Expiorer.exe

Comments

  • Someone will look into this. Moved the post to Malware Talk.

  • pankajkkdhir
    edited January 2009

    Dear All,


    This one is a very old trojan, mostly identified as "Mytob", which again has many variants. I had the same problem with one of my client's computers. The resolution is here finally, which has come after 7 hours of working on this, checking various websites and reading tens of articles on sites. The hint finally came from " http://www.threatexpert.com/files/expiorer.exe.html ". This gave me an idea, where most of the possibilities led to notepad.exe, from where it triggers. Though whatever was written in this article had no resemblance to my case, and nothing written in this article could be found on the infected computer, still the hint was helpful enough.


    Firstly, the expiorer.exe was 68 KB, exactly the size of notepad.exe. I took the hint and, through My Computer, searched for all instances of Notepad.exe (make sure to opt for searching hidden files and folders too, under the more advanced options below the look-in window). I deleted all such files with Shift+Del so they don't go to the Recycle Bin, and this worked (please do not delete them now; read further and just keep them searched). Before you do this, the following steps are necessary:


    1. Right-click My Computer, go to System Restore and turn off System Restore. (If the System Restore tab is not visible, this might have been disabled in group policies by this malware. To get this back, download 'ravmon removal tool' (search from Google and download), run this in safe mode, reboot, come back again in safe mode and check if this tab appears.) If yes, turn off System Restore now, reboot and come back to normal Windows.


    2. Make sure that hidden files are set to be shown under Folder Options in My Computer. This too would have been resolved by the Ravmon Removal Tool (place tick marks on all options when you run this tool and keep saying OK; remember this one is the 3rd option on the Ravmon screen).


    3. Open My Computer and in the Windows folder point to Expiorer.exe; do nothing but highlight it. Run Task Manager and terminate the process expiorer.exe by right-clicking on it and opting for End Process Tree. Immediately thereafter Shift+Del the expiorer.exe in the Windows folder, followed by immediately deleting all the found notepad.exe files.


    4. Now you may receive a Windows warning that an important file is missing etc., which will ask for the Windows CD. If you have a CD, insert it and let Windows restore your notepad.exe from the CD. Otherwise, cancel the dialogue box, get this file from another computer or a safe website and restore it under \windows\system32.


    Your problem stands resolved. (You would have read on many sites about this, and some registry keys are mentioned on these sites which need to be rectified after this operation. For this you may refer to http://www.trendmicro.com/vinfo/virusencyc...IG&VSect=Sn. Read carefully; you may have to learn to edit the registry for this to work.)


    Please get back to me if anything is unclear.


    Also Read http://www.incodesolutions.com/threats2/Wi...expiorerexe.php

  • The name of the archive is a little bit confusing, because it contains 2 keyloggers. Basically, they both do the same: drop an executable and a library in system32, and load that library under as many processes as they can (the library does the actual keylogging; the executable is just an "injector" that injects the library when run). They are currently detected by the heuristic engine. However, we will soon add detection for them.


    Best regards!

  • There was something amiss in my previous message of 12th Jan, and here it is. The earlier resolution was not final, since the expiorer.exe later came back again. The resolution lies in deletion of another file under Windows along with its process, and this is 'ahmrpta.exe'. Actually this is again of the same size as expiorer.exe and notepad.exe, and the deletion of both files, i.e. expiorer.exe and 'ahmrpta.exe', simultaneously is very important. You know, when you terminate one of the processes and then go to delete the connected file under Windows, the other file copies itself to the deleted filename and immediately activates itself. So the steps are:


    1. Open My Computer, go to the Windows folder and bring both files into view (they are close to each other in order). Select them with the Control key. Leave them there and start Task Manager.


    2. Terminate the processes one after the other in succession, i.e. expiorer.exe and ahmrpta.exe.


    3. Immediately click on the title bar of the My Computer window to make it active.


    4. The files selected earlier should still be highlighted; Shift+Delete them immediately. (Remember not to click in the centre of the window, else the files will be unselected.)


    This is the final solution to this "EXPIORER" problem. I have thoroughly tested this.


    Regards,


    Pankaj Dhir
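The posts above hinge on two observations a defender can turn into a check: the malicious files use a look-alike name for a Windows system binary (expiorer.exe with an "i" in place of the "l" of explorer.exe), and the dropped copies share an identical byte size with notepad.exe. The script below is an added example, not code from this thread or from Bitdefender; it runs the same two heuristics over a constructed file inventory (the names are taken from the posts, the byte sizes are made up) so the logic can be exercised offline. On a real machine the inventory would come from listing %WINDIR% and %WINDIR%\system32; everything else is independent of the platform.

```python
"""Flag file or process names that masquerade as Windows system binaries.

Added example for the thread above; not the forum's or Bitdefender's code.
The inventory is constructed: names come from the posts, sizes are made up.
"""

# Short list of legitimate Windows binary names (assumption: extend as needed).
KNOWN_BINARIES = {
    "explorer.exe", "notepad.exe", "svchost.exe", "lsass.exe",
    "csrss.exe", "winlogon.exe", "services.exe",
}

# Characters that look alike in the usual Explorer / Task Manager fonts.
CONFUSABLE_GROUPS = ["il1|", "o0", "s5", "e3"]

# Constructed inventory of (name, size_in_bytes); sizes are NOT real values.
SAMPLE_INVENTORY = [
    ("explorer.exe", 1032192),
    ("notepad.exe", 69632),
    ("expiorer.exe", 69632),   # look-alike name from the thread
    ("ahmrpta.exe", 69632),    # companion file from the thread
    ("svchost.exe", 14336),
]


def _confusable(a, b):
    """True if characters a and b are identical or visually confusable."""
    if a == b:
        return True
    return any(a in g and b in g for g in CONFUSABLE_GROUPS)


def edit_distance(s, t):
    """Plain Levenshtein distance (insert, delete and substitute cost 1)."""
    prev = list(range(len(t) + 1))
    for i, cs in enumerate(s, 1):
        cur = [i]
        for j, ct in enumerate(t, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (cs != ct)))
        prev = cur
    return prev[-1]


def classify_name(name, known=KNOWN_BINARIES, max_distance=1):
    """Return (verdict, mimicked_name) for a file or process name.

    verdict is 'exact' (a known binary), 'homoglyph' (same length, only
    look-alike characters swapped), 'near-name' (within max_distance edits)
    or 'unknown' (no resemblance to any known binary).
    """
    name = name.lower()
    if name in known:
        return ("exact", name)
    for target in sorted(known):
        if len(name) == len(target) and all(_confusable(a, b) for a, b in zip(name, target)):
            return ("homoglyph", target)
    best = min(sorted(known), key=lambda t: edit_distance(name, t))
    if edit_distance(name, best) <= max_distance:
        return ("near-name", best)
    return ("unknown", None)


def size_twins(inventory, reference="notepad.exe"):
    """Names other than `reference` whose byte size equals the reference's size.

    This is the second observation from the thread: the dropped files were
    byte-for-byte the size of notepad.exe.
    """
    sizes = {n.lower(): s for n, s in inventory}
    ref_size = sizes.get(reference.lower())
    if ref_size is None:
        return []
    return sorted(n for n, s in sizes.items() if s == ref_size and n != reference.lower())


def triage(inventory):
    """Collect every name that mimics a known binary without being one."""
    findings = []
    for name, size in inventory:
        verdict, target = classify_name(name)
        if verdict in ("homoglyph", "near-name"):
            findings.append({"name": name, "verdict": verdict, "mimics": target, "size": size})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['name']}: {f['verdict']} of {f['mimics']} ({f['size']} bytes)")
    print("same size as notepad.exe:", size_twins(SAMPLE_INVENTORY))
```

The homoglyph check is the stronger signal: a same-length name that differs from a system binary only in confusable characters is almost never legitimate, whereas the size-twin list is only a lead (ahmrpta.exe is caught by size, not by name, which is exactly why the first set of removal steps in the thread missed it).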

  • Hi,


    Thank you all for your replies, especially pankajdhir's.


    I have solved this problem using RegRunSecuritySuit 5.8 to remove expiorer.exe and Smart Virus Remover 1.4 to resolve the hidden files and folders problem. However, I still generally use Bitdefender and hope Bitdefender could treat this trojan well.


    Later, maybe I will try pankajdhir's solution, thank you, pankajdhir :)


    I have additional information that may be relevant: this trojan may add two programs to auto startup:


    C:\Windows\system32\vamsoft.exe


    C:\Windows\system32\mmvo.exe


    Thank you.