My Power Shadow 2.8.2 is already registered!

Discussion in 'sandboxing & virtualization' started by flinchlock, May 20, 2007.

Thread Status:
Not open for further replies.
  1. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    I do not think that would work... the data is in sector 15, and that is in a hidden partition XP can not access. I am assuming it is some kind of low level write function. But, I really do not have a clue. I have almost worked up my nerve to delete the 24 bytes in sector 15... stay tuned. :eek:

    Mike
     
  2. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    When I installed, I did allow the connection. I didn't check the box for Comodo to remember it because it was a one time deal. I didn't allow Comodo to make an application rule for it. I'm not sure if it was Shadowsettings.exe. The connection was very quick and registered almost immediately. I used a fake name but my real second web-based mail address. So far I have received no spam or anything from PS.:)

    I really don't believe anything malicious is going on. As far as the plug-in goes, I wonder if they are talking about the Shadowtip box that first came up after install. Remember, it was the little box with all the helpful "tips". I turned it off and checked the box to not show it again. Also, if anything was bad, I'm sure Comodo firewall would catch it trying to connect out. That's why I was asking if anyone saw the few attempts that I saw. I'm guessing there is a bug that kept checking for updates for the program and or the "tips" despite me unchecking the options.

    I'm not going to try the winhex program. Most of it is way above my head. I really don't want to install anything else right now. I have checked many times with IceSword and everything looked/looks normal. I scanned PS with several excellent programs prior to install and even uploaded it to VirusTotal. If there is a way to check the "sector 15" manually or with another program I have installed, I would be glad to.
     
  3. EASTER.2010

    EASTER.2010 Guest

    After reviewing WinHex results at the specified locale I'm almost of the mind to dig out my WinHex. I used it quite considerably when testing RootKits and certain Hiders. Very invaluable Low-Level viewer.

    I myself would wonder after discovering those embedded lines if nothing else out of pure curiosity. :)

    I never bothered with 2.8.2 except to consider installing it when it was first posted with the English Translations files but since 2.6 proved efficient enough I didn't proceed beyond it.

    @flinchlock

    I would be curious as to what you finally find. Plz keep us updated and thanks for taking the time to delve into it.
     
  4. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    I downloaded WinHex o_O geez I have a lot to learn. I did manage to get to sector 15 the best I could. Also I uninstalled my version 2.8.2 a couple days ago. I did find some of the same entries as you.

    53 45 43 49 08 00 02 were all identical to yours. (the rest were 00 except for the very last number) To the right I only had the "word" SECI and nothing else. (You have the weird characters following the word SECI) At the bottom right of the "sector" (before the divider) the very last number was 54. Your pic did not show that. The differences we have could be because I uninstalled PS. I also just uninstalled WinHex. It's like a loaded gun around me lol. I hope this helps a little bit.
     
  5. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Yup, powerful = scary! Please do run WinHex... I am very curious to see if yours is all zeros since you have not installed PS 2.8.2.

    I can not take any credit, it was @idle.newbie (whose first post was about where to find that data). I knew it had to be some hidden place on my harddisk other than my 2nd partition where I did a Ghost restore. But, I would have never figured out where!

    My Hex numbers..... 53 45 43 49 08 00 02 00 91 21 BC F6 FC 7C D6 81 5D D0 58 45 F8 0F 98 C4 00............8E
    Your Hex numbers... 53 45 43 49 08 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00............54

    Right?

    I just had my screen shot too small... my last Hex number is 8E.

    Hmmm, probably... I did not do a uninstall. I will see if I can test that.

    Mike
     
  6. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    CONFIRMATION, the PS 2.8.2 uninstall does change sector 15 to almost match yours! :thumb: :thumb: :thumb: :thumb: :thumb: :thumb: :thumb:

    My Hex numbers..... 53 45 43 49 08 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00............8E
    Your Hex numbers... 53 45 43 49 08 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00............54

    Hopefully, @EASTER can also confirm his sector is all 0's.

    Mike

    P.S. Hmmm... 53 45 43 49 = SECI = Secret Information :eek:
     
    Last edited: May 23, 2007
  7. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Correct, those are the Hex entries I have. It looks to be created by PS.

    Lol, I could think of others, but I better not.
     
  8. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    GREAT!! I wonder why my ending (8E) is different than yours (54)?

    Maybe someone will tell us their numbers in sector 15?

    Mike
     
  9. EASTER.2010

    EASTER.2010 Guest

    Going to SECTOR 15 in WinHex on my machine with PS 2.6 shows nothing but 00000's.

    Are you examining WITH or WITHOUT Power Shadow engaged?

    I like to get a screen shot up of my finding for everyone but want to make sure I have the parameters EXACTLY as yours.

    Thank EASTER
     
  10. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Easter, my PS 2.8.2 was uninstalled at the time that I gave Mike my hex information. Version 2.6 caused problems for me which involved a checkdisk the next time I rebooted. That is the only reason I am trying version 2.8.2.

    I just now re-installed PS, and I had to register again. So, after an uninstall of PS, it didn't keep my registration name and email. I still believe this to be a safe program. I just wish that users running version 2.8.2 would just stop by and say 'hello'. It would make me feel better anyways.

    Now that I reinstalled, I will keep an eye out for when it wants to connect out this time and post the logs from Comodo. This time when Winpatrol asked to allow shadowtip.exe at startup, I didn't allow. I also selected not to see the tips at the apps startup. I also unticked the box for updates to the program. Hopefully the English translation files are accurate in their placing within the program.
     
  11. EASTER.2010

    EASTER.2010 Guest

    Odd. Perhaps 2.8.2 goes further in their connecting out than I would have presumed isn't really so necessary.
    I know in PS 2.6, you simply uncheck the box in the menu "Remind Me When A New Version Is Available" and no more accessing the net returns. Many applications have been offering this for years.

    I do hope you all the luck on 2.8.2 though. I still don't find any benefits to ever upgrading to any new version at this point, UNTIL, they finally implement also EXIT shadow-mode WITHOUT REBOOT feature also. That will be the ticket for me to upgrade.
     
  12. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Hi Easter and thanks. Believe me, If I could run 2.6, I definitely would. I have the middle box under the 'Remind Me' tab of 5 options unticked that says 'remind me when a new version is available'. After running in Full Shadow mode for 30 minutes, here is what I see. I did edit (copy and paste separately) the 'parent' box so I could add it to the picture.
     

    Attached Files:

  13. EASTER.2010

    EASTER.2010 Guest

    Thanks innerpeace. Very interesting. Your screenshots (thx 4 thoz), are very evident that ShadowTip is apparently connecting out, for what purpose one can only speculate at this time, but the remedy is to BLOCK it if it poses a privacy concern, and anything doing that without clear explanation is candidate.

    It's almost a shame we don't have at least one Chinese member here who might could act as a go-between for this app given its obvious interest and popularity in these forums.
     
  14. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    GREAT, that is just another confirmation that ONLY PS 2.8.2 writes stuff into sector 15.

    Does not make any difference... PS 2.8.2 writes in sector 15 only during install and uninstall. I have about a 99% confidence factor about that. ;)

    I am 100% sure why my 2nd install of PS 2.8.2 showed it already installed... I did NOT do a uninstall, just a Copy/Update from Secondary => Primary. The sector 15 data was still there even after the Copy/Update.

    That is also why I was so upset... PS 2.8.2 had written data to my hard disk OUTSIDE of my 2nd XP partition! Then I got more and more paranoid about if any other programs also have written stuff outside of my partition 2. If I do an image restore, or a FD-ISR Copy/Update, I am NOT 100% back before the installation or uninstall of PS 2.8.2.

    Mike
     
    Last edited: May 24, 2007
  15. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    I have 2.8.2 on one of my computers and haven't gotten any pop ups from Comodo. I have blocked PS in Comodo. Also I have SSM and blocked anything from PS, network access.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Mike

    This sector 15 is probably part of Track 0 and FDISR snapshots wouldn't affect it as is also the case with some imaging programs like IFD/IFW. But Acronis and ShadowProtect (and I presume Paragon) image the whole disk and have the option of restoring both MBR and Track 0. That would eliminate this sector 15. This is why I sometimes undo installs of questionable software by restoring an image as opposed to FDISR.

    Pete
     
  17. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    I agree.

    I assume you are correct.

    Good Advice!

    I have multiple partitions, and usually only make a Ghost image of partition 2... my XP stuff.

    I have a very small (15m) partition 1 just to boot to a W98se "DOS" only that contains only the non-GUI programs from the W98se CD... fdisk, edit, move, attrib, etc. This is where I make boot floppies of all kinds of stuff.

    The only Ghost image I have of partition 1, is after PS 2.8.2 wrote to sector 15. (Too bad there is not a smiley for dumb axe.)

    I am planning on doing a total rebuild with a slimmed down XP, etc this summer, and will zero the disk and start all over. But, I like doing that kind of stuff. o_O

    Mike
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I wonder why u are supporting some wrong attitudes from PS, just because somehow it was possible to get it free.
    Even in version 2.6 if u uncheck update option, it becomes checked after a while( after a reboot I think) and PS always tried to connect out. I have stated it since long in first PS thread.
    Version 2.8 goes a step ahead, writing in sector 15 etc.
     
  19. mitchelson

    mitchelson Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    69
    o_O
    In fact, I do not think it is a kind of serious problem.
    I use V2.6, have never been bothered with such "connect-out" issue. Just try some hips app like tiny-firewall to completely prohibit "shadowtip.exe" to run----write files/inject code into other process/launch internet connection.
    Besides, deny outbound TCP access OF "shadowsetting.exe". That is all.:-*

    NOT a big deal. :D
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Why I should bother for all this?
    I will prefer some alternative. A software like this behaviour on my system is a big irritation for me.
    What if same behaviour is showed by a payware application?
     
  21. namdog

    namdog Registered Member

    Joined:
    Feb 4, 2007
    Posts:
    42
    I registered twice and compared the reserved sectors.
    Look at the attached pictures.
     

    Attached Files:

  22. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Hmmm... unique... they will be able to check who has been naughty and who has been nice. :eek:

    What program did you use to see the differences?

    Mike
     
  23. mitchelson

    mitchelson Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    69
    MAYBE U just give up PS-----this will be a good choice.
    IMO, PS is really light, efficient, powerful, up to date to protect my system without any usage of CPU/RAM.

    Privacy? JUST block any connection with 210.51.168.100:80, not complicated.

    BTW: I don't think PS is spyware, a little over-reactive IMO. "Even in version 2.6 if u uncheck update option, it becomes checked after a while( after a reboot I think) and PS always tried to connect out".-----Just once when shadowsetting.exe is launched, no more, at least in my system. So, how this would happen? R U sure your PS is the official release or not modified by someone else?
     
  24. namdog

    namdog Registered Member

    Joined:
    Feb 4, 2007
    Posts:
    42
    I use Total Commander.

    I know lots of tools that can compare files at --->

    http://en.wikipedia.org/wiki/Comparison_of_file_comparison_tools

     
  25. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Does it allow to compare disk sectors? or did you save the disk info to files and diff those?

    Here is my new sector 15 now...

    Mike
     

    Attached Files:
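
On the questions raised in the thread about checking sector 15 without editing the disk live, and about saving the sectors to files and diffing them, here is an added example (not posted by any member of this thread). It works on a raw dump of the first 63 sectors saved to a file, lists every non-zero sector between the MBR and the first partition, and diffs two dumps byte by byte. It assumes WinHex-style zero-based sector numbers and a first partition starting at sector 63; the sample dumps are constructed from the hex values quoted in the posts above.

```python
SECTOR = 512

def split_sectors(dump: bytes) -> list:
    if len(dump) % SECTOR:
        raise ValueError("dump is not a whole number of 512-byte sectors")
    return [dump[i:i + SECTOR] for i in range(0, len(dump), SECTOR)]

def gap_report(dump: bytes, first_partition_lba: int = 63) -> dict:
    """Sector number -> count of non-zero bytes, for the sectors between
    the MBR (sector 0) and the first partition (assumed at sector 63)."""
    report = {}
    for lba, sector in enumerate(split_sectors(dump)[1:first_partition_lba], start=1):
        nonzero = sum(b != 0 for b in sector)
        if nonzero:
            report[lba] = nonzero
    return report

def diff_dumps(before: bytes, after: bytes) -> dict:
    """Sector number -> byte offsets that differ between two dumps of the same range."""
    if len(before) != len(after):
        raise ValueError("dumps cover different ranges")
    changes = {}
    pairs = zip(split_sectors(before), split_sectors(after))
    for lba, (a, b) in enumerate(pairs):
        offsets = [i for i in range(SECTOR) if a[i] != b[i]]
        if offsets:
            changes[lba] = offsets
    return changes

# --- Constructed sample data (not a real disk dump) ---
def sector_from_post(hex_head: str, last_byte: int) -> bytes:
    sector = bytearray(SECTOR)
    head = bytes.fromhex(hex_head)
    sector[:len(head)] = head
    sector[-1] = last_byte
    return bytes(sector)

def build_track0(sector15: bytes) -> bytes:
    track0 = bytearray(63 * SECTOR)
    track0[510:512] = b"\x55\xaa"          # MBR boot signature in sector 0
    track0[15 * SECTOR:16 * SECTOR] = sector15
    return bytes(track0)

INSTALLED = build_track0(sector_from_post(
    "53 45 43 49 08 00 02 00 91 21 BC F6 FC 7C D6 81 5D D0 58 45 F8 0F 98 C4", 0x8E))
UNINSTALLED = build_track0(sector_from_post("53 45 43 49 08 00 02 00", 0x8E))
CLEAN = build_track0(bytes(SECTOR))

if __name__ == "__main__":
    for name, dump in (("installed", INSTALLED), ("uninstalled", UNINSTALLED), ("clean", CLEAN)):
        print(name, gap_report(dump))
    print("changed by uninstall:", diff_dumps(INSTALLED, UNINSTALLED))
```

Run against dumps taken before and after installing a program, any sector number that appears in `gap_report` or `diff_dumps` marks data that a partition-only image will neither capture nor restore.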
