
SECUPDAT.DAT Not Removed


7 replies to this topic

#1 BillyJack (New Member, 3 posts)
MalwareBytes keeps finding SECUPDAT.DAT when a scan is performed. It indicates it will be removed on reboot but following a restart the scan finds it again. Is this a false positive and if not is there a way to manually remove this?

#2 negster22 (Elite Member, Experts, 1,130 posts, Location: Westchester County, NY)
Hi BillyJack,

Please post the complete MBAM log.

Also please follow the procedures recommended in this topic:
http://www.malwareby...?showtopic=9573

Download DDS and save it to your desktop from here


Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please copy and paste both logs into your next reply (do NOT attach them).

To sum it up, in your next reply I need to see:

1. MBAM log

2. HijackThis log

3. DDS - DDS.txt & Attach.txt posted in your reply - not attached

Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#3 BillyJack (New Member, 3 posts)
MBAM LOG:

Malwarebytes' Anti-Malware 1.41
Database version: 3145
Windows 5.2.3790

11/11/2009 6:59:54 AM
mbam-log-2009-11-11 (06-59-54).txt

Scan type: Quick Scan
Objects scanned: 174114
Time elapsed: 10 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> Delete on reboot.

HIJACK THIS LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:13 AM, on 11/11/2009
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
D:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
d:\SYSPRO60\base\CCITCP2.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
d:\SYSPRO60\base\SRVANY.EXE
d:\SYSPRO60\base\impcsu.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\USQLCS\BIN\USQLSD32.EXE
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\wbem\wmiservice.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wbem\wmiclisv.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\eng02.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wscript.exe
d:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe
C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe
C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Web\Service\NSAgent.exe
C:\WINDOWS\system32\mmc.exe
d:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [C22 Monitor] c:\program files\c22Tech\C22Monitor.vbs
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "d:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "d:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - ESC Trusted Zone: http://gateway.cms.2wire.com
O15 - ESC Trusted Zone: http://*.hp.com
O15 - ESC Trusted Zone: http://ftp.mozilla.org
O15 - ESC Trusted IP range: http://192.168.1.*
O15 - ESC Trusted IP range: http://127.0.0.1
O16 - DPF: {0638383F-68BF-4F95-B2A7-EB2B3FBCAE14} (AtxSmexInst Control) - https://goliath:4343...AtxSmexInst.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://goliath:4343...html/AtxEnc.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://localhost/Con...uter/nshelp.dll
O16 - DPF: {69B502DF-D12F-4FD7-9892-D8DFA2D96474} (OfficeScan Management Console) - https://goliath:4343.../AtxConsole.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124397352500
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.co...?BundleId=26688
O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - https://goliath:4343...html/AtxPie.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GoliathSolutions.local
O17 - HKLM\Software\..\Telephony: DomainName = GoliathSolutions.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEC700F2-4098-4228-AE02-6F995C12C6E4}: Domain = sbcglobal.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4B8ACCE-5E5D-4AF0-AED8-2BC3708C5BD2}: NameServer = 192.168.169.253,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GoliathSolutions.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = goliathsolutions.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = GoliathSolutions.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = goliathsolutions.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = GoliathSolutions.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = goliathsolutions.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = goliathsolutions.local
O20 - Winlogon Notify: vtUkihhE - C:\WINDOWS\
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: hpdj00 - HP - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1\hpdj00.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - D:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MBAMService - Malwarebytes Corporation - d:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Micro Focus CCITCP2 daemon (mf_CCITCP2) - Micro Focus International Ltd - d:\SYSPRO60\base\CCITCP2.EXE
O23 - Service: DataBase Manager Services (mscrcosd) - Unknown owner - C:\WINDOWS\system32\mscrco.exe
O23 - Service: Windows Video Devices Services (mswadkd) - Unknown owner - C:\WINDOWS\system32\mswadk.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScan Master Service (ofcservice) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScanMail_MailAction - Trend Micro Inc. - C:\Program Files\Trend\Smex\SMEXMA.exe
O23 - Service: ScanMail_Monitor - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstMon.exe
O23 - Service: ScanMail_RealTimeScan - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstRTS.exe
O23 - Service: ScanMail_Web - Trend Micro Inc. - C:\Program Files\Trend\Smex\WebRoot\InstWeb.exe
O23 - Service: SYSPRO6IMP - Unknown owner - d:\SYSPRO60\base\SRVANY.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: USQLSDMF4.00.0000 - Transoft Ltd - C:\USQLCS\BIN\USQLSD32.EXE
O23 - Service: Logon Authentication Service (WINVINFO) - Unknown owner - C:\WINDOWS\system32\wbem\wmiservice.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: WMI Client Service (WMICLISV) - Unknown owner - C:\WINDOWS\system32\wbem\wmiclisv.exe

--
End of file - 10453 bytes

DDS won't run on my system...

#4 negster22 (Elite Member, Experts, 1,130 posts, Location: Westchester County, NY)
Did you receive an error message regarding DDS?

Launch notepad by Clicking start -> run -> type notepad
Hit Enter
Paste the following text in the code box into the notepad window
Save the file to your desktop by setting the "Save as Type" to "all files", and save it as fix.bat

@ECHO OFF
sc stop mscrcosd
sc config mscrcosd start= disabled
sc stop mswadkd
sc config mswadkd start= disabled
sc stop WMICLISV
sc config WMICLISV start= disabled
sc stop WINVINFO
sc config WINVINFO start= disabled
if exist C:\output.txt del C:\output.txt
sc query mscrcosd > C:\output.txt
sc query mswadkd >> C:\output.txt
sc query WMICLISV >> C:\output.txt
sc query WINVINFO >> C:\output.txt
notepad C:\output.txt

Double-click the fix.bat icon on your desktop (allow the script to run and disable any script blocking programs which may interfere).

A notepad file will open called C:\output.txt. Please copy and paste its contents into your reply.

Scan with HijackThis by clicking the "Scan" button and place a checkmark next to the following items. Close ALL other windows and browsers except HijackThis. Click "Fix checked".

O20 - Winlogon Notify: vtUkihhE - C:\WINDOWS\
O23 - Service: DataBase Manager Services (mscrcosd) - Unknown owner - C:\WINDOWS\system32\mscrco.exe
O23 - Service: Windows Video Devices Services (mswadkd) - Unknown owner - C:\WINDOWS\system32\mswadk.exe
O23 - Service: Logon Authentication Service (WINVINFO) - Unknown owner - C:\WINDOWS\system32\wbem\wmiservice.exe
O23 - Service: WMI Client Service (WMICLISV) - Unknown owner - C:\WINDOWS\system32\wbem\wmiclisv.exe

Close HJT


Please perform a scan with the ESET online virus scanner:
http://www.eset.com/...escan/index.php
  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
  • Use Internet Explorer to navigate to the scanner website because you must approve the install of an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start"
  • Check the following two boxes:
    • enable "Remove found threats"
    • Scan unwanted applications
  • Click the Scan button to begin scanning.
  • When the scan is done the log is automatically saved. To retrieve it
    • Close the ESET scan Window.
    • Now open a run line by clicking Start >> Run...
    • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" into the Open box:
    • The Scan results will now display in Notepad
  • Please copy and paste the ESET scan report that can be found in this location
    C:\Program Files\EsetOnlineScanner\log.txt into your next reply

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

Post back output.txt, a new hijackthis log, and the ESET scan log
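
The triage in this reply picks out two kinds of HijackThis line: an O20 Winlogon Notify entry whose path is a bare directory rather than a DLL, and O23 services reported as "Unknown owner" that run from the Windows system directory. The Python script below is an added example for this thread, not a component of Malwarebytes, HijackThis or anything the poster ran; it parses the O20/O23 lines copied from the log posted above, flags entries by those two heuristics, and emits the same `sc stop` / `sc config ... start= disabled` pairs the batch file uses. The heuristics and the `SYSTEM_DIR_PREFIXES` tuple are this example's own assumptions about what is worth a second look, not an official rule.

```python
"""Review HijackThis O20/O23 lines for entries worth checking.

Added example for this thread; not a Malwarebytes or HijackThis component.
"""
import re
from typing import Dict, List, Optional

# O20/O23 lines copied from the HijackThis log posted earlier in the thread.
SAMPLE_HJT_LOG = r"""
O20 - Winlogon Notify: vtUkihhE - C:\WINDOWS\
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - D:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: DataBase Manager Services (mscrcosd) - Unknown owner - C:\WINDOWS\system32\mscrco.exe
O23 - Service: Windows Video Devices Services (mswadkd) - Unknown owner - C:\WINDOWS\system32\mswadk.exe
O23 - Service: SYSPRO6IMP - Unknown owner - d:\SYSPRO60\base\SRVANY.EXE
O23 - Service: Logon Authentication Service (WINVINFO) - Unknown owner - C:\WINDOWS\system32\wbem\wmiservice.exe
O23 - Service: WMI Client Service (WMICLISV) - Unknown owner - C:\WINDOWS\system32\wbem\wmiclisv.exe
"""

# Assumption of this example: a service with no readable company name is only
# escalated when its binary sits under the Windows system directory. That keeps
# SRVANY-style wrappers on other drives (SYSPRO6IMP above) out of the list.
SYSTEM_DIR_PREFIXES = ("c:\\windows\\system32\\",)


def parse_o23(line: str) -> Optional[Dict[str, str]]:
    """Split 'O23 - Service: <display> (<name>) - <owner> - <path>'.

    rsplit from the right so a display name containing ' - ' still parses;
    the short service name in parentheses is optional in HJT output.
    """
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    m = re.search(r"\(([^()\s]+)\)$", display)
    return {
        "kind": "O23",
        "display": display,
        "name": m.group(1) if m else display,
        "owner": owner,
        "path": path,
    }


def parse_o20(line: str) -> Optional[Dict[str, str]]:
    """Split 'O20 - Winlogon Notify: <name> - <path>'."""
    prefix = "O20 - Winlogon Notify: "
    if not line.startswith(prefix):
        return None
    name, sep, path = line[len(prefix):].partition(" - ")
    if not sep:
        return None
    return {"kind": "O20", "name": name, "path": path}


def review_hjt_log(text: str) -> List[Dict[str, str]]:
    """Return the entries a reviewer would want to look at, with a reason each."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        entry = parse_o23(line) or parse_o20(line)
        if entry is None:
            continue
        reason = None
        if entry["kind"] == "O23":
            in_system_dir = entry["path"].lower().startswith(SYSTEM_DIR_PREFIXES)
            if entry["owner"] == "Unknown owner" and in_system_dir:
                reason = "no company name in the file, yet it runs from the system directory"
        else:
            # A Winlogon Notify package must name a DLL; a bare directory is not usable.
            if not entry["path"] or entry["path"].endswith("\\"):
                reason = "Winlogon Notify entry points at a directory, not a DLL"
        if reason:
            findings.append({**entry, "reason": reason})
    return findings


def sc_commands(service_names: List[str]) -> List[str]:
    """Build the stop/disable pairs used in the fix.bat posted above, one per service."""
    commands: List[str] = []
    for name in service_names:
        commands.append(f"sc stop {name}")
        commands.append(f"sc config {name} start= disabled")
    return commands


if __name__ == "__main__":
    flagged = review_hjt_log(SAMPLE_HJT_LOG)
    for f in flagged:
        print(f"{f['kind']} {f['name']}: {f['reason']}")
    print("\n".join(sc_commands([f["name"] for f in flagged if f["kind"] == "O23"])))
```

"Unknown owner" by itself only means HijackThis found no company name in the file's version information, which some legitimate tools also lack; the system-directory condition is what narrows the list to the same four services the reply singles out, and the generated commands are for review, not for blind execution.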

#5 BillyJack (New Member, 3 posts)
Ran a few online virus scans and also SuperAntiSpyware. The last MalwareBytes scan indicates the previously reported problem is now gone...

Malwarebytes' Anti-Malware 1.41
Database version: 3173
Windows 5.2.3790

11/15/2009 3:05:02 AM
mbam-log-2009-11-15 (03-05-02).txt

Scan type: Quick Scan
Objects scanned: 174792
Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 negster22 (Elite Member, Experts, 1,130 posts, Location: Westchester County, NY)
That's encouraging news, but can you post a new HJT log so I can see if it's clean please.

#7 therimalaya (New Member, 1 post)
I've a similar problem. Can I post in this topic?
Please help!

#8 negster22 (Elite Member, Experts, 1,130 posts, Location: Westchester County, NY)
therimalaya, sorry but you have to create a completely new topic.