
Thread: possible tumri.net infection?

  1. #11 (Senior Member, joined Apr 2006, 153 posts)

    Hmmmm, not sure on the combofix but I did use the link you sent, so I'll double check that again and see where it sends me. For the adwcleaner, there was a whole lot of stuff checked, should I leave it all checked and then hit clean? I don't want to remove something that I shouldn't. Also I think I mentioned I WAS NOT able to run Erunt so I want to make sure I don't mess something up and not be able to get into the computer. Should I run adwcleaner first and then combofix? Thanks for the help.

    Quote Originally Posted by shelf life View Post
    You're using this link for combofix. You want bleepingcomputer.com http://www.bleepingcomputer.com/comb...o-use-combofix

    I am not seeing any buttons for other downloads unless you got it from here: http://download.cnet.com/Combofix/30...-75221073.html
    Cnet along with plenty of other sites will present several flashy download links creating plenty of confusion as to what's the real button to use.

    For adwcleaner: run it once more clicking on the scan button, save the log file somewhere, then click the clean button. Click ok at the reboot prompt. After machine reboots a new log will be displayed which you can save somewhere.

  2. #12 (Emeritus, joined Nov 2005, location @localhost, 6,066 posts)

    You can leave all those items checked in adwcleaner, they can all be deleted. Attached is a screen shot of the combofix page. It explains how to use it and provides a download link. Yours should look like that. Run adwcleaner, then combofix.

    After the above you can get another download also:

    Please download aswMBR.exe to your desktop.

    Right click and "run as admin" on the icon.
    For the question "Would you like to download latest Avast! virus definitions?" click YES to download the additional files. Then
    click the "Scan" button to start the scan.
    Once the scan is done click "Save log", save it to your desktop and post it in your next reply.

  3. #13 (Senior Member, joined Apr 2006, 153 posts)

    Ran Adwcleaner again and noticed items checked for Viewpoint software on a couple of pages. This is part of AOL software and I believe it's necessary for things I use in AOL so I hesitate to remove those. Also I see Zone alarm toolbar, not sure if I should remove that. Also there are a couple of lines that are for print manager and not sure if that's for some software I run or my printer. Also I see one for Control Panel. Just want to double check to make sure I'm not going to leave my software programs broken by removing some of these things. I do not have XP disks to reload software if something goes wrong. I'm running ASWMBR at the moment and it's taking a long time so will post the log as soon as it's done. I do see ads on bleepingcomputer.com but will be careful and make sure I'm downloading combofix and not one of those ads. I don't know why I see them and you don't except that I don't run ad blocking software. Will run combofix after I get these other two done as I have limited time today online. Thanks for the help.



  4. #14 (Emeritus, joined Nov 2005, location @localhost, 6,066 posts)

    Toolbars aren't necessary to use the software they came with. Viewpoint player is foistware. Not sure what the ZA toolbar claims to do but can bet it's just more crapware.

    Toolbars can have privacy concerns and be resource hogs. I wouldn't waste my CPU cycles on them. This is what adwcleaner and several other tools are for, they target adware/crapware/foistware that people install.
    Before you run adwcleaner you could run their uninstallers from the add/remove programs panel, then run adwcleaner for the leftovers. Or keep them if you want, up to you. Those printer items you see are for the click buttons in the toolbar.

  5. #15 (Senior Member, joined Apr 2006, 153 posts)

    Ok Thanks. I'll think about that part of it. And will probably try uninstall first.
    Here's the log for aswMBR:

    aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
    Run date: 2013-09-18 12:21:40
    -----------------------------
    12:21:40.234 OS Version: Windows 5.1.2600 Service Pack 3
    12:21:40.234 Number of processors: 2 586 0x401
    12:21:40.234 ComputerName: WILSON UserName: Owner
    12:21:41.031 Initialize success
    12:27:47.484 AVAST engine defs: 13091804
    12:28:07.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
    12:28:07.234 Disk 0 Vendor: WDC_WD2000JD-22HBB0 08.02D08 Size: 190782MB BusType: 3
    12:28:07.390 Disk 0 MBR read successfully
    12:28:07.390 Disk 0 MBR scan
    12:28:07.437 Disk 0 unknown MBR code
    12:28:07.453 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 186386 MB offset 8980335
    12:28:07.468 Disk 0 Partition 2 00 0B FAT32 RECOVERY 4384 MB offset 63
    12:28:08.984 Disk 0 scanning sectors +390700800
    12:28:09.062 Disk 0 scanning C:\WINDOWS\system32\drivers
    12:28:33.859 Service scanning
    12:28:47.515 Service MpKslb7b53dc2 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C0E57BC2-A5AE-499E-A354-4866F68EDCF5}\MpKslb7b53dc2.sys **LOCKED** 32
    12:29:03.062 Modules scanning
    12:29:07.093 Disk 0 trace - called modules:
    12:29:07.093 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    12:29:07.109 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa72ab8]
    12:29:07.109 3 CLASSPNP.SYS[ba178fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8aaa6b00]
    12:29:07.718 AVAST engine scan C:\
    15:37:31.875 Scan finished successfully
    16:14:03.109 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
    16:14:03.218 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"



  6. #16 (Emeritus, joined Nov 2005, location @localhost, 6,066 posts)

    Well, that all looks good.

  7. #17 (Senior Member, joined Apr 2006, 153 posts)

    Ok, on the adware stuff. Decided to not remove the Viewpoint software as it wouldn't matter if I did or not as AOL just will add it back on as soon as I log in. It's apparently necessary to view parts of the AOL software. So here's the log after I removed everything but the obvious Viewpoint parts:

    # AdwCleaner v3.005 - Report created 23/09/2013 at 12:01:01
    # Updated 22/09/2013 by Xplode
    # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
    # Username : Owner - WILSON
    # Running from : C:\Documents and Settings\Owner\Desktop\AdwCleaner.exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    [x] Not Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
    [x] Not Deleted : C:\Program Files\Viewpoint
    Folder Deleted : C:\Program Files\Common Files\Software Update Utility
    Folder Deleted : C:\Documents and Settings\Owner\Application Data\CheckPoint\ZoneAlarm LTD Toolbar

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
    [x] Not Deleted : HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel [Homepage]
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
    Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
    Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
    Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
    Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
    Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.eb_explorerbar
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.eb_explorerbar.1
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.ipm_printlistitem
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.ipm_printlistitem.1
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_launcher
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_launcher.1
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_printmanager
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_printmanager.1
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_bindstatuscallback
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_bindstatuscallback.1
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_cancelbuttoneventhandler
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_cancelbuttoneventhandler.1
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.tbtoolband
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.tbtoolband.1
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.useroptions
    Key Deleted : HKLM\SOFTWARE\Classes\toolband.useroptions.1
    Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
    [x] Not Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2611275
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B27D9527-3762-4D71-963D-FB7A94FDD678}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{327C2873-E90D-4C37-AA9D-10AC9BABA46C}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{22B0769F-794B-4422-AC84-47B123C8986D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{255E0B2A-D747-4EEF-B7CE-159D73A3656D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{28ED590D-F5ED-4E05-A87F-1D759F1C6169}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{45D5B93F-E2ED-4AF2-915E-DCDDBDA8C33C}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{771B99AB-636F-4A11-9039-8DFEB927B061}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A8321AA2-2227-40C7-8525-6C2F4E1B0EBE}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AA41A731-6814-4A70-A6F1-C0A20FBBFBD5}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ABBB8A9E-D8AF-40D1-94BE-5175077465FC}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BF737694-56F6-46FA-9FDC-FA99A5B25FAD}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CFCD164E-8AC9-478E-9ECC-B616A932016C}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D5961CC0-B442-4567-8030-67E241EF4CC2}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E450067F-1C93-41A7-928E-07E5C2EEC680}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F977D9F2-4BDC-44A6-B508-7C0284C61EED}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{48C9C8B0-A546-46C1-A81F-47A31E623E9D}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{327C2873-E90D-4C37-AA9D-10AC9BABA46C}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{327C2873-E90D-4C37-AA9D-10AC9BABA46C}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
    [x] Not Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{327C2873-E90D-4C37-AA9D-10AC9BABA46C}]
    Key Deleted : HKCU\Software\PriceGong
    Key Deleted : HKCU\Software\YahooPartnerToolbar
    Key Deleted : HKLM\Software\MetaStream
    [x] Not Deleted : HKLM\Software\Viewpoint
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
    [x] Not Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
    [x] Not Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm LTD Toolbar
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\alotToolbar
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\PriceGong
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility
    [x] Not Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer

    ***** [ Browsers ] *****

    -\\ Internet Explorer v8.0.6001.18702


    *************************

    AdwCleaner[R0].txt - [6985 octets] - [16/09/2013 05:45:23]
    AdwCleaner[R1].txt - [7045 octets] - [18/09/2013 12:15:40]
    AdwCleaner[R2].txt - [7512 octets] - [23/09/2013 11:53:19]
    AdwCleaner[R3].txt - [7572 octets] - [23/09/2013 11:57:14]
    AdwCleaner[S0].txt - [7703 octets] - [23/09/2013 12:01:01]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7763 octets] ##########



    And here's the log after I cleaned everything and ran it again:

    # AdwCleaner v3.005 - Report created 23/09/2013 at 12:21:45
    # Updated 22/09/2013 by Xplode
    # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
    # Username : Owner - WILSON
    # Running from : C:\Documents and Settings\Owner\Desktop\AdwCleaner.exe
    # Option : Scan

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Found C:\Documents and Settings\All Users\Application Data\Viewpoint
    Folder Found C:\Documents and Settings\Owner\Application Data\CheckPoint\ZoneAlarm LTD Toolbar
    Folder Found C:\Program Files\Viewpoint

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Found : HKLM\Software\MetaStream
    Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
    Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
    Key Found : HKLM\Software\Viewpoint
    Value Found : HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel [Homepage]
    Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{327C2873-E90D-4C37-AA9D-10AC9BABA46C}]

    ***** [ Browsers ] *****

    -\\ Internet Explorer v8.0.6001.18702


    *************************

    AdwCleaner[R0].txt - [6985 octets] - [16/09/2013 05:45:23]
    AdwCleaner[R1].txt - [7045 octets] - [18/09/2013 12:15:40]
    AdwCleaner[R2].txt - [7512 octets] - [23/09/2013 11:53:19]
    AdwCleaner[R3].txt - [7572 octets] - [23/09/2013 11:57:14]
    AdwCleaner[R4].txt - [2232 octets] - [23/09/2013 12:21:45]
    AdwCleaner[S0].txt - [7843 octets] - [23/09/2013 12:01:01]

    ########## EOF - C:\AdwCleaner\AdwCleaner[R4].txt - [2352 octets] ##########



    I did try removing the Viewpoint but as soon as I logged into AOL it added it back in. So I think I'm going to leave this for now. I'll be offline for a day or so, have family things to do.

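The two AdwCleaner reports above show the pattern the helper is looking for: everything left unchecked during the Clean run ("[x] Not Deleted") shows up again as "Found" on the rescan, and nothing that was deleted comes back. The checker below is an added example, not code from this thread or from AdwCleaner; it assumes the line layout seen in the posted v3.005 reports and runs on constructed excerpts of them.

```python
import re

# Constructed excerpts modelled on the AdwCleaner v3 "Clean" and follow-up
# "Scan" reports posted above (a few representative lines, not the full logs).
CLEAN_LOG = r"""
# Option : Clean
***** [ Files / Folders ] *****
[x] Not Deleted : C:\Program Files\Viewpoint
Folder Deleted : C:\Program Files\Common Files\Software Update Utility
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
[x] Not Deleted : HKLM\Software\Viewpoint
Key Deleted : HKCU\Software\PriceGong
"""

RESCAN_LOG = r"""
# Option : Scan
***** [ Files / Folders ] *****
Folder Found C:\Program Files\Viewpoint
***** [ Registry ] *****
Key Found : HKLM\Software\Viewpoint
Key Found : HKCU\Software\PriceGong
"""

# One result line: optional "[x]" marker, optional kind (Key/Value/Folder/File),
# the action, an optional colon ("Folder Found" lines have none), then the item.
LINE_RE = re.compile(
    r"^(?:\[x\]\s+)?(?:Key|Value|Folder|File)?\s*"
    r"(?P<action>Not Deleted|Deleted|Found)\s*:?\s*(?P<item>.+?)\s*$"
)


def parse_report(text):
    """Bucket result lines into deleted / kept / found sets. Items are
    case-folded: Windows paths and registry keys are case-insensitive."""
    buckets = {"deleted": set(), "kept": set(), "found": set()}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, section banners, blank lines
        item, action = m.group("item").casefold(), m.group("action")
        if action == "Deleted":
            buckets["deleted"].add(item)
        elif action == "Not Deleted":
            buckets["kept"].add(item)
        else:
            buckets["found"].add(item)
    return buckets


def check_rescan(clean_text, rescan_text):
    """expected: kept on purpose during Clean; returned: deleted but back
    (something re-created it); new: not in the Clean report at all."""
    clean, rescan = parse_report(clean_text), parse_report(rescan_text)
    return {
        "expected": rescan["found"] & clean["kept"],
        "returned": rescan["found"] & clean["deleted"],
        "new": rescan["found"] - clean["kept"] - clean["deleted"],
    }
```

On the real pair of reports the "returned" set is empty, which is what makes the rescan "look good"; a non-empty one (the PriceGong key in the constructed excerpt) is the signal that something is re-creating what was removed.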

  8. #18 (Emeritus, joined Nov 2005, location @localhost, 6,066 posts)

    ok, keep it. All looks ok. I don't think running combofix is necessary at this point unless you already have done so.

  9. #19 (Senior Member, joined Apr 2006, 153 posts)

    No I haven't run combofix yet. If you think it all looks good I won't run it. Thanks for all your help.


  10. #20 (Emeritus, joined Nov 2005, location @localhost, 6,066 posts)

    You're welcome. You can remove adwcleaner by starting it up and using the uninstall button.
    The logs can be manually deleted. Note the free version of Malwarebytes must be updated manually and a scan started manually.
    It doesn't run in the background. Always check for updates before a scan, and it's good practice to routinely check for updates even if you don't start a scan at that time.
    Happy safe surfing.
