You're in: Panda Security > Home Users > security-info > overview
Active Scan. Scan your PC free
Download Cloud Antivirus Gratis

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Savenow

Threat LevelModerate threatDamageHighDistributionNot widespread

Is my computer infected by Savenow?

In order to make absolutely sure that Savenow has not infected your computer, carry out a full scan of your computer using Panda Antivirus, after checking that it is updated. If it isn't and you are a registered Panda Security client, update it by clicking here.

How to remove Savenow? 

Then, if Panda Antivirus detects Savenow during the scan, it will automatically offer you the option of deleting it. Do this by following the program's instructions.

Finally, restore the original configuration of your computer by following the instructions below:

First of all, try to uninstall Savenow by using the option Add/Remove Programs in the Control Panel.

If the uninstallation of Savenow is not available, follow the routine below:

  • Unregister each one of the dynamic link libraries (DLL) that Savenow has registered:

    Access the Start menu, Run option and type and run the following line, for each of the libraries:
    regsvr32 /u "%path%\%dll_name%"
    where %path% is the directory where the library is located, and %dll_name% is each one of the following names:
    AGENTCTL.DLL
    AUTPRX32.DLL
    BONZITAPFILTERS.DLL
    CNBABE.DLL
    EMPOP3.DLL
    EMSMTP.DLL
    GOOGLETOOLBAR_EN_2.0.92-BIG.DLL
    IEHELPERMIDDLEMAN.DLL
    MSIMMSGR.DLL
    MSIMNETC.DLL
    ODKOB32.DLL
    ONLINECHK.DLL
    RACREG32.DLL
    RUNMSC.DLL
    SNDBMARK.DLL
    SSUBTMR6.DLL
    SYSTRAYUSER.DLL
    TV_ENUA.DLL
    TVENUAX.DLL
    UTDNS.DLL
    VBAR332.DLL
  • Delete the entries that Savenow has created in the Windows Registry:

    HKEY_CLASSES_ROOT\ CLSID\ {08351226-6472-43bd-8a40-d9221ff1c4ce}

    HKEY_CLASSES_ROOT\ CLSID\ {c285d18d-43a2-4aef-83fb-bf280e660a97}

    HKEY_CLASSES_ROOT\ CLSID\ {e2f2b9d0-96b9-4b25-b90c-636ecb207d18}

    HKEY_CLASSES_ROOT\ CLSID\ {fee7fd53-3356-4d4d-8978-2c4ae3a7e109}

    HKEY_CLASSES_ROOT\ typelib\ {e2f2b9d0-96b9-4b25-b90c-636ecb207d18}

    HKEY_CLASSES_ROOT\ typelib\ {fc327b3f-377b-4cb7-8b61-27cd69816bc3}

    HKEY_CLASSES_ROOT\ wusn.1

    HKEY_LOCAL_MACHINE\ Software\ classes\ .gnu

    HKEY_LOCAL_MACHINE\ Software\ classes\ CLSID\ {08351226-6472-43bd-8a40-d9221ff1c4ce}

    HKEY_LOCAL_MACHINE\ Software\ classes\ CLSID\ {0837121a-6472-43bd-8a40-d9221ff1c4ce}

    HKEY_LOCAL_MACHINE\ Software\ classes\ CLSID\ {4a2aacf3-adf6-11d5-98a9-00e018981b9e}

    HKEY_LOCAL_MACHINE\ Software\ classes\ CLSID\ {9f95f736-0f62-4214-a4b4-caa6738d4c07}

    HKEY_LOCAL_MACHINE\ Software\ classes\ interface\ {c285d18d-43a2-4aef-83fb-bf280e660a97}

    HKEY_LOCAL_MACHINE\ Software\ classes\ magnet\ defaulticon

    HKEY_LOCAL_MACHINE\ Software\ classes\ magnet\ shell\ open\ command

    HKEY_LOCAL_MACHINE\ Software\ classes\ Runmsc.loader.1\ CLSID

    HKEY_LOCAL_MACHINE\ Software\ classes\ Runmsc.loader\ CLSID

    HKEY_LOCAL_MACHINE\ Software\ classes\ Runmsc.loader\ curver

    HKEY_LOCAL_MACHINE\ Software\ classes\ tldctl2.urllink\ curver

    HKEY_LOCAL_MACHINE\ Software\ classes\ wusn.1

    HKEY_LOCAL_MACHINE\ Software\ classes\ wusn.1\ wusn_id

    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run\ savenow

    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run\ whenusave

    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ RunOnce\ remove at boot 902

    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ uninstall\ savenow

    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ uninstall\ gdivx\ displayname

    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ uninstall\ gdivx\ uninstallstring

    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ uninstall\ weathercast\ displayicon

    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ uninstall\ weathercast\ displayname

    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ uninstall\ weathercast\ displayversion

    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ uninstall\ weathercast\ helplink

    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ uninstall\ weathercast\ publisher

