Description
A single process run at startup which monitors open IE windows
and opens adverts when it sees targeted URLs and terms entered
into forms.
Variants
SaveNow/Download comes bundled with a "WhenUDownload"
ActiveX control.
SaveNow/B comes without the WhenUDownload component.
SaveNow/Save is a new version, rebranded as 'Save!',
which works in the same manner.
SaveNow/Db is the same as the Save variant,
but includes an ActiveX 'marker' control to prevent it being
installed twice.
SaveNow/WUInst is an installer for the Save
variant.
SaveNow/Search ("WhenU Search") also includes a
Search.exe process that monitors web usage to provide targeted
messages in a 'toolbar' just above the Windows task bar.
The Download, Db and WUInst variants
of SaveNow can be detected by the script at this site; B
and Save cannot.
Also known as
WhenU, the name of the company supplying the software.
Distribution
BearShare and other P2P applications are bundled with SaveNow,
as is the RadLight video player, and all software distributed
by Galt Technologies.
The Db and WUInst variants are also installed by drive-by-download
in pop-ups, often coupled with 'ClockSync' or 'WeatherCast'.
What it does
Advertising
Yes. SaveNow keeps a list of URLs and terms it is interested
in on disk, in the obfuscated file 'SaveNow\savenow.db' in
Program Files. The (large - often over a megabyte) file maps
from these targets to adverts to serve.
Privacy violation
SaveNow connects to WhenU's servers to log the advert; the
Search variant also logs targeted terms triggering toolbar
messages. It passes the name of the affiliate software which
installed the software, the ID of the advert being shown,
and the site URL or term that caused the pop-up to be triggered.
However no cookie is set on these accesses, and no unique
ID is passed, so these are not directly trackable.
Security issues
The WUInst variant can be used by any web site to download
and install SaveNow or other code from WhenU.
Stability problems
Yes. Some variants can cause frequent crashes.
Removal
SaveNow/B can be removed from the 'SaveNow' entry in the
Control Panel's 'Add/Remove Programs' option. SaveNow/Save
can sometimes be removed from a 'Save' entry in Add/Remove
Programs. SaveNow/Search can be removed from the 'WhenU Search'
entry.
SaveNow/Db does not provide an Add/Remove Programs entry
and must be removed manually. SaveNow/Download may be removed
through the Control Panel, but leaves an ActiveX control behind;
see below for removal.
SaveNow often also installs 'WeatherCast', a system tray
icon that displays the current weather conditions, and/or
'ClockSync', a trivial NTP client. Unless you find these useful
for some reason, you should probably also remove them from
Add/Remove Programs.
Manual removal
Open the registry (Start->Run->regedit) and find the
key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Delete the 'SaveNow', 'WhenUSave' or 'WhenUSearch' values.
Reboot and you should be able to delete the 'SaveNow' or 'Save'
folder inside 'Program Files'.
To remove the ActiveX objects installed by the Download and
Db variants, open the 'Downloaded Program Files' folder inside
the Windows folder, and delete the SaveNow object. The name
of this is 'WhenUDownload' in the Download variant, 'FC327B3F-377B-4CB7-8B61-27CD69816BC3'
in the Db variant, and 'E2F2B9D0-96B9-4B25-B90C-636ECB207D18'
in the WUInst variant.
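The manual removal steps above can be preceded by a read-only check that reports which of the named traces are present. This is an added example, not part of the original entry; the function name Find-SaveNowTraces is hypothetical, and the 'Code Store Database\Distribution Units' registry key (where Windows registers downloaded ActiveX controls) is an assumption not taken from this page.

```powershell
# Read-only check for the SaveNow traces named in the removal steps.
# Nothing is deleted; the function returns one object per trace found.
function Find-SaveNowTraces {
    $found = @()

    # Startup values under the Run key named on the page.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($name in 'SaveNow', 'WhenUSave', 'WhenUSearch') {
        if ($run -and ($run.PSObject.Properties.Name -contains $name)) {
            $found += [pscustomobject]@{ Type = 'RunValue'; Name = $name; Detail = $run.$name }
        }
    }

    # Install folders inside Program Files. A folder called 'Save' may
    # belong to unrelated software, so inspect it before deleting.
    foreach ($dir in 'SaveNow', 'Save') {
        $path = Join-Path $env:ProgramFiles $dir
        if (Test-Path -LiteralPath $path) {
            $found += [pscustomobject]@{ Type = 'Folder'; Name = $dir; Detail = $path }
        }
    }

    # ActiveX object names listed on the page for each variant.
    $ids = 'WhenUDownload',
           'FC327B3F-377B-4CB7-8B61-27CD69816BC3',
           'E2F2B9D0-96B9-4B25-B90C-636ECB207D18'
    $places = @(
        (Join-Path $env:windir 'Downloaded Program Files'),
        # Assumption (not from the page): registry list of installed controls.
        'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
    )
    foreach ($place in $places) {
        $items = Get-ChildItem -LiteralPath $place -ErrorAction SilentlyContinue
        foreach ($item in $items) {
            foreach ($id in $ids) {
                # Wildcard match tolerates braces or file extensions around the name.
                if ($item.PSChildName -like "*$id*") {
                    $found += [pscustomobject]@{ Type = 'ActiveX'; Name = $id; Detail = $item.PSPath }
                }
            }
        }
    }
    $found
}

Find-SaveNowTraces | Format-Table -AutoSize
```

An empty result means none of the listed traces were found at these locations; the B and Save variants leave no ActiveX object, so only the Run value and folder checks apply to them.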