Is iexplore.exe a trojan?

Discussion in 'malware problems & news' started by Chris Johnson, Mar 3, 2002.

Thread Status:
Not open for further replies.
  1. Hi there, I have a friend that has a PC that has been infected by a trojan, which I think has renamed itself iexplore.exe, and hence ZA lets it pass through the firewall. If you deny it access, it just keeps on trying. I think the trojan may have been picked up in mIRC. I have tried using a program called "The Cleaner" but it fails to pick anything up. Also, when the machine boots up, we keep getting the error message "iexplore is not a valid Win32 application". I am sure BOClean would find it, but I am unable to afford the software. Are there any freeware programs out there that will do the job? Many thanks
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there,
    If you think it is a mIRC worm, you might like to test with Mirclean, one of the free tools available at http://www.diamondcs.com.au
    If it is explore.exe (mind, not explorer and not iexplorer) you will find a good description of it and what to do on the same site.
    After that info you can do some online scanning, like at www.pandasoftware.com
    http://housecall.antivirus.com
    www.bitdefender.com
    TheCleaner would find it as well, as do many others.

    How do you know it is a trojan?
    A corrupt file can also happen due to crashes and such.
    In properties you can see if the file was changed maybe and when.
    If it is the iexplorer.exe, you can locate the file and rename it for a try; afterwards do a repair setup for IE (via Configuration | Software, locate MS IE and Add/Remove should give that option) so the original hopefully would be put back, and see if that helps.

    Please let us know here how it goes.
     
  3. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Can you tell me the correct path where you found iexplore.exe? There are some trojans out there which use this name but do not change the real iexplore.exe. But it can also be a corrupt IE. As Jooske wrote, try to reinstall IE.

    Download TrojanCheck5 from http://www.wilders.org
    TC5 is a nice freeware tool which gives you a full overview about Windows autostart entries. Is there an autostart entry for iexplore.exe?

    wizard
     
  4. Hi there, yes, the reason I think it is a trojan in disguise is because there is a copy of iexplore.exe in the C:\WINDOWS\SYSTEM folder (to the best of my knowledge, there shouldn't be). In Zone Alarm he has the IE logo in the "Programs currently accessing the net" folder, as you would expect if you have IE running, BUT he also has iexplore.exe running, which is displayed as the rectangular blue and white icon with the 3 dots in it, which is the suspicious one. I will read up on the links provided. I am not at his place right now, so can't do a lot at the moment, but will post back... cheers  Chris
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Chris,

    One of the possibilities could be that your system has been infected with a SubSeven variant, possibly v2.2.

    This version has the capacity to change icons; have a look at this:

    http://www.safersite.com/Whitepapers/images/ssconfigureicon.jpg

    Have a look at the - extensive - "detection/removal instructions"  below, and perform a check:

    SUBSEVEN v2.2 MANUAL REMOVAL INSTRUCTIONS
    ========================================


    1. usual Run-Entries in the Registry

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run or
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices
    Entry under the RunDLL32r key. Before this key is deleted, write all details down.
    This information is needed later on to delete the server files.


    2. Registry Installed Components

    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\
    Default: hyil\StubPath - C:\WINDOWS\SYSTEM\hyil.exe
    NOTE! This name can be changed to virtually anything else! It's hardly possible to find this entry when the file name is unknown. Two files with different names should be detected.
    Now, open the registry path mentioned above and perform a search under "Installed Components" for one of the trojan file names. NOTE! Write down the information displayed. Delete now.

    3. Registry Common Startup Key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    Currentversion\explorer\User shell folders.
    Entry Name: C:\WINDOWS\SYSTEM\dv\
    Here you'll find the server as well, as in C:\Windows\System


    4. System.ini under [boot]

    shell=Explorer.exe c:\windows\system\"trojan name".exe
    Only shell=Explorer.exe should be mentioned. Delete everything mentioned after that.

    5. Win.ini

    load=c:\windows\system\"trojan name.exe"
    Behind "load=" should be no entry at all.

    6. Method using "Explorer.exe" on hard drive C:\

    As a result of a Windows bug, the "first explorer.exe" in C:\ will be activated before the legitimate explorer.exe (in c:\windows\) starts.
    This explorer.exe in c:\ then starts the Sub7 server in c:\windows\system. The file "explorer.exe" must be deleted from
    c:\


    After writing down information about all that has been deleted, perform a search (Start > Find) for all deleted trojan files, and delete them. This will not be possible in some cases, because they are still in use by Windows.
    Now, reboot your system, and repeat the search as mentioned right above.
    Since the Autostart entries have been deleted in the process, the files found can be deleted now without a problem.


    NOTE! Not every Autorun entry has to be a trojan; especially not in regard to "win.ini".

    Also, it's not necessary that all mentioned autostart methods have been installed at the same time. The EditServer allows configuring just one of the mentioned autostart methods.

    ========================================

    Keep us posted!

    regards.

    paul
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Might want to run The Rx Trojan Assistance Pack from here: http://home.earthlink.net/~rmbox/Reticulated/Toys.html , too, and see what it tells you. Pete
     
  7. Hey thanks for all the info, will be going up there this week sometime, so will print out what I have here, plus I will check out the programs listed in reticulated toybox...I am not anticipating any problems removing it (hehe, famous last words!) will post back...cheers  Chris
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Always feel free to email suspicious files to submit@diamondcs.com.au

    If there is a large file or a large number of files, you should email us first at support@diamondcs.com.au and describe the situation.
     
  9. Chris

    Chris Guest

    Hi there, still haven't been able to get up to his place yet. Have got him to email me his netstat file, win.ini and sys.ini file, his ZA log and, if I can, I'll get him to mail me the iexplore.exe file, which I will send to you... cheers  Chris
     