SaveArmor
Last Updated on Friday, 15 January 2010 13:11
Wednesday, 23 September 2009 13:55
SaveArmor is reported to be a rogue application. There are several ways a fake or rogue application can get onto your computer.

1) You may have downloaded it, knowingly or unknowingly, mistaking it for something else. In this case there is a single installer which, once run, downloads further files and installs them on the infected computer, so you may find all of the files listed in this article or only a few of them, depending on how far the download got.

Recently I have noticed that the malware authors also keep track of the removal instructions published on the internet. As soon as they think the malware is exposed, they change the file and folder names and the locations where they are saved on the hard disk. Bear this in mind: you will need the latest information about the malware in order to remove it.

The S!Ri.URZ blog also reports that the Trojan-Downloader uses two files, the rogue installer and a trojan fake alert. This new version also comes with a rootkit, and it patches files in memory (dump_atapi.sys and dump_WMILIB.SYS). If that happens, a virus component will still be running in memory while you are trying to remove it. If you are unable to find and delete its files as described in this article, run a memory scan with your antivirus application, and also schedule a boot-time scan so that the infected files are found and deleted before Windows loads. Most antivirus applications can do both a memory scan and a scheduled boot scan.

The latest ThreatExpert analysis reports of this rogue can be found on the ThreatExpert site. If you happen to have the rogue installer, you can submit it to ThreatExpert for analysis; that will give you precise information about this particular sample.
Files Associated
These are the different EXE file names used by this malware:
SaveArmor.exe
SaveArmorSvc.exe
It also creates a process with a random name, which differs from computer to computer. For example, the files below were found on different computers:
ntvdm.exe
4kfcdkxz.exe
k6lpnul1.exe
nc9ae1j4.exe
along with several semi-randomly named files in the C:\Windows directory.
Trying system restore
If you know roughly when your computer became infected, you can try restoring it to a restore point from before that date; this often removes the infection completely.
Free removal tools
Manual Removal
These are the steps to take if you want or need to remove the infected files manually. You may not find all of the files mentioned below on a given infected computer, since the virus adds different files depending on the variant. I have listed all the names found in the available reports.
Boot in safe mode
Sometimes you will not be able to delete a file even after you find it. In that case, boot into safe mode and then try to delete it.
Remove Processes from Task Manager
Press Ctrl+Shift+Esc to open Task Manager. Look in the list of processes for SaveArmor.exe, SaveArmorSvc.exe, ntvdm.exe and random-looking names. Select each one, press the End Process button, confirm that you want to terminate the process, and then close Task Manager. Alternatively, you can use Windows Defender to see the path and publisher of a currently running program or process, so as to tell malware processes apart from those belonging to legitimate publishers; such processes are typically listed under Unknown Publisher in Windows Defender. Note that ntvdm.exe is also the name of a legitimate Windows component, so check the path and publisher before ending a process by that name.
Removing entry from windows startup
The System Configuration utility can be started in XP and in Vista by typing msconfig in the Run box or in the Start menu search box (in XP, click Start > Run). Windows startup changes are reversible, so you can check or uncheck any startup entry as many times as you like. Once the System Configuration window is open, click the Startup tab, which lists all the programs scheduled to start with Windows. Widen the middle column with your mouse so that you can see the full path of each program. Locate and uncheck "SaveArmor", "SaveArmor Software" or SaveArmor.exe, SaveArmorSvc.exe, ntvdm.exe and any random-looking name (look out for any other suspicious names). Press Apply, press Close/OK, and select "do not restart" at the next prompt.

Removing windows Service
This malware creates a new Windows service named "SaveArmorSvc" or SaveArmor Security Service. By default it is stopped. This service can be removed by first deleting the file "SaveArmorSvc.exe" and then removing its entry from the registry, which is easily done by running CCleaner.
View Hidden Files
Before you can delete SaveArmor and its associated files you need to search for them, and before doing that you need to enable viewing of hidden files and folders.
Deleting files
After restarting the computer, use the Windows search utility to search for "SaveArmor", and also search for the names you found and removed in Task Manager or in the startup list. This search should find all of its folders on the hard disk; delete them. These are some folders that were found on different infected computers:
C:\Documents and Settings\All Users\Start Menu\Programs\SaveArmor
C:\Program Files\SaveArmor Software
C:\Program Files\SaveArmor Software\SaveArmor
%Temp%\nsg2.tmp
%Temp%\nsu3.tmp
(the folder names in Temp are also semi-randomly generated and differ from computer to computer)
Delete the above folders. These are the locations of its EXE files:
C:\Program Files\SaveArmor Software\SaveArmor\SaveArmor.exe
(the files below are randomly named)
C:\Windows\System32\ntvdm.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\4j80s24q.exe
and some other files, such as
%Temp%\nsc3.tmp\time.dll
Apart from the above, several other files were found in the C:\Windows directory of a single infected computer (the analysis report mentioned above lists them). These are semi-randomly named, so you need to look inside the C:\Windows directory and delete similar files if you find them. The names will be different on every infected computer, but you can be fairly certain that they begin with 1 or 2, have an OCX, BIN, CPL, EXE or DLL extension, are approximately 13-20 characters long, and mix letters and numbers, with a garbled malware-related word inserted in the middle, such as not-a-virus, virus, hack, backdoor, worm, spambot and so on.
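As an added example (not part of the original article or of ThreatExpert's report), here is the naming heuristic above turned into a small Python triage helper that flags directory entries fitting the pattern; the keyword list, the edit budget and the length limits are my assumptions, and a hit is only a reason to check the file's path and publisher, not proof by itself.

```python
from typing import Dict, Iterable, Optional

# Naming heuristic taken from the article: dropped files in C:\Windows start with
# 1 or 2, are roughly 13-20 characters long, mix letters and digits, carry one of
# these extensions and embed a garbled malware-related word.
EXTENSIONS = {"ocx", "bin", "cpl", "exe", "dll"}
KEYWORDS = ("not-a-virus", "downloader", "backdoor", "hacktool", "spambot",
            "spyware", "trojan", "threat", "adware", "virus", "steal", "thief", "worm")

# Constructed sample listing: three names from the article's list plus two benign ones.
SAMPLE_LISTING = ["15975virus6z9.exe", "13573wo9m83z.cpl", "14902not-z9virus4b5.cpl",
                  "notepad.exe", "1234567890ab.dll"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute), used to see through the garbling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def garbled_keyword(stem: str) -> Optional[str]:
    """Return the malware word hidden in stem, allowing a few edits (thresholds are assumed)."""
    for kw in KEYWORDS:
        budget = max(1, len(kw) // 4)  # assumption: 1 edit for short words, 2 for long ones
        for width in range(len(kw) - budget, len(kw) + budget + 1):
            for start in range(len(stem) - width + 1):
                if levenshtein(stem[start:start + width], kw) <= budget:
                    return kw
    return None


def looks_like_savearmor_dropper(filename: str) -> Optional[str]:
    """Return the matched keyword if filename fits the article's pattern, else None."""
    name = filename.lower()
    stem, dot, ext = name.rpartition(".")
    if not dot or ext not in EXTENSIONS or name[0] not in "12":
        return None
    if not 12 <= len(name) <= 24:  # "approx 13-20", widened a little (assumption)
        return None
    if not (any(c.isalpha() for c in stem) and any(c.isdigit() for c in stem)):
        return None
    return garbled_keyword(stem)


def scan_names(names: Iterable[str]) -> Dict[str, str]:
    """Map each suspect name to the word it hides; feed it os.listdir(r"C:\Windows")."""
    return {n: kw for n in names if (kw := looks_like_savearmor_dropper(n))}
```

Running `scan_names(SAMPLE_LISTING)` flags the three article-style names and ignores the benign ones; on a real machine pass it the listing of the C:\Windows directory.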
Run CCleaner
After deleting SaveArmor and its associated files, there will be leftover entries in the Windows registry. CCleaner is a free temp-file and registry cleaner that will clean the registry automatically and also remove temp files.
Edit Registry
If you are comfortable using the regedit command, you can remove the registry modifications yourself; they are documented in any of the reports mentioned at the beginning of this article.
More Problems
If you are unable to open Task Manager, the registry editor, System Restore, Folder Options etc. because the virus has disabled them, there are free tools and techniques to solve this problem. They are listed here:
Tools for Windows XP
Tools for Windows Vista

Use the system file checker
Use it if you want to make sure that the Windows system files have not been altered by the virus, and to repair them in case they have been.
Unable to access security related sites
This can happen if your Hosts file has been altered. To repair or edit the hosts file, log in as administrator and open the following file in Notepad:
C:\WINDOWS\system32\drivers\etc\hosts
Remove anything other than the line 127.0.0.1 localhost, then save and close the file.

Using Firewall
Check your firewall for any suspicious communication from your computer to the internet and block it. The malware communicates with the following sites:
Reprinted with permission from ThreatExpert.com
