"barcode" trojan returns..!!

 
 
tarquinlinbin
      04-24-2004
I have had an ongoing problem with my Win XP Pro based machine. It
sits behind a router which has NAT and SPI. It also runs fully up to
date NIS, and a recent full virus scan in safe mode produced no results,
nor did scans with Ad-Aware, Spybot and Trojan Remover. Still the
"problem" persists.

Every now and then NIS will flag up a warning that a particular
application is trying to access the internet. I block it. The
application always resides in c:\windows\system32 and always has a
barcode style icon. It always has a created date of a few years ago
and it always has a name similar to a genuine item. The latest alert
was called systemm.exe. It doesn't always show directly as a running
process (ctrl/alt/del). It cannot be deleted as access is denied. I
have to reboot in safe mode and delete. I have had System Restore turned
off for several weeks now. The items appear even when the user is not
an administrator. I never log in/run normally with admin privileges.

This recent item, when the alert flagged, was trying to make outbound
TCP connections to 217.69.116.217

A lot of these alerts seem to be aimed at legit operations registered or
based in the USSR according to DNS lookups.

When the alert flagged I ran a DOS cmd prompt and netstat -a, and there
were more ports active or trying to be active than usual, although
nothing was apparently flowing. When the item was deleted in safe mode,
a reboot and a netstat -a produced much reduced and "normal" results.

I can only conclude that somehow my PC is trying to be used to launch
DOS attacks on other servers. The question is, how are these items
appearing on my PC?

Could there be a backdoor of some kind? As I say, every scan proves
negative and I have scoured Google in search of any clues to this
problem but there is nothing.

Can anyone suggest anything or recall similar situations? Does anyone
else have any dubious barcode style icons in their c:\windows\system32
folder?

I have all the latest Windows updates, I don't use OL Express for email,
I am as secure as I possibly can be.

I bought an almost new Netgear router a while ago. It seems like
paranoia, but could someone have embedded some code in the firmware of
it? Sounds crazy, but I'm struggling for solutions to this one now!!

jo
Aaron B. Lingwood
      04-24-2004
On Sat, 24 Apr 2004 09:32:51 +0100, tarquinlinbin
<(E-Mail Removed)> wrote:
<symptoms snipped>

>I bought an almost new Netgear router a while ago. It seems like
>paranoia, but could someone have embedded some code in the firmware of
>it? Sounds crazy, but I'm struggling for solutions to this one now!!


Very unlikely. The code would also have to be quite small. You also
wouldn't see any traffic using netstat if the problem was in the
router.

Are all the connections to the same source IP? If so, then it possibly
is a DoS. If not, you probably have some P2P app running hidden like
Kazaa media desktop or winmx or limewire.

Check what apps are installed and remove any that are unnecessary.
Your AV may also be compromised. Go to http://housecall.trendmicro.com
and do a full scan on your computer. If the page fails to load,
chances are you have a virus which is stopping you from accessing this
page and disabling your AV/firewall. Turn off System Restore before
you clean the virus.

HTH

Aaron Lingwood
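Aaron's first check (are all the connections going to one remote host, or to many?) can be made mechanically from the `netstat -a` output the original poster already captured. The script below is an added example, not code from this thread: it parses the Windows XP `netstat -a` column layout, tallies non-listening TCP sockets per remote host, and labels the pattern. The sample output is constructed and uses RFC 5737 documentation addresses; the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the column layout `netstat -a` prints on Windows XP.
# Remote addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    jo-pc:epmap            jo-pc:0                LISTENING
  TCP    jo-pc:1031             198.51.100.7:80        ESTABLISHED
  TCP    jo-pc:1040             192.0.2.10:80          SYN_SENT
  TCP    jo-pc:1041             192.0.2.10:80          SYN_SENT
  TCP    jo-pc:1042             192.0.2.10:80          SYN_SENT
  TCP    jo-pc:1043             192.0.2.10:80          SYN_SENT
  TCP    jo-pc:1044             192.0.2.10:80          SYN_SENT
  UDP    jo-pc:137              *:*
"""

# proto, local addr, foreign addr, optional state (UDP lines have no state)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        host, _, port = foreign.rpartition(":")
        conns.append({"proto": proto, "local": local.rpartition(":")[0],
                      "host": host, "port": port, "state": state or ""})
    return conns

def remote_tally(conns):
    """Count non-listening TCP sockets per remote host (loopback, wildcard
    and the machine's own name are ignored)."""
    own = {c["local"] for c in conns}
    tally = Counter()
    for c in conns:
        if c["proto"] != "TCP" or c["state"] == "LISTENING":
            continue
        if c["host"] in own or c["host"] in ("*", "0.0.0.0", "127.0.0.1"):
            continue
        tally[c["host"]] += 1
    return tally

def classify(tally, min_total=5, share=0.8):
    """'single-target' when one host holds most sockets (the DoS pattern
    Aaron asks about), 'many-peers' when they fan out (P2P-like), else 'normal'."""
    total = sum(tally.values())
    if total < min_total:
        return "normal"
    top_host, top_n = tally.most_common(1)[0]
    if top_n / total >= share:
        return "single-target"
    return "many-peers" if len(tally) >= min_total else "normal"
```

Save the real `netstat -a` output to a file and pass its contents to `parse_netstat` instead of the sample; the hosts in the tally are then what to resolve and look up.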
zzz
      04-24-2004
tarquinlinbin wrote:
> I have had an ongoing problem with my Win XP Pro based machine. It
> sits behind a router which has NAT and SPI. It also runs fully up to
> date NIS, and a recent full virus scan in safe mode produced no results,
> nor did scans with Ad-Aware, Spybot and Trojan Remover. Still the
> "problem" persists.
>
> Every now and then NIS will flag up a warning that a particular
> application is trying to access the internet. I block it. The
> application always resides in c:\windows\system32 and always has a
> barcode style icon. It always has a created date of a few years ago
> and it always has a name similar to a genuine item. The latest alert
> was called systemm.exe. It doesn't always show directly as a running
> process (ctrl/alt/del).
> jo


ctrl/alt/del is incomplete. I use Ad-Aware or some other memory scanner
(Norton?) to see all the processes running and often get 8-10 more than
ctrl/alt/del shows. Since you are running those (Ad-Aware), what
processes do they show running?

g-w
George
      11-06-2004
> Can anyone suggest anything or recall similar situations? Does anyone
> else have any dubious barcode style icons in their c:\windows\system32
> folder?


When I was cleaning up my computer a few weeks ago I found two programs
running in the background:
- Bcpc.exe and xclean.exe
They were in the Program Files directory under folders named Bcpc and XML.
Bcpc.exe had the barcode icon, but other .exe files in the folders had an
icon consisting of a computer screen and a CD. On the icon's computer screen
you can quite clearly see a four-legged animal that looks like a horse.
Since I had no idea what these files were, I deleted references to them in
the registry and moved them to a safe area.

Are these "horses" on the icons a cute way of signalling a trojan horse?

George
Mike
      11-06-2004
George wrote:
>> Can anyone suggest anything or recall similar situations? Does anyone
>> else have any dubious barcode style icons in their c:\windows\system32
>> folder?
>
> When I was cleaning up my computer a few weeks ago I found two programs
> running in the background:
> - Bcpc.exe and xclean.exe
> They were in the Program Files directory under folders named Bcpc and XML.
> Bcpc.exe had the barcode icon, but other .exe files in the folders had an
> icon consisting of a computer screen and a CD. On the icon's computer screen
> you can quite clearly see a four-legged animal that looks like a horse.
> Since I had no idea what these files were, I deleted references to them in
> the registry and moved them to a safe area.
>
> Are these "horses" on the icons a cute way of signalling a trojan horse?
>
> George


They are both Adware. A 10 second Google told me that FFS. Give us a
hard question.

http://computercops.biz/postp340572.html

Google for spybot. Download it and install it and stop browsing for porn.

*Any* icon can be assigned to *any* file, making them pointless for
identifying the type of file.

George
      11-06-2004
> They are both Adware. A 10 second Google told me that FFS. Give us a
> hard question.

> Google for spybot. Download it and install it and stop browsing for porn.

Sorry you used up your brain's resources on my trivial post. Nobody forced
you to answer. FYI, both adware programs had been missed by Spybot, which
I've been running for over a year. After my last post I downloaded Ad-Aware
(hadn't used it before), which caught both of them and a few others Spybot
had missed besides.

> *Any* icon can be assigned to *any* file, making them pointless for
> identifying the type of file.

Yes, I know that, but it wouldn't stop someone from using it as a signature,
would it?
Lighten up, FTSOYBP. You'll live longer.

Michael Moyse
      11-07-2004
George wrote:

>> They are both Adware. A 10 second Google told me that FFS. Give us a
>> hard question.
>
>> Google for spybot. Download it and install it and stop browsing for porn.
>
> Sorry you used up your brain's resources on my trivial post.

Apology accepted.

> Nobody forced you to answer.

Or you to post without doing some basic research first.

> FYI, both adware programs had been missed by Spybot, which
> I've been running for over a year. After my last post I downloaded Ad-Aware
> (hadn't used it before), which caught both of them and a few others Spybot
> had missed besides.

Cool

>> *Any* icon can be assigned to *any* file, making them pointless for
>> identifying the type of file.
>
> Yes, I know that, but it wouldn't stop someone from using it as a signature,
> would it?

No, but it would be a pretty dumb thing to do.

> Lighten up, FTSOYBP. You'll live longer.


I have no idea what FTSOYBP means (Fart The Sock Out Your Back Passage
perhaps?)

You'll live longer if you stop browsing porn sites.

George
      11-08-2004
You are obsessed with porn, aren't you?

FTSOYBP: For the sake of your blood pressure.

Try logging on to the "free" genealogy sites. Or the gardening or
woodworking sites, for that matter. Look up some of your old high school
buddies and see how quickly the e-mails for free degrees come in. Spyware is
a problem with all of these "free" services. You'll find that most of these
sites are supported by advertising, and they are all trying to target you
through cookies, tracking software and data miners.

At my age porn just ain't that exciting.

Peace.
G