A single process run at startup which monitors open IE windows and opens adverts when it sees targeted URLs and terms entered into forms.

Variants

SaveNow/Download comes bundled with a "WhenUDownload" ActiveX control.

SaveNow/B comes without the WhenUDownload component.

SaveNow/Save is a new version, rebranded as 'Save!', which works in the same manner.

SaveNow/Db is the same as the Save variant, but includes an ActiveX 'marker' control to prevent it being installed twice.

SaveNow/WUInst is an installer for the Save variant.

The Download , Db and WUInst variants of SaveNow can be detected by the script at this site; B and Save cannot.

Also known as

WhenU , the name of the company supplying the software.

Distribution

BearShare and other P2P applications are bundled with SaveNow, as it RadLight video player, and all software distributed by Galt Technologies.

The Db and WUInst variants are also installed by drive-by-download in pop-ups, often coupled with 'ClockSync' or 'WeatherCast'.

Advertising

Yes. SaveNow keeps a list of URLs and terms it is interested in on disk, in the file 'SaveNow\savenow.db' in Program Files. This file is obfuscated but it is trivial to decode. * The (large - often over a megabyte) file maps from these targets to adverts to serve, which are downloaded through Akamai's proxies.

Privacy violation

As well as downloading the pop-up ads, SaveNow connects to WhenU's servers to log the ad impression. It passes the name of the affiliate software which installed the software, the ID of the advert being shown, and the site URL or term that caused the pop-up to be triggered.

No cookie is set on these accesses, so at the moment users are not being tracked across sites visited.

Security issues

The WUInst variant can be used by any web site to download and install SaveNow or other code form WhenU.

Stability problems

Yes. Can cause frequent crashes.

Removal

SaveNow/B can be removed from the 'SaveNow' entry in the Control Panel's 'Add/Remove Programs' option. SaveNow/Save can sometimes be removed from a 'Save' entry in Add/Remove Programs.

SaveNow/Db does not provide an Add/Remove Programs entry and must be removed manually. SaveNow/Download may be removed through the Control Panel, but leaves an ActiveX control behind, see below for removal.

SaveNow often also installs 'WeatherCast', a system tray icon that displays the current weather conditions, and/or 'ClockSync', a trivial NTP client. Unless you find these useful for some reason, you should probably also remove them from Add/Remove Programs.

Ad-Aware can both remove SaveNow. At the time of writing, neither will remove the ActiveX object of the Db or WUInst variants.

Manual removal

Open the registry (Start->Run->regedit) and find the key:

Delete the 'SaveNow' or 'WhenUSave' value. Reboot and you should be able to delete the 'SaveNow' or 'Save' folder inside 'Program Files'.

To remove the ActiveX objects installed by the Download and Db variants, open the 'Downloaded Program Files' folder inside the Windows folder, and delet the SaveNow object. The name of this is 'WhenUDownload' in the Download variant, 'FC327B3F-377B-4CB7-8B61-27CD69816BC3' in the Db variant, and 'E2F2B9D0-96B9-4B25-B90C-636ECB207D18' in the WUInst variant.