
Thread: possible tumri.net infection?

  1. #1
    Senior Member
    Join Date
    Apr 2006
    Posts
    153

    possible tumri.net infection?

    I'm hoping this time I get this right. I don't know what happened the last time, so I'm restarting a new topic per Tashi. We were getting pop-ups from tumri.net (although at the moment we are not, but I have a feeling it's lurking). Ran Microsoft Security Essentials, Microsoft Safety Scanner, Spybot S&D, and the Microsoft Malicious Software Removal Tool (this last one was run in safe mode) and nothing popped up in any of them. Just before I got out of safe mode, an AOL malware tool popped up (I don't know where that came from) and it detected two things: IST bar and Mirar. I blocked both. Thought that fixed it, but then tumri.net started popping up again. Then it just stopped popping up. I have my hosts file and home page locked, so I don't know if it just resided in a temp file somewhere that got deleted or what, but I would like some help in checking to make sure we are clean.


    Here's the dds.txt file:
    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
    Run by Owner at 13:10:02 on 2013-09-02
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2550.1896 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    FW: ZoneAlarm Free Firewall Firewall *Enabled*
    .
    ============== Running Processes ================
    .
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\1182811536\ee\aolsoftware.exe
    c:\program files\common files\aol\1182811536\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
    C:\Program Files\Common Files\AOL\1182811536\ee\aolsoftware.exe
    C:\Program Files\AOL 9.5\waol.exe
    C:\Program Files\AOL 9.5\shellmon.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.aol.com/
    uSearch Bar = www.aol.com
    uSearch Page = www.aol.com
    mStart Page = www.aol.com
    mSearch Page = www.aol.com
    mDefault_Page_URL = www.aol.com
    mDefault_Search_URL = www.aol.com
    mSearchAssistant = www.aol.com
    mCustomizeSearch = www.aol.com
    mURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files\aol toolbar\aoltb.dll
    BHO: Zonealarm Helper Object: {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - c:\program files\check point software technologies ltd\zonealarm\1.6.7.4\bh\zonealarm.dll
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
    BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: AOL Toolbar: {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - c:\program files\aol toolbar\aoltb.dll
    TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    TB: Easy-WebPrint: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
    TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - c:\program files\aol toolbar\aoltb.dll
    TB: ZoneAlarm Security Toolbar: {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - c:\program files\check point software technologies ltd\zonealarm\1.6.7.4\zonealarmTlbr.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    EB: Real.com: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\shdocvw.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRunOnce: [SpybotDeletingB87] command.com /c del "c:\windows\SchedLgU.Txt"
    uRunOnce: [SpybotDeletingD606] cmd.exe /c del "c:\windows\SchedLgU.Txt"
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [ShowWnd] ShowWnd.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
    mRun: [ISW] c:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRunOnce: [SpybotDeletingA7206] command.com /c del "c:\windows\SchedLgU.Txt"
    mRunOnce: [SpybotDeletingC4327] cmd.exe /c del "c:\windows\SchedLgU.Txt"
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
    DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Jewel%20Quest%20Solitaire%20III/Images/stg_drm.ocx
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272619707187
    DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Jewel%20Quest%20Solitaire%20III/Images/armhelper.ocx
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: NameServer = 208.67.220.220,208.67.222.222
    TCP: Interfaces\{A1638429-333D-4D7C-9068-DFC436FA89E3} : NameServer = 205.188.146.145
    TCP: Interfaces\{E07685AE-D7FE-43EE-A261-AEF1BC2BE0BB} : DHCPNameServer = 192.168.1.1
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
    R1 MpKsl0cd89564;MpKsl0cd89564;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9078bb8f-b852-4859-948a-ed4cba7cc033}\MpKsl0cd89564.sys [2013-9-2 29904]
    R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2013-3-27 527848]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
    R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-7-14 27056]
    R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-7-14 497320]
    R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
    S2 MSIU-a1fd3bff;MSIU-a1fd3bff;c:\windows\system32\-a1fd3bff.exe --> c:\windows\system32\-a1fd3bff.exe [?]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-26 14336]
    .
    =============== Created Last 30 ================
    .
    2013-09-02 16:34:24 388608 ----a-w- C:\HijackThis.exe
    2013-09-02 07:04:40 60872 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9078bb8f-b852-4859-948a-ed4cba7cc033}\offreg.dll
    2013-09-02 07:04:40 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9078bb8f-b852-4859-948a-ed4cba7cc033}\MpKsl0cd89564.sys
    2013-09-02 07:02:11 7166848 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9078bb8f-b852-4859-948a-ed4cba7cc033}\mpengine.dll
    2013-09-01 22:07:49 -------- d-----w- c:\documents and settings\all users\application data\Licenses
    2013-09-01 20:21:53 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
    .
    ==================== Find3M ====================
    .
    2010-10-01 11:07:10 28672752 ----a-w- c:\program files\7zip-uber-setup.exe
    .
    ============= FINISH: 13:11:19.51 ===============

