A slight problem has occurred with a downloader called Slingshot from Tenebril Software, the makers of GhostSurf, a supposedly spyware-free product, and allegedly an anti-spyware company. The brief details are explained at these 2 links: http://66.246.16.46/forums/viewthread.php?tid=12603 and http://www.karlsforums.com/forums/viewthread.php?tid=12826&page=1

Now, not believing that a respected company could include spyware in its products, and disbelieving the other forum users, I tried it out myself. This is a copy from the Spybot log:

7FaSSt: IE toolbar (Registry value, nothing done) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{669695BC-A811-4A9D-8CDF-BA8C795F261C}
7FaSSt: Class (Registry key, nothing done) HKEY_CLASSES_ROOT\KBBar.KBBarBand.1
7FaSSt: Class (Registry key, nothing done) HKEY_CLASSES_ROOT\KBBar.KBBarBand
7FaSSt: Class ID (Registry key, nothing done) HKEY_CLASSES_ROOT\CLSID\{669695BC-A811-4A9D-8CDF-BA8C795F261C}
7FaSSt: Interface (Registry key, nothing done) HKEY_CLASSES_ROOT\Interface\{38493F7F-2922-4C6C-9A9A-8DA2C940D0EE}
7FaSSt: Type lib (Registry key, nothing done) HKEY_CLASSES_ROOT\TypeLib\{3277CD27-4001-4EF8-9D96-C6CA745AC2F9}
7FaSSt: Typelib (Registry key, nothing done) HKEY_CLASSES_ROOT\Typelib\{37686C62-D497-42E3-BAAB-78D89A74E151}

In the links above are Ad-Aware logs showing the same. All I did was download Slingshot to a completely clean computer, so I can guarantee that any entries came from this program. Either Spybot and Ad-Aware, along with every other source on the net, are wrong in their ID of this 7search hijacker, or Tenebril have used a CLSID that is used by 7search. Tenebril insist that no spyware is in any of their products. Are they doing a Gator and redefining spyware, or are all the anti-spyware companies wrong? Would one of the more expert users on this forum like to look into it and let me know if Tenebril are wrong in their statement about spyware-free products, or whether all the anti-spyware companies are wrong?
Hi Derek, I just installed Slingshot (downloaded from the Tenebril site) and scanned with Ad-Aware and Spybot S&D, and came up clean on both counts. Can you confirm that you used the same download location? I attached the Total Uninstall log of the changes made to the registry during the install. Regards, Pieter
Hi Pieter, yes, I can confirm I downloaded Slingshot direct from the Tenebril site. Immediately after I downloaded it I rebooted and did a search for a file using Slingshot to check it out. I didn't download anything, just searched for Movie Maker from M$, and then ran a HJT log (attached), which clearly shows:

O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\Program Files\Slingshot\ties\dlIE.dll
O3 - Toolbar: Slingshot - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Program Files\Slingshot\ties\

The O2 CLSID comes up as GhostSurf IETIE.dll in all searches, a goodie. The O3 comes up as powerstrip.dll, a known baddie. Perhaps this is why Ad-Aware and Spybot find 7search. I know the computer was completely clean of all spyware etc. before downloading Slingshot. I hope it is because the CLSIDs are wrong in Slingshot that this problem is occurring.
Pieter, I do not understand this. I just installed Slingshot again, but this time used Total Uninstall to monitor. On install nothing bad showed, and Total Uninstall doesn't show any baddies. I ran a HJT log and an Ad-Aware scan, and they were clean. Then I started Slingshot and initialised it as they said, ran a HJT log and Ad-Aware again, and all the 7search baddies appeared in the logs. What the hell is going on?
Hi Derek, can you get an MD5 for your slingshot-install.exe? Mine has: 30D46A1469C25C0AAA99F20B2ADDC320. If they are the same I will try to install it again, reboot and use it. Regards, Pieter
Hi Derek, indeed you need to start the application before the toolbar and the BHO get added. The odd thing is that no files get detected, only registry keys. Another thing I observed: it only asks for access when you fill out a search, and then it contacts CNET (download.com) and Tucows. The chances of getting a duplicate CLSID are too slim to ignore. I'll do some more investigating. Regards, Pieter
Thanks Pieter, then it isn't just me and the 2 users on the other forum having problems. Do you think it's spyware or just false positives with the same CLSID numbers? As you say, it's only registry entries; no files seem to be added.
Hi Derek, I am not a firm believer in coincidence. The BHO being the same as GhostSurf's, by the same company, is easy to explain. But the 7FaSSt CLSIDs (mind you, four of them) are remarkable to say the least. I have added both the BHO and the Toolbar as O to the lists, pending investigation. Regards, Pieter
Thanks Pieter, keep me posted. Normally I prefer to submit info like this by email or private message in case I have the info wrong, but in this case it seemed so strange that an "anti-spyware" company should have any sort of possible spyware entries within its products that it warranted a wider audience for discussion at least. As you say, it's a remarkable coincidence at the least if all 4 CLSID entries correspond to known spyware: 3 as 7FaSSt search and one as Gator/GAIN. I understand that one of the forum users mentioned contacted the company, who responded by email (that has been posted in the forum links above) and said that there definitely is no spyware in the application, but couldn't or wouldn't explain where the entries come from. Thanks for the work you have put in on this for me. Regards, Derek
My pleasure Derek, I like digging into this sort of thing. You always come out having learned something. Regards, Pieter
Pieter, this is a paste of an email received by one of the users who had problems with Slingshot. It comes from the developers of Slingshot and seems to explain the reason why the spyware is detected:

Thanks so much for getting back to me, and thanks for posting my message to the forum. I have some good news for you (which I hope you will post as well) -- from reading the forum, it's clear to me why Slingshot is being detected by these anti-spyware systems. In order to intercept downloads (i.e. when the user clicks on a link in Internet Explorer) Slingshot installs a Browser Helper Object (BHO), which is a DLL that Internet Explorer loads each time it starts. The BHO architecture is one way to extend Internet Explorer, and it's used by many software products (including spyware, since it gives software a window into your surfing). Each BHO registers itself with IE using a unique identifier called a CLSID, which is mentioned in the thread. Because this CLSID is unique, anti-spyware software can search for CLSIDs which are known to be associated with spyware BHOs. Unfortunately for us, the Slingshot BHO was created from a demo BHO which shows how to connect to Internet Explorer for accelerating downloads. This same demo has been used by the authors of the spyware you mentioned, and so its CLSID is now recognized as spyware. This will cause alerts for other download accelerators as well which share this CLSID; I believe ReGet will trigger it, although I haven't checked myself. Ultimately this is our fault for not changing the CLSID when we published Slingshot. I'll look into getting it changed for the next release, and in the meantime I'll put an article in our Knowledge Base which describes this problem. I'm sorry for all the concern this has caused in the forum. I can definitely appreciate the concerns of the people there, as I definitely like to keep an eye on my own system and would hate to have software spying on me. Best wishes for your weekend.
Please let me know if I can be of any further assistance. Sincerely, Christian Carrillo, Tenebril Inc.

So perhaps we can assume that it's sorted now. Looks like they did a Microsoft and released it without proper testing.
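The email above makes the point that anti-spyware scanners key on the CLSID a BHO or toolbar registers under, and the HJT lines earlier in the thread show that a CLSID hit and the DLL path behind it can disagree (a Slingshot path under a CLSID the scanners attribute to 7FaSSt). The script below is an added example, not code from the thread, from Tenebril, or from Spybot/Ad-Aware/HijackThis: it extracts the GUIDs from HijackThis O2/O3 lines and Spybot-style registry paths, looks them up in a blocklist, and reports the module path alongside the match so the analyst can see which file actually registered the identifier. The blocklist and the sample log are constructed from the GUIDs quoted in this thread and are assumptions for illustration; a real scanner would load a maintained list.

```python
"""Flag blocklisted CLSIDs/GUIDs in HijackThis and Spybot-style log lines.

Added example, not code from the forum thread or from any of the tools named in it.
"""
import re

# A GUID in braces, as it appears in registry paths and HijackThis lines.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# HijackThis O2 (BHO) and O3 (IE toolbar) line layout, as quoted in the thread:
#   O2 - BHO: (no name) - {CLSID} - C:\...\x.dll
#   O3 - Toolbar: Name - {CLSID} - C:\...\
HJT_RE = re.compile(
    r"^(?P<code>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[^}]+\}) - (?P<path>.*)$"
)

# Constructed blocklist (assumption for this example): the GUIDs the thread says
# Spybot S&D labels "7FaSSt". Keys are upper-case; registry GUIDs are case-insensitive.
BLOCKLIST = {
    "{669695BC-A811-4A9D-8CDF-BA8C795F261C}": "7FaSSt: IE toolbar / Class ID",
    "{38493F7F-2922-4C6C-9A9A-8DA2C940D0EE}": "7FaSSt: Interface",
    "{3277CD27-4001-4EF8-9D96-C6CA745AC2F9}": "7FaSSt: Type lib",
    "{37686C62-D497-42E3-BAAB-78D89A74E151}": "7FaSSt: Typelib",
}

# Constructed sample log: the two HJT lines and two Spybot registry paths from the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\Program Files\Slingshot\ties\dlIE.dll
O3 - Toolbar: Slingshot - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Program Files\Slingshot\ties\
HKEY_CLASSES_ROOT\Interface\{38493F7F-2922-4C6C-9A9A-8DA2C940D0EE}
HKEY_CLASSES_ROOT\CLSID\{669695BC-A811-4A9D-8CDF-BA8C795F261C}
""".strip().splitlines()


def guids_in(line):
    """Every GUID on the line, normalised to upper case for blocklist lookup."""
    return [g.upper() for g in GUID_RE.findall(line)]


def parse_hjt(line):
    """Split an O2/O3 HijackThis line into its fields; None if the line is not one."""
    m = HJT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["clsid"] = fields["clsid"].upper()
    return fields


def classify(line):
    """Return a finding if a GUID on the line is blocklisted, else None.

    A CLSID hit only says the identifier is shared with a known toolbar; the
    module path (present on HJT lines) shows which file registered it, so the
    finding carries both and leaves the verdict to the analyst.
    """
    hits = [g for g in guids_in(line) if g in BLOCKLIST]
    if not hits:
        return None
    finding = {
        "line": line.strip(),
        "clsid": hits[0],
        "label": BLOCKLIST[hits[0]],
        "kind": None,
        "path": None,
    }
    hjt = parse_hjt(line)
    if hjt:
        finding["kind"] = hjt["kind"]
        finding["path"] = hjt["path"]
    return finding


def scan(lines):
    """Run classify over every line and return the findings in log order."""
    return [f for f in (classify(l) for l in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        where = f"loaded from {f['path']}" if f["path"] else "registry key only"
        print(f"{f['label']:<32} {f['clsid']}  {where}")
```

On the constructed sample the GhostSurf/Slingshot BHO line is not flagged (its CLSID is not on the list), while the toolbar line and both registry paths are, and the toolbar finding shows the Slingshot directory as the registering module, which is exactly the mismatch the thread is arguing about.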
Hi Derek, I'm not quite satisfied. It's not the BHO setting off the alarms, but the toolbar. And as for ReGet: http://www.sysinfo.org/bholist.php?filter=reget&count=&type= I'll see if I can get my hands on the Powerstrip file. Regards, Pieter
This may be the wrong forum, but I have encountered GhostSurf on our network, and I am trying to find a way to prevent it from working. I am the Tech Director for a small school district, and some students have figured out how to use GS to look at porn on campus... We have a proxy server, and force all port 80 traffic to validate through it first via the PIX firewall. Somehow GS changes the proxy address to <local> and bypasses this rule. We have most other ports blocked, and I am stumped. Any help would be much appreciated. Thanks - Jon
Answering my own question... This may be the solution: it looks like GhostSurf operates on 127.0.0.1:7212. I thought we had that one blocked, but I will check in the morning... If you answer your own posts, aren't you just talking to yourself?