Velocity Reviews - Computer Hardware Reviews

"barcode"trojan ?

tarquinlinbin
      04-19-2004
Hello,
it might be me who's getting paranoid, but I'm convinced something is
not right. NIS flagged up:

outbound tcp connect

remote address is www.superdomen.fig (217.69.122.26) http (80)

process name is c:\windows\system32\sspool.exe

I blocked it. Checking the NIS log file, sometimes the above remote IP
is 217.69.116.217.

sspool.exe is not a legit file as far as I know. Looking in the sys32
folder, it was pretending to be a screensaver and its icon was a
barcode picture. I had to reboot in safe mode to delete it, as access was
denied otherwise.

A couple of weeks ago the same thing happened, only this time it was
called mspool.exe, again with a barcode icon, not a legit file.

My main problem is how are these items appearing in my sys32 folder?
I'm convinced that there is some kind of morphic trojan/virus but
NIS/NAV doesn't flag it, also I can't find any info on the above IP
numbers.

Does this sound familiar to anyone?

joe
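As an added example (not code from any poster in this thread), here is a small Python triage script for egress alerts of the kind joe pasted. It parses the process path and remote address out of each alert line, checks the binary name against an allowlist of system32 processes that are expected to make outbound connections, flags names that closely resemble a legitimate one (sspool and mspool sit very near spoolsv.exe, the real Windows print spooler binary), and groups the remote IPs each process has contacted so a binary that keeps calling out to several addresses stands out. The alert line layout, the allowlist and the fourth sample line with its host and IP are constructed assumptions, not real Norton Internet Security log output.

```python
import re
from difflib import SequenceMatcher

# Constructed alert lines in the shape of the NIS pop-up described in the
# thread. Not real NIS log output; the fourth line's host and IP are
# placeholders (192.0.2.0/24 is a documentation range).
SAMPLE_ALERTS = [
    r"outbound tcp connect remote address is www.superdomen.fig (217.69.122.26) http (80) process name is c:\windows\system32\sspool.exe",
    r"outbound tcp connect remote address is www.superdomen.fig (217.69.116.217) http (80) process name is c:\windows\system32\sspool.exe",
    r"outbound tcp connect remote address is www.superdomen.fig (217.69.122.26) http (80) process name is c:\windows\system32\mspool.exe",
    r"outbound tcp connect remote address is update.example.invalid (192.0.2.10) http (80) process name is c:\windows\system32\svchost.exe",
]

# Hypothetical allowlist of system32 binaries expected to talk outbound.
# A real baseline is built from a known-clean machine of the same build.
BASELINE = ["svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe"]

# Assumed alert layout: "remote address is HOST (IP) SERVICE (PORT) process name is PATH"
ALERT_RE = re.compile(
    r"remote address is (\S+) \((\d+\.\d+\.\d+\.\d+)\) \S+ \((\d+)\) "
    r"process name is (\S+)",
    re.IGNORECASE,
)


def parse_alert(line):
    """Pull host, IP, port and process path out of one alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    host, ip, port, path = m.groups()
    path = path.lower()
    return {
        "host": host,
        "ip": ip,
        "port": int(port),
        "path": path,
        "name": path.rsplit("\\", 1)[-1],   # file name after the last backslash
    }


def closest_baseline(name):
    """Return the baseline name most similar to `name` and the similarity ratio."""
    best, score = None, 0.0
    for candidate in BASELINE:
        ratio = SequenceMatcher(None, name, candidate).ratio()
        if ratio > score:
            best, score = candidate, ratio
    return best, score


def triage(line, lookalike_threshold=0.6):
    """Classify one alert: a baseline process, or something to investigate."""
    alert = parse_alert(line)
    if alert is None:
        return None
    findings = []
    if alert["name"] not in BASELINE:
        if alert["path"].startswith("c:\\windows\\system32\\"):
            findings.append("unexpected binary in system32")
        else:
            findings.append("process not in baseline")
        # A near-miss of a legitimate name is a classic masquerading sign.
        near, score = closest_baseline(alert["name"])
        if score >= lookalike_threshold:
            findings.append("name resembles " + near)
    alert["findings"] = findings
    alert["verdict"] = "investigate" if findings else "baseline"
    return alert


def summarize(lines):
    """Group the remote IPs contacted by each process name."""
    seen = {}
    for line in lines:
        alert = parse_alert(line)
        if alert:
            seen.setdefault(alert["name"], set()).add(alert["ip"])
    return seen


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        result = triage(line)
        print(result["verdict"], result["name"], result["ip"], result["findings"])
    print(summarize(SAMPLE_ALERTS))
```

The similarity check uses difflib's ratio, so a threshold of 0.6 is only a starting point; tune it against your own baseline, and treat a hit as a reason to pull the file's hash and signing details rather than as a verdict on its own.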
kulm_nd
      04-20-2004
Sounds like spyware trying to send its data home. Often there is another
process that reloads the active file when you shut it down. Do you run
Spybot or Ad-Aware regularly? The spyware gets installed off software
installs and from ActiveX security set too low.

--

************************************************

g-w


"tarquinlinbin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello,
> it might be me who's getting paranoid, but I'm convinced something is
> not right. NIS flagged up:
>
> outbound tcp connect
>
> remote address is www.superdomen.fig (217.69.122.26) http (80)
>
> process name is c:\windows\system32\sspool.exe
>
> I blocked it. Checking the NIS log file, sometimes the above remote IP
> is 217.69.116.217.
>
> sspool.exe is not a legit file as far as I know. Looking in the sys32
> folder, it was pretending to be a screensaver and its icon was a
> barcode picture. I had to reboot in safe mode to delete it, as access was
> denied otherwise.
>
> A couple of weeks ago the same thing happened, only this time it was
> called mspool.exe, again with a barcode icon, not a legit file.
>
> My main problem is how are these items appearing in my sys32 folder?
> I'm convinced that there is some kind of morphic trojan/virus but
> NIS/NAV doesn't flag it, also I can't find any info on the above IP
> numbers.
>
> Does this sound familiar to anyone?
>
> joe
Jim Watt
      04-20-2004
On Mon, 19 Apr 2004 23:19:30 +0100, tarquinlinbin
<(E-Mail Removed)> wrote:

>Hello,
>it might be me who's getting paranoid, but I'm convinced something is
>not right. NIS flagged up:
>
>outbound tcp connect
>
>remote address is www.superdomen.fig (217.69.122.26) http (80)
>
>process name is c:\windows\system32\sspool.exe
>
>I blocked it. Checking the NIS log file, sometimes the above remote IP
>is 217.69.116.217.
>
>sspool.exe is not a legit file as far as I know. Looking in the sys32
>folder, it was pretending to be a screensaver and its icon was a
>barcode picture. I had to reboot in safe mode to delete it, as access was
>denied otherwise.
>
>A couple of weeks ago the same thing happened, only this time it was
>called mspool.exe, again with a barcode icon, not a legit file.
>
>My main problem is how are these items appearing in my sys32 folder?
>I'm convinced that there is some kind of morphic trojan/virus but
>NIS/NAV doesn't flag it, also I can't find any info on the above IP
>numbers.
>
>Does this sound familiar to anyone?
>
>joe


Navidad used to have a barcode icon, but that's an old one and
NAV would certainly detect it, except I seem to remember it disabled
the AV checks, so it might be as well to run something like
McAfee Stinger, or some of the specific tools that Symantec
provide.
--
Jim Watt
http://www.gibnet.com