"barcode" trojan returns..!!

Discussion in 'Computer Security' started by tarquinlinbin, Apr 24, 2004.

  1. I have had an ongoing problem with my Win XP Pro based machine. It
    sits behind a router which has NAT and SPI. It also runs fully up to
    date NIS and a recent full virus scan in safe mode produced no results,
    nor did scans with Ad-Aware, Spybot and Trojan Remover. Still the
    "problem" persists.

    Every now and then NIS will flag up a warning that a particular
    application is trying to access the internet. I block it. The
    application always resides in c:\windows\system32 and always has a
    barcode style icon. It always has a created date of a few years ago
    and it always has a name similar to a genuine item. The latest alert
    was called systemm.exe. It doesn't always show directly as a running
    process (Ctrl/Alt/Del). It cannot be deleted as access is denied. I
    have to reboot in safe mode and delete it. I have had System Restore turned
    off for several weeks now. The items appear even when the user is not
    an administrator. I never log in/run normally with admin privileges.

    This recent item, when the alert flagged, was trying to make outbound
    TCP connections to 217.69.116.217.

    A lot of these alerts seem to be aimed at legit operations registered or
    based in the USSR according to DNS lookups.

    When the alert flagged I ran a DOS cmd prompt and netstat -a, and there
    were more ports active or trying to be active than usual, although
    nothing was apparently flowing. When the item was deleted in safe mode,
    a reboot and a netstat -a produced much reduced and "normal" results.

    I can only conclude that somehow my PC is trying to be used to launch
    DoS attacks on other servers. The question is, how are these items
    appearing on my PC?

    Could there be a backdoor of some kind? As I say, every scan proves
    negative and I have scoured Google in search of any clues to this
    problem but there is nothing.

    Can anyone suggest anything or recall similar situations? Does anyone
    else have any dubious barcode style icons in their c:\windows\system32
    folder?

    I have all the latest Windows updates, I don't use OL Express for email,
    I am as secure as I possibly can be.

    I bought an almost new Netgear router a while ago. It seems like
    paranoia, but could someone have embedded some code in the firmware of
    it? Sounds crazy, but I'm struggling for solutions to this one now!!

    jo
     
    tarquinlinbin, Apr 24, 2004
    #1
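One defensive way to triage the "name similar to a genuine item" symptom the poster describes (systemm.exe sitting in system32) is to compare every filename in the directory against a baseline of genuine binary names and flag anything that is only one or two edits away without being an exact match. The Python below is an added example, not code from the thread or from any tool named in it. The baseline set and the directory listing are constructed for the example: systemm.exe is the name from the post, scvhost.exe is a made-up transposition, and on a real host the listing would come from os.listdir on the System32 directory.

```python
"""Flag executables whose names look like, but are not, well-known Windows
binary names (e.g. "systemm.exe" next to the genuine "system").

Added example for the thread above; the baseline and the listing below are
constructed, not taken from a real machine.
"""

# Constructed baseline of genuine process/binary names (deliberately short;
# a real baseline would be the full, hash-verified contents of System32).
KNOWN_GOOD = {
    "system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe", "userinit.exe",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _stem(name: str) -> str:
    """Lower-case the name and drop a trailing .exe so 'systemm.exe' is
    compared against the bare 'system'."""
    n = name.lower()
    return n[:-4] if n.endswith(".exe") else n


def lookalikes(names, baseline=KNOWN_GOOD, max_distance=2):
    """Return (name, closest_genuine, distance) for every name that is within
    max_distance edits of a baseline entry but is not itself in the baseline."""
    base_stems = {_stem(b): b for b in baseline}
    hits = []
    for name in names:
        s = _stem(name)
        if s in base_stems:
            continue  # exact genuine name, nothing to flag
        best = min(base_stems, key=lambda g: levenshtein(s, g))
        d = levenshtein(s, best)
        if d <= max_distance:
            hits.append((name, base_stems[best], d))
    return hits


# Constructed listing standing in for C:\Windows\System32.
SAMPLE_LISTING = [
    "svchost.exe", "lsass.exe",
    "systemm.exe",   # the name from the post
    "notepad.exe",
    "scvhost.exe",   # constructed transposition, not a real file
    "winlogon.exe",
]

if __name__ == "__main__":
    for name, genuine, d in lookalikes(SAMPLE_LISTING):
        print(f"{name:14} looks like {genuine:14} (edit distance {d})")
```

This is a triage heuristic, not proof: a hit only says the name deserves a closer look (publisher signature, hash against a known-good copy, the process that created it). Legitimate binaries with genuinely similar names will also score low, so the baseline should be complete for the directory being checked.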

  2. On Sat, 24 Apr 2004 09:32:51 +0100, tarquinlinbin
    <> wrote:
    <symptoms snipped>

    >I bought an almost new netgear router a while ago, it seems like
    >paranoia but could someone have embedded some code in the firmware of
    >it? sounds crazy but im struggling for solutions to this one now!!


    Very unlikely. The code would also have to be quite small. You also
    wouldn't see any traffic using netstat if the problem was in the
    router.

    Are all the connections to the same source IP? If so, then it possibly
    is a DoS. If not, you probably have some P2P app running hidden like
    Kazaa media desktop or winmx or limewire.

    Check what apps are installed and remove any that are unnecessary.
    Your AV may also be compromised. Go to http://housecall.trendmicro.com
    and do a full scan on your computer. If the page fails to load,
    chances are you have a virus which is stopping you from accessing this
    page and disabling your AV/firewall. Turn off System Restore before
    you clean the virus.

    HTH

    Aaron Lingwood
     
    Aaron B. Lingwood, Apr 24, 2004
    #2
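The original poster compared netstat -a output before and after removing the file, and Aaron's first question is whether all the connections go to the same foreign address. The Python below is an added example, not code from the thread, that does both mechanically: it parses two captures, lists the rows that disappeared after cleanup, and counts non-listening TCP rows per foreign host. The two captures are constructed to resemble XP-era netstat output; 217.69.116.217 is the address named in the post, every other address and port is made up, and a real run would read the captures from files.

```python
"""Diff two Windows `netstat -a` captures and summarise outbound activity
per foreign host.  Added example for the thread above; the captures are
constructed, not recorded from a real machine.
"""
from collections import Counter


def parse_netstat(text):
    """Return a set of (proto, local, foreign, state) tuples.
    UDP rows have no State column, so their state is ''."""
    rows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ""
        rows.add((proto, local, foreign, state))
    return rows


def foreign_host(addr):
    """Strip the port from 'host:port'; host may be '*', an IP or a name."""
    return addr.rsplit(":", 1)[0]


def diff_captures(before, after):
    """Rows present only in the first capture, and rows present only in the
    second, each sorted for stable output."""
    b, a = parse_netstat(before), parse_netstat(after)
    return sorted(b - a), sorted(a - b)


def outbound_by_host(rows):
    """Count TCP rows that are not LISTENING per foreign host, skipping the
    wildcard entries.  Many rows to a single host looks different from
    rows scattered across many hosts, which is the distinction Aaron draws."""
    counts = Counter()
    for proto, _local, foreign, state in rows:
        host = foreign_host(foreign)
        if proto == "TCP" and state != "LISTENING" and host not in ("*", "0.0.0.0"):
            counts[host] += 1
    return counts


# Constructed capture standing in for the machine while the alert was firing.
INFECTED = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1054       217.69.116.217:80      SYN_SENT
  TCP    192.168.0.2:1055       217.69.116.217:80      SYN_SENT
  TCP    192.168.0.2:1056       217.69.116.217:80      SYN_SENT
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1900           *:*
"""

# Constructed capture standing in for the machine after the safe-mode delete.
CLEAN = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    gone, new = diff_captures(INFECTED, CLEAN)
    print("Rows present only before cleanup:")
    for row in gone:
        print("  ", *row)
    print("Rows present only after cleanup:", new or "none")
    print("Outbound TCP rows per foreign host before cleanup:",
          dict(outbound_by_host(parse_netstat(INFECTED))))
```

SYN_SENT rows that never reach ESTABLISHED match the poster's observation that ports were "trying to be active" with nothing flowing; the per-host count is what answers Aaron's question. Without the -n switch netstat resolves names, so the foreign column may hold hostnames rather than addresses; the parser treats both the same way.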

  3. tarquinlinbin

    zzz Guest

    tarquinlinbin wrote:
    > I have had an ongoing problem with my Win XP Pro based machine. It
    > sits behind a router which has NAT and SPI. It also runs fully up to
    > date NIS and a recent full virus scan in safe mode produced no results,
    > nor did scans with Ad-Aware, Spybot and Trojan Remover. Still the
    > "problem" persists.
    >
    > Every now and then NIS will flag up a warning that a particular
    > application is trying to access the internet. I block it. The
    > application always resides in c:\windows\system32 and always has a
    > barcode style icon. It always has a created date of a few years ago
    > and it always has a name similar to a genuine item. The latest alert
    > was called systemm.exe. It doesn't always show directly as a running
    > process (Ctrl/Alt/Del).
    > jo


    Ctrl/Alt/Del is incomplete. I use Ad-Aware or some other memory scanner
    (Norton?) to see all the processes running and often get 8-10 more than
    Ctrl/Alt/Del shows. Since you are running those (Ad-Aware), what
    processes do they show running?

    g-w
     
    zzz, Apr 24, 2004
    #3
  4. tarquinlinbin

    George Guest

    >
    > Can anyone suggest anything or recall similar situations? does anyone
    > else have any dubious barcode style icons in their c:\windows\system32
    > folder?.


    When I was cleaning up my computer a few weeks ago I found two programs
    running in the background
    - Bcpc.exe and xclean.exe
    They were in the Program files directory under folders named Bcpc and XML
    Bcpc.exe had the barcode icon, but other .exe files in the folders had an
    icon consisting of a computer screen and a cd. On the icon's computer screen
    you can quite clearly see a four-legged animal that looks like a horse.
    Since I had no idea what these files were, I deleted references to them in
    the registry and moved them to a safe area.

    Are these "horses" on the icons a cute way of signalling a trojan horse?

    George
     
    George, Nov 6, 2004
    #4
  5. tarquinlinbin

    Mike Guest

    George wrote:
    >>Can anyone suggest anything or recall similar situations? does anyone
    >>else have any dubious barcode style icons in their c:\windows\system32
    >>folder?.

    >
    >
    > When I was cleaning up my computer a few weeks ago I found two programs
    > running in the background
    > - Bcpc.exe and xclean.exe
    > They were in the Program files directory under folders named Bcpc and XML
    > Bcpc.exe had the barcode icon, but other .exe files in the folders had an
    > icon consisting of a computer screen and a cd. On the icon's computer screen
    > you can quite clearly see a four-legged animal that looks like a horse.
    > Since I had no idea what these files were, I deleted references to them in
    > the registry and moved them to a safe area.
    >
    > Are these "horses" on the icons a cute way of signalling a trojan horse?
    >
    > George
    >
    >


    They are both Adware. A 10 second Google told me that FFS. Give us a
    hard question.

    http://computercops.biz/postp340572.html

    Google for spybot. Download it and install it and stop browsing for porn.

    *Any* icon can be assigned to *any* file, making them pointless in
    identifying the type of file.
     
    Mike, Nov 6, 2004
    #5
  6. tarquinlinbin

    George Guest


    > They are both Adware. A 10 second Google told me that FFS. Give us a
    > hard question.


    > Google for spybot. Download it and install it and stop browsing for porn.


    Sorry you used up your brain's resources on my trivial post. Nobody forced
    you to answer. FYI both adware programs had been missed by spybot, which
    I've been running for over a year. After my last post I downloaded Ad-Aware
    (hadn't used it before) which caught both of them and a few others spybot
    had missed besides.

    > *Any* icon can be assigned to *any* file, making them pointless in
    > identifying the type of file.


    Yes I know that, but it wouldn't stop someone from using it as a signature,
    would it?
    Lighten up, FTSOYBP. You'll live longer.
     
    George, Nov 6, 2004
    #6
  7. George wrote:

    >>They are both Adware. A 10 second Google told me that FFS. Give us a
    >>hard question.

    >
    >
    >>Google for spybot. Download it and install it and stop browsing for porn.

    >
    >
    > Sorry you used up your brain's resources on my trivial post.

    Apology accepted.

    > Nobody forced you to answer.

    Or you to post without doing some basic research first.

    > FYI both adware programs had been missed by spybot, which
    > I've been running for over a year. After my last post I downloaded Ad-Aware
    > (hadn't used it before) which caught both of them and a few others spybot
    > had missed besides.

    Cool

    >
    >>*Any* icon can be assigned to *any* file, making them pointless in
    >>identifying the type of file.

    >
    >
    > Yes I know that, but it wouldn't stop someone from using it as a signature,
    > would it?

    No, but it would be a pretty dumb thing to do.

    > Lighten up, FTSOYBP. You'll live longer.


    I have no idea what FTSOYBP means (Fart The Sock Out Your Back Passage
    perhaps?)

    You'll live longer if you stop browsing porn sites.
     
    Michael Moyse, Nov 7, 2004
    #7
  8. tarquinlinbin

    George Guest

    You are obsessed with porn, aren't you?

    FTSOYBP
    For the sake of your blood pressure

    Try logging on to the "free" genealogy sites. Or the gardening or
    woodworking sites for that matter. Look up some of your old high school
    buddies and see how quickly the E-Mails for free degrees come in. Spyware is
    a problem with all of these "free" services. You'll find that most of these
    sites are supported by advertising, and they are all trying to target you
    through cookies, tracking software and data miners.

    At my age porn just ain't that exciting.

    Peace.
    G
     
    George, Nov 8, 2004
    #8