Summary
Summary
More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Protection available since | 23 August 2006 12:30:24 (GMT) |
| Last updated | 7 November 2009 14:22:57 (GMT) |
| Detected by | Sophos Anti-Virus for Windows, version 7, and PureMessage for Microsoft Exchange. |
More Information
- Summary
- More Information
WhenU is adware supported software from whenu.com, consisting of the following applications:
SearchBar
SaveNow
Save
WeatherCast
ICE
WhenU may be installed as part of the installation for other software, such as shareware or freeware downloaded from the internet.
WhenU displays advertising links and pop-up ads when the browser is active.
WhenU runs continously in the background, periodically communicating with a remote server via HTTP. WhenU may download and install updates of its software without notification.
The default installation folders are:
<Program Files>\Save
<Program Files>\WeatherCast
<Program Files>\WhenUSearch
<Program Files>\VVSN
When the aforementioned applications are installed the following files are typically created:
<Start Menu\Programs>\WeatherCast
<Start Menu\Programs>\WeatherCast\WeatherCast.lnk
<Start Menu\Programs>\WhenU
<Start Menu\Programs>\WhenU\Learn More About WhenU Save.url
<Start Menu\Programs>\WhenU\Learn More About WhenU SaveNow.url
<Start Menu\Programs>\WhenU\Uninstall.lnk
<Start Menu\Programs>\WhenU\WhenU.com Website.url
<Start Menu\Programs>\WhenUSearch
<Start Menu\Programs>\WhenUSearch\WhenUSearch Desktop Toolbar.lnk
<Common Files>\WhenU
<Common Files>\WhenU\EmbedSE.dll
<Program Files>\Save
<Program Files>\Save\ACM.dll
<Program Files>\Save\save.cch
<Program Files>\Save\save.db
<Program Files>\Save\Save.exe
<Program Files>\Save\save.htm
<Program Files>\Save\SaveUninst.exe
<Program Files>\Save\store.db
<Program Files>\WeatherCast
<Program Files>\WeatherCast\Uninst.exe
<Program Files>\WeatherCast\Weather.exe
<Program Files>\WhenUSearch\search.cch
<Program Files>\WhenUSearch\search.db
<Program Files>\WhenUSearch\search.dll
<Program Files>\WhenUSearch\Search.exe
<Program Files>\WhenUSearch\search.htm
<Program Files>\WhenUSearch\Uninst.exe
<Program Files>\WhenUSearch\whse.exe
<Program Files>\WhenUSearch\Content
<Program Files>\WhenUSearch\Content\images
<Program Files>\VVSN\VVSN.EXE
The following registry entries are created to run Save.exe, Weather.exe, Search.exe, VVSN.EXE and whse.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WeatherCast
<Program Files>\WeatherCast\Weather.exe" /q
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WhenUSave
<Program Files>\Save\Save.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WhenUSearch
<Program Files>\WhenUSearch\Search.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WhenUSearchWHSE
<Program Files>\WhenUSearch\whse.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VVSN
<Program Files>\VVSN\VVSN.EXE
The files EmbedSE.dll, ACM.dll, search.dll and Search.exe are registered as COM objects, creating registry entries under:
HKCR\WhenU.EmbedSE
HKCR\WhenU.EmbedSE.1
HKCR\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}
HKCR\TypeLib\{20752C25-2D97-4E6F-9EE2-94B74D202875}
HKCR\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}
HKCR\Interface\{711648F0-5FF5-4C81-805E-A1AEDBAB4951}
HKCR\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}
HKCR\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}
HKCR\CLSID\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}
HKCR\CLSID\{A9AAE1AB-9688-42C5-86F5-C12F6B9015AD}
HKCR\CLSID\{763BD795-24AE-44d7-82D8-F9A1EE799729}
HKCR\CLSID\{389A5A59-1306-4389-A779-2EB9D0BC1FFB}
HKCR\ACM.ACMFactory
HKCR\ACM.ACMFactory.1
HKCR\WUSN.1
HKCR\WUSE.1
The file search.dll is registered as a Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}
Registry entries are created under:
HKLM\SOFTWARE\WhenUSearch
HKLM\SOFTWARE\WhenUSave
HKCU\Software\WhenU\Weather
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSearch
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherCast
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}
WhenU provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as: "SearchBar", "WeatherCast" and "WhenU SaveNow" (a related application is listed as "ClockSync").
|