    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ uninstall\ weathercast\ uninstallstring

    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ uninstall\ weathercast\ urlinfoabout

    HKEY_LOCAL_MACHINE\ Software\ whenu

    HKEY_LOCAL_MACHINE\ Software\ whenusave

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ city

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ db_incomplete

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ db_local_update

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ db_server_update

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ exitsurvey_url

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ extra_url

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ extraver_url

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ fulldbtime

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ heartbeattime

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ lastshown

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ partnerdesc

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ partners\ eepe\ partnerfile

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ partners\ rdlt\ installtime

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ partners\ rdlt\ partner

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ partners\ rdlt\ partnerdesc

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ partners\ vidg\ installtime

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ partners\ vidg\ partner

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ partners\ vidg\ partnerdesc

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ partners\ vidg\ partnerfile

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ pat_chunks_url

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ setupcmdline

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ update_url

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ updatetime

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ urlchangecount

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ zip

    HKEY_LOCAL_MACHINE\ Software\ whenusave\ zip_old_rs

    HKEY_USERS\ s-1-5-21-329068152-1677128483-854245398-500\ Software\ whenu

    HKEY_USERS\ s-1-5-21-329068152-1677128483-854245398-500\ Software\ Microsoft\ Windows\ CurrentVersion\ Run\ weathercast

    HKEY_USERS\ s-1-5-21-796845957-842925246-1060284298-500\ Software\ whenu
  • Delete the following files, which are in the Program files directory:
    SAVE.EXESAVE.DBSAVE.HTM y SAVEUNINST.EXE in the subfolder \SAVE.

    SAVENOW.DBSAVENOW.EXESAVENOW.HTM y UNINST.EXE in the subfolder \SAVENOW.

    S.CLASS in the subfolder \EBATESMOEMONEYMAKER\ SYSTEM\ CODE.

    SAVENOWINST.EXE in the subfolder \IMESH\ CLIENT.

    SBHC.EXE in the subfolder \SUPERBAR.

    UNINSTALL.EXE in the subfolder \XOLOX.
  • Delete the following files, which are in the Windows Desktop:
    SPORTSINTERACTION.COM.URL and XOLOX DOWNLOAD FOLDER.LNK
  • Delete the following files, which are in the directory where Savenow is installed:
    AGENTCTL.DLL
    AUTPRX32.DLL
    BABE-BS.EXE
    BAD_NAVIGATION.HTM
    BAD_NAVIGATIONMAIN.HTM
    BEARSHARE.TXT
    BONZI.ACS
    BONZITAPFILTERS.DLL
    BSAVEINSTWM.EXE
    CNBABE.DLL
    EMPOP3.DLL
    EMSMTP.DLL
    FIVE ROSES.URL
    GOOGLETOOLBAR_EN_2.0.92-BIG.DLL
    HISTORY.TXT
    HOSTS.DAT
    IEHELPERMIDDLEMAN.DLL
    IEHELPERMIDDLEMAN.TLB
    INSTALL.LOG
    J001.NBD
    MAKE MONEY.URL
    MSIMMSGR.DLL
    MSIMNETC.DLL
    MSINET.OCX
    MSWINSCK.OCX
    NOWBOX.EXE
    NOWBOX.LNK
    ODKOB32.DLL
    OFFLINE.HTM
    OFFLINEMAIN.HTM
    ONLINECHK.DLL
    ONLUCK.URL
    RACREG32.DLL
    REGICON.OCX
    RICHTX32.OCX
    SHORT.ACS
    SNDBMARK.DLL
    SPORTSINTERACTION.COM.URL
    SSA3D30.OCX
    SSUBTMR6.DLL
    SYNC.EXE
    SYSTRAYUSER.DLL
    TV_ENUA.DLL
    TV_ENUA.HLP
    TVENUAX.DLL
    UNINS.EXE
    UNINSTALL NOWBOX.LNK
    UNWISE.EXE
    UTDNS.DLL
    VBAR332.DLL
    VSSVER.SCC
    WEATHER.EXE
  • Delete the following directories, if they exist:
    %program files%\ SAVE

    %program files%\ SAVENO

    %pro
    gram files%\ START MENU\ PROGRAMS\ WEATHERCAST
  • Restart the computer.
  • In order to make sure that Savenow is completely eliminated from your computer, carry out a full scan of your computer using Panda Antivirus.

Additional notes:

  • For instructions on how to modify the Windows Registry, click here.
  • If your computer has Windows Millenium installed, click  here to permanently remove all trace of the malware.
  • If your computer has Windows XP installed, click here to permanently remove all trace of the malware.

How can I protect my computer from Savenow? 

In order to keep your computer protected, bear the following tips in mind:

  • Install a good antivirus in your computer. Click here to get the Panda antivirus solution that best suits your needs.
  • Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
  • Keep your permanent antivirus protection enabled at all times.
For more detailed information about how to protect your computer against viruses, click here.