IObit Forum

question about i.exe


keesue


Posted

What is i.exe ?

 

I found this process "i.exe" associated with:

 

C:\Program Files\IObit\Advanced SystemCare Ultimate\ASC.exe" /widget_scan

 

I searched i.exe and found this entry:

 

I.exe - Process Information

 

This component is part of CWS.SearchX

 

Component Name: I.exe

 

Description of : CWS Search X is a CWS variant that hijacks the user's browser and sets the start and search pages to about:blank and keeps a record of pages visited in a log file in the root directory. It is difficult to detect because the dynamic link library (DLL) file it installs is randomly named.

 

Recommendation for :

It is strongly recommended that this spyware be removed from your system immediately.

 

Trusted: No

Trojan: No

Chronic: Yes

Adware: No

Carrier: No

Browser Hijacker: No

Dialer: No

Commercial Keylogger: No

Remote Administration Tool: No

Suspected: No

 

Company Name: .

Platforms Affected:

Methods of Distribution: This spyware is installed via drive-by download on certain affiliate websites.

Variants/Versions:

Release Date: 2004

Posted

file search

 

Hi Keesue,

I too am running this programme.

I did a search using the keyword ASC.exe and can find no trace of this.

I also searched i.exe, no trace.

As the release date is 2004, I would have thought that most AV programmes/IObit Malware Fighter/Malwarebytes/SUPERAntiSpyware would pick this up.

 

Roy

 

If your CP is up to date

I suggest you install another Firewall.

(no disrespect intended but the XP Firewall is not very well regarded)

Posted

I searched my computer for "i.exe" and it came up blank. Here is another opinion about it.

 

Nasty stuff - A lot worse than just Spyware according to the website on the link.

 

Cloaked Malware

Malicious Software

Malware Downloader

 

File Behavior

 

I.EXE has been seen to perform the following behavior:

 

Adds products to the system registry

Writes to another Process's Virtual Memory (Process Hijacking)

This process creates other processes on disk

This Process Deletes Other Processes From Disk

Executes a Process

Removes Scheduled Tasks from the Windows task queue

Can communicate with other computer systems using HTTP protocols

Copies files

Creates or uses a background service to access the Internet using HTTP protocols

Injects code into other processes

Performs DNS look ups to resolve URL IP addresses

The Process is packed and/or encrypted using a software packing process

Adds a Registry Key (RUN) to auto start Programs on system start up

Sends email using SMTP protocols

Uses DNS to retrieve the IP address for web sites

Registers a Dynamic Link Library File

Executes Processes stored in Temporary Folders

 

I.EXE has been the subject of the following behavior:

 

Created as a process on disk

Executed as a Process

Has code inserted into its Virtual Memory space by other programs

Copied to multiple locations on the system

Created as a new Background Service on the machine

Added as a Registry auto start to load Program on Boot up

Executed from Temporary Folders

Terminated as a Process

Registered as a Dynamic Link Library File

Deleted as a process from disk

 

Here is another opinion

 

We suggest you to remove I.EXE from your computer as soon as possible.

 

I.EXE Dangerous Rating: 5 out of 5

 

I don't know if IMF or ASC or ASCU Beta will find and remove it or not. There is at least one Malware removal expert on this forum. However I am not one ("It is a wise person who recognizes his/her limitations.":smile:) so I offer no suggestions on how to remove it. Maybe the Malware expert will read your OP and offer a suggestion on how to remove it.

 

I will say this. There are tools out there that will remove it but I offer no suggestion on which one or ones to use because depending on the Malware if it is not removed correctly the infected computer could wind up becoming unusable.

 

Good luck

Posted

This file, i.exe, is associated with and runs within ASC-Ultimate. Its origin is China. The first entry I posted was from a log file. Here it is again: C:\Program Files\IObit\Advanced SystemCare Ultimate\ASC.exe" /widget_scan. Note the command line switch: /widget scan. It appears therefore that i.exe is executed within ASC-Ultimate and cannot be detected by malware or antivirus.

 

Can one of the ASC folks directly address this?

Posted

i.exe

 

Hi Keesue,

Have run searches on "scan widget" and cannot find i.exe in any of them. Also checked my logs.

Which log did you find it in?

On the downside, maybe it's just that you've been caught by a drive-by. XP firewall old (previously infected PC)

 

Suggest you review the malware guidelines section

 

Roy

Posted
Hi Keesue,

Have run searches on "scan widget" and cannot find i.exe in any of them. Also checked my logs.

Which log did you find it in?

On the downside, maybe it's just that you've been caught by a drive-by. XP firewall old (previously infected PC)

 

Suggest you review the malware guidelines section

 

Roy

 

Thanks, but this has been my machine since acquisition with a secure corporate OS completely vetted by my staff and by me personally. Every application is cleared and all processes are logged and accountable. My log entry shows the association of this executable and ASC Ultimate which started this line of inquiry.

 

For clarity: This executable is logged as initiated by /Widget Scan and if so must be embedded within the ASC executable; put another way, it would have to be compiled within the code, and therefore, under that circumstance it would not be detected by malware. When the call is made, i.exe is executed and disappears when the process is complete. The malware guidelines section would be irrelevant.

 

Given /Widget Scan is a command line switch, I will run diagnostics to capture the line-by-line execution. Given the security implication, I'm asking IOBIT to look into this. This is not trivial. If that cannot be done, I will de-install and the matter can be considered closed.

 

Thanks in advance to the ASC team for addressing this issue.

 

Best,

 

Keesue

Posted

More on i.exe

 

Running the executable "asc.exe \widget scan" on the command line brings up the ASC Ultimate scanning utility. The start of i.exe and the start of the utility are logged in the same timeframe. It appears to be called by that program itself. I will run a capture program to find when i.exe is called and what scan is doing at that moment in time to synchronize the instances. More to follow.
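One way to run the capture described in the post above, as an added example that is not part of the original thread and not IObit's code: it records the image path, parent process, SHA-256 and Authenticode signer of each new `i.exe`, which identify the binary itself rather than its file name. Assumptions: Windows PowerShell 4.0 or later in an elevated session; the output path and the `TransientProcWatch` identifier are hypothetical.

```powershell
# Added example, not from the thread. Requires Windows PowerShell 4.0+ (elevated).
$targetName = 'i.exe'                                  # process name reported in the thread
$outFile    = Join-Path $env:TEMP 'proc-capture.csv'   # hypothetical output path

# WQL polls once per second; a process that starts and exits between polls is
# missed, so repeat the scan a few times if nothing is captured.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_Process' " +
         "AND TargetInstance.Name = '$targetName'"

$action = {
    $p      = $Event.SourceEventArgs.NewEvent.TargetInstance
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    # The image may already be deleted when the handler runs; record that fact
    # instead of failing.
    $hash = 'file-not-present'; $sigStatus = 'n/a'; $signer = 'n/a'
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $hash = (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $p.ExecutablePath
        $sigStatus = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Time          = (Get-Date).ToString('o')
        Name          = $p.Name
        ProcessId     = $p.ProcessId
        ImagePath     = $p.ExecutablePath
        CommandLine   = $p.CommandLine
        ParentPid     = $p.ParentProcessId
        ParentPath    = $parent.ExecutablePath   # empty if the parent already exited
        ParentCmdLine = $parent.CommandLine
        Sha256        = $hash
        SigStatus     = $sigStatus
        Signer        = $signer
    } | Export-Csv -LiteralPath $Event.MessageData -Append -NoTypeInformation
}

Register-WmiEvent -Query $query -SourceIdentifier 'TransientProcWatch' `
    -MessageData $outFile -Action $action | Out-Null

# Reproduce the scan, then stop watching and review the capture:
#   Unregister-Event -SourceIdentifier 'TransientProcWatch'
#   Import-Csv $outFile | Format-List
```

An `ImagePath` under a temporary folder with a valid vendor signature points to a helper unpacked by the parent; an unsigned image or a `file-not-present` hash warrants a closer look.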

Posted

run asc

 

Hi Keesue,

Just tried to run asc.exe.

and via CMD

Comes back with unable to find

 

Roy

 

On another note, I'm surprised that a corporate user would go with a Beta program < STRIKE THAT.

I see you've been using IObit products for a while.

Posted
Thanks, but this has been my machine since acquisition with a secure corporate OS completely vetted by my staff and by me personally. Every application is cleared and all processes are logged and accountable. My log entry shows the association of this executable and ASC Ultimate which started this line of inquiry.

 

Thanks in advance to the ASC team for addressing this issue.

 

Best,

 

Keesue

 

Whatever you say. Personally I would question the vetting. Microsoft has noted that there is now a high percentage of new computers that have Malware inserted during the manufacturing process; i.e. adding the software. Too much software comes with malware. I think you are relying on 100% accuracy of others.

 

What you describe as seeing is symptomatic of bad stuff. I wouldn't know if you downloaded an infected version of ASCU or not. Many people download stolen software using a P2P app and much of that stolen stuff is infected with really bad stuff.

 

I am not accusing you of anything, but from all the evidence chances are your computer is infected. Where that infection came from is anyone's guess.

 

Just because Corp people gave some software the okay doesn't mean that it can't be or get infected. If that were the case then there would be no malware problems in larger companies with professional IT people.

Posted

Nor I...

 

I have thoroughly checked and I have no i.exe on my system either! I just installed Ultimate a few days ago. What location did you download from keesue? Perhaps it was not secure? Perhaps you could try a clean install from a different download location? Some forms of malware will move around on your machine as well.

 

Sincerely,

-Mel

Live long and prosper!

Posted

file sizes

 

Hi Keesue,

Thought this might be useful to you

File Application

 

4.13 MB 4,336,512bytes size

4.13 Mb 4,337,664bytes size on disc

 

Application

4235 KB

 

Roy

Posted
I have thoroughly checked and I have no i.exe on my system either!

 

What Keesue is saying is that the I.exe is Not a separate file,

that can Not be found with a search.

It evidently is being run by embedded code, in another .exe file.

 

He found it with a '/widget scan' command-line switch.

 

I'm not sure, but I think '/widget scan' is part of the WordPress utility software package.

I've not used it, so have no idea how reliable it is?

(WordPress is a blogging tool and content manager, that has security addons)

Posted

If you enter the directory command in the IObit AdvancedSystem directory you will see "asc.exe".

 

C:\Program Files\IObit\Advanced SystemCare Ultimate>dir asc.exe

 

If you run this command from the Advanced System Ultimate Care directory:

 

C:\Program Files\IObit\Advanced SystemCare Ultimate>asc.exe /widgetscan

You will see the result of that executable.

 

What is not shown within that directory is i.exe (nor, as you noted, anywhere else on your drive). This suggests i.exe is embedded and compiled within asc.exe. This is precisely the question I am asking of the developers. The casual user would never detect this but something that is listed as a virus as submitted by the other posters raises concern.

 

With respect to my configuration, while I am running a corporate license of XP Professional, the machine and the installation is my personal configuration separate from the enterprise. The OS is unchanged, certified as such, and only mentioned to belay the suggestion the OS is corrupt.

 

Indeed I have been running IObit - sufficient for me to upgrade and to evaluate Ultimate. My comment in another post was essentially that it transcends the small company look of the previous version and lends itself toward a more enterprise look. To be clear in my intention: I submitted this issue in good faith on behalf of the company; otherwise, I would have just 'chucked it' and not wasted my time. I believe this qualifies as legitimate input for the solicited feedback of this Beta.

 

Thanks again for your input, much appreciated.

Posted

Thanks keesue,

 

I will follow this issue and make sure that IObit makes a comment on it.

 

In the meantime I will investigate the behaviour in W8 Pro.

 

Cheers.

Posted
Whatever you say. Personally I would question the vetting. Microsoft has noted that there is now a high percentage of new computers that have Malware inserted during the manufacturing process; i.e. adding the software. Too much software comes with malware. I think you are relying on 100% accuracy of others.

 

What you describe as seeing is symptomatic of bad stuff. I wouldn't know if you downloaded an infected version of ASCU or not. Many people download stolen software using a P2P app and much of that stolen stuff is infected with really bad stuff.

 

I am not accusing you of anything, but from all the evidence chances are your computer is infected. Where that infection came from is anyone's guess.

 

Just because Corp people gave some software the okay doesn't mean that it can't be or get infected. If that were the case then there would be no malware problems in larger companies with professional IT people.

 

I'm not taking it as an accusation by any means. This is a difficult assertion.

 

Apparently, I'm not making my point clear. This machine has a certified and verified install of XP Professional. The machine never had an installation save the one I installed. All the service packs come directly from Microsoft in the developer tool kit. My other limited software installations are all scrubbed prior to installation by me. I downloaded the Ultimate installation from the link provided in the forum announcing the beta release. If the ASC download was infected, it came from that source. I do not have P2P software and this machine is not used for that activity. It is protected with IObit's malware and antivirus in real time. I also have other on-demand software that looks for rootkits. IObit is the only software running in memory.

 

As to the evidence suggesting otherwise, let me state it this way: There was no evidence of this executable in the prior versions of ASC. It only appeared after the installation of Ultimate. There may be a similarity within the embedded code to this executable such that the signature identifies it as i.exe; or, the executable was inadvertently named i.exe and does not pose a threat. There is one other explanation but I think it is best to get an official response. I'm sure there is a non-nefarious explanation. This software has great potential in the corporate/enterprise space for several very legitimate reasons. I would hate to see this be an impediment to its adoption.

 

This is what I am trying to get to the bottom (of).

Posted
Thanks keesue,

 

I will follow this issue and make sure that IObit makes a comment on it.

 

In the meantime I will investigate the behaviour in W8 Pro.

 

Cheers.

 

Sure thing - thanks.

Posted
Keesue,

Am I correct about where the '/widget scan' switch comes from,

in the above post?

 

Yes, that is where the executable asc.exe resides and where /widget scan resides (although it is not shown in /?)

Posted
Yes, that is where the executable asc.exe resides and where /widget scan resides (although it is not shown in /?)

 

Okay, if it comes from WordPress Apps,

how sure are you that that security App is Reliable,

and not giving False info?

Posted

I think there is a misunderstanding here Toppack!

 

I understand it as ASC.exe being under Program Files and in keesue's case no connection with WordPress Apps.

 

Cheers.

Posted
I think there is a misunderstanding here Toppack!

 

I understand it as ASC.exe being under Program Files and in keesue's case no connection with WordPress Apps.

 

Cheers.

 

There's No '/widget scan' switch in Windows, that I know of,

and the only one I found is in WordPress App,

and he just said that is where it came from. :shock:

 

So, my next question is 'how reliable is that App'?

Archived

This topic is now archived and is closed to further replies.
