pe.exe - pe.bat and pe

Discussion in 'malware problems & news' started by brucemc, Mar 14, 2005.

Thread Status:
Not open for further replies.
  1. brucemc

    brucemc, Registered Member (Joined: May 27, 2004; Posts: 44)
    I searched the forum for pe.exe and ended up posting a comment to an old discussion on upnpclient. Great, I have at least two problems...

    Today I believe I visited a nasty website. Firefox (1.01) blocked its attempt to run a potentially malicious program, but I suspect it left me a gift. Just a little later when I went to run Control Panel, Process Guard intercepted something called ps.exe trying to run, and anytime I now try to run CP it somehow wants to also start ps.exe. I disallowed it (and I'm not even a brain surgeon) and took a look at it over in my \system32\ subdirectory, where it and a couple of its buddies - ps.bat and ps - had an install date of today.

    Each time I delete them then start Control Panel they are reinstalled to the same directory and ps.exe tries to run. Google shows nothing of value on this, and neither Norton, LavaSoft, A Squared nor MS Malware beta see it as a problem. The one line in the batch file is "C:\WINDOWS\system32\ps.exe" > "C:\WINDOWS\system32\ps" - the quotes are a part of the actual statement in the file.

    Anyone else run into this puppy? If it's legit I don't understand why I have not seen it before, nor do I understand its behaviour, so I suspect it's a nasty.

    And for the heck of it, has anyone identified what the heck upnpclient (stress "client" this is NOT the upnp service WXP normally comes with) is all about?
     
  2. TopperID

    TopperID, Registered Member (Joined: Oct 1, 2004; Posts: 1,527; Location: London)
  3. brucemc

    brucemc, Registered Member (Joined: May 27, 2004; Posts: 44)
    There wouldn't happen to be a "Cliff Notes" version on what the heck I have to do to get rid of this bugger, would there? And also, how the heck can this have been out there since at least Nov. 2004 and still to date not one of my scanners picks up on it o_O I even point them right at the darn files and they all come back fine. At first I thought "Well, if I am screwed, at least maybe I found something new", but this has been out there for quite some time! A gentleman from Eset asked me for a copy of these files (the "ps" crew) so I guess they are on it, but isn't it a bit amazing that these have had this much exposure for this long in a forum that is well recognized by the internet community, and still all these scanners continue to be clueless as to it being malware o_O Please someone give me a reasonable explanation. Oh yeah, and the "Cliff Notes" edition of what I have to do to rid myself of this lousy thing...
     
  4. Happy Bytes

    Happy Bytes Guest

    It's a password extractor for Outlook email accounts.
    This file should not be detected as malware, maybe as so called riskware.

    It does print the passwords for Outlook DB into a console window.
    However, this could be combined by a malware with:

    PE.EXE >C:\LOG.LOG and then transferred to the hacker.

    As a standalone program this file is not malicious and should not be considered as malware. But in your case I think something is dropping it to take advantage of this 'feature' to get passwords and cached internet cookie information.

    This file is packed by UPX and patched.

    Cheers.
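
A defender-side check for the pattern described in this thread, a dropped batch file that runs an executable and redirects its console output to a file (added example, not code from any poster). The scoring, the reason strings and the function names are assumptions, and the two sample batch contents are constructed from the command lines quoted in posts 1 and 4.

```python
import re
from pathlib import PureWindowsPath

# <exe> [args] > <target>; exe and target may be quoted. "2>" (stderr only) is skipped.
REDIRECT = re.compile(
    r'^\s*@?(?:"(?P<qexe>[^"]+\.exe)"|(?P<exe>[^\s">]+\.exe))'
    r'(?P<args>[^>]*?)\s*(?<!2)>>?\s*'
    r'(?:"(?P<qout>[^"]+)"|(?P<out>[^\s"]+))\s*$',
    re.IGNORECASE,
)

def in_system_dir(path):
    return "\\system32" in str(path.parent).lower()

def inspect_batch(text):
    """Return (line_no, score, reasons) for each line that captures an .exe's stdout to a file."""
    lines = [l for l in text.splitlines() if l.strip()]
    findings = []
    for no, line in enumerate(lines, 1):
        m = REDIRECT.match(line)
        if not m:
            continue
        exe = PureWindowsPath(m["qexe"] or m["exe"])
        out = PureWindowsPath(m["qout"] or m["out"])
        if out.name.lower() == "nul":      # output discarded, nothing is captured
            continue
        reasons = ["exe stdout captured to file"]
        if in_system_dir(out):
            reasons.append("capture file written under system32")
        if out.stem.lower() == exe.stem.lower():
            reasons.append("capture file named after the exe")
        if not out.suffix:
            reasons.append("capture file has no extension")
        if len(lines) == 1:
            reasons.append("batch file contains only this command")
        findings.append((no, len(reasons), reasons))
    return findings

# Constructed samples: the one-line batch file from post 1, and a mixed script
# containing the generic form from post 4 next to ordinary commands.
DROPPED_BAT = r'"C:\WINDOWS\system32\ps.exe" > "C:\WINDOWS\system32\ps"'
MIXED_BAT = r"""@echo off
ping.exe -n 2 127.0.0.1 >nul
PE.EXE >C:\LOG.LOG
echo done > status.txt"""

if __name__ == "__main__":
    for name, text in (("ps.bat", DROPPED_BAT), ("mixed.bat", MIXED_BAT)):
        print(name, inspect_batch(text))
```

A high score is a triage hint for manual review, not a verdict; legitimate scripts also capture program output to files.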
     
  5. brucemc

    brucemc, Registered Member (Joined: May 27, 2004; Posts: 44)
    Alone this is true; however, after reading the other thread I see it is packaged along with some other programs (upnpclient, for example) that are to transmit this information, apparently, to someone. Not one of the detection programs out there, whether virus, adware, malware or whatever they care to call themselves, detected any phase of this thing whatsoever. If I didn't have Process Guard and a good sw firewall (read "not MS") I would have been far more the victim than simply the aggravation from some unfortunately pathetic person out there. I write this with the entire thread of https://www.wilderssecurity.com/showthread.php?t=54750&page=2&pp=25 to be included as part by reference.
     
  6. TopperID

    TopperID, Registered Member (Joined: Oct 1, 2004; Posts: 1,527; Location: London)
    Brucemc,

    Others have referred to ps.exe in connection with this thing, as indeed do you in post 1 above, so where does pe.exe come into it?
     
  7. brucemc

    brucemc, Registered Member (Joined: May 27, 2004; Posts: 44)
    In my fat fingers hitting the wrong keys...
     