tumri.net AOL popup malware


Guest LilBambi

Recommended Posts

Guest LilBambi

This turned out to be a very strange one. tumri.net is an old piece of crapware, but it appears to have a newer twist.

A client has the latest version of AOL. He has used AOL for 20 +/- years and never had anything bad installed through AOL, so he never was interested in using anything else.

Recently though, his bank told him that AOL was not secure enough, and that he should try using Firefox or Google Chrome if he wants to use online banking.

Last night he was also looking at emails from folks he gets emails from frequently and ended up getting constant popups from tumri.net plus a ton of local-to-him places.

I blocked the site within every browser, but had to block it via the hosts file (127.0.0.1 tumri.net) for it to work in AOL.

But that was only partially successful; it prevented the content, but the popups themselves continued every 5 seconds as before in AOL.

It did not do that in any other browsers.

That is the backdrop of today's mess.

I tried various tools: Malwarebytes Antimalware, aswMBR.exe, JRT, the client's ESET NOD32 scanner, Kaspersky's TDSSKiller, Combofix, CCleaner, Oldtimer's OTF for deeper cleaning.

I read all the logs and there was nothing that any of them found that would cause the problem. aswMBR, Malwarebytes, ESET's NOD32, and TDSSKiller found absolutely nothing.

I checked the processes and nothing looked amiss.

What it finally came down to was uninstalling AOL completely and downloading it fresh and reinstalling it. That took care of it. And he was very happy in the end.

Between this problem today, and what his bank said, he is now willing to move to another browser where we could install Adblock Plus with Malware Domains enabled in Adblock Plus, and WOT.

He used web-based AOL email before when traveling, so it worked out well. He has a lot of work to do to get all his hundreds of Favorites moved over to the other browser, but hopefully he will be happy enough with his alternative browser to keep himself safer.

I think it came from an email, possibly from Yahoo. It is also possible that we had it fixed, until he opened the email from Yahoo again each time. There's no way to be sure on that, except to open it again in the newly installed AOL, and neither of us is going to try that.

The Yahoo email doesn't do anything in the new browser with that domain blocked six ways to Sunday, and he is very happy about that.

I think there is a very good chance that it modified some dll for AOL's network sock, because Combofix actually removed its networking and it had to be re-installed after the Combofix reboot. But apparently either it re-installed after the email was reopened, or it really needed a full uninstall and re-install of AOL to fix it.


Hello,

Out of curiosity, did you generate an ESET SysInspector log from the system? That's a great way to find otherwise undetected malicious software.

Regards,

Aryeh Goretsky


Guest LilBambi

I had several logs from scans to go over and couldn't find anything. Is the ESET SysInspector log generation possible in NOD32?

NOD32 found nothing either in its scans, BTW.


Guest LilBambi

I should revise my first posting. I forgot that JRT did find several things and removed them, but when he went back into AOL and looked at the email again, it appeared that those things did not take care of it. But as I mentioned earlier, it appears that the Yahoo emails may have been what infected the AOL software.

I talked to him today, since he has been using AOL.com in another browser for email with Adblock Plus with Malware Domains and tumri.net manually added in the custom URLs (I also, as noted, added it to the HOSTS file), and WOT: no more issues, even with existing Yahoo emails that no longer have all that Yahoo crap at the bottom of the emails.

The only thing that is frustrating to some degree, and he knows that will end in time, is when he tries to go to a new website that is in AOL but not yet in his alternative browser; it is frustrating to have to go get his favorite (copy, paste, then save it). I told him I knew that was frustrating, but that too will end soon enough once he gets them all copied and saved to the alternative browser.

He knows not to use AOL for any email. And I think that is why it didn't come back after we uninstalled and reinstalled the AOL software.

You know that VirusTotal URL Scanner and Sucuri SiteCheck say that tumri.net is not infested with malware. Very frustrating, given the problems folks have had with this.

So have they cleaned up their act overnight? Or is this whole thing a malware purveyor that hacked AOL via some sort of email, such as from Yahoo, etc., that is trying to make money off tumri.net advertising?
