390700800
13:18:48.687 Disk 0 scanning C:\WINDOWS\system32\drivers
13:19:12.812 Service scanning
13:19:25.515 Service MpKsl0cd89564 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9078BB8F-B852-4859-948A-ED4CBA7CC033}\MpKsl0cd89564.sys **LOCKED** 32
13:19:41.406 Modules scanning
13:19:46.828 Disk 0 trace - called modules:
13:19:46.859 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
13:19:46.859 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa94ab8]
13:19:46.859 3 CLASSPNP.SYS[ba168fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8aaf6d98]
13:19:47.375 AVAST engine scan C:\WINDOWS
13:20:01.843 AVAST engine scan C:\WINDOWS\system32
13:24:10.093 AVAST engine scan C:\WINDOWS\system32\drivers
13:24:40.843 AVAST engine scan C:\Documents and Settings\Owner
13:25:19.437 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
13:25:19.437 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"
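The aswMBR log above reports "unknown MBR code" and saves the raw MBR to MBR.dat. That verdict only means the boot code is not in the scanner's list of known loaders, so the next step a practitioner takes is to parse the saved sector, confirm its partition table matches what the scanner printed, and compare the boot-code hash against a known-good reference. The following script is an added example and is not part of the original thread or of aswMBR. It assumes MBR.dat is one raw 512-byte sector; the sample image, the placeholder boot code and the known-good hash set are constructed for the example, with sizes chosen to match the partition lines in the log.

```python
"""Cross-check an MBR image against the partition table printed by aswMBR.

Added example, not code from the thread or from aswMBR. Assumes MBR.dat is a
raw 512-byte sector; the sample image below is constructed, not a real dump.
"""
import hashlib
import re
import struct

SECTOR = 512  # aswMBR prints partition sizes as sectors // 2048 MB

# Constructed sample: the MBR-scan lines copied from the aswMBR log above.
ASWMBR_LOG = """\
13:18:47.093 Disk 0 unknown MBR code
13:18:47.109 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 186386 MB offset 8980335
13:18:47.125 Disk 0 Partition 2 00 0B FAT32 RECOVERY 4384 MB offset 63
"""

PART_RE = re.compile(
    r"Partition (?P<n>\d+) (?P<status>[0-9A-F]{2}) (?:\(A\) )?(?P<type>[0-9A-F]{2}) "
    r".*? (?P<mb>\d+) MB offset (?P<lba>\d+)"
)


def parse_aswmbr(log: str) -> dict:
    """Pull the partition table and the MBR-code verdict out of an aswMBR log."""
    parts = [{"status": int(m["status"], 16), "type": int(m["type"], 16),
              "lba": int(m["lba"]), "mb": int(m["mb"])}
             for m in PART_RE.finditer(log)]
    return {"unknown_mbr_code": "unknown MBR code" in log, "partitions": parts}


def parse_mbr(data: bytes) -> dict:
    """Parse a raw 512-byte MBR: 440 bytes of boot code, four 16-byte entries, 0x55AA."""
    if len(data) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = data[off], data[off + 4]
        lba, sectors = struct.unpack_from("<II", data, off + 8)
        if ptype != 0:  # type 0 = unused slot
            parts.append({"status": status, "type": ptype, "lba": lba, "sectors": sectors})
    return {
        "signature_ok": data[510:512] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(data[:440]).hexdigest(),
        "partitions": parts,
    }


def triage(mbr_image: bytes, aswmbr_log: str, known_good_boot_hashes: set) -> list:
    """Return human-readable findings; an empty list means nothing left to chase."""
    findings = []
    mbr = parse_mbr(mbr_image)
    asw = parse_aswmbr(aswmbr_log)
    if not mbr["signature_ok"]:
        findings.append("0x55AA boot signature missing")
    active = [p for p in mbr["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    # Slot order need not be disk order (here slot 2 sits first on disk), so sort by LBA.
    by_lba = sorted(mbr["partitions"], key=lambda p: p["lba"])
    for a, b in zip(by_lba, by_lba[1:]):
        if a["lba"] + a["sectors"] > b["lba"]:
            findings.append(f"partition at LBA {a['lba']} overlaps the one at LBA {b['lba']}")
    # The saved image must describe the same table the scanner printed.
    img = {(p["status"], p["type"], p["lba"], p["sectors"] // 2048) for p in mbr["partitions"]}
    log = {(p["status"], p["type"], p["lba"], p["mb"]) for p in asw["partitions"]}
    if img != log:
        findings.append("partition table in MBR.dat differs from the aswMBR log")
    # "unknown MBR code" is settled by hashing the code against a known-good reference.
    if asw["unknown_mbr_code"] and mbr["boot_code_sha256"] not in known_good_boot_hashes:
        findings.append(f"boot code sha256 {mbr['boot_code_sha256'][:16]}... not in known-good set")
    return findings


def build_sample_mbr(boot_code: bytes, parts: list) -> bytes:
    """Construct a synthetic MBR image for the example (not a real dump)."""
    img = bytearray(SECTOR)
    img[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, sectors) in enumerate(parts):
        off = 446 + 16 * i
        img[off], img[off + 4] = status, ptype
        struct.pack_into("<II", img, off + 8, lba, sectors)
    img[510:512] = b"\x55\xaa"
    return bytes(img)


# Placeholder boot code (made up, not any OEM's loader) and a table matching the log.
SAMPLE_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432
SAMPLE_MBR = build_sample_mbr(SAMPLE_BOOT_CODE, [
    (0x80, 0x07, 8980335, 186386 * 2048),  # NTFS system partition, active
    (0x00, 0x0B, 63, 4384 * 2048),         # FAT32 RECOVERY partition
])
KNOWN_GOOD = {hashlib.sha256(SAMPLE_BOOT_CODE).hexdigest()}  # hypothetical reference set

if __name__ == "__main__":
    for line in triage(SAMPLE_MBR, ASWMBR_LOG, KNOWN_GOOD) or ["no findings"]:
        print(line)
```

To use it on a real case, read MBR.dat from the desktop in place of SAMPLE_MBR and populate the known-good set from a clean machine of the same OEM image; a hash mismatch on its own is a lead to compare the 440 bytes by hand, not proof of a bootkit.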

tashi
2013-09-03, 20:00
Hello NutherStamper,

Please refer back to the forum FAQ (http://forums.spybot.info/showthread.php?288-quot-BEFORE-You-POST-quot-%28Please-read-this-Procedure-Before-Requesting-Assistance%29) particularly post #2 which shows how to provide a complete DDS.txt log which would be helpful for our volunteer analysts. :)

Also please note,

Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition helpers would think you are already being assisted because of the post count, they look for topics with a 0 response.

Could you start a new topic please. :)

Best regards.

NutherStamper
2013-09-04, 09:43
Sorry I messed that up. I thought I had copied it all. Will try again with a new Topic.