So where is this file for download? Can't wait to check it out..
Downloads are located on:
http://www.spybot.info/en/download/index.html
the above link
I'd also like to get a look at it. Is it available anywhere yet?
Hey Tom, perhaps I'm blind but I don't see a DL link anywhere on that page.
I think this will have to await a response from Patrick, I've never seen a release version of this linked anywhere.
<<<EDIT>>>
Here's a partial explanation, looks like it's only been released with the German computer magazine c't for the Emergency CD distribution at this point.
http://www.safer-networking.org/en/news/2005-08-29.html
Hey bitman, been a while...nice to see you again and thx for the heads up.
In the meantime, I certainly wouldn't mind if a staffer were to make a copy available to me. :hint:
A download link should follow real soon, I just had a few minor adjustments because since the c't version, there have been new features added, and we wanted to fill the database shipped with it with as many entries as possible, to avoid the need for it to download too many updates later on.
Cool! Thx for the heads up. I'm looking fwd to seeing it. :)
You're such a tease PepiMK but I'll await with patience for another great product :)
I'm so fired up about this. I've been stuck with EZPCFix on my BartPE disk for so long. I got so frustrated with it (it's ugly, it dies so easily, lack of features) that I was beginning to work on my own tool.
Then I saw the announcement on the site and did a little dance, I was so excited. Everything I ever wanted, even the "definitions" idea I thought up, but couldn't dream of implementing, due to time restraints and skill. I've probably wasted a lot of your bandwidth, checking to see if you had made it available for us Americans yet.
Really, the whole idea is beautiful. And since it can phone home, it will help keep Spybot's definitions fresh, I guess, sending you all info from the front lines.
I eagerly await the fruits of your labor. :)
Sorry that it's delaying, with so many rootkits out, there are a bunch of new startup locations I want to add still. Shouldn't take long though (meanwhile a few people are working through the database, which already has increased to nearly 40000 entries).
Meanwhile I've created a small teaser to show you we're still active :D
"PepiMK,"
I thought this new progy was RunAlyzer and your teaser is CompatAlyzer?
I am looking forward to this RunAlyzer, will you be able to change locations for items to start from? Maybe remove some that we have in and reinstall them later? With these reg monitors, FWs, WebAccelerators, etceteras they all have to be stopped when you ScanDisc and DeFrag is a pain.
Excuse ME, I am lost, this is the wrong place for this or maybe I am in the wong place. Went back and re-examined the Forums page and found I had entereed the wong wone. I will need to go back to reading shool and maybe learn a little spelling as well?
TIA,
The new program this forum is for is RunAlyzer, yes. CompatAlyzer is something completely different - I just posted it as an excuse ;)
RunAlyzer will allow for nearly every entry to disable it temporarily (which means it won't get loaded on boot until you re-enable it). The items won't get deleted - just moved to another location in the registry where they don't get loaded.
"PepiMK,"
Thank you for this explanation, I was a little confused on this and was looking forward to the RunAlyzer. That is really more of a TEASER I think. I did download the CompatAlyzer and find it to be a little OMH (over my head) and will remove it for now. Maybe some day it may be of some use for me but for now I think not.
Again, Thank You for this reply,
:D
I did finish some optimizations on RunAlyzer and gave it to the team for a short testing today, depending on how much feedback I get I hope for a public beta on Friday :)
Ok, there are a lot of categories to add still, but here's an alpha version:
Download
I love it.
It's everything I had hoped for...
I can't wait until it's ready to be called a finished product. ;)
Can this alpha version be run from a BartPE disk? I have a system I'm trying to fix for someone that has a virus on it that so far can't be detected by Stinger, avast! Anti-Virus, Spybot S&D, Ad-Aware, or McAfee. I can't even get rid of it with HijackThis or any of the other tools from Merijn.org...
The virus is running as svchost.exe, and is blocking the desktop from displaying without actually terminating explorer.exe (I can terminate the svchost.exe that really is the virus, and the desktop will load). It's even running in safe-mode, so removing it without re-formatting will be quite a challenge. If I could use RunAlyzer on a BartPE disk, then it would probably be a lot easier to fix...
Oh, PepiMK, you've made my day... possibly week.
Are you guys looking for feedback yet? I don't want to flood you with redundant information, if not. But I'll be testing this quite a bit as releases come out, and would be happy to help you out in any way I can: A better Runalyzer makes my life a lot easier. :) If there's anything else I and/or other users can do, let us know.
@GT500: sure you can run it from a BartPE CD. That was actually the idea why we started to write it in the first place :)
@salmo: sure, if you have feedback, let us hear it :)
I've finally added this to my BartPE disk tonight, and it looks great. I tested it on a Virtual Machine snapshot I have set up with some known spyware on it and it works wonderfully. The definitions could be more complete, which is to be expected, but there were enough to make quick work of the task at hand.
I've also run it on my WinXP x64 machine here, although I didn't find anything new. ;)
Tomorrow, I'll start using this on "real" machines. Shoot, I may even plug up a few drives to one machine and knock some out in batches.
WinXP x64?
Did you notice something? Hmmm I guess it's not yet in the release, I'll have to add another alpha or beta this week.
On WinXPx64, you have two separate registry branches for some settings, one for 32 bit and one for 64 bit. RunAlyzer is able to display both :) (see new post in the screenshot topic I just made)
Ok, download has been updated today :)
Thank you for all the work you do. This is a great product...just like all your works are. :)
First, thx for fixing the log 'save'.
I'm curious and have a couple of questions about your plans:
Do you plan to make the logs interactive much the same as in HJT(item deletion)?
Will you be making the 'process list' interactive such as with the other tabs or as in a common process manager(delete, suspend, kill, priority, resource usage, etc)?
Item deletion is already available on most tabs, along with item toggling for those who're unsure about their actions :)
Having the same options on the log page would be redundant, wouldn't it?
And yes, the process list will grow in features surely. Priority (and CPUs used by a process), network connections, and all that stuff ;) This program started to be for use on bootable WinPE disks, so processes haven't earned enough attention yet, I agree.
First though I still have a bunch of other startup locations I still need to add.
Just snarfed up your updated installer. I think you can claim the x64 support as a first. I am just thrilled, as no one seems to take x64 seriously (although somewhat understandably).
I have to say after using it for the past week or two, it really has helped me clean machines quite a bit faster. I'm also catching new stuff I'd never seen before.
I'd love to see other things added, like being able to flip through IE settings (proxy, default pages), but I don't know if this is outside of what you're wanting to do. I understand it is Runalyzer, and these kinds of things aren't really "running" but you're so close to making HijackThis! and EZPCFix tools I only look back on using.
As for stability/success rate, I'm amazed. Some times if I 'reg load' hives from a disk into bartpe's registry and 'reg unload' the changes back, my modifications don't stick. But letting Runalyzer self-manage the registry loading and such, I have a 100% success rate so far (cross my fingers). Whatever voodoo you have cooked up is potent. :bigthumb:
Is there anything we users can do to help?
Thx for the heads up, Patrick. I was just trying to get a feel for where you were going since it was still beta and only available here. Again, great work. Thanks.
Very very cool tool!
This is gonna be big :-)
Suggestion: Some registry entries only show a CLSID value - maybe Runalyzer could follow up with that number and find the registry entry that shows the file/program/driver it is associated with. I have seen malware create random CLSIDs and then start itself from there.
Hehe, the restricted domain list is quite big - this has got to be either Spybot's Immunize or SpywareBlaster :-)
Nice to know what these programs actually do to protect us!
Heck, I'll gladly send you my logs for this, as long as it helps make Runalyzer even better :-)
I hope I can just copy the files that the installer creates (instead of installing it on every PC). I intend to use this new toy on client's PCs, but I don't want to have to install it on every PC in a company with 20 PCs hanging on a server when I can just run it from the server.
If you need help analyzing some logs, I bet there's plenty of people here who would help (including me).
I should probably mention that I have installed SPSD on 95% of all the PCs that I have touched in the last year, and it does an excellent job - I hardly ever get calls about malware from clients who have it (and update and run it, though, hehe).
Cool stuff! And as salmo said:
If there's anything we can do to help, just let us know!
(I know from experience with my own little program how hard it can be to get feedback and help from users - well, here you have some who WILL help)
A very nice tool. Presumably over time more entries will be classified as legit :-).
I clicked the online analysis button, and after a lot of upload and download activity, I got the message that Teamspybot would be analyzing it, but nothing else; I take it it's early days, but how is it planned that that option will function: will we get a report back in Runalyzer?
I have a couple of questions about some of the entries in domains keys. In my case to the best of my knowledge these have all been added either by Spybot or by Spywareblaster.
First, runalyzer does not seem to list those under CURRENT_USER, but does list those for .DEFAULT user: I don't think that is necessarily always the same list as for CURRENT_USER (if I delete an entry under .DEFAULT user that is in both, it does not get removed from CURRENT_USER, so it must be possible to have different entries in these)?
Second, some entries in my domains list are of the form
domain key, no * Dword
subdomain key, *Dword =4 (restricted zone)
example:
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adult-host.org]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adult-host.org\sexycat]
"*"=dword:00000004
Runalyzer shows the main key (in this example adult-host.org) with a (correct) blank entry under description, but does not show the sub key, sexycat, that is in the restricted zone.
By deleting the corresponding key in CURRENT_USER, I found out it is put there by spywareblaster, I don't know how the domains list in .DEFAULT user comes about (spywareblaster does not put it back if I delete it there).
Are those domain entries with subkeys not correctly formulated, or is it an oversight?
I hope this feedback is welcome, if not please say so :-)
Red means it's a known bad guy or what?
We've been working hard to bring 64 bit to Spybot-S&D as well, so please forgive me if RunAlyzer took a short break ;) We've got a new release of RunAlyzer ready for next week I think.
@salmo:
x64 is quite important to me - Apple has its consumer OS with 64 bit support for quite some time, and slowly you'll see new machines with 64 bit appearing. And it's better to support it now than to react when the first 64 bit malware really spreads ;)
With the new release, we have a bunch of new keys detected. In fact, the second tab "WinLogon" has now been renamed to "Advanced startups" and contains mostly things that are NT/2k/XP/etc. specific. It now lists more than 60 keys (of course, there are quite a few that appear for every user ;) ), and there will be more. From the IE settings, both proxy and start/search pages may be of interest as well, I agree. The pages are often misused to run malicious scripts (which then load stuff, so it's kind of "run").
@semmel:
A CLSID browser? Nice idea and something that has been on my list for a long time, but I never quite got around to it (except internal testing implementations for our detectives).
Please send in your logs, of course :) It's just the simple Online Analysis button with the "submit anonymous" checkbox checked!
Yes, it's sufficient if you just copy over the files, or start it from a network drive. We tend to write all our tools in a way that they don't need something only the setup will create.
@Rosenfeld:
Well, we have a bit of a backlog because in the beginning, there were quite a lot of new legit entries ;)
It's planned that you do the online analysis a day or two later and should have updated entries. That depends a bit on how much this grows of course - that's why we test this in a small area first. Allows us to get the bunch of legit entries done without people pressing :D
Regarding HKEY_CURRENT_USER: HKCU is always just a link to the user currently logged in, who has a subkey under HKEY_USERS. Usually a real user has HKEY_USERS\S-1-5-XX-XXXXXXXXXXXXXXXXXXX (the smaller numbers are default system accounts). The default user key is a template that Windows will copy when you create new users. Spybot-S&D immunizes there as well.
Regarding the keys - in some cases, I've tried to make things simpler and not really representing the registry structure completely. So it should show that sexycat entry under sexycat.adult-host.org, and not as a subkey of adult-host.org.
@Tudds:
yes. Red are the bad guys, green are legit entries, yellow entries we're not sure about, and white not yet classified entries.
@all: Thanks for your offers of help! Filling the database with data is probably the most important thing during the alpha phase, to have a solid base when switching to beta :)
When we're there and I've implemented all the keys I intend to do, more information on additional startup locations will be welcome as well (right now, I've still got a dozen that need some more research, and two dozen or so finished that'll be new in the next release).
Cheers!
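The flattened display described in the post above (a `Domains\<domain>\<subdomain>` key shown as `subdomain.domain`) and the per-hive difference raised earlier in the thread can be checked against a registry export; this is an added example, not RunAlyzer code and not part of the original posts. The sample export is constructed: the `.DEFAULT` keys follow the ones quoted in the thread, while the `HKEY_CURRENT_USER` keys and `example.test` are assumptions for illustration.

```python
import re

# IE security zone numbers; only 4 (restricted zone) is mentioned in the thread.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

MARKER = ("\\software\\microsoft\\windows\\currentversion"
          "\\internet settings\\zonemap\\domains\\")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in .reg export format (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adult-host.org]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adult-host.org\sexycat]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adult-host.org\sexycat]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"*"=dword:00000004
'''

def parse_zonemap(reg_text):
    """Return (hive, host, protocol, zone_name) for every zone assignment."""
    rows, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            pos = key.lower().find(MARKER)
            if pos < 0:
                current = None          # not a ZoneMap\Domains key
                continue
            hive = key[:pos]            # e.g. HKEY_USERS\.DEFAULT
            parts = key[pos + len(MARKER):].split("\\")
            # Domains\<domain>\<subdomain> is flattened to subdomain.domain
            current = (hive, ".".join(reversed(parts)))
        elif current and (m := VALUE_RE.match(line)):
            zone = int(m.group(2), 16)
            rows.append((*current, m.group(1),
                         ZONES.get(zone, f"unknown ({zone})")))
    return rows

def missing_in(rows, reference_hive, other_hive):
    """Assignments present under reference_hive but absent under other_hive."""
    ref = {r[1:] for r in rows if r[0] == reference_hive}
    other = {r[1:] for r in rows if r[0] == other_hive}
    return ref - other

if __name__ == "__main__":
    parsed = parse_zonemap(SAMPLE_REG)
    for row in parsed:
        print(" | ".join(row))
    print("only in HKCU:",
          missing_in(parsed, "HKEY_CURRENT_USER", "HKEY_USERS\\.DEFAULT"))
```

A parent key that carries no values of its own, such as `adult-host.org` here, produces no row, which corresponds to the blank description reported in the thread.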
Fantastic application.
Can it be run from a USB memory stick?
p.s. was about to buy WinTasks 5 Professional
https://www.regnow.com/softsell/nph-...gi?item=7042-2
but think you've come up with a superior product!
Keep up the great work!
Well, I just downloaded the available version of RunAlyser. Great. Works fine. I'll try it tonight on my mother-in-law problematic PC... I'd like to make some cosmetic suggestions :
1) the flag for the English language has nothing to do with the union jack ??
2) the "help, about" doesn't indicate the version, only a copyright 2005
3) how to expand all items in one click ?
Less cosmetic : when I closed the RunAlyser, it displayed : "patience, RunAlyser is closing..." but never closed (I've no more details).
Do you want a French translator ?
@mea10: sure it can! It was even designed in the first place to run from a CD (a bootable Windows CD) ;).
@Randaph: There'll be a new version shortly, in fact it was planned for the weekend, but is delayed since another AV product has a false positive about the installer :(
1. The English flag is neither UK/GB nor US, since whichever I would choose, the other side would complain. Therefore I took the geographical source of the language, which is the country England (without Wales, Scotland, etc.).
2. Indeed ;) 0.6 (the new one to be uploaded as soon as the FP is solved) will at least have it in its file version dialog (right-click in Explorer, choose Properties, then Version tab). An info page with the version number, size of database & cache, credits etc. will be added of course :)
3. Thanks a lot for your offer - but 0.6 will already come with a full translation ;)
4. This should happen only if you close very early... there are a lot of entries analyzed... but this should stop at an earlier opportunity than right now, I agree!
The file download link has now been updated to version 0.6 :cool:
I downloaded v. 0.6. Uninstalled previous version, installed this one. Runs OK, but I'm a little puzzled by some of the entries.
Under advanced startups, it shows several registry entries, but when I go to the registry the key does not exist.
Example:
HKEY_USERS\S-1-5-19_Classes\SOFTWARE\Classes\exefile\shell\open\command\
clicking the + next to that entry, under that there is a blank entry (i.e. a little square with a green tick in it but nothing else)
There is no key HKEY_USERS\S-1-5-19_Classes\SOFTWARE\Classes or any subkeys.
Several similar ghost entries appear, I haven't looked them all up. I think these entries also appear in my SBDS log, which I attach as a zipped .txt file.
Please explain
I use xp home
Runalyzer only opens minimized to toolbar and it will not restore to full size
@Rosenfeld: as I just wrote in another topic about empty values, RunAlyzer does now show those even if they do not exist, to allow the user to make changes there from within RunAlyzer.
I agree though that just showing them as empty is a bit confusing (we made a poll about this topic, but no one had the idea that it was confusing - typical case of having to see it in real action first :D ), maybe we should grey them out somewhat?
@topmoxie: it may take a short while, but usually it should appear after a few seconds. There are very few cases where it takes minutes - we're still looking for the reason - probably an Antivirus application slowing down the building of checksums of all files (there are some AVs that really slow you down, like Symantec's).
Thanks for the explanation, from which I gather that these are registry keys that may be present for some systems but not necessarily for all, hence most likely I don't need to worry that they are missing in my registry (the PC works fine in any case).
Certainly I think it would be helpful if there was some indication that their absence is no cause for panic. :-).
You say that they are there so that one might make changes from within Runalyzer, but I for one would generally have little idea of when or why I should create a previously nonexistent key just because it shows up in Runalyzer, nor what value(s) to place in it.
So maybe Runalyzer should only show the keys that are present, plus any that it expects to find but are missing, that are deemed to be essential (if that can be defined more or less unambiguously).
As for keys that are present but otherwise empty, I'm not too concerned with those, if they are OS related I leave them alone (agree with your comment in the other thread).
Another help may be the "More information" tab at the bottom... we still need to fill the database with enough descriptions, but if you want to take a peek at what should be in there, put the file attached to this topic into the RunAlyzer folder :)
As for showing/not showing them - I've planned this as an option that can be easily toggled (there's still no GUI button etc. in there to use this option :D ).
Thanks, I looked at the more information for several entries in the advanced startups and it certainly is useful. For example it explains the missing keys in my registry referring to screensaver, deleted because I have set that to none.
I note that most of the notes refer explicitly to Windows 2000. I assume that the info would generally also be applicable to XP (which is what I have), or is that not so?
This is becoming a really good app and educative :-)