infected with PUP.Optional.Tarma.A

#1 beepingUser

Posted 30 July 2013 - 10:17 PM

Hello all,

Malwarebytes reported my system as being infected with something called PUP.Optional.Tarma.A and it has it in quarantine. I am wondering if I have it fully removed and / or do I have possibly other infections.

I began seeing what I thought was strange behavior starting maybe 2 weeks ago where dll host would pop up and run at various times throughout the day along with Windows Installer service running at random times during the day when it used to only run right before or during Windows updates. I have temporarily disabled the Windows Installer service (TrustedInstaller.exe) until I have a better idea of what is going on.

I also noticed that the file system protection and malicious web site blocking in Malwarebytes was somehow disabled when I always have those items checked.

Should I just assume I got everything and carry on or are there other steps I should take?

Below is the DDS.txt

Thank you,

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16611
Run by admin at 21:41:39 on 2013-07-30
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.4022.1410 [GMT -5:00]
.
AV: PC Tools AntiVirus Free *Enabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: PC Tools AntiVirus Free *Enabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe
C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe
c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Windows\SysWOW64\vmnat.exe
C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
C:\Program Files (x86)\PC Tools\PC Tools Security\pctsGui.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Mobile Stream\EasyTether\easytthr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\notepad.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: PC Tools Browser Guard: {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
mWinlogon: Userinit = userinit.exe,
BHO: PC Tools Browser Guard BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Microsoft Web Test Recorder 9.0 Helper: {E31CE47F-C268-41ba-897B-B415E613947D} - C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
TB: PC Tools Browser Guard: {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
EB: Web Test Recorder 9.0: {3C7ADADE-D1E8-45d2-BDCD-7F8D8B99B2A2} -
uRun: [EasyTether] "C:\Program Files\Mobile Stream\EasyTether\easytthr.exe"
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_224_Plugin.exe -update plugin
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AntiLogger] "C:\Program Files (x86)\AntiLogger\AntiLogger.exe" /minimized
mRun: [ISTray] "C:\Program Files (x86)\PC Tools\PC Tools Security\pctsGui.exe" /hideGUI
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
LSP: %windir%\system32\vsocklib.dll
TCP: NameServer = 8.8.8.8 8.8.4.4 24.196.64.53
TCP: Interfaces\{8A2F7856-FFA7-43F3-85D5-116C082CD202} : DHCPNameServer = 8.8.8.8 8.8.4.4 24.196.64.53
TCP: Interfaces\{8A2F7856-FFA7-43F3-85D5-116C082CD202}\358656675737775626 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{CEF035AE-0261-4110-9EBB-9A019135817B} : DHCPNameServer = 8.8.8.8 8.8.4.4
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup
x64-Run: [NVHotkey] rundll32.exe C:\Windows\System32\nvHotkey.dll,Start
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvoiuujm.default\
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;C:\Windows\System32\drivers\PCTCore64.sys [2013-5-22 413448]
R0 pctDS;PC Tools Data Store;C:\Windows\System32\drivers\pctDS64.sys [2013-5-22 453896]
R0 pctEFA;PC Tools Extended File Attributes;C:\Windows\System32\drivers\pctEFA64.sys [2013-5-22 1096176]
R0 vsock;vSockets Driver;C:\Windows\System32\drivers\vsock.sys [2013-3-28 70296]
R1 AntiLog32;AntiLog32;C:\Windows\System32\drivers\AntiLog64.sys [2013-5-11 49240]
R1 pctgntdi;pctgntdi;C:\Windows\System32\drivers\pctgntdi64.sys [2013-5-22 347016]
R1 PCTSD;PC Tools Spyware Doctor Driver;C:\Windows\System32\drivers\PCTSD64.sys [2013-5-22 253256]
R2 Browser Defender Update Service;Browser Defender Update Service;C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe [2013-5-22 580728]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-7-29 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-7-29 701512]
R2 sdAuxService;PC Tools Auxiliary Service;C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe [2013-5-22 403416]
R2 sdCoreService;PC Tools Security Service;C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe [2013-5-22 1162360]
R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2012-10-11 918680]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2009-11-6 293552]
R3 easytether;easytether;C:\Windows\System32\drivers\easytthr.sys [2013-3-18 20784]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-3-18 25928]
R3 PCTBD;PC Tools Browser Defender Driver;C:\Windows\System32\drivers\PCTBD64.sys [2013-5-22 77144]
R3 pctplsm;pctplsm;C:\Windows\System32\drivers\pctplsm64.sys [2013-5-22 87968]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S2 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2012-2-11 597080]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-3-19 59392]
S3 VSPerfDrv90;Performance Tools Driver 9.0;C:\Program Files (x86)\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\x64\VSPerfDrv90.sys [2007-9-4 71024]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-3-18 1255736]
S4 RsFx0200;RsFx0200 Driver;C:\Windows\System32\drivers\RsFx0200.sys [2012-2-11 334936]
.
=============== Created Last 30 ================
.
2013-07-30 09:00:30    --------    d-----w-    C:\8371d7a55ea9f56a3eb60d42
2013-07-30 05:05:02    76232    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2748B9FF-B0A5-4A30-BBE4-46DEE37B3EB6}\offreg.dll
2013-07-29 20:43:23    712264    ----a-w-    C:\Windows\isRS-000.tmp
2013-07-29 20:10:50    9552976    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2748B9FF-B0A5-4A30-BBE4-46DEE37B3EB6}\mpengine.dll
2013-07-29 04:12:25    --------    d-----w-    C:\Program Files (x86)\Eneter
2013-07-28 10:12:23    436304    ----a-w-    C:\Windows\SysWow64\vmnat.exe
2013-07-23 05:41:52    --------    d-----w-    C:\dev
2013-07-23 04:50:25    --------    d-----w-    C:\installers
2013-07-19 05:42:29    --------    d-----w-    C:\Users\admin\AppData\Local\IsolatedStorage
2013-07-19 05:42:12    --------    d-----w-    C:\ProgramData\Microsoft Visual Studio
2013-07-19 05:40:29    --------    d-----w-    C:\Webs
2013-07-16 00:08:28    --------    d-----w-    C:\Program Files (x86)\Application Verifier
2013-07-16 00:08:27    --------    d-----w-    C:\Program Files\Application Verifier
2013-07-16 00:08:21    --------    d-----w-    C:\ProgramData\Windows App Certification Kit
2013-07-16 00:04:00    --------    d-----w-    C:\Program Files (x86)\Microsoft WCF Data Services
2013-07-15 23:49:15    --------    d-----w-    C:\Program Files\Microsoft Visual Studio 11.0
2013-07-14 09:03:47    --------    d-----w-    C:\Windows\System32\MRT
.
==================== Find3M  ====================
.
2013-06-28 19:50:38    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-28 19:50:38    692104    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-06-08 12:28:46    2706432    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-06-08 11:13:19    2706432    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-05-17 01:25:57    1767936    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-05-17 01:25:27    2877440    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-05-17 01:25:26    61440    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2013-05-17 01:25:26    109056    ----a-w-    C:\Windows\SysWow64\iesysprep.dll
2013-05-17 00:59:03    2241024    ----a-w-    C:\Windows\System32\wininet.dll
2013-05-17 00:58:10    3958784    ----a-w-    C:\Windows\System32\jscript9.dll
2013-05-17 00:58:08    67072    ----a-w-    C:\Windows\System32\iesetup.dll
2013-05-17 00:58:08    136704    ----a-w-    C:\Windows\System32\iesysprep.dll
2013-05-14 12:23:25    89600    ----a-w-    C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-14 08:40:13    71680    ----a-w-    C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-05-13 05:51:01    184320    ----a-w-    C:\Windows\System32\cryptsvc.dll
2013-05-13 05:51:00    1464320    ----a-w-    C:\Windows\System32\crypt32.dll
2013-05-13 05:51:00    139776    ----a-w-    C:\Windows\System32\cryptnet.dll
2013-05-13 05:50:40    52224    ----a-w-    C:\Windows\System32\certenc.dll
2013-05-13 04:45:55    140288    ----a-w-    C:\Windows\SysWow64\cryptsvc.dll
2013-05-13 04:45:55    1160192    ----a-w-    C:\Windows\SysWow64\crypt32.dll
2013-05-13 04:45:55    103936    ----a-w-    C:\Windows\SysWow64\cryptnet.dll
2013-05-13 03:43:55    1192448    ----a-w-    C:\Windows\System32\certutil.exe
2013-05-13 03:08:10    903168    ----a-w-    C:\Windows\SysWow64\certutil.exe
2013-05-13 03:08:06    43008    ----a-w-    C:\Windows\SysWow64\certenc.dll
2013-05-11 06:29:54    49240    ----a-w-    C:\Windows\System32\drivers\AntiLog64.sys
2013-05-10 05:49:27    30720    ----a-w-    C:\Windows\System32\cryptdlg.dll
2013-05-10 03:20:54    24576    ----a-w-    C:\Windows\SysWow64\cryptdlg.dll
2013-05-08 06:39:01    1910632    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-05-02 07:06:08    278800    ----a-w-    C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 21:42:20.31 ===============
Edited by beepingUser, 30 July 2013 - 11:26 PM.
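An added example, not part of the original post and not code from the DDS tool or Malwarebytes: a small Python triage parser for the two DDS record types in the log above (the uRun/mRun autostart entries and the SERVICES / DRIVERS lines). It answers the kind of question the post asks, namely which autostarts launch from user-writable paths and which protection services the log shows as running or stopped. The sample lines are copied from the posted log except the "Updater" line, which is constructed to show what a hit looks like; the user-writable-path rule is a triage heuristic of this example, not a DDS feature.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
# Sample input: the first six lines are copied from the DDS log posted above; the
# "Updater" line is CONSTRUCTED to show what a hit looks like and is not in that log.
SAMPLE_DDS = r"""
uRun: [EasyTether] "C:\Program Files\Mobile Stream\EasyTether\easytthr.exe"
mRun: [ISTray] "C:\Program Files (x86)\PC Tools\PC Tools Security\pctsGui.exe" /hideGUI
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_224_Plugin.exe -update plugin
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-7-29 701512]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-3-18 25928]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-3-18 1255736]
uRun: [Updater] "C:\Users\admin\AppData\Local\Temp\updt.exe" /s
"""

# Autostart lines: "<u|m|x64->Run[Once]: [<name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>u|m|x64-)Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Service/driver lines: "<R|S><start type> <name>;<display>;<image> [<date> <size>]",
# R = running, S = stopped; the digit is the start type (0 = boot .. 4 = disabled).
SVC_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]*);(?P<display>[^;]*);"
                    r"(?P<path>.*?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$")
# Heuristic of this example: an autostart image under a user-writable directory is worth a look.
USER_WRITABLE = re.compile(r"(?i)\\(?:Users\\[^\\]+\\AppData|Temp)\\")

@dataclass
class Autostart:
    hive: str
    name: str
    command: str
@dataclass
class Service:
    running: bool
    start_type: int
    name: str
    path: str
    size: int

def image_path(cmd: str) -> str:
    """Strip arguments from an autostart command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)(.+?\.(?:exe|dll|sys))(?:[\s,]|$)", cmd)
    return m.group(1) if m else cmd.split(" ")[0]

def parse_dds(text: str) -> Tuple[List[Autostart], List[Service]]:
    autostarts, services = [], []  # lines of any other DDS section are ignored
    for line in text.splitlines():
        if m := RUN_RE.match(line):
            autostarts.append(Autostart(m["hive"], m["name"], m["cmd"]))
        elif m := SVC_RE.match(line):
            services.append(Service(m["state"] == "R", int(m["start"]), m["name"], m["path"], int(m["size"])))
    return autostarts, services

def flag_autostarts(entries: List[Autostart]) -> List[Autostart]:
    """Triage lead only: a user-writable image path is a reason to inspect, not a verdict."""
    return [e for e in entries if USER_WRITABLE.search(image_path(e.command))]

def protection_state(services: List[Service], names: List[str]) -> Dict[str, str]:
    """Is each named protection component running, stopped, or absent from the log?"""
    by_name = {s.name: s for s in services}
    return {n: "missing" if n not in by_name else ("running" if by_name[n].running else "stopped") for n in names}
```

Run against the full DDS.txt, `flag_autostarts` returns nothing for the posted log (every Run entry points into Program Files or Windows), and `protection_state` shows MBAMService and MBAMProtector as running, which is the state the poster wanted to confirm.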

#2 jeffce

Posted 04 August 2013 - 11:26 AM

Hi and Welcome!!

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE: Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

Having said that.... Let's get going!!
----------
 
Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

----------
 
 
AdwCleaner

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

----------


Topics are closed if you do not respond within 3 days.
If I am working with you and have not responded in a couple of days please PM me.

If you are satisfied with the help that you have received, please consider a donation.

#3 jeffce

Posted 06 August 2013 - 06:40 AM

Still here?

#4 jeffce

Posted 07 August 2013 - 06:38 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.