Submission Summary:

What's been found | Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Security Risk | Description
Adware.WhenU_SaveNow | SaveNow shows targeted pop-up advertisements and coupons based on the user's Internet surfing habits. It is usually distributed with other third-party software such as BearShare.
Adware.Component.WhenU | Common components shared between WhenU products like ClockSync, SaveNow, SideFinder and WeatherCast.

Threat Category | Description
A potentially unwanted adware program designed to deliver various advertisements to the users' systems


File System Modifications

# Filename(s) File Size File Hash Alias
1 %CommonPrograms%\Cool Web Scrollbars\Cool Web Scrollbars Help.lnk 726 bytes MD5: 0xBEDB52EEFA3ADC9594671D17CC170961
SHA-1: 0xC6DD85649373D505541A842823CC848AAA000DA6
(not available)
2 %CommonPrograms%\Cool Web Scrollbars\Cool Web Scrollbars Readme.lnk 749 bytes MD5: 0xE6A0C8D9D26B3ED2C1CF0BD689AE57A0
SHA-1: 0x0D46E41B3F9A40476D002DC41266011E07094457
(not available)
3 %CommonPrograms%\Cool Web Scrollbars\Cool Web Scrollbars.lnk 706 bytes MD5: 0x8DCFEFB9776A1295530D6303A71B525E
SHA-1: 0x15346F365B46AF1AD0F59FF4834C87011D5301B9
(not available)
4 %DesktopDir%\Cool Web Scrollbars.lnk 694 bytes MD5: 0x314C6777517721C30BE7F078B182A4B5
SHA-1: 0xA3D40CE45BB04DCE6048A0AD80C672195FCDC142
(not available)
5 %DesktopDir%\Harmony Hollow on the Web.lnk 1,368 bytes MD5: 0x9E3FFB319E69BE75AC432C281501F08D
SHA-1: 0x9F959E7D0C7D175B13F51E1AFC5EE4EB15916B4C
Adware-s36.XP.lnk [McAfee]
6 %ProgramFiles%\Cool Web Scrollbars\arrow.gif 5,318 bytes MD5: 0xB209DF3DDD66B18E9B98F8F02224825F
SHA-1: 0x380742DA28F7E97E9D3A42FAD831D643C9EAF471
(not available)
7 %ProgramFiles%\Cool Web Scrollbars\cws.cnt 175 bytes MD5: 0xFA5C239832B7D9E9B38F12401E2968D1
SHA-1: 0xE201A084AA9EED32F909204837153433676C6935
(not available)
8 %ProgramFiles%\Cool Web Scrollbars\cws.exe 253,952 bytes MD5: 0x120FDA77D6CB79EC908A6B2A48BF8398
SHA-1: 0x2065AB5023F4D14580E506355F8CFB1F56052D4A
(not available)
9 %ProgramFiles%\Cool Web Scrollbars\cws.hlp 137,004 bytes MD5: 0xF5908958A7C624B78CABE7A42E3A8A9B
SHA-1: 0x2CFD927F4F2E91DBD83F0CA5FF89E2DB7EE490B0
(not available)
10 %ProgramFiles%\Cool Web Scrollbars\hh.html 600 bytes MD5: 0x74D513ECEB5B31C8C32C5745EF6B7646
SHA-1: 0x939524BCAC21A4DE704F2D883743BCF23FE51A29
(not available)
11 %ProgramFiles%\Cool Web Scrollbars\readme.txt 3,696 bytes MD5: 0x5A1D4471F4FCB6CBAA726A61FAD81A5F
SHA-1: 0x8D49BE4A64BE588E7E3FDC23F94BC7A059B4999E
(not available)
12 %ProgramFiles%\Cool Web Scrollbars\unins000.dat 2,250 bytes MD5: 0xEF517BF7A26F559E8E7B84DEFECCA21C
SHA-1: 0x03F4CAF7047FF36A60E127AB2085005E3516CC0A
(not available)
13 %ProgramFiles%\Cool Web Scrollbars\unins000.exe 72,298 bytes MD5: 0x2330A6FD4B2E02A43F675252DEAC2BE4
SHA-1: 0xF840FE7C4A7B1D7D7490EE875980270A3F947D11
(not available)
14 %ProgramFiles%\SaveNow\ReadMe.txt 4,180 bytes MD5: 0x158D4EB6403BEFF418666F8DBD051EE7
SHA-1: 0xF8A89CF13E96B06B6ED3075121CD5E1A7AB31C72
(not available)
15 %ProgramFiles%\SaveNow\SaveNow.exe 166,400 bytes MD5: 0x032E6F160C65B9E90B5C5A1010767B08
SHA-1: 0x1E48DA5A166C0E3B79BEBC242771CFB35E120F4D
Adware.WhenU_SaveNow [PCTools]
Adware.Savenow [Symantec]
not-a-virus:AdWare.Win32.SaveNow.w [Kaspersky Lab]
16 %ProgramFiles%\SaveNow\savenow.htm 31,588 bytes MD5: 0xC61CB66B905F859E0EA5EC681E93B7CF
(not available)
17 %ProgramFiles%\SaveNow\Uninst.exe 13,368 bytes MD5: 0x4277410DF62F619F8524837F53492F3F
SHA-1: 0x66F8EA0B057ABBAAECF2EF15BCACD97D436CC95E [Kaspersky Lab]
18 %Windir%\hh.ico 2,238 bytes MD5: 0x675762451E1B3C7CE5BD92415CB15AA9
SHA-1: 0x926F5F5806D91FDF0D1AB5D1B0D93E8F105041BA
(not available)
19 %Windir%\hhs.url 131 bytes MD5: 0xAF83086D1011CB7790CF64503D86A300
SHA-1: 0x72D1944E35B6C8097ACBFDEE5A7CF606F6F7E96D
Adware-xplus.url [McAfee]
20 [file and pathname of the sample #1] 541,362 bytes MD5: 0x18138595F1ED1316188E5693E1B74F83
SHA-1: 0x524270401D6D3917AB4FBB690162E41FEA4C700E
not-a-virus:AdWare.Win32.SaveNow.w, [Kaspersky Lab]


Memory Modifications

Process Name | Process Filename | Main Module Size
SaveNow.exe | %ProgramFiles%\savenow\savenow.exe | 180,224 bytes
[filename of the sample #1] | [file and pathname of the sample #1] | 94,208 bytes
INS1.tmp | %Temp%\INS1.tmp | 565,248 bytes
SaveNowInst.exe | %Temp%\is-59DRT.tmp\SaveNowInst.exe | 126,976 bytes


Registry Modifications


Other details



All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

Copyright © 2015 ThreatExpert. All rights reserved.