Slingshot downloader ?spyware
dvk01
January 9th, 2004, 08:06 AM
A slight problem has occurred with a downloader called slingshot from Tenebril software, the makers of Ghostsurf, a supposed spyware free product and allegedly an anti spyware company
the brief details are explained at these 2 links
http://66.246.16.46/forums/viewthread.php?tid=12603
and
http://www.karlsforums.com/forums/viewthread.php?tid=12826&page=1
Now not believing that a respected company could include spyware in its products, and disbelieving the other forum users, I tried it out myself
This is a copy from the spybot log
7FaSSt: IE toolbar (Registry value, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{669695BC-A811-4A9D-8CDF-BA8C795F261C}
7FaSSt: Class (Registry key, nothing done)
HKEY_CLASSES_ROOT\KBBar.KBBarBand.1
7FaSSt: Class (Registry key, nothing done)
HKEY_CLASSES_ROOT\KBBar.KBBarBand
7FaSSt: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{669695BC-A811-4A9D-8CDF-BA8C795F261C}
7FaSSt: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{38493F7F-2922-4C6C-9A9A-8DA2C940D0EE}
7FaSSt: Type lib (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{3277CD27-4001-4EF8-9D96-C6CA745AC2F9}
7FaSSt: Typelib (Registry key, nothing done)
HKEY_CLASSES_ROOT\Typelib\{37686C62-D497-42E3-BAAB-78D89A74E151}
in the links above are adaware logs showing the same.
All I did is download the slingshot to a completely clean computer so I can guarantee that any entries came from this program
Either spybot & adaware along with every other source on the net are wrong in their ID of this 7search hijacker or Tenebril have used a clsid that is used by 7search
Tenebril insist that no spyware is in any of their products
are they doing a Gator and redefining spyware or are all the antispyware companies wrong
Would one of the more expert users on this forum like to look into it and let me know if tenebril are wrong in their statement about spyware free products or are all the anti spyware companies wrong
Pieter_Arntz
January 9th, 2004, 10:51 AM
Hi Derek,
I just installed Slingshot (downloaded from the Tenebril site) and scanned with AdAware and Spybot S&D and came up clean on both counts.
Can you confirm that you used the same download location?
I attached the Total Uninstall log from the changes made to the registry during the install.
Regards,
Pieter
dvk01
January 9th, 2004, 12:28 PM
Hi Pieter
Yes can confirm I downloaded slingshot direct from Tenebril site
immediately after I downloaded it I rebooted and did a search for a file using slingshot to check it out. Didn't download anything, just searched for moviemaker from M$, and then ran a HJT log (attached) which clearly shows
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\Program Files\Slingshot\ties\dlIE.dll
O3 - Toolbar: Slingshot - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Program Files\Slingshot\ties\
the O2 clsid comes up as ghostsurf IETIE.dll in all searches a goodie
the O3 comes up as powerstrip.dll a known baddie
perhaps this is why adaware & spybot find 7search
I know the computer was completely clean of all spyware etc before downloading slingshot
I hope it is because the clsid's are wrong in slingshot that this problem is occurring
dvk01
January 9th, 2004, 01:11 PM
Pieter I do not understand this
I just installed slingshot again but this time used total uninstall to monitor.
On install nothing bad showed and total uninstall doesn't show any baddies
I ran a hjt log & adaware scan and clean
then I started slingshot and initialised it as they said and ran a hjt log & adaware and all the 7search baddies appeared in the logs
What the hell is going on
Pieter_Arntz
January 9th, 2004, 01:15 PM
Hi Derek,
Can you get a MD5 for your slingshot-install.exe ?
Mine has: 30D46A1469C25C0AAA99F20B2ADDC320
If they are the same I will try install it again, reboot and use it.
Regards,
Pieter
dvk01
January 9th, 2004, 01:51 PM
30D46A1469C25C0AAA99F20B2ADDC320 according to filealyzer
Pieter_Arntz
January 9th, 2004, 01:56 PM
OK. BRB.
Pieter
Pieter_Arntz
January 9th, 2004, 03:50 PM
Hi Derek,
Indeed you need to start the application before the toolbar and the BHO get added
The odd thing is no files get detected. Only registry keys.
Another thing I observed. It only asks access when you fill out a search it contacts cnet (download.com) and tucows.
The chances of getting a duplicate CLSID are too slim to ignore.
I'll do some more investigating.
Regards,
Pieter
dvk01
January 9th, 2004, 03:59 PM
Thanks Pieter
then it isn't just me and the 2 users on the other forum having problems
do you think it's spyware or just false positives with the same clsid numbers
as you say, it's only registry entries no files seem to be added
Pieter_Arntz
January 9th, 2004, 04:16 PM
Hi Derek,
I am not a firm believer in coincidence. The BHO being the same as GhostSurf by the same company, that is easy to explain.
But the 7FaSST CLSIDs (mind you, four of them) are remarkable to say the least.
I have added both the BHO and the Toolbar as O to the lists, pending investigation.
Regards,
Pieter
dvk01
January 9th, 2004, 04:46 PM
Thanks Pieter, keep me posted
Normally I prefer to submit info like this by email or private message in case I have the info wrong, but in this case it seemed so strange that an "anti spyware" company should have any sort of possible spyware entries within its products that it warranted a wider audience for discussion at least.
as you say it's a remarkable coincidence at the least if all 4 clsid entries correspond to known spyware, 3 fast search and one as gator/gain
I understand that one of the forum users mentioned contacted the company who responded by email and that has been posted in the forum links above and said that there definitely is no spyware in the application, but couldn't or wouldn't explain where the entries come from.
Thanks for the work you have put in on this for me
Regards
Derek
Pieter_Arntz
January 9th, 2004, 04:50 PM
My pleasure Derek,
I like digging into this sort of thing. You always come out having learned something. :)
Regards,
Pieter
dvk01
January 10th, 2004, 02:50 PM
Pieter
This is a paste of an email received by one of the users who had problems with slingshot
it comes from the developers of slingshot and seems to explain the reason why the spyware is detected
Thanks so much for getting back to me, and thanks for posting my message to the forum. I have some good news for you (which I hope you will post as well) -- from reading the forum, it's clear to me why Slingshot is being detected by these anti-spyware systems.
In order to intercept downloads (i.e. when the user clicks on a link in Internet Explorer) Slingshot installs a Browser Helper Object (BHO), which is a DLL that Internet Explorer loads each time it starts. The BHO architecture is one way to extend Internet Explorer, and it's used by many software products (including spyware, since it gives software a window into your surfing).
Each BHO registers itself with IE using a unique identifier called a CLSID, which is mentioned in the thread. Because this CLSID is unique, anti-spyware software can search for CLSID's which are known to be associated with spyware BHO's.
Unfortunately for us, the Slingshot BHO was created from a demo BHO which shows how to connect to Internet Explorer for accelerating downloads. This same demo has been used by the authors of the spyware you mentioned, and so its CLSID is now recognized as spyware. This will cause alerts for other download accelerators as well which share this CLSID; I believe ReGet will trigger it, although I haven't checked myself.
Ultimately this is our fault for not changing the CLSID when we published Slingshot. I'll look into getting it changed for the next release, and in the mean time I'll put an article in our Knowledge Base which describes this problem. I'm sorry for all the concern this has caused in the forum. I can definitely appreciate the concerns of the people there, as I definitely like to keep an eye on my own system and would hate to have software spying on me.
Best wishes for your weekend. Please let me know if I can be of any further assistance.
Sincerely,
Christian Carrillo
Tenebril Inc.
So perhaps we can assume that it's sorted now.
Looks like they did a Microsoft and released it without proper testing
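The email above describes how CLSID-based detection works: a BHO or toolbar registers a CLSID, and anti-spyware tools flag CLSIDs already tied to known spyware, so a product that reuses a demo's CLSID collides with the signature. Pieter's observation that only registry keys, not files, were detected is the practical caveat. The following script is an added example (not code from the thread or from Tenebril) that triages HijackThis O2/O3 lines the way a defender would: it matches the CLSID against a small "known bad" table, then checks whether the registered file also matches, and reports a suspected CLSID collision when it does not. The table is constructed for this example from what the thread reports and is not a real vendor database; the first two sample lines are the ones dvk01 posted, the third is constructed to show a genuine hit.

```python
import re

# Constructed "known bad" table for this example: the toolbar CLSID the
# thread says Spybot labels as 7FaSSt/7search, and the file name HJT
# databases associate with it. Not a real signature database.
KNOWN_BAD_CLSIDS = {
    "{669695BC-A811-4A9D-8CDF-BA8C795F261C}": {
        "family": "7FaSSt / 7search toolbar",
        "expected_file": "powerstrip.dll",
    },
}

# HijackThis O2 (BHO) and O3 (Toolbar) lines share one shape:
#   O2 - BHO: <name> - {CLSID} - <path>
HJT_LINE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.*)$"
)


def basename(path):
    """Last component of a Windows path, lower-cased; a trailing backslash
    (bare directory) is dropped first."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def classify(line):
    """Return a finding dict for an O2/O3 line, or None for other lines."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    clsid = m.group("clsid").upper()
    finding = {
        "section": m.group("section"),
        "clsid": clsid,
        "path": m.group("path"),
        "verdict": "no_match",
        "note": "",
    }
    known = KNOWN_BAD_CLSIDS.get(clsid)
    if known is None:
        return finding
    finding["family"] = known["family"]
    if basename(m.group("path")) == known["expected_file"]:
        # CLSID and file name agree with the signature: a real hit.
        finding["verdict"] = "match_confirmed"
        finding["note"] = "CLSID and file name both match the signature"
    else:
        # CLSID matches but the registered file does not: the situation in
        # this thread. Treat as a possible collision until the file is checked.
        finding["verdict"] = "clsid_collision_suspected"
        finding["note"] = ("CLSID matches but the registered file does not; "
                           "verify the file hash before treating it as spyware")
    return finding


def audit(log_text):
    """Classify every O2/O3 line in a HijackThis log."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


SAMPLE_HJT_LOG = "\n".join([
    # The two lines dvk01 posted in the thread.
    "O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - "
    "C:\\Program Files\\Slingshot\\ties\\dlIE.dll",
    "O3 - Toolbar: Slingshot - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - "
    "C:\\Program Files\\Slingshot\\ties\\",
    # Constructed line showing what a genuine hit would look like.
    "O3 - Toolbar: (no name) - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - "
    "C:\\WINDOWS\\System32\\powerstrip.dll",
])

if __name__ == "__main__":
    for f in audit(SAMPLE_HJT_LOG):
        print(f["section"], f["clsid"], f["verdict"], f["note"])
```

The point of the file-name check is the one Pieter makes: a CLSID is a lookup key, not evidence by itself, so a hit that brings no matching file should be corroborated (file name, then hash) before it is called spyware.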
Pieter_Arntz
January 10th, 2004, 03:30 PM
Hi Derek,
I'm not quite satisfied. It's not the BHO setting of the alarms, but the toolbar.
And as for Reget: http://www.sysinfo.org/bholist.php?filter=reget&count=&type=
I'll see if I can get my hands on the Powerstrip file.
Regards,
Pieter
jonwscott
February 7th, 2005, 08:40 PM
This may be the wrong forum, but I have encountered GhostSurf on our network, and I am trying to find a way to prevent it from working. I am the Tech Director for a small school district, and some students have figured out how to use GS to look at porn on campus...
We have a proxy server, and force all port 80 traffic to validate through it first via the Pix firewall. Somehow GS changes the proxy address to <local>, and bypasses this rule. We have most all other ports blocked, and I am stumped.
Any help would be much appreciated.
Thanks - Jon
jonwscott
February 7th, 2005, 09:02 PM
This may be the solution - looks like GhostSurf operates on 127.0.0.1:7212
Thought we had that one blocked, but I will check in the morning... If you answer your own posts, aren't you just talking to yourself???
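Jon's problem is a per-machine proxy setting being rewritten so that traffic goes to a local listener (127.0.0.1:7212, per his second post) instead of the district proxy. The script below is an added example (not from the thread) of how an administrator could audit an exported copy of the Internet Explorer per-user proxy values and flag exactly that pattern. The value names ProxyEnable, ProxyServer and ProxyOverride under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings are the standard IE ones; that GhostSurf writes its change into those values is an assumption, since the post only says the proxy address ends up as <local>. The approved proxy proxy.example.edu:8080 and both .reg fragments are constructed for the example.

```python
import re

# One regedit export line: "Name"="string"  or  "Name"=dword:XXXXXXXX
REG_VALUE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:"(?P<s>.*)"|dword:(?P<dw>[0-9A-Fa-f]{8}))$'
)
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_reg_values(reg_text):
    """Collect the value names and data from a .reg fragment."""
    values = {}
    for line in reg_text.splitlines():
        m = REG_VALUE.match(line.strip())
        if not m:
            continue
        if m.group("dw") is not None:
            values[m.group("name")] = int(m.group("dw"), 16)
        else:
            # regedit doubles backslashes inside string data
            values[m.group("name")] = m.group("s").replace("\\\\", "\\")
    return values


def audit_proxy(reg_text, approved_proxy):
    """Return a list of finding names for the IE proxy values in reg_text.

    approved_proxy is the host:port the site policy expects (assumption:
    one approved proxy for all protocols)."""
    v = parse_reg_values(reg_text)
    findings = []
    if v.get("ProxyEnable", 0) != 1:
        findings.append("proxy_disabled")
    # ProxyServer is "host:port" or "http=host:port;https=host:port;..."
    for entry in v.get("ProxyServer", "").split(";"):
        entry = entry.strip()
        if not entry:
            continue
        hostport = entry.split("=", 1)[-1]
        host = hostport.rsplit(":", 1)[0].strip("[]")
        if host.lower() in LOOPBACK_HOSTS:
            # The pattern from the thread: a local listener in front of the
            # browser, so the Pix rule forcing port 80 through the proxy is
            # never exercised by the client.
            findings.append("proxy_points_to_loopback")
        elif hostport.lower() != approved_proxy.lower():
            findings.append("proxy_not_approved")
    if "<local>" in v.get("ProxyOverride", "").lower():
        findings.append("local_bypass_enabled")
    return findings


# Constructed fragment showing the situation Jon describes.
GS_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:7212"
"ProxyOverride"="<local>"
'''

# Constructed fragment for a machine that still honours the district proxy.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="proxy.example.edu:8080"
"ProxyOverride"=""
'''

if __name__ == "__main__":
    for label, reg in (("ghostsurf", GS_REG), ("clean", CLEAN_REG)):
        print(label, audit_proxy(reg, "proxy.example.edu:8080") or ["ok"])
```

The audit only tells you which machines have been changed; the enforcement Jon is after still belongs at the firewall, where outbound traffic that did not come from the approved proxy should be dropped regardless of what the client's settings say.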