Discussion moved from VirusScan Enterprise to Corporate User Assistance for better assistance.
McAfee cannot delete that file (explorer.exe), as it is a core Windows file; it can try to disinfect. If disinfection fails, then you'll need to replace the infected (patched) version of explorer.exe with a clean version, either from the dllcache (or any other location where a clean copy is found) or your Windows installation CD/DVD.
You can also try this automated removal tool:
Or try the security forums:
I'm having problems replacing the explorer.exe file remotely. With no one logged into the PC I've done the following:
- I highlighted and deleted explorer.exe while connected to their c$ share. I copied over a supposedly clean copy of explorer.exe into the Windows folder. That all went fine, then I rebooted, logged in as a local admin and ran the scan, and yet again it flagged C:\WINDOWS\explorer.exe (normally flagged as C:\Windows\Explorer.EXE, but I don't know if letter case makes a difference to McAfee).
- I then tried to just copy over the top of explorer.exe. I was prompted "do you want to replace, etc, etc". Yes. Rebooted, logged in as a different local administrator creating a new profile, ran the scan, and it flagged it again.
Just out of curiosity I deleted the explorer.exe without anyone logged in, and then went up a folder and then back in to Windows and found it had replaced itself. I tried deleting it while logged into an admin account. I pulled up Task Manager first, then ended the explorer.exe process, then deleted explorer.exe (it removes the desktop interface). I ran a new task and ran a good copy of explorer.exe that I copied over and renamed to explorercopy.exe. That brought my desktop back. I navigated to the Windows folder and found the explorer.exe file, which I thought I had removed, still sitting there. One interesting aspect is that while running the process explorercopy.exe instead of explorer.exe I ran a scan and this time it did not flag anything. Does it only turn bad somehow when it's a running task?
Then lastly, out of curiosity, I ran an on-demand scan again; of course it flags it, but then I ran a targeted scan on just the C:\Windows folder, and it didn't find anything! I then ran another targeted scan on just explorer.exe and it didn't flag it either?
So now I'm a little confused as to how running a general scan flags explorer.exe, but running a targeted scan does not.
I tried the TDSSKiller, but that scan came up clean. Do I have some kind of super-invincible bug? Is it worth sending a sample in? Is McAfee falsely identifying it?
I'm going to continue my search for answers on this. Reimaging is an easy fix, but it doesn't give me the closure I need to move on. If anyone has any more ideas, feel free to include them.
**edit. I'm not sure if it matters, but every time the Explorer.EXE is detected, my McAfee shield in my system tray no longer appears.
***edit. Also, the process is not taking up an unusually large chunk of memory, nor is it attempting to contact outside sources (netstat -aon looks clear).
Message was edited by: JesseK on 8/5/10 3:17:16 PM CDT
Please send explorer.exe files to the lab.
You can also check the files at this site:
The files will be scanned by other vendors. If other vendors detect the files as being malicious, then you know it is not a false positive. If, on the other hand, only McAfee is detecting the files as being malicious, then it is possible that these files are being incorrectly detected. Either way, it is best to send them to the lab.
Thanks for the help paullotion.
I did a check on totalvirustool.com and it came back clean. I also submitted a sample to McAfee and they said it came back clean as well.
Still no real answer as to why it keeps getting flagged as a trojan when doing a system scan, but it doesn't flag it when the file or folder are scanned individually.