Save.exe

WhenU Save

WHENU.COM INC

The application Save.exe by WHENU.COM INC has been detected as adware by 33 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘WhenUSave’.
Publisher:
WhenU.com, Inc.  (signed by WHENU.COM INC)

Product:
WhenU Save

Version:
4, 2, 2, 02

MD5:
47754bf98fd5a4bc05c3b08221d6426a

SHA-1:
c533f42fca267458c489077b8ddc12f1a64526fd

Scanner detections:
33 / 68

Status:
Adware

Analysis date:
4/24/2024 10:59:25 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Gen:Adware.Heur.Xq1@ROmjo4ki | 671 |
| Agnitum Outpost | Adware.Savenow.BU | 7.1.1 |
| AhnLab V3 Security | Win-AppCare/Tool.803184 | 2015.03.11 |
| Avira AntiVirus | ADSPY/AdSpy.Gen | 7.11.215.236 |
| avast! | Win32:Adware-gen [Adw] | 2014.9-150405 |
| AVG | Generic2 | 2016.0.3149 |
| Bitdefender | Gen:Adware.Heur.Xq1@ROmjo4ki | 1.0.20.475 |
| Bkav FE | W32.WhenUC.Adware | 1.3.0.6379 |
| Clam AntiVirus | Adware.WhenU-5 | 0.98/21511 |
| Comodo Security | not-a-virus.AdTool.Win32.WhenU.i | 21366 |
| Dr.Web | Adware.SaveNow | 9.0.1.095 |
| Emsisoft Anti-Malware | Gen:Adware.Heur.Xq1@ROmjo4ki | 8.15.04.05.05 |
| ESET NOD32 | Win32/Adware.WhenU.SaveNow potentially unwanted (variant) | 9.11300 |
| Fortinet FortiGate | Adware/SaveNow | 4/5/2015 |
| F-Prot | W32/HackToolX.WE | v6.4.7.1.166 |
| F-Secure | Gen:Adware.Heur.Xq1@ROmjo4ki | 11.2015-05-04_1 |
| G Data | Gen:Adware.Heur.Xq1@ROmjo4ki | 15.4.25 |
| IKARUS anti.virus | not-a-virus:AdTool.Win32.WhenU.i | t3scan.1.8.6.0 |
| K7 AntiVirus | Adware | 13.200.15223 |
| Kaspersky | not-a-virus:WebToolbar.Win32.WhenU | 14.0.0.2239 |
| Malwarebytes | Adware.WhenU | v2015.04.05.05 |
| McAfee | Adware-SaveNow | 5600.6805 |
| MicroWorld eScan | Gen:Adware.Heur.Xq1@ROmjo4ki | 16.0.0.285 |
| NANO AntiVirus | Riskware.Win32.WhenU.croqkb | 0.30.0.296 |
| Quick Heal | Adware.WhenU.r4 (Not a Virus) | 4.15.14.00 |
| Reason Heuristics | PUP.Startup.WHENUCOM | 15.4.5.5 |
| Sophos | WhenU | 4.98 |
| SUPERAntiSpyware | Adware.WhenU | 9955 |
| Total Defense | Win32/WhenU | 37.0.11488 |
| Trend Micro House Call | Adware_whenu | 7.2.95 |
| Trend Micro | Adware_whenu | 10.465.05 |
| VIPRE Antivirus | WhenU.Save | 38312 |
| ViRobot | AdTool.WhenU.803184[h] | 2014.3.20.0 |

File size:
784.4 KB (803,184 bytes)

Product version:
4, 2, 2, 02

Copyright:
Copyright 2001-2006

Original file name:
Save.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\save\save.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
2/7/2006 4:00:00 PM

Valid to:
4/8/2007 4:59:59 PM

Subject:
CN=WHENU.COM INC, OU=Department, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=WHENU.COM INC, L=New York, S=New York, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
3961E82457D32F54A770A098673031F5

File PE Metadata
Compilation timestamp:
8/25/2006 11:45:41 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:0Gxn7zLcmTN+ALJVbI8VpAAVp7fXkRbpvCnXG2DS8OlFWvJZ4zl9rh7j0:0GxFh+ALfbI6bHw8XG2O8OGvEl9F0

Entry address:
0x64FC6

Entry point:
E8, 90, BD, 00, 00, E9, 16, FE, FF, FF, 55, 8B, EC, 83, EC, 14, 53, FF, 75, 0C, 8D, 4D, EC, E8, 0E, 9D, FF, FF, 8B, 4D, 08, 81, F9, FF, 00, 00, 00, 76, 6B, 33, C0, 57, 33, DB, 66, 89, 5D, FC, 8D, 7D, FE, 66, AB, 8B, C1, C1, E8, 08, 88, 45, 08, 8B, 45, F0, 88, 4D, 09, 39, 58, 08, 5F, 75, 10, 38, 5D, F8, 74, 07, 8B, 45, F4, 83, 60, 70, FD, 33, C0, EB, 70, 6A, 01, FF, 70, 0C, FF, 70, 04, 8D, 45, FC, 50, 6A, 02, 8D, 45, 08, 50, 6A, 01, 53, E8, 5B, B3, 00, 00, 83, C4, 20, 85, C0, 74, CF, 66, 39, 5D, FE, 75, 0B...
 

Entropy:
6.2675

Code size:
545 KB (558,080 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WhenUSave

Command:
"C:\Program Files\save\save.exe"

