BitDefender Antivirus

Application.Adware.Savenow.G

Spreading: high
Damage: very low
Size:
Discovered: 2005 Aug 24

SYMPTOMS:

An adware program that downloads and displays advertisements.

TECHNICAL DESCRIPTION:

Application.Adware.Savenow.G is an advertising program.
It also installs a search bar (MySearch) for Internet Explorer.
This adware is known as "WhenU SaveNow", and can be located on: "http://www.whenu.com { removed }"

When Application.Adware.Savenow.G is installed, it performs the following actions:
    a) Creates one or more of the following directories (and subdirectories)
        C:\Program Files\VVSN\
        C:\Program Files\VVSDL\
        C:\Program Files\Save\
        C:\Program Files\WhenUSearch\
        C:\Program Files\WeatherCast\
        C:\Program Files\ClockSync\
        C:\Documents and Settings\%user%\Start Menu\Programs\WeatherCast\
        C:\Documents and Settings\%user%\Start Menu\Programs\ClockSync\       
        C:\Documents and Settings\%user%\Start Menu\Programs\WhenU\       

    b) It may create a desktop link

    c) It may add a toolbar named "SearchBar" to Internet Explorer or to the desktop

    d) Creates the following registry keys
        HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave
        HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSearch
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherCast
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ClockSync
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSearch
        HKEY_CURRENT_USER\SOFTWARE\WhenU
        HKEY_CLASSES_ROOT\CLSID\{763BD795-24AE-44d7-82D8-F9A1EE799729}
        HKEY_CLASSES_ROOT\CLSID\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}
        HKEY_CLASSES_ROOT\CLSID\{A9AAE1AB-9688-42C5-86F5-C12F6B9015AD}
        HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}
        HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}
        HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}
        HKEY_CLASSES_ROOT\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}
        HKEY_CLASSES_ROOT\WUSN.1
        HKEY_CLASSES_ROOT\WUSE.1
        HKEY_CLASSES_ROOT\ACM.ACMFactory
        HKEY_CLASSES_ROOT\ACM.ACMFactory.1
        HKEY_CLASSES_ROOT\AppID\ACM.DLL

    e) Runs one or more of the following:
        C:\Program Files\VVSN\VVSN.exe
        C:\Program Files\Save\Save.exe
        C:\Program Files\WeatherCast\Weather.exe
        C:\Program Files\ClockSync\Sync.exe
        C:\Program Files\WhenUSearch\Search.exe

    f) Adds one or more of the following values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        [VVSN = "C:\Program Files\VVSN\VVSN.exe"]
        [VVSN = "C:\Program Files\VVSDL\VVSDL.exe"]
        [WhenUSave = "C:\Program Files\Save\Save.exe"]
        [WhenUSearch = "C:\Program Files\WhenUSearch\Search.exe"]
        [WeatherCast = "C:\Program Files\WeatherCast\Weather.exe /q"]
        [ClockSync = "C:\Program Files\ClockSync\Sync.exe /q"]
        [WhenUSearchWHSE = "C:\Program Files\WhenUSearch\whse.exe"]
    which will run minibug automatically when Windows starts.
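
A check for the Run values listed in item f), as an added example that is not part of the original BitDefender description: it parses the text of a `reg export` of the HKEY_CURRENT_USER Run key and matches each value's executable path, not its name, against the paths above. The sample export and all function names are constructed for illustration.

```python
import re

# Executable paths taken from item f) of this description, lower-cased.
SAVENOW_EXES = {p.lower() for p in (
    r"C:\Program Files\VVSN\VVSN.exe",
    r"C:\Program Files\VVSDL\VVSDL.exe",
    r"C:\Program Files\Save\Save.exe",
    r"C:\Program Files\WhenUSearch\Search.exe",
    r"C:\Program Files\WeatherCast\Weather.exe",
    r"C:\Program Files\ClockSync\Sync.exe",
    r"C:\Program Files\WhenUSearch\whse.exe",
)}

# One string value in .reg syntax: "name"="data" with \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    """Undo .reg escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)

def executable_of(command):
    """Return the program path of a Run command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):            # "C:\dir with spaces\x.exe" /q
        return command[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.exe)(?:\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command

def find_savenow_run_entries(reg_text):
    """Return (value name, command) pairs whose executable is listed above.
    reg_text is the already-decoded text of a .reg export of the Run key."""
    hits = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue                       # headers, blanks, non-string values
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if executable_of(data).lower() in SAVENOW_EXES:
            hits.append((name, data))
    return hits

# Constructed sample export (not from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WeatherCast"="C:\\Program Files\\WeatherCast\\Weather.exe /q"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="\"c:\\program files\\save\\SAVE.EXE\" -silent"
'''
```

Matching on the normalized executable path catches entries whose value name, letter case, quoting or arguments differ from the exact strings listed in item f).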

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY: