"barcode" trojan?

Discussion in 'Computer Security' started by tarquinlinbin, Apr 19, 2004.

  1. Hello,
    it might be me who's getting paranoid, but I'm convinced something is
    not right. NIS flagged up

    outbound tcp connect

    remote address is www.superdomen.fig (217.69.122.26) http (80)

    process name is c:\windows\system32\sspool.exe

    I blocked it. Checking the NIS log file, sometimes the above remote IP
    is 217.69.116.217

    sspool.exe is not a legit file as far as I know. Looking in the sys32
    folder, it was pretending to be a screensaver and its icon was a
    barcode picture. I had to reboot in safe mode to delete it, as access
    was denied otherwise.

    A couple of weeks ago the same thing happened, only this time it was
    called mspool.exe; again, barcode icon, non-legit file.

    My main problem is: how are these items appearing in my sys32 folder?
    I'm convinced that there is some kind of morphic trojan/virus, but
    NIS/NAV doesn't flag it; also I can't find any info on the above IP
    nos.

    Does this sound familiar to anyone?

    joe
    tarquinlinbin, Apr 19, 2004
    #1

  2. tarquinlinbin

    kulm_nd Guest

    Sounds like spyware trying to send its data home. Often there is another
    process that reloads the active file when you shut it down. Do you run
    Spybot or Adaware regularly? The spyware gets installed off software
    installs and from ActiveX security set too low.

    --

    ************************************************

    g-w


    "tarquinlinbin" <> wrote in message
    news:...
    > Hello
    > ,it might be me whos getting paranoid but im convinced something is
    > not right. NIS flagged up
    >
    > outbound tcp connect
    >
    > remote address is www.superdomen.fig (217.69.122.26) http (80)
    >
    > process name is c:\windows\system32\sspool.exe
    >
    > i blocked it. Checking the NIS log file,sometimes the avobe remote ip
    > is 217.69.116.217
    >
    > sspool.exe is not a legit file as far as i know. looking in the sys32
    > folder,it was pretending to be a screensaver and its icon was a
    > barcode picture. I had to reboot in safe mode to delete as access
    > denied otherwise.
    >
    > A couple of weeks ago the same thing happenedonly this time it was
    > called mspool.exe ,again,barcode icon,non legit file.
    >
    > my main problem is how are these items appearing in my sys32 folder?.
    > I'm convinced that there is some kind of morphic trojan/virus but
    > NIS/NAV doesnt flag it, also i cant find any info on the above ip
    > no's.
    >
    > does this sound familar to anyone?
    >
    > joe
    kulm_nd, Apr 20, 2004
    #2

  3. tarquinlinbin

    Jim Watt Guest

    Navidad used to have a barcode icon, but that's an old one and
    NAV would certainly detect it, except I seem to remember it disabled
    the AV checks, so it might be as well to run something like
    McAfee Stinger, or some of the specific tools that Symantec
    provide.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Apr 20, 2004
    #3