Author Topic: USB camera trojan  (Read 1269 times)
dph987
« on: October 11, 2009, 03:31:58 AM »

A virus report.

Today I found these files added to the Windows directory, created on 2nd June 2009, that I think are a trojan set. The modified date on these files is earlier than the creation date.

They are:
FixCamera.exe
tsnpstd3.exe
snpstd3.src
snpstd3.ini
vsnpstd3.exe
csnpstd3.dll

My Windows log revealed that, on the 1st June 09, I uninstalled 2 old security products: XoftSpy and Noadware5.0

Yesterday I uninstalled Adaware but the icon was still in the task tray!

I eventually tracked the task down to tsnpstd3.exe which was using the Adaware icon. The mouseover message read "Disconnected".

tsnpstd3.exe is supposed to be a non-essential camera task that is unrelated to security.

My PC was running slow and long delays were experienced using email and browsers.

At startup something would try to access the USB BIGDOG camera entry in the registry, which I would block. What's more, my USB security camera software regularly lost the camera and I would have to unplug and plug it in again to get it to work.

I suspect this is a camera spy taking secret snapshots.

None of my regular spy and virus detection software (including Comodo) found them.

Any ideas?

EricJH
« Reply #1 on: October 12, 2009, 07:52:40 PM »

Upload the .exe files to Virus Total and see what all the scanners report. Leave the URLs to the analysis pages here in the topic.

Also submit it to Comodo's Camas and let it generate a report for all three files. Please leave the URLs to the reports here.

I assume that program has no uninstall entry in the list of installed software. Is that correct?

Triple boot: XP SP3, Vista Ultimate 32 SP2 and Win7 RTM (default) , Always the latest CIS or CIS Beta (too lazy to update my sig) Athlon XP 2600 1 GB RAM. Opera Browser always using the latest snapshots; Opera 10.10 as of now
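
Added example, not part of any post in this thread: a read-only PowerShell triage of the six files named in the first post, collecting what the replies ask about (a SHA-256 that can be searched on VirusTotal, whether an uninstall entry exists) plus timestamps, Authenticode status and Run-key references. It assumes PowerShell 4.0 or later and that the files sit directly in %windir%; the `snpstd3|FixCamera` match pattern is an assumption derived from those file names.

```powershell
# Added example: read-only triage of the files named in the first post.
# Assumes PowerShell 4.0+ (Get-FileHash) and files located directly in %windir%.
$names   = 'FixCamera.exe','tsnpstd3.exe','snpstd3.src','snpstd3.ini','vsnpstd3.exe','csnpstd3.dll'
$pattern = 'snpstd3|FixCamera'   # assumption: derived from the file names above
$psMeta  = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# 1. Per-file facts: timestamps, signer, version-resource vendor, SHA-256.
$files = foreach ($name in $names) {
    $path = Join-Path $env:windir $name
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ File = $name; Present = $false }
        continue
    }
    $item = Get-Item -LiteralPath $path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        File      = $name
        Present   = $true
        Created   = $item.CreationTime
        Modified  = $item.LastWriteTime
        ModifiedBeforeCreated = $item.LastWriteTime -lt $item.CreationTime
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Company   = $item.VersionInfo.CompanyName
        SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

# 2. Autostart references in the machine and user Run keys.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notin $psMeta -and "$($_.Value)" -match $pattern } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
}

# 3. Uninstall entries (native and 32-bit-on-64-bit registry views).
$uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$uninstall = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { "$($_.DisplayName) $($_.UninstallString) $($_.InstallLocation)" -match $pattern } |
    Select-Object DisplayName, Publisher, UninstallString

$files     | Format-List
$autoruns  | Format-Table -AutoSize
$uninstall | Format-List
```

A last-write time earlier than the creation time is normal for files copied by an installer, because copying keeps the original write time and stamps a new creation time. An unsigned binary or a missing uninstall entry is likewise a reason to look closer, not a verdict.
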
cautim
« Reply #2 on: November 20, 2009, 12:28:24 PM »

Any resolutions yet?

I recognize the executables, they came with my webcam. But I too experience problems with it. Sometimes, unless I disable and then enable the device from the Device Manager (I guess unplug/replug would do the same trick), all I get is a black screen - probably meaning that the camera is already in use by another program... or perhaps it's just that the drivers are buggy.

panic
« Reply #3 on: November 20, 2009, 03:33:04 PM »

fixcamera.exe is a trojan/backdoor.

Boot into Safe Mode and delete fixcamera.exe. Similarly, get rid of tsnpstd3.exe.

Hope this helps,
Ewen :-)



As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
cautim
« Reply #4 on: November 21, 2009, 01:13:16 PM »

Is that mandatory? I mean, did I buy a webcam with a trojan bonus? Seriously...? I scanned with VirusTotal, it seems clean. I don't quite get why it uses the CPU while I'm not using the cam, nor what I've already talked about, so while it's suspicious, it's just too bad to be true also.

JJasper
« Reply #5 on: November 21, 2009, 05:38:55 PM »

Hi dph987 and cautim

If you have a Lenovo webcam check this out.

http://forums.lenovo.com/t5/Options-Accessories/Why-the-drivers-CD-shipping-with-the-WebCam-has-Trojan-virus/m-p/34352 and this one

http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-69592

John

sweepergunsweeep
« Reply #6 on: December 05, 2009, 03:07:01 PM »

I've got the same issue, then I downloaded the original driver from the manufacturer's web site.

cautim
« Reply #7 on: December 13, 2009, 07:47:08 AM »

Claiming a file is a trojan isn't of much help for me, if VirusTotal claims otherwise; neither does Comodo antivirus alert me. Getting rid of it is like getting rid of the cam. It's a no-name thing and unless I find something generic...

So, I installed the drivers again, on a presumably clean system (installed Windows a few days ago), and now WinPatrol tells me that telnet wants to register/startup or something, and I have a TV\Video connection showing in my Network Connections. I don't know anything about telnet other than that I don't want it to connect anywhere. Weird thing is, I see only vsnpstd3.exe running in the process list this time. fixcamera.exe and tsnpstd3.exe used to come with it...

I couldn't be more confused...

What's going on? Is this normal?

Here's the report from CIMA:
http://camas.comodo.com/cgi-bin/submit?file=383065fcda51cd5f39c78c983e60260a18e19a4513f680630502de3ddee0b61e
« Last Edit: December 13, 2009, 07:57:45 AM by cautim »