SaveKeep and SaveDefender

SaveKeep and SaveDefender are misleading applications that disguise themselves as antivirus and anti-spyware programs. SaveKeep comes from the same developers who are also responsible for the propagation of WiniGuard, SaveSoldier and TrustNinja. A Trojan downloader can get these rogue programs onto the computer without your knowledge. When infected, your Internet browser will keep redirecting to savekeep.com and download the installation package, which is then executed on the computer.

When installed, SaveKeep prevails over your antivirus program, which was made useless by the earlier Trojan infection. The rogue program modifies registry entries for its own advantage. It then configures the Internet browser to display a fake error page every time you need Internet access. Additionally, SaveKeep keeps promoting itself by displaying a lot of pop-up advertisements and browser redirects.

Just like any other rogue program, SaveKeep will continue to issue warning messages and false security scan results that push the user to purchase the registered version of the program.

Technical Details and Additional Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Characteristics (Analysis)
This rogue program starts without the user's intervention. It places an entry in the Windows registry that calls the main executable file.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "nhs7yj98.exe"

Malware Behavior
SaveKeep and SaveDefender attempt to persuade the computer user by means of annoyances caused by excessive display of advertisements, pop-up alerts and browser redirection. They also employ scare tactics to push victims into obtaining the licensed version of SaveKeep.

Added Registry Entries:
HKEY_CURRENT_USER\Software\SaveKeep
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "nhs7yj98.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SaveKeep" 
HKEY_CLASSES_ROOT\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveKeep
HKEY_LOCAL_MACHINE\SOFTWARE\SaveKeep
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVEKEEPSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SaveKeepSvc

Associated Files and Folders:
C:\Documents and Settings\All Users\Desktop\SaveKeep.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\SaveKeep
C:\Documents and Settings\All Users\Start Menu\Programs\SaveKeep\1 SaveKeep.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\SaveKeep\2 Homepage.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\SaveKeep\3 Uninstall.lnk
C:\Documents and Settings\Bleeping\Local Settings\Temp\Pnhyy6ts.exe
C:\Documents and Settings\Bleeping\Local Settings\Temp\nhs7yj98.exe
C:\Program Files\SaveKeep Software
C:\Program Files\SaveKeep Software\SaveKeep
C:\Program Files\SaveKeep Software\SaveKeep\data.bin
C:\Program Files\SaveKeep Software\SaveKeep\license.txt
C:\Program Files\SaveKeep Software\SaveKeep\SaveKeep.exe
C:\Program Files\SaveKeep Software\SaveKeep\SaveKeepSvc.exe
C:\Program Files\SaveKeep Software\SaveKeep\uninstall.exe
C:\WINDOWS\127384hsjdue98.dll
C:\WINDOWS\187457dngjut96.exe
C:\WINDOWS\2147downloadzr56478.exe
C:\WINDOWS\36974virz4715.exe
C:\WINDOWS\52df6pyzar85512.bin
C:\WINDOWS\74165ziru87d.dll
C:\WINDOWS\713fsp5rsz9714.ocx
C:\WINDOWS\12785wo9m7z32.ocx

How to Remove SaveKeep and SaveDefender

1. Kill any running process that belongs to SaveKeep.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for the following files and click End Task.
nhs7yj98.exe or (random).exe

2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit. This will open registry editor.
- Find and delete the following:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "nhs7yj98.exe"
- Close registry editor. Changes made will be saved automatically.

3. Scan the computer with an antivirus program.
- Connect to the Internet and open your antivirus software. Update it to obtain the latest database and necessary files.
- Restart the computer in Safe Mode.
- Just before the Windows logo begins to load, press F8 on your keyboard.
- On Windows Advanced Boot Options, select Safe Mode and press Enter.

4. Delete all files dropped by SaveKeep.
- While still in Safe Mode, search for and delete the malicious files. Please refer to 'Associated Files and Folders.'
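
To confirm that the manual steps above left nothing behind, the following read-only PowerShell audit checks the registry keys, Run values, dropped files and process names listed on this page. It is an added example, not part of the original write-up; mapping the page's Windows XP paths to `$env:ProgramFiles`, `$env:TEMP` and `$env:windir` is an assumption.

```powershell
# Added example: read-only audit for the SaveKeep indicators listed on this page.
# It deletes nothing; it only reports which indicators are still present.

# Registry keys, named exactly as in "Added Registry Entries"
$keys = @(
    'HKEY_CURRENT_USER\Software\SaveKeep',
    'HKEY_CLASSES_ROOT\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveKeep',
    'HKEY_LOCAL_MACHINE\SOFTWARE\SaveKeep',
    'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVEKEEPSVC',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SaveKeepSvc'
)
# Autostart value names under the per-user Run key
$runKey    = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @('nhs7yj98.exe', 'SaveKeep')

# Files and folders; the page's XP paths are mapped to environment variables (assumption)
$paths = @(
    (Join-Path $env:ProgramFiles 'SaveKeep Software'),
    (Join-Path $env:TEMP 'nhs7yj98.exe'),
    (Join-Path $env:TEMP 'Pnhyy6ts.exe')
)
$paths += '127384hsjdue98.dll', '187457dngjut96.exe', '2147downloadzr56478.exe',
          '36974virz4715.exe', '52df6pyzar85512.bin', '74165ziru87d.dll',
          '713fsp5rsz9714.ocx', '12785wo9m7z32.ocx' |
          ForEach-Object { Join-Path $env:windir $_ }

$report = @()
foreach ($k in $keys) {
    $present = Test-Path -LiteralPath "Registry::$k"
    $report += [pscustomobject]@{ Type = 'RegistryKey'; Indicator = $k; Present = $present }
}
foreach ($v in $runValues) {
    # Returns nothing when the value (or the Run key itself) does not exist
    $hit = Get-ItemProperty -LiteralPath $runKey -Name $v -ErrorAction SilentlyContinue
    $report += [pscustomobject]@{ Type = 'RunValue'; Indicator = $v; Present = [bool]$hit }
}
foreach ($p in $paths) {
    $present = Test-Path -LiteralPath $p
    $report += [pscustomobject]@{ Type = 'Path'; Indicator = $p; Present = $present }
}
# Get-Process expects names without the .exe extension
foreach ($n in 'nhs7yj98', 'SaveKeep', 'SaveKeepSvc') {
    $proc = Get-Process -Name $n -ErrorAction SilentlyContinue
    $report += [pscustomobject]@{ Type = 'Process'; Indicator = $n; Present = [bool]$proc }
}

$report | Sort-Object Present -Descending | Format-Table -AutoSize
```

A row with Present = True after cleanup means the corresponding removal step needs repeating. Because the page notes that the executable name can be random, a clean report does not rule out a renamed copy.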

Automatic Removal of SaveKeep

In order to completely remove the threat, download and run Malwarebytes Anti-Malware (MBAM). Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing it on the infected machine.

What to do next...