    Here is the attach.txt file:

    attach.zip


    I will send further logs when requested. Thanks for any help you can give us.

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    Hi,

    I know you posted in the waiting room, but if you still need help simply reply back. Usually the older the thread the less chance of any reply. At a glance the log looks ok.

    AOL malware tool popped up (I don't know where that came from)
    TB: AOL Toolbar: {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - c:\program files\aol toolbar\aoltb.dll

  3. #3
    Senior Member
    Join Date
    Apr 2006
    Posts
    153


    Yes please I would like to make sure that everything is clean on this system and this is not hiding out somewhere. Which from what I've been reading is very possible with tumri.net. Do you require further logs? And I forgot to mention that I was not able to run ERUNT. Also if you require further logs should I rerun everything again since it's been a while? Thanks for any help you can give.


  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    Let's see if Malwarebytes can dig up anything. You can keep and use the free version as an anti-malware app, then we will go from there.

    Please download the free version of Malwarebytes to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.

    Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    If an update is found, it will download and install the latest version.

    Once the program has loaded, select Perform FULL SCAN, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.

    Be sure that everything is checked, and click *Remove Selected.*

    *A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

    When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    Post the log in your reply.

  5. #5
    Senior Member
    Join Date
    Apr 2006
    Posts
    153


    Done. Malwarebytes found 2 items. The log is below.

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.09.14.09

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Owner :: WILSON [administrator]

    9/14/2013 3:20:41 PM
    mbam-log-2013-09-14 (15-20-41).txt

    Scan type: Full scan (C:\|D:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 343384
    Time elapsed: 41 minute(s), 14 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 1
    HKCU\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 1
    HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel|Homepage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)



  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    hi,

    Let's get one more download for a closer look. It's called Combofix. There is a short guide to read first. Read through the guide, then apply the directions on your own machine. Post the Combofix log in your reply.

    Link

  7. #7
    Senior Member
    Join Date
    Apr 2006
    Posts
    153


    OK, started to download Combofix, got the disclaimer and clicked I agree. Then another screen popped up with Define Ext, and this is where I stopped downloading. It will download an app that will track usage and pop up banners, coupons and other ads. This is what I'm trying to stop. So any other ideas, because I'm not comfortable with Define Ext.

    Thanks for your help.


  8. #8
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    Combofix doesn't bundle other software. I just downloaded it and ran the install and it went fine. Must be a coincidence that something popped up during the install process. You definitely have malware on board. Run AdwCleaner below, then please try running Combofix again.

    Please download Adwcleaner.exe to your desktop.
    Double-click on AdwCleaner.exe, select OK, then Run.
    Click on the Scan button.
    Once it's done, click on the Report button.
    Copy and paste the contents of the log file in your reply.
    You can also find the log file at C:\AdwCleaner[R1].txt.
    Exit AdwCleaner with the X (close) button. Click OK at the final prompt.

  9. #9
    Senior Member
    Join Date
    Apr 2006
    Posts
    153


    OK, think I know what went wrong with Combofix: there are two buttons on the page, a green one (which I just discovered is a sponsored ad that contains malware, according to Malwarebytes) and a blue button off to the right and down the page, which I am assuming is the Combofix download. Very confusing, and I just ran across the same thing for AdwCleaner too. But this time I hit the blue button. I will try to download Combofix later today, but in the meantime here's the report from AdwCleaner (I did not clean anything).

