
Thread: Help with tumri.net infection?

  1. #1
    Senior Member
    Join Date
    Apr 2006
    Posts
    153

    Default Help with tumri.net infection?

    I'm hoping I'm doing this correctly. We were getting pop-ups from tumri.net (although at the moment we are not, but I have a feeling it's lurking). Ran Microsoft Security Essentials, Microsoft Safety Scanner, Spybot S&D, and Microsoft Malicious Software Removal Tool (this last one was run in safe mode) and nothing popped up in any of them. Just before I got out of safe mode an AOL malware tool popped up (I don't know where that came from) and it detected two things, IST bar and Mirar. I blocked both. Thought that fixed it but then tumri.net started popping up again. Then it just stopped popping up. I have my hosts and home page locked so I don't know if it just resided in a temp file somewhere that got deleted or what, but I would like some help in checking to make sure we are clean.
    Here's the dds.txt file:

    nosGetPlusHelper [2004-8-26 14336]
    .
    =============== Created Last 30 ================
    .
    2013-09-02 16:34:24 388608 ----a-w- C:\HijackThis.exe
    2013-09-02 07:04:40 60872 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9078bb8f-b852-4859-948a-ed4cba7cc033}\offreg.dll
    2013-09-02 07:04:40 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9078bb8f-b852-4859-948a-ed4cba7cc033}\MpKsl0cd89564.sys
    2013-09-02 07:02:11 7166848 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9078bb8f-b852-4859-948a-ed4cba7cc033}\mpengine.dll
    2013-09-01 22:07:49 -------- d-----w- c:\documents and settings\all users\application data\Licenses
    2013-09-01 20:21:53 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
    .
    ==================== Find3M ====================
    .
    2010-10-01 11:07:10 28672752 ----a-w- c:\program files\7zip-uber-setup.exe
    .
    ============= FINISH: 13:11:19.51 ===============




    I can't figure out how to attach the zipped attach.txt file to this post. If you can point me in the right direction on how to do that I can send that as well.

    Thanks for any help you can give me with this problem. I have no idea where this thing came from.

  2. #2
    Senior Member
    Join Date
    Apr 2006
    Posts
    153

    Default re: Help with tumri.net infection?

    Ok I think I figured out how to get the attachment into this thread. If I did it wrong let me know please...... Thanks again.

  3. #3
    Senior Member
    Join Date
    Apr 2006
    Posts
    153

    Default

    Oh forgot to mention that I was not successful in downloading ERUNT. So need to know what to do about that portion please. Thanks.

  4. #4
    Senior Member
    Join Date
    Apr 2006
    Posts
    153

    Default help with tumri.net infection?

    ASWmbr log file:

    aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
    Run date: 2013-09-02 13:15:49
    -----------------------------
    13:15:49.203 OS Version: Windows 5.1.2600 Service Pack 3
    13:15:49.203 Number of processors: 2 586 0x401
    13:15:49.203 ComputerName: WILSON UserName: Owner
    13:15:56.875 Initialize success
    13:17:45.781 AVAST engine defs: 13090200
    13:18:46.812 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
    13:18:46.812 Disk 0 Vendor: WDC_WD2000JD-22HBB0 08.02D08 Size: 190782MB BusType: 3
    13:18:47.046 Disk 0 MBR read successfully
    13:18:47.046 Disk 0 MBR scan
    13:18:47.093 Disk 0 unknown MBR code
    13:18:47.109 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 186386 MB offset 8980335
    13:18:47.125 Disk 0 Partition 2 00 0B FAT32 RECOVERY 4384 MB offset 63
    13:18:48.593 Disk 0 scanning sectors +390700800
    13:18:48.687 Disk 0 scanning C:\WINDOWS\system32\drivers
    13:19:12.812 Service scanning
    13:19:25.515 Service MpKsl0cd89564 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9078BB8F-B852-4859-948A-ED4CBA7CC033}\MpKsl0cd89564.sys **LOCKED** 32
    13:19:41.406 Modules scanning
    13:19:46.828 Disk 0 trace - called modules:
    13:19:46.859 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    13:19:46.859 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa94ab8]
    13:19:46.859 3 CLASSPNP.SYS[ba168fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8aaf6d98]
    13:19:47.375 AVAST engine scan C:\WINDOWS
    13:20:01.843 AVAST engine scan C:\WINDOWS\system32
    13:24:10.093 AVAST engine scan C:\WINDOWS\system32\drivers
    13:24:40.843 AVAST engine scan C:\Documents and Settings\Owner
    13:25:19.437 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
    13:25:19.437 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

  5. #5
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hello NutherStamper,

    Please refer back to the forum FAQ particularly post #2 which shows how to provide a complete DDS.txt log which would be helpful for our volunteer analysts.

    Also please note,
    Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition, helpers would think you are already being assisted because of the post count; they look for topics with 0 responses.
    Could you start a new topic please.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  6. #6
    Senior Member
    Join Date
    Apr 2006
    Posts
    153

    Default Help with tumri.net infection?

    Sorry I messed that up. I thought I had copied it all. Will try again with a new Topic.

    Quote Originally Posted by tashi View Post
    Hello NutherStamper,

    Please refer back to the forum FAQ particularly post #2 which shows how to provide a complete DDS.txt log which would be helpful for our volunteer analysts.

    Also please note,

    Could you start a new topic please.

    Best regards.
