devicenull
Cadet
Joined: May 02, 2004
Posts: 3
Location: USA
Posted: Sun May 02, 2004 5:12 am Post subject:
OK, I had this crap and didn't notice it till I saw it on the taskman.
Full description of what was going on:
For a while, I was hearing clicks of pages loading, but there was no explorer window open. Then the system would lag after a while.
It was attempting (and probably succeeding) to upload passwords to http://golddirectory.us/php (feel free to do whatever you want to this site) in the form of a file called pstor.tmp which was located in the C:\TMP directory. In addition, there was a file which contained the same information in the C:\Windows and C:\Windows\System32 directories, but with seemingly random names. There was an attempt being made every 10 minutes to upload information. Fortunately for me, all passwords in the file were forum passwords and nothing critical. I have been unable to find the actual file which is causing this, but I have a hunch it has something to do with foqmpb.exe located in C:\Windows. This file was oddly modified on 4/7/2004, shortly before the problems began. Removal of this file results in the inability to run programs.
My hunch is based on the fact that every time I now run a program, foqmpd.exe crashes and I get an error message notifying me of this fact.
My solution:
After locating the pstor.tmp file, I searched my entire hard drive for files which contained one of the passwords and investigated them. Then, I allowed the program to attempt an update. It regenerated all the files. Altering the information in the pstor.tmp file resulted in it being rewritten during the next update attempt.
So, I did the following:
I deleted all content of the offending file and saved it as empty. Next, I set the file as system and read only, then restricted all access to the file.
The program does not attempt to upload if the file is empty.
Attached is my foqmpd.exe file if anyone wants to peek at it.
Attachment: foqmpd.exe.txt (60.83 KB, downloaded 34 time(s))
DDM
Cadet
Joined: May 01, 2004
Posts: 3
Location: USA
Posted: Sun May 02, 2004 2:21 pm Post subject:
I still haven't found any files with passwords in them,
and Smax, I downloaded the fix, ran it in safe mode........ and it didn't find anything and the problem is still here. Thanks for the effort though.
DDM
Cadet
Joined: May 01, 2004
Posts: 3
Location: USA
Posted: Sun May 02, 2004 8:24 pm Post subject:
Okay, well, I've come to terms and I'm formatting my PC,
but I can't have it done until next Saturday (it's Sunday).
Is it safe to live with this thing for a week?
Smax
Trooper
Joined: May 01, 2004
Posts: 12
Location: USA
Posted: Mon May 03, 2004 7:50 am Post subject: Up to you i guess
That sux that the fix didn't work for you. I know for a fact that Norton Antivirus can detect and remove this particular hook dll and exe.
You can try it manually if you like.
(Do you get any notices when shutting down of any tasks that are failing to be ended by Windows? I mean "Ending program.... please wait...." with some strange-sounding "empgei32.exe" or something equally strange.)
If you therefore need to know the name of the exe that might be a problem, try using the free online virus and trojan scanners at Symantec.
http://security.symantec.com/ssc/
Give that a go.
See what it finds. If you are unable to remove the infected exes and whatnot in Windows, try safe mode; that should handle it.
Let me know if you still have any trouble.
Smax
Trooper
Joined: May 01, 2004
Posts: 12
Location: USA
Posted: Mon May 03, 2004 8:09 am Post subject:
Devicenull,
Bad news is.......
It looks like you're infected with PWsteal.Bancos.gen.
Info on this:
http://www.sarc.com/avcenter/cgi-bin/virauto.cgi?vid=39388
Good news is...........
If it's a known trojan, then it means it has been handled in an update.
If you are unwilling to purchase products like Norton Antivirus or whatnot, try
AVG Antivirus, and update it immediately:
http://www.grisoft.com/us/us_dwnl_free.php
If you already have Norton Antivirus installed, update it.
Hope this helps.
devicenull
Cadet
Joined: May 02, 2004
Posts: 3
Location: USA
Posted: Mon May 03, 2004 10:26 pm Post subject:
AVG is annoying and pisses me off. In fact, most antivirus software pisses me off. 99.9% of all viruses and worms are caught by idiots who use P2P in an over-trusting manner, or open email attachments. The last virus I caught was due to an Explorer exploit which basically just downloaded tons of crap and installed it while eating all the cycles to a point where the machine became unresponsive. Took a good 2 hours to clean it all up. They were nice enough to throw a virus in there too, but it was obvious and I killed it.... There is more than likely more crap running around loose on my system, and I am scanning now.. yay online Symantec scanning.
I know my system files intimately, as well as their dates... when something is out of place, I notice it and search for more crap with the same date.
devicenull
Cadet
Joined: May 02, 2004
Posts: 3
Location: USA
Posted: Mon May 03, 2004 11:30 pm Post subject:
lol, it is xadz. It attached itself to the exefile keys in the registry, so it tries to run with every program rather than just at startup. And deleting the program fucks Windows. Manual removal works; anti-virus software either fails or screws up Windows.
Ever since screwing up the dll file it needed, it has been crashing on every execution attempt. So, now I just have to clean up the mess it left.
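The "exefile keys" persistence devicenull describes can be checked directly. The PowerShell below is an added example, not code from the thread: it reads the registry values that decide how Windows launches any .exe and flags anything other than the stock handler.

```powershell
# Added example, not from the thread: audit the registry keys that tell Windows how to
# launch any .exe. The trojan devicenull describes rewrote these so its loader ran
# with every program, which is also why deleting the loader broke program launches.
function Test-ExeFileHandler {
    # Windows default for the 'open' verb of the exefile class.
    $expected = '"%1" %*'
    # HKCR is a merged view of the HKLM and HKCU Classes hives; a per-user HKCU entry
    # overrides the machine-wide one, so all three are checked.
    $keys = @(
        'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command',
        'Registry::HKEY_CURRENT_USER\SOFTWARE\Classes\exefile\shell\open\command'
    )
    foreach ($key in $keys) {
        $isUser = $key -like '*CURRENT_USER*'
        if (-not (Test-Path -LiteralPath $key)) {
            # No HKCU override is the normal state; a missing machine-wide key is not.
            $status = if ($isUser) { 'absent (normal)' } else { 'MISSING' }
            [pscustomobject]@{ Key = $key; Value = $null; Status = $status }
            continue
        }
        # GetValue('') reads the (Default) value. A hijack usually wraps the original,
        # e.g. "C:\Windows\loader.exe" "%1" %*, so the whole string is compared.
        $value = [string](Get-Item -LiteralPath $key).GetValue('')
        $status = if ($value.Trim() -eq $expected) {
                      if ($isUser) { 'present (per-user override, unusual)' } else { 'ok' }
                  } else { 'HIJACKED?' }
        [pscustomobject]@{ Key = $key; Value = $value; Status = $status }
    }
    # The .exe extension itself must still map to the exefile class.
    $assoc = [string](Get-Item -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.exe').GetValue('')
    $status = if ($assoc -eq 'exefile') { 'ok' } else { 'REDIRECTED?' }
    [pscustomobject]@{ Key = 'HKCR\.exe'; Value = $assoc; Status = $status }
}

Test-ExeFileHandler | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt. If the open command is hijacked, the loader it points to has to be dealt with before the value is restored to the default, otherwise every .exe launch fails, which is the crash devicenull saw.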
BeenInfected
Cadet
Joined: Apr 28, 2004
Posts: 2
Location: USA
Posted: Tue May 04, 2004 11:03 pm Post subject: Belated Thanks to Subliminal
I found the hyb32.dat file. I noticed the same strange behaviour with an old password I swear I haven't used... for Fantasy Football, so the season has been over for months.
Well, I got rid of that file. Although no processes are running anymore, I'm fairly certain it sent those passwords off somewhere when it was running. Changed the passwords in the file, but it still is scary.
laziauzz
Cadet
Joined: May 10, 2004
Posts: 1
Location: USA
Posted: Mon May 10, 2004 4:49 pm Post subject:
With some help I was able to remove the xiepo$ter2 process that runs when you log on.
I downloaded a trial version of THE CLEANER from moosoft.com and scanned the PC. It took about 30 min, but once done, it found aristotles and tenget and deleted those two trojans. I had to remove a pjdnnc.exe that was stopping the PC from rebooting correctly. Once that was cleared I rebooted and it logged on fine. Good luck!!!!
RobAlb
Cadet
Joined: May 22, 2004
Posts: 1
Location: USA
Posted: Sat May 22, 2004 4:13 am Post subject:
Hello. This is the first time I've ever posted to this and I'm here because Tony or someone may be able to help me with the xIEPo$ster thing that keeps popping up on my computer.
Is the best course of action to go through the process of showing hidden and operating system files and then saving the contents of the quote box to Notepad... as Tony recommended?
Sounds good... my only problem is once I save that stuff as Remove.reg in Notepad... I'm not able to "Doubleclick Remove.reg and answer yes" because once I've saved it, I can't find it to double-click it. I'm quite the novice at this, by the way... but your help is much appreciated!
desktopsecurity
Cadet
Joined: May 22, 2004
Posts: 1
Location: UK
Posted: Sat May 22, 2004 7:59 pm Post subject: This xIEPo$ster thing ...
Hi all,
First of all let me say that I'm a pretty experienced PC user and I take all precautions with my internet security. I was therefore alarmed to be struck by something unknown!
I was browsing the web one evening and my firewall gave an alert saying an unknown .exe file was trying to access the net, so I blocked it and logged off right away to investigate further. Turned out that a new 63.7 kb file had been created in my Windows/System32 folder called Boodgbai.exe.
My anti-virus was running and up to date but that didn't pick it up as a virus, so I scanned for spyware with Ad-Aware and Spybot-S&D, but they didn't turn up anything either. I opened the Windows Task Manager but there was no trace of the .exe file actually running, but it wouldn't let me delete the file either. After rebooting the PC there was still no trace of it in any utilities I used, so it seemed to be "hiding" itself, but I knew it was still running somehow. I also scanned the registry but could find no reference to the Boodgbai.exe file. Neither could I find any links that were making it automatically load on starting Windows.
I managed to remove the .exe file by rebooting to the command prompt and deleting the file, then rebooting into Windows, but I don't know what other files it may have left behind. After some searching I found another small 6 kb file in my Windows/System32 folder with the same date/timestamp called Koknogdl.dll. I opened it in a text editor and it has some reference to Boodgbai inside, but I don't know what else it was doing. I also found 2 more randomly-named .exe files the same size as the original Boodgbai file in my Internet Explorer folder, although these didn't appear to be running and I deleted them OK.
I scanned through my internet browser history and found 3 files/processes shown as X-okRecv11 ...
http://65.75.141.210/_php/piplog.php
http://65.75.141.210/_php/ppsloc.php
http://65.75.141.210/_php/ppslog.php
I also found 2 more of the same later when I logged on again (before I managed to delete the .exe file).
I also found from "My Computer" that 23 files had been created and maybe(?) submitted to the above address. They were all titled xIEPo$ster followed by a number. Further investigation showed that these were .htm files created in a temp directory, but they were deleting themselves automatically afterwards. I managed to find one it left behind and that confirmed it was submitting info from my system to the above web address, in some kind of script/form. Although I had blocked the original threat in my firewall immediately, this still seemed to be accessing the net to submit this info somehow. But I haven't been able to find how it was doing it or what data it was actually sending out.
Like others that have posted on this forum, I too found a .dat file in my Windows/System32 folder that held a load of personal information. It went right back to when I first had this PC, so included far too much data that I wouldn't like to be sent out! But I'm assuming that this spyware/trojan or whatever it is has been leaking details, so naturally I'm freaking out at the possible consequences!!!
Has anyone found out any definite details of what the xIEPo$ster files were sending out? Was it parts of the .dat file it created? Or was it gathering information from elsewhere? And where on earth did it generate all the data from for the .dat file in the first place? And where did it come from? I don't use any file-sharing programs and it definitely didn't come through my e-mail, so I'm assuming it got in through a webpage, which is a worrying thought.
Now I know the advice some have already given out ... format your hard drive, change all your passwords, etc ... but really that is going to take me weeks to re-install all my programs and work, so I don't want to do that unless I have no other choice. And there's no guarantee that I won't pick up the same bug along the way again! Also, I don't want to risk logging into all my online accounts and changing my passwords at the moment as I'm not certain that my system is 100% clean. What if there's still something left behind logging my details?
It's not a very nice position to be in right now, not knowing what to do for the best. Any further info would be much appreciated, thanks!
Oh, finally ... I'm too worried to upload any new files to my website for the moment as I thought, what if there's a possibility of the spyware getting on there while I FTP the files? Anyone come across anything like this? What if the trojan spreads this way? That will mean I can't update anything on my site until I'm certain I'm not going to do any further damage.
Sorry for such a long mail but I wanted to explain my findings in as much detail as possible. Thanks for this excellent forum!
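The "same date/timestamp" pivot desktopsecurity used to find Koknogdl.dll next to Boodgbai.exe (and that devicenull describes as searching for "more crap with the same date") can be scripted. This PowerShell is an added example, not part of the thread; the suspect path and the time window are assumptions.

```powershell
# Added example, not from the thread: given one suspect file, list neighbours in the same
# directory whose creation or last-write time falls within a few minutes of it, the
# timestamp pivot desktopsecurity used to find Koknogdl.dll beside Boodgbai.exe.
function Find-TimestampSiblings {
    param(
        [Parameter(Mandatory)] [string] $SuspectPath,
        [int] $WindowMinutes = 10   # assumed window; widen if the dropper staged files slowly
    )
    # -Force so hidden/system files (a common disguise) are not skipped.
    $suspect = Get-Item -LiteralPath $SuspectPath -Force
    Get-ChildItem -LiteralPath $suspect.DirectoryName -File -Force |
        Where-Object { $_.FullName -ne $suspect.FullName } |
        ForEach-Object {
            $dCreate = [math]::Abs(($_.CreationTime  - $suspect.CreationTime).TotalMinutes)
            $dWrite  = [math]::Abs(($_.LastWriteTime - $suspect.LastWriteTime).TotalMinutes)
            if ($dCreate -le $WindowMinutes -or $dWrite -le $WindowMinutes) {
                # Authenticode status separates unsigned droppers from signed OS files that
                # happen to share a timestamp (e.g. files written by the same Windows update).
                $sig = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                [pscustomobject]@{
                    Name          = $_.Name
                    SizeKB        = [math]::Round($_.Length / 1KB, 1)
                    CreationTime  = $_.CreationTime
                    LastWriteTime = $_.LastWriteTime
                    Hidden        = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    Signature     = $sig
                }
            }
        } | Sort-Object CreationTime
}

# Assumed path; Boodgbai.exe is the name desktopsecurity reported in System32.
Find-TimestampSiblings -SuspectPath "$env:SystemRoot\System32\Boodgbai.exe" | Format-Table -AutoSize
```

Unsigned, recently created or hidden entries in the output are the ones worth a closer look; a Valid signature on a Microsoft file is the usual explanation for an innocent timestamp match.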
Del_Del
Cadet
Joined: May 30, 2004
Posts: 1
Location: Australia
Posted: Sun May 30, 2004 8:52 pm Post subject: Nasty little details stealer.
I concur with desktopsecurity.
My infection of xIEpo$ter was sending information to an IP which had directory browsing enabled.
The three files being logged on this site were:
ctlog.txt - Advanced personal details and passwords stolen from numerous computers world-wide.
iplog.txt - Mapping of IP to unique ID
pslog.txt - Basic personal details stolen from numerous computers world-wide.
This is a nasty little Trojan. I wish I knew how I got it!
BTW... does anyone have a copy of the ###32.exe and ###32.dll files that it creates in the system / system32 directories? If so, please submit these through to Symantec so a fix can be created. None of the fixes suggested so far have worked on my system and none of the Symantec detection tools can pick it up.
Saler
Cadet
Joined: Jun 09, 2004
Posts: 2
Location: Canada
Posted: Wed Jun 09, 2004 1:53 pm Post subject:
Hello, total computer neophyte here. Is there someone here who could help me with this virus? I have gone to page 1 and ran the HijackThis program, but I am not sure if the fix that tonyklein gave (copying the quote) is the right fix for everyone. Anyways, some help would be appreciated.
Saler
Cadet
Joined: Jun 09, 2004
Posts: 2
Location: Canada
Posted: Wed Jun 09, 2004 2:42 pm Post subject:
Hello again. I ran the solution that tonyklein mentioned on page 1 (copying the quote into Notepad and adding it to the registry), but it didn't seem to help. When I start up my computer and go on the internet, in my internet history I get x-kovrecv11 under an IP # and a My Computer file comes up
with files such as xIEPo$ter3 and xIEPo$ter5 etc. Driving me insane. Thanks for any help.
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops