
Solved How to kill SaveNow?

Discussion in 'Earlier Versions of Windows' started by MadDogMugsy, Jan 20, 2003.

Thread Status:
Not open for further replies.
  1. MadDogMugsy

    MadDogMugsy Guest Thread Starter

    Good Morning Folks!

    I just ran Norton Internet Security / Internet Access Control.

    After requesting a search for all Internet Enabled Applications, it listed a new & unfamiliar one "SaveNow ... C:/PROGRAM FILES/SAVENOW/SAVENOW.EXE. (I have blocked access)
    (I ran it about a month ago and this wasn't in there)

    Even though it is not in my Startup, I went to http://www.pacs-portal.co.uk/startup_pages/startup_full.htm and they state that: SaveNow/ SaveNow.exe / Advertising spyware. Installed as part of the Kazaa Media Desktop bundle for example.

    - I don't use Kazaa
    - the folder was not in c:/program ...
    - it was not found in add/remove programs
    - it is only in the Registry under Symantec's "catch" (HKEY/LOCAL_MACHINE/SOFTWARE/Savenow/Symantec/IAM/FirewallObjects)
    - I ran Spybot - nothing found
    - I ran Adaware - nothing found

    :confused: Question
    ... why would Norton pick this up if I can't find it anywhere? Is this something to investigate further (and how)?

    Many thanks in advance
    cheers
    Louise
    MDM
     
  2. rugrat

    rugrat

    Joined:
    Dec 16, 2001
    Messages:
    1,869
  3. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    I don't understand why SpyBot won't detect SaveNow.

    It should, even when NOT updated for quite a while...

    Are you sure you're running the very latest version of SB?
    Launch it, and press Info & License.

    It should read SB 1.1 rel 4.

    If it doesn't, uninstall the program, and reinstall the latest version.

    And install ALL available updates, as Rugrat already advised you to do.
     
  4. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    By the way, I almost forgot:

    SaveNow has a working uninstaller (unless parts of it have already been removed by Ad-Aware or SpyBot).

    Go to Add/Remove program, find SaveNow (also known as WhenUSave, or Save), and uninstall it.
     
  5. MadDogMugsy

    MadDogMugsy Guest Thread Starter

    Hi rugrat and TonyKlein
    thanks for responding!!

    I check my system often with SpyBot, AdAware, Norton's InternetAccessControl, StartUpList...etc. :D because I am out there a lot checking out new & groovy stuff. But this "catch" by Norton has just popped up out of the blue. (no system changes since my last check)

    Yes - I just installed SpyBot this morning (just ran it prior to thread) and I had ensured all latest updates were applied. :)

    There is nothing in the Add/Remove Programs even close (just stuff I recognise)

    I decided to delete my Internet Security Preferences ... rebooted - made sure the references were not in the Windows Registry - and then ran it again ... it is still picking it up when I scan for Internet Enabled Applications. :(

    Is there another tool out there that you know of? ... to delete this, to find remnants?

    Many thanks !!!
    MDM

    ps
    The only piggybacker I found, came with a Demo Download of PhotoShop ... called CDilla ... okay to protect copyright, but they didn't tell me about it and I found it only when deleting the demo after first use in Add/Remove and the .dat in SpyBot
     
  6. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Wait a minute: you're saying it's not in your startups.

    If so it is probably not running, and maybe not even installed any more, exactly like it should be after running SpyBot.

    It may just be an orphaned registry entry left in your Firewall applications list, that may well point to nothing at all.

    Just remove the SaveNow entry from that list.

    For a second opinion, please do this:

    Go to http://www.spywareinfo.com/downloads.php#startup , and download 'Startuplist'.

    Unzip, double-click it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    Go to Edit > select all, copy it and post the contents here.

    If SaveNow is running, we'll see it. But I don't think so.
     
  7. MadDogMugsy

    MadDogMugsy Guest Thread Starter

    Hi again!

    I don't see it in there ... but here it is:

    StartupList report, 1/20/2003, 11:40:52 AM
    StartupList version: 1.40.1
    Started from : C:\WINDOWS\DESKTOP\NEW FOLDER\STARTUPLIST.EXE
    Detected: Windows ME (Win9x 4.90.3000)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\SYSTEM\LXSUPMON.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\ADSGONE\ADSGONE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\NEW FOLDER\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    OmgStartup = C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    NAV Agent = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    SystemTray = SysTray.Exe
    LVComs = C:\WINDOWS\SYSTEM\LVComS.exe
    LexStart = Lexstart.exe
    LXSUPMON = C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
    MSConfigReminder = C:\WINDOWS\SYSTEM\msconfig.exe /reminder

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
    *StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
    ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
    SchedulingAgent = mstask.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    WebCamRT.exe =

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{89820200-ECBD-11cf-8B85-00AA005B4395}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [>PerUser_MSN_Clean] *
    StubPath = C:\WINDOWS\msnmgsr1.exe

    [PerUser_LinkBar_URLs] *
    StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 18/1/2003, 16:28:4)

    [Rename]
    C:\PROGRA~1\MICROS~1\OFFICE\MSO9.DLL=C:\PROGRA~1\MICROS~1\OFFICE\TBMA1B6.TMP
    C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL=C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\TBMA1D5.TMP
    C:\PROGRA~1\COMMON~1\SYSTEM\MAPI\1033\95\EXSEC32.DLL=C:\PROGRA~1\COMMON~1\SYSTEM\MAPI\1033\95\TBMA243.TMP
    C:\PROGRA~1\COMMON~1\SYSTEM\MAPI\1033\95\OMI9.DLL=C:\PROGRA~1\COMMON~1\SYSTEM\MAPI\1033\95\TBMA261.TMP
    C:\PROGRA~1\MICROS~1\OFFICE\OUTLLIB.DLL=C:\PROGRA~1\MICROS~1\OFFICE\TBMA292.TMP
    C:\PROGRA~1\MICROS~1\OFFICE\1033\OUTLLIBR.DLL=C:\PROGRA~1\MICROS~1\OFFICE\1033\TBMA2A5.TMP
    C:\PROGRA~1\MICROS~1\OFFICE\OUTLOOK.EXE=C:\PROGRA~1\MICROS~1\OFFICE\TBMA2B2.TMP
    C:\PROGRA~1\COMMON~1\SYSTEM\MAPI\1033\95\PSTPRX32.DLL=C:\PROGRA~1\COMMON~1\SYSTEM\MAPI\1033\95\TBMA2B5.TMP
    NUL=C:\WINDOWS\TTFCACHE

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PATH=C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\;;C:\WINDOWS;C:\WINDOWS\COMMAND
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    @C:\WINDOWS\tmpcpyis.bat

    --------------------------------------------------

    C:\WINDOWS\DOSSTART.BAT listing:

    @echo off
    REM Notes:
    REM DOSSTART.BAT is run whenenver you choose "Restart the computer
    REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
    REM you to load programs that you might not want loaded in Windows,
    REM (because they have functional equivalents) but that you do
    REM want loaded under MS-DOS. The two primary candidates for
    REM this are MSCDEX and a real mode driver for the mouse you ship
    REM with your system. Commands that you want present in both Windows
    REM and MS-DOS should be placed in the Autoexec.bat in the
    REM \Image directory of your reference server. Please note that for
    REM MSCDEX you will need to load the corresponding real-mode CD
    REM driver in Config.sys. This driver won't be used by Windows 98
    REM but will be available prior to and after Windows 98 exits.
    REM
    REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
    REM before Windows loads and access the CD-ROM. All you have to do
    REM is press F8 and then run DOSSTART to load MSCDEX and your real
    REM mode mouse driver (no need to remember the command line parameters
    REM for these two files.
    REM
    REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
    REM - The string following the /D: statement must explicitly match
    REM the string in CONFIG.SYS following your CD-ROM device driver.
    REM MSCDEX.EXE /D:OEMCD001 /l:d
    REM MOUSE.EXE

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    PCHealth Scheduler for Data Collection.job
    Symantec NetDetect.job
    Norton AntiVirus - a.job
    Maintenance-Defragment programs.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
    CODEBASE = http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
    CODEBASE = http://security2.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [AcceptLang Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SETACCEPTLANG.DLL
    CODEBASE = http://runonce.msn.com/setacceptlang.cab

    [sonyctl.sonycm]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SONYCTL.DLL
    CODEBASE = http://supportcentral.sel.sony.com/sdccommon/download/sonyctl.CAB

    [Microsoft Office Tools on the Web Control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OUTC.DLL
    CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

    [MSN Photo Upload Tool]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNPUPLD.DLL
    CODEBASE = http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab

    [MSN Chat Control 4.2]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT42.OCX
    CODEBASE = http://sc.communities.msn.com/controls/chat/msnchat42.cab

    [Macromedia Authorware Web Player Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\AUTHORWA\AWSWAX.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab

    [Hotmail Attachments Control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HMATCHMT.OCX
    CODEBASE = http://lw14fd.law14.hotmail.msn.com/activex/HMAtchmt.ocx

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
    CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

    [YahooYMailTo Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YMMAPI.DLL
    CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll

    [Cpuid Control]
    InProcServer32 = C:\WINDOWS\CPUID.OCX
    CODEBASE = http://powe45.vwh.net/downloads/upgradefinder.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
    CODEBASE = http://207.188.7.150/03a990cac734383a2716/netzip/RdxIE6.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37587.4965625

    [OPUCatalog Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\OPUC.DLL
    CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

    [sys Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
    CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

    --------------------------------------------------
    End of report, 11,822 bytes
    Report generated in 0.555 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    =================
    I guess it is just a wee ghost of Norton's past as you said ... kinda creeps me out not to be able to track down every little tidbit.

    thanks again :D
    Louise
     
  8. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Hi Louise,

    No sign of any spyware whatsoever.

    As I suspected, it's just a leftover registry entry, and you can simply delete SaveNow's entry on Norton's list of applications.
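
Added example, not part of the original thread: a Python sketch of the check applied to the StartupList report above, splitting it into sections and looking for a program name among the running processes and the autostart locations. The sample report is a constructed excerpt in the same layout, and the function names are illustrative.

```python
import re

# Constructed excerpt in the StartupList 1.40 layout (not the poster's full report).
SAMPLE_REPORT = r"""StartupList version: 1.40.1
==================================================

Running processes:

C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
"""

# Sections are delimited by long runs of '-' (or '=' after the header).
SEPARATOR = re.compile(r"^[ \t]*[-=]{10,}[ \t]*$", re.MULTILINE)

def split_sections(report):
    """Return {section title: [non-empty body lines]} for each delimited block."""
    sections = {}
    for block in SEPARATOR.split(report):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        title = lines[0].rstrip(":")
        # Registry sections share one title; append the key path to tell them apart.
        if title == "Autorun entries from Registry" and len(lines) > 1:
            title = f"{title} [{lines[1]}]"
            lines = lines[1:]
        sections[title] = lines[1:]
    return sections

def find_program(report, name):
    """List (section, line) pairs that mention `name`, case-insensitively."""
    needle = name.lower()
    return [(title, ln) for title, body in split_sections(report).items()
            for ln in body if needle in ln.lower()]

def verdict(report, name):
    hits = find_program(report, name)
    if any(title == "Running processes" for title, _ in hits):
        return "running"
    return "autostart entry only" if hits else "not running, no autostart entry"
```

A "not running, no autostart entry" result for a name the firewall still lists is consistent with a stale entry in the firewall's own application list, which is the conclusion reached in this thread.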
     
  9. MadDogMugsy

    MadDogMugsy Guest Thread Starter

    Thanks again Tony!

    I removed it from Norton's list

    best cheers
    Louise
     
  10. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    You're welcome, Louise.

    Happy surfing! :)
     