Tarma Installer


  • This topic is locked
2 replies to this topic

#1 stratblast


  • Members
  • 25 posts
  • OFFLINE
  • Local time:01:14 PM

Posted 06 October 2013 - 04:17 AM

I'm pretty sure Tarma is the program that infected me. Microsoft Security Essentials was disabled and unable to start after removing some of it with Malwarebytes'. I can't install MSE now because of a 0x80070643 error and I believe there is still something evil in the computer. Here are the DDS results.

Thank you,

Bill

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16686  BrowserJavaVersion: 10.25.2
Run by DTC-3 at 2:16:51 on 2013-10-06
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3071.1343 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\system32\rserver30\RServer3.exe
C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Program Files\Silicondust\HDHomeRun\hdhomerun_service.exe
C:\Windows\system32\conhost.exe
C:\Program Files\TeamViewer\Version8\TeamViewer.exe
C:\Program Files\TeamViewer\Version8\tv_w32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\DTC-3\AppData\Local\Autobahn\nexdef.exe
C:\Windows\system32\rserver30\FamItrfc.Exe
C:\Windows\system32\rserver30\FamItrfc.Exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\rserver30\FamItrf2.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = Preserve
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
uRun: [cdloader] "c:\users\dtc-3\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\iastoriconlaunch.exe "c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe" 60
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Nvtmru] "c:\program files\nvidia corporation\nvidia update core\nvtmru.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\dtc-3\appdata\roaming\micros~1\windows\startm~1\programs\startup\nexdef~1.lnk - c:\users\dtc-3\appdata\local\autobahn\nexdef.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - file:///E:/LTOCX14N.cab
DPF: {0F1B49C0-9894-4696-8E8D-DB1F5D02FBAB} - hxxp://mousecoguy.dyndns-ip.com:1026/UltraMJCamX.cab
DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} - hxxp://nettee.selfip.com:99/WebClient.exe
DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file:///E:/CDVIEWER/CdViewer.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{E2677FEF-0376-457E-8A8F-36F4B82C1A4E} : DHCPNameServer = 192.168.0.1
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\progra~1\nvidia~1\nvstreamsrv\rxinput.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dtc-3\appdata\roaming\mozilla\firefox\profiles\3rvdkek1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - plugin: c:\windows\system32\webclient\npwebclient.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iaStorA;iaStorA;c:\windows\system32\drivers\iaStorA.sys [2012-8-13 530752]
R0 iaStorF;iaStorF;c:\windows\system32\drivers\iaStorF.sys [2012-8-13 24896]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [2011-11-28 752128]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2009-10-9 46304]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2013-8-14 87968]
R2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2011-11-28 3246040]
R2 HDHomeRun Service;HDHomeRun Service;c:\program files\silicondust\hdhomerun\hdhomerun_service.exe [2012-4-5 16384]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2012-9-11 7168]
R2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\nvidia corporation\nvstreamsrv\nvstreamsvc.exe [2013-8-14 14592288]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2011-6-14 794272]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2009-10-9 1242504]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2009-5-22 27648]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2013-9-12 414496]
R2 TeamViewer8;TeamViewer 8;c:\program files\teamviewer\version8\TeamViewer_Service.exe [2013-5-13 5071712]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2011-11-28 167968]
R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2009-10-9 3328]
R3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad32v.sys [2013-8-14 34592]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2013-6-18 669912]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-7-13 20480]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9e4f96c4af090;Google Update Service (gupdate1c9e4f96c4af090);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DWA;Wireless USB Device Adapter;c:\windows\system32\drivers\WSR_DWA.SYS [2010-8-5 508416]
S3 hwa;Wireless USB Host Adapter;c:\windows\system32\drivers\WSR_HWA.SYS [2010-8-5 823296]
S3 HWARadio;Wireless USB Host Radio;c:\windows\system32\drivers\WSR_RCI.SYS [2010-8-5 146432]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-5-22 112128]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 107392]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-6-20 295376]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2012-11-29 20080]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-11-18 14848]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-11-18 49664]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-5 1343400]
.
=============== Created Last 30 ================
.
2013-10-06 04:28:23 697992 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{be40bd34-df26-5971-8932-b49359a49e77}\GapaEngine.dll
2013-10-06 04:28:17 7328304 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{fedd2af4-de5f-45ff-94bc-09db37e5b11e}\mpengine.dll
2013-10-06 04:01:13 -------- d-----w- c:\users\dtc-3\Pavark
2013-10-06 03:42:18 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-10-06 03:33:40 -------- d-----w- C:\46faf0a4f645760286ea0fe866578d
2013-10-06 03:09:43 -------- d-----w- C:\44e6af91658b4df32293a1b86d
2013-10-05 13:43:13 -------- d-----w- C:\Kaspersky Rescue Disk 10.0
2013-10-02 16:12:33 7328304 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1d01d5a4-8fe9-4028-9f3f-3fca0dd35bec}\mpengine.dll
2013-10-01 00:21:25 7328304 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-09-23 23:50:14 2555168 ----a-w- c:\windows\system32\nvsvcr.dll
2013-09-23 22:18:49 -------- d-----w- c:\users\dtc-3\appdata\roaming\NVIDIA
2013-09-23 22:06:54 -------- d-----w- c:\program files\iPod
2013-09-23 22:06:53 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-09-23 22:06:53 -------- d-----w- c:\program files\iTunes
2013-09-23 21:13:04 9430408 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-09-23 20:06:12 -------- d-----w- c:\users\dtc-3\appdata\local\Nero
2013-09-23 19:57:24 718712 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{40031baf-f5f5-4193-bfb2-10f8c9c6971d}\gapaengine.dll
2013-09-18 05:23:20 9253664 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-09-12 08:17:50 571168 ----a-w- c:\windows\system32\nvStreaming.exe
.
==================== Find3M  ====================
.
2013-09-23 21:13:12 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-23 21:13:12 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-12 06:28:40 4265760 ----a-w- c:\windows\system32\nvcpl.dll
2013-09-12 06:28:40 3006240 ----a-w- c:\windows\system32\nvsvc.dll
2013-09-12 06:28:37 662816 ----a-w- c:\windows\system32\nvvsvc.exe
2013-09-12 06:28:37 62752 ----a-w- c:\windows\system32\nvshext.dll
2013-09-12 06:28:36 209184 ----a-w- c:\windows\system32\nvmctray.dll
2013-09-11 20:27:01 3361114 ----a-w- c:\windows\system32\nvcoproc.bin
2013-08-14 11:41:03 77528 ----a-w- c:\windows\system32\RtNicProp32.dll
2013-08-14 11:41:03 669912 ----a-w- c:\windows\system32\drivers\Rt86win7.sys
2013-08-14 11:41:03 102104 ----a-w- c:\windows\system32\RTNUninst32.dll
2013-08-14 10:07:19 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-08-14 10:07:17 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-08-14 10:07:17 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-08-10 03:59:10 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-08-10 03:58:09 2876928 ----a-w- c:\windows\system32\jscript9.dll
2013-08-10 03:58:06 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-08-10 03:58:06 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-08-10 03:07:50 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-08-10 02:17:19 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-08-08 01:03:07 2348544 ----a-w- c:\windows\system32\win32k.sys
2013-08-05 01:56:47 133056 ----a-w- c:\windows\system32\drivers\ataport.sys
2013-08-02 01:50:36 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-08-02 01:49:19 293376 ----a-w- c:\windows\system32\KernelBase.dll
2013-08-02 00:52:57 271360 ----a-w- c:\windows\system32\conhost.exe
2013-08-02 00:43:05 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-07-25 08:57:27 1620992 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-19 01:41:01 2048 ----a-w- c:\windows\system32\tzres.dll
2013-07-09 05:03:34 3968960 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-07-09 05:03:34 3913664 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-09 04:53:46 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-07-09 04:52:10 175104 ----a-w- c:\windows\system32\wintrust.dll
2013-07-09 04:50:42 652800 ----a-w- c:\windows\system32\rpcrt4.dll
2013-07-09 04:46:31 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-07-09 04:46:31 1166848 ----a-w- c:\windows\system32\crypt32.dll
2013-07-09 04:46:31 103936 ----a-w- c:\windows\system32\cryptnet.dll
.
============= FINISH:  2:17:09.48 ===============
 

Would you ask a poor man how to make money?
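A triage pass over the "Pseudo HJT Report" section of a DDS log like the one above, added here as an example (it is not code from DDS, from BleepingComputer or from the poster). It picks out the lines a malware-response helper would look at first: the mPolicies-System values that disable UAC, orphaned CLSIDs, the DPF entry fetched from a remote host, the AppInit_DLLs value and autostarts that run from the user profile. The sample lines are copied from the log above; a flag means "review this", not a verdict.

```python
import re

# Constructed excerpt of the "Pseudo HJT Report" section of the DDS log posted
# above (lines copied from it). This triage helper is an added example, not
# part of DDS or of the thread; a flag means "worth a reviewer's look", not
# "malicious" (cdloader2.exe, for instance, is magicJack's own launcher).
SAMPLE_LOG = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
uRun: [cdloader] "c:\users\dtc-3\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\users\dtc-3\appdata\roaming\micros~1\windows\startm~1\programs\startup\nexdef~1.lnk - c:\users\dtc-3\appdata\local\autobahn\nexdef.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
DPF: {0F1B49C0-9894-4696-8E8D-DB1F5D02FBAB} - hxxp://mousecoguy.dyndns-ip.com:1026/UltraMJCamX.cab
AppInit_DLLs= c:\progra~1\nvidia~1\nvstreamsrv\rxinput.dll
SSODL: WebCheck - <orphaned>
"""

# mPolicies-System values that, at these settings, weaken or disable UAC:
# EnableLUA=0 turns it off, ConsentPromptBehaviorAdmin=0 elevates admins
# silently, PromptOnSecureDesktop=0 shows prompts on the normal desktop.
UAC_WEAK = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0",
            "PromptOnSecureDesktop": "0"}
POLICY_RE = re.compile(r"^mPolicies-System:\s*(\w+)\s*=\s*dword:([0-9a-f]+)", re.I)
AUTORUN_RE = re.compile(r"^(uRun|mRun|StartupFolder):", re.I)


def triage(log: str) -> list[tuple[str, str]]:
    """Return (category, line) pairs for log lines a reviewer should inspect."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:                                   # UAC policy line: flag only weak values
            if UAC_WEAK.get(m.group(1)) == m.group(2):
                findings.append(("uac-weakened", line))
        elif line.endswith(("<orphaned>", "<no file>")):
            findings.append(("orphaned-entry", line))    # CLSID whose file is gone
        elif line.startswith("DPF:") and "hxxp://" in line:
            findings.append(("remote-activex", line))    # ActiveX pulled from the internet
        elif line.startswith("AppInit_DLLs="):
            findings.append(("appinit-dll", line))       # DLL injected into GUI processes
        elif AUTORUN_RE.match(line) and "\\appdata\\" in line.lower():
            findings.append(("userprofile-autorun", line))  # autostart from user-writable path
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"[{category}] {line}")
```

On the sample above it reports three UAC lines, three orphaned entries, two user-profile autostarts, one remote DPF entry and one AppInit_DLLs value; the mRun line for msseces.exe and the ConsentPromptBehaviorUser=3 line are left alone.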

#2 stratblast

  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:01:14 PM

Posted 07 October 2013 - 09:02 AM

This thread can be closed. I did a system restore and ran Malwarebytes'. It found the Tarma installer and removed it. I believe the PC is fine now. Thank you, I don't want to clog up the forum or waste anyone's time.
Would you ask a poor man how to make money?

#3 nasdaq


  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:14 PM

Posted 07 October 2013 - 09:52 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



