5 Replies Latest reply on Aug 9, 2010 10:11 AM by JesseK

    Problem Removing a Coreflood!mem Trojan

      Recently I've been receiving calls from staff saying that they are getting multiple McAfee popups throughout the day alerting them that it has flagged a file as a trojan and removed it. Typically it seems to be a randomly-named .dll file running from their Temp folder, and one constant bugger is a file named Explorer.EXE that it flags in C:\Windows. McAfee categorizes it as a Coreflood!mem trojan and says it deletes the file.

      The problem I'm having is that it doesn't seem to be removing it. I've cleared temp folders, checked all startup programs and run/runonce registry keys, ran Malwarebytes/Spybot S&D (came up clean), uninstalled any unnecessary programs, even cleared all profiles. Basically I did everything I could think of. But after a restart, or logging out/in, the Trojan is flagged and declared removed again when running an on-demand scan. I even ran back-to-back full scans and it gets flagged/removed every time. No other problems are detected during the scans.

      I'm not sure where to proceed. It doesn't appear to be detrimental to the PC's performance, but I just can't seem to clear this little bugger unless the machine is reimaged.

      The file is flagged about 1 minute into a scan while McAfee is "Scanning in memory". I've looked around different sites but could not find anything to go on, or anyone else having a problem. One problem I have is that these PCs are at remote sites where physical access to them is not an option at this time.

      Any ideas/advice would be much appreciated. Thanks!

       

      VirusScan Enterprise + AntiSpyware Enterprise v 8.7i (8.7.0.570)

      Scan engine version (32-bit) : 5400.1158

      DAT version 6063.0000 created 8/3/10

        • 1. Re: Problem Removing a Coreflood!mem Trojan
          Peter M

          Discussion moved from VirusScan Enterprise to Corporate User Assistance for better assistance.

          • 2. Re: Problem Removing a Coreflood!mem Trojan

            Hello,

            McAfee cannot delete that file (explorer.exe) as it is a core Windows file; it can try to disinfect. If disinfection fails, then you'll need to replace the infected (patched) version of explorer.exe with a clean version, either from the dllcache (or any other location where a clean copy is found) or your Windows installation CD/DVD.

            You can also try this automated removal tool:

            http://support.kaspersky.com/viruses/solutions?qid=208280684

            Or try the security forums:

            http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/305963-new-instructions-read-before-posting-malware-removal-help.html

            http://www.bleepingcomputer.com/forums/topic34773.html

            Good luck.

            • 3. Re: Problem Removing a Coreflood!mem Trojan

              I'm having problems replacing the explorer.exe file remotely. With no one logged into the PC I've done the following:

              -I highlighted and deleted explorer.exe while connected to their c$ share. I copied over a supposedly clean copy of explorer.exe into the Windows folder. That all went fine, then I rebooted, logged in as a local admin and ran the scan and yet again it flagged C:\WINDOWS\explorer.exe (normally flagged as C:\Windows\Explorer.EXE but I don't know if letter case makes a difference to McAfee).

              -I then tried to just copy over the top of explorer.exe. I was prompted "do you want to replace, etc, etc". Yes. Rebooted, logged in as a different local administrator creating a new profile, ran the scan, and it flagged it again.

              Just out of curiosity I deleted the explorer.exe without anyone logged in, and then went up a folder and then back in to Windows and found it had replaced itself. I tried deleting it while logged into an admin account. I pulled up Task Manager first, then ended the explorer.exe process, then deleted explorer.exe (it removes the desktop interface). I ran a new task and ran a good copy of explorer.exe that I copied over and renamed to explorercopy.exe. That brought my desktop back; I navigated to the Windows folder and found the explorer.exe file, which I thought I had removed, still sitting there. One interesting aspect is that while running the process explorercopy.exe instead of explorer.exe I ran a scan and this time it did not flag anything. Does it only turn bad somehow when it's a running task?

              Then lastly, out of curiosity, I ran an on-demand scan again, of course it flags it, but then I ran a targeted scan on just the C:\Windows folder, and it didn't find anything! I then ran another targeted scan on just explorer.exe and it didn't flag it either?

              So now I'm a little confused as to how running a general scan flags explorer.exe, but running a targeted scan does not.

              I tried the TDSSKiller, but that scan came up clean. Do I have some kind of super-invincible bug? Is it worth sending a sample in? Is McAfee falsely identifying it?

              I'm going to continue my search on answers for this. Reimaging is an easy fix, but it doesn't give me the closure I need to move on. If anyone has any more ideas, feel free to include them.


              **edit. I'm not sure if it matters, but every time the Explorer.EXE is detected my McAfee shield in my system tray no longer appears.

              ***edit. Also the process is not taking up an unusually large chunk of memory, nor is it attempting to contact outside sources (netstat -aon looks clear).

              Message was edited by: JesseK on 8/5/10 3:17:16 PM CDT

              Message was edited by: JesseK on 8/5/10 3:19:45 PM CDT
              • 4. Re: Problem Removing a Coreflood!mem Trojan

                Hello,

                Please send the explorer.exe files to the lab.

                You can also check the files at this site:

                http://www.virustotal.com/

                The files will be scanned by other vendors; if other vendors detect the files as being malicious, then you know it is not a false positive. If, on the other hand, only McAfee is detecting the files as being malicious, then it is possible that these files are being incorrectly detected. Either way, it is best to send them to the lab.
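                A defender-side triage script for the situation described in replies 3 and 4, added here as an example and not part of the thread: it hashes the on-disk explorer.exe (the value to look up at VirusTotal or quote to the lab), compares it with the Windows File Protection dllcache copy, and lists every module loaded into the running Explorer process from outside the Windows directory, since a !mem detection concerns the process image rather than the file on disk. The dllcache path is an assumption based on an XP/2003 layout; legitimate shell extensions from Program Files will also show up in the module list and need checking against their vendor.

```powershell
# Added example (not from the thread): triage an explorer.exe that is flagged
# in memory but scans clean on disk. Works on PowerShell v2 (no Get-FileHash).
$explorerPath = Join-Path $env:WINDIR 'explorer.exe'
# Assumption: XP/2003 Windows File Protection cache location.
$cachePath    = Join-Path $env:WINDIR 'system32\dllcache\explorer.exe'

function Get-Sha256Hex([string]$path) {
    # Hash with .NET directly so the script runs on old PowerShell builds.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

# 1. Hash of the file as it sits on disk: this is what VirusTotal / the lab see.
$diskHash = Get-Sha256Hex $explorerPath
Write-Host "On-disk  $explorerPath : $diskHash"

# 2. Compare against the WFP cache copy; a mismatch means the file was patched.
if (Test-Path $cachePath) {
    $cacheHash = Get-Sha256Hex $cachePath
    Write-Host "dllcache $cachePath : $cacheHash"
    if ($diskHash -eq $cacheHash) {
        Write-Host 'Disk copy matches the WFP cache copy: the file itself is unmodified.'
    } else {
        Write-Host 'Disk copy DIFFERS from the WFP cache copy: treat the file as patched.'
    }
} else {
    Write-Host "No dllcache copy found at $cachePath (not an XP/2003 layout?)."
}

# 3. A memory-only infection lives in modules injected into the process, so
#    list everything Explorer has loaded from outside the Windows directory
#    (the thread mentions randomly named DLLs running from a Temp folder).
$windir = $env:WINDIR.ToLower()
foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    Write-Host "`nModules in explorer.exe PID $($proc.Id) loaded from outside ${windir}:"
    foreach ($m in $proc.Modules) {
        if (-not $m.FileName.ToLower().StartsWith($windir)) {
            $ver     = $m.FileVersionInfo
            $company = if ($ver) { $ver.CompanyName } else { '' }
            Write-Host ("  {0}  [{1}]" -f $m.FileName, $company)
        }
    }
}
```

                Run it in an elevated PowerShell session on the affected machine (for example over a remote session) while Explorer is running, so that step 3 sees the same process image the memory scan does.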

                • 5. Re: Problem Removing a Coreflood!mem Trojan

                  Thanks for the help, paullotion.

                  I did a check on totalvirustool.com and it came back clean. I also submitted a sample to McAfee and they said it came back clean as well.

                  Still no real answer as to why it keeps getting flagged as a trojan when doing a system scan, but it doesn't flag it when the file or folder is scanned individually.