glenn35
join:2003-02-11
Humble, TX

Member

Newbie here, What does this mean?

Just to let you know I have just installed Norton Personal Firewall. Only seconds after opening IE a little note popped up telling me that a program called save.exe is trying to access the internet. It says it has no virus. And here is the info I received from the WHOIS feature.

Registrant:
SONDHI, GAYATRI (WHENU-DOM)
301 E 66TH ST APT 9D
NEW YORK, NY 10021-6216
US

Domain Name: WHENU.COM

Administrative Contact:
Nader, Avi (PMRVKVGHAI) anader@whenu.com

494 8th Ave
New York, NY 10001
US
212-239-0000 212-239-4442
Technical Contact:
Hostmaster, Pfmc (PH540) hostmaster@GLOBIX.NET
Globix Corp.
139 Centre Street
New York, NY 10013
US
212-334-8600 212-334-8603

Record expires on 22-Jul-2003.
Record created on 22-Jul-1999.
Database last updated on 10-Mar-2003 17:28:32 EST.

Domain servers in listed order:

Z1.NS.NYC1.GLOBIX.NET 209.10.66.55
Z1.NS.SJC1.GLOBIX.NET 209.10.34.55

What is this program and how did I get it? I am very green at all of this even though I have been reading the FAQ and the Security Forums here at DSLR. So please help me to figure this garbage out and what I should do in the future for this type of occurrence.

Thanks

Ray
Mahnahmahna
Premium Member
join:2001-04-02
85120

I did a quick Google for 'save.exe' and found this:

»www.winpatrol.com/stats.html
LowWaterMark
Premium Member
join:2002-05-16
Wallingford, CT

LowWaterMark to glenn35

I cleaned this off a system the other day with SpyBot... They got it when a weather applet got downloaded for the systray. More info: »Weather.exe,SaveUninst.exe,SaveNow...
glenn35
join:2003-02-11
Humble, TX

glenn35 to Ray

Member

Thanks for the quick response. But what should I do about that file? Should I delete it or what? Will it come back and how do I prevent it from coming back?

I have Ad blocking checked on NPF. Is that enough?
LowWaterMark
Premium Member
join:2002-05-16
Wallingford, CT

Run SpyBot S&D to clean it off.

CableLane5
join:2001-03-16
Chester, VA

CableLane5 to glenn35

Member

I did a check on spychecker »www.spychecker.com/ for a program named (save); it came up with two hits, both of them adware. I think it may be adware; one of the two was a New York based ad company. You may, if you don't already have one, try ad remover software: Spybot or Adaware. If it is adware, either one of these programs should find it and be able to remove it.

dolphins
Clean Up Our Oceans
Premium Member
join:2001-08-22
Westville, NJ

dolphins to LowWaterMark

said by LowWaterMark:
I cleaned this off a system the other day with SpyBot... They got it when a weather applet got downloaded for the systray. More info: »Weather.exe,SaveUninst.exe,SaveNow...

BTW, I had to manually delete that folder after using SpybotS&D and jv16 reg cleaner. So be sure you check for any bits & pieces left in your registry.

BillPStudios to Ray

Anon

Yup, according to the WinPatrol Plus database it's a popular one these days.
---------------------------------------
We have found multiple references to a file named SAVE.EXE. Hopefully, the Properties for this file include a company name.

Save.exe from Adobe is a Plug-In for Pagemaker which enables you to collect all the files your service provider will need to output your publication. If you have this Save.exe you're ok.

However Save.exe from WhenU.com is not something you want. It's been referred to as Thiefware. It tracks your internet usage and relays the information to its clients. If you notice you're suddenly getting a lot of popup-ads it's probably due to Save.exe.

What's worse is WhenU.com is able to steal referrals so if you purchase products online they'll get the affiliate money instead of the site that recommended or highlighted the product.
glenn35
join:2003-02-11
Humble, TX

glenn35 to dolphins

Member

OK I just DL Adaware and ran it. It shows 142 items. Several are registry entries. If I click "next" it says all 142 items will be removed. I suppose it is talking about the registry entries also. Will this screw up my computer?

dolphins
Clean Up Our Oceans
Premium Member
join:2001-08-22
Westville, NJ

They're all nasties! Let Adaware delete them.

Jeeze, with all that gone you might notice a change in your browser speed ;)
glenn35
join:2003-02-11
Humble, TX

Member

OK they have all been deleted. But just one Q. After I deleted them I closed and reopened IE and the save.exe tried again to access the internet. I closed everything and rebooted and it does not seem to be active anymore.

The folder "save" which contains the save.exe is still on my computer and I tried to delete the whole folder. It says that save.exe is being used by another program or user and cannot be deleted. I have WinXP and am logged in with admin account. No one else is using the computer or logged on.

What's up?
LowWaterMark
Premium Member
join:2002-05-16
Wallingford, CT

said by glenn35:
The folder "save" which contains the save.exe is still on my computer and I tried to delete the whole folder. It says that save.exe is being used by another program or user and cannot be deleted. I have WinXP and am logged in with admin account. No one else is using the computer or logged on.

What's up?

Check the running processes in the task manager (Ctrl Alt Delete) - if you see save.exe running, kill it then delete the folder.

If it survived after a reboot, then maybe the key is still in the Startups. Check msconfig to see if it's listed in the startup tab.

Technically, when I cleaned it off the other system, I had gone thru msconfig first, unchecked any bad startups, rebooted and then ran SpyBot for cleanup, so perhaps yours survived a clean by Ad-Aware.

dolphins
Clean Up Our Oceans
Premium Member
join:2001-08-22
Westville, NJ

or restart in safe mode, then delete the folder.

I suggest you get some realtime protection> »www.wilderssecurity.net/ ··· ter.html

»www.wilderssecurity.com/ ··· ard.html

Also I would download> »spybot.safer-networking.de/ Nothing wrong with having both this and AdAware.

Also if you want to keep track of your registry entries? Learn how to use this amazing tool> »www.vtoy.fi/jv16/shtml/j ··· ls.shtml

Out of all of these only SpywareGuard uses any resources (small amount) but IMO is well worth it! It has stopped some nasties from loading to my machine without my permission.

Note: These programs are free but you can make a donation!
glenn35
join:2003-02-11
Humble, TX

glenn35 to LowWaterMark

Member

Thanks lowwatermark, and others that responded. I went to task manager and it was still running. I killed it and then deleted the folder and its contents.

Thanks again
glenn35

glenn35

Member

OK I thought I was finished with this mess but I was looking thru the registry and found this entry. Should I delete it or what?

BKayrac
Premium Member
join:2001-09-29

yeah if you delete that, that program won't run, don't want it to run at startup, delete it......might also want to delete real player one, i always found that thing to be pointless ....but up to you
LowWaterMark
Premium Member
join:2002-05-16
Wallingford, CT

said by BKayrac:
yeah if you delete that, that program won't run, don't want it to run at startup, delete it......might also want to delete real player one, i always found that thing to be pointless ....but up to you
Agree completely regarding the Save stuff (though, you already deleted the program and folder above). Plus, in addition to removing the RealPlayer, though you didn't ask, I'd also delete the QuickTime one. (Both RealPlayer and Quicktime work fine without taking resources away right from bootup.)

BKayrac
Premium Member
join:2001-09-29

yes, quicktime also, didn't see it or else i would have mentioned it......both of them tend to take over and put lots of stuff.....and for me, it's lots of stuff places that i don't want it
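
The checks suggested in this thread (is save.exe still running, is it in the startup list, is a registry entry left behind) can be gathered in one read-only pass. This is an added example, not part of any poster's message. It assumes a current Windows with PowerShell 3 or later, and it assumes the leftover entry sits under the standard Run/RunOnce keys or a Startup folder, since the thread does not show which key was involved.

```powershell
# Added example: report leftovers of an unwanted program. Read-only, deletes nothing.
# $ImageName defaults to the file named in the thread; the key list is an assumption.
param(
    [string]$ImageName = 'save.exe'
)

$pattern  = [regex]::Escape($ImageName)
$baseName = [regex]::Escape([IO.Path]::GetFileNameWithoutExtension($ImageName))

# 1. Is the image still running? A live process keeps the file locked,
#    which is why deleting its folder fails with "in use".
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -ieq $ImageName } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine

# 2. Run/RunOnce autostart values whose command line mentions the image.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($data -match $pattern) {
            [pscustomobject]@{ Key = $key; Value = $name; Command = $data }
        }
    }
}

# 3. Shortcuts or files in the per-user and all-users Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ }
$shortcuts = Get-ChildItem -Path $startupDirs -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $baseName }

'--- running processes ---';    $procs     | Format-List
'--- registry autostarts ---';  $autoruns  | Format-List
'--- startup folder items ---'; $shortcuts | Format-List FullName
```

An empty section means that check found nothing; any autostart entry it lists will relaunch the program at the next logon even if the process has been killed.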