Spyware In Shareaza?
Sorry but I'm going to need to see some proof that can be duplicated on that accusation, I have never seen any spyware or third party software in shareaza.
I looked pretty hard. Alot of people have. No-one found anything.
I Have never seen it generate any non-standard traffic No-one else has Either.
And if you have proof to the contrary I, as well as many others, would like to see it.
If you do, thanx in advance!
If you Don't, check your facts better!
EDIT: 2 things I forgot!
1. I'm going out of town for a bit. So I will be unable to post for a couple days.
2. Shareaza's Homepage is: http://shareaza.com
evrytime i start Shareaza this happens i start pestpatrol it finds this http://pestpatrol.co...o/s/savenow.asp
i then delete it and then i rescan with pestpatrol it does not show up. then i start up shareaza again and after that do then scan and the file shows up again
so its ad-aware spyware in shareaza it also shows up in spysweeper 2.1
Summary: A single process runs at startup which monitors open IE windows and opens adverts when it sees targeted URLs and terms entered into forms. Some distributions of this software were bundled with a "WhenUDownload" control.
One of the most pervasive pieces of piggyback software is dubbed "SaveNow," created by a company called WhenU.com. Distributed along with BearShare, iMesh and the Global DivX player that allows people to watch many online movies, it tracks where a person goes online and then pops up separate browser windows with targeted advertisements or special offers... continuously downloads updated information about new offers and keeps a record of where a person surfs on that person's own computer. It runs continually--even when the program it came with is not operating. Source
SaveNow is installed on your computer as a module that comes with WhenUShop or other software that you download from the Internet... There are a vast number of offers and services available to Internet users that SaveNow may display... SaveNow's offers and information are provided to users by showing a limited number of relevant coupons and ads in the form of interstitials ("pop-up ads") and other ad formats. These offers and ads are shown when users visit various sites across the Internet, based on URLs visited by the user and/or search terms typed into search engines and/or the HTML content of the page viewed by the user. SaveNow's offers are delivered independently from the site the user happens to be visiting when they see a SaveNow offer. Source
Alias: Adware-SaveNow [McAfee]
Category: Adware: Software that brings ads to your computer. Such ads may or may not be targeted, but are "injected" and/or popup, and are not merely displayed within the form of an ad-sponsored application.
Variants: SaveNow/B comes without the WhenUDownload component.
SaveNow/Db is the same as the Save variant, but includes an ActiveX 'marker' control to prevent it being installed twice.
SaveNow/Download comes bundled with a "WhenUDownload" ActiveX control.
SaveNow/Save is a new version, rebranded as 'Save!', which works in the same manner.
Similar Pests: Adware
Group: WhenU., Inc.
By This Group: SaveNow/Download
Date of Origin: Variants from April, 2002 to November, 2003
Distribution: BearShare and other P2P applications are bundled with SaveNow, as it RadLight video player, and all software distributed by Galt Technologies.
The Db variant is also installed by drive-by-download in advertisements.
Prevalence: SaveNow: 1.0% of all pest reports (1021 per 100,000 reports) More Info
Clot Factor: SaveNow: On average, 32 objects detected in each machine
The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.
Countries Affected: In the past three months, we have received reports of SaveNow in Argentina, Australia, Austria, Belgium, Brazil, Canada, Chile, Croatia, Czech Republic, Denmark, Egypt, Finland, France, Germany, Israel, Italy, Japan, Lithuania, Mexico, Netherlands, New Zealand, Nicaragua, Norway, Peru, Poland, Portugal, Russian Federation, Saudi Arabia, South Korea, Spain, Sweden, Switzerland, United Kingdom, United States.
Growth: SaveNow: Increased 207.9% over the last 90 days
Advertising: Yes. SaveNow keeps a list of URLs and terms it is interested in on disk, in the file 'SaveNow\savenow.db' in Program Files. This file is obfuscated but it is trivial to decode.* The (large - often over a megabyte) file maps from these targets to advertisements to serve, which are downloaded through Akamai's proxies.
Storage Required: SaveNow: at least 15569KB
Privacy Issues: As well as downloading the pop-up ads, SaveNow connects to WhenU's servers to log the ad impression. It passes the name of the affiliate software which installed the software, the ID of the advert being shown, and the site URL or term that caused the pop-up to be triggered.
Security Issues: No.
Stability Issues: Yes. Can cause frequent crashes.
Detection and Removal
Automatic Removal: PestPatrol detects this.
PestPatrol removes this.
Manual Removal: SaveNow/B and SaveNow/Save can be removed from the Control Panel's 'Add/Remove Programs' option.
SaveNow/Db does not provide an Add/Remove Program entry and must be removed manually. SaveNow/Download may be removed through the Control Panel, but leaves an ActiveX control behind, see below for removal.
Finally, SaveNow often also installs 'WeatherCast', a system tray icon that displays the current weather conditions. Unless you find this useful for some reason, you should probably also remove this from Add/Remove Programs.
Open the registry (Start->Run->regedit) and find the key:
Delete the 'SaveNow' or 'WhenUSave' value. Reboot and you should be able to delete the 'SaveNow' or 'Save' folder inside 'Program Files'.
To remove the ActiveX objects installed by the Download and Db variants, open the 'Downloaded Program Files' folder inside the Windows folder, and deleting the SaveNow object - the name of this is 'WhenUDownload' in the Download variant, and 'FC327B3F-377B-4CB7-8B61-27CD69816BC3' in the Db variant.
Edited by james, 14 December 2003 - 04:09 PM.