Is iexplore.exe a trojan?

Chris Johnson · Mar 3, 2002

Hi there, I have a friend that has a PC that has been infected by a trojan, which I think has renamed itself iexplore.exe, and hence ZA lets it pass thru the firewall. If you deny it access, it just keeps on trying. I think the trojan may have been picked up in Mirc. I have tried using a program called "The cleaner" but it fails to pick anything up. Also when the machine boots up, we keep getting the error message "iexplore is not a valid Win32 application" I am sure the BO Clean would find it, but am unable to afford the software. Are there any freeware programs out there that will do the job. Many thanks

Jooske · Mar 3, 2002

Hi there,
irf you think it is a Mirc worm, you might like to test with Mirclean, one of the free tools available at http://www.diamondcs.com.au
If it is explore.exe (mind not explorer and not iexplorer)you find a good description of it and what to do on the same site.
After that info you can do some online scanning, like at www.pandasoftware.com
http://housecall.antivirus.com
www.bitdefender.com
TheCleaner would find it as well, as do many others.

How do you know it is a trojan?
A corrupt file can also happen due to crashes and such.
In properties you can see if the file was changed maybe and when.
If it is the iexplorer.exe you can locate the file and rename it for a try, after do a repair setup for IE (via the configuration|software, locate MS IE and add/remove should give that option) so the original hopefully woulld be put back and see if that helps.

Please let us know here how it goes.

wizard · Mar 3, 2002

Can you tell me the correct path where you found iexplore.exe? There are some trojans out which use this name but do not change the real iexplore.exe. But it can also be corrupt IE. As Jooske wrote try to reinstall the IE.

Download TrojanCheck5 from http://www.wilders.org
TC5 is a nice freeware tool which gives you a full overview about Windows autostart entries. Is there an autostart entry for iexplore.exe?

wizard

Chris Johnson · Mar 3, 2002

Hi there, yes the reason I think it is a trojan in disguise is because there is a copy of iexplore.exe in the C\WINDOWS\SYSTEM folder (To the best of my knowledge, there shouldnt be) In zone alarm he has the ie logo in the "Programs currently accessing the net" folder as you would expect if you have IE running, BUT he also has iexplore.exe running, which is displayed as the rectangular blue and white icon with the 3 dots in it which is the suspicious one. I will read up on the links provided. I am not at his place right now, so carnt do a lot at the moment, but will post back....cheers Chris

Paul Wilders · Mar 4, 2002

Hi Chris,

One of the possibilties could be your system has been infected with a subseven variant - possibly v2.2.

This version has the capacity to change icons; have a look at this:

http://www.safersite.com/Whitepapers/images/ssconfigureicon.jpg

Have a look at the - extensive - "detection/removal instructions" below, and perform a check:

SUBSEVEN v2.2 MANUAL REMOVAL INSTRUCTIONS
========================================

1. usual Run-Entries in the Registry

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run or
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices
Entry under RunDLL32r key. Before this Key will be deleted, write all specs down.
These informations are needed later on to delete the server files.

2. Registry Installed Components

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\
Default: hyil\StubPath - C:\WINDOWS\SYSTEM\hyil.exe
NOTE ! This name can be changed in virtually any other ! It's hardly possible to find this entry when the file name is unknown. Two files with different names should be detected.
Now, open the Registry Path mentioned above and perform a search under "Installed Components" for one of the trojan file names. NOTE! Write down the information displayed. Delete now.

3. Registry Common Startup Key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
Currentversion\explorer\User shell folders.
Entry Name: C:\WINDOWS\SYSTEM\dv\
Here you'll find the server as well, as in C:\Windows\System

4. System.ini unter [boot]

shell=Explorer.exe c:\windows\sytem\"trojan name".exe
Only shell=Explorer.exe should be mentioned. Delete all mentioned after that.

5. Win.ini

load=c:\windows\system\"trojan name.exe"
Behind "load=" should be no entry at all.

6. Method using "Explorer.exe" on hard drive C:\

As a Windows Bug result, the "first explorer.exe" will be activated in C:\, before the legitimate explorer.exe (in c:\windows\) will start.
This explorer.exe in c:\ results in running the Sub7 server will start up in the Key c:\windows\system. The file "explorer.exe" must be deleted from
c:\

After writing down information about all that has been deleted, perform a search (start > find) for all deleted trojan files, and deleted. This will not be possible in some cases, because they still are in use by Windows.
Now, reboot your system, and repeat the search as mentioned right above.
Since the Autostart entries have been deleted in the process, the files found can be deleted now without a problem.

NOTE! Not every Autorun entry has to be a trojan; especially not in regard to "win.ini".

Also, it's not necessary all mentioned Autostart methods have been installed at the same time. The EditServer allows configuration from just one of the mentioned Autostart methods.

========================================

Keep us posted!

regards.

paul

spy1 · Mar 4, 2002

Might want to run The Rx Trojan Assistance Pack from here: http://home.earthlink.net/~rmbox/Reticulated/Toys.html , too, and see what it tells you. Pete

Chris Johnson · Mar 4, 2002

Hey thanks for all the info, will be going up there this week sometime, so will print out what I have here, plus I will check out the programs listed in reticulated toybox...I am not anticipating any problems removing it (hehe, famous last words!) will post back...cheers Chris

Gavin - DiamondCS · Mar 7, 2002

Always feel free to email suspicious files to submit@diamondcs.com.au

If there is a large sized file or a large number of files you should email us first support@diamondcs.com.au and describe the situation.

Chris · Mar 7, 2002

Hi there, still havent been able to get up to his place yet, Have got him to email me his netstat file, win.ini and sys.ini file, his ZA Log and if I can, I'll get him to mail me the iexplore.exe file which I will send to you..cheers Chris

Log in or Sign up

Is iexplore.exe a trojan?

Chris Johnson Guest

Jooske Registered Member

wizard Registered Member

Chris Johnson Guest

Paul Wilders Administrator

spy1 Registered Member

Chris Johnson Guest

Gavin - DiamondCS Former DCS Moderator

Chris Guest