Aliases: WhenU.SaveNow, WhenUSave, Adware-SaveNow, Adware.PurityScan
Type: Spyware (adware)
First appeared on: 11.09.2003
WhenU is a spyware program, which is usually included in applications that can be downloaded from the Internet.
WhenU provides information about the weather forecast and displays advertising pop-up windows.
WhenU is easy to recognize, as it displays advertising pop-up windows.
When Adware.Savenow is executed, it does the following:
- Creates the following files:
- %ProgramFiles%\Xtractor Plus\hh.html
- %ProgramFiles%\Xtractor Plus\readme.txt
- %ProgramFiles%\Xtractor Plus\unins000.dat
- %ProgramFiles%\Xtractor Plus\unins000.exe
- %ProgramFiles%\Xtractor Plus\xp.exe
- %ProgramFiles%\Xtractor Plus\Xplus.CNT
- %ProgramFiles%\Xtractor Plus\XPLUS.HLP
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- Adds the values:
"VVSN" = "%ProgramFiles%\VVSN\VVSN.exe"
"SaveNow" = "%ProgramFiles%\SaveNow\SaveNow.exe"
to one or more of the following registry subkeys:
so that the adware runs every time Windows starts.
Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\ Uninstall\SaveNow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\ Uninstall\Xtractor Plus_is1
HKEY_CURRENT_USER\Software\Microsoft\ Internet Explorer\MenuExt\ Free Software
- Contacts a server at the whenu.com domain and downloads and displays advertisements.
- Tracks Internet browsing habits. However, the collected information is not submitted to the server. It is stored locally on the computer and used to determine which advertisements should be displayed.
Spyware programs are usually included in free applications downloaded from the Internet. These programs are installed on the affected computer, sometimes without user consent, without warning users that these programs will collect user details.
WhenU is usually included in third-party software, such as BearShare and other peer-to-peer (P2P) file sharing programs, RadLight Video Player, etc. It can also reach the computer by accessing certain web pages, which ask for confirmation to install an ActiveX control.
Delete all files and registry values created by WhenU