Holy moly, it's my first keylogger =) Spybot Search and Destroy found it. It keeps deleting it for me, but it keeps coming back.

Prolivation: Prefix change (Registry change)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\www=http://
Prolivation: Prefix change (Registry change)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\=http://
SafeNet: Settings (File)
wb.ini
Internet Explorer: User agent (Registry change)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent=Mozilla/4.0 (compatible; MSIE; Win32)
MS Office 9.0: Internet history (Registry value)
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\Internet\UseRWHlinkNavigation
Windows Explorer: User Assistant history IE( (1 files)) (Registry key)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

It's the safe.net keylogger. When I did a search for safe.net it was in, guess where: C:\Program Files\Spybot - Search & Destroy 1.0 SR1 beta\Recovery. Why do I see all these spyware folders zipped up in there? How do I get rid of safe.net?
Hi MRBlaze, Living dangerously does pay off sometimes, doesn't it? Please go to our downloads section: http://www.wilders.org/downloads.htm and download startuplist.zip. Unzip and run the program and copy and paste the results in your next post. If there is anything in there you don't want the world to know about, you're welcome to IM it to me. Let's see if we can find that nasty. Regards, Pieter
Hope you can find what's making this.

StartupList report, 12/6/2002, 9:14:59 AM
StartupList version: 1.35.0
Started from : C:\WINDOWS\DESKTOP\STARTUPLIST\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SK9910DM.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\DLA\TFSWCTRL.EXE
C:\PROGRAM FILES\NSCLEAN\BOCLEAN\BOCLEAN.EXE
C:\PROGRAM FILES\NSCLEAN\BOCLEAN\BOCSEC.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\STARTUPLIST\STARTUPLIST.EXE
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Hidserv = Hidserv.exe run
WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe
NAV Agent = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
Hot Key Kbd 9910 Daemon = SK9910DM.EXE
POINTER = point32.exe
dla = C:\WINDOWS\system\dla\tfswctrl.exe
BOCleanautostart = C:\PROGRA~1\NSCLEAN\BOCLEAN\BOCLEAN.EXE
IgfxTray = C:\WINDOWS\SYSTEM\igfxtray.exe
HotKeysCmds = C:\WINDOWS\SYSTEM\hkcmd.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
GoBack Polling Service = C:\Program Files\Adaptec\GoBack\GBPoll.exe
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe
[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=
run=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\FLASHS~1.SCR
drivers=mmsystem.dll power.drv
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 5/12/2002, 19:43:26)
[Rename]
C:\PROGRA~1\WINDOW~1\WMPLAYER.EXE=C:\PROGRA~1\WINDOW~1\SETB4.TMP
C:\WINDOWS\SYSTEM\WMP.DLL=C:\WINDOWS\SYSTEM\SETB3.TMP
C:\WINDOWS\SYSTEM\WMPLOC.DLL=C:\WINDOWS\SYSTEM\SETB2.TMP
C:\WINDOWS\SYSTEM\WMVCORE.DLL=C:\WINDOWS\SYSTEM\SETB1.TMP
C:\WINDOWS\SYSTEM\WMASF.DLL=C:\WINDOWS\SYSTEM\SETB0.TMP
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
--------------------------------------------------
C:\WINDOWS\WINSTART.BAT listing:
@C:\WINDOWS\tmpcpyis.bat
--------------------------------------------------
C:\WINDOWS\DOSSTART.BAT listing:
LH C:\PROGRA~1\MICROS~5\MOUSE\MOUSE.EXE
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Enumerating Browser Helper Objects:
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\PROGRAM FILES\COMMON FILES\JUSTDO\JD2002.DLL - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}
(no name) - C:\PROGRAM FILES\E-BOOK SYSTEMS\FLIPALBUM 5 PRO\FPLAUNCH.DLL - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/mil/en/actsetup.cab
[ForumChat]
InProcServer32 = C:\WINDOWS\SYSTEM\MSJAVA.DLL
CODEBASE = http://objects.compuserve.com/chat/RTCChat.cab
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab
[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37593.496087963
--------------------------------------------------
End of report, 8,475 bytes
Report generated in 0.903 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Always a joy to see one of these from someone who takes care of his computer. Only one entry I can't put my finger on, MRBlaze:
(no name) - C:\PROGRAM FILES\COMMON FILES\JUSTDO\JD2002.DLL - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}
Could you please download BHODemon? Run it, select the one mentioned above, click Details, select Disable and please tell me what it reads when you hit More details. Then try out if this stops your little pest from coming back. Regards, Pieter
Blazers, don't remove a thing!!! You have an older, buggy version of Spybot: Search & Destroy 1.0 SR1 beta. Current is Search & Destroy 1.1 rel 3. I'm not sure what the current beta is. I don't get the betas. Download the current version and update it first. http://security.kolla.de/
Pieter_Arntz, is this what you wanted? I found it with IECatcher.dll, sf micromedia flash object. That is from a program called Flash Catcher.

C:\Program Files\Common Files\justDo
CLSID: {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}
File Size (bytes): 143360
Time Accessed: 2002/12/7 0:0:0
Time Modified: 2002/7/11 17:41:24
Time Created: 2002/10/7 18:11:51
Drive Number: 2
Comments:
CompanyName: justDo Software
FileDescription: Jd2002 Module
FileVersion: 2, 6, 0, 1
InternalName: Jd2002
LegalCopyright: Copyright 2002
LegalTrademarks:
OLESelfRegister: $
OriginalFilename: Jd2002.DLL
PrivateBuild:
ProductName: Jd2002 Module
ProductVersion: 2, 6, 0, 1
SpecialBuild: $

Mike and Paul, looking further into the safe.net: wb.ini file keeps coming back. This might be from a program called Windows Blinds, but not sure. I'll try a new Spybot Search and Destroy.
That's exactly what I was looking for. Thnxs. That should be this one: http://www.justdosoft.com/ Looks harmless at first sight. I'll give it a very close look. Regards, Pieter
Hi MRBlaze, I would get rid of this app. Mind you, just my opinion. These changes I had to make after installing it:

Flash Catcher 8-12-2002 12:02:45
---------------------------------------
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.SnapFlash.1\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.SnapFlash.1\CLSID\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.SnapFlash\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.SnapFlash\CurVer\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.SnapFlash\CLSID\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.FlashSink.1\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.FlashSink.1\CLSID\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.FlashSink\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.FlashSink\CurVer\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.FlashSink\CLSID\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\IECatcher.Catcher.1\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\IECatcher.Catcher.1\CLSID\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\IECatcher.Catcher\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\IECatcher.Catcher\CurVer\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\IECatcher.Catcher\CLSID\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\VersionIndependentProgID\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\TypeLib\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\ProgID\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\InprocServer32\ThreadingModel ... Ok
DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\InprocServer32\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Save Flash with Flash Catcher\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_USERS\S-1-5-21-1229272821-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACVQY:%pfvqy2%\Synfu Pngpure\Uryc.yax ... Ok
DELETING REGISTRY VALUE: HKEY_USERS\S-1-5-21-1229272821-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACVQY:%pfvqy2%\Synfu Pngpure\Dhvpx Fgneg.yax ... Ok
DELETING REGISTRY VALUE: HKEY_USERS\S-1-5-21-1229272821-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:\Qbphzragf naq Frggvatf\Cvrgre\Ohernhoynq\qbjaybnq\SynfuPngpure.rkr ... Ok
DELETING REGISTRY VALUE: HKEY_USERS\S-1-5-21-1229272821-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe\i ... Ok
DELETING REGISTRY VALUE: HKEY_USERS\S-1-5-21-1229272821-1383384898-1343024091-1003\Software\Microsoft\Internet Explorer\MenuExt\Save Flash with Flash Catcher\(Default) ... Ok
DELETING REGISTRY VALUE: HKEY_USERS\S-1-5-21-1229272821-1383384898-1343024091-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} ... Ok
DELETING REGISTRY VALUE: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe\i ... FAILS (already deleted)
DELETING REGISTRY VALUE: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Save Flash with Flash Catcher\(Default) ... FAILS (already deleted)
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.SnapFlash.1\CLSID ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.SnapFlash.1 ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.SnapFlash\CurVer ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.SnapFlash\CLSID ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.SnapFlash ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.FlashSink.1\CLSID ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.FlashSink.1 ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.FlashSink\CurVer ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.FlashSink\CLSID ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.FlashSink ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\IECatcher.Catcher.1\CLSID ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\IECatcher.Catcher.1 ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\IECatcher.Catcher\CurVer ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\IECatcher.Catcher\CLSID ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\IECatcher.Catcher ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\VersionIndependentProgID ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\TypeLib ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\Programmable ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\ProgID ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\InprocServer32 ... Ok
DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} ... Ok
DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Rabbit ... Ok
DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9} ... Ok
DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} ... ERROR (has sub-keys)
DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\yourapp.Exe ... Ok
DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Save Flash with Flash Catcher ... Ok
DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MenuExt ... Ok
DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} ... Ok
DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\justDo Software\FlashCatcher\2.5.000 ... Ok
DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\justDo Software\FlashCatcher ... Ok
DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\justDo Software ... Ok
DELETING REGISTRY KEY: HKEY_USERS\S-1-5-21-1229272821-1383384898-1343024091-1003\Software\Microsoft\Internet Explorer\MenuExt\Save Flash with Flash Catcher ... Ok
DELETING REGISTRY KEY: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Save Flash with Flash Catcher ... FAILS (key not found)
RESTORING REGISTRY VALUE: HKEY_CURRENT_USER\SessionInformation\ProgramCount ... Ok
RESTORING REGISTRY VALUE: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory ... Ok
RESTORING REGISTRY VALUE: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\NextId ... Ok
DELETING FILE: C:\Documents and Settings\All Users\Menu Start\Programma's\Flash Catcher\Help.lnk ... Ok
DELETING FILE: C:\Documents and Settings\All Users\Menu Start\Programma's\Flash Catcher\Quick Start.lnk ... Ok
DELETING FILE: C:\Documents and Settings\Pieter\Bureaublad\download\FlashCatcher.exe ... Ok
DELETING FILE: C:\WINDOWS\Prefetch\SETUP.EXE-07EB22CB.pf ... Ok
DELETING FILE: C:\WINDOWS\Prefetch\FLASHCATCHER.EXE-29D5DA0E.pf ... Ok
DELETING FILE: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9}\setup.ilg ... Ok
DELETING FILE: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9}\setup.inx ... Ok
DELETING FILE: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9}\Setup.ini ... Ok
DELETING FILE: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9}\Setup.exe ... Ok
DELETING FILE: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9}\data1.cab ... Ok
DELETING FILE: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9}\data1.hdr ... Ok
DELETING FILE: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9}\layout.bin ... Ok
DELETING FILE: C:\Program Files\Common Files\justDo\sf.swf ... Ok
DELETING FILE: C:\Program Files\Common Files\justDo\IECatcher.dll ... Ok
DELETING FILE: C:\Program Files\Common Files\justDo\Jd2002.dll ... ERROR (file open)
DELETING FILE: C:\Program Files\justDo Software\FlashCatcher\sf.swf ... Ok
DELETING FILE: C:\Program Files\justDo Software\FlashCatcher\FlashCatcher.chm ... Ok
DELETING FILE: C:\Program Files\justDo Software\FlashCatcher\IECatcher.gif ... Ok
DELETING FILE: C:\Program Files\justDo Software\FlashCatcher\QuickStart.htm ... Ok
DELETING FOLDER: C:\Documents and Settings\All Users\Menu Start\Programma's\Flash Catcher ... Ok
DELETING FOLDER: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9} ... Ok
DELETING FOLDER: C:\Program Files\Common Files\justDo ... ERROR (not empty)
DELETING FOLDER: C:\Program Files\justDo Software\FlashCatcher ... Ok

But the main thing is. After disabling the BHO and without the intention of using the program, this happened after about five minutes. (See attachment) Regards, Pieter
Mine don't do that. It only asks for access if I'm trying to use Internet Explorer to get the swf file from the web page. It becomes active if you're browsing a page with a flash object. Denying it access usually results in a corrupted swf file. That's scary, cause ZAP doesn't go off like that when I use Flash Catcher. I have the paid version, but if you're really sure I'll do it, cause I absolutely hate spyware.
I think it's only fair to ask the distributors for an explanation, so I sent them an e-mail. Plus I asked some of our security and spyware experts to look into this. I'm not absolutely sure, just suspicious. Maybe even paranoid. If you like the program and have paid for it, hold onto it for a little while longer and wait for the final judgement. Regards, Pieter
Mr Blaze, you made this statement in the bottom of your first post.
_____________
when i did a search for safe.net it was in guess where C:\Program Files\Spybot - Search & Destroy 1.0 SR1 beta\Recovery why i see all these spyware folders zipped up in there how do i get rid of safe.net
__________________
First, do like Mike says and get the latest version of Spybot. Second, that recovery folder in Spybot is the place it puts all the stuff you have already cleaned off your system to date. But..... It does not automatically just trash it all..it saves it there by default just in case you have made a boo boo and found you want to put it back on your system...any one of them in fact...just like using your trash bin with Windows telling it to replace that file. Now you can clean that puppy out anytime you want by opening up Spybot and hitting that recovery button on the left hand side..when you do, each one you have cleaned off so far will be displayed. You will find oodles of them and even multiples of each. By default setup of the Spybot S&D, you can check mark any one and "recover the product"...but you can also go into the advanced settings in Spybot and put an extra button down below in the GUI that will let you "select all items" at once. I have it set that way..otherwise you must select each one every time. Now not only can you recover each one..you can also PURGE any one ..or all of them..I purge them all so they do not build up...if you had done that you would not have found safe.net or anything in there. That is stuff you have already dealt with. Now..on this Provaloni Sausage thingie..you just found. Pieter is right of course.. and even though you have the beta..I am sure you just updated your Spybot cause I also had those two entries after the last update...and it is OK to delete them. And if for some reason your swf go getter does not work..put it back if you wish..I did not and everything is still cool.
Now that you got this new burner..I suspect you are going to be finding lots more programs out there with spyware and loggers..keep that Spybot handy and hold on to your shorts..not much free stuff out there that does not have some kind of advertising or partner stuff embedded in the software that you download...free is just a wetdream these days on the NET.
Primrosev, thx for that clarification. Pieter_Arntz, those are some good questions. Today I caught a different program called Flash Saver Maker wanting internet access. Now why the heck would a program that activates a screen saver for my PC want internet access?
I don't use any screensavers other than those which come with Windows for that reason, if I use any at all. Look at the same steps you did above, use your Port Explorer to analyse the wanted connections and your firewall blocking, TDS port listen if you found what/where wants to connect, etc etc
lol, I'm still waiting for Pieter_Arntz's reply. If he says it is in fact spyware, I'll dump Flash Catcher and get wicked bad on it lol
Hold on a little longer, MRBlaze. We were provided with a full version of your program, which could be quite different from the free one I got. I'll leave it in the hands of those far more qualified to test that one. We'll come back to you with the results. Regards, Pieter
Good call Pieter, we need to avoid making a mistake here at all costs. False allegations could be very damaging to an honest software developer. I cannot stress enough that we MUST BE SURE, for both ethical and legal reasons. Sir BLAZE, do not worry, a definitive answer will be provided shortly. For the reasons stated above, it should be relatively credible. I sure hope this software is clean, I wouldn't wish an angry BLAZE on my worst enemy.
I see the prolivation thing has already been solved, so what's left is the SafeNet thing. This wb.ini could be a false positive - WindowBlinds uses a configuration file of the same name. The second next update (the next one is already in beta and will be made public today) will have been improved to check the contents of the wb.ini file for SafeNet instead of just identifying it by name. So if you have WindowBlinds installed, this is a f/p and will be fixed in a few days.

edit: some words about FlashCatcher: I just installed it and did some packet sniffing. When I saved a flash file, it also connected twice to 202.96.122.82 - that is justdosoft.com. The requested page was /FlashCatcher/log.asp=UserID=''&url='http:/.....swf'. As you can see, the UserID field is currently empty, but it is there. Does that mean they are not logging currently, or that they are only logging the downloads registered users make?
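The check that the capture described above suggests, as an added example that is not part of the original thread or of any tool named in it: scan HTTP request lines for parameters that carry a full URL on a different host than the server being contacted, and note whether a user-identifier field travels with it. The log lines, the `.example` hosts, the list of ID parameter names and the function names are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed proxy-style lines: "<dest host> <method> <request target>".
# The first target copies the shape quoted in the post (including its literal
# "log.asp=UserID=" form); the rest are invented for contrast.
SAMPLE_LOG = """\
justdosoft.com GET /FlashCatcher/log.asp=UserID=''&url='http://media.example/intro.swf'
media.example GET /intro.swf
tracker.example GET /hit.asp?uid=4711&ref=http%3A%2F%2Fnews.example%2Fstory.html
search.example GET /find?q=flash+catcher&lang=en
media.example GET /player?next=http://media.example/part2.swf
"""

# Assumed list of parameter names that tend to hold a per-user identifier.
ID_PARAMS = {"userid", "uid", "user", "id", "guid"}

PARAM_RE = re.compile(r"([A-Za-z_][\w.]*)=('[^']*'|[^&\s]*)")


def parse_params(target):
    """Return {lowercased name: decoded value} for the target's parameters."""
    # Normal targets split path and query at '?'; the capture in the post
    # shows '=' directly after the script name, so accept that form too.
    path_end = target.find("?")
    if path_end == -1:
        m = re.search(r"\.\w+=", target)
        path_end = m.end() - 1 if m else len(target)
    query = target[path_end + 1:]
    return {name.lower(): unquote(raw.strip("'"))
            for name, raw in PARAM_RE.findall(query)}


def find_url_reports(log_text):
    """Flag requests that hand a URL on another host to the contacted server."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        host, _method, target = parts
        params = parse_params(target)
        id_fields = sorted(ID_PARAMS.intersection(params))
        for value in params.values():
            embedded = urlsplit(value)
            if embedded.scheme not in ("http", "https") or not embedded.hostname:
                continue
            if embedded.hostname.lower() == host.lower():
                continue  # same-site parameter (redirect, playlist), not a report
            findings.append({
                "dest": host,
                "reported_url": value,
                "id_fields": id_fields,
                # An ID field can be present but empty, as in the post's capture.
                "id_populated": any(params[f] for f in id_fields),
            })
    return findings


if __name__ == "__main__":
    for f in find_url_reports(SAMPLE_LOG):
        print(f)
```

An empty identifier field is reported separately from a populated one because the two call for different follow-up: the first shows the reporting channel exists, the second that it is tied to a user.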
hmmmmmm, thx pepi, way cool. Hey, I heard you made Screen Savers the other day, TV show, so now you're famous. Must look nice on job application now.