
Is iexplore.exe a trojan?

Discussion in 'Security and Privacy' started by monarols, 2002/03/03.

Thread Status:
Not open for further replies.
  1. 2002/03/03
    monarols

    monarols Inactive Thread Starter

    Joined:
    2002/01/19
    Messages:
    45
    Likes Received:
    0
    Hi there, I have a friend that has a PC that has been infected by a trojan, which I think has renamed itself iexplore.exe, and hence ZA lets it pass thru the firewall. If you deny it access, it just keeps on trying. I think the trojan may have been picked up in mIRC. I have tried using a program called "The cleaner" but it fails to pick anything up. Also when the machine boots up, we keep getting the error message "iexplore is not a valid Win32 application". I am sure the BO Clean would find it, but am unable to afford the software. Are there any freeware programs out there that will do the job? Many thanks
     
  2. 2002/03/03
    Kevin Lifetime Subscription

    Kevin Well-Known Member

    Joined:
    2001/12/28
    Messages:
    544
    Likes Received:
    0
    Some would say so. :D

    The iexplore.exe in C:\Program Files\Internet Explorer is the executable for the Internet Explorer Browser. There are copies of this file in one or two other places inside Windows 2000 and Windows XP. But in Windows 9x, I think there should only be one such file.
     


  4. 2002/03/03
    monarols

    monarols Inactive Thread Starter

    Joined:
    2002/01/19
    Messages:
    45
    Likes Received:
    0
    Thanks for the reply Kevin. The reason I think it is a trojan in disguise is because there is a copy of iexplore.exe in the C:\WINDOWS\SYSTEM folder (to the best of my knowledge, there shouldn't be) as well as the correct iexplore.exe in the "Internet Explorer" folder. He is using W98. In Zone Alarm he has the IE logo in the "Programs currently accessing the net" folder as you would expect if you have IE running, BUT he also has iexplore.exe running, which is displayed as the rectangular blue and white icon with the 3 dots in it, which is the suspicious one. I will read up on the links provided. I am not at his place right now, so can't do a lot at the moment, but will post back....cheers Chris ..P.S.
    I run Win2k Pro, and I only have one iexplore.exe, which is correctly located in the Internet Explorer folder, so I reckon the other is very suspicious. Cheerz Chris
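
The check discussed in the posts above, as an added example that is not part of the original thread: flag a file that carries a system binary's name outside its expected directory, and test whether it has a well-formed PE header (a missing one is one cause of the "not a valid Win32 application" error). The function names and sample data are constructed for illustration.

```python
import ntpath  # Windows path rules; works on any OS for offline triage
import struct

# Expected location per the reply above (keys lowercase). Windows 2000/XP may
# hold further copies; add those directories once verified on a clean system.
EXPECTED_DIRS = {"iexplore.exe": {r"C:\Program Files\Internet Explorer"}}

def _norm(path):
    """Collapse '..' segments and case so comparisons follow Windows rules."""
    return ntpath.normcase(ntpath.normpath(path))

def is_masquerade(path, expected=EXPECTED_DIRS):
    """True if the file name is a watched binary but its directory is not expected."""
    directory, name = ntpath.split(_norm(path))
    allowed = {_norm(d) for d in expected.get(name, ())}
    return bool(allowed) and directory not in allowed

def looks_like_pe(data):
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage(files, expected=EXPECTED_DIRS):
    """files maps path -> leading bytes of the file. Returns [(path, [reasons])]."""
    findings = []
    for path, head in files.items():
        if ntpath.basename(_norm(path)) not in expected:
            continue  # only files carrying a watched name are examined
        reasons = []
        if is_masquerade(path, expected):
            reasons.append("unexpected directory")
        if not looks_like_pe(head):
            reasons.append("no valid PE header")
        if reasons:
            findings.append((path, reasons))
    return findings

# Constructed sample: a minimal well-formed header and a non-executable blob.
GOOD_HEADER = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
SAMPLE = {
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE": GOOD_HEADER,
    r"C:\WINDOWS\SYSTEM\iexplore.exe": b"constructed bytes, not an executable",
    r"C:\WINDOWS\EXPLORER.EXE": GOOD_HEADER,
}

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE):
        print(path, "->", ", ".join(reasons))
```

A file that passes both checks is not thereby proven clean; the checks only surface the two anomalies the thread describes.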
     
  5. 2002/03/04
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
  6. 2002/03/05
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
    If your friend doesn't use NAV and his antivirus program is unable to identify a problem he could disable any suspicious programs running at startup using MSconfig or other method as a temporary measure.

    He can also try the Symantec Security online checker at http://www.symantec.com/SecurityCheck/ - The Scan for Viruses checker also looks for known trojans.
     
    Last edited: 2002/03/05
  7. 2002/03/06
    monarols

    monarols Inactive Thread Starter

    Joined:
    2002/01/19
    Messages:
    45
    Likes Received:
    0
    Thanx Tony and Alice, will check out both URLs and post back when I can get up to his place..Cheers Chris
     
  8. 2002/03/12
    spankydata

    spankydata Inactive

    Joined:
    2002/01/14
    Messages:
    107
    Likes Received:
    0
    backdoor subseven trojan

    I have this trojan on my computer but have tried several times to remove it but can never find the files that the instructions describe. Anyway the hacker trying to attack my machine is 62.135.10.47 so if anyone can attack his machine please do so!!
     
  9. 2002/03/20
    DoctorDoom

    DoctorDoom Inactive

    Joined:
    2001/12/29
    Messages:
    189
    Likes Received:
    0
    We don't do hacking, we don't support it and we don't provide info on it. So much for that request.

    If you can't find the SubSeven files on your computer, how do you know it's there?
     
  10. 2002/03/30
    I-Ate-The-Lot

    I-Ate-The-Lot Inactive

    Joined:
    2002/03/30
    Messages:
    14
    Likes Received:
    0
    RE: Backdoor SubSeven Trojan

    >If you can't find the SubSeven files on your computer,
    >how do you know it's there?

    I'd say that they saw an incoming Firewall report stating that someone was trying to reach a port on their system which corresponds to the SubSeven Trojan family, or they took the incoming port number and looked it up at WWW.GOOGLE.COM.

    A simple search would throw up some information about possible viruses, which can be used at places like WWW.NAI.COM's Virus Library to identify methods of infection and automated / manual processes for cleaning up.

    As he can't find the identified files, whichever files he has been advised to look for, then it is probable that he doesn't actually have the Trojan only the incoming request - which just HOPES he has the Trojan so they can control his machine.

    The only safe way to know is the installation of a valid, and up to date, Anti-Virus product - even an evaluation version (but only if the evaluation version of the full application can remove viruses or prevent the initial infection) is better than nothing in most cases.

    Equally in these days of Always-On or Dial-up Modems you may find that the IP Address you are using has previously been used by someone who has had the infection and the incoming connection was aimed at the previous system.

    Joe.
     
    Last edited: 2002/03/30
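
The distinction drawn in the post above, as an added example that is not part of the original thread: a blocked inbound probe to a trojan's port is compared against the host's own listening ports, since only a local listener suggests the trojan is actually present. The port mapping, function names and sample data are assumptions made for illustration.

```python
import re

# Assumption: 27374/tcp is the widely documented SubSeven default; the thread
# names no port, and a trojan can be configured to listen elsewhere.
TROJAN_PORTS = {27374: "SubSeven"}

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)

def listening_ports(netstat_text):
    """TCP ports in LISTENING state, parsed from `netstat -an` style output."""
    ports = set()
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            ports.add(int(match.group(1)))
    return ports

def assess(blocked_inbound, netstat_text, watch=TROJAN_PORTS):
    """blocked_inbound: (source_ip, dest_port) pairs the firewall refused.
    Returns {port: (family, verdict, sorted_sources)} for watched ports only."""
    listening = listening_ports(netstat_text)
    sources = {}
    for src, port in blocked_inbound:
        if port in watch:
            sources.setdefault(port, set()).add(src)
    result = {}
    for port, srcs in sources.items():
        verdict = "local listener" if port in listening else "probe only"
        result[port] = (watch[port], verdict, sorted(srcs))
    return result

# Constructed sample data (documentation address ranges, not real hosts).
BLOCKED = [("192.0.2.10", 27374), ("203.0.113.5", 27374), ("192.0.2.10", 80)]
NETSTAT_CLEAN = """
  TCP    0.0.0.0:139      0.0.0.0:0        LISTENING
  TCP    10.0.0.4:1031    198.51.100.7:80  ESTABLISHED
"""
NETSTAT_INFECTED = NETSTAT_CLEAN + "  TCP    0.0.0.0:27374    0.0.0.0:0        LISTENING\n"

if __name__ == "__main__":
    print(assess(BLOCKED, NETSTAT_CLEAN))
    print(assess(BLOCKED, NETSTAT_INFECTED))
```

A "probe only" verdict covers the default port alone, so it complements an up-to-date antivirus scan and does not replace one.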
  11. 2002/04/02
    DoctorDoom

    DoctorDoom Inactive

    Joined:
    2001/12/29
    Messages:
    189
    Likes Received:
    0
    BlackICE on this box reports an occasional SubSeven port probe. A newbie might perhaps interpret that wrongly.
     