I've started having some extra slowness in my PC and did Ctrl+Alt+Del to see what's running in the Task Manager (I have Win2000 SP4).
I've noticed IEXPL0RE.EXE is one of the entries that shows up running. It is not visible otherwise.
I realised I hardly use IEXPL0RE and it is not supposed to be running, so I stopped it. IEXPLORE shows up only in the background and I can only see it through the Task Manager.
But when I restarted the PC, IEXPL0RE.EXE was there running again, noticeable only through the Task Manager of course.
Then I checked whether it is in the startup using Startup Control Panel 2.8 by Mike Lin, and IEXPL0RE wasn't in the startup.
I then checked IEXPL0RE.EXE on
and found out that
This is an undesirable program.
This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.
Name: Configuration Loader
Description: Added by the LOADCFG or SDBOT TROJANS!
File Location: Unknown
Startup Type: Currently being identified.
Then I checked registry entries to see if I could locate any of the following entries through http://securityresponse.symantec.com/avcen...oor.sdbot.html:
Discovered on: April 30, 2002
Last Updated on: July 21, 2005 04:51:37 PM
Backdoor.Sdbot is a Backdoor Trojan horse that allows the Trojan's creator to control a computer by using Internet Relay Chat (IRC). Backdoor.Sdbot can update itself by checking for newer versions over the Internet.
Also Known As: IRC-Sdbot [McAfee], Backdoor.IRC.SdBot [Kaspersky], BKDR_SDBOT.B [Trend], Troj/Sdbot-B [Sophos], Win32.SdBot.14176 [CA]
Type: Trojan Horse
Infection Length: varies
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Easy
Payload Trigger: Running the Backdoor executable file.
Compromises security settings: Allows unauthorized use of a compromised system.
Ports: 6667 (the default IRC port).
Backdoor.Sdbot is a server component (bot) that the Trojan's creator distributes over IRC channels. This Trojan horse allows its creator to perform a wide variety of actions on a compromised computer.
The Trojan arrives in the form of a Portable Executable (PE) file.
When Backdoor.Sdbot is executed, it does the following:
Copies itself to the %System% folder. The file name to which it copies itself can vary. Some known file names are:
NOTE: %System% is a variable. The Trojan locates the \Windows\System folder (by default, this is C:\Windows\System or C:\Winnt\System32), and then copies itself to that location.
Adds one of the following values:
"Configuration Loader" = "%System%\iexplore.exe"
"Configuration Loader" = "MSTasks.exe"
"Configuration Loader" = "aim95.exe"
"Configuration Loader" = "cmd32.exe"
"Configuration Loader" = "IEXPL0RE.EXE"
"Configuration Manager" = "Cnfgldr.exe"
"Fixnice" = "vcvw.exe"
"Internet Config" = "svchosts.exe"
"Internet Protocol Configuration Loader" = "ipcl32.exe"
"MSSQL" = "Mssql.exe"
"MachineTest" = "CMagesta.exe"
"Microsoft Synchronization Manager" = "svhost.exe"
"Microsoft Synchronization Manager" = "winupdate32.exe"
"Microsoft Video Capture Controls" = "MSsrvs32.exe"
"Quick Time file manager" = "quicktimeprom.exe"
"Registry Checker" = "%System%\Regrun.exe"
"Sock32" = "sock32.exe"
"System Monitor" = "Sysmon16.exe"
"System33" = "%System%\FB_PNU.EXE"
"Windows Configuration" = "spooler.exe"
"Windows Explorer" = " Explorer.exe"
"Windows Services" = "service.exe"
"Yahoo Instant Messenger" = "Yahoo Instant Messenger"
"cthelp" = "cthelp.exe"
"stratas" = "xmconfig.exe"
"syswin32" = "syswin32.exe"
or a similar value to the following registry keys:
May create the following additional files:
%System%\SVKP.sys (a clean driver that can be used for malicious purposes).
%System%\msdirectx.sys (this file is intended to provide rootkit functionality and may be detected as Hacktool.Rootkit).
Backdoor.Sdbot contains its own IRC client, allowing it to connect to an IRC channel that was coded into the Trojan. Some examples of possible servers to which it may connect are:
Using the IRC channel, the Trojan listens for the commands from the Trojan's creator. The creator of the Trojan accesses the Trojan by using a password-protected authorization.
The commands allow the Trojan's creator to perform any of the following actions:
Manage the Backdoor installation.
Control the IRC client on a compromised computer.
Dynamically update the installed Trojan.
Send the Trojan to other IRC channels to attempt to compromise more computers.
Download and execute files.
Deliver system and network information to the Trojan's creator.
Perform Denial of Service (DoS) attacks against a target, which the Trojan's creator defines.
Completely uninstall itself by removing the relevant registry entries.
I couldn't identify anything loading IEXPLORE.EXE.
I then ran the latest version of PestPatrol Corporate Edition, Adaware Latest with updates, SpySweeper, SpyBot Search and Destroy, Norton Antivirus (all with latest definitions/updates).
None identified anything relating to the problem, which is that "IEXPLORE.EXE" loads every time the PC starts and I can only kill it after it starts, through Task Manager.
I now do not know if I have a trojan?
I do not know how to stop IEXPLORE.EXE running in the background according to the task manager.
I also have ZoneAlarm, which is not reporting anything suspicious. (Well, IEXPLORE.EXE cannot be suspicious, I guess.)
I've run out of possibilities: