fireryone Posted March 11, 2007

I saw the site mentioned earlier in another thread: www.giveawayoftheday.com. So I've downloaded two freebies for today and decided to run the Zsoft app Before n After running Activate.exe. Below is the log.

FILE ADDED! C:\WINDOWS\Prefetch\ACTIVATE.EXE-21FBCE9F.pf
REG ADDED! HKLM SOFTWARE\3Planesoft
REG ADDED! HKLM SOFTWARE\3Planesoft\Earth 3D Screensaver
REG ADDED! HKLM SOFTWARE\3Planesoft\Earth 3D Screensaver RegisteredTo "3: Registered to: Giveawayoftheday"
REG ADDED! HKLM SOFTWARE\3Planesoft\Earth 3D Screensaver RegName "3: Giveawayoftheday"
REG ADDED! HKLM SOFTWARE\3Planesoft\Earth 3D Screensaver SerNum "3: fireryone-Hid-His-Serial-Number"
REG ADDED! HKLM SOFTWARE\Microsoft\Cryptography\RNG Seed bin:YmHEjamdKVq9CoCClJrijdQ8SSu+[output cut]=
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\HistoricalCapture capture_component_indexer_stats bin:RgAAAFEAAAAEAAAAAA[output cut]
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\Status blt_count_slp int:1524174
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\Status dib_count_slp int:2411560
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\Status dib_msec_slp int:423267
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\MSNMessenger\SQM SessionTime int:25740
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Narrator CurrentPitch int:26935301
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 0003022b bin:BgAAAA==
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 0003031f bin:BgAAAA==
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 00030398 bin:AgAAAA==
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 101f031e bin:CgAAACwAAABOAAA[output cut]=
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 1102022a bin:CgAAAMQAAABUAAAAxAAA[output cut]==
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU bin:rAAAAFQXAAAwyCOKm2PHAQ==
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:G:\FperraFniref\Rnegu3QFperrafnire\Npgvingr.rkr bin:rAAAAAYAAAAwyCOKm2PHAQ==
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings bin:RgAAACssAAABAAAAAAAA[output cut]
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache T:\ScreenSavers\Earth3DScreensaver\Activate.exe "Activate"
REG DELETED! HKLM SOFTWARE\Microsoft\Cryptography\RNG Seed bin:kPagJN8FxKzxDzcfOm8S5FPL8nwPnFoczpZ3/7l[output cut]=
REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\HistoricalCapture capture_component_indexer_stats bin:RgAAAFEAAAAEAAAAAAAAADMAAAD[output cut]
REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\Status blt_count_slp int:1524109
REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\Status dib_count_slp int:2411495
REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\Status dib_msec_slp int:423250
REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\MSNMessenger\SQM SessionTime int:25440
REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Narrator CurrentPitch int:34209797
REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 0003022b bin:BwAAAA==
REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 0003031f bin:BwAAAA==
REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 00030398 bin:AQAAAA==
REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 101f031e bin:CgAAACwAAABOAAAAVgAAAGYA[output cut]=
REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlooka0d020000000000c000000000000046 1102022a bin:CgAAAMQAAABUAAAAxAAAABgBAADEAAA[output cut]==
REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU bin:rAAAAFMXAABw0b/DmmPHAQ==
REG DELETED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings bin:RgAAACosAAABAAAAAAAAAAAA[output cut]

Note: The screensaver is not installed at this point; only the registration is activated. I don't see anything nasty, though I'm not yet an expert at reading these. I expect all those other unrelated entries must have been added by the various things I had running during the analysis. The file is located on my T partition and I've cut short some of the long strings. If you want to see the Zsoft log of "after installing the screensaver" let me know and I'll dig it up.

fireryone
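One way to triage a before/after log like the one above, added here as an example that is not part of the original post or of the Zsoft tool: it parses the REG ADDED!/REG DELETED! lines, sets aside keys that Windows and resident programs rewrite on their own, and decodes the ROT13-encoded UserAssist entry to show which program Explorer recorded as run. The shortened sample log, the NOISE list and the classify_log function are constructed for this example.

```python
import re
import codecs

# Constructed sample in the "REG ADDED! / REG DELETED!" format of the Zsoft log
# posted above (long bin: strings cut, as in the post).
SAMPLE_LOG = r"""FILE ADDED! C:\WINDOWS\Prefetch\ACTIVATE.EXE-21FBCE9F.pf
REG ADDED! HKLM SOFTWARE\3Planesoft\Earth 3D Screensaver RegName "3: Giveawayoftheday"
REG ADDED! HKLM SOFTWARE\Microsoft\Cryptography\RNG Seed bin:YmHEjamdKVq9[cut]=
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\Status blt_count_slp int:1524174
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:G:\FperraFniref\Rnegu3QFperrafnire\Npgvingr.rkr bin:rAAAAAYAAAAwyCOKm2PHAQ==
REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache T:\ScreenSavers\Earth3DScreensaver\Activate.exe "Activate"
REG DELETED! HKLM SOFTWARE\Microsoft\Cryptography\RNG Seed bin:kPagJN8FxKzx[cut]=
"""

# Keys Windows and resident apps rewrite on their own (assumed list); entries
# under them say nothing about what the installer did.
NOISE = {
    r"\Cryptography\RNG Seed": "CryptoAPI reseeds this whenever any process uses the RNG",
    r"\Google\Google Desktop": "Google Desktop indexer counters",
    r"\MSNMessenger\SQM": "MSN Messenger session statistics",
    r"\Windows Messaging Subsystem\Profiles": "Outlook profile counters",
    r"\Internet Settings\Connections": "WinInet connection settings refresh",
    r"\Microsoft\Narrator": "Narrator settings",
}
ENTRY_RE = re.compile(r"^(FILE|REG) (ADDED|DELETED)! (.*)$")
USERASSIST_RE = re.compile(r"\\UserAssist\\\{[0-9A-F-]+\}\\Count (\S+)")

def classify_log(text):
    """Split a Zsoft log into app entries, background noise and executed programs."""
    report = {"app": [], "noise": [], "executed": []}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, action, rest = m.groups()
        ua = USERASSIST_RE.search(rest)
        if ua:
            # Explorer stores UserAssist value names ROT13-encoded; the
            # UEME_RUNPATH:<path> entry names the program that was run.
            name = codecs.decode(ua.group(1), "rot13")
            if ":" in name:
                report["executed"].append(name.split(":", 1)[1])
            continue
        reason = next((why for pat, why in NOISE.items() if pat in rest), None)
        if reason:
            report["noise"].append((f"{kind} {action}", rest, reason))
        else:
            report["app"].append((f"{kind} {action}", rest))
    return report
```

Run against the sample, the 3Planesoft keys, the Prefetch file and the MUICache entry remain as installer-attributable, and the decoded UserAssist entry shows T:\ScreenSavers\Earth3DScreensaver\Activate.exe as the program that ran.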
DennisD (Moderator) Posted March 11, 2007

> www.giveawayoftheday.com so I've downloaded two freebies for today and decided to run the Zsoft app Before n After running Activate.exe

Google Activate.exe and you get things like this:

ACTIVATE.EXE - Trojan.WinAntiSpyware/WinAntiVirus 2006.Process. WinAntiVirus2006, Adult Personal ads, among other things. Web page here: WinAntiVirus2006.

I've experienced WinAntiVirus2006 first hand. Not very pleasant, so I hope you have a different Activate.exe to this one.
Anthony A Posted March 11, 2007

> I saw the site mentioned earlier in another thread: www.giveawayoftheday.com. So I've downloaded two freebies for today and decided to run the Zsoft app Before n After running Activate.exe. Below is the log.
>
> Note: The screensaver is not installed at this point; only the registration is activated. I don't see anything nasty, though I'm not yet an expert at reading these. I expect all those other unrelated entries must have been added by the various things I had running during the analysis. The file is located on my T partition and I've cut short some of the long hash strings. If you want to see the Zsoft log of "after installing the screensaver" let me know and I'll dig it up.

I have a question for you. In this entry:

REG ADDED! HKU S-1-5-21-682003330-412668190-2146912999-1003\Software\Google\Google Desktop\HistoricalCapture capture_component_indexer_stats bin:RgAAAFEAAAAEAAAAAA[output cut]

See the part that says bin: then a string of text? It says [output cut]. Did you put that bracketed part saying output cut, or did that line go on for several lines? I ask because I installed a program the other day and used Zsoft Uninstaller to track it. When I looked at the log it had a similar entry to yours, but the string of text after bin: was 6 lines long. There were two sections like this, one for REG added and another for REG deleted.
Andavari (Moderator) Posted March 11, 2007

It wouldn't hurt to scan the screensaver setup file with VirusTotal or Jotti.
JDPower Posted March 12, 2007

> Google Activate.exe and you get things like this:
>
> ACTIVATE.EXE - Trojan.WinAntiSpyware/WinAntiVirus 2006.Process. WinAntiVirus2006, Adult Personal ads, among other things. Web page here: WinAntiVirus2006.
>
> I've experienced WinAntiVirus2006 first hand. Not very pleasant, so I hope you have a different Activate.exe to this one.

The activate.exe is a standard part of the GOTD free software downloads; it's just the activation program to activate the software for free (usually has to be run before installing the actual program).
fireryone (Author) Posted March 12, 2007

> See the part that says bin: then a string of text? It says [output cut]. Did you put that bracketed part saying output cut, or did that line go on for several lines? I ask because I installed a program the other day and used Zsoft Uninstaller to track it. When I looked at the log it had a similar entry to yours, but the string of text after bin: was 6 lines long. There were two sections like this, one for REG added and another for REG deleted.

Yes, I cut the output; it was just too long to bother posting the whole string.

fireryone
fireryone (Author) Posted March 12, 2007

> It wouldn't hurt to scan the screensaver setup file with VirusTotal or Jotti.

== Jotti ==

File: Activate.exe
Status: OK
MD5: a90a707de5e36d8e92231e93cd6c56ff
Packers detected: -

Scanner results (scan taken on 12 Mar 2007 10:01:27 (GMT)):
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

== Virus Total ==

Antivirus       Version          Update      Result
AntiVir         7.3.1.41         03.12.2007  no virus found
Authentium      4.93.8           03.09.2007  no virus found
Avast           4.7.936.0        03.11.2007  no virus found
AVG             7.5.0.447        03.12.2007  no virus found
BitDefender     7.2              03.12.2007  no virus found
CAT-QuickHeal   9.00             03.10.2007  no virus found
ClamAV          devel-20060426   03.12.2007  no virus found
DrWeb           4.33             03.11.2007  no virus found
eSafe           7.0.14.0         03.11.2007  no virus found
eTrust-Vet      30.6.3471        03.12.2007  no virus found
Ewido           4.0              03.11.2007  no virus found
FileAdvisor     1                03.12.2007  no virus found
Fortinet        2.85.0.0         03.12.2007  no virus found
F-Prot          4.3.1.45         03.09.2007  no virus found
F-Secure        6.70.13030.0     03.11.2007  no virus found
Ikarus          T3.1.1.3         03.12.2007  no virus found
Kaspersky       4.0.2.24         03.12.2007  no virus found
McAfee          4981             03.09.2007  no virus found
Microsoft       1.2306           03.12.2007  no virus found
NOD32v2         108              03.12.2007  no virus found
Norman          5.80.02          03.10.2007  no virus found
Panda           9.0.0.4          03.12.2007  Suspicious file
Prevx1          V2               03.12.2007  no virus found
Sophos          4.15.0           03.10.2007  no virus found
Sunbelt         2.2.907.0        03.10.2007  no virus found
Symantec        10               03.12.2007  no virus found
TheHacker       6.1.6.074        03.12.2007  no virus found
UNA             1.83             03.11.2007  no virus found
VBA32           3.11.2           03.12.2007  no virus found
VirusBuster     4.3.19:9         03.11.2007  no virus found

Additional information:
File size: 144534 bytes
MD5: a90a707de5e36d8e92231e93cd6c56ff
SHA1: 37c3a86f836f590f80d1fcbf5cc4d7446a08b973

There, overall quite possibly safe.

fireryone
DennisD (Moderator) Posted March 12, 2007

> There, overall quite possibly safe.

fireryone, I am more than happy to have been wrong, but the name "Activate.exe" rang an immediate bell. Unfortunately, not everything with that name is benign.
fireryone (Author) Posted March 13, 2007

That's all right, it's better to be safe than sorry. I ran the file without checking that; I've gotten to trust NOD32's active system monitor, maybe a little too much. By the way, that was a scan of activate.exe, not the setup file. I have since done a scan of the setup files with NOD32 and nothing turned up. It may turn into quite an interesting site, seeing they haven't bundled anything (noticeable) into the packages.

fireryone
BrownSugar Posted March 13, 2007

As soon as I saw the giveawayoftheday.com heading, I immediately thought of asking someone to check that activate.exe file with Zsoft. Supposedly, what that exe file does is ensure that you can only load the program one time. What I don't understand is why they have to issue an exe file and not a registration code. The only questionable strings I see are those that have to do with Outlook and Windows Messaging. Personally I wouldn't download any file that needs an activation key unless it came from a familiar site. It's interesting that Siteadvisor still doesn't have any information on giveawayoftheday.com.
fireryone (Author) Posted March 13, 2007

I'd say the reason for using an exe instead of a registration code is that it really is "only free to install today", not on another machine on a different day.

fireryone