Crazy trojan

By smitherson
Sep 6, 2009
Topic Status:
Not open for further replies.
  1. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,457   +135

  2. raybay

    raybay TechSpot Evangelist Posts: 10,716   +6

    As far as I know, the mcwelcom.exe is not a known spyware, adware or trojan executable.

    However I do not know exactly what it is or what it does. It has a file size of 24,576 bytes. It is found under the "Agent" directory with a creation date of August 30, 2005.

    If you find out what it is, let us know, but it is likely tied to some other install as supplemental software.
  3. Zyldar

    Zyldar Newcomer, in training Posts: 34

    Recent infections have been going around where scanning tools close down immediately after running them.

    In multiple cases, the c:\windows\system32\eventlog.dll was infected and can't be cleaned.

    Since eventlog.dll is a Windows system file needed for the event log and Event Viewer to work, it loads before anti-virus and other cleaning tools. While running, it changes the Security settings (it removes SYSTEM from the Security tab) on most cleaning tools and forces them to close while running scans.

    You can delete it or rename it booting to Recovery Console or using a utility like Killbox.
    http://killbox.net/downloads/KillBox.exe

    Once the file is deleted, your Event Viewer won't work, so you'll have to copy Eventlog.dll from another location in your computer or from another computer.

    Even after deleting the eventlog.dll, the scanning tools that were disabled still won't run and you'll need to change the Security on them to be able to delete them or use them. I posted steps for changing the Security tab a few days ago higher up in this post.
  4. edteach

    edteach Newcomer, in training Posts: 42

    Thanks

    I did a couple of things. I ran the recovery disc and did the backup. After it reinstalled the system I downloaded all the programs for security again and ran them several times, and it found 2 trojans that must have come with the backup. I have been running Malwarebytes and others after using it and nothing has been found except tracking cookies.

    The second thing I did, since my computer had only 4 GB free space on a 90 GB HD: I purchased a new laptop with much more memory and HD space. I will use the new computer to run emails and banking and things I am more security-conscious about, and the old one I will do my downloads and torrents on. That way if anything happens I will just do a destructive install and nothing important will be lost. When the funds are available I will buy one of the 500 GB external HDs and I will back up the computer that has all my photos etc. on it. I have a 16 GB jump drive that has them but it is full and no room to grow. But if I back up my whole system as it is now I should be able to transfer it. I am not sure how it can be done but I would think it possible with a little research.
  5. Zyldar

    Zyldar Newcomer, in training Posts: 34

    Trojan.Sirefef is one of the names given to that virus that kept shutting down your cleaning programs.
    c:\windows\system32\eventlog.dll
  6. edteach

    edteach Newcomer, in training Posts: 42

    I should have done a destructive install instead of a backup. But it did allow the programs to run and find the trojan in the backup, and I have not seen any instances of it since. After backing up my files to the new computer I will not hesitate to do a destructive recovery on the old computer if anything shows up again. I can pinpoint when I got it also. It was a pop-up video that looked like a YouTube video, and when I clicked on the arrow to see the video it went to a download of an 88 KB file. I knew there and then that it was some trojan but it was too late; it had loaded. I tried to run the MB program and it would not run. I was worried that it was not only keeping antimalware from running but maybe had some other thing like a keystroke program or something that would send banking info to the people who created this program. I think keeping two computers is the best way to partition this from doing any real harm.
  7. edteach

    edteach Newcomer, in training Posts: 42

    On my new Gateway I ran Malwarebytes and got 9 trojans detected. Are these false positives? Or do I have something in my docs that I have backed up and transferred to the new computer that is causing this? I do have a Nero 7 with keygen on it. Is this possibly the culprit? Should I delete the program and keygen in RAR off my computer? And is the damage already done? I have had this for a long time on other computers and just copied it to this one. I have used it for over a year with no problems on my other Gateway. Is the positive just a false positive? Here is the Malwarebytes log.

    Malwarebytes' Anti-Malware 1.41
    Database version: 2804
    Windows 6.0.6001 Service Pack 1

    9/15/2009 2:50:17 PM
    mbam-log-2009-09-15 (14-50-17).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 247240
    Time elapsed: 43 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\TypeLib\{86676e13-d6d8-4652-9fcf-f2047f1fb000} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partner service (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\partner service (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\partner service (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\ProgramData\Partner\partner.dll (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\ProgramData\Partner\partner.exe (Trojan.BHO) -> Quarantined and deleted successfully.
  8. raybay

    raybay TechSpot Evangelist Posts: 10,716   +6

    Doubt they are false positives.
    You should re-run MalwareBytes again in SAFE MODE, as some of those infestations are known for hiding in memory and returning when you reboot.

    In addition, I would run Avira and SuperAntispyware, but SuperAntiSpyware will not re-run in Safe Mode.
  9. edteach

    edteach Newcomer, in training Posts: 42

    malwarebytes file

    This is a second computer that I just ran the recovery disc on in destructive mode. I downloaded Avast antispyware immediately and then Malwarebytes, and ran Malwarebytes in quick scan, and it says it found these two problems. I must be getting false positives. How can I be getting trojans or viruses on a complete reinstall?


    Malwarebytes' Anti-Malware 1.41
    Database version: 2805
    Windows 5.1.2600 Service Pack 2

    9/15/2009 6:37:38 PM
    mbam-log-2009-09-15 (18-37-38).txt

    Scan type: Quick Scan
    Objects scanned: 88247
    Time elapsed: 5 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
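The two "Disabled.SecurityCenter" items in the log above are plain DWORD values under the Security Center key; a 1 there tells Windows to stop warning that antivirus or the firewall is off. The script below is an added example, not something posted in this thread, that reads those switches and, with -Fix, sets any suppressed one back to 0. It also checks UpdatesDisableNotify, the third switch in the same key, which the log did not flag; that addition is mine. It assumes PowerShell 2.0 or later and an elevated prompt.

```powershell
# Added example (not from the thread): inspect the Windows Security Center
# notification switches Malwarebytes reported as "Disabled.SecurityCenter".
# 1 = the "antivirus/firewall is turned off" balloon is suppressed;
# 0 or absent = normal. UpdatesDisableNotify is included by this example
# even though the log above did not flag it. Run elevated; -Fix resets to 0.
param([switch]$Fix)

$key   = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$names = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'

function Get-SecurityCenterNotifyState {
    foreach ($n in $names) {
        $v = $null
        # -ErrorAction SilentlyContinue: a missing value is a normal (clean) state
        $item = Get-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue
        if ($item -ne $null) { $v = $item.$n }
        $status = if ($v -eq $null -or $v -eq 0) { 'OK' } else { 'SUPPRESSED' }
        New-Object PSObject -Property @{ Name = $n; Value = $v; Status = $status }
    }
}

$state = @(Get-SecurityCenterNotifyState)
$state | Format-Table Name, Value, Status -AutoSize

if ($Fix) {
    foreach ($item in ($state | Where-Object { $_.Status -eq 'SUPPRESSED' })) {
        Set-ItemProperty -Path $key -Name $item.Name -Value 0 -Type DWord
        Write-Host ("Reset {0} to 0" -f $item.Name)
    }
    # Re-read so the reader sees the post-fix state
    @(Get-SecurityCenterNotifyState) | Format-Table Name, Value, Status -AutoSize
}
```

Two caveats a practitioner should keep in mind: these values are also set to 1 when a user (or a third-party security suite) turns the Security Center alerts off deliberately, so a 1 is something to explain rather than proof of infection on its own; and if a value flips back to 1 after you reset it, something running on the machine is re-setting it, which is the behaviour to chase rather than the value itself.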
  10. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,457   +135

    That's a good mbam log. What does Avast say?
  11. edteach

    edteach Newcomer, in training Posts: 42

    All are clear but Spybot Search and Destroy.
  12. smitherson

    smitherson Newcomer, in training Topic Starter

    logs attached
  13. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,457   +135

    This is an antivirus/malware program that can be uninstalled normally. I don't care for it, but that's just my opinion.
     
  14. Zyldar

    Zyldar Newcomer, in training Posts: 34

    Rootrepeal log shows that you need to remove:
    C:\WINDOWS\system32\drivers\SKYNETyqdnnkti.sys

    Boot to Recovery Console and type at the DOS prompt:
    del C:\WINDOWS\system32\drivers\SKYNETyqdnnkti.sys

    If spybot won't let you delete, re-install, or run it, it is because the security settings have been changed by the virus.

    The Security tab can be viewed in the Properties of SpybotSD.exe by making a few changes.
    If you're using XP Pro, you can run these steps in normal Windows mode; use Windows SAFE Mode if you're using XP Home edition.
    1. Open 'My Computer'
    2. Click on Tools - folder options.
    3. Click on the VIEW tab.
    4. Click on the bullet 'Show hidden files & folders'
    5. Uncheck 'Hide protected operating system files (Recommended)'
    6. Uncheck 'Use simple file sharing (Recommended)'
    7. click OK.

    You should now be able to open:
    My Computer - Local Disk C: - Program Files - Spybot - Search & Destroy

    Right mouse click on SpybotSD.exe and select Properties.
    Click on the SECURITY tab.

    (check to see if SYSTEM is listed under 'Group or user names')
    (If it's not there, then follow the next step)
    Click the ADD button
    Click the ADVANCED button
    Click the FIND NOW button
    Scroll down and select (left click on) SYSTEM.
    Click OK
    Click OK

    System should now appear in the list.
    Left click on SYSTEM.
    Click on the check box for 'Full Control'
    Click the OK button at the bottom of that window.

    You will now be able to re-install, delete, or run spybot.

    Note: You need to check the box for 'Use simple file sharing (Recommended)' and hide system files and hidden files again.
    1. Open 'My Computer'
    2. Click on Tools - folder options.
    3. Click on the VIEW tab.
    4. Click on the bullet 'Do Not Show hidden files & folders'
    5. Check 'Hide protected operating system files (Recommended)'
    6. Check 'Use simple file sharing (Recommended)'
    7. click OK.

    Done.
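The Security-tab procedure above, done from PowerShell so it can be re-run in seconds after each scan attempt. This is an added example, not code posted in the thread. For each scanner executable it reports whether NT AUTHORITY\SYSTEM (well-known SID S-1-5-18) holds an Allow ACE granting Full Control and whether any Deny ACE for SYSTEM is present; with -Fix it removes such Deny ACEs and adds the Allow ACE, which is what the GUI steps achieve. The two paths are my assumptions about where Spybot and Malwarebytes are installed; edit them to match your machine. It assumes PowerShell 2.0 or later, an elevated prompt, and (as Zyldar advises for XP Home) Safe Mode if the malware keeps stripping the entry.

```powershell
# Added example (not from the thread): check and restore SYSTEM's Full Control
# on scanner executables, the same change the Security-tab steps above make.
# Paths below are assumptions; adjust to where the tools are installed.
# Run from an elevated prompt; -Fix applies the change, otherwise read-only.
param([switch]$Fix)

$targets = @(
    'C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe',
    "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
)

# Match on the SID rather than the name, so it works even if name lookup is broken
$systemSid   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-SystemAces([System.Security.AccessControl.FileSystemSecurity]$Acl) {
    # Return the ACEs in this DACL that apply to SYSTEM, whatever name they show as
    foreach ($ace in $Acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }
        if ($sid -eq $systemSid) { $ace }
    }
}

function Test-SystemFullControl([string]$Path) {
    $acl   = Get-Acl -Path $Path
    $aces  = @(Get-SystemAces $acl)
    $allow = @($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $fullControl) -eq $fullControl) })
    $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })
    New-Object PSObject -Property @{
        Path = $Path; HasFullControl = ($allow.Count -gt 0); DenyAces = $deny.Count }
}

function Repair-SystemFullControl([string]$Path) {
    $acl = Get-Acl -Path $Path
    # A Deny ACE for SYSTEM would override any Allow we add, so drop those first
    foreach ($ace in @(Get-SystemAces $acl)) {
        if ($ace.AccessControlType -eq 'Deny') { $acl.RemoveAccessRuleSpecific($ace) }
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($systemSid, $fullControl, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t)) { Write-Host "$t : not found"; continue }
    $r = Test-SystemFullControl $t
    Write-Host ("{0}`n  SYSTEM FullControl: {1}   Deny ACEs for SYSTEM: {2}" -f $r.Path, $r.HasFullControl, $r.DenyAces)
    if ($Fix -and (-not $r.HasFullControl -or $r.DenyAces -gt 0)) {
        Repair-SystemFullControl $t
        $r = Test-SystemFullControl $t
        Write-Host ("  after fix -> SYSTEM FullControl: {0}   Deny ACEs: {1}" -f $r.HasFullControl, $r.DenyAces)
    }
}
```

If Get-Acl itself fails with access denied, the DACL no longer grants Administrators read access either; take ownership first (takeown /f on the file, available on XP Pro and Vista) and re-run. On Vista and later the same grant can be done as a one-liner with icacls and /grant "NT AUTHORITY\SYSTEM:(F)". Run the read-only form right after a scan closes: if SYSTEM has vanished again, as smitherson reports, the fix is being undone by something still running, and the ACL is a symptom to monitor rather than the thing to fix.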
  16. smitherson

    smitherson Newcomer, in training Topic Starter

    I did that already, but once I run any antimalware it will open, but once I start a scan it closes. When I look at the security settings again they have changed back to not having SYSTEM in the list anymore. The second I hit the "check for problems" button the program closes. When I go back to the exe, SYSTEM has been removed from the Security tab.
  17. pomkon

    pomkon Newcomer, in training Posts: 27

    People always say run anti-malware or AV in safe mode, but I can't get into safe mode and can't run it.
  18. pomkon

    pomkon Newcomer, in training Posts: 27


    This is what happened to me first: all AV and anti-malware tools were disabled this way, and now virtually all programs except Chrome. Also the Internet connection and sound are lost.

    I tried to take the hard drive out to scan it but soon discovered it was SATA and not adaptable to my old external hard drive box (laptop size, 2.5").

    so I made a boot disc but has not worked, perhaps i try again...
  19. smitherson

    smitherson Newcomer, in training Topic Starter

    I gave up and bought Vista and installed it. Hopefully that cures it... Any tips on how to secure my system and optimise Vista would be greatly appreciated!
  20. pomkon

    pomkon Newcomer, in training Posts: 27

    Oh, then I have to wait forever for Windows 7, or just get a Mac that I always wanted.
  21. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,457   +135

    Windows 7 release 10/22/2009... or of course you can spend big bucks on a Mac
  22. pomkon

    pomkon Newcomer, in training Posts: 27

    New update: I found the trojans but can't remove or repair them.
    They are Pakes.npx, PCK.Tdss.Z.939, PCK.Tdss.Z.949, PCK.Tdss.Z.959 and Alueron.19456U.3

    What can I do??
  23. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,457   +135

    pomkon.
    Did you go to the 8-Step Virus & Malware Removal thread and follow the instructions and post your 3 logs?
  24. raybay

    raybay TechSpot Evangelist Posts: 10,716   +6

    usually, scanning in regular mode with SuperAntiSpyware, MalwareBytes, and Avira Antivirus, then immediately run Avira and MalwareBytes again in safe mode will remove them. Or Kaspersky or Nod32

    Safe mode is the key.

    You might also do a search by name of each trojan for a removal tool... they do not all become victims of the same removal tool.

    But Symantec, AVG, TrendMicro, CA, McAfee, and Panda will not remove them.
  25. raybay

    raybay TechSpot Evangelist Posts: 10,716   +6

    But Tmagic650's suggestion is the way to go, if it has been updated...

