Update: slow performance (MoM)

Discussion in 'Computer Support' started by Madonna, Nov 12, 2004.

  1. Madonna

    Madonna Guest

    I was complaining about poor internet performance a while ago.
    For example I had lots of timeouts when sending email (I always had to retry 2
    or 3 times)
    At the time I had scanned my system and found nothing, but I
    suspected something was messing up my system at the TCP/IP stack level.

    Today I scanned again with an updated Spy Sweeper and found "MoM" (see below) :\

    Before deleting MoM with Spy Sweeper, I scanned with Ad-Aware SE:
    it found 1 critical object: a tracking cookie from cyberpresse.ca
    (non-critical objects were MRU lists). :(

    The keys found are under
    HKLM\software\microsoft\windows\currentversion\uninstall\st6unst #1
    they include:
    ApplicationName BSEasySFVCreator.exe
    DisplayName Brad Smith Easy SFV Creator

    BTW: SFV is a checksum utility for ensuring files don't contain errors.
    It came in the file esfvc100.exe downloaded on 8 feb 2003
    (I don't remember where it got downloaded from)
    If I open it with winrar there are 3 files in the exe:
    BSEasySFVCreator.cab 1125861 bytes (unpacked) 14/04/2002 10:57 CRC32:9540040C
    SETUP.EXE 139776 bytes 15/07/2000 0:00 CRC32:2DD9157D
    SETUP.LST 1926 bytes 14/04/2002 10:59 CRC32:92F863F3
    SETUP.LST seems to be the list of installed files, contents are attached at the
    bottom of this message.

    Spybot S&D 1.3 has the definitions of 2004-10-26 and won't update.
    But http://www.safer-networking.org/en/download/index.html shows
    update 2004-11-10 so something's wrong here.
    Now scanning with the updates installed Spybot reports:
    "Congratulations! No immediate threats were found" :(
    the rest is MRU logs and cookies.

    Hijack This log is attached below.

    PestPatrol Corporate v5 trial didn't seem to complain either.

    Pestscan.com crashed after installing the Active-X. :(

    Now I've uninstalled EasySFVCreator from the Control Panel.
    I guess I'll have to check if the Mscomctl.ocx are F***'d up as well.

    Now maybe this is a false positive and a coincidence, but I have an ING
    internet bank account that now has a 0.00$ balance!
    =================================================================================
    SYSTEM MONITOR Description:
    Name: MoM
    Author: A. Value Systems, Inc.
    Category: System Monitor
    Threat Assessment: High

    Description:
    MoM is a system monitor that records all of your computer activity including
    keystrokes typed, programs run, Web sites visited, and chat conversation.

    Characteristics:
    MoM records all keystrokes, including passwords, and logs which applications you
    use. This program also takes screenshots of your desktop and records all the Web
    pages you visit. This program is invisible to the user and can email the log
    files to a pre-defined email address.

    Method of Infection:
    MoM can only be installed by someone with administrative access to your
    computer, such as a system administrator or someone that shares your computer.

    http://www.webroot.com/php/spysweeper_spydesc.php
    =================================================================================
    Logfile of HijackThis v1.98.2
    Scan saved at 12:09:13, on 12/11/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Common Files\PestPatrol\ppRemoteService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Common Files\pestpatrol\PPMCActiveDetection.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\PROGRA~1\MOZILL~1\THUNDE~1.EXE
    C:\Program Files\_EZ_INSTALL\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Idea2 SidebarBrowserMonitor Class -
    {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} -
    C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program
    Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media
    Experience\PCMService.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
    Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
    -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
    Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: Download all by Net Transport - C:\Program
    Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program
    Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents
    and Settings\Pi\Application
    Data\Mozilla\Firefox\Profiles\default.j0u\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
    O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents
    and Settings\Pi\Application
    Data\Mozilla\Firefox\Profiles\default.j0u\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
    C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console -
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file
    missing)
    O9 - Extra button: Subscribe in Desktop Sidebar -
    {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
    O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar -
    {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: www.feedroom.com
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
    (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) -
    http://webevents.broadcast.com/wsp/VisionBrowser.CAB
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program
    Files\Common Files\Microsoft Shared\Help\hxds.dll
    =================================================================================
    SETUP.LST


    [Bootstrap]
    SetupTitle=Setup
    SetupText=Initializing setup...
    CabFile=BSEasySFVCreator.cab
    Spawn=SETUP1.EXE
    Uninstal=ST6UNST.EXE
    TmpDir=MSFTQWS.PDW
    Cabs=1

    [Bootstrap Files]
    File1=@VB6STKIT.DLL,$(WinSysPathSysFile),,,3/26/99 10:00:00 AM,101888,6.0.84.50

    [IconGroups]
    Group0=Brad Smith
    PrivateGroup0=0
    Parent0=$(Programs)

    [Brad Smith]
    Icon1="BSEasySFVCreator.exe"
    Title1=Easy SFV Creator
    StartIn1=$(AppPath)

    [Setup]
    Title=Brad Smith Easy SFV Creator
    DefaultDir=$(ProgramFiles)\Brad Smith\Easy SFV Creator
    AppExe=BSEasySFVCreator.exe
    AppToUninstall=BSEasySFVCreator.exe

    [Setup1 Files]
    File1=@BSEasySFVCreatorContext.dll,$(AppPath),$(DLLSelfRegister),,4/13/02
    3:40:36 AM,45056,1.0.0.0
    File2=@BSEasySFVCreatorInterfaces.tlb,$(AppPath),$(TLBRegister),,4/13/02 3:42:56
    AM,3812,0.0.0.0
    File3=@BSSpawn.exe,$(AppPath),$(EXESelfRegister),,4/13/02 3:37:46 AM,45056,1.0.0.0
    File4=@BSCleanup.exe,$(AppPath),,,4/13/02 3:35:24 AM,77824,1.0.0.0
    File5=@BSCRC32.DLL,$(WinSysPath),,$(Shared),12/30/01 7:05:00 AM,45056,1.0.0.0
    File6=@BSInterface.ocx,$(WinSysPath),$(DLLSelfRegister),$(Shared),10/2/01
    7:52:00 AM,73728,1.0.0.0
    File7=@COMDLG32.OCX,$(WinSysPath),$(DLLSelfRegister),$(Shared),5/22/00 12:00:00
    AM,140488,6.0.84.18
    File8=@Mscomctl.ocx,$(WinSysPath),$(DLLSelfRegister),$(Shared),5/22/00 9:00:00
    AM,1066176,6.0.88.62
    File9=@BSWizard.ocx,$(WinSysPath),$(DLLSelfRegister),$(Shared),8/1/01 3:51:28
    AM,77824,1.0.0.1
    File10=@BSSystemTray.ocx,$(WinSysPath),$(DLLSelfRegister),$(Shared),6/14/01
    2:31:38 PM,57344,1.0.0.0
    File11=@BSRuntime.dll,$(WinSysPath),$(DLLSelfRegister),$(Shared),9/23/01 9:59:00
    AM,49152,1.0.0.2
    File12=@BSRegistry.dll,$(WinSysPath),$(DLLSelfRegister),$(Shared),3/17/01
    12:08:22 AM,94208,1.0.0.1
    File13=@BSFileSystem.dll,$(WinSysPath),$(DLLSelfRegister),$(Shared),12/30/01
    7:12:20 AM,110592,1.0.0.4
    File14=@BSEasySFVCreator.exe,$(AppPath),,,4/14/02 10:56:10 AM,540672,2.5.0.6
    =================================================================================
    Madonna, Nov 12, 2004
    #1

  2. Jim Berwick

    Jim Berwick Guest

    Madonna <> wrote in news:Qw6ld.49837$km5.2098709
    @news20.bellglobal.com:

    You are being way too paranoid, as your HijackThis log, while including
    some extra fluff you don't need, doesn't have anything harmful.
    Jim Berwick, Nov 12, 2004
    #2

  3. Madonna

    Madonna Guest

    Jim Berwick wrote:
    > Madonna <> wrote in news:Qw6ld.49837$km5.2098709
    > @news20.bellglobal.com:
    >
    > You are being way too paranoid, as your HijackThis log, while including
    > some extra fluff you don't need, doesn't have anything harmful.


    Thanks for your input. I'm wondering if SpySweeper is paranoid as well.
    Is the MoM report a false positive?

    I'm wondering how these programs determine what is spyware and what is not.
    I think they should check the CRC-32 of the exe, dll, ocx ...

    Imagine someone makes a legit software and releases it on his website.
    A hacker trojanizes it by changing an exe and hosts it on another site.
    Both programs might use the same registry keys.
    If the second program gets reported into an anti-spyware definitions file,
    wouldn't the first program get falsely flagged as spyware if the anti-spyware
    only uses registry keys to find spyware?

    Sidenote: Kerio hasn't caught this program trying to access the internet (unless
    it's hiding under another name).
    Madonna, Nov 13, 2004
    #3
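The contrast raised in the post above, matching an uninstall registry key versus checksumming the installed binaries the way an SFV file does, as an added Python example. This is not code from the thread, from Spy Sweeper, or from Easy SFV Creator. The file names and the uninstall key are taken from the first post's SETUP.LST and registry findings; the file contents, the anti-spyware "signature" key list, and the SFV manifest are constructed for the example, and the "trojanized" copy is simply the legitimate exe with extra bytes appended.

```python
import binascii
import os
import shutil
import tempfile

# Constructed sample installs. Names come from the SETUP.LST in the first post;
# the byte contents are made up for this example (not real PE files).
LEGIT_FILES = {
    "BSEasySFVCreator.exe": b"MZ legit easy sfv creator v2.5.0.6",
    "BSCRC32.DLL": b"MZ legit crc32 library",
}
# Same package with the main exe tampered: only the one file differs.
TROJANIZED_FILES = dict(LEGIT_FILES)
TROJANIZED_FILES["BSEasySFVCreator.exe"] = LEGIT_FILES["BSEasySFVCreator.exe"] + b" + injected stub"

# Both installs write the same uninstall key (from the first post), so a
# definitions file that keys on it alone hits both.
UNINSTALL_KEY = r"HKLM\software\microsoft\windows\currentversion\uninstall\st6unst #1"
SIGNATURE_KEYS = [UNINSTALL_KEY]  # hypothetical anti-spyware definition


def crc32_bytes(data: bytes) -> str:
    """CRC-32 (the IEEE polynomial SFV and WinRAR use) as 8 uppercase hex digits."""
    return "%08X" % (binascii.crc32(data) & 0xFFFFFFFF)


def crc32_file(path: str) -> str:
    """Stream a file through CRC-32 so large binaries need not fit in memory."""
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = binascii.crc32(chunk, crc)
    return "%08X" % (crc & 0xFFFFFFFF)


def parse_sfv(text: str) -> dict:
    """Parse SFV text: one 'filename CRC32' per line, ';' lines are comments."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, crc = line.rsplit(None, 1)  # CRC is the last token; names may hold spaces
        manifest[name] = crc.upper()
    return manifest


def verify_sfv(directory: str, manifest: dict) -> dict:
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif crc32_file(path) != expected:
            results[name] = "MISMATCH"
        else:
            results[name] = "OK"
    return results


def registry_signature_hit(present_keys, signature_keys) -> bool:
    """Registry-only detection: any definition key present on the box is a hit."""
    present = {k.lower() for k in present_keys}
    return any(k.lower() in present for k in signature_keys)


def write_install(files: dict) -> str:
    """Materialise a constructed install into a temp directory and return its path."""
    d = tempfile.mkdtemp(prefix="sfvdemo_")
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


def demo() -> dict:
    """Run both detection styles against the legit and the tampered install."""
    # Manifest generated from the vendor's original files (constructed here).
    sfv_text = "; Easy SFV Creator 2.5.0.6 original\n" + "\n".join(
        f"{name} {crc32_bytes(data)}" for name, data in LEGIT_FILES.items()
    )
    manifest = parse_sfv(sfv_text)
    legit_dir, trojan_dir = write_install(LEGIT_FILES), write_install(TROJANIZED_FILES)
    try:
        return {
            "legit_crc": verify_sfv(legit_dir, manifest),
            "trojanized_crc": verify_sfv(trojan_dir, manifest),
            # Registry-key matching cannot tell the two installs apart.
            "legit_regkey_hit": registry_signature_hit([UNINSTALL_KEY], SIGNATURE_KEYS),
            "trojanized_regkey_hit": registry_signature_hit([UNINSTALL_KEY], SIGNATURE_KEYS),
        }
    finally:
        shutil.rmtree(legit_dir)
        shutil.rmtree(trojan_dir)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

CRC-32 answers the poster's question about accidental corruption and about a tampered exe that keeps the vendor's file names and registry keys, but it is not a security hash: an attacker who controls the file can append bytes to force any CRC-32 value, so a manifest meant to resist deliberate tampering should carry SHA-256 (the code above only needs `hashlib.sha256` in place of `binascii.crc32`) and be signed by the vendor.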