Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Lonny Jones on June 13, 2004, 02:08:08 AM
-
Hi all
Trojan-gen in iexplorer.exe
WIN32: Trojan-gen.{UPX!}
Im helping someone, probaly to late to get you involved in it but
for my information how would you suggest replacing the exe ?
Acast makes a snapshot if i remember correcty of system files, could it have been used to replace iexplorer.exe ?
apparently the real one
C:\Program Files\Internet Explorer\IEXPLORE.EXE
Trend (online) says its
TROJ GEMA.A
CA's online see nothing
later RAV Online was used and it see's
C:\Program Files\Internet Explorer\iexplorer.exe -
TrojanDownloader:Win32/Crypter -> Infected
Hihackthis has been ran >>
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
all thats visible was (I think)
O4 - HKLM\..\Run: [Imagemgt32] c:\winnt\system32\imagemgt32.exe
we fixed it but when looking for it to delete it didnt exist.
Post is here if you care to look
http://www.windowsbbs.com/showthread.php?t=31539
Thanks
-
If VRDB was generated prior the infection, then IEXPLORE.EXE could be repaired by clicking repair on the Avast detection dialog.
If not, then you might want to try generic cleaning.
I don't have experience with this trojan but I guess peeps from the virus and worms subforum could help on on this.
-
If VRDB was generated prior the infection, then IEXPLORE.EXE could be repaired by clicking repair on the Avast detection dialog.
If not, then you might want to try generic cleaning.
I don't have experience with this trojan but I guess peeps from the virus and worms subforum could help on on this.
Clicking repair was unsuccessful...
-
If repair doesn't work for you, that means either the VRDB was not compiled or the VRDB does not contain the valid information for your file(s).
Same person? ???
-
May i jump in here...
Lonny Jones has program named: IEXPLORER.EXE
Real Internet Explorer executable is named IEXPLORE.EXE
Notice that extra "R" letter? Its a very nasty trick wich is widely used in these days,especially for spyware files. Thats why he cannot repair it. Just delete it since its classified as trojan which is not a file infector.
-
Nice eye ya got there...
I always made the same mistake with the "r", since explorer.exe has a "r" as a suffix. So i + explorer.exe = iexplorer.exe ;D
-
I was working pretty long on social engineering tricks,especially for spyware so i know most of the naming tricks ;)
-
AFAIK iexplorer.exe is most often one of the RapidBlaster variants (adware).
-
thanks guys.
dam dont i feel the fool :) extra R
He had deleted it proir to me posting with a move on reboot tool, but once back in windows it was recreated again.
I'll let you know what develops.
-
It may be hiding in system restore (_restore file in XP), but this is 'Last Good Configuration' or something in win2000.
You will have to find a way to disable that (I don't use win200, so no help there), scan with avast and or remove iexplorer.exe. reboot, scan and confirm clean and enable last good configuration.
HTH David
-
The trojan might have reinstalled itself with another startup item.
Check for computer for spyware then try deleting this file from your computer.
If the file is in the _restore folder as DavidR mentioned, you will have to disable your System Restore feature before you could delete the file properly.