"barcode" trojan returns..!!

[tarquinlinbin]

I have had an ongoing problem with my win xp pro based machine. It
sits behind a router which has NAT and SPI. It also runs fully up to
date NIS and a recent full virus scan in safe mode produced no results
nor did scans with adaware,spybot and trojan remover. Still the
"problem" persists.

Every now and then NIS will flag up a warning that a particular
application is trying to access the internet. I block it. The
application alwats resides in c:\ windows\system32 and always has a
barcode style icon. It always has a created date of a few years ago
and it always has a name similar to a genuine item. The latest alert
was called systemm.exe. It doesnt always show directly as a running
process (ctrl/alt/del). It cannot be deleted as access is denied. I
have to reboot in safe mode and delete. I have had sys restore turned
off for several weeks now. The items appear even when the user is not
an administrator. I never log in/run normally with admin priveledges.

This recent item when the alert flagged was trying to make outbound
tcp's to 217.69.116.217

a lot of these alerts seem to aimed at legit operations registered or
based in the USSR according to dns lookups.

When the alert flagged i ran dos cmd prompt and netstat -a and there
were more ports active or trying to be active than usual, although
nothing was apparently flowing. When the item was deleted in safe mode
a reboot and a netstat -a produced much reduced and "normal" results.

I can only conclude that somehow my pc is trying to be used to launch
DOS atteacks on other servers. The question is,how are these items
appearing on my pc?.

Could there be a backdoor of some kind?. As i say,every scan proves
negative and i have scoured google in search of any clues to this
problem but there is nothing.

Can anyone suggest anything or recall similar situations? does anyone
else have any dubious barcode style icons in their c:\windows\system32
folder?.

I have all the latest windows updates,i dont use OL express for email,
i am as secure as i possibly can be.

I bought an almost new netgear router a while ago, it seems like
paranoia but could someone have embedded some code in the firmware of
it? sounds crazy but im struggling for solutions to this one now!!

jo

 

[Rick \Nutcase\ Rogers]

Hi,

Have you run a spyware program yet? I find references to that file and a BHO
called smartsearch (a known parasite).

Adaware www.lavasoft.de
Spybot www.safer-networking.org

These may be able to help. This one can help you avoid these programs from
being installed in the first place:

Spyware Blaster: www.javacoolsoftware.com/spywareblaster.html

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Windows
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone

 

[zzz]

I have had an ongoing problem with my win xp pro based machine. It
sits behind a router which has NAT and SPI. It also runs fully up to
date NIS and a recent full virus scan in safe mode produced no results
nor did scans with adaware,spybot and trojan remover. Still the
"problem" persists.

Every now and then NIS will flag up a warning that a particular
application is trying to access the internet. I block it. The
application alwats resides in c:\ windows\system32 and always has a
barcode style icon. It always has a created date of a few years ago
and it always has a name similar to a genuine item. The latest alert
was called systemm.exe. It doesnt always show directly as a running
process (ctrl/alt/del).
jo

ctrl/alt/del is incomplete, I use Adaware or some other memory scanner
)Norton?) to see all the processes running and often get 8-10 more than
ctrl/alt/del shows. Since you are running those (Adaware), what
processes do they show running?

g-w

 

[tarquinlinbin]

Hi,

Have you run a spyware program yet? I find references to that file and a BHO
called smartsearch (a known parasite).

Adaware www.lavasoft.de
Spybot www.safer-networking.org

These may be able to help. This one can help you avoid these programs from
being installed in the first place:

Spyware Blaster: www.javacoolsoftware.com/spywareblaster.html

Ive run the lot and nothing has flagged it. Ive used
adaware,spybot,trojan remover i have NIS installed. Ive just powered
up and its morphed again and its now called csrsc.exe in the
c:\windows\system32 folder with the same barcode icon. This time ive
deleted and saved a copy to floppy for submission/analysis. I'm
currently downloading latest adaware and will run that

jo

 

[George]

Can anyone suggest anything or recall similar situations? does anyone
else have any dubious barcode style icons in their c:\windows\system32
folder?.

When I was cleaning up my computer a few weeks ago I found two programs
running in the background
- Bcpc.exe and xclean.exe
They were in the Program files directory under folders named Bcpc and XML
Bcpc.exe had the barcode icon, but other exe. files in the folders had an
icon consisting of a computer screen and a cd. On the icon's computer screen
you can quite clearly see a four-legged animal that looks like a horse.
Since I had no idea what these files were, I deleted references to them in
the registry and moved them to a safe area.

Are these "horses" on the icons a cute way of signalling a trojan horse?

George

 

[Mike]

When I was cleaning up my computer a few weeks ago I found two programs
running in the background
- Bcpc.exe and xclean.exe
They were in the Program files directory under folders named Bcpc and XML
Bcpc.exe had the barcode icon, but other exe. files in the folders had an
icon consisting of a computer screen and a cd. On the icon's computer screen
you can quite clearly see a four-legged animal that looks like a horse.
Since I had no idea what these files were, I deleted references to them in
the registry and moved them to a safe area.

Are these "horses" on the icons a cute way of signalling a trojan horse?

George

They are both Adware. A 10 second Google told me that FFS. Give us a
hard question.

http://computercops.biz/postp340572.html

Google for spybot. Download it and install it and stop browsing for porn.

*Any* icon can be assigned to *any* file so making them pointless in
identifying the type of file.

 

[George]

They are both Adware. A 10 second Google told me that FFS. Give us a
hard question.

Google for spybot. Download it and install it and stop browsing for porn.

Sorry you used up your brain's resources on my trivial post. Nobody forced
you to answer. FYI both adware programs had been missed by spybot, which
I've been running for over a year. After my last post I downloaded Ad-Aware
(hadn't used it before) which caught both of them and a few others spybot
had missed besides.

*Any* icon can be assigned to *any* file so making them pointless in
identifying the type of file.

Yes I know that, but it wouldn't stop someone from using it as a signature,
would it?
Lighten up, FTSOYBP. You'll live longer.

 

[Michael Moyse]

Sorry you used up your brain's resources on my trivial post.

Apology accepted.

Nobody forced you to answer.

Or you to post without doing some basic research first.

FYI both adware programs had been missed by spybot, which
I've been running for over a year. After my last post I downloaded Ad-Aware
(hadn't used it before) which caught both of them and a few others spybot
had missed besides. Cool



Yes I know that, but it wouldn't stop someone from using it as a signature,
would it?

No, but it would be a pretty dumb thing to do.

Lighten up, FTSOYBP. You'll live longer.

I have no idea what FTSOYBP means (Fart The Sock Out Your Back Passage
perhaps?)

You'll live longer if you stop browsing porn sites.

 

[George]

You are obsessed with porn, aren't you?

FTSOYBP
For

the

sake

of

your

blood

pressure

Try logging on to the "free" genealogy sites. Or the gardening or
woodworking sites for that matter. Look up some of your old high school
buddies and see how quickly the E-Mails for free degrees come in. Spyware is
a problem with all of these "free" services. You'll find that most of these
sites are supported by advertising, and they are all trying to target you
through cookies, tracking software and data miners.

At my age porn just ain't that exciting.

Peace.
G