Crazy trojan

As far as I know, the mcwelcom.exe is not a known spyware, adware or trojan executable.

However I do not know exactly what it is or what it does. It has a file size of 24,576 bytes. It is found under the "Agent" directory with a creation date of August 30, 2005.

If you find out what it is, let us know, but it is likely tied to some other install as supplemental software.
 
Recent infections have been going around where scanning tools close down immediately after running them.

In multiple cases, the c:\windows\system32\eventlog.dll was infected and can't be cleaned.

Since the eventlog.dll is a Windows system file needed for the Event Log & Event Viewer to work, it loads before anti-virus and other cleaning tools. While running, it changes Security settings (it removes SYSTEM from the Security tab) on most cleaning tools and forces them to close while running scans.

You can delete it or rename it by booting to the Recovery Console or using a utility like Killbox.
http://killbox.net/downloads/KillBox.exe

Once the file is deleted, your Event Viewer won't work, so you'll have to copy Eventlog.dll from another location in your computer or from another computer.

Even after deleting the eventlog.dll, the scanning tools that were disabled still won't run and you'll need to change the Security on them to be able to delete them or use them. I posted steps for changing the Security tab a few days ago higher up in this post.
 
Thanks

I did a couple of things. I ran the recovery disc and did the back up. After it reinstalled the system I downloaded all the programs for security again and ran them several times and it found 2 trojans that must have come with the back up. I have been running Malwarebytes and others after using and nothing has been found except tracking cookies. The second thing I did, since my computer had only 4gb free space on a 90gb HD: I purchased a new laptop with much more memory and HD space. I will use the new computer to run emails and banking and things I am more security con. about, and the old one I will do my downloads and torrents on. That way if anything happens I will just do a destructive install and nothing important will be lost. When the funds are available I will buy one of the 500 gb external HDs and I will back up the computer that has all my photos etc. on it. I have a 16gb jump drive that has them but it is full and no room to grow. But if I back up my whole system as it is now I should be able to transfer it. I am not sure how it can be done but I would think it possible with a little research.
 
Trojan.Sirefef is one of the names given to that virus that kept shutting down your cleaning programs.
c:\windows\system32\eventlog.dll
 
I should have done a destructive install instead of a back up. But it did allow for the programs to run and find the trojan in the back up and I have not seen any instances of it since. After backing up my files to the new computer I will not hesitate to do a destructive recovery on the old computer if anything shows up again. I can pinpoint when I got it also. It was a pop up video that looked like a YouTube and when I clicked on the arrow to see the video it went to a download of an 88kb file. I knew there and then that was some trojan but it was too late, it had loaded. I tried to run the MB program and it would not run. I was worried that it was not only keeping antimalware from running but maybe had some other thing like a key stroke program or something that would send banking info to the people who created this program. I think keeping two computers is the best way to partition this from doing any real harm.
 
On my new Gateway I ran Malwarebytes and got 9 trojans detected. Are these false positives? Or do I have something in my docs. that I have backed up and transferred to the new computer that is causing this? I do have a Nero 7 with keygen on it. Is this possibly the culprit? Should I delete the program and keygen in rar off my computer? And is the damage already done? I have had this for a long time on other computers and just copied it to this one. I have used it for over a year with no problems on my other Gateway. Is the positive just a false pos? Here is the Malwarebytes log.

Malwarebytes' Anti-Malware 1.41
Database version: 2804
Windows 6.0.6001 Service Pack 1

9/15/2009 2:50:17 PM
mbam-log-2009-09-15 (14-50-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 247240
Time elapsed: 43 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{86676e13-d6d8-4652-9fcf-f2047f1fb000} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partner service (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\partner service (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\partner service (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ProgramData\Partner\partner.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\ProgramData\Partner\partner.exe (Trojan.BHO) -> Quarantined and deleted successfully.
 
Doubt they are false positives.
You should re-run MalwareBytes again in SAFE MODE, as some of those infestations are known for hiding in memory and returning when you reboot.

In addition, I would run Avira and SuperAntispyware, but SuperAntiSpyware will not re-run in Safe Mode.
 
malwarebytes file

This is a second computer that I just ran the recovery disc on in destructive mode. I downloaded Avast anti-spyware immediately and then Malwarebytes and ran Malwarebytes in quick scan and it says it found these two problems. I must be getting false positives. How can I be getting trojans or viruses on a complete reinstall?


Malwarebytes' Anti-Malware 1.41
Database version: 2805
Windows 5.1.2600 Service Pack 2

9/15/2009 6:37:38 PM
mbam-log-2009-09-15 (18-37-38).txt

Scan type: Quick Scan
Objects scanned: 88247
Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
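The two "Registry Data Items" in the log above are Security Center notification flags, not files. As an added example (not from the thread or from Malwarebytes), this PowerShell script reads those flags and reports which ones are set to 1; the third value name, UpdatesDisableNotify, is assumed from the same key and does not appear in the log.

```powershell
# Added example: check the Security Center "DisableNotify" flags the MBAM log
# reported as "Bad: (1) Good: (0)". Run from an elevated PowerShell prompt.
# Pass -Restore to set any silenced flag back to 0.
param([switch]$Restore)

$key   = 'HKLM:\SOFTWARE\Microsoft\Security Center'
# UpdatesDisableNotify is assumed to live in the same key; the log shows only the first two.
$flags = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'

function Get-DisabledNotifyFlags {
    param([string]$KeyPath, [string[]]$Names)
    $found = @()
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $found }
    $props = Get-ItemProperty -LiteralPath $KeyPath
    foreach ($name in $Names) {
        $value = $props.$name
        # Missing or 0 means the notification is on; 1 means it was silenced.
        if ($null -ne $value -and [int]$value -ne 0) { $found += $name }
    }
    return $found
}

$disabled = Get-DisabledNotifyFlags -KeyPath $key -Names $flags
if ($disabled.Count -eq 0) {
    Write-Host 'Security Center notifications are all enabled.'
} else {
    Write-Host "Notifications silenced for: $($disabled -join ', ')"
    if ($Restore) {
        foreach ($name in $disabled) {
            Set-ItemProperty -LiteralPath $key -Name $name -Value 0 -Type DWord
        }
        Write-Host 'Flags reset to 0. Re-check after the next scan: if they flip back, something active is re-setting them.'
    }
}
```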
 
See if you can download, run in Safe Mode, & save logs using Rootrepeal.
http://ad13.geekstogo.com/RootRepeal.rar

You'll need to Unrar the compressed file to run the executable.

Post the log back here.

Another option is to remove the hard drive, install it (temporarily) in a clean computer as a secondary or slave drive and run anti-virus and anti-spyware scans on it. You may have a hidden rootkit virus that keeps shutting down your programs (even in safe mode), so scanning it in another computer will probably help.

Start by downloading & running Rootrepeal first to see if hidden processes & services & files are active.

Hope that helps.
Zyldar

logs attached
 
Rootrepeal log shows that you need to remove:
C:\WINDOWS\system32\drivers\SKYNETyqdnnkti.sys

Boot to the Recovery Console and type at the DOS prompt:
del C:\WINDOWS\system32\drivers\SKYNETyqdnnkti.sys

If spybot won't let you delete, re-install, or run it, it is because the security settings have been changed by the virus.

The Security tab can be viewed in the Properties of SpybotSD.exe by making a few changes.
If you're using XP Pro. you can run these steps in normal windows mode - use Windows SAFE Mode if you're using XP Home edition.
1. Open 'My Computer'
2. Click on Tools - folder options.
3. Click on the VIEW tab.
4. Click on the bullet 'Show hidden files & folders'
5. Uncheck 'Hide protected operating system files (Recommended)'
6. Uncheck 'Use simple file sharing (Recommended)'
7. Click OK.

You should now be able to open:
My Computer - Local Disk C: - Program Files - Spybot - Search & Destroy

Right mouse click on SpybotSD.exe and select Properties.
Click on the SECURITY tab.

(check to see if SYSTEM is listed under 'Group or user names')
(If it's not there, then follow the next step)
Click the ADD button
Click the ADVANCED button
Click the FIND NOW button
Scroll down and select (left click on) SYSTEM.
Click OK
Click OK

System should now appear in the list.
Left click on SYSTEM.
Click on the check box for 'Full Control'
Click the OK button at the bottom of that window.

You will now be able to re-install, delete, or run spybot.

Note: You need to check the box for 'Use simple file sharing (Recommended)' and hide system files and hidden files.
1. Open 'My Computer'
2. Click on Tools - folder options.
3. Click on the VIEW tab.
4. Click on the bullet 'Do Not Show hidden files & folders'
5. Check 'Hide protected operating system files (Recommended)'
6. Check 'Use simple file sharing (Recommended)'
7. Click OK.

Done.
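The Security-tab walkthrough above can also be verified from the command line. This PowerShell script is an added example, not code from the thread: it checks whether NT AUTHORITY\SYSTEM holds an Allow Full Control entry on a scanner executable and re-adds it if missing; the SpybotSD.exe path is assumed and should be adjusted for the tool being repaired.

```powershell
# Added example: verify/restore the SYSTEM Full Control entry on a scanner
# executable (the same change made through Properties > Security above).
# Run from an elevated prompt. The path below is an assumption.
param([string]$Exe = 'C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe')

# Resolve the well-known SID for SYSTEM so the check works on any locale.
$systemSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
$systemAcct = $systemSid.Translate([System.Security.Principal.NTAccount])
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-SystemFullControl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq $systemAcct.Value -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $fullControl) -eq $fullControl)) {
            return $true
        }
    }
    return $false
}

function Restore-SystemFullControl {
    param([string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $systemAcct, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

if (-not (Test-Path -LiteralPath $Exe)) { throw "Not found: $Exe" }

if (Test-SystemFullControl -Path $Exe) {
    Write-Host "SYSTEM already has Full Control on $Exe"
} else {
    Write-Host "SYSTEM entry missing on $Exe; restoring it"
    Restore-SystemFullControl -Path $Exe
    if (Test-SystemFullControl -Path $Exe) { Write-Host 'Restored.' }
}
```

Re-run the check right after starting a scan: the thread reports the entry being stripped again the moment a scan begins, which points to an active infection rather than a one-off permission problem.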
 
I did that already but once I run any antimalware it will open, but once I start a scan it closes. When I look at the security settings again they have changed back to not having the system in the list anymore.
 
I did that already but once I run any antimalware it will open, but once I start a scan it closes. When I look at the security settings again they have changed back to not having the system in the list anymore. The second I hit the check for problems button the program closes. When I go back to the exe, system has been removed from the security tab.
 
I did that already but once I run any antimalware it will open, but once I start a scan it closes. When I look at the security settings again they have changed back to not having the system in the list anymore. The second I hit the check for problems button the program closes. When I go back to the exe, system has been removed from the security tab.


That is what happened to me first: all AV and anti-malware programs were disabled this way, and now virtually all programs except Chrome. Also the internet connection and sound are lost.

I tried to take the hard drive out to scan but soon discovered it was SATA and not adaptable to my old external hard drive box (laptop size, 2.5").

So I made a boot disc but it has not worked, perhaps I'll try again...
 
I gave up and bought Vista and installed it. Hopefully that cures it... any tips on how to secure my system and optimise Vista would be greatly appreciated!
 
New update, I found the trojans but can't remove or repair them.
They are Pakes.npx, PCK.Tdss.Z.939, PCK.Tdss.Z.949, PCK.Tdss.Z.959 and Alueron.19456U.3

What can I do??
 
pomkon.
Did you go to the 8-Step Virus & Malware Removal thread and follow the instructions and post your 3 logs?
 
Usually, scanning in regular mode with SuperAntiSpyware, MalwareBytes, and Avira Antivirus, then immediately running Avira and MalwareBytes again in safe mode will remove them. Or Kaspersky or Nod32.

Safe mode is the key.

You might also do a search by name of each trojan for a removal tool... they do not all become victims of the same removal tool.

But Symantec, AVG, TrendMicro, CA, McAfee, and Panda will not remove them.
 