Slingshot downloader ?spyware

A slight problem has occurred with a downloader called slingshot from Tenebril software, the makers of Ghostsurf, a supposed spyware free product and allegedly an anti spyware company

the brief details are explained at these 2 links

http://66.246.16.46/forums/viewthread.php?tid=12603

and
http://www.karlsforums.com/forums/viewthread.php?tid=12826&page=1


Now not believing that a respected company could include spywares in it products, and disbelieving the other forumm users. I tried it out myself

This is a copy from the spybot log
7FaSSt: IE toolbar (Registry value, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{669695BC-A811-4A9D-8CDF-BA8C795F261C}

7FaSSt: Class (Registry key, nothing done)
HKEY_CLASSES_ROOT\KBBar.KBBarBand.1

7FaSSt: Class (Registry key, nothing done)
HKEY_CLASSES_ROOT\KBBar.KBBarBand

7FaSSt: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{669695BC-A811-4A9D-8CDF-BA8C795F261C}

7FaSSt: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{38493F7F-2922-4C6C-9A9A-8DA2C940D0EE}

7FaSSt: Type lib (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{3277CD27-4001-4EF8-9D96-C6CA745AC2F9}

7FaSSt: Typelib (Registry key, nothing done)
HKEY_CLASSES_ROOT\Typelib\{37686C62-D497-42E3-BAAB-78D89A74E151}

in the links above are adaware logs showing the same.

All I did is download the slingshot to a completely clean computer so I can guarantee that any entries came from this program

Either spybot & adaware along with every other source on the net are wrong in their ID of this 7search hijacker or Tenebril have used a clsid that is used by 7search


Tenebril insist that no spyware is in any of their products

are they doing a GAtor and redefining spyware or are all the antispyware companies wrong

Would one of the more expert users on this forum like to look into it and let me know if tenebril are wrong in their statement about spyware free products or are all the anti spyware companies wrong

 

Hi Pieter

Yes can confirm I downloaded slingshot direct from Tenebril site
immediately I downloaded I rebooted and did a search for a file using slingshot to check it out. Didn't download anything just searched for moviemaker from M$. and then ran a HJt log (attached) which clearly shows
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\Program Files\Slingshot\ties\dlIE.dll

O3 - Toolbar: Slingshot - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Program Files\Slingshot\ties\

the O2 clsid comes up as ghostsurf IETIE.dll in all searches a goodie

teh O3 comes up as powerstrip.dll a known baddie

perhaps this is why adaware & spybot find 7search


I know the computer was completey clean of all spywares etc before downloading slingshot

I hope it is because the clsid's are wrong in slingshot that this problem is occuring

 

Pieter I do not understand this

I just installed slingshot again but this time used total uninstall to monitor.

On install nothing bad showed and total uninstall doesn't show any baddies
I ran a hjt log & adaware scan and clean

then I started slingshot and initialised it as they said and ran a hjt log & adaware and all the 7search baddies appeared in the logs

What the hell is going on

 

30D46A1469C25C0AAA99F20B2ADDC320 according to filealyzer

 

Thsanks Pieter

then it isn't just me and the 2 users on the other forum having problems

do you think it's spyware or just false positives with the same clsid numbers

as you say, it's only registry entries no files seem to be added

 

Thanks Pieter, keep me posted


Normally I prefer to submit info like this by email or Private message in case I have the info wrong, but in this case, it seemed so strange that an "anti spyware" company should have any sort of possible spyware entries within it's products and warranted a wider audience for discusion at least.

as you say it's a remarkable coincidence at the least if all 4 clsid entries correspond to known spywares, 3 fast search and one as gator/gain

I understand that one of the forum users mentioned contacted the company who responded by email and that has been posted in the forum links above and said that there definitely is no spyware in the application, but couldn't or wouldn't explain where the entries come from.

Thanks for the work you have put in on this for me

Regards

Derek

 

Pieter

This is a paste of an email received by one of the users who had problems with slingshot

it comes from the developers of slinghshot and seems to explain the reason why the spware is detected



Thanks so much for getting back to me, and thanks for posting my message to the forum. I have some good news for you (which I hope you will post as well) -- from reading the forum, it's clear to me why Slingshot is being detected by these anti-spyware systems.

In order to intercept downloads (i.e. when the user clicks on a link in Internet Explorer) Slingshot installs a Browser Helper Object (BHO), which is a DLL that Internet Explorer loads each time it starts. The BHO architecture is one way to extend Internet Explorer, and it's used by many software products (including spyware, since it gives software a window into your surfing).

Each BHO registers itself with IE using a unique identifier called a CLSID, which is mentioned in the thread. Because this CLSID is unique, anti-spyware software can search for CLSID's which are known to be associated with spyware BHO's.

Unfortunately for us, the Slingshot BHO was created from a demo BHO which shows how to connect to Internet Explorer for accelerating downloads. This same demo has been used by the authors of the spyware you mentioned, and so its CLSID is now recognized as spyware. This will cause alerts for other download accelerators as well which share this CLSID; I believe ReGet will trigger it, although I haven't checked myself.

Ultimately this is our fault for not changing the CLSID when we published Slingshot. I'll look into getting it changed for the next release, and in the mean time I'll put an article in our Knowledge Base which describes this problem. I'm sorry for all the concern this has caused in the forum. I can definitely appreciate the concerns of the people there, as I definitely like to keep an eye on my own system and would hate to have software spying on me.

Best wishes for your weekend. Please let me know if I can be of any further assistance.

Sincerely,
Christian Carrillo
Tenebril Inc.


So perhaps we can assume that it's sorted now.

Looks like they did a Microsoft and released it without proper testing