Detected explorer.exe and winlogon.exe as infected

Well that is indicating that you have McAfee still installed or remnants of McAfee remaining and still active as it is password protecting its files.

Files that can’t be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.

Many programs (usually security based ones) password protect their files for legitimate reasons such as AdAware and Spybot Search & Destroy, there are others (and avast doesn’t know the password or have any way of using it even if it did know it).

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (in quarantine/restore/backup) in case you need to reverse what you did. These are usually password protected, you should do some housekeeping and delete old backup/recovery/quarantine entries (older than two weeks or so), this will reduce the numbers of files that can’t be scanned.

By examining 1) the reason given by avast! for not being able to scan the files, 2) the location of the files, you can get an idea of what program they relate to. You may need to expand the column headings to see all the text.

So what elements belonging to McAfee do you have installed?

As David said clear the restore point and the alerts will disappear

Keeping a copy of Combofix is useless as it will self disable after a few days, this is due to the changing nature of malware

Looking at that I am a happy bunny :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?
Keep safe :wave:

The MBAM scan came up clean :smiley: (yay!) The log is attached at the bottom of this post.

The only thing left is to get rid of those random McAfee files but I can’t seem to find them… When I look in the directory (following the path C > docs & settings > All users > … ) It stops at “all users” and I can’t find the file “application data”.

Is the file hidden? I tried using the search function in the start menu but it couldn’t find the files either.

Anyways, once again thanks to all of you, this will most likely be one of the last posts I do lol. Sorry to keep this thread rolling on.

The “application data” folder has to be there and I believe it is a hidden folder, you should ensure that you show hidden files and folders in windows explorer, Tools, Folder Options, View tab, enable ‘Show hidden files and folders,’ see image1.

See image2, note the faded folder icons in the image indicating that normally they are hidden.

Before simply trying to delete this folder, they are password protected (which shouldn’t stop their deletion), but you have to ensure that they aren’t active. Have or did you have any McAfee applications installed before and if so which and how were they removed?

Check the add remove programs and see if there are any McAfee entries listed, the McAfee, Agent, News may just have been an updater and news process for a number of McAfee applications.

Well I remember that I had McAfee’s virus protection some time ago (though I don’t remember when or how long ago). I would have uninstalled it through its built-in uninstall function (as I don’t just delete files and folders). I’m guessing these are probably some remnant files from back when McAfee was on my computer. Also I did get a McAfee web browser protection program: http://www.siteadvisor.com/download/windows.html. That could be it maybe.

I’ll try and see if I can get the folder visible and not hidden.

(P.S. I didn’t see any other McAfee stuff in the add-remove).

It is possible that this sneaked in under the radar when siteadvisor was installed, though if you still have siteadvisor, it is a much depreciated product as the accuracy of its database is doubtful.

We have seen many sites considered infected/malicious when they aren’t and vice versa, but worse is that some entries in its database are months old and out of date data is almost worse than no data at all.

So if you opt to remove that application, it may also remove this McAfee, agent news folder.

Ok so I found all the McAfee files and took care of them :slight_smile:

(final side note, someone told me something about registry cleaning. What’s that all about and do you have any recommended programs on that note?)

The registry is where programs, processes, services, windows settings, etc. are retained. Like a big reference library (but a dangerous one), mess with the registry at your peril, it can seriously ruin your day.

Registry cleaners get rid of redundant entries, but you still have to exercise extreme care with what you select to delete, some go very deeply others only really offer what are considered safe to remove. They should also offer the option to make a backup of the changes you are about to make, so you can restore the changes you made. Assuming the changes you made don’t stop it booting to be able to reverse them.

CCleaner is primarily a temp file cleaner but it has other tools and Registry is one of them, generally it doesn’t go too deep and is safe to use, but there is always a risk with cleaning the registry. However CCleaner does by default offer to backup any changes you select.