Browse the Net in IE. Got hit by codbas-14 [Trj] that is detected by Avast. Actions taken:
Let Avast delete files
Delete IE temporary files.
Scan again
The Trojan is not found again. It seems OK.
However, I find that Windows Explorer is started on startup and is set to be allowed to connect to the Internet in my firewall (ZoneAlarm). Actually I never allow Windows Explorer to connect to the Internet. The file is c:\windows\explorer.exe, file size is 1008k. My OS is XP-sp2. When I rename the file, the new file is created on startup and tries to connect to 239.255.255.250: port 1900.
So my computer has been infected.
Does anybody know how to get rid of this bug, please?
If avast found this whilst browsing, which provider detected it, Web Shield or Standard Shield? There is a difference; check the avast log viewer for more details.
Web Shield would have only one option: abort the connection, e.g. stop downloading that item. So nothing should have reached the HDD, so you wouldn’t find anything. If it was Standard Shield that detected it, then it would give several options (move to chest, delete, etc.) and would have shown a location on your HDD where the file was located.
I too never allow explorer to connect; it is blocked by my firewall.
Mine is 1,032,192 bytes, last modified 04 Aug 2004, version 6.00.2900.2180. I think Windows may be doing some form of self healing and getting a copy from the windows\servicepackfiles\i386 folder, or protecting it because it is in the windows folder.
Scanned the system in safe mode with ewido and found g_server2.0.exe in c:\windows.
After being scanned, the ZoneAlarm message appeared once only, and it no longer appears now.
Did you preview the 2 posts first? If so, that will cause the pictures to not show. Do not preview the message/attachments before. Use only the POST button after making an attachment.
The two files are different: one is explorer.exe (Windows Explorer) and the other is Iexplore.exe (Internet Explorer). It is possible that a program is calling explorer.exe to connect to the internet (because explorer can connect). You can use the "remember this setting" box and click Deny; that will stop explorer.exe from connecting in the future. Whilst that doesn’t resolve the issue, it blocks it until such time as you resolve the problem and decide to allow access (personally, for me that is never; I use my browser to connect to the internet).
So the ewido would appear to have taken care of the Iexplore.exe issue but we still have to find the program using explorer.exe.
My system is not stable after being hit. I usually reinstall the OS 3, 4 times a year with my old 98 box. I think that I have to do the same with my new XP box now.
You need to be sure that is an “i” and not a small “L”. There are several worms that can install an exe that looks like it is IE exe but is really LE exe using a small L instead of a capital I. Read below for more info from a Google search I did …