Re: Unnown process... 5eplorer.exe
From: Colon Terminus (Colon_Terminus_at_hotmail.com)
Date: 09/24/04
- Next message: Colon Terminus: "Re: override computer password"
- Previous message: FGarvin: "Re: Missing Autoexec.nt file"
- In reply to: noone: "Re: Unnown process... 5eplorer.exe"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 24 Sep 2004 17:41:10 GMT
SUMMARY
=======
SUBJECT: CoolWWW spyware persistence and removal.
PROBLEM: Anti-spyware programs (e.g., Spysweeper, Ad-aware Pro, PestPatrol)
do not remove the cause (a "super"-hidden .dll program) but only remove
symptom files and registry settings.
From original posting by someone else: "This dll is loaded with very strange
file permissions. It has all permissions but 'copy' denied to everyone,
including administrators. This set of permissions makes the file completely
invisible inside windows. You cannot see it using File explorer or DOS
prompts like dir. It also can not have its attributes set so that you can
see it."
SOLUTION: Manual removal by using a revealing xfind.com error message,
then by using the Windows XP Recovery Console.
NOTE: the byte verifier patch does not protect against the latest variations
(6/24/04-7/7/04) of CoolWWW.
===============
MICROSOFT CULPABILITY
(1) Microsoft allows by design or by flaw the creation of "super"-hidden
files. FIX THIS MICROSOFT!!, then anti-spyware programs will be able to
find and remove this stuff.
(2) Also...Microsoft!! Fix the design flaws that allow anything to write to
the registry and place files on the computer as users browse the web with
IE. WHAT A JOKE!!! Guilty! Sentenced to 5 years of trying to remove
Coolwww without xfind or a clean install.
===============
INSTRUCTIONS
Step 1
Download xfind.com
(Note: at least a few programs are named xfind, so do not just search the
web and download any one of these. I did this and wasted time with
xfind.exe, which is not a bad program but not the one needed for our task.)
Download from here:
http://home.mnet-online.de/horst.muc/int/find23.zip (direct download of zip
file)
or
http://home.mnet-online.de/horst.muc/index.html (parent page of download;
click the "Find" link then download [9k])
Step 2
Install xfind.com (simply unzip it; I prefer running it from the c:\, and
so I dragged a copy of xfind.com to c:\, which is also called the "root"
directory).
Step 3
(a) Run xfind.com in a command line window. Click Start, Run, type CMD
(then click OK). A black window opens with a blinking white cursor. Type
cd \ or cd\ (I forget which) then press enter. The cursor should now show
"C:\" and not "C:\Windows."
(b) type this:
xfind "gibberishjdkfkd" c:\windows\system32\*.dll
(then press the "Enter" key on your keyboard).
("gibberishjdkfkd" can really be anything, but the results are clearer if
you type something strange so it won't be found inside any legitimate
files). We're hoping for an error message, not actually finding a file
containing the search text.
(c) Now wait.... If it comes back with a read error about a file, that's
good! The file it complained about is the evil program (.dll file). WRITE
the file name down EXACTLY as listed in the error message (for example,
Mofohell.dll).
From the original posting about this by someone else: "This dll is loaded
with very strange file permissions. It has all permissions but copy denied
to everyone, including administrators. This set of permissions makes the
file completely invisible inside windows. You cannot see it using File
explorer or DOS prompts like dir. It also can not have its attributes set so
that you can see it."
Step 4
Prepare to remove the evil program. This can't be done in normal Windows
nor in Safe Mode. Showing system and hidden files doesn't help. You must
restart in a special mode called the "Recovery Console," which is not
available until you install it separately.
(a) Find a Windows XP Home or Professional installation CD. While still in
Windows, insert the CD then exit any automatic window that appears.
(b) Click Start, Run, type the following:
d:\i386\winnt32.exe /cmdcons
(then click OK) and follow the instructions to install the Recovery Console
(click yes, ok, etc.). Restart the computer. (NOTE: if your CD drive is a
different letter than "d" type your CD drive's letter instead of "d.")
Step 5
Rename or delete the evil program from within the Recovery Console.
(a) Restart the computer and press the F8 function key before Windows starts
as if you're trying to get into Safe Mode.
Choose "Return to OS Menu" where you will see at least two choices:
"Windows XP Home" (or Professional) and "Recovery Console." Use the arrow
keys and Enter key to highlight and select "Recovery Console."
(b) When prompted, select the choice listing the Windows directory your
computer normally uses (usually "C:\Windows").
(c) When prompted, type the Administrator password (which might be blank on
your system) and press the Enter key.
You're now in the Recovery Console and can control the evil program file.
(d) Type cd \ (or CD\ -- I forget which), then cd windows , then
cd system32 , then (to confirm that it's present) type dir
MOFOHELL.dll (but substitute the name of the evil program you found
on your system). If it doesn't find anything, type this: attrib -h
MOFOHELL.dll (and press Enter), then type this: attrib -r MOFOHELL.dll
(and press Enter).
(e) Rename or delete it. I renamed it to be really safe in case it was
something good (doubtful). Type this:
ren mofohell.dll harmless.btch (substituting the name of your evil
program for mofohell.dll)
(then press the Enter key).
(f) type this:
dir harmless.btch
(then press Enter) to confirm it's there.
Step 6
Type this: EXIT (and press Enter) to reboot.
Press F8 to enter SAFE MODE as Windows starts.
Step 7
Use the registry editor to find the evil reference to the evil program, both
of which were hidden before renaming the latter.
(a) Click Start, Run, then type this: regedit (and click OK).
(b) Use the up-arrow and scroll to the top then click once on "My Computer"
then click the EDIT menu and click FIND. Type the name of the evil program
(e.g., mofohell.dll ) and click find. Delete the entry on the RIGHT side
of the window that contains the name of the evil program (e.g.,
mofohell.dll); click once on the evil name then tap the keyboard's DELETE
key ONCE. Click the EDIT menu and click "FIND NEXT" and repeat. If it is
not found, stop looking and exit the registry editor.
Step 8
Scan your entire computer using the anti-spyware programs you have (which
you updated BEFORE all of this). I prefer running at least two (Spysweeper
and Ad-aware Pro) -- one at a time, of course.
Step 9
Run HijackThis and delete any suspicious BHO entries and other known bad
stuff.
Step 10
Empty every Temp folder, Temporary Internet folder and Cookie folder on your
computer. Empty the Recycle Bin.
Step 11
Turn security up to high in the Internet Options control panel (HIGH for
every category: Internet, Local Area Network, Trusted Sites [delete any
trusted sites listed] and Restricted sites). Go to the Advanced tab and
click the button "Restore Defaults" then modify individual check box items
manually if you want; go to the Programs tab and click the button "Reset Web
Settings" but uncheck the "reset home page" prompt unless you like MS's
default page. Click OK.
Step 12
Utter the phrase, "Oooo Ahhhh, devilware, be GONE!" then spit out of the
window over your LEFT shoulder.
Step 13
Restart your computer.
Step 14
Go online and download other browsers to use for everything but Windows
Update. Download Firefox from mozilla.org and Opera from opera.com and
install both. They're safer than Internet Explorer (a.k.a., the Devil's
Helper).
To run Windows Update, first go to the Internet Options control panel,
Security tab, click the Internet category icon, then click the DEFAULT
button, then OK. Then run Windows Update. Afterwards, go back to the
Internet Options control panel and slide the security back up to HIGH for
the Internet category, then click OK, and continue using Mozilla's Firefox
and/or Opera for web browsing.
Step 15
Delete the renamed evil program (e.g., harmless.btch), which Spysweeper will
identify as coolwww even with its different name.
It's as simple as that!
As simple as 1,2,3ab,4abc,5abcdef,6,7ab,8,9,10,11,12,13,14,15!!!
Total elapsed time: 45 minutes to 1.5 hr depending on the number of files
your anti-spyware programs scan.
Step 16 (optional)
Buy a Mac, which doesn't have spyware problems, and throw away your
vulnerable Windows PC.
================
================
NOTE:
None of these solutions are mine. The fix of using xfind was from an online
posting that a client found and emailed me. Here's the full text of that
posting:
"Coolweb is a 2 stage infection. This fix is not for inexperienced users.
You need to understand how to use the recovery console and also the registry
editor. Everything here is for a W2K install which is what I have. Should be
similar for XP.
First how the infection works:
1) A small dll is loaded onto your machine in the \winnt\system32
directory. I do not know the method of infection. My machine had the
ByteVerifier patch so it wasn't through that backdoor.
2) This dll is loaded with very strange file permissions. It has all
permissions but copy denied to everyone, including administrators. This set
of permissions makes the file completely invisible inside windows. You can
not see it using File explorer or dos prompts like dir. It also can not have
its attributes set so that you can see it.
3) This little dll (resaf.dll on my machine, but probably different on each
install) hooks itself to the HKLM/Software/CurrentVersion/WindowsNT/Windows/AppInit_DLLs
registry key. Of course you can't see
the entry and searching for it will reveal
nothing. Probably uses the same permissions trick but I was unable to verify
this.
4) Once this dll is running it can do whatever it wants. What it does is
load a full set of secondary infection files. It
creates a file in your temp directory called sp.html. This is the file that is
displayed each time you start IE. It also creates a bunch of registry
entries to enforce this as the start page.
5) Next a second dll is loaded. This one you can see and remove. Of course
it just comes back a few hours later. Not sure what this does.
6) Latest cut of Adaware gets rid of all of the secondary infections, but is
unable to find the primary infection. After about 2-3 hours the infection
just keeps coming back.
How to get rid of this.
1) You need a tool to find the nasty dll. A tool called "xfind" ( find it
here http://home.mnet-online.de/horst.muc/index.html) does a text search for
a string within all files in the \winnt\system32 directory. Run it from the
command line as XFIND "anything" C:\winnt\system32\*.dll. It turns out that
the string itself is unimportant, it is the fact that this utility is unable
to open the file that reveals the dlls identity. The utility posts an unable
to read resaf.dll notice. This is your first clue.
2) Run adaware with the latest reference file and cleanup the secondary
infection. Run it until no further infection is found. It may take a couple
of passes.
3) Now you know the name of the file we need a way to get rid of it. Not
possible inside Windows that I can see. Tried killbox and other programs but
they are not able to find it. Using your original windows cd, start the
recovery console.
This is done by booting from the cd and then when it finishes loading
selecting R for repair and C for recovery console. Log in as requested and
you are at a command prompt. The file can now be seen using dir. I just
renamed it at this point in case I was wrong and it was a real windows file.
I could then get it back if I needed it.
4) Restart the machine in windows. Using regedit, search for the
AppInit_DLLs key. The value will now be visible. Delete the value, not the
key!
5) The dll will now also be visible and can be deleted.
6) Run adaware one more time to make sure all of the secondary infection is
gone and you're done.
I would like to thank the dedicated folks at adaware, I could not do without
them. Also the kind folks who wrote the utilities I used to get this thing
off. Good luck.
"noone" <none@> wrote in message
news:jg63l05u7m5ns6ah0agqpag8nju850sanr@4ax.com...
> On Tue, 21 Sep 2004 14:20:02 -0400, noone <none@> wrote:
>
> Thank you for your suggestions, but......
>
> I have now used:
> Norton Antivirus
> AVG antivirus
> SpyBot
> McAfee Antivirus
> Stinger
> Adaware
>
> All with no luck.
>
> I hate to do it because of the time involved, but I guess it's
> reformat time. Although I have spent more than a few hours looking
> for a legitimate solution that would be usable the next time.
>
> Ralph
>
> >
> >I have a computer that is running W2K which is running poorly. I have
> >found a suspicious process running called "5eplorer.exe."
> >
> >More suspiciously, this does not show up when I do a file search even
> >with show all files checked.
> >
> >I have deleted references to it in the registry, but it keeps
> >returning.
> >
> >Two questions:
> >
> >1. Why can't I find it?
> >2. Is this a problem file?
> >
> >Thank you,
> >
> >Ralph
>
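The xfind trick in Step 3 works because a file that an attacker has locked down with deny permissions still produces an access error when something tries to read it, even if it stays out of directory listings, and the original poster traces persistence to the AppInit_DLLs value. The following is an added example, not code from the posting or from xfind, that automates both checks as a triage script; it assumes Windows PowerShell 5.1 or later run from an elevated prompt, and the function name and default directory are choices made here.

```powershell
# Added example; not from the original posting or any tool it names.
# Assumes Windows PowerShell 5.1+ in an elevated prompt. Find-UnreadableDll
# and its default directory are choices made here, not anything on the page.
function Find-UnreadableDll {
    param([string]$Dir = (Join-Path $env:SystemRoot 'System32'))

    $suspects = @()
    # Enumerate every DLL, hidden and system ones included, and try to open
    # each one. A file that is listed but refuses to open even for an
    # administrator is the "all permissions denied" behaviour the thread
    # describes; it is the same signal xfind's read error gave the poster.
    $files = Get-ChildItem -LiteralPath $Dir -Filter '*.dll' -Force -File -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        try {
            $fs = [System.IO.File]::OpenRead($file.FullName)
            $fs.Dispose()
        } catch [System.UnauthorizedAccessException] {
            $suspects += $file.FullName
        } catch {
            # Sharing violations and similar are noise on a live system; keep
            # them out of the suspect list but show them with -Verbose.
            Write-Verbose ("Other error on {0}: {1}" -f $file.FullName, $_.Exception.Message)
        }
    }
    return $suspects
}

# Report each suspect with any explicit Deny entries in its ACL (when the ACL
# itself can be read; on the file described in the thread it may not be).
foreach ($path in Find-UnreadableDll) {
    Write-Output "Unreadable DLL: $path"
    try {
        (Get-Acl -LiteralPath $path).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object { Write-Output ("  Deny ACE: {0} -> {1}" -f $_.IdentityReference, $_.FileSystemRights) }
    } catch {
        Write-Output "  (ACL not readable: $($_.Exception.Message))"
    }
}

# The persistence point the original poster identified. Every DLL named in
# AppInit_DLLs is loaded into each process that loads user32.dll, so on a
# clean machine the value is normally empty.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { Write-Output "AppInit_DLLs is set: $appInit" }
else          { Write-Output "AppInit_DLLs is empty." }
```

An unreadable DLL is a lead, not a verdict: confirm it against a known-good copy of the file before renaming or deleting it from the Recovery Console, as the poster did.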