2 Replies Latest reply on Jul 5, 2011 1:33 AM by SamSwift

    McAfee failed to detect common Trojan

      Could someone convince me why I shouldn't ask for a refund from McAfee?

      McAfee runs a scan on my laptop weekly.

      However, when I noticed my browser was lagging and redirecting my links, I knew instantly that I had been infected with a browser hijacker, and ran a manual full McAfee scan.

      But McAfee showed up with no results.

      Unconvinced because of my browser's and laptop's general, sudden unusual behaviour, I took a look into my c:\ myself. There, I found the very common API-MS-WIN-CORE-MEMORY-L1-1-032.DLL file, which is a trojan downloader and browser hijacker.

      Despite its commonness, McAfee failed to detect it.

      Instead, I downloaded the FREE MalwareBytes software, which not only detected the above trojan downloader, but found ADDITIONAL malicious software that McAfee, again, failed to detect. MalwareBytes quarantined and deleted the files. Then, alas, my laptop's performance went back to normal.

      So, could someone try and convince me why I shouldn't get a refund for my McAfee software and keep the free software, which did a far better job than McAfee?

      For those interested, below is the log from Malware Bytes showing the successful detection and removal of malicious software (which, as said, McAfee failed to even detect):


      Malwarebytes' Anti-Malware 1.51.0.1200
      www.malwarebytes.org

      Database version: 7018

      Windows 6.1.7600
      Internet Explorer 8.0.7600.16385

      04/07/2011 14:00:46
      mbam-log-2011-07-04 (14-00-46).txt

      Scan type: Quick scan
      Objects scanned: 169453
      Time elapsed: 3 minute(s), 47 second(s)

      Memory Processes Infected: 4
      Memory Modules Infected: 1
      Registry Keys Infected: 2
      Registry Values Infected: 3
      Registry Data Items Infected: 1
      Folders Infected: 1
      Files Infected: 12

      Memory Processes Infected:
      c:\Windows\SysWOW64\reagent32.exe (Trojan.Tracur.SGen) -> 2016 -> Unloaded process successfully.
      c:\programdata\imageres32.exe (Trojan.Tracur.SGen) -> 1748 -> Unloaded process successfully.
      c:\Users\Scott\AppData\Roaming\SysWin\lsass.exe (Trojan.Tracur.SGen) -> 3812 -> Unloaded process successfully.
      c:\Windows\deskmonwow.exe (Trojan.Tracur.SGen) -> 6480 -> Unloaded process successfully.

      Memory Modules Infected:
      c:\programdata\api-ms-win-core-memory-l1-1-032.dll (Trojan.Tracur.Gen) -> Delete on reboot.

      Registry Keys Infected:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield32 (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RTHDBPL (Trojan.Tracur.SGen) -> Value: RTHDBPL -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deskmonwow.exe (Trojan.Tracur.SGen) -> Value: deskmonwow.exe -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\colbactwow.exe (Trojan.TracurW.Gen) -> Value: colbactwow.exe -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.Gen) -> Bad: (C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll) Good: () -> Quarantined and deleted successfully.

      Folders Infected:
      c:\Users\Scott\AppData\Roaming\SysWin (Trojan.Agent) -> Quarantined and deleted successfully.

      Files Infected:
      c:\Windows\SysWOW64\reagent32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
      c:\programdata\imageres32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
      c:\Users\Scott\AppData\Roaming\SysWin\lsass.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
      c:\Windows\deskmonwow.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
      c:\Windows\System32\reagent32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
      c:\Windows\System32\config\systemprofile\AppData\Roaming\1697.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
      c:\Windows\System32\config\systemprofile\AppData\Roaming\B5C1.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
      c:\Windows\System32\imageres32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
      c:\Windows\SysWOW64\imageres32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
      c:\Windows\Temp\D6A4.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
      c:\Users\Scott\downloads\quicktime_update_kb323612.exe (Malware.Tracur.PGen) -> Quarantined and deleted successfully.
      c:\programdata\api-ms-win-core-memory-l1-1-032.dll (Trojan.Tracur.Gen) -> Quarantined and deleted successfully.
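Added example, not part of the thread and not Malwarebytes' own code: a small Python parser for the log format posted above. It splits the log into its "... Infected:" sections, extracts each item, detection name and final action, cross-checks the summary counts against the parsed entries (a quick way to spot a truncated or hand-edited log), lists items still pending a delete-on-reboot, and tags the entries that are persistence locations rather than payload files: the Run values, the AppInit_DLLs data item and the entry under CurrentControlSet\Services. The sample input is an excerpt of the log above (paths and detection names are the page's own; the Files section is shortened, so its summary line is left out); the section and persistence labels and the regular expressions are my own assumptions about the format.

```python
import re
from collections import defaultdict

# Excerpt of the Malwarebytes log posted in the thread above. Summary counts
# are kept only for the sections reproduced in full.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.0.1200
Database version: 7018

Memory Processes Infected: 4
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 1

Memory Processes Infected:
c:\Windows\SysWOW64\reagent32.exe (Trojan.Tracur.SGen) -> 2016 -> Unloaded process successfully.
c:\programdata\imageres32.exe (Trojan.Tracur.SGen) -> 1748 -> Unloaded process successfully.
c:\Users\Scott\AppData\Roaming\SysWin\lsass.exe (Trojan.Tracur.SGen) -> 3812 -> Unloaded process successfully.
c:\Windows\deskmonwow.exe (Trojan.Tracur.SGen) -> 6480 -> Unloaded process successfully.

Memory Modules Infected:
c:\programdata\api-ms-win-core-memory-l1-1-032.dll (Trojan.Tracur.Gen) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield32 (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RTHDBPL (Trojan.Tracur.SGen) -> Value: RTHDBPL -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deskmonwow.exe (Trojan.Tracur.SGen) -> Value: deskmonwow.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\colbactwow.exe (Trojan.TracurW.Gen) -> Value: colbactwow.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.Gen) -> Bad: (C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll) Good: () -> Quarantined and deleted successfully.

Files Infected:
c:\Users\Scott\downloads\quicktime_update_kb323612.exe (Malware.Tracur.PGen) -> Quarantined and deleted successfully.
c:\programdata\api-ms-win-core-memory-l1-1-032.dll (Trojan.Tracur.Gen) -> Quarantined and deleted successfully.
"""

# Line shapes assumed from the log above (my own regexes, not Malwarebytes').
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")   # "Files Infected: 12"
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")                  # "Files Infected:"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

# Registry locations that start code at boot/logon, so a hit there is a
# persistence mechanism rather than a dropped payload. Labels are my own.
PERSISTENCE_RULES = (
    (r"\\AppInit_DLLs$", "AppInit_DLLs"),
    (r"\\CurrentVersion\\Run\\", "Run key"),
    (r"\\CurrentControlSet\\Services\\", "Service"),
)


def classify_persistence(item):
    """Return a persistence label for a registry path, or None for plain files."""
    for pattern, label in PERSISTENCE_RULES:
        if re.search(pattern, item, re.IGNORECASE):
            return label
    return None


def parse_mbam_log(text):
    """Return (summary counts, {section: [entry dicts]}) for an MBAM text log."""
    summary, entries, section = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SUMMARY_RE.match(line)):
            summary[m["section"]] = int(m["count"])
        elif (m := SECTION_RE.match(line)):
            section = m["section"]
        elif section and (m := ENTRY_RE.match(line)):
            # The last "->" segment is the action taken; earlier ones are PIDs,
            # value names or Bad/Good data that we do not need here.
            action = m["rest"].split("->")[-1].strip().rstrip(".")
            entries[section].append({
                "item": m["item"],
                "detection": m["detection"],
                "action": action,
                "persistence": classify_persistence(m["item"]),
            })
    return summary, dict(entries)


def summary_mismatches(summary, entries):
    """Sections whose summary count differs from the entries actually listed."""
    return {s: (n, len(entries.get(s, []))) for s, n in summary.items()
            if n != len(entries.get(s, []))}


def persistence_entries(entries):
    """All entries that sit in an autostart location."""
    return [e for sec in entries.values() for e in sec if e["persistence"]]


def pending_reboot(entries):
    """Items the scanner could not remove yet; the machine is not clean until rebooted."""
    return [e["item"] for sec in entries.values() for e in sec if e["action"] == "Delete on reboot"]


if __name__ == "__main__":
    summary, entries = parse_mbam_log(SAMPLE_LOG)
    print("summary mismatches:", summary_mismatches(summary, entries))
    for e in persistence_entries(entries):
        print(f"{e['persistence']:13} {e['detection']:20} {e['item']}")
    print("pending delete on reboot:", pending_reboot(entries))
```

Run against the full log it reports the three Run values, the AppInit_DLLs entry and the McShield32 service as the autostart points, and the in-memory DLL as still pending a reboot, which is the part of the log worth re-checking with a second scan after restart.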

        • 1. Re: McAfee failed to detect common Trojan
          exbrit

          Until one of the people from that department chimes in here, I should point out that no antivirus in the world is guaranteed to catch everything; likewise, MalwareBytes and other specialist tools aren't that good at catching the millions of infections that antiviruses already do catch.  With new variants appearing by the hundreds daily it's a difficult job to keep up, and McAfee Labs, like many other antivirus companies' labs, rely heavily on file submissions to combat anything new.


          Tracur is on McAfee's books and has been for some time so this must be a new variant.  http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=299182 is but one of the many variants already on their books.


          There is also a free tool available called Fake Alert Stinger which does a similar job to MalwareBytes here:  http://www.mcafee.com/us/downloads/free-tools/fake-alert-stinger.aspx


          It's unfortunate that this happens, I know, but don't switch brands simply because of one disappointment, because the same could happen with any antivirus, believe me.


          Always keep a small arsenal of tools handy (I've outlined a few here:  https://community.mcafee.com/docs/DOC-2168), keep your system and software always up to date, and be ultra careful what you click, download etc.


          A quote from one of the lead developers of MalwareBytes (Bruce Harrison) :

          ...

          "As far as why MBAM is very good at dealing with this infection, that is simple. MBAM is designed to be very good at dealing with malware that the AVs seem to be having problems with. I do not spend my time making MBAM detect millions of infections that any decent AV already detects as MBAM is DESIGNED to work alongside antivirus software, not replace it.  A huge chunk of the research that goes into MBAM revolves around what we see making it into HJT threads as the vast majority of these threads involve antivirus software that was in some way bypassed.

          ...

          Let's settle this now and avoid any further misinformation. MBAM is now a very good backup to any antivirus software and will only get better in the future. MBAM will NEVER add antivirus abilities to its core app and is always advised to be used WITH antivirus software. We actually get this question a lot in the forums and I assure you that we always say:

          "No, MBAM can't replace your existing antivirus software and is not designed to."

          • 2. Re: McAfee failed to detect common Trojan
            SamSwift

            Hi Scottster,


            Ex_Brit is exactly right - unfortunately no AV will protect you all of the time. We add many new detections every day via both the traditional DAT update files and via GTI file reputation; however, the bad guys keep on churning out new malware. I would always recommend scanning with Stinger if you have suspicious undetected behaviour on your machine. We release a new one every day Monday-Friday, so please make sure you have the latest version before running it.


            I hope this helps,


            Sam