Entry of unwanted files while downloading from the internet


Trambak Pattanayak

I have encountered an unwanted program file
named "D:\Program files\save\Save.exe" which has come
along with some other downloaded files without my notice.
It searches for port 165.21.32.62:80 using port 3015 as
soon as I log on to the internet. It comes from a company
named "Whenyou.com". I receive constant warnings from my
Norton Internet Security software.

Can you suggest ways in which I can remove this file from
my computer?
 
-----Original Message-----
I have encountered an unwanted program file
named "D:\Program files\save\Save.exe" which has come
along with some other downloaded files without my notice.
It searches for port 165.21.32.62:80 using port 3015 as
soon as I log on to the internet. It comes from a company
named "Whenyou.com". I receive constant warnings from my
Norton Internet Security software.

Can you suggest ways in which I can remove this file from
my computer?

Spyware!

http://www.safer-networking.org/ Spybot
http://www.javacoolsoftware.com/spywareblaster.html
http://www.wilderssecurity.net/spywareguard.html
http://www.lavasoft.de/ Ad-aware
http://www.merijn.org/downloads.html CWShredder (CWS) and HijackThis
http://216.180.233.162/~swicom/forums/


Overview
Summary: A single process runs at startup which monitors
open IE windows and opens adverts when it sees targeted
URLs and terms entered into forms. Some distributions of
this software were bundled with a "WhenUDownload" control.

One of the most pervasive pieces of piggyback software is
dubbed "SaveNow," created by a company called WhenU.com.
Distributed along with BearShare, iMesh and the Global
DivX player that allows people to watch many online
movies, it tracks where a person goes online and then
pops up separate browser windows with targeted
advertisements or special offers... continuously
downloads updated information about new offers and keeps
a record of where a person surfs on that person's own
computer. It runs continually--even when the program it
came with is not operating. Source


SaveNow is installed on your computer as a module that
comes with WhenUShop or other software that you download
from the Internet... There are a vast number of offers
and services available to Internet users that SaveNow may
display... SaveNow's offers and information are provided
to users by showing a limited number of relevant coupons
and ads in the form of interstitials ("pop-up ads") and
other ad formats. These offers and ads are shown when
users visit various sites across the Internet, based on
URLs visited by the user and/or search terms typed into
search engines and/or the HTML content of the page viewed
by the user. SaveNow's offers are delivered independently
from the site the user happens to be visiting when they
see a SaveNow offer. Source


Collects info on the user's gender, age, the area in which
the person resides, and his or her e-mail address, which
they share with others. Other info collected: referrers
(HTTP Referrers, Top-level Domains, Search Engines,
Keywords, Quality Index, Frequency Index, Newsgroup
Referrers, and E-mail Referrers), visitor statistics
(Major ISPs, Hostnames, Browsers, OSes, Countries,
Timezones, Plug-Ins, Screens, Colors, Java, and
JavaScript), and more.

Alias: Adware-SaveNow [McAfee]
Category: Adware: Software that brings ads to your
computer. Such ads may or may not be targeted, but
are "injected" and/or popup, and are not merely displayed
within the form of an ad-sponsored application.

Variants: SaveNow/B comes without the WhenUDownload
component.
SaveNow/Db is the same as the Save variant, but includes
an ActiveX 'marker' control to prevent it being installed
twice.
SaveNow/Download
SaveNow/Download comes bundled with a "WhenUDownload"
ActiveX control.
SaveNow/Save is a new version, rebranded as 'Save!',
which works in the same manner.

Similar Pests: Adware
Origins
Group: WhenU., Inc.
By This Group: SaveNow/Download
Date of Origin: Variants from April, 2002 to February,
2004
Distribution
Distribution: BearShare and other P2P applications are
bundled with SaveNow, as is the RadLight video player and
all software distributed by Galt Technologies.
The Db variant is also installed by drive-by download in
advertisements.
Prevalence: SaveNow: 0.7% of all pest reports (734 per
100,000 reports) More Info

Clot Factor: SaveNow: On average, 7 objects detected in
each machine
The "Clot Factor" is a measure of how much a pest "gums
up" a machine by adding registry entries, files, and
directories. As more objects are placed in a machine,
manual removal becomes more difficult and more error-
prone.

Countries Affected: In the past three months, we have
received reports of SaveNow in Argentina, Australia,
Austria, Belgium, Brazil, Bulgaria, Canada, Chile, China,
Colombia, Croatia, Denmark, Ecuador, Egypt, El Salvador,
Estonia, Finland, France, Germany, Greece, Guatemala,
Hong Kong, Hungary, Iceland, Iran, Ireland, Israel,
Italy, Jamaica, Japan, Lebanon, Lithuania, Luxembourg,
Mexico, Netherlands, New Zealand, Nicaragua, Norway,
Pakistan, Peru, Poland, Portugal, Romania, Russian
Federation, Saudi Arabia, Slovakia (Slovak Republic),
Slovenia, South Africa, South Korea, Spain, Sweden,
Switzerland, Syrian Arab Republic, Taiwan, Thailand,
Tunisia, Turkey, United Arab Emirates, United Kingdom,
United States, Venezuela, Viet Nam, Zimbabwe.
Growth: SaveNow: Increased 971.6% over the last 90 days

Operation
Advertising: Yes. SaveNow keeps a list of URLs and terms
it is interested in on disk, in the
file 'SaveNow\savenow.db' in Program Files. This file is
obfuscated but it is trivial to decode.* The (large -
often over a megabyte) file maps from these targets to
advertisements to serve, which are downloaded through
Akamai's proxies.
Storage Required: SaveNow: at least 16585KB

Risks
Privacy Issues: As well as downloading the pop-up ads,
SaveNow connects to WhenU's servers to log the ad
impression. It passes the name of the affiliate software
which installed the software, the ID of the advert being
shown, and the site URL or term that caused the pop-up to
be triggered.
Privacy Policy: Privacy policy.
Security Issues: No.
Stability Issues: Yes. Can cause frequent crashes.
Detection and Removal
Automatic Removal: PestPatrol detects this.

PestPatrol removes this.



Manual Removal: SaveNow/B and SaveNow/Save can be removed
from the Control Panel's 'Add/Remove Programs' option.

SaveNow/Db does not provide an Add/Remove Program entry
and must be removed manually. SaveNow/Download may be
removed through the Control Panel, but leaves an ActiveX
control behind, see below for removal.

Finally, SaveNow often also installs 'WeatherCast', a
system tray icon that displays the current weather
conditions. Unless you find this useful for some reason,
you should probably also remove this from Add/Remove
Programs.

Open the registry (Start->Run->regedit) and find the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Delete the 'SaveNow' or 'WhenUSave' value. Reboot and you
should be able to delete the 'SaveNow' or 'Save' folder
inside 'Program Files'.

To remove the ActiveX objects installed by the Download
and Db variants, open the 'Downloaded Program Files'
folder inside the Windows folder and delete the SaveNow
object. Its name is 'WhenUDownload' in the Download
variant and 'FC327B3F-377B-4CB7-8B61-27CD69816BC3' in the
Db variant.

For more removal instructions, read what Microsoft says.

Stop Running Processes:

Kill these running processes with Task Manager:

c:\saveinstcm.exe
programfilesdir+\bearshare\webstats.exe
programfilesdir+\imesh\client\savenowinst.exe
programfilesdir+\savenow\savenow.exe
programfilesdir+\savenow\uninst.exe
programfilesdir+\save\save.exe
programfilesdir+\save\saveuninst.exe
programfilesdir+\xolox\uninstall.exe
systemroot+\temp\adware\savenowinst.exe
systemroot+\temp\saveinstwm.exe
babe-bs.exe
bsaveinstwm.exe
nowbox.exe
saveinstwm.exe
sync.exe
unins.exe
weather.exe


Remove AutoRun Reference:

Go to the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If you find the value whenusave, delete it and reboot the
machine immediately. If you find the value 'remove at boot
902' under the neighbouring RunOnce key, delete it and
reboot the machine immediately. If you find the value
weathercast, delete it and reboot the machine immediately.



Unregister DLLs:

Unregister these DLLs with Regsvr32, then reboot:

programfilesdir+\bearshare\runmsc.dll
agentctl.dll
autprx32.dll
bonzitapfilters.dll
cnbabe.dll
empop3.dll
emsmtp.dll
googletoolbar_en_2.0.92-big.dll
iehelpermiddleman.dll
msimmsgr.dll
msimnetc.dll
odkob32.dll
onlinechk.dll
racreg32.dll
runmsc.dll
sndbmark.dll
systra~1.dll
tvenuax.dll
tv_enua.dll
utdns.dll
vbar332.dll


Clean Registry:

Remove these registry items (if present) with RegEdit:

HKEY_CLASSES_ROOT\clsid\{c285d18d-43a2-4aef-83fb-bf280e660a97}
HKEY_CLASSES_ROOT\clsid\{e2f2b9d0-96b9-4b25-b90c-636ecb207d18}
HKEY_CLASSES_ROOT\clsid\{fee7fd53-3356-4d4d-8978-2c4ae3a7e109}
HKEY_CLASSES_ROOT\typelib\{e2f2b9d0-96b9-4b25-b90c-636ecb207d18}
HKEY_CLASSES_ROOT\typelib\{fc327b3f-377b-4cb7-8b61-27cd69816bc3}
HKEY_CLASSES_ROOT\wusn.1
HKEY_LOCAL_MACHINE\software\classes\.gnu
HKEY_LOCAL_MACHINE\software\classes\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
HKEY_LOCAL_MACHINE\software\classes\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}
HKEY_LOCAL_MACHINE\software\classes\magnet\defaulticon
HKEY_LOCAL_MACHINE\software\classes\magnet\shell\open\command
HKEY_LOCAL_MACHINE\software\classes\runmsc.loader.1\clsid
HKEY_LOCAL_MACHINE\software\classes\runmsc.loader\clsid
HKEY_LOCAL_MACHINE\software\classes\runmsc.loader\curver
HKEY_LOCAL_MACHINE\software\classes\tldctl2.urllink\curver
HKEY_LOCAL_MACHINE\software\classes\wusn.1
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\savenow
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\whenusave
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\remove at boot 902
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\gdivx
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\savenow
HKEY_LOCAL_MACHINE\software\whenu
HKEY_LOCAL_MACHINE\software\whenusave
HKEY_USERS\.default\software\whenu
HKEY_USERS\s-1-5-21-329068152-1677128483-854245398-500\software\microsoft\windows\currentversion\run\weathercast
HKEY_USERS\s-1-5-21-329068152-1677128483-854245398-500\software\whenu
HKEY_USERS\s-1-5-21-796845957-842925246-1060284298-500\software\whenu

Remove Files:

Remove these files (if present) with Windows Explorer:

c:\saveinstcm.exe
desktopdir+\xolox download folder.lnk
profilepath+\local settings\temporary internet
files\content.ie5\edi7wh0r\offscript2[1].html
profilepath+\start menu\programs\xolox\uninstall xolox.lnk
programfilesdir+\bearshare\runmsc.dll
programfilesdir+\bearshare\webstats.bat
programfilesdir+\bearshare\webstats.exe
programfilesdir+\bearshare\webstats.ini
programfilesdir+\ebatesmoemoneymaker\system\code\s.class
programfilesdir+\imesh\client\savenowinst.exe
programfilesdir+\savenow\savenow.db
programfilesdir+\savenow\savenow.exe
programfilesdir+\savenow\savenow.htm
programfilesdir+\savenow\uninst.exe
programfilesdir+\save\readme.txt
programfilesdir+\save\save.db
programfilesdir+\save\save.exe
programfilesdir+\save\save.htm
programfilesdir+\save\saveuninst.exe
programfilesdir+\xolox\uninstall.exe
systemroot+\downloaded program files\fc327b3f-377b-4cb7-8b61-27cd69816bc3
systemroot+\downloaded program files\whenudownload
systemroot+\temp\adware\savenowinst.exe
systemroot+\temp\saveinstwm.exe
agentctl.dll
autprx32.dll
babe-bs.exe
bad_navigation.htm
bad_navigationmain.htm
bearshare.txt
bonzi.acs
bonzitapfilters.dll
bsaveinstwm.exe
cnbabe.dll
empop3.dll
emsmtp.dll
five roses.url
googletoolbar_en_2.0.92-big.dll
history.txt
hosts.dat
iehelpermiddleman.dll
iehelpermiddleman.tlb
install.log
j001.nbd
make money.url
msimmsgr.dll
msimnetc.dll
nowbox.exe
nowbox.lnk
odkob32.dll
offline.htm
offlinemain.htm
onlinechk.dll
onluck.url
racreg32.dll
regicon.ocx
richtx32.ocx
saveinstwm.exe
short.acs
sndbmark.dll
sportsinteraction.com.url
sync.exe
systra~1.dll
tvenuax.dll
tv_enua.dll
tv_enua.hlp
unins.exe
uninstall nowbox.lnk
utdns.dll
vbar332.dll
vssver.scc
weather.exe


Remove Directories:

Remove these directories (if present) with Windows
Explorer:

c:\program\save
desktopdir+\sportsinteraction.com.url
programfilesdir+\bearshare
programfilesdir+\save
programfilesdir+\savenow
programfilesdir+\start menu\programs\weathercast


Research
File Analyses: SaveNow: agentctl.dll · autprx32.dll ·
babe-bs.exe · bad_navigation.htm · bad_navigationmain.htm ·
bearshare.txt · bonzi.acs · bonzitapfilters.dll ·
bsaveinstwm.exe · cnbabe.dll · empop3.dll · emsmtp.dll ·
five roses.url · googletoolbar_en_2.0.92-big.dll ·
history.txt · hosts.dat · iehelpermiddleman.dll ·
iehelpermiddleman.tlb · install.log · j001.nbd ·
make money.url · msimmsgr.dll · msimnetc.dll · nowbox.exe ·
nowbox.lnk · odkob32.dll · offline.htm · offlinemain.htm ·
onlinechk.dll · onluck.url · racreg32.dll · readme.txt ·
regicon.ocx · richtx32.ocx · runmsc.dll · save.db ·
save.exe · save.htm · saveinstwm.exe · savenow.db ·
savenow.exe · savenow.htm · savenowinst.exe ·
saveuninst.exe · short.acs · sndbmark.dll ·
sportsinteraction.com.url · sync.exe · systra~1.dll ·
tvenuax.dll · tv_enua.dll · tv_enua.hlp · unins.exe ·
uninst.exe · uninstall nowbox.lnk · utdns.dll ·
vbar332.dll · vssver.scc · weather.exe · webstats.bat ·
webstats.exe · webstats.ini

More Info: Microsoft's Knowledge Base article mentioning
stability problems with SaveNow

Research By: Andrew Clover
PestPatrol's Pest Research Center

Last Revised: February 15, 2004
Copyright: © 2004 PestPatrol, Inc. All rights reserved.
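As an added example (not code from the thread or from the PestPatrol page), a PowerShell audit that checks for the autorun values, files, processes and the remote address named in the post and removal steps above, and reports what is present without changing anything. It assumes the page's 'programfilesdir+' and 'systemroot+' placeholders map to $env:ProgramFiles and $env:SystemRoot, and that the process names match the listed executables.

```powershell
# Added audit example, not from the thread or PestPatrol. Read-only: it lists
# SaveNow indicators so the manual removal steps can be applied deliberately.
# Assumption: 'programfilesdir+' = $env:ProgramFiles, 'systemroot+' = $env:SystemRoot.
$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runOnceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$autoruns   = @{ $runKey     = @('SaveNow', 'WhenUSave', 'WeatherCast')
                 $runOnceKey = @('remove at boot 902') }

$pf = $env:ProgramFiles; $sys = $env:SystemRoot
$paths = @(
    "$pf\save\save.exe", "$pf\save\save.db", "$pf\save\saveuninst.exe",
    "$pf\savenow\savenow.exe", "$pf\savenow\savenow.db", "$pf\savenow\uninst.exe",
    "$pf\bearshare\webstats.exe", "$pf\imesh\client\savenowinst.exe",
    "$sys\temp\adware\savenowinst.exe", "$sys\temp\saveinstwm.exe", 'C:\saveinstcm.exe',
    "$sys\Downloaded Program Files\WhenUDownload",
    "$sys\Downloaded Program Files\FC327B3F-377B-4CB7-8B61-27CD69816BC3"
)
$procNames = @('save', 'savenow', 'saveinstwm', 'savenowinst', 'nowbox', 'weather', 'webstats')
$remoteIp  = '165.21.32.62'   # address the original poster saw Save.exe reach for

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($type, $where, $detail) {
    $findings.Add([pscustomobject]@{ Type = $type; Location = $where; Detail = $detail })
}

foreach ($key in $autoruns.Keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $autoruns[$key]) {
        # Registry value names are case-insensitive, so 'whenusave' matches 'WhenUSave'.
        if ($null -ne $props.PSObject.Properties[$name]) { Add-Finding 'Autorun' "$key\$name" $props.$name }
    }
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p (Get-Item -LiteralPath $p).LastWriteTime }
}
foreach ($proc in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
    Add-Finding 'Process' $proc.Path "PID $($proc.Id)"
}
# Get-NetTCPConnection exists on Windows 8 / Server 2012 and later; older systems can use netstat -ano.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    foreach ($c in Get-NetTCPConnection -RemoteAddress $remoteIp -ErrorAction SilentlyContinue) {
        Add-Finding 'Connection' "$($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort)" "PID $($c.OwningProcess)"
    }
}

if ($findings.Count -eq 0) { 'No SaveNow indicators found.' } else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt so the HKLM keys and the Windows folder are readable; a hit in the Autorun row is the value the "Remove AutoRun Reference" step tells you to delete.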