
Application.Adware.Savenow.G


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Application.Adware.Savenow.G.

Explanation :

Application.Adware.Savenow.G is an advertising program.
It also installs a search bar (MySearch) for Internet Explorer.
This adware is known as "WhenU SaveNow", and can be located on: "http://www.whenu.com { removed }"

When Application.Adware.Savenow.G is installed, it performs the following actions:
a) Creates one or more of the following directories (and subdirectories)
C:\Program Files\VVSN
C:\Program Files\VVSDL
C:\Program Files\Save
C:\Program Files\WhenUSearch
C:\Program Files\WeatherCast
C:\Program Files\ClockSync
C:\Documents and Settings\%user%\Start Menu\Programs\WeatherCast
C:\Documents and Settings\%user%\Start Menu\Programs\ClockSync
C:\Documents and Settings\%user%\Start Menu\Programs\WhenU

b) It may create a desktop link

c) It may add a toolbar named "SearchBar" to Internet Explorer or to the desktop

d) Creates the following registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherCast
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ClockSync
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSearch
HKEY_CURRENT_USER\SOFTWARE\WhenU
HKEY_CLASSES_ROOT\CLSID\{763BD795-24AE-44d7-82D8-F9A1EE799729}
HKEY_CLASSES_ROOT\CLSID\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}
HKEY_CLASSES_ROOT\CLSID\{A9AAE1AB-9688-42C5-86F5-C12F6B9015AD}
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}
HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}
HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}
HKEY_CLASSES_ROOT\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}
HKEY_CLASSES_ROOT\WUSN.1
HKEY_CLASSES_ROOT\WUSE.1
HKEY_CLASSES_ROOT\ACM.ACMFactory
HKEY_CLASSES_ROOT\ACM.ACMFactory.1
HKEY_CLASSES_ROOT\AppID\ACM.DLL

e) Runs one or more of the following:
C:\Program Files\VVSN\VVSN.exe
C:\Program Files\Save\Save.exe
C:\Program Files\WeatherCast\Weather.exe
C:\Program Files\ClockSync\Sync.exe
C:\Program Files\Save\Save.exe
C:\Program Files\WhenUSearch\Search.exe

f) Adds one or more of the following values to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
[VVSN = "C:\Program Files\VVSN\VVSN.exe"]
[VVSN = "C:\Program Files\VVSDL\VVSDL.exe"]
[WhenUSave = "C:\Program Files\Save\Save.exe"]
[WhenUSearch = "C:\Program Files\WhenUSearch\Search.exe"]
[WeatherCast = "C:\Program Files\WeatherCast\Weather.exe /q"]
[ClockSync = "C:\Program Files\ClockSync\Sync.exe /q"]
[WhenUSearchWHSE = "C:\Program Files\WhenUSearch\whse.exe"]
which will run minibug automatically when Windows starts.
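
A check for the autostart values in f) and the install directories in a), as an added PowerShell example that is not part of the BitDefender description. It assumes the paths read with their backslashes in place, and it also looks under "Program Files (x86)", which the description does not mention.

```powershell
# Added example: report Run-key values and directories matching the listing above.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Value names from item f) and directory names from item a).
$valueNames = 'VVSN', 'WhenUSave', 'WhenUSearch', 'WeatherCast', 'ClockSync', 'WhenUSearchWHSE'
$dirNames   = 'VVSN', 'VVSDL', 'Save', 'WhenUSearch', 'WeatherCast', 'ClockSync'

# Matches command lines that start a program from one of the listed directories.
$pathPattern = '\\Program Files( \(x86\))?\\(' + ($dirNames -join '|') + ')\\'

function Get-SaveNowRunEntries {
    $key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        # Flag on the value name, or on the target path if the name was changed.
        if ($valueNames -contains $name -or $data -match $pathPattern) {
            [pscustomobject]@{ Type = 'RunValue'; Name = $name; Data = $data }
        }
    }
}

function Get-SaveNowDirectories {
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        foreach ($dir in $dirNames) {
            $path = Join-Path $root $dir
            if (Test-Path -LiteralPath $path -PathType Container) {
                # "Save" is a generic folder name; confirm the contents before acting.
                [pscustomobject]@{ Type = 'Directory'; Name = $dir; Data = $path }
            }
        }
    }
}

$findings = @(Get-SaveNowRunEntries) + @(Get-SaveNowDirectories)
if ($findings.Count -eq 0) {
    'No listed Run values or directories found for the current user.'
} else {
    $findings | Format-Table -AutoSize
}
```

The Run key is per user, so the check covers only the account it runs under.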

Last update 21 November 2011

 
