"barcode" trojan returns..!!

From: tarquinlinbin (noemail_at_myrealbox.com)
Date: 04/27/04


Date: Tue, 27 Apr 2004 08:58:14 +0100

I have had an ongoing problem with my Win XP Pro based machine. It
sits behind a router which has NAT and SPI. It also runs fully up to
date NIS and a recent full virus scan in safe mode produced no results,
nor did scans with Ad-Aware, Spybot and Trojan Remover. Still the
"problem" persists.

Every now and then NIS will flag up a warning that a particular
application is trying to access the internet. I block it. The
application always resides in c:\windows\system32 and always has a
barcode style icon. It always has a created date of a few years ago
and it always has a name similar to a genuine item. The latest alert
was called systemm.exe. It doesn't always show directly as a running
process (ctrl/alt/del). It cannot be deleted as access is denied. I
have to reboot in safe mode and delete. I have had sys restore turned
off for several weeks now. The items appear even when the user is not
an administrator. I never log in/run normally with admin privileges.

This recent item, when the alert flagged, was trying to make outbound
TCP connections to 217.69.116.217.

A lot of these alerts seem to be aimed at legit operations registered or
based in the USSR according to DNS lookups.

When the alert flagged I ran a DOS cmd prompt and netstat -a and there
were more ports active or trying to be active than usual, although
nothing was apparently flowing. When the item was deleted in safe mode,
a reboot and a netstat -a produced much reduced and "normal" results.

I can only conclude that somehow my PC is trying to be used to launch
DoS attacks on other servers. The question is, how are these items
appearing on my PC?

Could there be a backdoor of some kind? As I say, every scan proves
negative and I have scoured Google in search of any clues to this
problem but there is nothing.

Can anyone suggest anything or recall similar situations? Does anyone
else have any dubious barcode style icons in their c:\windows\system32
folder?

I have all the latest Windows updates, I don't use OL Express for email,
I am as secure as I possibly can be.

I bought an almost new Netgear router a while ago. It seems like
paranoia, but could someone have embedded some code in the firmware of
it? Sounds crazy, but I'm struggling for solutions to this one now!!

jo
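One of the clues in the post is that the dropped files carry names "similar to a genuine item" (systemm.exe). The script below is an added example, not part of the original thread, showing how a defender can triage a folder listing for such lookalike names: it compares each .exe stem against a constructed short whitelist of genuine XP process names (as shown in Task Manager, so the kernel process "System" is included) using an edit distance that also counts a swapped pair of letters as one edit. The whitelist and the sample listing are constructed for the example; a real check would use a trusted inventory of the installed system.

```python
import os

# Constructed whitelist of genuine XP process-name stems (no extension; "system"
# is the kernel process shown in Task Manager). A real check needs a full,
# trusted inventory of the install, not this short list.
KNOWN_GOOD = {"system", "smss", "csrss", "winlogon", "services", "lsass",
              "svchost", "spoolsv", "explorer"}


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each counting as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalikes(filenames, known=KNOWN_GOOD, max_dist=1):
    """Return (filename, genuine_stem) pairs for .exe files whose stem is within
    max_dist edits of a genuine name but is not itself a genuine name."""
    hits = []
    for name in filenames:
        stem, ext = os.path.splitext(name.lower())
        if ext != ".exe" or stem in known:
            continue  # non-executables and exact genuine names are not suspicious
        for good in sorted(known):
            if edit_distance(stem, good) <= max_dist:
                hits.append((name, good))
                break
    return hits


# Constructed sample listing of a system32 folder: systemm.exe is the name from
# the post; lsasss.exe and scvhost.exe are made-up lookalikes; the rest are genuine.
SAMPLE_LISTING = ["svchost.exe", "systemm.exe", "lsasss.exe", "notepad.exe",
                  "scvhost.exe", "kernel32.dll", "csrss.exe"]

if __name__ == "__main__":
    for name, good in lookalikes(SAMPLE_LISTING):
        print(f"suspicious: {name} resembles genuine '{good}'")
```

A name that passes this check is not thereby clean; the poster's other observations (file created years ago, undeletable while running, unexpected outbound connections in netstat) are independent signals to correlate with it.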


