Wednesday, August 22, 2012

How to delete SaveNow (WhenU)

Name: SaveNow
Aliases: WhenU.SaveNow, WhenUSave, Adware-SaveNow, Adware.PurityScan
Type: Spyware (adware)
Size: -
First appeared on: 11.09.2003
Damage: Medium

Brief Description:
WhenU is a spyware program, which is usually included in applications that can be downloaded from the Internet. WhenU provides information about the weather forecast and displays advertising pop-up windows.

Visible Symptoms:
WhenU is easy to recognize, as it displays advertising pop-up windows.

Technical description:

File names:
Save.exe
VVSN.exe
xplus.exe
savenow.exe

When Adware.Savenow is executed, it does the following:

Creates the following files:
%ProgramFiles%\Save\Save.exe
%ProgramFiles%\Save\Save.html
%ProgramFiles%\Save\Readme.txt
%ProgramFiles%\Save\SaveUninst.exe
%ProgramFiles%\VVSN\VVSN.exe
%ProgramFiles%\SaveNow\Readme.txt
%ProgramFiles%\SaveNow\SaveNow.exe
%ProgramFiles%\SaveNow\SaveNow.htm
%ProgramFiles%\SaveNow\Uninst.exe
%ProgramFiles%\Xtractor Plus\hh.html
%ProgramFiles%\Xtractor Plus\readme.txt
%ProgramFiles%\Xtractor Plus\unins000.dat
%ProgramFiles%\Xtractor Plus\unins000.exe
%ProgramFiles%\Xtractor Plus\xp.exe
%ProgramFiles%\Xtractor Plus\Xplus.CNT
%ProgramFiles%\Xtractor Plus\XPLUS.HLP
%System%\CCRPFTV6.OCX
%System%\SSubTmr.dll
%System%\TABCTL32.OCX
%System%\UNACE.DLL
%System%\UNRAR.dll
%System%\Unzip32.dll
%Windir%\hh.ico
%Windir%\hhs.url

Note:
%ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Adds the values:
"VVSN" = "%ProgramFiles%\VVSN\VVSN.exe"
"SaveNow" = "%ProgramFiles%\SaveNow\SaveNow.exe"
to one or more of the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the adware runs every time Windows starts.

Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave
HKCR\WUSN.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xtractor Plus_is1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Free Software

Contacts a server at the whenu.com domain and downloads and displays advertisements.

Tracks Internet browsing habits. However, the collected information is not submitted to the server. It is stored locally on the computer and used to determine which advertisements should be displayed.

Propagation:
Spyware programs are usually included in free applications downloaded from the Internet. These programs are installed on the affected computer, sometimes without user consent, without warning users that these programs will collect user details.
WhenU is usually included in third-party software, such as BearShare and other peer-to-peer (P2P) file sharing programs, RadLight Video Player, etc. It can also reach the computer by accessing certain web pages, which ask for confirmation to install an ActiveX control.

eset Trend Micro
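The files and registry entries listed above can be checked on a machine with a read-only script. The following PowerShell is an added example, not part of the original write-up; it reports what it finds and deletes nothing. It assumes PowerShell 3.0 or later, and the extra look in Program Files (x86) is an assumption for 64-bit systems that the description does not mention.

```powershell
# Added example: read-only check for the SaveNow/WhenU artifacts listed in the description.

# Program Files roots to search. The (x86) root is an assumption for 64-bit Windows.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique

# Executables specific to the adware. The shared libraries it drops in %System%
# (UNRAR.dll, TABCTL32.OCX, ...) are skipped because legitimate software ships them too.
$relative = 'Save\Save.exe', 'Save\SaveUninst.exe', 'VVSN\VVSN.exe',
            'SaveNow\SaveNow.exe', 'SaveNow\Uninst.exe',
            'Xtractor Plus\xp.exe', 'Xtractor Plus\unins000.exe'
$files  = foreach ($r in $roots) { foreach ($p in $relative) { Join-Path $r $p } }
$files += (Join-Path $env:windir 'hh.ico'), (Join-Path $env:windir 'hhs.url')

# Autostart values and the Run keys they are written to.
$runKeys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues = 'VVSN', 'SaveNow'

# Registry subkeys the adware creates.
$subKeys = 'HKLM:\SOFTWARE\WhenUSave',
           'Registry::HKEY_CLASSES_ROOT\WUSN.1',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xtractor Plus_is1',
           'HKCU:\Software\Microsoft\Internet Explorer\MenuExt\Free Software'

$findings = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $f; Detail = '' }
    }
}
foreach ($k in $runKeys) {
    # Returns $null when the key is missing or has no values.
    $props = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
    foreach ($v in $runValues) {
        if ($props -and $props.PSObject.Properties[$v]) {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Item = "$k\$v"; Detail = $props.$v }
        }
    }
}
foreach ($k in $subKeys) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'RegKey'; Item = $k; Detail = '' }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No SaveNow/WhenU artifacts from the list were found.' }
```

The HKCU checks only cover the account running the script, so run it once per user profile on shared machines.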
