Level 7

McAfee failed to detect common Trojan

Could someone convince me why I shouldn't ask for a refund from McAfee?

McAfee runs a scan on my laptop weekly.

However, when I noticed my browser was lagging and redirecting my links, I knew instantly that I had been infected with a browser hijacker, and ran a manual full McAfee scan.

But, McAfee showed up with no results.

Unconvinced because of my browser and laptop's general, sudden unusual behaviour, I took a look into my c:\ myself. There, I found the very common API-MS-WIN-CORE-MEMORY-L1-1-032.DLL file, which is a trojan downloader and browser hijacker.

Despite its commonness, McAfee failed to detect it.

Instead, I downloaded the FREE MalwareBytes software, which not only detected the above trojan downloader, but found ADDITIONAL malicious software that McAfee, again, failed to detect. MalwareBytes quarantined and deleted the files. Then, alas, my laptop's performance went back to normal.

So, could someone try and convince me why I shouldn't get a refund for my McAfee software and keep the free software which did a far better job than McAfee?

For those interested, below is the log from Malware Bytes showing the successful detection and removal of malicious software (which, as said, McAfee failed to even detect):

Malwarebytes' Anti-Malware

Database version: 7018

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

04/07/2011 14:00:46

mbam-log-2011-07-04 (14-00-46).txt

Scan type: Quick scan

Objects scanned: 169453

Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 4

Memory Modules Infected: 1

Registry Keys Infected: 2

Registry Values Infected: 3

Registry Data Items Infected: 1

Folders Infected: 1

Files Infected: 12

Memory Processes Infected:

c:\Windows\SysWOW64\reagent32.exe (Trojan.Tracur.SGen) -> 2016 -> Unloaded process successfully.

c:\programdata\imageres32.exe (Trojan.Tracur.SGen) -> 1748 -> Unloaded process successfully.

c:\Users\Scott\AppData\Roaming\SysWin\lsass.exe (Trojan.Tracur.SGen) -> 3812 -> Unloaded process successfully.

c:\Windows\deskmonwow.exe (Trojan.Tracur.SGen) -> 6480 -> Unloaded process successfully.

Memory Modules Infected:

c:\programdata\api-ms-win-core-memory-l1-1-032.dll (Trojan.Tracur.Gen) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield32 (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RTHDBPL (Trojan.Tracur.SGen) -> Value: RTHDBPL -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deskmonwow.exe (Trojan.Tracur.SGen) -> Value: deskmonwow.exe -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\colbactwow.exe (Trojan.TracurW.Gen) -> Value: colbactwow.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.Gen) -> Bad: (C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll) Good: () -> Quarantined and deleted successfully.

Folders Infected:

c:\Users\Scott\AppData\Roaming\SysWin (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

c:\Windows\SysWOW64\reagent32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.

c:\programdata\imageres32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.

c:\Users\Scott\AppData\Roaming\SysWin\lsass.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.

c:\Windows\deskmonwow.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.

c:\Windows\System32\reagent32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.

c:\Windows\System32\config\systemprofile\AppData\Roaming\1697.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.

c:\Windows\System32\config\systemprofile\AppData\Roaming\B5C1.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.

c:\Windows\System32\imageres32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.

c:\Windows\SysWOW64\imageres32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.

c:\Windows\Temp\D6A4.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.

c:\Users\Scott\downloads\quicktime_update_kb323612.exe (Malware.Tracur.PGen) -> Quarantined and deleted successfully.

c:\programdata\api-ms-win-core-memory-l1-1-032.dll (Trojan.Tracur.Gen) -> Quarantined and deleted successfully.

0 Kudos
2 Replies
Level 21

Re: McAfee failed to detect common Trojan

Until one of the people from that department chimes in here, I should point out that no antivirus in the world is guaranteed to catch everything; likewise, MalwareBytes and other specialist tools aren't that good at catching the millions of infections that antiviruses already do catch. With new variants appearing by the hundreds daily, it's a difficult job to keep up, and McAfee Labs, like many other antivirus companies' labs, rely heavily on file submissions to combat anything new.

Tracur is on McAfee's books and has been for some time so this must be a new variant. is but one of the many variants already on their books.

There is also a free tool available called Fake Alert Stinger which does a similar job to MalwareBytes here:

It's unfortunate that this happens, I know, but don't switch brands simply because of one disappointment, because the same could happen with any antivirus, believe me.

Always keep a small arsenal of tools handy and I've outlined a few here: and keep your system and software always up to date, and be ultra careful what you click, download etc.

A quote from one of the lead developers of MalwareBytes (Bruce Harrison) :


"As far as why MBAM is very good at dealing with this infection, that is simple. MBAM is designed to be very good at dealing with malware that the AVs seem to be having problems with. I do not spend my time making MBAM detect millions of infections that any decent AV already detects as MBAM is DESIGNED to work alongside antivirus software, not replace it. A huge chunk of the research that goes into MBAM revolves around what we see making it into HJT threads as the vast majority of these threads involve antivirus software that was in some way bypassed.

Let's settle this now and avoid any further misinformation. MBAM is now a very good backup to any antivirus software and will only get better in the future. MBAM will NEVER add antivirus abilities to its core app and is always advised to be used WITH antivirus software. We actually get this question a lot in the forums and I assure you that we always say :

"No, MBAM can't replace your existing antivirus software and is not designed to."

0 Kudos
Level 12

Re: McAfee failed to detect common Trojan

Hi Scottster,

Ex_Brit is exactly right - unfortunately no AV will protect you all of the time - we add many new detections every day via both the traditional DAT update files and via GTI file reputation, however the bad guys keep on churning out new malware. I would always recommend scanning with Stinger if you have suspicious undetected behaviour on your machine. We release a new one every day Monday-Friday so please make sure you have the latest version before running it.

I hope this helps,


0 Kudos