blacksmoke
Posts: 5
Posts posted by blacksmoke
-
-
Thanks for replying, Gringo.
Well, if it's a false positive, then I can surely breathe a sigh of relief.
But are you sure this is happening only with the users that run Quick Heal and MBAM together?
Or is it happening with other users too, who don't run Quick Heal but some other antivirus along with MBAM?
The reason I'm worried is because I have heard a lot about this virus, like that it can bypass detection by popular antiviruses. Could that be the reason it's not getting detected by MBAM all the time?
I also heard that there are two files (skype.dat and skype.ini) that hide in the registry or in a hidden sector of the HDD and slowly take over the system.
Do you think some viruses can survive a full system format?
Thanks
-
Hello, I'm using Malwarebytes (trial edition) and along with that I'm using Quick Heal antivirus.
Now the thing is, my laptop has been infected with the virus "skype.dat", and I came to know about this when I scanned my system with Malwarebytes, as my Quick Heal antivirus totally failed to detect anything.
Now I came to know over the internet that no major antiviruses are able to detect this virus, which means this "skype.dat" virus has the ability to bypass detection. I also came to know that it hides itself in the registry and slowly changes the system files, and later, when connected to the internet, it downloads more malware.
Anyway, after Malwarebytes detected it, it said that upon rebooting it would be removed, but after rebooting it came back again.
Unlike many FBI MoneyPak viruses, my system has not been locked down by this virus yet.
I mean, till now my system is running OK, but one weird thing did happen.
Whenever I'm trying to run my Quick Heal antivirus, a message pops up instead saying that my Quick Heal product key is being used by multiple computers (note: I have only one system in my house), and also the Quick Heal software window won't open.
Let me mention here that I have been running Quick Heal and Malwarebytes together on a single laptop since 2011 and I have never experienced anything like this until now.
Anyway, after going through all this I decided to call in the technician guys, and they formatted my system (deleted all partitions) and did a clean install of Win7. And now again, while scanning with MBAM (trial), it's showing that the same virus is still there in my system, in the location (c/users/appdata/roaming/skype.dat).
That means it survived the format.
I'm at a loss for ideas about what I should do now.
Is there any other way to remove it?
One thing I noticed today is this:
- When I'm running only Malwarebytes (by uninstalling Quick Heal) and scanning my system with Malwarebytes, it is detecting no such "skype.dat" virus.
- When I'm running only Quick Heal (by uninstalling Malwarebytes) and scanning my system with Quick Heal, it's not detecting any viruses.
- But when I'm running both Quick Heal and Malwarebytes, and scanning with both programs, only Malwarebytes is detecting the "skype.dat" virus, but it cannot delete it.
=====
I'm posting the DDS logs here:
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 03-08-2013 12:53:03
System Uptime: 21-08-2013 13:00:52 (0 hours ago)
.
Motherboard: Hewlett-Packard | | 1670
Processor: Intel® Core i3-2330M CPU @ 2.20GHz | CPU1 | 2200/1333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 63 GiB total, 12.489 GiB free.
D: is FIXED (NTFS) - 195 GiB total, 135.22 GiB free.
E: is FIXED (NTFS) - 207 GiB total, 206.877 GiB free.
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: BCM20702A0
Device ID: USB\VID_0A5C&PID_21E3\60D819DC45CF
Manufacturer:
Name: BCM20702A0
PNP Device ID: USB\VID_0A5C&PID_21E3\60D819DC45CF
Service:
.
Class GUID:
Description: PCI Device
Device ID: PCI\VEN_10EC&DEV_5209&SUBSYS_1670103C&REV_01\4&208DFA15&0&00E2
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_10EC&DEV_5209&SUBSYS_1670103C&REV_01\4&208DFA15&0&00E2
Service:
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: mscank
Device ID: ROOT\LEGACY_MSCANK\0000
Manufacturer:
Name: mscank
PNP Device ID: ROOT\LEGACY_MSCANK\0000
Service: mscank
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Community Help
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Media Player
Adobe Photoshop CS5
Adobe Reader 9.4.0
AMD APP SDK Runtime
AMD Catalyst Install Manager
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
Catalyst Control Center Profiles Mobile
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
HP Power Manager
IDT Audio
Intel® Display Audio Driver
Java 7 Update 21 (64-bit)
K-Lite Codec Pack 9.8.0 (Full)
LightScribe System Software 1.14.17.1
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Office 64-bit Components 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared 64-bit MUI (English) 2007
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
Microsoft_VC80_ATL_x86_x64
Microsoft_VC80_CRT_x86
Microsoft_VC80_CRT_x86_x64
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFC_x86_x64
Microsoft_VC80_MFCLOC_x86
Microsoft_VC80_MFCLOC_x86_x64
Microsoft_VC90_ATL_x86
Microsoft_VC90_ATL_x86_x64
Microsoft_VC90_CRT_x86
Microsoft_VC90_CRT_x86_x64
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFC_x86_x64
Mozilla Firefox 23.0 (x86 en-US)
Mozilla Maintenance Service
neroxml
Opera 12.16
PDF Settings CS5
PX Profile Update
Quick Heal Internet Security
WinRAR 4.01 (32-bit)
YACReader 6.5.3
.
==== Event Viewer Messages From Past Week ========
.
20-08-2013 19:14:34, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
18-08-2013 23:53:51, Error: Service Control Manager [7000] - The HP Quick Synchronization Service service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514
Run by admin at 13:20:55 on 2013-08-21
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.91.1033.18.4044.2448 [GMT 5.5:30]
.
AV: Quick Heal Internet Security 2013 *Disabled/Updated* {D8418B0E-EE80-1320-B172-3D5DEB3CE14F}
SP: Quick Heal Internet Security 2013 *Disabled/Updated* {63206AEA-C8BA-1CAE-8BC2-062F90BBABF2}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Quick Heal Firewall *Enabled* {E07A0A2B-A4EF-1278-9A2D-946815EFA634}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Quick Heal\Quick Heal Internet Security\ScSecSvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Quick Heal\Quick Heal Internet Security\EMLPROXY.EXE
C:\Program Files\Quick Heal\Quick Heal Internet Security\SAPISSVC.EXE
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Quick Heal\Quick Heal Internet Security\opssvc.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Quick Heal\Quick Heal Internet Security\quhlpsvc.exe
C:\Windows\Explorer.EXE
C:\Program Files\Quick Heal\Quick Heal Internet Security\SCANWSCS.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Quick Heal\Quick Heal Internet Security\onlinent.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: Interfaces\{DDED455B-9CE6-4C63-B0ED-DA38FEE656BA} : NameServer = 208.67.222.222,8.8.8.8
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
AppInit_DLLs= scdetour.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli ScSecAuth
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [Quick Heal Core UI] "C:\Program Files\Quick Heal\Quick Heal Internet Security\strtupap.exe"
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0j1seqy.default\
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_146.dll
FF - ExtSQL: 2013-08-05 11:34; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0j1seqy.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
============= SERVICES / DRIVERS ===============
.
R1 ggc;ggc;C:\Windows\System32\drivers\ggc.sys [2013-8-20 64160]
R1 wsnf;Network Filter Driver;C:\Windows\System32\drivers\wsnf.sys [2013-8-20 45176]
R1 wstif;wstif;C:\Windows\System32\drivers\wstif.sys [2013-8-20 114848]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-8-17 204288]
R2 catflt;catflt;C:\Windows\System32\drivers\catflt.sys [2012-9-7 49824]
R2 Core Mail Protection;Core Mail Protection;C:\Program Files\Quick Heal\Quick Heal Internet Security\EMLPROXY.EXE [2012-7-27 38896]
R2 Core Scanning Server;Core Scanning Server;C:\Program Files\Quick Heal\Quick Heal Internet Security\SAPISSVC.EXE [2012-7-27 254960]
R2 EMLSS;EMLSS;C:\Windows\System32\drivers\EMLTDI.SYS [2013-8-20 18592]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-8-3 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-8-3 701512]
R2 Online Protection System;Online Protection System;C:\Program Files\Quick Heal\Quick Heal Internet Security\OPSSVC.EXE [2012-7-27 31728]
R2 Quick Update Service;Quick Update Service;C:\Program Files\Quick Heal\Quick Heal Internet Security\QUHLPSVC.EXE [2012-7-27 110064]
R2 ScSecSvc;Core Browsing Protection;C:\Program Files\Quick Heal\Quick Heal Internet Security\ScSecSvc.exe [2013-8-20 405472]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-10-15 317440]
R3 intelkmd;intelkmd;C:\Windows\System32\drivers\igdpmd64.sys [2011-8-9 12289472]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-8-3 25928]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-8-3 726160]
S0 mscank;mscank;C:\Windows\System32\drivers\mscank64.sys [2013-8-20 40096]
S2 Core Scanning ServerEx;Core Scanning ServerEx;C:\Program Files\Quick Heal\Quick Heal Internet Security\SAPISSVC.EXE [2012-7-27 254960]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 llio;llio;C:\Windows\System32\drivers\llio64.sys [2013-8-20 66136]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2010-11-21 20992]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2011-4-12 34816]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-12 117248]
.
=============== Created Last 30 ================
.
2013-08-21 07:31:12 -------- d--h--w- C:\Users\admin\ScStore
2013-08-20 13:47:14 66136 ----a-w- C:\Windows\System32\drivers\llio64.sys
2013-08-20 12:04:47 40096 ----a-w- C:\Windows\System32\drivers\mscank64.sys
2013-08-20 12:04:42 18592 ----a-w- C:\Windows\System32\drivers\EMLTDI.SYS
2013-08-20 12:04:31 45176 ----a-w- C:\Windows\System32\drivers\wsnf.sys
2013-08-20 12:04:31 114848 ----a-w- C:\Windows\System32\drivers\wstif.sys
2013-08-20 12:04:29 4096 ----a-w- C:\Windows\SysWow64\Detoured.dll
2013-08-20 12:04:29 4096 ----a-w- C:\Windows\System32\Detoured.dll
2013-08-20 12:04:29 339424 ----a-w- C:\Windows\System32\ScDetour.Dll
2013-08-20 12:04:29 283104 ----a-w- C:\Windows\SysWow64\ScDetour.Dll
2013-08-20 12:04:29 152544 ----a-w- C:\Windows\System32\ScSecAuth.Dll
2013-08-20 12:04:29 137184 ----a-w- C:\Windows\System32\ScSandboxApi.dll
2013-08-20 12:04:29 119776 ----a-w- C:\Windows\SysWow64\ScSandboxApi.dll
2013-08-20 12:03:47 -------- d-----w- C:\Program Files\Common Files\Quick Heal
2013-08-20 12:03:08 -------- d-----w- C:\Windows\System32\gprodat
2013-08-20 12:03:02 64160 ----a-w- C:\Windows\System32\drivers\ggc.sys
2013-08-18 08:52:29 -------- d-----w- C:\temp
2013-08-17 10:34:21 -------- d-----w- C:\Program Files\Quick Heal
2013-08-15 00:26:08 9460976 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{9228B4FD-4458-46D8-9502-EF8CAC583D50}\mpengine.dll
2013-08-14 18:20:52 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe
2013-08-14 05:50:48 -------- d-----w- C:\Users\admin\AppData\Roaming\uTorrent
2013-08-14 05:47:23 -------- d-----w- C:\Program Files (x86)\YACReader
2013-08-13 14:51:17 -------- d-----w- C:\Users\admin\AppData\Local\Opera
2013-08-13 11:31:52 -------- d-----w- C:\Users\admin\AppData\Local\Adobe
2013-08-12 19:58:40 -------- d-----w- C:\Users\admin\AppData\Local\Hewlett-Packard
2013-08-12 19:57:25 -------- d-----w- C:\Users\admin\AppData\Roaming\hpqLog
2013-08-11 20:45:06 9460976 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-08-11 04:13:18 -------- d-----w- C:\HP
2013-08-10 06:30:40 -------- d-----w- C:\Users\admin\AppData\Roaming\PotPlayerMini
2013-08-10 06:30:40 -------- d-----w- C:\Users\admin\AppData\Local\Daum
2013-08-08 13:52:51 -------- d-----w- C:\ProgramData\LightScribe
2013-08-08 13:41:36 -------- d-----w- C:\Windows\System32\appmgmt
2013-08-03 20:46:05 -------- d-----w- C:\Windows\Panther
2013-08-03 11:55:21 -------- d-----w- C:\Users\admin\AppData\Local\ATI
2013-08-03 11:53:53 0 ----a-w- C:\Windows\ativpsrm.bin
2013-08-03 11:51:57 -------- d-----w- C:\Program Files\Common Files\Intel
2013-08-03 11:51:57 -------- d-----w- C:\Program Files (x86)\Common Files\Intel
2013-08-03 11:51:41 -------- d-----w- C:\Program Files (x86)\AMD APP
2013-08-03 11:50:11 -------- d-----w- C:\Program Files (x86)\ATI Technologies
2013-08-03 11:49:55 -------- d-----w- C:\Program Files\ATI Technologies
2013-08-03 11:49:52 -------- d-----w- C:\Program Files\ATI
2013-08-03 09:52:10 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2013-08-03 09:52:02 -------- d-----w- C:\Intel
2013-08-03 09:40:26 6012416 ----a-w- C:\Windows\System32\IDTNGUI.exe
2013-08-03 09:40:26 564224 ----a-w- C:\Windows\System32\idt64mp1.exe
2013-08-03 09:40:26 5077504 ----a-w- C:\Windows\System32\IDTNHP.dll
2013-08-03 09:40:26 4113408 ----a-w- C:\Windows\System32\stlang64.dll
2013-08-03 09:40:26 233472 ----a-w- C:\Windows\System32\IDTNJ.exe
2013-08-03 09:40:26 1819136 ----a-w- C:\Windows\System32\IDTNC64.cpl
2013-08-03 09:40:26 1424896 ----a-w- C:\Windows\sttray64.exe
2013-08-03 09:40:26 1041920 ----a-w- C:\Windows\System32\IDTNX.dll
2013-08-03 09:40:25 -------- d-----w- C:\Windows\System32\SRSLabs
2013-08-03 09:37:42 655872 ------w- C:\Windows\System32\stapi64.dll
2013-08-03 09:37:42 535040 ----a-w- C:\Windows\System32\drivers\stwrt64.sys
2013-08-03 09:37:42 446464 ----a-w- C:\Windows\System32\stcplx64.dll
2013-08-03 09:37:42 251392 ----a-w- C:\Windows\System32\staco64.dll
2013-08-03 09:37:42 1966080 ----a-w- C:\Windows\System32\stapo64.dll
2013-08-03 09:37:39 -------- d-----w- C:\Program Files\IDT
2013-08-03 09:37:26 -------- d-----w- C:\swsetup
2013-08-03 09:06:48 -------- d-----w- C:\Users\admin\AppData\Local\Macromedia
2013-08-03 08:19:54 -------- d-----w- C:\Users\admin\AppData\Local\Ahead
2013-08-03 08:16:01 -------- d-----w- C:\Program Files (x86)\Nero
2013-08-03 08:09:38 -------- d-----w- C:\Windows\PCHEALTH
2013-08-03 08:07:54 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 8
2013-08-03 08:07:06 -------- d-----w- C:\Users\admin\AppData\Local\Microsoft Help
2013-08-03 08:00:33 178688 ----a-w- C:\Windows\SysWow64\unrar.dll
2013-08-03 08:00:27 -------- d-----w- C:\Program Files (x86)\K-Lite Codec Pack
2013-08-03 07:59:35 971680 ----a-w- C:\Windows\System32\deployJava1.dll
2013-08-03 07:59:35 1092512 ----a-w- C:\Windows\System32\npDeployJava1.dll
2013-08-03 07:59:31 108448 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2013-08-03 07:57:22 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-03 07:57:22 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-08-03 07:56:47 -------- d-----w- C:\Program Files\CCleaner
2013-08-03 07:49:58 51200 ----a-w- C:\Windows\System32\ATIODCLI.exe
2013-08-03 07:49:58 332800 ----a-w- C:\Windows\System32\ATIODE.exe
2013-08-03 07:49:58 118784 ----a-w- C:\Windows\System32\atibtmon.exe
2013-08-03 07:49:52 14336 ----a-w- C:\Windows\System32\atiglpxx.dll
2013-08-03 07:49:49 58880 ----a-w- C:\Windows\System32\coinst.dll
2013-08-03 07:46:25 -------- d-----w- C:\Users\admin\AppData\Local\Mozilla
2013-08-03 07:46:08 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
2013-08-03 07:46:00 -------- d-sh--w- C:\Windows\Installer
2013-08-03 07:44:28 -------- d-----w- C:\Users\admin\AppData\Roaming\Malwarebytes
2013-08-03 07:44:25 -------- d-----w- C:\ProgramData\Malwarebytes
2013-08-03 07:44:24 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-08-03 07:44:24 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-08-03 07:44:16 -------- d-----w- C:\Users\admin\AppData\Local\Programs
2013-08-03 07:42:42 60184 ----a-w- C:\Windows\System32\drivers\HECIx64.sys
2013-08-03 07:36:49 4746304 ----a-w- C:\Windows\System32\drivers\BCMWL664.SYS
2013-08-03 07:36:48 95544 ----a-w- C:\Windows\System32\bcmwlcoi.dll
2013-08-03 07:36:48 3952640 ----a-w- C:\Windows\System32\bcmihvsrv64.dll
2013-08-03 07:36:48 3617792 ----a-w- C:\Windows\System32\bcmihvui64.dll
2013-08-03 07:34:47 726160 ----a-w- C:\Windows\System32\drivers\Rt64win7.sys
2013-08-03 07:34:46 74344 ----a-w- C:\Windows\System32\RtNicProp64.dll
2013-08-03 07:34:46 107552 ----a-w- C:\Windows\System32\RTNUninst64.dll
2013-08-03 07:24:04 -------- d-----w- C:\Users\admin\AppData\Local\VirtualStore
2013-08-03 07:22:09 -------- d-sh--w- C:\Recovery
.
==================== Find3M ====================
.
.
============= FINISH: 13:21:12.91 ===============
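The observation in this post (a detection that appears only when Quick Heal and Malwarebytes are loaded together, plus a handful of unfamiliar kernel drivers in the DDS output) is usually triaged by correlating the "Created Last 30" timestamps with the install directories of known products: a driver that lands within a minute of a product's directory being created was almost certainly dropped by that product's installer, not by something unrelated. The Python script below is an added example; it is not part of this post, of the DDS tool or of either vendor's software. It parses a subset of the log lines posted above (embedded as constructed input) together with the SERVICES / DRIVERS section, clusters each new .sys file against an install-directory anchor, and flags drivers that neither cluster with a known install nor carry a descriptive display name. The anchor labels, the five-minute window and the "generic display name" heuristic are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed input: a subset of the "Created Last 30" and "SERVICES / DRIVERS"
# lines from the DDS log posted above, embedded so the script runs offline.
CREATED = r"""
2013-08-21 07:31:12 -------- d--h--w- C:\Users\admin\ScStore
2013-08-20 13:47:14 66136 ----a-w- C:\Windows\System32\drivers\llio64.sys
2013-08-20 12:04:47 40096 ----a-w- C:\Windows\System32\drivers\mscank64.sys
2013-08-20 12:04:42 18592 ----a-w- C:\Windows\System32\drivers\EMLTDI.SYS
2013-08-20 12:04:31 45176 ----a-w- C:\Windows\System32\drivers\wsnf.sys
2013-08-20 12:04:31 114848 ----a-w- C:\Windows\System32\drivers\wstif.sys
2013-08-20 12:04:29 339424 ----a-w- C:\Windows\System32\ScDetour.Dll
2013-08-20 12:03:47 -------- d-----w- C:\Program Files\Common Files\Quick Heal
2013-08-20 12:03:02 64160 ----a-w- C:\Windows\System32\drivers\ggc.sys
2013-08-17 10:34:21 -------- d-----w- C:\Program Files\Quick Heal
2013-08-03 07:44:24 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-08-03 07:44:24 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-08-03 07:34:47 726160 ----a-w- C:\Windows\System32\drivers\Rt64win7.sys
"""

SERVICES = r"""
R1 ggc;ggc;C:\Windows\System32\drivers\ggc.sys [2013-8-20 64160]
R1 wsnf;Network Filter Driver;C:\Windows\System32\drivers\wsnf.sys [2013-8-20 45176]
R1 wstif;wstif;C:\Windows\System32\drivers\wstif.sys [2013-8-20 114848]
R2 EMLSS;EMLSS;C:\Windows\System32\drivers\EMLTDI.SYS [2013-8-20 18592]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-8-3 25928]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-8-3 726160]
S0 mscank;mscank;C:\Windows\System32\drivers\mscank64.sys [2013-8-20 40096]
S3 llio;llio;C:\Windows\System32\drivers\llio64.sys [2013-8-20 66136]
"""

# "YYYY-MM-DD HH:MM:SS <size|-------->  <attrs>  <path>"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")
# "<start type> <service>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]$")


def parse_created(text):
    """Parse DDS 'Created Last 30' lines into dicts (ts, size, attrs, path)."""
    rows = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            rows.append({
                "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                "size": m.group(2),  # "--------" marks a directory
                "attrs": m.group(3),
                "path": m.group(4),
            })
    return rows


def parse_services(text):
    """Map lower-cased image path -> (start type, service name, display name)."""
    names = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            names[m.group(4).lower()] = (m.group(1), m.group(2), m.group(3))
    return names


def basename(path):
    return path.rsplit("\\", 1)[-1]


def drivers_explained_by(created, anchor_fragment, window_minutes=5):
    """Return .sys files created within window_minutes of any directory whose
    path contains anchor_fragment (typically the product's install directory)."""
    window = timedelta(minutes=window_minutes)
    anchors = [e["ts"] for e in created
               if e["size"] == "--------" and anchor_fragment.lower() in e["path"].lower()]
    hits = [basename(e["path"]) for e in created
            if e["path"].lower().endswith(".sys")
            and any(abs(e["ts"] - a) <= window for a in anchors)]
    return sorted(hits, key=str.lower)


# Assumed anchors for this log: label -> substring of the product's install directory.
ANCHORS = {
    "Quick Heal install": "Quick Heal",
    "Malwarebytes install": "Malwarebytes",
}


def triage(created, services, anchors=ANCHORS, window_minutes=5):
    """One row per newly created driver: which install it clusters with, and
    whether its service carries only a generic (name == display name) label."""
    explained = {}
    for label, fragment in anchors.items():
        for name in drivers_explained_by(created, fragment, window_minutes):
            explained.setdefault(name.lower(), label)
    rows = []
    for e in created:
        if not e["path"].lower().endswith(".sys"):
            continue
        start, svc, display = services.get(e["path"].lower(), ("?", "?", "?"))
        name = basename(e["path"])
        rows.append({
            "driver": name,
            "created": e["ts"].strftime("%Y-%m-%d %H:%M:%S"),
            "start": start,
            "service": svc,
            "display_name": display,
            "generic_name": display.lower() == svc.lower(),
            "explained_by": explained.get(name.lower(), "UNEXPLAINED"),
        })
    return rows


def needs_a_look(rows):
    """Drivers that neither cluster with a known install nor have a descriptive name."""
    return [r["driver"] for r in rows
            if r["explained_by"] == "UNEXPLAINED" and r["generic_name"]]


if __name__ == "__main__":
    report = triage(parse_created(CREATED), parse_services(SERVICES))
    for r in report:
        print(f'{r["created"]}  {r["driver"]:<14} {r["start"]:<3} '
              f'{r["display_name"]:<24} {r["explained_by"]}')
    print("look at:", needs_a_look(report))
```

On the sample above, five of the six drivers created on 2013-08-20 fall within a minute of C:\Program Files\Common Files\Quick Heal appearing, mbam.sys coincides exactly with the Malwarebytes directory, and the Realtek NIC driver is unexplained by the anchors but self-describing in the service list; only llio64.sys is left as both unexplained and generically named, which is the one to look up (hash, signer, vendor) before treating anything in the log as hostile. The same timestamp clustering is what a helper reads off a DDS log by eye; scripting it just makes the check repeatable across the two DDS files.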
-
Thanks for replying.
So can I post the same thing that I've written here in the malware removal help forum too, along with the DDS txt attachments (mentioned in option 1)?
-
Hello, I'm using Malwarebytes (trial edition) and along with that I'm using Quick Heal antivirus.
Now the thing is, my laptop has been infected with the virus "skype.dat", and I came to know about this when I scanned my system with Malwarebytes, as my Quick Heal antivirus totally failed to detect anything.
Now I came to know over the internet that no major antiviruses are able to detect this virus, which means this "skype.dat" virus has the ability to bypass detection. I also came to know that it hides itself in the registry and slowly changes the system files, and later, when connected to the internet, it downloads more malware.
Anyway, after Malwarebytes detected it, it said that upon rebooting it would be removed, but after rebooting it came back again.
Till now, my system has not been shut down by this virus, like in the case of many FBI Ukash viruses.
I mean, till now my system is running normally, but one weird thing did happen.
Whenever I'm trying to run my Quick Heal antivirus for scanning or to update it, a message pops up instead saying that my Quick Heal product key is being used by multiple computers and so my Quick Heal updates are blocked.
(Note: I have only one system in my house.)
Let me mention here that I have been running Quick Heal and Malwarebytes together on a single laptop since 2011 and I have never experienced anything like this until now.
Anyway, after going through all this I decided to call in the technician guys, and they formatted my system (deleted all partitions) and did a clean install of Win7. And now again, while scanning with MBAM (trial), it's showing that the same virus is still there in my system but cannot delete it. That means it survived the format.
I'm at a loss for ideas about what I should do now.
Is there any other way to remove it?
I tried all the apps like ComboFix, AdwCleaner, CCleaner, Junkware Removal Tool, etc., but no luck.
They aren't detecting anything.
One thing I noticed today is this:
- When I'm running only Malwarebytes (by uninstalling Quick Heal) and scanning my system with Malwarebytes, it is detecting no such "skype.dat" virus.
- When I'm running only Quick Heal (by uninstalling Malwarebytes) and scanning my system with Quick Heal, it's not detecting any viruses.
- But when I'm running both Quick Heal and Malwarebytes, and scanning with both programs, only Malwarebytes is detecting the "skype.dat" virus, but it cannot delete it.
Any help would be greatly appreciated.
Mbam detected trojan downloader "skype.dat" but cannot delete it
in Resolved Malware Removal Logs
Hello again. Well, recently my Quick Heal is acting weird. The Quick Heal application window is not opening, and instead a message pops up saying my Quick Heal product key is being used by multiple PCs, when the fact is, I only have one PC in my house.
Now I already uninstalled Malwarebytes to get rid of any conflict problem between the two apps, then restarted my PC. After that, when I'm again trying to open Quick Heal, it's displaying the same message that my key is being used on multiple PCs.
I think it's a virus issue (it stole my product key). I mean, after uninstalling MBAM this kind of problem shouldn't arise. Right?
Please help me out.