
Mbam detected trojan downloader "skype.dat" but cannot delete it



Hello, I'm using Malwarebytes (trial edition) and along with that I'm using Quick Heal antivirus.

Now the thing is, my laptop has been infected with the virus "skype.dat" and I came to know about this when I scanned my system with Malwarebytes, as my Quick Heal antivirus totally failed to detect anything.

Now I came to know over the internet that no major antiviruses are able to detect this virus, which means this "skype.dat" virus has the ability to bypass detection. And I also came to know that it hides itself in the registry and slowly changes the system files, and later, when connected to the internet, it downloads more malware.

Anyway, after Malwarebytes detected it, it said that upon rebooting it would be removed, but after rebooting it came back again.

Unlike many FBI MoneyPak viruses, my system has not been locked down by this virus yet.

I mean, till now my system is running OK, but one weird thing did happen.

Whenever I'm trying to run my Quick Heal antivirus, a message pops up instead saying that my Quick Heal product key is being used by multiple computers (Note: I have only one system in my house)... and also the Quick Heal software window won't open.

Let me mention here that I have been running Quick Heal and Malwarebytes together on a single laptop since 2011 and I have never experienced anything like this, until now.

Anyway, after going through all this I decided to call in the technician guys and they formatted my system (deleted all partitions) and did a clean install of Win7... and now again, while scanning with MBAM (trial), it's showing that the same virus is still there in my system, in the location (c/users/appdata/roaming/skype.dat).

That means it survived the format.

I'm at a loss for ideas about what I should do now.

Is there any other way to remove it?

One thing I noticed today, and that is:

  • When I'm running only Malwarebytes (by uninstalling Quick Heal) and scanning my system with Malwarebytes, it is detecting no such "skype.dat" virus.

  • When I'm running only Quick Heal (by uninstalling Malwarebytes) and scanning my system with Quick Heal, it's not detecting any viruses.

  • But when I'm running both Quick Heal and Malwarebytes, and scanning with both programs, only Malwarebytes is detecting the "skype.dat" virus. But it cannot delete it. :(

=====

I'm posting the DDS logs here:

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 03-08-2013 12:53:03

System Uptime: 21-08-2013 13:00:52 (0 hours ago)

.

Motherboard: Hewlett-Packard |  | 1670

Processor: Intel® Core i3-2330M CPU @ 2.20GHz | CPU1 | 2200/1333mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 63 GiB total, 12.489 GiB free.

D: is FIXED (NTFS) - 195 GiB total, 135.22 GiB free.

E: is FIXED (NTFS) - 207 GiB total, 206.877 GiB free.

F: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description: BCM20702A0

Device ID: USB\VID_0A5C&PID_21E3\60D819DC45CF

Manufacturer:

Name: BCM20702A0

PNP Device ID: USB\VID_0A5C&PID_21E3\60D819DC45CF

Service:

.

Class GUID:

Description: PCI Device

Device ID: PCI\VEN_10EC&DEV_5209&SUBSYS_1670103C&REV_01\4&208DFA15&0&00E2

Manufacturer:

Name: PCI Device

PNP Device ID: PCI\VEN_10EC&DEV_5209&SUBSYS_1670103C&REV_01\4&208DFA15&0&00E2

Service:

.

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Description: mscank

Device ID: ROOT\LEGACY_MSCANK\0000

Manufacturer:

Name: mscank

PNP Device ID: ROOT\LEGACY_MSCANK\0000

Service: mscank

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Adobe AIR

Adobe Community Help

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Media Player

Adobe Photoshop CS5

Adobe Reader 9.4.0

AMD APP SDK Runtime

AMD Catalyst Install Manager

Catalyst Control Center

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

Catalyst Control Center Profiles Mobile

ccc-utility64

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

CCleaner

HP Power Manager

IDT Audio

Intel® Display Audio Driver

Java 7 Update 21 (64-bit)

K-Lite Codec Pack 9.8.0 (Full)

LightScribe System Software  1.14.17.1

Malwarebytes Anti-Malware version 1.75.0.1300

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office Office 64-bit Components 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared 64-bit MUI (English) 2007

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319

Microsoft_VC80_ATL_x86_x64

Microsoft_VC80_CRT_x86

Microsoft_VC80_CRT_x86_x64

Microsoft_VC80_MFC_x86

Microsoft_VC80_MFC_x86_x64

Microsoft_VC80_MFCLOC_x86

Microsoft_VC80_MFCLOC_x86_x64

Microsoft_VC90_ATL_x86

Microsoft_VC90_ATL_x86_x64

Microsoft_VC90_CRT_x86

Microsoft_VC90_CRT_x86_x64

Microsoft_VC90_MFC_x86

Microsoft_VC90_MFC_x86_x64

Mozilla Firefox 23.0 (x86 en-US)

Mozilla Maintenance Service

neroxml

Opera 12.16

PDF Settings CS5

PX Profile Update

Quick Heal Internet Security

WinRAR 4.01 (32-bit)

YACReader 6.5.3

.

==== Event Viewer Messages From Past Week ========

.

20-08-2013 19:14:34, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

18-08-2013 23:53:51, Error: Service Control Manager [7000]  - The HP Quick Synchronization Service service failed to start due to the following error:  The system cannot find the file specified.

.

==== End Of File ===========================

 

 

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 8.0.7601.17514

Run by admin at 13:20:55 on 2013-08-21

Microsoft Windows 7 Ultimate   6.1.7601.1.1252.91.1033.18.4044.2448 [GMT 5.5:30]

.

AV: Quick Heal Internet Security 2013 *Disabled/Updated* {D8418B0E-EE80-1320-B172-3D5DEB3CE14F}

SP: Quick Heal Internet Security 2013 *Disabled/Updated* {63206AEA-C8BA-1CAE-8BC2-062F90BBABF2}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FW: Quick Heal Firewall *Enabled* {E07A0A2B-A4EF-1278-9A2D-946815EFA634}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Program Files\Quick Heal\Quick Heal Internet Security\ScSecSvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\IDT\WDM\STacSV64.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Quick Heal\Quick Heal Internet Security\EMLPROXY.EXE

C:\Program Files\Quick Heal\Quick Heal Internet Security\SAPISSVC.EXE

C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Quick Heal\Quick Heal Internet Security\opssvc.exe

C:\Windows\system32\Dwm.exe

C:\Program Files\Quick Heal\Quick Heal Internet Security\quhlpsvc.exe

C:\Windows\Explorer.EXE

C:\Program Files\Quick Heal\Quick Heal Internet Security\SCANWSCS.EXE

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\IDT\WDM\sttray64.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Quick Heal\Quick Heal Internet Security\onlinent.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

TCP: Interfaces\{DDED455B-9CE6-4C63-B0ED-DA38FEE656BA} : NameServer = 208.67.222.222,8.8.8.8

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

AppInit_DLLs= scdetour.dll

SSODL: WebCheck - <orphaned>

SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

LSA: Notification Packages =  scecli ScSecAuth

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"

x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll

x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll

x64-Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

x64-Run: [Quick Heal Core UI] "C:\Program Files\Quick Heal\Quick Heal Internet Security\strtupap.exe"

x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0j1seqy.default\

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_146.dll

FF - ExtSQL: 2013-08-05 11:34; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0j1seqy.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

.

============= SERVICES / DRIVERS ===============

.

R1 ggc;ggc;C:\Windows\System32\drivers\ggc.sys [2013-8-20 64160]

R1 wsnf;Network Filter Driver;C:\Windows\System32\drivers\wsnf.sys [2013-8-20 45176]

R1 wstif;wstif;C:\Windows\System32\drivers\wstif.sys [2013-8-20 114848]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-8-17 204288]

R2 catflt;catflt;C:\Windows\System32\drivers\catflt.sys [2012-9-7 49824]

R2 Core Mail Protection;Core Mail Protection;C:\Program Files\Quick Heal\Quick Heal Internet Security\EMLPROXY.EXE [2012-7-27 38896]

R2 Core Scanning Server;Core Scanning Server;C:\Program Files\Quick Heal\Quick Heal Internet Security\SAPISSVC.EXE [2012-7-27 254960]

R2 EMLSS;EMLSS;C:\Windows\System32\drivers\EMLTDI.SYS [2013-8-20 18592]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-8-3 418376]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-8-3 701512]

R2 Online Protection System;Online Protection System;C:\Program Files\Quick Heal\Quick Heal Internet Security\OPSSVC.EXE [2012-7-27 31728]

R2 Quick Update Service;Quick Update Service;C:\Program Files\Quick Heal\Quick Heal Internet Security\QUHLPSVC.EXE [2012-7-27 110064]

R2 ScSecSvc;Core Browsing Protection;C:\Program Files\Quick Heal\Quick Heal Internet Security\ScSecSvc.exe [2013-8-20 405472]

R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-10-15 317440]

R3 intelkmd;intelkmd;C:\Windows\System32\drivers\igdpmd64.sys [2011-8-9 12289472]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-8-3 25928]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-8-3 726160]

S0 mscank;mscank;C:\Windows\System32\drivers\mscank64.sys [2013-8-20 40096]

S2 Core Scanning ServerEx;Core Scanning ServerEx;C:\Program Files\Quick Heal\Quick Heal Internet Security\SAPISSVC.EXE [2012-7-27 254960]

S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]

S3 llio;llio;C:\Windows\System32\drivers\llio64.sys [2013-8-20 66136]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2010-11-21 20992]

S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]

S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]

S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2011-4-12 34816]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]

S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-12 117248]

.

=============== Created Last 30 ================

.

2013-08-21 07:31:12    --------    d--h--w-    C:\Users\admin\ScStore

2013-08-20 13:47:14    66136    ----a-w-    C:\Windows\System32\drivers\llio64.sys

2013-08-20 12:04:47    40096    ----a-w-    C:\Windows\System32\drivers\mscank64.sys

2013-08-20 12:04:42    18592    ----a-w-    C:\Windows\System32\drivers\EMLTDI.SYS

2013-08-20 12:04:31    45176    ----a-w-    C:\Windows\System32\drivers\wsnf.sys

2013-08-20 12:04:31    114848    ----a-w-    C:\Windows\System32\drivers\wstif.sys

2013-08-20 12:04:29    4096    ----a-w-    C:\Windows\SysWow64\Detoured.dll

2013-08-20 12:04:29    4096    ----a-w-    C:\Windows\System32\Detoured.dll

2013-08-20 12:04:29    339424    ----a-w-    C:\Windows\System32\ScDetour.Dll

2013-08-20 12:04:29    283104    ----a-w-    C:\Windows\SysWow64\ScDetour.Dll

2013-08-20 12:04:29    152544    ----a-w-    C:\Windows\System32\ScSecAuth.Dll

2013-08-20 12:04:29    137184    ----a-w-    C:\Windows\System32\ScSandboxApi.dll

2013-08-20 12:04:29    119776    ----a-w-    C:\Windows\SysWow64\ScSandboxApi.dll

2013-08-20 12:03:47    --------    d-----w-    C:\Program Files\Common Files\Quick Heal

2013-08-20 12:03:08    --------    d-----w-    C:\Windows\System32\gprodat

2013-08-20 12:03:02    64160    ----a-w-    C:\Windows\System32\drivers\ggc.sys

2013-08-18 08:52:29    --------    d-----w-    C:\temp

2013-08-17 10:34:21    --------    d-----w-    C:\Program Files\Quick Heal

2013-08-15 00:26:08    9460976    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{9228B4FD-4458-46D8-9502-EF8CAC583D50}\mpengine.dll

2013-08-14 18:20:52    --------    d-----w-    C:\ProgramData\regid.1986-12.com.adobe

2013-08-14 05:50:48    --------    d-----w-    C:\Users\admin\AppData\Roaming\uTorrent

2013-08-14 05:47:23    --------    d-----w-    C:\Program Files (x86)\YACReader

2013-08-13 14:51:17    --------    d-----w-    C:\Users\admin\AppData\Local\Opera

2013-08-13 11:31:52    --------    d-----w-    C:\Users\admin\AppData\Local\Adobe

2013-08-12 19:58:40    --------    d-----w-    C:\Users\admin\AppData\Local\Hewlett-Packard

2013-08-12 19:57:25    --------    d-----w-    C:\Users\admin\AppData\Roaming\hpqLog

2013-08-11 20:45:06    9460976    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2013-08-11 04:13:18    --------    d-----w-    C:\HP

2013-08-10 06:30:40    --------    d-----w-    C:\Users\admin\AppData\Roaming\PotPlayerMini

2013-08-10 06:30:40    --------    d-----w-    C:\Users\admin\AppData\Local\Daum

2013-08-08 13:52:51    --------    d-----w-    C:\ProgramData\LightScribe

2013-08-08 13:41:36    --------    d-----w-    C:\Windows\System32\appmgmt

2013-08-03 20:46:05    --------    d-----w-    C:\Windows\Panther

2013-08-03 11:55:21    --------    d-----w-    C:\Users\admin\AppData\Local\ATI

2013-08-03 11:53:53    0    ----a-w-    C:\Windows\ativpsrm.bin

2013-08-03 11:51:57    --------    d-----w-    C:\Program Files\Common Files\Intel

2013-08-03 11:51:57    --------    d-----w-    C:\Program Files (x86)\Common Files\Intel

2013-08-03 11:51:41    --------    d-----w-    C:\Program Files (x86)\AMD APP

2013-08-03 11:50:11    --------    d-----w-    C:\Program Files (x86)\ATI Technologies

2013-08-03 11:49:55    --------    d-----w-    C:\Program Files\ATI Technologies

2013-08-03 11:49:52    --------    d-----w-    C:\Program Files\ATI

2013-08-03 09:52:10    53248    ----a-w-    C:\Windows\SysWow64\CSVer.dll

2013-08-03 09:52:02    --------    d-----w-    C:\Intel

2013-08-03 09:40:26    6012416    ----a-w-    C:\Windows\System32\IDTNGUI.exe

2013-08-03 09:40:26    564224    ----a-w-    C:\Windows\System32\idt64mp1.exe

2013-08-03 09:40:26    5077504    ----a-w-    C:\Windows\System32\IDTNHP.dll

2013-08-03 09:40:26    4113408    ----a-w-    C:\Windows\System32\stlang64.dll

2013-08-03 09:40:26    233472    ----a-w-    C:\Windows\System32\IDTNJ.exe

2013-08-03 09:40:26    1819136    ----a-w-    C:\Windows\System32\IDTNC64.cpl

2013-08-03 09:40:26    1424896    ----a-w-    C:\Windows\sttray64.exe

2013-08-03 09:40:26    1041920    ----a-w-    C:\Windows\System32\IDTNX.dll

2013-08-03 09:40:25    --------    d-----w-    C:\Windows\System32\SRSLabs

2013-08-03 09:37:42    655872    ------w-    C:\Windows\System32\stapi64.dll

2013-08-03 09:37:42    535040    ----a-w-    C:\Windows\System32\drivers\stwrt64.sys

2013-08-03 09:37:42    446464    ----a-w-    C:\Windows\System32\stcplx64.dll

2013-08-03 09:37:42    251392    ----a-w-    C:\Windows\System32\staco64.dll

2013-08-03 09:37:42    1966080    ----a-w-    C:\Windows\System32\stapo64.dll

2013-08-03 09:37:39    --------    d-----w-    C:\Program Files\IDT

2013-08-03 09:37:26    --------    d-----w-    C:\swsetup

2013-08-03 09:06:48    --------    d-----w-    C:\Users\admin\AppData\Local\Macromedia

2013-08-03 08:19:54    --------    d-----w-    C:\Users\admin\AppData\Local\Ahead

2013-08-03 08:16:01    --------    d-----w-    C:\Program Files (x86)\Nero

2013-08-03 08:09:38    --------    d-----w-    C:\Windows\PCHEALTH

2013-08-03 08:07:54    --------    d-----w-    C:\Program Files (x86)\Microsoft Visual Studio 8

2013-08-03 08:07:06    --------    d-----w-    C:\Users\admin\AppData\Local\Microsoft Help

2013-08-03 08:00:33    178688    ----a-w-    C:\Windows\SysWow64\unrar.dll

2013-08-03 08:00:27    --------    d-----w-    C:\Program Files (x86)\K-Lite Codec Pack

2013-08-03 07:59:35    971680    ----a-w-    C:\Windows\System32\deployJava1.dll

2013-08-03 07:59:35    1092512    ----a-w-    C:\Windows\System32\npDeployJava1.dll

2013-08-03 07:59:31    108448    ----a-w-    C:\Windows\System32\WindowsAccessBridge-64.dll

2013-08-03 07:57:22    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-08-03 07:57:22    692616    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe

2013-08-03 07:56:47    --------    d-----w-    C:\Program Files\CCleaner

2013-08-03 07:49:58    51200    ----a-w-    C:\Windows\System32\ATIODCLI.exe

2013-08-03 07:49:58    332800    ----a-w-    C:\Windows\System32\ATIODE.exe

2013-08-03 07:49:58    118784    ----a-w-    C:\Windows\System32\atibtmon.exe

2013-08-03 07:49:52    14336    ----a-w-    C:\Windows\System32\atiglpxx.dll

2013-08-03 07:49:49    58880    ----a-w-    C:\Windows\System32\coinst.dll

2013-08-03 07:46:25    --------    d-----w-    C:\Users\admin\AppData\Local\Mozilla

2013-08-03 07:46:08    --------    d-----w-    C:\Program Files (x86)\Mozilla Maintenance Service

2013-08-03 07:46:00    --------    d-sh--w-    C:\Windows\Installer

2013-08-03 07:44:28    --------    d-----w-    C:\Users\admin\AppData\Roaming\Malwarebytes

2013-08-03 07:44:25    --------    d-----w-    C:\ProgramData\Malwarebytes

2013-08-03 07:44:24    25928    ----a-w-    C:\Windows\System32\drivers\mbam.sys

2013-08-03 07:44:24    --------    d-----w-    C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-08-03 07:44:16    --------    d-----w-    C:\Users\admin\AppData\Local\Programs

2013-08-03 07:42:42    60184    ----a-w-    C:\Windows\System32\drivers\HECIx64.sys

2013-08-03 07:36:49    4746304    ----a-w-    C:\Windows\System32\drivers\BCMWL664.SYS

2013-08-03 07:36:48    95544    ----a-w-    C:\Windows\System32\bcmwlcoi.dll

2013-08-03 07:36:48    3952640    ----a-w-    C:\Windows\System32\bcmihvsrv64.dll

2013-08-03 07:36:48    3617792    ----a-w-    C:\Windows\System32\bcmihvui64.dll

2013-08-03 07:34:47    726160    ----a-w-    C:\Windows\System32\drivers\Rt64win7.sys

2013-08-03 07:34:46    74344    ----a-w-    C:\Windows\System32\RtNicProp64.dll

2013-08-03 07:34:46    107552    ----a-w-    C:\Windows\System32\RTNUninst64.dll

2013-08-03 07:24:04    --------    d-----w-    C:\Users\admin\AppData\Local\VirtualStore

2013-08-03 07:22:09    --------    d-sh--w-    C:\Recovery

.

==================== Find3M  ====================

.

.

============= FINISH: 13:21:12.91 ===============

 

 


  • Staff

Hello Blacksmoke

I have seen this issue come up with a few people running Quick Heal, and it has been reported to our researchers. This is what they told us:

About Quick Heal

They use some sort of "blocklist" with filenames in it in order to prevent the creation of those files (as some sort of pro-active defense).

So during a Malwarebytes scan, enumerating the rules probably triggers some sort of action in Quick Heal (some sort of lock/access denied), so MBAM acts upon that and treats/sees this as the file being present.

I rather think this is present in Quick Heal Internet Security (maybe the pro-active defense settings? Or some sort of app-blocker in there?).

It is sort of a false positive; that is why when you remove Quick Heal it no longer gets detected.

Gringo
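As an added illustration of the mechanism described in the reply above (this is example code, not Malwarebytes' or Quick Heal's), here is a scanner look-up that separates "absent", "present" and "blocked", next to the naive version that treats any error other than "not found" as a hit. The blocklist stand-in and all function names are constructed for the example; `skype.dat` is only the filename from the thread and is never created.

```python
"""Why an access-denied look-up must not be read as "file exists".

Constructed example: a filename blocklist in one product (stand-in for the
behaviour the staff reply attributes to Quick Heal) answers the scanner's
stat() with an access-denied error. A scanner that folds every non-ENOENT
error into "present" reports a file that is not there.
"""
import errno
import os
from enum import Enum


class PathState(Enum):
    ABSENT = "absent"    # look-up says there is no such file
    PRESENT = "present"  # look-up succeeded; the file really exists
    BLOCKED = "blocked"  # look-up refused by another product; existence unknown


def classify_path(path, stat_fn=os.stat):
    """Three-way classification of one path.

    stat_fn is injectable so the blocking behaviour can be simulated without
    a second security product installed.
    """
    try:
        stat_fn(path)
    except FileNotFoundError:
        return PathState.ABSENT
    except PermissionError:
        return PathState.BLOCKED
    except OSError as exc:
        # Sharing violations and similar refusals are also not proof of presence.
        if exc.errno in (errno.EACCES, errno.EPERM, errno.EBUSY):
            return PathState.BLOCKED
        raise
    return PathState.PRESENT


def naive_verdict(path, stat_fn=os.stat):
    """The behaviour the thread describes: anything but ENOENT counts as a hit."""
    try:
        stat_fn(path)
    except FileNotFoundError:
        return False
    except OSError:
        return True  # access denied is mistaken for "the file is present"
    return True


def careful_verdict(path, stat_fn=os.stat):
    """Only a successful look-up is treated as a detection."""
    return classify_path(path, stat_fn) is PathState.PRESENT


def blocklisting_stat(blocked_names):
    """Constructed stand-in for a filename blocklist that refuses look-ups
    of the listed names and passes everything else through to os.stat."""
    def _stat(path):
        if os.path.basename(path).lower() in blocked_names:
            raise PermissionError(errno.EACCES, "Access is denied", path)
        return os.stat(path)
    return _stat


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "skype.dat")  # never created on disk
        stat = blocklisting_stat({"skype.dat"})
        print("naive verdict:  ", naive_verdict(target, stat))   # True: false positive
        print("careful verdict:", careful_verdict(target, stat))  # False
        print("classification: ", classify_path(target, stat))   # PathState.BLOCKED
```

The "blocked" outcome is the one a scanner should surface separately (or re-check with the other product disabled) rather than report as a detection it then cannot remove.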


Thanks for replying Gringo,

Well, if it's a false positive, then I can surely breathe a sigh of relief.

But are you sure this is happening only with the users that run Quick Heal and MBAM together?

Or is it happening with other users too who don't run Quick Heal but some other antivirus along with MBAM?

The reason I'm worried is because I have heard a lot about this virus, like they can bypass detection from popular antiviruses. Could it be for this reason that it's not getting detected by MBAM all the time?

And I also heard that there are like 2 files (skype.dat and skype.ini) that hide in the registry or a hidden sector of the HDD and slowly take over the system.

Do you think some viruses can survive a full system format?

Thanks


Hello again. Well, recently my Quick Heal is acting weird. The Quick Heal application window is not opening, and instead a message pops up saying my Quick Heal product key is being used by multiple PCs, when the fact is, I only have one PC in my house.

Now I already uninstalled Malwarebytes to get rid of any conflict problem between the two apps, then restarted my PC. After that, when I'm again trying to open Quick Heal, it's displaying the same message that my key is being used on multiple PCs.

I think it's a virus issue (stole my product key). I mean, after uninstalling MBAM this kind of problem shouldn't arise. Right?

Please help me out.


  • Staff

Hello blacksmoke

There was no need to uninstall Malwarebytes as long as you know that it is not really seeing those files.

If there was a virus that is stealing information, it would not go through the trouble to get a product code for an antivirus.

I will go and check your computer for viruses, but I think the best thing for you to do is reinstall Malwarebytes and contact Quick Heal about its product code.

These are the programs I would like you to run next; if you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient, as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

When they are complete, let me have the two reports and let me know how things are running.

Gringo


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
