If you do a Google search for multiple instances of iexplore.exe
running in Task Manager, you will find numerous complaints with various causes and possible solutions. This problem could be malware or non-malware related. There are worms like W32/Lovgate-AD that will cause the same problem you are experiencing. In addition to other files it drops iexplore.exe in C:\Windows\system32. The legitimate iexplore.exe is located in the C:\Program Files\Internet Explorer folder. Make sure of the spelling
. If it is iexplor.exe
, then it's malware
. Also check to make sure iexplore.exe is not loading at startup as that too can be malware
: If using Internet Explorer 8 or Windows 7, the browser will run an extra instance
of iexplorer.exe as part of the Loosely-Coupled IE
and Automatic Crash Recovery
features. ACR stores information about a browsing session on the hard disk so that in the event of a browser crash, hang, or other unexpected shutdown, it you to resume the last browsing session. If using multiple tabs, ARC allows recovery of all opened tabs in case of a browser failure. Essentially that allows Internet Explorer to prevent itself from closing when a web site in one tab crashes. In order to this, Internet Explorer 8 will open a new process for the main window and another process with any opened tab
. As such, it is not unusual to find multiple instances of iexplore.exe running in Task Manager
. More information about ACR and LCIE can be found on the IEBlog
and an explanation of multiple instances of iexplorer.exe is provided by DON, MS MVP IE here
. One drawback of this new feature is that ACR has been reported to utilize high memory resources.
Most of the processes in Task Manager
will be legitimate as shown in these links.
Determining whether a file is malware or a legitimate process usually depends on the location
(path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. Another techinique is for the process to alter the registry and add itself as a Startup program
so that it can run automatically each time the computer is booted. Keep in mind that a legitmate file can also be infected by some types of malware. such as Virut
which is a dangerous polymorphic file infector
. A file's properties may give a clue to identifying it. Right-click
on the file, choose Properties
and examine the General and Version tabs.
Tools to investigate running processes and gather additional information to identify them and resolve problems:These tools will provide information about each process, CPU usage, file description and its path location.
Anytime you come across a suspicious file or one that you do not recognize, search the name using Google <- click here for an example
Or search the following databases:
If you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to Jotti's virusscan
. In the "File to upload & scan
" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Edited by quietman7, 18 February 2010 - 08:31 AM.