Iexplore.exe Fake fake iexplore.exe running
#1
Posted 02 January 2008 - 01:03 AM
Process Explorer shows I have iexplore.exe running EVEN THOUGH NO BROWSER WINDOW IS ACTIVE. When I right click in process explorer, I get the following vague info (listed below) in the properties box. There is no path, parent info nor will it show the process window when I click on "Bring to Front", it tells me no visible windows found. This doesn't look good to me. In addition, when I open internet explorer and place my cursor over its corresponding iexplore.exe info in process explorer, a box pops up telling me its path, for example C:\ProgramFiles\Internet Explorer\iexplorer.exe. When I place the cursor over the suspicious iexplore.exe file, the only thing the pop up box shows is iexplore.exe, no file path info at all. I tried to insert the print screen capture of this issue but when I tried to add image to this post it asked me for the image URL, which I don't have, or don't know how to add it.
Can anyone help? Thanks in Advance.
Process Explorer Properties
Image file
Version: n/a
Time: n/a
Parent:<Non-existent Process>(2136)
Path: Not Available
Command Line: (blank)
Current directory: (blank)
#2
Posted 02 January 2008 - 09:04 AM
Download and install Starter by CodeStuff.
- Double-click the Starter.exe icon on your desktop or from Start > Programs.
- Click the Processes tab.
- Right-click on the suspicious process (iexplore.exe) and choose Explore process folder
- A new window should open and show you the path where the process is running from.
- Post that file path information in your next reply.
Then go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.
Microsoft MVP - Consumer Security 2007-2012 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
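The same path lookup done from a PowerShell prompt, as an added example that is not part of the original reply: it lists every process named iexplore.exe with its image path, parent, signature status and a hash for the scanner step. It assumes a current Windows with PowerShell 5.1 or later and an elevated prompt; the expected install locations are assumptions based on the default Internet Explorer folder.

```powershell
# Added example: triage every process that claims to be iexplore.exe.
# Assumption: the genuine binary lives in the default Internet Explorer folder.
$name     = 'iexplore.exe'
$expected = @(Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe')
if (${env:ProgramFiles(x86)}) {
    $expected += Join-Path ${env:ProgramFiles(x86)} 'Internet Explorer\iexplore.exe'
}

# Snapshot all processes once so parent PIDs can be resolved against it.
$all   = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

$all | Where-Object { $_.Name -ieq $name } | ForEach-Object {
    $path   = $_.ExecutablePath
    $parent = $byPid[[uint32]$_.ParentProcessId]
    $flags  = @()
    $sig    = $null
    $hash   = $null

    if (-not $path) {
        # Empty path: the image could not be read (insufficient rights,
        # protected process, or something hiding it). Needs a closer look.
        $flags += 'no image path readable'
    } else {
        if ($expected -notcontains $path) { $flags += 'unexpected location' }
        $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
        if ($sig -ne 'Valid') { $flags += "signature: $sig" }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
    # A parent that has exited is common and not suspicious on its own;
    # it is recorded because it matches the "<Non-existent Process>" display.
    if (-not $parent) { $flags += 'parent process has exited' }

    [pscustomobject]@{
        ProcessId = $_.ProcessId
        ParentPid = $_.ParentProcessId
        Parent    = if ($parent) { $parent.Name } else { '<non-existent>' }
        Path      = $path
        Signature = $sig
        SHA256    = $hash
        Flags     = $flags -join '; '
    }
} | Format-List
```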

#3
Posted 04 January 2008 - 02:08 PM
Thanks quietman. I've been out of town this week but am back now and will do this today and post results. Thanks again.
#5
Posted 21 January 2008 - 12:57 AM
Sorry for the delay but the strange iexplore.exe process went away for over a week but is now BACK X 2. There are now two iexplore.exe processes showing in sysinternal process explorer. I ran Starter.exe but NEITHER iexplore.exe process would show up in it.
Like I mentioned before, there are no pathways showing in process list, nor any info or parent path in the properties box of process explorer. When I right click and try to select 'properties' in the windows task manager process list, it does nothing, no properties box appears, NOTHING HAPPENS AT ALL.
When I try to terminate either of the iexplore.exe processes from the task manager OR sysinternal process explorer, I get an error box stating "Error Terminating Process. Access is Denied" and when I try to suspend it I get "Unable to suspend thread. The system cannot find the file specified."
After doing some in-depth searching I was finally able to locate what I THINK are the files in question. Here's their names and location.
IEXPLORE.EXE found here- C:\WORKSSETUP\MSWORKS\REDIST\IE6\IEMIL_2.CAB\IEXPLORE.EXE
IEXPLORE.EXE, all caps, 89kb in size and file date is 8/29/2002, 7:07 am. This date is odd considering my laptop is only 7 months old (I bought it in July, 07)
The other process running is- iexplore.exe and was found here:
C:\WORKSSETUP\MSWORKS\REDIST\IE6\IEW2K_4.CAB\iexplore.exe
iexplore.exe, all lower case, 89kb, 8/29/02 7:14 am.
Also meant to mention, when these show in sysinternals process explorer, its icon is NOT the big blue 'E' logo like the normal iexplorer icon, it's one of those square icons like you see beside a svchost.exe or similar processes in sysinternals. BTW, I'd love to post some screen shots but can't figure out how! When I click to add image to my post, a scripts box pops up asking for a URL address so I'm clueless.
Do these files and locations sound odd to you? The way they decide to show, for how long and when has had no rhyme or reason. Don't know if it's related or not but, there have been some files in my temp folder that, even when using Move On Boot OR Safe Mode, they would not allow me to delete them.
Anyway, here's the results of the online scans, I could only scan the 2 .CAB folders which contained the questionable files.
THANKS AGAIN IN ADVANCE!
VirusTotal Scans
File IEW2K_4.CAB SCAN received on 01.21.2008 03:40:25 (CET)
Antivirus | Version | Last Update | Result
AhnLab-V3 2008.1.19.10 2008.01.18 -
AntiVir 7.6.0.48 2008.01.20 -
Authentium 4.93.8 2008.01.21 -
Avast 4.7.1098.0 2008.01.20 -
AVG 7.5.0.516 2008.01.20 -
BitDefender 7.2 2008.01.21 -
CAT-QuickHeal 9.00 2008.01.19 -
ClamAV 0.91.2 2008.01.21 -
DrWeb 4.44.0.09170 2008.01.20 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5470 2008.01.18 -
Ewido 4.0 2008.01.20 -
FileAdvisor 1 2008.01.21 No threat detected, but known vulnerabilities exist
Fortinet 3.14.0.0 2008.01.20 -
F-Prot 4.4.2.54 2008.01.21 -
F-Secure 6.70.13260.0 2008.01.20 -
Ikarus T3.1.1.20 2008.01.21 -
Kaspersky 7.0.0.125 2008.01.21 -
McAfee 5211 2008.01.18 -
Microsoft 1.3109 2008.01.20 -
NOD32v2 2808 2008.01.20 -
Norman 5.80.02 2008.01.20 -
Panda 9.0.0.4 2008.01.20 -
Prevx1 V2 2008.01.21 -
Rising 20.27.62.00 2008.01.20 -
Sophos 4.24.0 2008.01.20 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.21 -
TheHacker 6.2.9.191 2008.01.19 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.20 -
Webwasher-Gateway 6.6.2 2008.01.20 -
Additional information
File size: 2141642 bytes
MD5: 44ac89b7f1392e1202235becc07765e3
SHA1: 38de19e63b6efa313a9af28fdc3aed53f93a1e21
PEiD: -
Bit9 info: http://fileadvisor.bit9.com/services/extin...2235becc07765e3
File IEMIL_2.CAB SCAN received on 01.21.2008 04:03:01 (CET)
Antivirus | Version | Last Update | Result
AhnLab-V3 2008.1.19.10 2008.01.18 -
AntiVir 7.6.0.48 2008.01.20 -
Authentium 4.93.8 2008.01.21 -
Avast 4.7.1098.0 2008.01.20 -
AVG 7.5.0.516 2008.01.20 -
BitDefender 7.2 2008.01.21 -
CAT-QuickHeal 9.00 2008.01.19 -
ClamAV 0.91.2 2008.01.21 -
DrWeb 4.44.0.09170 2008.01.20 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5470 2008.01.18 -
Ewido 4.0 2008.01.20 -
FileAdvisor 1 2008.01.21 No threat detected, but known vulnerabilities exist
Fortinet 3.14.0.0 2008.01.20 -
F-Prot 4.4.2.54 2008.01.21 -
F-Secure 6.70.13260.0 2008.01.20 -
Ikarus T3.1.1.20 2008.01.21 -
Kaspersky 7.0.0.125 2008.01.21 -
McAfee 5211 2008.01.18 -
Microsoft 1.3109 2008.01.20 -
NOD32v2 2808 2008.01.20 -
Norman 5.80.02 2008.01.20 -
Panda 9.0.0.4 2008.01.20 -
Prevx1 V2 2008.01.21 -
Rising 20.27.62.00 2008.01.20 -
Sophos 4.24.0 2008.01.21 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.21 -
TheHacker 6.2.9.191 2008.01.19 -
VBA32 3.12.2.5 2008.01.19 -
VirusBuster 4.3.26:9 2008.01.20 -
Webwasher-Gateway 6.6.2 2008.01.20 -
Additional information
File size: 2182142 bytes
MD5: 093cfb681e7521a255dc42548f0b7dfa
SHA1: 32f8b77812eb4f02e02b4b1a76bda1fbef2ba72c
PEiD: -
Bit9 info: http://fileadvisor.bit9.com/services/extin...5dc42548f0b7dfa
Jotti's Malware Scan Results:
File: IEW2K_4.CAB
Status: OK
MD5: 44ac89b7f1392e1202235becc07765e3
Packers detected: -
Bit9 reports: No threat detected, but known vulnerabilities exist (more info)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
File: IEMIL_2.CAB
Same Results, Nothing Found.
This post has been edited by Five2One: 21 January 2008 - 03:21 AM
#6
Posted 21 January 2008 - 08:18 AM
The files do not appear to be malicious. C:\WORKSSETUP\MSWORKS\ is a legit folder path for Microsoft Works 7.0 07.02.0620
Download and install AnVir Task Manager Free. It has a processes tab that provides a wealth of information. See what info you can gather from that.
Microsoft MVP - Consumer Security 2007-2012 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7
Posted 21 January 2008 - 10:08 AM
Ok, will try that.
Question, though, why would an IE6 file dated from 2002 be on my computer? I'm using, and as far as I know, ran IE7 since I've had this computer. Any thoughts?
#8
Posted 21 January 2008 - 10:50 AM
Unless you have a brand new pc, IE6 was probably updated automatically via Windows update to IE7. I'm just not sure why a process for it is showing in the C:\WORKSSETUP\MSWORKS\ folder.
Microsoft MVP - Consumer Security 2007-2012 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#9
Posted 21 January 2008 - 02:47 PM
Ok, thanks. I've downloaded AnVir Task Mgr. and am waiting for the iexplore.exe to resurface. Hopefully, it will be soon and I can get a definitive path and location on it. I'll post as soon as I can catch it.
Thanks again for all your help!
Best,
Five