How to delete SaveNow (WhenU) - Removal tool, fix instructions

Name: SaveNow

Aliases: WhenU.SaveNow, WhenUSave, Adware-SaveNow, Adware.PurityScan

Type: Spyware (adware)

Size: -

First appeared on: 11.09.2003

Damage: Medium

Brief Description:
WhenU is a spyware program, which is usually included in applications that can be downloaded from the Internet.

WhenU provides information about the weather forecast and displays advertising pop-up windows.

Visible Symptoms:

WhenU is easy to recognize, as it displays advertising pop-up windows.

Technical description:

File names:
Save.exe
VVSN.exe
xplus.exe
savenow.exe

When Adware.Savenow is executed, it does the following:

  1. Creates the following files:
    • %ProgramFiles%\Save\Save.exe
    • %ProgramFiles%\Save\Save.html
    • %ProgramFiles%\Save\Readme.txt
    • %ProgramFiles%\Save\SaveUninst.exe
    • %ProgramFiles%\VVSN\VVSN.exe
    • %ProgramFiles%\SaveNow\Readme.txt
    • %ProgramFiles%\SaveNow\SaveNow.exe
    • %ProgramFiles%\SaveNow\SaveNow.htm
    • %ProgramFiles%\SaveNow\Uninst.exe
    • %ProgramFiles%\Xtractor Plus\hh.html
    • %ProgramFiles%\Xtractor Plus\readme.txt
    • %ProgramFiles%\Xtractor Plus\unins000.dat
    • %ProgramFiles%\Xtractor Plus\unins000.exe
    • %ProgramFiles%\Xtractor Plus\xp.exe
    • %ProgramFiles%\Xtractor Plus\Xplus.CNT
    • %ProgramFiles%\Xtractor Plus\XPLUS.HLP
    • %System%\CCRPFTV6.OCX
    • %System%\SSubTmr.dll
    • %System%\TABCTL32.OCX
    • %System%\UNACE.DLL
    • %System%\UNRAR.dll
    • %System%\Unzip32.dll
    • %Windir%\hh.ico
    • %Windir%\hhs.url

      Note:

    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
  2. Adds the values:

    "VVSN" = "%ProgramFiles%\VVSN\VVSN.exe"
    "SaveNow" = "%ProgramFiles%\SaveNow\SaveNow.exe"

    to one or more of the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run

    so that the adware runs every time Windows starts.

    Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave
    HKCR\WUSN.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\ Uninstall\SaveNow
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\ Uninstall\Xtractor Plus_is1
    HKEY_CURRENT_USER\Software\Microsoft\ Internet Explorer\MenuExt\ Free Software

  3. Contacts a server at the whenu.com domain and downloads and displays advertisements.
  4. Tracks Internet browsing habits. However, the collected information is not submitted to the server. It is stored locally on the computer and used to determine which advertisements should be displayed.

Propagation:

Spyware programs are usually included in free applications downloaded from the Internet. These programs are installed on the affected computer, sometimes without user consent, without warning users that these programs will collect user details.

WhenU is usually included in third-party software, such as BearShare and other peer-to-peer (P2P) file sharing programs, RadLight Video Player, etc. It can also reach the computer by accessing certain web pages, which ask for confirmation to install an ActiveX control.

Removal instructions:
Delete all files and registry values created by WhenU