BillyJack Posted November 10, 2009 ID:156124 Share Posted November 10, 2009 MalwareBytes keeps finding SECUPDAT.DAT when a scan is performed. It indicates it will be removed on reboot but following a restart the scan finds it again. Is this a false positive and if not is there a way to manually remove this? Link to post Share on other sites More sharing options...
negster22 Posted November 11, 2009 ID:156240 Share Posted November 11, 2009 Hi BillyJack,Please post the complete MBAM log.Also please follow the procedures recommended in this topic:http://www.malwarebytes.org/forums/index.php?showtopic=9573Download DDS and save it to your desktop from hereDisable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dss.scr to run the tool.When done, DDS will open two (2) logs:DDS.txtAttach.txt[*]Save both reports to your desktop[*]Please copy and paste both logs into your next reply (do NOT attach them).To sum it up, In your next reply, I need to see:1. MBAM log2. HijackThis log3. DDS - DDS.txt & Attach.txt posted in your reply - not attached Link to post Share on other sites More sharing options...
BillyJack Posted November 11, 2009 Author ID:156440 Share Posted November 11, 2009 MBAM LOG:Malwarebytes' Anti-Malware 1.41Database version: 3145Windows 5.2.379011/11/2009 6:59:54 AMmbam-log-2009-11-11 (06-59-54).txtScan type: Quick ScanObjects scanned: 174114Time elapsed: 10 minute(s), 11 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> Delete on reboot.HIJACK THIS LOG:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:10:13 AM, on 11/11/2009Platform: Windows 2003 (WinNT 5.02.3790)MSIE: Internet Explorer v6.00 (6.00.3790.0000)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\Dfssvc.exeC:\WINDOWS\System32\dns.exeD:\Program Files\CA\SharedComponents\iTechnology\igateway.exeC:\WINDOWS\system32\inetsrv\inetinfo.exeC:\WINDOWS\system32\CBA\pds.exeC:\Program Files\LogMeIn\x86\RaMaint.exeC:\Program Files\LogMeIn\x86\LogMeIn.exeC:\Program Files\LogMeIn\x86\LMIGuardian.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEd:\SYSPRO60\base\CCITCP2.EXEC:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exeC:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exeC:\WINDOWS\system32\ntfrs.exeC:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exeC:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXEd:\SYSPRO60\base\SRVANY.EXEd:\SYSPRO60\base\impcsu.exeC:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exeC:\USQLCS\BIN\USQLSD32.EXEC:\WINDOWS\System32\wins.exeC:\WINDOWS\system32\wbem\wmiservice.exeC:\Program Files\RealVNC\VNC4\WinVNC4.exeC:\WINDOWS\system32\wbem\wmiclisv.exeC:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exeC:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\eng02.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\rdpclip.exeC:\WINDOWS\Explorer.EXEC:\Program Files\LogMeIn\x86\LogMeInSystray.exeC:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exeC:\Program Files\LogMeIn\x86\LMIGuardian.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeC:\WINDOWS\system32\wscript.exed:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\WINDOWS\system32\mmc.exeC:\Program Files\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exeC:\Program Files\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exeC:\Program Files\Trend Micro\OfficeScan\PCCSRV\Web\Service\NSAgent.exeC:\WINDOWS\system32\mmc.exed:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\WINDOWS\system32\NOTEPAD.EXED:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htmR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.comR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companywebR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.comF2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exeO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocxO4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"O4 - HKLM\..\Run: [C22 Monitor] c:\program files\c22Tech\C22Monitor.vbsO4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindowO4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "d:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptO4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "d:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttrayO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htmO9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htmO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dllO14 - IERESET.INF: START_PAGE_URL=http://companywebO15 - ESC Trusted Zone: http://gateway.cms.2wire.comO15 - ESC Trusted Zone: http://*.hp.comO15 - ESC Trusted Zone: http://ftp.mozilla.orgO15 - ESC Trusted IP range: http://192.168.1.*O15 - ESC Trusted IP range: http://127.0.0.1O16 - DPF: {0638383F-68BF-4F95-B2A7-EB2B3FBCAE14} (AtxSmexInst Control) - https://goliath:4343/officescan/console/html/AtxSmexInst.cabO16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cabO16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://goliath:4343/officescan/console/html/AtxEnc.cabO16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://localhost/ConnectComputer/nshelp.dllO16 - DPF: {69B502DF-D12F-4FD7-9892-D8DFA2D96474} (OfficeScan Management Console) - https://goliath:4343/officescan/console/html/AtxConsole.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124397352500O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=26688O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - https://goliath:4343/officescan/console/html/AtxPie.cabO16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GoliathSolutions.localO17 - HKLM\Software\..\Telephony: DomainName = GoliathSolutions.localO17 - HKLM\System\CCS\Services\Tcpip\..\{DEC700F2-4098-4228-AE02-6F995C12C6E4}: Domain = sbcglobal.netO17 - HKLM\System\CCS\Services\Tcpip\..