Home / malware Adware.SaveNow.AX
First posted on 21 November 2011.
Source: BitDefenderAliases :
There are no other names known for Adware.SaveNow.AX.
Explanation :
Adware.SaveNow.AX is an advertising program.
This adware is known as "WhenU SaveNow", and can be located on: "http://www.whenu.com/{removed}"
When Adware.SaveNow.AX is installed, it performs the following actions:
a) Creates one or more of the following directories (and subdirectories)
%ProgramFiles%Save
%USERPROFILE%Start MenuProgramsWhenU
b) It may create a desktop link
c) It create some start menu links
Learn More About WhenU Save.url
Learn More About WhenU SaveNow.url
WhenU.com Website.url
Uninstall Instructions.lnk
Customer Support.lnk
d) It installs the following files
%ProgramFiles%SaveSave.exe detected by Bitdefender as: "Adware.Whenu.I"
%ProgramFiles%Savesave.htm
%ProgramFiles%SaveSaveUninst.exe
%ProgramFiles%SaveACM.dll detected by Bitdefender as: "Adware.Savenow.AX"
%ProgramFiles%Saveffext.mod
%ProgramFiles%Mozilla Firefoxextensions{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}componentswhenu_ff.dll detected by Bitdefender as: "Adware.Savenow.DG"
%ProgramFiles%Mozilla Firefoxextensions{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}chrome.manifest
%ProgramFiles%Mozilla Firefoxextensions{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}install.rdf
%ProgramFiles%Mozilla Firefoxextensions{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}install.js
%ProgramFiles%Mozilla Firefoxextensions{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}componentswhenu_ff.dll
%ProgramFiles%Mozilla Firefoxextensions{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}componentsIwhenu_ff.xpt
%ProgramFiles%Mozilla Firefoxextensions{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}chromewhenu_ff.jar
e) It may add a toolbar named "SearchBar" to InternetExplorer or to the desktop
f) Create the following registry keys
HKEY_LOCAL_MACHINESOFTWAREWhenUSave
HKEY_CLASSES_ROOTAppID{127DF9B4-D75D-44A6-AF78-8C3A8CEB03DB}
HKEY_CLASSES_ROOTAppIDACM.DLL
HKEY_CLASSES_ROOTACM.ACMFactory.1
HKEY_CLASSES_ROOTACM.ACMFactory
HKEY_CLASSES_ROOTWUSN.1
HKEY_CLASSES_ROOTCLSID{A9AAE1AB-9688-42C5-86F5-C12F6B9015AD}
HKEY_CLASSES_ROOTTypeLib{DF901432-1B9F-4F5B-9E56-301C553F9095}
HKEY_CLASSES_ROOTInterface{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}
HKEY_CLASSES_ROOTInterface{43382522-A846-46F4-AC57-1F71AE6E1086}
HKEY_CLASSES_ROOTInterface{72A836D1-BC00-43C0-A941-17960E4FB842}
g) Runs one or more of the following:
%ProgramFiles%SaveSave.exe
h) Adds one or more of the following values for HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
[WhenUSave = "%ProgramFiles%SaveSave.exe"]Last update 21 November 2011