Issue with secupdat.dat file


Hello,

I've been dealing with different types of trojans in multiple systems and flash drives at work. I was able to clean them all using Malwarebytes except for 2 systems. On these 2 systems, Malwarebytes is detecting 1 infected file called secupdat.dat located in C:\Windows\system32 (Malwarebytes refers to it as Backdoor.Bot) and the action taken is Delete on reboot, but I scan again on the next reboot and Malwarebytes is still detecting it. I tried to search for that file in the system32 folder but I didn't find it, and if I run Malwarebytes in safe mode it doesn't detect it. The following is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 3

9/11/2009 4:45:49 PM

mbam-log-2009-09-11 (16-45-49).txt

Scan type: Quick Scan

Objects scanned: 91675

Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> Delete on reboot.

Do you think this is a false positive? If not, what can be done?

  • Staff

Hi and welcome to Malwarebytes.

No, that is not a false positive, and it is likely that other malware also resides on your system. Let's take a closer look.

Download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.

-screen317


Please ignore my previous post. This is the log for the infected computer. Sorry about that.

DDS (Ver_09-07-30.01) - NTFSx86

Run by Operator at 7:42:18.89 on Mon 09/14/2009

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.981.406 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\WINDOWS\system32\EloSrvce.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe

C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\WINDOWS\SoftwareDistribution\Download\Install\IE8-WindowsXP-x86-ENU.exe

c:\e0707efe1041b2f5de\update\iesetup.exe

F:\dds.pif

============== Pseudo HJT Report ===============

uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=4081127

mStart Page = hxxp://www.dell.com

uInternet Connection Wizard,ShellNext = hxxp://www.malwarebytes.org/contact.php

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.7.2.11\IPSBHO.DLL

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"

mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRunOnce: [KB923561] rundll32.exe apphelp.dll,ShimFlushCache

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252705866703

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.7.2.11\CoIEPlg.dll

Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 ajwkdcaj;ajwkdcaj;c:\windows\system32\drivers\ajwkdcaj.sys [2009-9-10 33440]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-10 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1007020.00b\BHDrvx86.sys [2009-9-10 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1007020.00b\cchpx86.sys [2009-9-10 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090910.003\IDSXpx86.sys [2009-9-10 276344]

R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-9-10 269648]

R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2009-9-10 117640]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-10 102448]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-9-10 19160]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090913.019\NAVENG.SYS [2009-9-13 84912]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090913.019\NAVEX15.SYS [2009-9-13 1323568]

S2 ACCESNT;ACCESNT;c:\windows\system32\drivers\accesnt.sys --> c:\windows\system32\drivers\accesnt.sys [?]

S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-4-25 26488]

S3 drvxwdm;Drvxwdm;c:\windows\system32\drivers\Drvxwdm.sys [2003-10-20 33024]

S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2009-8-4 18432]

S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2009-8-4 14336]

=============== Created Last 30 ================

2009-09-14 07:39 <DIR> --d----- C:\e0707efe1041b2f5de

2009-09-14 07:31 1,676,288 a------- c:\windows\system32\SET2BD.tmp

2009-09-14 07:31 575,488 a------- c:\windows\system32\SET2BE.tmp

2009-09-14 07:31 117,760 a------- c:\windows\system32\SET2BF.tmp

2009-09-14 07:31 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll

2009-09-14 07:31 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-09-14 07:31 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll

2009-09-14 07:31 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-09-14 07:31 <DIR> --d----- C:\89c07bda37bd78ac8174

2009-09-14 07:24 304 a------- c:\windows\system32\spupdsvc.inf

2009-09-11 18:02 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll

2009-09-11 18:02 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx

2009-09-11 17:55 247,326 -c------ c:\windows\system32\dllcache\strmdll.dll

2009-09-11 17:55 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys

2009-09-11 17:55 1,106,944 a------- c:\windows\system32\SET133.tmp

2009-09-11 17:55 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

2009-09-11 17:54 <DIR> --d----- c:\windows\system32\PreInstall

2009-09-11 17:51 31,768 a------- c:\windows\system32\wucltui.dll.mui

2009-09-11 17:51 <DIR> --d----- c:\windows\system32\SoftwareDistribution

2009-09-11 17:51 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui

2009-09-11 17:51 23,576 a------- c:\windows\system32\wuapi.dll.mui

2009-09-11 17:51 18,456 a------- c:\windows\system32\wuaueng.dll.mui

2009-09-11 17:51 <DIR> --ds---- c:\documents and settings\operator\UserData

2009-09-11 17:23 <DIR> --d----- c:\windows\system32\appmgmt

2009-09-11 17:09 <DIR> --d----- c:\program files\SpyZooka

2009-09-11 14:37 <DIR> a-dshr-- C:\cmdcons

2009-09-11 14:36 230,912 a------- c:\windows\PEV.exe

2009-09-11 14:36 161,792 a------- c:\windows\SWREG.exe

2009-09-11 14:36 98,816 a------- c:\windows\sed.exe

2009-09-11 09:07 <DIR> --d----- c:\program files\Trend Micro

2009-09-10 17:19 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys

2009-09-10 17:19 60,808 a------- c:\windows\system32\S32EVNT1.DLL

2009-09-10 17:19 7,456 a------- c:\windows\system32\drivers\SYMEVENT.CAT

2009-09-10 17:19 806 a------- c:\windows\system32\drivers\SYMEVENT.INF

2009-09-10 17:19 124,976 a------- c:\windows\system32\drivers\SYMEVENT.SYS

2009-09-10 17:19 <DIR> --d----- c:\program files\Symantec

2009-09-10 17:19 <DIR> --d----- c:\program files\common files\Symantec Shared

2009-09-10 17:19 <DIR> --d----- c:\windows\system32\drivers\NIS

2009-09-10 17:19 <DIR> --d----- c:\program files\Norton Internet Security

2009-09-10 17:19 <DIR> --d----- c:\program files\NortonInstaller

2009-09-10 14:19 <DIR> --d----- c:\docume~1\operator\applic~1\Malwarebytes

2009-09-10 14:19 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 14:19 19,160 a------- c:\windows\system32\drivers\mbam.sys

2009-09-10 14:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-09-10 14:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-09-10 14:17 <DIR> --d----- c:\program files\EloTouchSystems

2009-09-10 13:06 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\{9454A426-3FAF-459D-BE28-8100355EC7D7}

2009-09-10 13:05 172,032 a------- c:\windows\system32\NetEdLib.dll

2009-09-10 13:05 5,697 a------- c:\windows\HEIDB.INI

2009-09-10 13:05 51 a------- c:\windows\DS500.INI

2009-09-10 13:05 77,824 a------- c:\windows\system32\HEI32_3.DLL

2009-09-10 13:05 <DIR> --d----- C:\HAPTools

2009-09-10 12:59 12,288 a---h--- c:\documents and settings\operator\prpt.exe

2009-09-10 11:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec

2009-09-10 11:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton

2009-09-10 11:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller

2009-09-10 11:27 33,440 a------- c:\windows\system32\drivers\ajwkdcaj.sys

2009-09-10 11:26 664 a------- c:\windows\system32\d3d9caps.dat

2009-09-10 11:26 12,288 a---h--- c:\documents and settings\operator\gswx.exe

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll

2009-07-29 00:37 119,808 a------- c:\windows\system32\t2embed.dll

2009-07-29 00:37 81,920 a------- c:\windows\system32\fontsub.dll

2009-07-18 12:05 1,509,888 a------- c:\windows\system32\SET4BB.tmp

2009-07-18 12:05 3,069,440 -------- c:\windows\system32\SET4BC.tmp

2009-07-17 15:01 58,880 a------- c:\windows\system32\SET505.tmp

2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll

2009-06-26 12:50 620,032 a------- c:\windows\system32\SET4BA.tmp

2009-06-26 12:50 666,624 -------- c:\windows\system32\SET4B9.tmp

2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll

2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll

2009-06-25 04:25 301,568 a------- c:\windows\system32\SET4D7.tmp

2009-06-25 04:25 147,456 a------- c:\windows\system32\SET4D5.tmp

2009-06-25 04:25 136,192 a------- c:\windows\system32\SET4D6.tmp

2009-06-25 04:25 54,272 a------- c:\windows\system32\SET4D3.tmp

2009-06-25 04:25 56,832 -------- c:\windows\system32\SET4D4.tmp

============= FINISH: 7:42:45.29 ===============

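The DDS log above lists a boot-start driver (R0 ajwkdcaj) that carries no vendor description and whose file also appears in the "Created Last 30" section; cross-referencing those two sections is one of the first checks an analyst makes on a log like this. As an added example, not from this thread or from the DDS tool, here is a small parser over constructed lines in the DDS format that performs that check and returns the driver names worth a closer look; the R0/R1 filter and the `known_ok` allow-list are assumptions of this example, and a hit means "review", not "malicious".

```python
import re

# Constructed sample in the shape of the DDS "SERVICES / DRIVERS" and
# "Created Last 30" sections from the thread (abridged, not the full log).
DDS_SAMPLE = r"""
============= SERVICES / DRIVERS ===============
R0 ajwkdcaj;ajwkdcaj;c:\windows\system32\drivers\ajwkdcaj.sys [2009-9-10 33440]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-10 310320]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-9-10 19160]
S3 drvxwdm;Drvxwdm;c:\windows\system32\drivers\Drvxwdm.sys [2003-10-20 33024]
=============== Created Last 30 ================
2009-09-10 14:19 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-10 11:27 33,440 a------- c:\windows\system32\drivers\ajwkdcaj.sys
==================== Find3M ====================
"""

# "R0 name;description;path [yyyy-m-d size]"; lines without a datestamp (e.g. "[?]") are skipped.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+\d+\]$")
# "yyyy-mm-dd hh:mm size-or-<DIR> attrs path"; the path may contain spaces.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$")

def parse_dds(text):
    """Return (service entries, {lowercased path: creation date}) from a DDS log."""
    section, services, created = None, [], {}
    for line in text.splitlines():
        if line.startswith("===="):            # section banner, e.g. "=== Created Last 30 ==="
            section = line.strip("= ").lower()
            continue
        if section == "services / drivers":
            m = SERVICE_RE.match(line)
            if m:
                services.append({"state": m.group(1), "name": m.group(2),
                                 "desc": m.group(3), "path": m.group(4).lower()})
        elif section == "created last 30":
            m = CREATED_RE.match(line)
            if m:
                created[m.group(2).lower()] = m.group(1)
    return services, created

def triage_drivers(text, known_ok=("mbamprotector",)):
    """Names of boot/system-start drivers (R0/R1) whose file was created in the
    last 30 days and whose description is just the service name repeated."""
    services, created = parse_dds(text)
    flagged = []
    for s in services:
        kernel_start = s["state"] in ("R0", "R1")
        no_vendor_desc = s["desc"].strip().lower() == s["name"].strip().lower()
        if kernel_start and no_vendor_desc and s["path"] in created \
                and s["name"].lower() not in known_ok:
            flagged.append(s["name"])
    return flagged
```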

  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
