giveawayoftheday.com

I saw the site mentioned earlier in another thread.

www.giveawayoftheday.com, so I've downloaded two freebies for today and decided to run the Zsoft app before and after running Activate.exe. Below is the log.

FILE ADDED! C:\WINDOWS\Prefetch\ACTIVATE.EXE-21FBCE9F.pf

REG ADDED! HKLM SOFTWARE\3Planesoft

REG ADDED! HKLM SOFTWARE\3Planesoft\Earth 3D Screensaver

REG ADDED! HKLM SOFTWARE\3Planesoft\Earth 3D Screensaver RegisteredTo "3: Registered to: Giveawayoftheday"

REG ADDED! HKLM SOFTWARE\3Planesoft\Earth 3D Screensaver RegName "3: Giveawayoftheday"

REG ADDED! HKLM SOFTWARE\3Planesoft\Earth 3D Screensaver SerNum "3: fireryone-Hid-His-Serial-Number"

REG ADDED! HKLM SOFTWARE\Microsoft\Cryptography\RNG Seed bin:YmHEjamdKVq9CoCClJrijdQ8SSu+[output cut]=

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\HistoricalCapture capture_component_indexer_stats bin:RgAAAFEAAAAEAAAAAA[output cut]

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\Status blt_count_slp int:1524174

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\Status dib_count_slp int:2411560

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\Status dib_msec_slp int:423267

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\MSNMessenger\SQM SessionTime int:25740

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Narrator CurrentPitch int:26935301

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 0003022b bin:BgAAAA==

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 0003031f bin:BgAAAA==

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 00030398 bin:AgAAAA==

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 101f031e bin:CgAAACwAAABOAAA[output cut]=

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 1102022a bin:CgAAAMQAAABUAAAAxAAA[output cut]==

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU bin:rAAAAFQXAAAwyCOKm2PHAQ==

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:G:\FperraFniref\Rnegu3QFperrafnire\Npgvingr.rkr bin:rAAAAAYAAAAwyCOKm2PHAQ==

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings bin:RgAAACssAAABAAAAAAAA[output cut]

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache T:\ScreenSavers\Earth3DScreensaver\Activate.exe "Activate"

REG DELETED! HKLM SOFTWARE\Microsoft\Cryptography\RNG Seed bin:kPagJN8FxKzxDzcfOm8S5FPL8nwPnFoczpZ3/7l[output cut]=

REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\HistoricalCapture capture_component_indexer_stats bin:RgAAAFEAAAAEAAAAAAAAADMAAAD[output cut]

REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\Status blt_count_slp int:1524109

REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\Status dib_count_slp int:2411495

REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\Status dib_msec_slp int:423250

REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\MSNMessenger\SQM SessionTime int:25440

REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Narrator CurrentPitch int:34209797

REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 0003022b bin:BwAAAA==

REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 0003031f bin:BwAAAA==

REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 00030398 bin:AQAAAA==

REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 101f031e bin:CgAAACwAAABOAAAAVgAAAGYA[output cut]=

REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 1102022a bin:CgAAAMQAAABUAAAAxAAAABgBAADEAAA[output cut]==

REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU bin:rAAAAFMXAABw0b/DmmPHAQ==

REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings bin:RgAAACosAAABAAAAAAAAAAAA[output cut]

Note: The screensaver is not installed at this point; only the registration is activated.

I don't see anything nasty, though I'm not yet an expert at reading these. I expect all those other unrelated entries must have been added by the various things I had running during the analysis.

The file is located on my T partition, and I've cut short some of the long strings.

If you want to see the Zsoft log of "after installing the screensaver", let me know and I'll dig it up.
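As an added example (not part of the original post and not Zsoft's own code), the script below does by machine what the post does by eye: it parses the REG ADDED!/REG DELETED! lines, pairs the two halves on key and value name so that entries which only changed value (the Google Desktop counters, the MSN Messenger SQM timer, the Outlook profile values, the RNG seed) are reported as background churn rather than as something Activate.exe did, and flags the genuinely new keys that mention the program under test. It also decodes the UserAssist entry, which Windows XP stores with a ROT13 value name and a 16-byte session/count/FILETIME blob whose count is five higher than the real run count; that XP layout and the subject keywords "3Planesoft"/"Activate" are assumptions of the example. The sample lines are reproduced, abbreviated, from the log above.

```python
"""Triage a Zsoft Uninstaller before/after log (added example, not Zsoft's or the poster's code).

A value present in both the ADDED and DELETED halves merely changed while the
analysis ran (counters kept by other running software); the genuinely new keys
are ADDED lines with no DELETED twin.  The UserAssist entry is decoded as
Windows XP stores it (assumption): ROT13 name, <session u32><count u32><FILETIME u64>,
with the stored count 5 higher than the real number of runs.
"""
import base64
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Lines reproduced (abbreviated) from the Zsoft log in the post above.
SAMPLE_LOG = r"""
FILE ADDED! C:\WINDOWS\Prefetch\ACTIVATE.EXE-21FBCE9F.pf
REG ADDED! HKLM SOFTWARE\3Planesoft
REG ADDED! HKLM SOFTWARE\3Planesoft\Earth 3D Screensaver RegName "3: Giveawayoftheday"
REG ADDED! HKLM SOFTWARE\Microsoft\Cryptography\RNG Seed bin:YmHEjamdKVq9CoCClJrijdQ8SSu+[output cut]=
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\Status blt_count_slp int:1524174
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 0003022b bin:BgAAAA==
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:G:\FperraFniref\Rnegu3QFperrafnire\Npgvingr.rkr bin:rAAAAAYAAAAwyCOKm2PHAQ==
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache T:\ScreenSavers\Earth3DScreensaver\Activate.exe "Activate"
REG DELETED! HKLM SOFTWARE\Microsoft\Cryptography\RNG Seed bin:kPagJN8FxKzxDzcfOm8S5FPL8nwPnFoczpZ3/7l[output cut]=
REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\Status blt_count_slp int:1524109
REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 0003022b bin:BwAAAA==
"""

# action, optional hive, key path (may contain spaces), optional "name data" tail
LINE_RE = re.compile(
    r'^(REG|FILE) (ADDED|DELETED)! (?:(HKLM|HKCU|HKU|HKCR) )?(.*?)'
    r'(?: (\S+) ("[^"]*"|bin:\S+|int:\S+))?$'
)
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_line(line):
    """Return (kind, action, key, value_name, raw_data) or None for non-log text."""
    m = LINE_RE.match(line.strip().replace("[output cut]", "<cut>"))
    if not m:
        return None
    kind, action, hive, path, name, data = m.groups()
    return kind, action, (f"{hive}\\{path}" if hive else path), name, data

def decode_data(data):
    """int:/bin:/quoted-string tokens to Python values; truncated blobs stay tagged."""
    if data is None:
        return None
    if data.startswith("int:"):
        return int(data[4:])
    if data.startswith("bin:"):
        return ("truncated", data[4:]) if "<cut>" in data else base64.b64decode(data[4:])
    return data.strip('"')

def mentions(key, name, keywords):
    """True if the key or value name refers to the program under analysis."""
    hay = f"{key} {name or ''}"
    if name and "UserAssist" in key:          # value name is ROT13 there
        hay += " " + codecs.decode(name, "rot_13")
    hay = hay.lower()
    return any(w.lower() in hay for w in keywords)

def diff_log(text, subject_keywords=()):
    """Pair ADDED/DELETED on (key, value name); return files/new/removed/modified."""
    added, deleted, files = {}, {}, []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        kind, action, key, name, data = parsed
        if kind == "FILE":
            files.append((action, key))
        else:
            (added if action == "ADDED" else deleted)[(key, name)] = decode_data(data)
    out = {"files": files, "new": [], "removed": [], "modified": []}
    for k in sorted(added.keys() | deleted.keys(), key=lambda k: (k[0], k[1] or "")):
        ours = mentions(k[0], k[1], subject_keywords)
        if k in added and k in deleted:       # same value, new data: background churn
            out["modified"].append((k, deleted[k], added[k], ours))
        elif k in added:
            out["new"].append((k, added[k], ours))
        else:
            out["removed"].append((k, deleted[k], ours))
    return out

def decode_userassist(value_name, blob, xp_count_offset=5):
    """ROT13 name plus <session u32><count u32><FILETIME u64> (Windows XP layout)."""
    session, count, filetime = struct.unpack("<IIQ", blob)
    return {
        "name": codecs.decode(value_name, "rot_13"),
        "session": session,
        "runs": count - xp_count_offset,
        "last_run_utc": WINDOWS_EPOCH + timedelta(microseconds=filetime // 10),
    }

if __name__ == "__main__":
    report = diff_log(SAMPLE_LOG, subject_keywords=("3Planesoft", "Activate"))
    for bucket in ("new", "modified"):
        for entry in report[bucket]:
            print(bucket.upper(), "subject" if entry[-1] else "other  ", entry[0])
```

Run on this sample it reports four new entries, all attributable to the activator (the two 3Planesoft keys, the MUICache entry and the UserAssist entry, which decodes to UEME_RUNPATH:T:\ScreenSavers\Earth3DScreensaver\Activate.exe with one run, last run on 11 March 2007 UTC), and three modified entries, none attributable: the Outlook value went from 7 to 6, the Google Desktop counter ticked up, and the RNG seed is only truncated data. Feeding the full log to diff_log() gives the same split for every line.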


Google Activate.exe and you get things like this:

ACTIVATE.EXE - Trojan.WinAntiSpyware/WinAntiVirus 2006.Process.

WinAntiVirus2006, Adult Personal ads, among other things


WinAntiVirus2006 I've experienced first hand.

Not very pleasant, so I hope you have a different Activate.exe from this one.

;)


I have a question for you. In this entry:

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\HistoricalCapture capture_component_indexer_stats bin:RgAAAFEAAAAEAAAAAA[output cut]

See the part that says bin: then a string of text? It says [output cut]. Did you put that bracketed part saying output cut, or did that line go on for several lines? I ask because I installed a program the other day and used Zsoft Uninstaller to track it. When I looked at the log it had a similar entry to yours, but the string of text after bin: was 6 lines long. There were two sections like this, one for REG ADDED and another for REG DELETED.

It wouldn't hurt to scan the screensaver setup file with VirusTotal or Jotti.


The activate.exe is a standard part of the GOTD free software downloads; it's just the activation program that activates the software for free (usually it has to be run before installing the actual program).


Yes I cut the output, it was just too long to bother posting the whole string.

It wouldn't hurt to scan the screensaver setup file with VirusTotal or Jotti.

== Jotti ==

File: Activate.exe Status: OK

MD5 a90a707de5e36d8e92231e93cd6c56ff Packers detected: -

Scanner results Scan taken on 12 Mar 2007 10:01:27 (GMT)

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found nothing

Fortinet Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

Panda Antivirus Found nothing

VirusBuster Found nothing

VBA32 Found nothing

== Virus Total ==

Antivirus      Version          Update      Result
AntiVir        7.3.1.41         03.12.2007  no virus found
Authentium     4.93.8           03.09.2007  no virus found
Avast          4.7.936.0        03.11.2007  no virus found
AVG            7.5.0.447        03.12.2007  no virus found
BitDefender    7.2              03.12.2007  no virus found
CAT-QuickHeal  9.00             03.10.2007  no virus found
ClamAV         devel-20060426   03.12.2007  no virus found
DrWeb          4.33             03.11.2007  no virus found
eSafe          7.0.14.0         03.11.2007  no virus found
eTrust-Vet     30.6.3471        03.12.2007  no virus found
Ewido          4.0              03.11.2007  no virus found
FileAdvisor    1                03.12.2007  no virus found
Fortinet       2.85.0.0         03.12.2007  no virus found
F-Prot         4.3.1.45         03.09.2007  no virus found
F-Secure       6.70.13030.0     03.11.2007  no virus found
Ikarus         T3.1.1.3         03.12.2007  no virus found
Kaspersky      4.0.2.24         03.12.2007  no virus found
McAfee         4981             03.09.2007  no virus found
Microsoft      1.2306           03.12.2007  no virus found
NOD32v2        2108             03.12.2007  no virus found
Norman         5.80.02          03.10.2007  no virus found
Panda          9.0.0.4          03.12.2007  Suspicious file
Prevx1         V2               03.12.2007  no virus found
Sophos         4.15.0           03.10.2007  no virus found
Sunbelt        2.2.907.0        03.10.2007  no virus found
Symantec       10               03.12.2007  no virus found
TheHacker      6.1.6.074        03.12.2007  no virus found
UNA            1.83             03.11.2007  no virus found
VBA32          3.11.2           03.12.2007  no virus found
VirusBuster    4.3.19:9         03.11.2007  no virus found

Additional information:
File size: 144534 bytes
MD5: a90a707de5e36d8e92231e93cd6c56ff
SHA1: 37c3a86f836f590f80d1fcbf5cc4d7446a08b973

There, overall quite possibly safe.


fieryone, I am more than happy to have been wrong, but the name "Activate.exe" rang an immediate bell.

Unfortunately, not everything with that name is benign.

:)

That's all right, it's better to be safe than sorry.

I ran the file without checking that; I've gotten to trust NOD32's active system monitor, maybe a little too much :lol:.

By the way, that was a scan of activate.exe, not the setup file.

I have since done a scan of the setup files with NOD32 and nothing turned up.

It may turn into quite an interesting site, seeing they haven't bundled anything (noticeable) into the packages.

As soon as I saw the giveawayoftheday.com heading, I immediately thought of asking someone to check that activate.exe file with Zsoft.

Supposedly, what that exe file does is ensure that you can only load the program one time. What I don't understand is why they have to issue an exe file and not a registration code. The only questionable strings I see are those that have to do with Outlook and Windows Messaging.

Personally I wouldn't download any file that needs an activation key unless it came from a familiar site. It's interesting that Siteadvisor still doesn't have any information on giveawayoftheday.com.

I'd say the reason for using an exe instead of a registration code is that it really is "only free to install today", not on another machine on a different day.