
SaveKeeper Analysis and Removal

by Shanmuga

SaveKeeper is one of the latest additions to the rogue security application family. I have observed this scareware being downloaded and pushed for installation by the Fake Windows Security Center rogue; the user still has to run the installer manually. The installer also drops a batch of randomly named .exe, .dll, .bin, .cpl and .ocx files into the Windows folder, and the rogue's own "scans" later flag exactly those planted files as malware to frighten the user into buying a licence.

The installer setup.exe (787,586 bytes) was flagged by 10 of the 41 engines available at VirusTotal at the time of testing. Symantec places it in the WiniGuard family; Microsoft detects it as Trojan:Win32/FakeSmoke, and it is also known under the alias Trojan.Win32.FraudPack.tch.


SaveKeeper Associated Files and Folders

  • C:\Program Files\SaveKeeper Software\SaveKeeper\SaveKeeper.exe
  • C:\Program Files\SaveKeeper Software\SaveKeeper\uninstall.exe
  • C:\Program Files\SaveKeeper Software\SaveKeeper\SaveKeeperSvc.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\nsn5.tmp
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\nsn5.tmp\nsProcess.dll
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\nsn5.tmp\nsSCM.dll
  • C:\Documents and Settings\All Users\Desktop\SaveKeeper.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\SaveKeeper\1 SaveKeeper.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\SaveKeeper\2 Homepage.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\SaveKeeper\3 Uninstall.lnk

Some or all of the file names may be randomly generated.

SaveKeeper Associated Registry Values and Keys

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVEKEEPERSVC
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVEKEEPERSVC\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVEKEEPERSVC\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveKeeperSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveKeeperSvc\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveKeeperSvc\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAVEKEEPERSVC
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAVEKEEPERSVC\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAVEKEEPERSVC\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SaveKeeperSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SaveKeeperSvc\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SaveKeeperSvc\Enum
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SaveKeeper
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveKeeper
  • HKEY_LOCAL_MACHINE\SOFTWARE\SaveKeeper
  • HKEY_USERS\S-1-5-21-746137067-776561741-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Run (value data: C:\Program Files\SaveKeeper Software\SaveKeeper\SaveKeeper.exe -min) – this is the per-user autostart entry that relaunches the rogue at logon
  • HKEY_USERS\S-1-5-21-746137067-776561741-1417001333-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache (value data: C:\Program Files\SaveKeeper Software\SaveKeeper\SaveKeeper.exe) – MUICache only records that the program has been run; it is evidence of execution, not a persistence point
  • HKEY_USERS\S-1-5-21-746137067-776561741-1417001333-1004\Software\SaveKeeper

The SID shown above is that of the test account; on another machine the same values will appear under the SID of the user who ran the installer (HKEY_CURRENT_USER for that user).

SaveKeeper Associated Domains

This scareware was observed accessing the following domains during installation and operation:

http://www.savekeeper. com
http://www.fast-paysolution. com

Note: Visiting the domains mentioned above may harm your computer system.

SaveKeeper Removal (How to remove SaveKeeper)

At the time of testing, the free editions of Malwarebytes' Anti-Malware and SuperAntiSpyware did not remove this rogue security software.

  1. Download HijackThis
  2. Download CCleaner.
  3. Boot in to Windows Safe mode.
  4. Use HijackThis to fix the following entries:
    • C:\Program Files\SaveKeeper Software\SaveKeeper\SaveKeeper.exe
    • HKCU\..\Run: [SaveKeeper] C:\Program Files\SaveKeeper Software\SaveKeeper\SaveKeeper.exe -min
    • O23 – Service: SaveKeeper Security Service (SaveKeeperSvc) – Unknown owner – C:\Program Files\SaveKeeper Software\SaveKeeper\SaveKeeperSvc.exe (file missing)
  5. Turn System Restore off and then on again; this discards existing restore points, which may contain copies of the rogue's files.
  6. Install CCleaner, scan, and clean the temporary files (the installer's nsn5.tmp folder and its DLLs live there).
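The HijackThis steps above are done by hand in its GUI. As an added example (not part of the original post and not a tool from Malware Help.Org), the script below performs the same cleanup from an elevated PowerShell prompt in Safe Mode, using the files, service and registry entries listed earlier on this page, and also lists recently created .exe/.dll/.bin/.cpl/.ocx files in the Windows folder for the manual review that the "planted files" behaviour described above calls for. It assumes PowerShell 2.0 (an optional download on Windows XP SP3), a default C:\Program Files location, and that the logged-on user is the one who installed the rogue (so HKCU stands in for the HKEY_USERS SID shown in the post); the function names, the `-Remove` switch and the one-day look-back window are the example's own choices.

```powershell
# Added example, not code from the original post.
# Run from an elevated PowerShell 2.0 prompt in Safe Mode:
#   .\Remove-SaveKeeper.ps1            -> report indicators only
#   .\Remove-SaveKeeper.ps1 -Remove    -> report, clean up, re-check
param([switch]$Remove)

$ErrorActionPreference = 'Continue'
$base    = Join-Path $env:ProgramFiles 'SaveKeeper Software\SaveKeeper'   # assumed default path
$service = 'SaveKeeperSvc'
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'          # HKCU assumed == infected user
$runName = 'SaveKeeper'                                                   # value name from the HJT O4 line
$keys    = @(
    'HKLM:\SOFTWARE\SaveKeeper',
    'HKCU:\Software\SaveKeeper',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveKeeper',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SaveKeeper',
    "HKLM:\SYSTEM\CurrentControlSet\Services\$service",
    # The LEGACY_* Enum key is ACL-protected and may refuse deletion; it is inert once the service is gone.
    "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($service.ToUpper())"
)
$shortcuts = @(
    (Join-Path $env:ALLUSERSPROFILE 'Desktop\SaveKeeper.lnk'),
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\SaveKeeper')
)

function Find-Indicator {
    # Returns one (Type, Path) object per indicator present on this machine.
    $found = @()
    if (Test-Path $base) { $found += New-Object PSObject -Property @{Type='Folder'; Path=$base} }
    foreach ($s in $shortcuts) {
        if (Test-Path $s) { $found += New-Object PSObject -Property @{Type='Shortcut'; Path=$s} }
    }
    foreach ($k in $keys) {
        if (Test-Path $k) { $found += New-Object PSObject -Property @{Type='RegKey'; Path=$k} }
    }
    $run = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
    if ($run) { $found += New-Object PSObject -Property @{Type='RunValue'; Path="$runKey\$runName = $($run.$runName)"} }
    if (Get-Service -Name $service -ErrorAction SilentlyContinue) {
        $found += New-Object PSObject -Property @{Type='Service'; Path=$service}
    }
    $found
}

function Remove-SaveKeeper {
    # Order matters: stop the running pieces first, then the autostart, then files and keys.
    Get-Process -Name 'SaveKeeper', 'SaveKeeperSvc' -ErrorAction SilentlyContinue |
        Stop-Process -Force -ErrorAction SilentlyContinue
    if (Get-Service -Name $service -ErrorAction SilentlyContinue) {
        Stop-Service -Name $service -Force -ErrorAction SilentlyContinue
        & sc.exe delete $service | Out-Null   # Remove-Service does not exist in PowerShell 2.0
    }
    Remove-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
    foreach ($k in $keys)      { Remove-Item -Path $k -Recurse -Force -ErrorAction SilentlyContinue }
    foreach ($s in $shortcuts) { Remove-Item -Path $s -Recurse -Force -ErrorAction SilentlyContinue }
    Remove-Item -Path $base -Recurse -Force -ErrorAction SilentlyContinue
}

function Get-SuspectWindowsFiles([datetime]$Since) {
    # Lists exe/dll/bin/cpl/ocx files created in %WINDIR% since $Since for manual review.
    # These are NOT deleted automatically: legitimate system files share the same extensions.
    Get-ChildItem -Path (Join-Path $env:windir '*') -Include *.exe, *.dll, *.bin, *.cpl, *.ocx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $Since } |
        Select-Object FullName, CreationTime, Length
}

$hits = Find-Indicator
$hits | Format-Table -AutoSize
if ($Remove -and $hits) {
    Remove-SaveKeeper
    'Re-check after cleanup (anything still listed needs manual attention):'
    Find-Indicator | Format-Table -AutoSize
}
# Adjust the window to when the rogue was installed; one day is an assumed default.
Get-SuspectWindowsFiles -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize
```

Run it once without `-Remove` to confirm the indicators match what you see on the machine before letting it delete anything; the System Restore and CCleaner steps from the list above still have to be done separately.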

The SaveKeeper scareware should now be disabled.

SaveKeeper — Screenshots

SaveKeeper — video

Note: The above installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.
