IEXPLORER.EXE - virus

March 3, 2005 at 15:57:24
Specs: XP Pro, 1.3/512

Ok,

I've been at this for about five days now and I'm ready to give up.

In Task Manager there are processes running (IEXPLORER.EXE x 2 and RunDLL.exe) and they are virii but I can't detect/remove them.

If I kill the iexplorer process it just regenerates and spikes up to 70-100% CPU, and the rundll seems to be tied in because it dies when I kill the IE process.

AV programs I've used:
> NAV 2002 with most recent updates
> PC-Cillin's latest release with full updates
> NOD32 with full updates

Ran Trend Micro's HouseCall as well just to be sure.

I'm at a loss here and any help is greatly appreciated!!


kl365

#1
March 3, 2005 at 16:13:16

I may be missing something here but those are normal xp processes. Try going to blackviper.com and setup your system accordingly.

#2
March 3, 2005 at 17:14:15

Better say that I'm more familiar with W98SE but unless XP is different iexplorer.exe is not a usual system file. Feel certain from what I've read that you are right, it's a virus.

On W98 you have Iexplore.exe (IE) and Explorer.exe (Windows Explorer). I rather doubt XP is different but happy to be corrected on this.

Derek.W


#3
March 3, 2005 at 17:16:59

Just put iexplorer.exe in Google and plenty of virus hits. Have you turned off system restore during removal?

Derek.W


#4
March 3, 2005 at 18:27:07

Check out here.

#5
March 3, 2005 at 18:35:01

From what I've read since I posted it seems that there might be more than one possible cause of this. You are right to have scanned for viruses but have not mentioned any malware finders/fixers. Not all nasties get detected by "virus" checkers.

Here's a few things that would be worth a shot while waiting for someone who knows more about this one (apologies if you have already tried these freebies):

CWShredder (single file attending to an explicit exploit which gets a mention).

"Ad-Aware" & "SpyBot Search & Destroy" (both look for malware and sometimes one finds what the other will miss).

I rather like this trojan finder/fixer:
A2FREE - JUST DOWN PAGE

Make sure you get updates to these before running them (select highest version number for CWShredder).

If it still persists (or you feel that way inclined) download HijackThis, run it and copy/paste the log into the following:

HJT DETECTIVE

HJT ANALYZER

Use them in the order given because I have found this makes life easier when you go to the second (which lists all running tasks, good or bad). Let HJT remove any nasties after going to the first link, then run it again and go to the second link with your now reduced log.

When you are satisfied that your system is clean then get SpywareBlaster (which keeps them out rather than fixing them) and consider putting all the good entries shown by HJT into the Ignore List. The latter will then only show anything new that arrives which makes life much easier.

One word of warning, check all wonder fixes with the folk on here, unless you are certain they are from a reliable source. Many are bogus (including spyware/malware finders) and can make things even worse.

Good luck

Derek.W


#6
March 3, 2005 at 18:40:40

I overlapped the post from domass.

Obviously run with that first and keep my more general #5 for future reference, or to use if by any chance you are still in trouble.

The finders/fixers are worth having anyway.

Derek.W


#7
March 4, 2005 at 12:58:41

I got it removed finally, and thanks to everyone that posted. Here's the process I used to remove it:

1. Ran all my spyware removal tools (Ad-aware, then Spybot, then M$ Anti-Spyware Beta, then CWShredder).

2. Process was still in memory so I then turned to Security Task Manager to kill the offending processes.

-> Something interesting occurred when I killed the processes: I got an M$ warning telling me that IEXPLORER is corrupted and is not the M$ installation, and that I need to reinstall......

That tipped me off to what was going on. Having an extensive background in Virii development methods and AV research I did a little looking into the executable.

Apparently at some point during my parents' hours of unprotected surfing something had replaced the executable with some weird looking code plus the original code. I haven't quite figured out all that it does but it appears to try and grab password hashes and there's some other network activity going on.

I've quarantined the files and will continue looking into this. If anyone else has had a similar instance of this occurring please email me kelly.ladouceur[at]gmail.com

I have a sneaking suspicion that this could be an unreleased vuln.

Later.

kl365
#8
March 4, 2005 at 13:34:22

See my #2. I have no reason to believe that IEXPLORER.EXE is "ever" a valid Windows file (unless some XP user can categorically say otherwise).

Without the first I it is valid, or without the final R. The whole name combination looks like a deliberate attempt to confuse the user.

Derek.W


#9
March 4, 2005 at 21:41:38

You are correct, IEXPLORER.exe is NOT a valid Windows file. At least not on my XP Pro computer.
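The point made in #8 and #9 (IEXPLORER.EXE is a near-miss of iexplore.exe and explorer.exe, RunDLL.exe a near-miss of rundll32.exe) can be turned into a simple triage check over a process list. This is an added example, not code from the thread; the allow-list, the expected folders and the sample process paths are all constructed for illustration.

```python
# Added example: flag process names that are near-misses of well-known Windows
# binaries, and known names running from an unexpected folder.
# KNOWN_GOOD and SAMPLE_PROCESSES are constructed sample data, not real output.
from difflib import SequenceMatcher
from ntpath import basename, dirname  # parses Windows paths on any OS

# Assumed allow-list: lower-cased image name -> folder it is expected to run from.
KNOWN_GOOD = {
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
    "rundll32.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}

# Constructed sample of image paths as a Task Manager-style tool might list them.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\IEXPLORER.EXE",   # the name from the thread
    r"C:\WINDOWS\system32\RunDLL.exe",      # the other name from the thread
    r"C:\WINDOWS\notepad.exe",
    r"C:\Documents and Settings\user\svchost.exe",
]

def lookalikes(name, threshold=0.8):
    """Allow-listed names that closely resemble `name`, best match first.

    Uses difflib's similarity ratio (2*matches / total length); an exact
    allow-listed name scores 1.0, so callers skip those before calling this."""
    name = name.lower()
    hits = [(k, round(SequenceMatcher(None, name, k).ratio(), 2)) for k in KNOWN_GOOD]
    hits = [(k, r) for k, r in hits if r >= threshold]
    return sorted(hits, key=lambda kr: (-kr[1], kr[0]))

def triage(processes):
    """Return (path, reason) for each process worth a closer look."""
    findings = []
    for path in processes:
        name = basename(path).lower()
        folder = dirname(path).lower()
        if name in KNOWN_GOOD:
            if folder != KNOWN_GOOD[name]:
                findings.append((path, "known name from unexpected folder"))
            continue
        near = lookalikes(name)
        if near:
            findings.append((path, "lookalike of " + ", ".join(k for k, _ in near)))
    return findings

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_PROCESSES):
        print(f"{reason:45s} {path}")
```

A name that passes this check can still be a replaced binary, as #7 describes, so treat it as a first filter rather than a verdict.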

#10
March 6, 2005 at 19:38:41

I did all that kl365 said worked for him and it still isn't gone. I DL'd all the spyware progs and ran them. You talk about a Security Task Manager, well I run XP Home and all I can find is the Task Manager. When I end the process in that it just keeps restarting again and moves position. Also I have 2 instances of the process both using different amounts of memory. With regards to the RunDLL, it appears to shut down when I end it, and when my comp boots up I get an error message saying that RunDLL cannot run? I would be very happy if anyone could help me out as this virus is messing with my web browser (pausing and running slow when I click on the back button), which is very annoying.


#11
March 7, 2005 at 12:11:47

I'm still an old fashioned W98SE user but I understand that with XP you have to disable restore when you attempt to fix things. Give it a whirl with all the suggestions given then shout back if you are still in trouble.

Some of these nasties dance around in order to mislead you, so it might take a bit of sorting out.

Derek.W


#12
March 7, 2005 at 12:50:38

"Security Task Manager" is available at

http://www.neuber.com/taskmanager/

kl365
