Trojan-gen in iexplorer.exe

Hi all

Trojan-gen in iexplorer.exe
WIN32: Trojan-gen.{UPX!}

I'm helping someone, probably too late to get you involved in it, but for my information how would you suggest replacing the exe?
Avast makes a snapshot of system files, if I remember correctly; could it have been used to replace iexplorer.exe?

Apparently the real one is
C:\Program Files\Internet Explorer\IEXPLORE.EXE

Trend (online) says it's
TROJ GEMA.A

CA's online sees nothing.

Later RAV Online was used and it sees
C:\Program Files\Internet Explorer\iexplorer.exe -
TrojanDownloader:Win32/Crypter → Infected

HijackThis has been run >>
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

All that's visible was (I think)
O4 - HKLM..\Run: [Imagemgt32] c:\winnt\system32\imagemgt32.exe
We fixed it, but when looking for it to delete it, it didn't exist.
Post is here if you care to look
http://www.windowsbbs.com/showthread.php?t=31539

Thanks

If VRDB was generated prior to the infection, then IEXPLORE.EXE could be repaired by clicking repair on the Avast detection dialog.
If not, then you might want to try generic cleaning.

I don't have experience with this trojan, but I guess peeps from the virus and worms subforum could help on this.

Clicking repair was unsuccessful…

If repair doesn't work for you, that means either the VRDB was not compiled or the VRDB does not contain valid information for your file(s).

Same person?

May I jump in here…

Lonny Jones has program named: IEXPLORER.EXE

Real Internet Explorer executable is named IEXPLORE.EXE

Notice that extra "R" letter? It's a very nasty trick which is widely used these days, especially for spyware files. That's why he cannot repair it. Just delete it, since it's classified as a trojan, which is not a file infector.
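To make the naming trick from the post above concrete, here is an added example (not code from the thread or from any of the posters) that flags executable names one edit away from a legitimate Windows binary and pulls the executable path out of HijackThis-style O4 startup lines like the one quoted earlier. The list of legitimate names is an assumption made for the example, and the second sample O4 line is constructed; only the first sample line and the two Internet Explorer paths come from the thread.

```python
"""Added example, not from the thread: flag look-alike file names such as
iexplorer.exe (one letter off the real IEXPLORE.EXE) and pull the executable
path out of HijackThis-style O4 startup lines. The legitimate-name list and
the second sample line are assumptions made for this example."""
import ntpath
import re

# Assumed baseline of legitimate executable names (lower-case for comparison).
KNOWN_GOOD = sorted({
    "iexplore.exe", "explorer.exe", "svchost.exe", "lsass.exe",
    "winlogon.exe", "services.exe", "csrss.exe", "spoolsv.exe",
})


def edit_distance(a, b):
    """Levenshtein distance: one insert, delete or substitute costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalikes(path):
    """Return the legitimate names this file name is exactly one edit away from.
    An exact (case-insensitive) match is the real file and yields [].
    Note that iexplorer.exe is one edit from BOTH iexplore.exe and explorer.exe,
    which is exactly why the extra "r" is so easy to overlook."""
    name = ntpath.basename(path).lower()
    if name in KNOWN_GOOD:
        return []
    return [good for good in KNOWN_GOOD if edit_distance(name, good) == 1]


# HijackThis O4 line, e.g.  O4 - HKLM..\Run: [Imagemgt32] c:\winnt\system32\imagemgt32.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\.\.\\(?P<key>[^:]+): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
# First .exe token of the command, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?([^"]+?\.exe)', re.IGNORECASE)


def parse_o4(line):
    """Split an O4 line into hive, key, value name and executable path (None if not O4)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    exe = EXE_RE.match(cmd)
    return {
        "hive": m.group("hive"),
        "key": m.group("key"),
        "value": m.group("value"),
        "path": exe.group(1) if exe else cmd,
    }


def audit_o4(lines):
    """Parse every O4 line and attach the look-alike verdict for its executable."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        entry["lookalikes"] = lookalikes(entry["path"])
        findings.append(entry)
    return findings


# Constructed sample log: the first line is the O4 entry quoted in the thread,
# the second is an invented entry pointing at the look-alike name under discussion.
SAMPLE_LOG = [
    r"O4 - HKLM..\Run: [Imagemgt32] c:\winnt\system32\imagemgt32.exe",
    r'O4 - HKCU..\Run: [IE] "C:\Program Files\Internet Explorer\iexplorer.exe" /silent',
]

if __name__ == "__main__":
    for f in audit_o4(SAMPLE_LOG):
        verdict = ("LOOK-ALIKE of " + ", ".join(f["lookalikes"])) if f["lookalikes"] else "no name match"
        print(f"{f['hive']}\\{f['key']} [{f['value']}] -> {f['path']}: {verdict}")
```

The name check is deliberately narrow (distance exactly 1 from a short allow-list) so it produces few hits; a real path such as C:\Program Files\Internet Explorer\IEXPLORE.EXE returns an empty list, while the rogue iexplorer.exe in the same folder is reported against both iexplore.exe and explorer.exe. The imagemgt32.exe entry from the thread gets no name match, which illustrates the limit of this check: a trojan with an unremarkable name has to be judged by its location and behaviour instead.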

Nice eye you've got there…
I always made the same mistake with the "r", since explorer.exe has an "r" as a suffix. So i + explorer.exe = iexplorer.exe ;D

I was working pretty long on social engineering tricks, especially for spyware, so I know most of the naming tricks ;)

AFAIK iexplorer.exe is most often one of the RapidBlaster variants (adware).

Thanks guys.

Damn, don't I feel the fool :) extra R

He had deleted it prior to me posting, with a move-on-reboot tool, but once back in Windows it was recreated again.

I'll let you know what develops.

It may be hiding in System Restore (the _restore folder in XP), but this is 'Last Good Configuration' or something in Win2000.

You will have to find a way to disable that (I don't use Win2000, so no help there), scan with avast and/or remove iexplorer.exe, reboot, scan and confirm clean, and then re-enable last good configuration.

HTH David

The trojan might have reinstalled itself with another startup item.
Check the computer for spyware, then try deleting this file from your computer.
If the file is in the _restore folder as DavidR mentioned, you will have to disable your System Restore feature before you can delete the file properly.