=( keylogger in my Spybot?

Discussion in 'privacy general' started by Mr.Blaze, Dec 6, 2002.

Thread Status:
Not open for further replies.
  1. Mr.Blaze (The Newbie Welcome Wagon)
    Joined: Feb 3, 2003 | Posts: 2,842 | Location: on the sofa
    Holy moly, it's my first keylogger =)

    Spybot Search & Destroy found it. It keeps deleting it for me, but it keeps coming back:

    Prolivation: Prefix change (Registry change)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\www=http://

    Prolivation: Prefix change (Registry change)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\=http://

    SafeNet: Settings (File)
    wb.ini

    Internet Explorer: User agent (Registry change)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent=Mozilla/4.0 (compatible; MSIE; Win32)

    MS Office 9.0: Internet history (Registry value)
    HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\Internet\UseRWHlinkNavigation

    Windows Explorer: User Assistant history IE( (1 files)) (Registry key)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

    It's the safe.net keylogger.

    When I did a search for safe.net, it was in, guess where:
    C:\Program Files\Spybot - Search & Destroy 1.0 SR1 beta\Recovery

    Why do I see all these spyware folders zipped up in there?

    How do I get rid of safe.net?
     
  2. Pieter_Arntz (Spyware Veteran)
    Joined: Apr 27, 2002 | Posts: 13,332 | Location: Netherlands
    Hi MRBlaze,

    Living dangerously does pay off sometimes, doesn't it. ;)

    Please go to our downloads section: http://www.wilders.org/downloads.htm and download startuplist.zip
    Unzip and run the program, and copy and paste the results in your next post. If there is anything in there you don't want the world to know about, you're welcome to IM it to me. Let's see if we can find that nasty.

    Regards,

    Pieter
     
  3. Mr.Blaze (The Newbie Welcome Wagon)
    Joined: Feb 3, 2003 | Posts: 2,842 | Location: on the sofa
    Hope you can find what's making this.
    StartupList report, 12/6/2002, 9:14:59 AM
    StartupList version: 1.35.0
    Started from : C:\WINDOWS\DESKTOP\STARTUPLIST\STARTUPLIST.EXE
    Detected: Windows ME (Win9x 4.90.3000)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\SK9910DM.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\WINDOWS\SYSTEM\DLA\TFSWCTRL.EXE
    C:\PROGRAM FILES\NSCLEAN\BOCLEAN\BOCLEAN.EXE
    C:\PROGRAM FILES\NSCLEAN\BOCLEAN\BOCSEC.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\DESKTOP\STARTUPLIST\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    Hidserv = Hidserv.exe run
    WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe
    NAV Agent = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    Hot Key Kbd 9910 Daemon = SK9910DM.EXE
    POINTER = point32.exe
    dla = C:\WINDOWS\system\dla\tfswctrl.exe
    BOCleanautostart = C:\PROGRA~1\NSCLEAN\BOCLEAN\BOCLEAN.EXE
    IgfxTray = C:\WINDOWS\SYSTEM\igfxtray.exe
    HotKeysCmds = C:\WINDOWS\SYSTEM\hkcmd.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
    *StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
    ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    GoBack Polling Service = C:\Program Files\Adaptec\GoBack\GBPoll.exe

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{89820200-ECBD-11cf-8B85-00AA005B4395}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [>PerUser_MSN_Clean] *
    StubPath = C:\WINDOWS\msnmgsr1.exe

    [PerUser_LinkBar_URLs] *
    StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\FLASHS~1.SCR
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 5/12/2002, 19:43:26)

    [Rename]
    C:\PROGRA~1\WINDOW~1\WMPLAYER.EXE=C:\PROGRA~1\WINDOW~1\SETB4.TMP
    C:\WINDOWS\SYSTEM\WMP.DLL=C:\WINDOWS\SYSTEM\SETB3.TMP
    C:\WINDOWS\SYSTEM\WMPLOC.DLL=C:\WINDOWS\SYSTEM\SETB2.TMP
    C:\WINDOWS\SYSTEM\WMVCORE.DLL=C:\WINDOWS\SYSTEM\SETB1.TMP
    C:\WINDOWS\SYSTEM\WMASF.DLL=C:\WINDOWS\SYSTEM\SETB0.TMP

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG
    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    @C:\WINDOWS\tmpcpyis.bat

    --------------------------------------------------

    C:\WINDOWS\DOSSTART.BAT listing:

    LH C:\PROGRA~1\MICROS~5\MOUSE\MOUSE.EXE

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
    (no name) - C:\PROGRAM FILES\COMMON FILES\JUSTDO\JD2002.DLL - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}
    (no name) - C:\PROGRAM FILES\E-BOOK SYSTEMS\FLIPALBUM 5 PRO\FPLAUNCH.DLL - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    PCHealth Scheduler for Data Collection.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [CV3 Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
    CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/mil/en/actsetup.cab

    [ForumChat]
    InProcServer32 = C:\WINDOWS\SYSTEM\MSJAVA.DLL
    CODEBASE = http://objects.compuserve.com/chat/RTCChat.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37593.496087963

    --------------------------------------------------
    End of report, 8,475 bytes
    Report generated in 0.903 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. Pieter_Arntz (Spyware Veteran)
    Joined: Apr 27, 2002 | Posts: 13,332 | Location: Netherlands
    Always a joy to see one of these from someone who takes care of his computer. :)
    Only one entry I can't put my finger on, MRBlaze:
    (no name) - C:\PROGRAM FILES\COMMON FILES\JUSTDO\JD2002.DLL - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}
    Could you please download BHODemon.
    Run it, select the one mentioned above, click Details, select Disable, and please tell me what it reads when you hit More details.
    Then try out whether this stops your little pest from coming back.

    Regards,

    Pieter
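    The triage rule Pieter applies above (a BHO with no display name and an unfamiliar CLSID is the one to look at first) can be automated against a StartupList report. The following Python is an added example, not code from this thread or from StartupList/BHODemon; the sample report is a constructed excerpt in the StartupList format quoted above, and the allow-list holds only the NAV Helper CLSID from that report.

```python
import re
from typing import Dict, List

# Constructed excerpt in the StartupList 1.35 report format quoted in this
# thread: the BHO section is copied from that report, other sections trimmed.
SAMPLE_REPORT = r"""
StartupList report, 12/6/2002, 9:14:59 AM
StartupList version: 1.35.0
==================================================

Running processes:

C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

--------------------------------------------------

Enumerating Browser Helper Objects:

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\PROGRAM FILES\COMMON FILES\JUSTDO\JD2002.DLL - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}
(no name) - C:\PROGRAM FILES\E-BOOK SYSTEMS\FLIPALBUM 5 PRO\FPLAUNCH.DLL - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25}

--------------------------------------------------
End of report, 8,475 bytes
"""

SECTION_SEP = re.compile(r"^[-=]{10,}$")
BHO_LINE = re.compile(
    r"^(?P<name>.*?) - (?P<path>.+) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$"
)

# Allow-list of BHO CLSIDs already accounted for. Only the NAV Helper entry
# from the report above is in it; extend it with whatever you have vetted.
KNOWN_GOOD_CLSIDS = {"{BDF3E430-B101-42AD-A544-FADC6B084872}"}


def split_sections(report: str) -> Dict[str, List[str]]:
    """Split a StartupList report into {section header: non-empty entry lines}.

    Sections are separated by a line of dashes (or the '=' rule after the
    report header); the first line of a section that ends with ':' names it.
    Headers that occur twice (e.g. 'Autorun entries from Registry') are merged.
    """
    sections: Dict[str, List[str]] = {}
    header = None
    for raw in report.splitlines():
        line = raw.strip()
        if SECTION_SEP.match(line):
            header = None            # next ':'-terminated line starts a section
            continue
        if header is None:
            if line.endswith(":"):
                header = line[:-1]
                sections.setdefault(header, [])
            continue                 # preamble lines such as 'StartupList version'
        if line:
            sections[header].append(line)
    return sections


def parse_bhos(lines: List[str]) -> List[Dict[str, str]]:
    """Parse 'name - dll path - {CLSID}' lines from the BHO section."""
    return [m.groupdict() for m in map(BHO_LINE.match, lines) if m]


def triage_bhos(bhos: List[Dict[str, str]], known_good=KNOWN_GOOD_CLSIDS):
    """Flag BHOs that need a closer look: no display name, or a CLSID that is
    not on the allow-list. Each flagged entry carries its reasons."""
    flagged = []
    for bho in bhos:
        reasons = []
        if bho["name"].strip().lower() == "(no name)":
            reasons.append("no display name")
        if bho["clsid"].upper() not in known_good:
            reasons.append("CLSID not on allow-list")
        if reasons:
            flagged.append({**bho, "reasons": reasons})
    return flagged


def triage_report(report: str):
    """Full pipeline: report text -> list of suspicious BHO entries."""
    sections = split_sections(report)
    bho_lines = sections.get("Enumerating Browser Helper Objects", [])
    return triage_bhos(parse_bhos(bho_lines))


if __name__ == "__main__":
    for entry in triage_report(SAMPLE_REPORT):
        print(f"{entry['clsid']}  {entry['path']}  <- {', '.join(entry['reasons'])}")
```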
     
  5. Mike_Healan (Registered Member)
    Joined: Mar 6, 2002 | Posts: 302 | Location: USA
    Blazers, don't remove a thing!!! You have an older, buggy version of Spybot.
    Search & Destroy 1.0 SR1 beta
    Current is Search & Destroy 1.1 rel 3. I'm not sure what the current beta is. I don't get the betas.

    Download the current version and update it first. http://security.kolla.de/
     
  6. Paul Wilders (Administrator)
    Joined: Jul 1, 2001 | Posts: 12,472 | Location: The Netherlands
    Keen eye and nice catch, Mike!

    regards.

    paul
     
  7. Mr.Blaze (The Newbie Welcome Wagon)
    Joined: Feb 3, 2003 | Posts: 2,842 | Location: on the sofa
    Pieter_Arntz, is this what you wanted? I found it with BHODemon:
    IECatcher.dll, sf micromedia flash object, that is from a program called Flash Catcher
    C:\Program Files\Common Files\justDo
    CLSID: {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}
    File Size (bytes): 143360
    Time Accessed: 2002/12/7 0:0:0
    Time Modified: 2002/7/11 17:41:24
    Time Created: 2002/10/7 18:11:51
    Drive Number: 2
    Comments:
    CompanyName: justDo Software
    FileDescription: Jd2002 Module
    FileVersion: 2, 6, 0, 1
    InternalName: Jd2002
    LegalCopyright: Copyright 2002
    LegalTrademarks: 
    OLESelfRegister: $
    OriginalFilename: Jd2002.DLL
    PrivateBuild:
    ProductName: Jd2002 Module
    ProductVersion: 2, 6, 0, 1
    SpecialBuild: $

    Mike and Paul, looking further into the safe.net wb.ini file: it keeps coming back. This might be from a program called WindowBlinds, but I'm not sure. I'll try a new Spybot Search and Destroy.
     
  8. Mr.Blaze (The Newbie Welcome Wagon)
    Joined: Feb 3, 2003 | Posts: 2,842 | Location: on the sofa
    justDo Software seems to be a program called Flash Catcher, lol, I think.
     
  9. Pieter_Arntz (Spyware Veteran)
    Joined: Apr 27, 2002 | Posts: 13,332 | Location: Netherlands
    That's exactly what I was looking for. Thanks.
    That should be this one: http://www.justdosoft.com/
    Looks harmless at first sight. I'll give it a very close look.

    Regards,

    Pieter
     
  10. Pieter_Arntz (Spyware Veteran)
    Joined: Apr 27, 2002 | Posts: 13,332 | Location: Netherlands
    Hi MRBlaze,

    I would get rid of this app. Mind you, just my opinion.
    These are the changes I had to make after installing it:

    Flash Catcher 8-12-2002 12:02:45
    ---------------------------------------
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.SnapFlash.1\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.SnapFlash.1\CLSID\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.SnapFlash\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.SnapFlash\CurVer\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.SnapFlash\CLSID\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.FlashSink.1\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.FlashSink.1\CLSID\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.FlashSink\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.FlashSink\CurVer\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\Jd2002.FlashSink\CLSID\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\IECatcher.Catcher.1\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\IECatcher.Catcher.1\CLSID\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\IECatcher.Catcher\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\IECatcher.Catcher\CurVer\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\IECatcher.Catcher\CLSID\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\VersionIndependentProgID\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\TypeLib\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\ProgID\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\InprocServer32\ThreadingModel ... Ok
    DELETING REGISTRY VALUE: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\InprocServer32\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Save Flash with Flash Catcher\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_USERS\S-1-5-21-1229272821-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACVQY:%pfvqy2%\Synfu Pngpure\Uryc.yax ... Ok
    DELETING REGISTRY VALUE: HKEY_USERS\S-1-5-21-1229272821-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACVQY:%pfvqy2%\Synfu Pngpure\Dhvpx Fgneg.yax ... Ok
    DELETING REGISTRY VALUE: HKEY_USERS\S-1-5-21-1229272821-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:p:\Qbphzragf naq Frggvatf\Cvrgre\Ohernhoynq\qbjaybnq\SynfuPngpure.rkr ... Ok
    DELETING REGISTRY VALUE: HKEY_USERS\S-1-5-21-1229272821-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe\i ... Ok
    DELETING REGISTRY VALUE: HKEY_USERS\S-1-5-21-1229272821-1383384898-1343024091-1003\Software\Microsoft\Internet Explorer\MenuExt\Save Flash with Flash Catcher\(Default) ... Ok
    DELETING REGISTRY VALUE: HKEY_USERS\S-1-5-21-1229272821-1383384898-1343024091-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} ... Ok
    DELETING REGISTRY VALUE: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe\i ... FAILS (already deleted)
    DELETING REGISTRY VALUE: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Save Flash with Flash Catcher\(Default) ... FAILS (already deleted)
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.SnapFlash.1\CLSID ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.SnapFlash.1 ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.SnapFlash\CurVer ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.SnapFlash\CLSID ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.SnapFlash ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.FlashSink.1\CLSID ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.FlashSink.1 ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.FlashSink\CurVer ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.FlashSink\CLSID ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\Jd2002.FlashSink ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\IECatcher.Catcher.1\CLSID ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\IECatcher.Catcher.1 ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\IECatcher.Catcher\CurVer ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\IECatcher.Catcher\CLSID ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\IECatcher.Catcher ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\VersionIndependentProgID ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\TypeLib ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\Programmable ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\ProgID ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}\InprocServer32 ... Ok
    DELETING REGISTRY KEY: HKEY_CLASSES_ROOT\CLSID\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} ... Ok
    DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Rabbit ... Ok
    DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9} ... Ok
    DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} ... ERROR (has sub-keys)
    DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\yourapp.Exe ... Ok
    DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Save Flash with Flash Catcher ... Ok
    DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MenuExt ... Ok
    DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} ... Ok
    DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\justDo Software\FlashCatcher\2.5.000 ... Ok
    DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\justDo Software\FlashCatcher ... Ok
    DELETING REGISTRY KEY: HKEY_LOCAL_MACHINE\SOFTWARE\justDo Software ... Ok
    DELETING REGISTRY KEY: HKEY_USERS\S-1-5-21-1229272821-1383384898-1343024091-1003\Software\Microsoft\Internet Explorer\MenuExt\Save Flash with Flash Catcher ... Ok
    DELETING REGISTRY KEY: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Save Flash with Flash Catcher ... FAILS (key not found)
    RESTORING REGISTRY VALUE: HKEY_CURRENT_USER\SessionInformation\ProgramCount ... Ok
    RESTORING REGISTRY VALUE: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory ... Ok
    RESTORING REGISTRY VALUE: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\NextId ... Ok
    DELETING FILE: C:\Documents and Settings\All Users\Menu Start\Programma's\Flash Catcher\Help.lnk ... Ok
    DELETING FILE: C:\Documents and Settings\All Users\Menu Start\Programma's\Flash Catcher\Quick Start.lnk ... Ok
    DELETING FILE: C:\Documents and Settings\Pieter\Bureaublad\download\FlashCatcher.exe ... Ok
    DELETING FILE: C:\WINDOWS\Prefetch\SETUP.EXE-07EB22CB.pf ... Ok
    DELETING FILE: C:\WINDOWS\Prefetch\FLASHCATCHER.EXE-29D5DA0E.pf ... Ok
    DELETING FILE: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9}\setup.ilg ... Ok
    DELETING FILE: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9}\setup.inx ... Ok
    DELETING FILE: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9}\Setup.ini ... Ok
    DELETING FILE: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9}\Setup.exe ... Ok
    DELETING FILE: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9}\data1.cab ... Ok
    DELETING FILE: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9}\data1.hdr ... Ok
    DELETING FILE: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9}\layout.bin ... Ok
    DELETING FILE: C:\Program Files\Common Files\justDo\sf.swf ... Ok
    DELETING FILE: C:\Program Files\Common Files\justDo\IECatcher.dll ... Ok
    DELETING FILE: C:\Program Files\Common Files\justDo\Jd2002.dll ... ERROR (file open)
    DELETING FILE: C:\Program Files\justDo Software\FlashCatcher\sf.swf ... Ok
    DELETING FILE: C:\Program Files\justDo Software\FlashCatcher\FlashCatcher.chm ... Ok
    DELETING FILE: C:\Program Files\justDo Software\FlashCatcher\IECatcher.gif ... Ok
    DELETING FILE: C:\Program Files\justDo Software\FlashCatcher\QuickStart.htm ... Ok
    DELETING FOLDER: C:\Documents and Settings\All Users\Menu Start\Programma's\Flash Catcher ... Ok
    DELETING FOLDER: C:\Program Files\InstallShield Installation Information\{867AE74B-855F-4ABD-BCA1-7B4C0ECF2DD9} ... Ok
    DELETING FOLDER: C:\Program Files\Common Files\justDo ... ERROR (not empty)
    DELETING FOLDER: C:\Program Files\justDo Software\FlashCatcher ... Ok

    But the main thing is: after disabling the BHO, and without any intention of using the program, this happened after about five minutes. (See attachment)

    Regards,

    Pieter
     

  11. Mr.Blaze (The Newbie Welcome Wagon)
    Joined: Feb 3, 2003 | Posts: 2,842 | Location: on the sofa
    Mine doesn't do that. It only asks for access if I'm trying to use Internet Explorer to get the SWF file from the web page; it becomes active if you're browsing a page with a Flash object.

    Denying it access usually results in a corrupted SWF file.

    That's scary, because ZAP doesn't go off like that when I use Flash Catcher. I have the paid version.

    But if you're really sure, I'll do it, because I absolutely hate spyware.
     
  12. Pieter_Arntz (Spyware Veteran)
    Joined: Apr 27, 2002 | Posts: 13,332 | Location: Netherlands
    I think it's only fair to ask the distributors for an explanation, so I sent them an e-mail.
    Plus I asked some of our security and spyware experts to look into this.
    I'm not absolutely sure, just suspicious. Maybe even paranoid ;) If you like the program and have paid for it, hold onto it for a little while longer and wait for the final judgement.

    Regards,

    Pieter
     
  13. Primrose (Registered Member)
    Joined: Sep 21, 2002 | Posts: 2,743
    Mr Blaze,

    You made this statement at the bottom of your first post.
    _____________
    When I did a search for safe.net, it was in, guess where:
    C:\Program Files\Spybot - Search & Destroy 1.0 SR1 beta\Recovery

    Why do I see all these spyware folders zipped up in there?

    How do I get rid of safe.net?
    __________________

    First, do like Mike says and get the latest version of Spybot.
    Second, that Recovery folder in Spybot is the place it puts all the stuff you have already cleaned off your system to date.

    But.....
    It does not automatically just trash it all. It saves it there by default, just in case you have made a boo-boo and find you want to put it back on your system, any one of them in fact, just like using your trash bin with Windows and telling it to replace that file.

    Now you can clean that puppy out anytime you want by opening up Spybot and hitting that Recovery button on the left-hand side. When you do, each one you have cleaned off so far will be displayed. You will find oodles of them, and even multiples of each.

    By the default setup of Spybot S&D, you can check-mark any one and "recover the product", but you can also go into the advanced settings in Spybot and put an extra button down below in the GUI that will let you "select all items" at once. I have it set that way; otherwise you must select each one every time.

    Now, not only can you recover each one, you can also PURGE any one, or all of them. I purge them all so they do not build up. If you had done that, you would not have found safe.net or anything in there. That is stuff you have already dealt with.

    Now, on this Provaloni Sausage thingie you just found.

    Pieter is right of course, and even though you have the beta, I am sure you just updated your Spybot, because I also had those two entries after the last update, and it is OK to delete them. And if for some reason your SWF go-getter does not work, put it back if you wish. I did not, and everything is still cool.

    Now that you got this new burner, I suspect you are going to be finding lots more programs out there with spyware and loggers. Keep that Spybot handy and hold on to your shorts. Not much free stuff out there does not have some kind of advertising or partner stuff embedded in the software that you download. Free is just a wet dream these days on the NET.
     
  14. Mr.Blaze (The Newbie Welcome Wagon)
    Joined: Feb 3, 2003 | Posts: 2,842 | Location: on the sofa
    Primrose, thx for that clarification. Pieter_Arntz, those are some good questions. Today I caught a different program called Flash Saver Maker wanting internet access. Now why the heck would a program that activates a screen saver for my PC want internet access?
     
  15. Jooske (Registered Member)
    Joined: Feb 12, 2002 | Posts: 9,713 | Location: Netherlands, EU near the sea
    For that reason I don't use any screensavers other than those which come with Windows, if I use any at all.
    Look at the same steps you did above: use your Port Explorer to analyse the wanted connections and your firewall blocking, TDS port listen if you found what/where wants to connect, etc. etc.
     
  16. Mr.Blaze (The Newbie Welcome Wagon)
    Joined: Feb 3, 2003 | Posts: 2,842 | Location: on the sofa
    lol, I'm still waiting for Pieter_Arntz's reply.
    If he says it is in fact spyware, I'm dumping Flash Catcher and getting wicked bad on it, lol.
     
  17. Pieter_Arntz (Spyware Veteran)
    Joined: Apr 27, 2002 | Posts: 13,332 | Location: Netherlands
    Hold on a little longer, MRBlaze.
    We were provided with a full version of your program, which could be quite different from the free one I got.
    I'll leave it in the hands of those far more qualified to test that one. We'll come back to you with the results.

    Regards,

    Pieter
     
  18. UNICRON (Technical Expert)
    Joined: Feb 14, 2002 | Posts: 1,935 | Location: Nanaimo BC Canada
    Good call Pieter, we need to avoid making a mistake here at all costs. False allegations could be very damaging to an honest software developer. I cannot stress enough that we MUST BE SURE, for both ethical and legal reasons.

    Sir BLAZE, do not worry, a definitive answer will be provided shortly. For the reasons stated above, it should be relatively credible ;)

    I sure hope this software is clean; I wouldn't wish an angry BLAZE on my worst enemy :)
     
  19. PepiMK (Registered Member)
    Joined: Mar 6, 2002 | Posts: 43
    I see the Prolivation thing has already been solved, so what's left is the SafeNet thing.
    This wb.ini could be a false positive: WindowBlinds uses a configuration file of the same name. The update after next (the next one is already in beta and will be made public today) will check the contents of the wb.ini file for SafeNet instead of just identifying it by name.
    So if you have WindowBlinds installed, this is a f/p and will be fixed in a few days :)

    edit: some words about FlashCatcher: I just installed it and did some packet sniffing. When I saved a flash file, it also connected twice to 202.96.122.82 - that is justdosoft.com. The requested page was /FlashCatcher/log.asp=UserID=''&url='http:/.....swf'.
    As you can see, the UserID field is currently empty, but it is there. Does that mean they are not logging currently, or that they are only logging the downloads registered users make?
     
  20. Mr.Blaze (The Newbie Welcome Wagon)
    Joined: Feb 3, 2003 | Posts: 2,842 | Location: on the sofa
    Hmmmmmm, thx Pepi, way cool. Hey, I heard you made screen savers on the TV show the other day, so now you're famous. Must look nice on a job application now.
     