\{F4B8ACCE-5E5D-4AF0-AED8-2BC3708C5BD2}: NameServer = 192.168.169.253,208.67.220.220O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GoliathSolutions.localO17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = goliathsolutions.localO17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = GoliathSolutions.localO17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = goliathsolutions.localO17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = GoliathSolutions.localO17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = goliathsolutions.localO17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = goliathsolutions.localO20 - Winlogon Notify: vtUkihhE - C:\WINDOWS\O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPBPRO.EXEO23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPBOID.EXEO23 - Service: hpdj00 - HP - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1\hpdj00.exeO23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - D:\Program Files\CA\SharedComponents\iTechnology\igateway.exeO23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exeO23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exeO23 - Service: MBAMService - Malwarebytes Corporation - d:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeO23 - Service: Micro Focus CCITCP2 daemon (mf_CCITCP2) - Micro Focus International Ltd - d:\SYSPRO60\base\CCITCP2.EXEO23 - Service: DataBase Manager Services (mscrcosd) - Unknown owner - C:\WINDOWS\system32\mscrco.exeO23 - Service: Windows Video Devices Services (mswadkd) - Unknown owner - C:\WINDOWS\system32\mswadk.exeO23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exeO23 - Service: OfficeScan Master Service (ofcservice) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: ScanMail_MailAction - Trend Micro Inc. - C:\Program Files\Trend\Smex\SMEXMA.exeO23 - Service: ScanMail_Monitor - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstMon.exeO23 - Service: ScanMail_RealTimeScan - Trend Micro Inc. - C:\Program Files\Trend\Smex\InstRTS.exeO23 - Service: ScanMail_Web - Trend Micro Inc. - C:\Program Files\Trend\Smex\WebRoot\InstWeb.exeO23 - Service: SYSPRO6IMP - Unknown owner - d:\SYSPRO60\base\SRVANY.EXEO23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exeO23 - Service: USQLSDMF4.00.0000 - Transoft Ltd - C:\USQLCS\BIN\USQLSD32.EXEO23 - Service: Logon Authentication Service (WINVINFO) - Unknown owner - C:\WINDOWS\system32\wbem\wmiservice.exeO23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exeO23 - Service: WMI Client Service (WMICLISV) - Unknown owner - C:\WINDOWS\system32\wbem\wmiclisv.exe--End of file - 10453 bytesDDS won't run on my system... Link to post Share on other sites More sharing options...
negster22 Posted November 12, 2009 ID:156779 Share Posted November 12, 2009 Did you receive an error message regarding DDS?Launch notepad by Clicking start -> run -> type notepadHit EnterPaste the following text in the code box into the notepad windowSave the file to your desktop by setting the "Save as Type" to "all files", and save it as fix.bat@ECHO OFFsc stop mscrcosdsc config mscrcosd start= disabledsc stop mswadkdsc config mswadkd start= disabledsc stop WMICLISVsc config WMICLISV start= disabledsc stop WINVINFOsc config WINVINFO start= disabledif exist C:\output.txt del C:\output.txtsc query mscrcosd > C:\output.txtsc query mswadkd >> C:\output.txtsc query WMICLISV >> C:\output.txtsc query WINVINFO >> C:\output.txtnotepad C:\output.txtDouble-click the fix.bat icon on your desktop (allow the script to run and disable any script blocking programs which may interfere).A notepad file will open called C:\output.txt. Please copy and paste the contents in a reply back C:\output.txtScan with HijackThis by clicking the "Scan "button and place a checkmark next to the following items. Close ALL other windows and browsers except HijackThis. Click "fix checked".O20 - Winlogon Notify: vtUkihhE - C:\WINDOWS\O23 - Service: DataBase Manager Services (mscrcosd) - Unknown owner - C:\WINDOWS\system32\mscrco.exeO23 - Service: Windows Video Devices Services (mswadkd) - Unknown owner - C:\WINDOWS\system32\mswadk.exeO23 - Service: Logon Authentication Service (WINVINFO) - Unknown owner - C:\WINDOWS\system32\wbem\wmiservice.exeO23 - Service: WMI Client Service (WMICLISV) - Unknown owner - C:\WINDOWS\system32\wbem\wmiclisv.exeClose HJTPlease perform a scan with the ESET online virus scanner:http://www.eset.com/onlinescan/index.phpESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.Use Internet Explorer to navigate to the scanner website because you must approve install an ActiveX add-on to complete the scan.Check the "Yes, I accept the terms of use" box.Click "Start"Check the boxes the following two boxes:enable "Remove found threats"Scan unwanted applications[*]Click the Scan button to begin scanning.[*]When the scan is done the log is automatically saved. To retrieve itClose the ESET scan Window.Now open a run line by clicking Start >> Run...Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" ino the Open box:The Scan results will now display in Notepad[*]Please copy and paste the ESET scan report that can be found in this locationC:\Program Files\EsetOnlineScanner\log.txt into your next replyNote to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.Post back output.txt, a new hijackthis log, and the ESET scan log Link to post Share on other sites More sharing options...
BillyJack Posted November 15, 2009 Author ID:158209 Share Posted November 15, 2009 Ran a few only virus scans and also Super-Anti Spyware. The last MalwareBytes scan indicates the previously reported problem is now gone...Malwarebytes' Anti-Malware 1.41Database version: 3173Windows 5.2.379011/15/2009 3:05:02 AMmbam-log-2009-11-15 (03-05-02).txtScan type: Quick ScanObjects scanned: 174792Time elapsed: 4 minute(s), 56 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
negster22 Posted November 15, 2009 ID:158218 Share Posted November 15, 2009 That's encouraging news, but can you post a new HJT log so I can see if it's clean please. Link to post Share on other sites More sharing options...
therimalaya Posted November 19, 2009 ID:159899 Share Posted November 19, 2009 I've similar Problem, Can i post in this topic ? plz help! Link to post Share on other sites More sharing options...
negster22 Posted November 20, 2009 ID:160195 Share Posted November 20, 2009 therimalaya , sorry but you have to create a completely new topic. Link to post Share on other sites More sharing options...
Recommended Posts