
Malwarebytes unable to remove secupdat.dat and ndisvvan.sys


Hi All,

I am new to this forum and require your help urgently!!

Since this morning, Malwarebytes Anti-Malware has been continuously detecting the following two files:

D:\WINDOWS\system32\Drivers\ndisvvan.sys (Rootkit.Agent) -> No action taken.

D:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> No action taken.

However, when I click on 'Remove Selected', I get a popup message which says that these files will be deleted on system reboot.

But I have observed that these files are not deleted even after a system reboot. On running Anti-Malware again after rebooting, the same files are detected again and it again says that they will be deleted on reboot, and it goes on and on...

I have also tried deleting these files manually by going to the specified path, but I always get the message "Access denied".

I am also attaching the information collected during the scan.

Please help!!

mbam_log_2009_11_22__17_24_49_.txt


Please find DDS.txt and Attach.txt, HijackThis and Output.txt:

DDS:

DDS (Ver_09-10-26.01) - FAT32x86

Run by Ramnath at 20:25:11.87 on Sun 11/22/2009

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.59 [GMT 5.5:30]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch

SVCHOST.EXE

D:\WINDOWS\System32\svchost.exe -k netsvcs

SVCHOST.EXE

SVCHOST.EXE

D:\WINDOWS\system32\spoolsv.exe

D:\Program Files\Google\Update\GoogleUpdate.exe

D:\WINDOWS\explorer.exe

D:\Program Files\Logitech\QuickCam\Quickcam.exe

D:\Program Files\Common Files\Real\Update_OB\realsched.exe

d:\program files\mcafee.com\agent\mcdetect.exe

d:\PROGRA~1\mcafee.com\vso\mcshield.exe

D:\Program Files\McAfee.com\VSO\mcvsshld.exe

d:\PROGRA~1\mcafee.com\agent\mctskshd.exe

D:\Program Files\McAfee.com\VSO\oasclnt.exe

d:\program files\mcafee.com\agent\mcagent.exe

d:\progra~1\mcafee.com\vso\mcvsescn.exe

F:\Unlocker\UnlockerAssistant.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

D:\Program Files\Skype\Phone\Skype.exe

D:\WINDOWS\system32\slserv.exe

D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

D:\WINDOWS\system32\svchost.exe -k imgsvc

D:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe

D:\Program Files\TeamViewer\Version4\TeamViewer.exe

D:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

D:\WINDOWS\system32\wscntfy.exe

D:\Program Files\Skype\Plugin Manager\skypePM.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\WINDOWS\system32\NOTEPAD.EXE

D:\Documents and Settings\Ramnath\Local Settings\Temporary Internet Files\Content.IE5\CJ26BYFL\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.rediff.com/

uInternet Connection Wizard,ShellNext = iexplore

mWinlogon: Userinit=d:\windows\system32\userinit.exe

mWinlogon: Taskman=d:\documents and settings\ramnath\application data\oynnuf.exe

uWinlogon: Shell=d:\recycler\s-1-5-21-6013456314-6304757194-177563495-9564\windll.exe,d:\documents and settings\ramnath\application data\oynnuf.exe,explorer.exe "d:\documents and settings\ramnath\ctp.exe"

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: BHOManager Class: {474264bc-9571-47c1-85b9-780f756dc9ce} - d:\windows\system32\BHOManager.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe

uRun: [iSUSPM] "d:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [skype] "d:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [ccleaner] "d:\program files\ccleaner\CCleaner.exe" /AUTO

mRun: [MotiveReportAgent] "d:\program files\common files\motive\mccibootstrapper.exe" /url="-appkey=motive -windowcontext=reportagent -url=file://d:\program files\common files\motive\reportagent.html" /browsertype=custommsie /browserpath="d:\program files\common files\motive\MotiveBrowser.exe" /hidden

mRun: [LogitechQuickCamRibbon] "d:\program files\logitech\quickcam\Quickcam.exe" /hide

mRun: [TkBellExe] "d:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [Malwarebytes Anti-Malware (reboot)] "d:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [VSOCheckTask] "d:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

mRun: [VirusScan Online] d:\program files\mcafee.com\vso\mcvsshld.exe

mRun: [OASClnt] d:\program files\mcafee.com\vso\oasclnt.exe

mRun: [MCAgentExe] d:\progra~1\mcafee.com\agent\mcagent.exe

mRun: [MCUpdateExe] d:\progra~1\mcafee.com\agent\McUpdate.exe

mRun: [unlockerAssistant] "f:\unlocker\UnlockerAssistant.exe"

uPolicies-system: DisbleRegistryTools = 0 (0x0)

mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)

IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\windows\system32\msjava.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: Microsoft XML Parser for Java - file://d:\windows\java\classes\xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

TCP: {5174CEB6-903C-4F97-B0A9-D165E0887687} = 218.248.240.23,192.168.1.1

TCP: {51C87D69-DFAA-49D7-AD10-20B4A5CDE446} = 218.248.240.23,192.168.1.1

Handler: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} -

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - d:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} -

SEH: ShHook Class: {a5949e07-8536-4625-a3d0-2dd83f559990} - d:\windows\system32\ShellHook.dll

============= SERVICES / DRIVERS ===============

R0 xcidnlcs;xcidnlcs;d:\windows\system32\drivers\xcidnlcs.sys --> d:\windows\system32\drivers\xcidnlcs.sys [?]

R2 paldrv;paldrv;d:\windows\system32\pal_drv.sys [2003-1-1 11107]

S2 OMSCAN;OMSCAN;\SyszYes or No Trust --> \SyszYes or No Trust [?]

S3 AVPsys;AVPsys;d:\windows\system32\drivers\cdaudio.sys [2009-7-31 18688]

S3 MBAMDrvService;MBAMDrvService;d:\windows\system32\drivers\mbam.sys [2008-11-8 19160]

=============== Created Last 30 ================

2009-11-22 14:53:11 0 d-----w- d:\program files\Trend Micro

2009-11-22 14:42:26 12800 ---ha-w- d:\documents and settings\ramnath\ctp.exe

2009-11-22 08:43:10 0 d-----w- D:\!KillBox

2009-11-22 07:07:02 0 d-sh--w- D:\FOUND.031

2009-11-22 06:21:28 114464 ----a-w- d:\windows\system32\drivers\naiavf5x.sys

2009-11-22 06:20:51 0 d-----w- d:\docume~1\alluse~1\applic~1\McAfee.com

2009-11-22 06:20:33 288320 ----a-w- d:\windows\system32\mcgdmgr.dll

2009-11-22 06:20:30 349760 ----a-w- d:\windows\system32\mcinsctl.dll

2009-11-22 06:20:30 0 d-----w- d:\program files\McAfee.com

2009-11-21 13:24:12 0 d-sh--w- D:\FOUND.030

2009-11-21 05:03:51 70656 --sh--r- d:\docume~1\ramnath\applic~1\oynnuf.exe

2009-11-20 15:06:46 0 d-sh--w- D:\FOUND.029

2009-11-19 16:47:51 0 d-----w- d:\docume~1\alluse~1\applic~1\Metacafe

2009-11-05 03:13:12 0 d-sh--w- D:\FOUND.028

2009-11-01 15:26:24 0 d-sh--w- D:\FOUND.027

2009-11-01 08:52:38 40128 ----a-w- d:\windows\system32\drivers\xcidnlcs.sys

2009-11-01 08:51:43 42496 ---h--w- d:\windows\system32\secupdat.dat

2009-11-01 08:51:43 42496 ---h--w- d:\documents and settings\ramnath\secupdat.dat

2009-10-24 03:57:25 0 d-----w- d:\docume~1\alluse~1\applic~1\Blueberry

==================== Find3M ====================

============= FINISH: 20:26:08.28 ===============

Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 1/29/2006 4:56:54 PM

System Uptime: 11/22/2009 5:12:51 PM (3 hours ago)

Motherboard: ASUS | | A7V266-MX

Processor: AMD Athlon XP 2000+ | Socket A | 1659/133mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (FAT32) - 9 GiB total, 0.395 GiB free.

D: is FIXED (FAT32) - 5 GiB total, 0.49 GiB free.

E: is FIXED (FAT32) - 7 GiB total, 2.727 GiB free.

F: is FIXED (FAT32) - 6 GiB total, 0.294 GiB free.

G: is FIXED (FAT32) - 9 GiB total, 1.688 GiB free.

H: is CDROM ()

J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}

Description: Multimedia Controller

Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_210018D0&REV_01\3&61AAA01&0&40

Manufacturer:

Name: Multimedia Controller

PNP Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_210018D0&REV_01\3&61AAA01&0&40

Service:

==== System Restore Points ===================

RP123: 11/14/2009 1:31:23 PM - Microsoft Backup Utility Recovery

==== Installed Programs ======================
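As an added example (not part of the post and not Malwarebytes' or DDS's own code), here is a small Python triage script that runs over lines excerpted from the DDS log above and flags what a helper reads first: a Winlogon Shell or Taskman value pointing anywhere but explorer.exe, a driver entry whose file DDS could not read from disk (the "[?]" marker), and hidden files created in the last 30 days. The regular expressions and the assumed meaning of the DDS attribute column (d=directory, s=system, h=hidden) are my assumptions about the log format.

```python
import re

# Constructed sample: lines excerpted from the DDS log in the post above.
SAMPLE_LOG = r"""
mWinlogon: Userinit=d:\windows\system32\userinit.exe
mWinlogon: Taskman=d:\documents and settings\ramnath\application data\oynnuf.exe
uWinlogon: Shell=d:\recycler\s-1-5-21-6013456314-6304757194-177563495-9564\windll.exe,d:\documents and settings\ramnath\application data\oynnuf.exe,explorer.exe "d:\documents and settings\ramnath\ctp.exe"
R0 xcidnlcs;xcidnlcs;d:\windows\system32\drivers\xcidnlcs.sys --> d:\windows\system32\drivers\xcidnlcs.sys [?]
S3 MBAMDrvService;MBAMDrvService;d:\windows\system32\drivers\mbam.sys [2008-11-8 19160]
2009-11-21 05:03:51 70656 --sh--r- d:\docume~1\ramnath\applic~1\oynnuf.exe
2009-11-01 08:51:43 42496 ---h--w- d:\windows\system32\secupdat.dat
2009-11-22 06:20:30 0 d-----w- d:\program files\McAfee.com
"""

WINLOGON_RE = re.compile(r"[um]Winlogon: (\w+)=(.*)")
SERVICE_RE = re.compile(r"[RS]\d (\S+?);.*\[\?\]$")  # "[?]": DDS could not stat the file
CREATED_RE = re.compile(r"\d{4}-\d\d-\d\d \S+ \d+ ([-dsharw]{8}) (.+)$")  # assumed column layout


def triage_dds(log: str) -> list[str]:
    """Return findings for suspicious Winlogon, driver and recently created file entries."""
    findings = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        m = WINLOGON_RE.match(line)
        if m:
            key, val = m.group(1).lower(), m.group(2).lower()
            if key == "shell" and val != "explorer.exe":
                findings.append(f"Winlogon Shell hijacked: {val}")
            elif key == "taskman":  # value is absent by default, so any setting is suspect
                findings.append(f"Winlogon Taskman set: {val}")
            elif key == "userinit" and not val.rstrip(",").endswith(r"\system32\userinit.exe"):
                findings.append(f"Winlogon Userinit altered: {val}")
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings.append(f"Driver whose file could not be read on disk: {m.group(1)}")
            continue
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.groups()
            if attrs[0] != "d" and attrs[3] == "h":  # hidden file, not a directory
                findings.append(f"Hidden file created in last 30 days: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage_dds(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the Taskman and Shell hijacks, the unreadable xcidnlcs.sys driver, and the hidden oynnuf.exe and secupdat.dat files, while the stock Userinit value and the McAfee directory pass.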

This topic is now closed to further replies.