Cyber Security
Booby Trapped software!

Originally published February 19, 2003 by Paul; it had an all-time high of almost 7500 reads. The staff at Computer Cops thought you might enjoy a re-broadcast of this article.

While an interesting idea in concept, the reality is, this sort of security can be just as dangerous as a virus!

In a nation where convicts sleep in dry rooms, have meals and are educated for free, while good people are living on the streets, you know that the system has failed.

If businesses/manufacturers used corporate spies, placed bombs in cars, and threatened to throw you out of home for having forgotten to wind your clock, the nation of lawyers would be in chaos.

Yet, apply this sort of thinking to software, and it seems hypocrisy rules.

I have seen instances where corrupt registries, upgrades and even clock changes have triggered these timebombs. Often bad programming will do it or even a typo while entering a valid serial.
So, here's to blowing the whistle on some of these!

The List:

- 1ClickFormFiller

After being reg'd and working 4 or 5 times it pops a message saying you are using an invalid serial number
and shuts down your system. Phones home.

==================================================================== -


- 1toX

v2.57, Uses a blacklist for pirate serials.

==================================================================== -

- 12Ghosts

When online it will phone home and unreg itself, registration nags come back, etc.

==================================================================== -

- a4proxy (Anonymity 4 Proxy)

Shortly after running this for a while a user noticed repeated incoming connections trying to
log on to his ftp server. These attempts all used the same pass 'a4proxy' and a userid 'a4pid##'.
The number (##) changed on each attempt, eg. a4pid17, a4pid18, a4pid19.

It may appear registered but will only pop a nag screen if you check more than one proxy at a time.
Randomly sends you to a 'buy' page instead of the requested one.
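
An added detection example (not part of the original article) for the login pattern reported above: it scans FTP server log lines for 'a4pid##' user IDs and groups them by client address. The log layout, the sample lines and the function name are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines. The "timestamp [client-ip] command" layout is an
# assumption for this example; adapt LINE_RE to your FTP server's log format.
SAMPLE_LOG = """\
2003-02-10 21:04:11 [192.0.2.44] USER a4pid17
2003-02-10 21:04:12 [192.0.2.44] PASS ****
2003-02-10 21:04:12 [192.0.2.44] 530 Login incorrect
2003-02-10 21:09:40 [198.51.100.7] USER anonymous
2003-02-10 21:09:41 [198.51.100.7] 230 Login successful
2003-02-10 21:19:02 [192.0.2.44] USER a4pid18
2003-02-10 21:19:03 [192.0.2.44] 530 Login incorrect
2003-02-10 21:34:27 [192.0.2.44] USER A4PID19
2003-02-10 21:34:28 [192.0.2.44] 530 Login incorrect
2003-02-10 22:01:15 [203.0.113.9] USER a4pidgeon
2003-02-10 22:01:16 [203.0.113.9] 530 Login incorrect
"""

# Only USER lines are parsed: servers normally mask or omit the password,
# so the user ID is the reliable field to match on.
LINE_RE = re.compile(r"^(\S+ \S+) \[([^\]]+)\] USER (\S+)\s*$")
# The user ID pattern described in the article: 'a4pid' followed by a number.
PROBE_RE = re.compile(r"a4pid(\d+)", re.IGNORECASE)


def find_a4pid_logins(lines, min_attempts=2):
    """Return {client: summary} for clients that tried a4pid## user IDs."""
    attempts = defaultdict(list)
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue
        timestamp, client, user = match.groups()
        probe = PROBE_RE.fullmatch(user)  # whole user ID must match
        if probe:
            attempts[client].append((timestamp, int(probe.group(1))))

    findings = {}
    for client, seen in attempts.items():
        if len(seen) < min_attempts:
            continue
        ids = [number for _ts, number in seen]
        findings[client] = {
            "attempts": len(seen),
            "ids": ids,
            "first_seen": seen[0][0],
            "last_seen": seen[-1][0],
            # The article notes the number changed on each attempt (17, 18, 19).
            "incrementing": all(b > a for a, b in zip(ids, ids[1:])),
        }
    return findings


if __name__ == "__main__":
    for client, info in find_a4pid_logins(SAMPLE_LOG.splitlines()).items():
        print(client, info)
```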

==================================================================== -

- Abbyy Finereader

The counter for the trial is stored in win.ini.
[ABBYY]
Splash2=-289722068
Changing that entry back to that number should give you 30/30 again.
After timing out of usable counts, this program makes various threats to your system.
As far as I can tell, none are carried out, so it is really only a frightening nag.

==================================================================== -

- Accelerate 2000

Deletes itself when the trial period is up.

==================================================================== -

- AccuChef

Uses a blacklist for pirate serials, might pop scary messages on using a bad serial.

==================================================================== -

- AcdSystems
- (ACDSee, Pica View)

As of ACDSee v3.0 & PicaView v1.32 the registration system has changed.
They now have separate demo and retail versions.
You can no longer enter a serial into the trial versions,
they need to be patched.
You can however enter a serial in the new retail versions of the progs.

After all the hype, ACDSee DOES NOT phone home anymore.
Prior versions will still try!

It includes a new updates checking feature which obviously does require net
access. Also the recent virus warning about ijl10.dll is false, due to a problem
with The Cleaner. Grab the latest version to fix it. Launching an image file
from agent results in a new acdsee window each time, it is a bug in acdsee.

Using an old serial# on v3.1 may result in the prog crashing, requiring a reboot,
and then the root directory being wiped!!!

==================================================================== -

- Ace Clock

v2.51, when using the 'synchronize from the internet' feature this may try to open your browser
with a gotcha type page, and un-register itself.
Also using a bad serial results in a nasty message.

==================================================================== -

- acqURL

v5.0, Apart from the warning message it now attempts to phone home.
v4.2, using a keygened serial# might 'seem' to work but upon clicking a url will pop an
'illegal registration number' type warning.

==================================================================== -

- Acronis utilities

Will not install unless it can connect to the company registration server.

==================================================================== -

- Adaptec Easy CD Creator

Some versions will outright fail after upgrading to v4.03.

A user reported that after upgrading to v4.02d it permanently set the write speed to 1X.
This can be overcome by backing up the registry and restoring it after the update.
Where EXACTLY the info is stored is not known yet.

==================================================================== -

- AddWeb

Uses server authentication to confirm the user's registration.
The second time you use it, you will get a lovely message about using illegal
software and that your IP address was recorded.

Try blocking connections to their server with a firewall but allow all other connections
for the actual page submissions to the search engines.

v4.0.2.4, Entering a bad serial will immediately pop your browser to the authors website.

==================================================================== -

- AdFilter

Is supposed to delete invalid serials from the registry, but due to poor programming,
it will trash the registry and hence your entire computer!

==================================================================== -

- Adobe Pagemill

Upgrading will nag about having exceeded the trial period.
To be able to re-install it delete 'sysexec.sys' in your Windows\System folder.

==================================================================== -

- Advanced Administrative Tools

Uses server authentication to confirm the user's registration.

==================================================================== -

- Advanced Zip Password Recovery (AZPR)

Will only accept a valid key, uses a blacklist for pirate keys,
if one is detected wastes CPU cycles without giving a solution.

==================================================================== -

- Advanced Disk Catalog (ADC)

Will only accept a valid key, uses a blacklist for pirate keys,
if one is detected slowly corrupts its databases.
Earlier versions had anti-SoftICE code in them,
though the author later removed this.

The author of AZPR & ADC uses very strong encryption to protect his code,
it won't ever be properly cracked. A lot of releases of these are not 100%
however one group has released v1.30 with a working valid serial#.

==================================================================== -

- AI Picture Utility

Blacklist for pirate serials,
various hidden checks in each version release.

==================================================================== -

- AntiViral Toolkit Pro (AVP)

Bogus CRACKER.* trojan messages about many files, reported to falsely detect
cracks and keygens as viruses and corrupt them; this may only happen if you try
to 'clean' the infected files.

False/Joke reportings of freeware/shareware progs being viruses.
eg. Ghost Mail v5.1 is reported as Virus: Spammer.GhostMail.51

==================================================================== -

- Antivirus Expert 2000 Pro (AVX)

After downloading and installing the database upgrade, which AVX said to do,
his whole system was screwed up requiring a clean format to fix.

==================================================================== -

- Archiver Shell

v6.3, Causes system problems if a
blacklisted name/serial is used.

==================================================================== -

- aShampoo 2000

Just installed this, no crack or ad blocking involved, was about to setup
the ad blocking and realized ALL his AtGuard firewall rules had vanished.

==================================================================== -

- Atrex

After using an old keygen the prog will eventually start deleting the report files.
Soon after it will delete the database files too.

Under win2k you can change the permissions on the folder and files to stop the deletion.

==================================================================== -

- Audio Grabber

Phones home with author's server, invalidates itself when you go online.
Might screw up your mouse buttons too.
This checking may only be connected to the CDDB feature.
Search your C Drive for a file 'SLICKS.CNT' and delete it.
Repeat if it invalidates itself again.
Try another prog from http://www.cddb.com to perform cddb queries.
Also try blocking the connection with a good firewall, Conseal or @guard.

As of (?) v1.62 'SLICKS.CNT' is now named 'FLOSS.CNT'.
As of v1.7x other names used have been 'ssplz.cnt' & 'MSDEFF32.CNT'

The phone home has been confirmed when using CDDB but it doesn't seem to happen every time.
It looks like the *.cnt file is now randomly named.
It's normally stored in the 'windows' or 'winnt' directory depending on your OS.
Apparently legal users are getting bugged by this too.
Delete the *.cnt file or whatever it's called to enter the serial again.

More users have reported the turd file as 'SPOOF32.HID' & 'PROXIES.VID', so it looks like it
could be called anything now.

To help find the turd file being used search for a prog called 'Filemon'.

When you get busted using CDDB, close AG, go straight to Explorer, c:\windows, sort by date, and check the files timed & dated just moments ago.

Once you have found the turd file, try this...

Open the turd in notepad.
Delete the text.
Save it.
Set the properties of the file to READ-ONLY.
Go back into AG and register with the same serial as before.
It 'should' now stay reg'd no matter what.

==================================================================== -

- Audioactive Production Studio

If you lose access to your cdrom after uninstalling this it's because of a buggy driver or bug in the
uninstall routine. The file cdfs.vxd needs to be restored into the windows/system/iosubsys/ directory.

==================================================================== -

- Aureate
(changed its name to Radiate)

http://grc.com/aureate.htm

Check out the Company sites for info on what progs use the system, etc...
http://www.aureate.com, http://www.radiate.com

Online Check for Aureate Components -
http://www.pcpitstop.com/pcpitstop/AureateCheck.asp

Steve Gibson of Grc.com has released his OptOut program.
This will cover not only Aureate but other intrusive nasties.
http://grc.com/optout.htm

Aureate/Radiate Remover
http://www.radiate.com/privacy/remover.html

Aureate Scanner
http://members.vavo.com/users/omega3/download/ASD.ZIP

There are now 2 other utils out that will scan your drives for the suspect files.
The one by Cokebottle (AntiSpy) removes some VALID system files -
advpack.dll (Advpack), amstream.dll (DirectShow), amcompat.tlb(Active Movie/MediaPlayer).
I highly suggest you backup the suspect files first as some ppl have had probs after their removal.

==================================================================== -

- AVX

Generally screws up c: and corrupts dlls when using a bad serial.

==================================================================== -

- Bali Tools 2000

Phones home.

==================================================================== -

- BCWipe, Best Crypt & others by Jetico

Jetico works very quickly to defeat cracks, be careful using a mismatched app & crack.
Will lock out the keyboard if exe is found to be cracked.

==================================================================== -

- Befaster

Contains webHancer spyware.

After rebooting this deleted system.ini.
It happened with 2 separate downloads of the prog, on 2 separate PC's.
The problems have been confirmed by a few more ppl.

==================================================================== -

- Black Widow

Was a while ago now, a few got hit by 'something', denied by authors,
the particular version was pulled very quickly, has been reported
to communicate with the author's server, also claimed to look for
commonly pirated programs.

==================================================================== -

- BlackIce Defender

If you are installing a new version over an older one and having trouble,
go into the NetworkICE folder and open the file license.txt.
Replace the serial in license.txt with a later one.
It has been suggested to completely remove the older version before
installing a new one. Check the registry for instances of 'Network ICE',
'LoadBlackD', 'Blackice' & 'Blackd' and remove them.

Using the update check seems to cause program to GPF,
making it unusable after this.
The authors are blacklisting a lot of serials, so if you try to download and
update from their webpage and it won't let you, that's why.
Recently a 'snitch' url was discovered, this is part of an upcoming feature of
the prog and seems not to be to 'phone home'.
v1.9.6 seems to have cleared up all the problems and confusion.

==================================================================== -

- BPM Studio

v3.3+, there is a 'noise' problem that seems to be date triggered.

==================================================================== -

- BrainWave Generator

v3.1, phones home.

==================================================================== -

- BSI Wavestation

Later versions after v2.71X, would do severe system damage if it detected use of
that keymaker:

1) Overwrites win.ini, system.ini, user.dat, and system.dat.
2) Overwrites user.da0 and system.da0 (registry backup files).

This will render your system unbootable, and within seconds of doing this you
will get a registry error message, prompting you to reboot.
At that point it is too late.
Incredibly, all those system files are backed up by the program (with different
names, in the program directory) after it does this, so if you keep cool you
can still restore your system.

The ONLY version to consider safe is v2.71X, It has been disassembled and
verified that no trojan horse code exists in it.

==================================================================== -

- Bulletproof FTP

Uses server authentication to confirm the user's registration, opens your browser
to a 'gotcha' page if invalid, repeatedly new serials are released for new
versions, frankly don't bother, most if not all shared serials are cancelled by
the author when they are eventually discovered.
The last version that seems very stable is v1.15.

Try using a single word TWICE for the name when using a keygen.

==================================================================== -

- BullEyes Pro

SPYWARE.

==================================================================== -

- Cakewalk

v8.0, you MUST specify a 'temp' directory during installation, otherwise it will use the root.
When the install completes it cleans up thus removing ALL files from the root directory.

==================================================================== -

- Catraxx 2000

After you enter more than 100 albums, a big red screen comes up warning you about the dangers
of using cracks and from downloading from untrusted sources. It then starts creating error messages,
and then it wipes your ENTIRE album list database that you've created.

==================================================================== -

- CD Wizard

If you put the serial in wrong (even a valid one) it might pop a warning saying 'We have detected a
virus attached to your copy of CD Wizzard' or similar.

==================================================================== -

- cdlabel

v5.0, using an old/blacklisted serial results in popup warnings.

==================================================================== -

- CdrWin

At one point filled the hd with junk, another time deleted system files,
ongoing double checking of the serial and if it fails burns coasters.
There have been reports of it inserting garbage into the write stream as well.
This means that only some files may have errors.
This would make it somewhat difficult to detect for the average user.
Doing a plain directory or filesize compare may not reveal any corrupt files.
Use a crc validator or a binary file compare util on all images burned with this.
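
An added example (not part of the original article) of the check recommended above: it compares a source folder against the burned copy by CRC32 and SHA-256, and its constructed sample data shows a corruption that leaves the file size unchanged. The function names and the sample file names are assumptions made for this example.

```python
import hashlib
import os
import tempfile
import zlib


def file_digests(path, chunk_size=1 << 20):
    """Return (size, crc32, sha256) for one file, read in chunks."""
    crc, size, sha = 0, 0, hashlib.sha256()
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            size += len(chunk)
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return size, crc & 0xFFFFFFFF, sha.hexdigest()


def index_tree(root):
    """Map each file's path (relative to root) to its digests."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            index[rel] = file_digests(full)
    return index


def compare_trees(source_root, copy_root):
    """Compare the source tree with the burned copy, file by file."""
    src, dst = index_tree(source_root), index_tree(copy_root)
    report = {"missing": [], "extra": sorted(set(dst) - set(src)),
              "size_mismatch": [], "content_mismatch": []}
    for rel in sorted(src):
        if rel not in dst:
            report["missing"].append(rel)
        elif src[rel][0] != dst[rel][0]:
            # A directory or file-size compare would catch this case.
            report["size_mismatch"].append(rel)
        elif src[rel][1:] != dst[rel][1:]:
            # Same size, different bytes: only a CRC/hash compare finds it.
            report["content_mismatch"].append(rel)
    return report


def demo():
    """Build constructed sample trees and return the comparison report."""
    payload = bytes(range(256)) * 64           # 16 KiB of sample data
    damaged = bytearray(payload)
    damaged[5000:5004] = b"\x00\x00\x00\x00"   # garbage of identical length
    samples = {
        "docs/report.dat": (payload, bytes(damaged)),
        "setup.bin": (b"installer" * 100, b"installer" * 100),
    }
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source")
        burned = os.path.join(tmp, "burned")   # stands in for the mounted disc
        for root in (source, burned):
            os.makedirs(os.path.join(root, "docs"))
        for rel, (good, copy) in samples.items():
            for root, data in ((source, good), (burned, copy)):
                with open(os.path.join(root, rel), "wb") as fh:
                    fh.write(data)
        return compare_trees(source, burned)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```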

==================================================================== -

- CFAtest

v1.41 (+?), this will take over the verify functions of QuickSFV.
You will need to uninstall, then reinstall CFAtest & QuickSFV in that order.

==================================================================== -

- ClipMate

Opens your browser to a 'gotcha' page using blacklisted name/serial
v4.11 using a blacklisted name/serial might also make it crash
Solution: Just delete the Registration Info from your Registry.
(HKEY_CURRENT_USER\Software\Thornsoft\Clipmate5\Registration)
after v5.1.04 a registry entry appears, S9 or P9, which contains the date 5 days from
installation. On this date the prog fails and pops a 'you're busted' message.

v5.1.08+, detects the presence of a time-limit extending program such as Cracklock in the Startup Group
then it refuses to open (and consequently can't be registered!), informing the user that the ClipMt52.exe file
has probably been damaged by a virus. The solution is simply to remove Cracklock from the Startup Group.

==================================================================== -

- CloneCD

A v2.8.4.2 user reports bootup problems after a few days of use.
Removing the prog cleared up the problem.

As of v2.7.8.1 (maybe earlier) the registry keys mentioned below have new names.
'Messiah' (for Current_User) and 'Dogma' (for Local_Machine).

New serials get blacklisted very quickly, make sure you use the correct
serial with the version you have. It might appear to accept old serials but
will burn dud cds. Have also seen reports of it threatening to format the hd.
Go to HKEY_LOCAL_MACHINE\Software\The Silicon Realms Toolworks
and delete the 'Armadillo' key for 10 more writes.

AVP might report the installer is infected. This is a false positive but
treat all warnings with care.
Try unzipping the installer and scanning the files, should be clean.

If you are having trouble installing new versions...
Go to -

HKEY_CURRENT_USER\Software\Elaborate Bytes\CloneCD\Stolen
AND
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\magnacarta
AND
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\magnacarta
and clean those entries.
It also puts some stuff in win.ini under the section [CloneCD], delete that section too.

==================================================================== -

- CodeWright

Whenever you want to re-install Codewright,
you must first delete the following key from your registry:
HKEY_CLASSES_ROOT\CLSID\{CDE06051-E12F-11D2-8468-00A0C96C6A07}

==================================================================== -

- CommView, Essential NetTools, SmartWhois
by TamoSoft

The author updates to defeat cracks but keeps the same version number; no ill effects reported yet.
Also see SmartWhois entry below.

==================================================================== -

- Cool Edit 2000

Detects if you've had a previous cracked/pirated v1.2 on your system.
It might delete itself on this detection.
Also seen mentioned that the CoolEdit MP3 Plugin does the same thing.

BEFORE rebooting after install search for 'uncool.bat' in your windows directory.

==================================================================== -

- Coolfocus Applets

Have been reported to phone home, show an 'Unregistered' message before the menu appears
and overwrite the .class files.

==================================================================== -

- Compupic

The thumbnailed images were replaced by 0kb files each time it was used.
This could be a bug, maybe not.

==================================================================== -

- Content Advisor (MSIE Internet Properties)

Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings
Delete the key/s under 'Ratings'. Delete 'Ratings.pol' from your system folder.

==================================================================== -

- Copernic

The ads or lack of might be related to specific serials.

Using AdSubtract as a proxy will also stop the ads.

v4.0/4.1+ - Using the built-in update feature results in the ad banner window
returning. Try getting a newer version and do a clean install of it.
Make sure you use a newer serial too.

Have seen mention of the ads coming back on a new search.

To remove the grayed out box and remove advertisements go to the Registry Editor.
(HKEY_CURRENT_USERSoftwareCopernic TechologiesCopernic4PlusPreferences)
and remove the 'ShowAd' key.
OR try, inside the 'ShowAd' key, replacing 0Xffffffff with 0X00000000

Also try a different serial if you can find one.
And try increasing the 2nd last number by 1.

==================================================================== -

- Cover Pro

Under 'VB and VBA Program Settings' in the registry, remove the cover pro entries
and you have a new trial period.

==================================================================== -

- CPUidle

AtGuard reports that this tries to establish
an outgoing TCP/IP connection.

==================================================================== -

- CSE HTML Validator

Phones home only when using the built-in update check.
If you have used an invalid serial and try to update,
it will then always try to phone home even with a valid serial.
Solution: Just delete the Registration Info from your Registry.
(HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionCSE3310)

==================================================================== -

- Cubase vst32

Recognizes all previous projects made with cracked Steinberg products and deletes or
corrupts them.

==================================================================== -

- Cumberland Family Tree

Type the serial, don't copy/paste or it will not validate.

==================================================================== -

- CuteFtp

v3.xx, using cracks may make the program and your system become very unstable.
As of v3.54 there are a few good cracks that contain a valid registry file.
Apparently the program has multiple layers of key-checking and numerous
self-integrity checks.
See what the authors have to say. http://www.globalscape.com/support/cracks.html,
http://www.globalscape.com/support/cracks2.html

While the program may be reasonably protected by the registration system,
CuteFTP's data files are protected by an extremely weak 'encryption'.
The term 'encryption' is used very loosely in this regard as usernames and
passwords in the 'tree.dat' (v2.x) and 'smdata.dat' (v3.x) are easily recovered.
There is one other username and password combination that is stored as plaintext
in the registry and CuteFTP's ini file.

To see the registered name go to HKEY_CLASSES_ROOT\RI.
Double-click on the keys to see it in hex & ascii.

==================================================================== -

- Cybercorder 2000

Uses blacklist for pirate serials.

==================================================================== -

- Dansie Shopping Cart

Secretly emails the author who has access to a hidden back door.
(from a Fravia essay at searchlores that uses this document as its basis, without proper kudos given)

==================================================================== -

- DartPro 98

A backdoor file named 'EXTRAP.EXE' is installed which tries to access the net.

==================================================================== -

- DiskState

v2.02 it fills the registry with CLSID's.
This appears to be part of its normal operation.

==================================================================== -

- Download Accelerator

Could be a bug (?) that causes it to crash continually after trying to reg it.
To remove the ads find the 'Ads' folder and delete the image files,
if they come back, delete them again.
Search the registry for 'accelerator', find and delete the 'Ads' key.

Also try...
Delete all the ads from the Ads subfolder in the DAP folder but leave the
Ads folder empty, don't delete it.
Open RegEdit and goto HKLMSOFTWARESPEEDBITDOWNLOADACCELERATORADS.
Find the key 'defaultserver'.
Right-click, choose modify and enter 'http://blank.htm'.

Also try renaming c:\windows\system\anigif.ocx to e.g. anigif.oc_.

==================================================================== -

- Download Demon

Hijacks certain browser tasks without permission.
Sends details (e.g. file names and URLs) to RealNetworks/Netzip.
This 'feature' is mentioned in the privacy policy.

==================================================================== -

- DrumStation (DT-010)

Uses a blacklist for pirate serials.

==================================================================== -

- Earthtuner

Using the 'update' feature will cause the prog to expire and result in the
trial popup returning.

==================================================================== -

- EF Commander

v2.38.3, after using Fallen's keygen the prog worked perfectly.
BUT, soon realized that after using the built-in viewer, the viewed file was being deleted.

==================================================================== -

- Eudora

v4.3x, performs an update check on each run.
What Eudora is sending...
http://x55.deja.com/=dnc/getdoc.xp?AN=615588664&CONTEXT=962925880.1478819860&hitnum=32

To get rid of the update page and/or the blank screen that will
come up in front of the In box:
Go to the Eudora directory, look for the file eudora.ini and open it.
Look for lines that start with NGBase and NGLast. Delete all these lines, add 'DontShowUpdates=1'
& 'DontShowAudit=1' on separate lines, save your changes, then start Eudora.
You won't get the upgrade or blank white screen anymore.

Have also seen mention of making 'Eudora.ini' read only.
Remember to turn that off tho if you change any settings otherwise it won't be saved.

You can try to stop it phoning home by adding '127.0.0.1 jump.eudora.com' and
'127.0.0.1 jump1.eudora.com' to your hosts file.

Eudora Support Document - Ads: Not Seeing Ads...
http://www.eudora.com/techsupport/kb/1922hq.html

To enter the serial goto Help > Payment & Registration > Paid Mode, and hit cancel.
Then enter the name & serial and you should be able to select Paid mode.

Another ad fix...

Add these lines to the [Settings] section of your Eudora.ini file.

RegistrationFlag=-1
Code=IC
NC=1

==================================================================== -

- Evidence Eliminator

Firstly a word of CAUTION.
I have seen talk about a filemask being set to *.* for the IE cookies folder.
This appears to be part of the prog and being able to set what files to search for to clean.
This can have disastrous results. Check all settings when installing a new version
as its default setting can wipe out the entire drive!!!

v5.0, will accept a bad serial#, upon restart will immediately expire and soon pop
'illegal reverse engineered' warnings and it stops working properly.
HKEY_CURRENT_USERSoftwareVB and VBA Program Settings tsflc
and clean it out.
HKEY_CURRENT_USER\Software\Evidence Eliminator
Create a key named 'Registered' and enter for the value 'Registered'.
If you don't see a key called 'App.Path' in there add it and enter the path to the prog.

To display the unlock window...
Start it up and after choosing trial, click once and hold with the LEFT mouse button on the
blue top and press the Ctrl key AND the i key at the same time!
This will display the Unlock window! Enter your name reg number and enjoy.

You might need to move your clock forward 30 days AND reboot to make the trial expire.
This should allow you to enter the unlock code.

(I highly recommend using Acronis instead, as it is faster and less buggy.)

==================================================================== -

- Exploit Submission Wizard

Deleted the FAT partitions on HD, nasty.
This happened after using a patch.

==================================================================== -

- Extractor Marketing Software
- (Extractor Pro & Web Weasel)

Phones home every time the prog is started.

==================================================================== -

- EZPix

v4.4, after using a keygen and a week of use this might pop a message saying...
'the serial number you have used is not in our database. You must register.....'
Possibly phones home but continues to stay reg'd with no ill effects.

==================================================================== -

- Faststats Log Analyzer

Complains and stops working when using an older serial.
Try reinstalling and enter a valid serial.

==================================================================== -

- Feurio

v1.30 and later, be careful using a shared or keygened serial.
Although it seems registered, it inserts a spoiler into a random track.
It goes : beeeeeep... illegal copy ... beeeeeep.

==================================================================== -

- Firehand Ember

Not sure of versions, v5.93+ I think; pops a warning using a 'pirated' serial,
damages system.
After v3.8.6(?) there are separate demo and retail versions.

==================================================================== -

- FlashFXP

Uses a blacklist for pirate serials, if you use a blacklisted serial
the app contacts the author's website and pops threatening messages,
it's not recommended using the update feature, tHE eGOISTE/Tmg has a
good crack for it and eGO has a program that reads the blacklist.

==================================================================== -

- FlashGet (ex JetCar)

Uses Radiate spyware.

==================================================================== -

- Fluid Promotion

v1.02, using a bad serial will seem to register it, but it'll stop working,
will also pop 'gotcha' messages and report you to the author's site.

==================================================================== -

- Folder Guard

Uses blacklist for pirate names. Often blacklists valid serials.

==================================================================== -

- FreeMem Pro

v4.3, If an invalid serial is used, corrupts data in memory causing any number of problems.

==================================================================== -

- Fruity Loops

v2.01, to enter serial - ctrl+shift+F2, reported as having 4 stages to the
protection scheme, Basic, Full, TS404, a 'God' mode being the final,
this 'God' mode has been reported as bogus.
It appears that the download from the FruityLoops site is a CRIPPLED demo.

==================================================================== -

- Fruity Tracks

v1.50, to enter serial - ctrl+alt+F9.
Also try ctrl+alt+F5.
The crippled problem with FruityLoops may also apply to this one.

==================================================================== -

- FTP Voyager

A very strange report on this one...

v7.2.0.0, One user reports that ALL his icons have the FTP Voyager icon superimposed on them.
Changing the original icon makes no difference, the FTPV icon comes back.

Serial is date dependent. Stops downloading files a few bytes
before completion when using blacklisted name/serial.
A problem with your system clock changing will cause this program to corrupt downloads.

==================================================================== -

- FTPPro98/2000

Received a report that this phones home reporting your usage times.
There was also mention that some cracks for this alter your system ID,
and the prog or home server thinks you are using it on more than one system.

==================================================================== -

- GameSpy

Uses server authentication to confirm the user's registration,
forget about using keygens or serial#s alone.

==================================================================== -

- Genius

v2.6, on detecting a blacklisted serial, pops up a little 'you're using pirated
software, etc.' window and disables various functions.

==================================================================== -

- Getright

Uses a blacklist for pirate serials. Might try to bring up a 'gotcha' page.
If it starts playing up...

Entering a valid serial will not work unless you clean out the registry.

Goto HKEY_CLASSES_ROOT\CLSID\{F853B2C7-386A-11D3-A860-006097897A00}
and delete 'ID'
Goto HKEY_CURRENT_USER\Software\HeadLight\GetRight\Config
and delete 'Window00' and 'RegistrationCode'
or delete the number itself. Then try using another serial#.

==================================================================== -

- Gohip.com

This is some kind of multimedia website that pays you to advertise for them.
To clean this rubbish out...
http://www.gohip.com/remove_browser_enhancement.html
http://korova.com/virus/gohip_remove_browser_enhancement-022000.htm
Also remove winstart.exe from the windows folder, which is called by an entry in the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run key.
Check with MSCONFIG, it will show up the Gohip autorun as c:\windows\winsta~1.exe.
If you use OE check your signature as well.

==================================================================== -

- Gordon Production's software
- (ASCII-Help, Einstein,
- Home Project, KarCheck,
- PasteMaster)

Einstein, maybe others, phones home and reports the use of a crack,
expect an email from the author. Saw a report on Zor's news that the
author emailed a keygen user knowing it was used.

==================================================================== -

- Gotmail? Screensaver by Gotime solutions

Phones home, you will get an email from the author mentioning registered user
and the username you chose from the keygen. After a while you will get another email
about pirated software and threats of the prog deleting files from the windows directory.

==================================================================== -

- Hellfire and Firestorm Screensaver

At some time may pop a warning 'Executable file is damaged (or cracked)!'.


==================================================================== -

- HistoryKill 99

Pops a warning about sending mail to the author when using a bad serial#,
have seen one report of it doing system damage.


==================================================================== -

- HoneyQ

v1.50, not all serials seem to enable the use of video, even if valid.

==================================================================== -

- HotDog

Uses server authentication to confirm the user's registration.

==================================================================== -

- Htmasc32

v3.03.22 uses a blacklist for pirate serials, will randomly popup a bogus
program error on detecting a blacklisted serial.

==================================================================== -

- HTML (Un)Compress

Uses blacklist for pirate serials.

==================================================================== -

- HyperMaker 2000

There is a feature called 'customer key code generator' that allows you to generate keys
for clients who have bought your ebooks made with the prog.

It seems that this feature does more checking on the registration serial#.
If it doesn't pass the test then the 'customer key code generator' generates the same key
every time.

Apparently one cracked version did work properly BUT your customers will start seeing
messages popping up talking about illegal copies of the software.

No offence to anyone, don't do business with cracked software, period, at least until you have
thoroughly tested every single feature AND over a period of time of weeks or months.

==================================================================== -

- Hypersnap DX

Phones home.

==================================================================== -

- ICQ

To remove the opening splash screen -

Create a shortcut and add -minimize (minus the quotes) to the end of the target.
This will automatically minimize to the system tray when you first start ICQ and you
won't get the Loading ICQ with the flower splash screen.

Many versions are loaded with spyware, backdoors, and loggers.

==================================================================== -

- IncrediMail 1850xxx versions and higher.

Spyware, backdoors, keyloggers, blacklists, timebombs, registry bombs and crc checkers.
It took over a month for a group of crackers to remove all the crap from this popular
e-mail program.
Visit EbolaVirusCrew for a non bombed version.

==================================================================== -

- ICUii

After the trial period ends, you can't register it.
Delete ncvutl10.dll to renew the trial period.
The download package is a wrapper. You must enter a serial# to unlock it.
The actual installer is extracted to /windows/temp/, can be saved for later use.
No serial is required to install or use the prog with the actual installer.

==================================================================== -

- InfoSelect

Tries to phone home each time it's started.

==================================================================== -

- Intermute

Uses server authentication to confirm the user's registration.
This may have been removed since v1.40.
v1.50 has been reported as clean.

==================================================================== -

- Internet Watcher 2000

v1.08, after about a week's use on a keygened serial this popped a message about a pirated ID
and threatened that if the prog wasn't bought within 48hrs the police would be called.

==================================================================== -

- Juno

To get rid of the adbar and create a normal DUN entry...
Open juno.ini in the c:\windows directory.
Under your user name you will see a Juno-generated sixteen digit password.
Make a new dial-up networking connection with your user name and this password.
Now you can use whatever browser you want.

==================================================================== -

- KeyText

Most older serial/keygens (v1.1x) were not 100%, prog ended up still limited,
more recent serial#s might be fine.

==================================================================== -

- Kyodai Mahjongg

Be careful using old keygens & serials, has been reported to do nasty things.
Possibly uses a blacklist for pirate serials.
Known to pop nasty messages and delete itself when using only certain serials.

==================================================================== -

- Leech by Aeria

Registers with a keygen ok, using it online it seems to phone home and expire the trial.

==================================================================== -

- Lightspeed Products
- (Rocket, WebConvert Pro)

Rocket, maybe others, phones home and reports the use of a crack,
expect an email from the author.

==================================================================== -

- LinkBot

v5.0, Phones home.


==================================================================== -

- Liquid FX

Takes your browser to a 'gotcha' page on detecting a blacklisted name/serial.

==================================================================== -

- Lockdown2000

Have seen very conflicting reports about the effectiveness of this,
also seen mention that although it claims to be, it is NOT a firewall.
Repeatedly updated by authors to overcome new cracks,
seemingly very little time spent updating functionality.
Be careful trusting your system security on this, do some testing and you
decide. Some interesting test results to consider -
http://www.primenet.com/~lippard/pchelp/LDtest.htm
http://www.nwi.net/~pchelp/lockdown/Davis/index.html
http://www.nwinternet.com/~pchelp/lockdown/debunk/index.html
http://www.nwinternet.com/~pchelp/bo/htinvest.htm
http://www.antionline.com/cgi-bin/features/ProductReview?date=10-08-1999

The history of the authors is a very interesting read.
Don't even bother testing this let alone buying it.

==================================================================== -

- LP Recorder

If you can't get a working serial from a keygen try this.
For the location enter a location such as a state then a comma. eg. Location,

==================================================================== -

- LviewPro

v2.8, you can't enter a serial in the demo from the website,
a patch is required.

==================================================================== -

- MacOpener

Fails to register after trial ends.
v5.0 maybe others, to get another trial period search for and delete the Dataviz/Macopener keys
from the registry. Then reinstall the demo.

==================================================================== -

- Magic Folders

Deletes the illegal registration file and warns that if you use it again,
it will uninstall and you won't ever be able to install it again.
It also states something about being able to delete the whole hard drive instead
of just one file. Last cracked version was a looooong time ago.

==================================================================== -

- Midpoint

v4.0, search the registry for 'midcore' & 'midpoint' and remove all entries.
Reboot and you should have another 20 days trial.

In v4.0...
HKEY_LOCAL_MACHINE/Software/Midcore/midpoint/Trial Warning=1
Change to




Posted on Friday, 02 January 2004 @ 08:00:00 EST by phoenix22

Re: Booby Trapped software! (Score: 1)
by Paul  on Saturday, 03 January 2004 @ 13:01:03 EST
Hmm, maybe we should hyperlink the URLs?



Re: Booby Trapped software! (Score: 0)
by Anonymous  on Thursday, 22 January 2004 @ 22:38:16 EST
Thanks for the list! I do not use any of these except for FlashGet, but I believe using WebRoots Spy Sweeper takes care of any spying, and as well my firewall lists all the software capable of accessing the internet and I periodically check that as well. Most people should be more aware of the spying that occurs but human nature is what it is ????