Adware.SaveNow.AX

MEDIUM
VERY LOW
approx. 800k

Symptoms

An adware program that downloads and displays advertisements. Your computer may slow down.

Removal instructions:

Please be aware that if SaveNow comes bundled with other software, that software will not run if SaveNow is uninstalled
(the other software is paid for by the advertising displayed by SaveNow).
Please let BitDefender disinfect your files.

Analyzed By

Claudiu MARUSCEAC, virus researcher

Technical Description:

Adware.SaveNow.AX is an advertising program.
This adware is known as "WhenU SaveNow" and can be found at: "http://www.whenu.com/{removed}"

When Adware.SaveNow.AX is installed, it performs the following actions:
a) Creates one or more of the following directories (and subdirectories)
%ProgramFiles%\Save\
%USERPROFILE%\Start Menu\Programs\WhenU\

b) It may create a desktop link

c) It creates some Start menu links
Learn More About WhenU Save.url
Learn More About WhenU SaveNow.url
WhenU.com Website.url
Uninstall Instructions.lnk
Customer Support.lnk

d) It installs the following files
%ProgramFiles%\Save\Save.exe detected by Bitdefender as: "Adware.Whenu.I"
%ProgramFiles%\Save\save.htm
%ProgramFiles%\Save\SaveUninst.exe
%ProgramFiles%\Save\ACM.dll detected by Bitdefender as: "Adware.Savenow.AX"
%ProgramFiles%\Save\ffext.mod
%ProgramFiles%\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll detected by Bitdefender as: "Adware.Savenow.DG"
%ProgramFiles%\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\chrome.manifest
%ProgramFiles%\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\install.rdf
%ProgramFiles%\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\install.js
%ProgramFiles%\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll
%ProgramFiles%\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\Iwhenu_ff.xpt
%ProgramFiles%\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\chrome\whenu_ff.jar

e) It may add a toolbar named "SearchBar" to Internet Explorer or to the desktop

f) Creates the following registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave
HKEY_CLASSES_ROOT\AppID\{127DF9B4-D75D-44A6-AF78-8C3A8CEB03DB}
HKEY_CLASSES_ROOT\AppID\ACM.DLL
HKEY_CLASSES_ROOT\ACM.ACMFactory.1
HKEY_CLASSES_ROOT\ACM.ACMFactory
HKEY_CLASSES_ROOT\WUSN.1
HKEY_CLASSES_ROOT\CLSID\{A9AAE1AB-9688-42C5-86F5-C12F6B9015AD}
HKEY_CLASSES_ROOT\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}
HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}
HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}

g) Runs one or more of the following:
%ProgramFiles%\Save\Save.exe

h) Adds one or more of the following values for HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
[WhenUSave = "%ProgramFiles%\Save\Save.exe"]
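
A read-only check for the artifacts listed in steps d), f) and h), as an added example that is not part of the original Bitdefender write-up. The paths, key names and the Run value come from the description above; also looking under "Program Files (x86)" on 64-bit Windows is an assumption.

```powershell
# Added example: read-only presence check for the SaveNow artifacts listed above.
# Indicator values are copied from the write-up; the ProgramFiles(x86) root is an assumption.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique

# Files and the Firefox extension directory from step d), relative to %ProgramFiles%
$relativePaths = @(
    'Save\Save.exe',
    'Save\ACM.dll',
    'Save\SaveUninst.exe',
    'Save\ffext.mod',
    'Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}'
)

# A subset of the registry keys from step f)
$registryKeys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave',
    'HKEY_CLASSES_ROOT\AppID\{127DF9B4-D75D-44A6-AF78-8C3A8CEB03DB}',
    'HKEY_CLASSES_ROOT\ACM.ACMFactory',
    'HKEY_CLASSES_ROOT\WUSN.1',
    'HKEY_CLASSES_ROOT\CLSID\{A9AAE1AB-9688-42C5-86F5-C12F6B9015AD}',
    'HKEY_CLASSES_ROOT\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}'
)

$findings = @()

foreach ($root in $roots) {
    foreach ($rel in $relativePaths) {
        $path = Join-Path $root $rel
        # -LiteralPath keeps the GUID braces from being treated as pattern characters
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Type = 'File'; Item = $path }
        }
    }
}

foreach ($key in $registryKeys) {
    # The Registry:: provider prefix allows full hive names, including HKEY_CLASSES_ROOT
    if (Test-Path -LiteralPath "Registry::$key") {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Item = $key }
    }
}

# Autostart value from step h); this only covers the current user's hive
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -Name 'WhenUSave' -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{ Type = 'RunValue'; Item = "WhenUSave = $($run.WhenUSave)" }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No listed SaveNow artifacts found.' }
```

Because the Run value lives under HKEY_CURRENT_USER, the script has to be run in each affected user's session to check that user's autostart entry.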