    # AdwCleaner v3.004 - Report created 16/09/2013 at 05:45:23
    # Updated 15/09/2013 by Xplode
    # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
    # Username : Owner - WILSON
    # Running from : C:\Documents and Settings\Owner\Desktop\AdwCleaner.exe
    # Option : Scan

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Found C:\Documents and Settings\All Users\Application Data\Viewpoint
    Folder Found C:\Documents and Settings\Owner\Application Data\CheckPoint\ZoneAlarm LTD Toolbar
    Folder Found C:\Program Files\Common Files\Software Update Utility
    Folder Found C:\Program Files\Viewpoint

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
    Key Found : HKCU\Software\PriceGong
    Key Found : HKCU\Software\YahooPartnerToolbar
    Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{B27D9527-3762-4D71-963D-FB7A94FDD678}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
    Key Found : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
    Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
    Key Found : HKLM\SOFTWARE\Classes\dnUpdate
    Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
    Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
    Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
    Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
    Key Found : HKLM\SOFTWARE\Classes\Interface\{22B0769F-794B-4422-AC84-47B123C8986D}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{255E0B2A-D747-4EEF-B7CE-159D73A3656D}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{28ED590D-F5ED-4E05-A87F-1D759F1C6169}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{45D5B93F-E2ED-4AF2-915E-DCDDBDA8C33C}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{771B99AB-636F-4A11-9039-8DFEB927B061}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{A8321AA2-2227-40C7-8525-6C2F4E1B0EBE}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{AA41A731-6814-4A70-A6F1-C0A20FBBFBD5}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{ABBB8A9E-D8AF-40D1-94BE-5175077465FC}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{BF737694-56F6-46FA-9FDC-FA99A5B25FAD}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{CFCD164E-8AC9-478E-9ECC-B616A932016C}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{D5961CC0-B442-4567-8030-67E241EF4CC2}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{E450067F-1C93-41A7-928E-07E5C2EEC680}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{F977D9F2-4BDC-44A6-B508-7C0284C61EED}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
    Key Found : HKLM\SOFTWARE\Classes\toolband.eb_explorerbar
    Key Found : HKLM\SOFTWARE\Classes\toolband.eb_explorerbar.1
    Key Found : HKLM\SOFTWARE\Classes\toolband.ipm_printlistitem
    Key Found : HKLM\SOFTWARE\Classes\toolband.ipm_printlistitem.1
    Key Found : HKLM\SOFTWARE\Classes\toolband.pm_launcher
    Key Found : HKLM\SOFTWARE\Classes\toolband.pm_launcher.1
    Key Found : HKLM\SOFTWARE\Classes\toolband.pm_printmanager
    Key Found : HKLM\SOFTWARE\Classes\toolband.pm_printmanager.1
    Key Found : HKLM\SOFTWARE\Classes\toolband.pr_bindstatuscallback
    Key Found : HKLM\SOFTWARE\Classes\toolband.pr_bindstatuscallback.1
    Key Found : HKLM\SOFTWARE\Classes\toolband.pr_cancelbuttoneventhandler
    Key Found : HKLM\SOFTWARE\Classes\toolband.pr_cancelbuttoneventhandler.1
    Key Found : HKLM\SOFTWARE\Classes\toolband.tbtoolband
    Key Found : HKLM\SOFTWARE\Classes\toolband.tbtoolband.1
    Key Found : HKLM\SOFTWARE\Classes\toolband.useroptions
    Key Found : HKLM\SOFTWARE\Classes\toolband.useroptions.1
    Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2611275
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{48C9C8B0-A546-46C1-A81F-47A31E623E9D}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
    Key Found : HKLM\Software\MetaStream
    Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\alotToolbar
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\PriceGong
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm LTD Toolbar
    Key Found : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
    Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
    Key Found : HKLM\Software\Viewpoint
    Value Found : HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel [Homepage]

    ***** [ Browsers ] *****

    -\\ Internet Explorer v8.0.6001.18702


    *************************

    AdwCleaner[R0].txt - [6845 octets] - [16/09/2013 05:45:23]

    ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [6905 octets] ##########


    Thanks for the help.


  10. #10
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    You're using this link for Combofix. You want bleepingcomputer.com: http://www.bleepingcomputer.com/comb...o-use-combofix

    I am not seeing any buttons for other downloads unless you got it from here: http://download.cnet.com/Combofix/30...-75221073.html
    CNET, along with plenty of other sites, will present several flashy download links, creating plenty of confusion as to what's the real button to use.

    For adwcleaner: run it once more clicking on the scan button, save the log file somewhere, then click the clean button. Click ok at the reboot prompt. After machine reboots a new log will be displayed which you can save somewhere.
