SaveDefender
Last Updated on Friday, 15 January 2010 13:11
Sunday, 20 September 2009 09:19
SaveDefender is reported to be a rogue security application. There are several ways a fake/rogue application can get onto your computer. 1) You may have downloaded it, knowingly or unknowingly, mistaking it for something else.
The S!Ri.URZ blog also reports that the Trojan-Downloader uses two files: the rogue installer and a fake-alert trojan. This new version also comes with a rootkit, and it patches files in memory (dump_atapi.sys and dump_WMILIB.SYS). If that happens, a malicious component will be running in memory while you are trying to remove the rogue, and it may interfere with the removal. If you are unable to find and delete its files as described in this article, run a memory scan with your antivirus application, and also schedule a boot-time scan so that the infected files are found and deleted before Windows (and with it the rootkit) is fully loaded. Most antivirus applications offer both a memory scan and a scheduled boot scan. You can find the latest ThreatExpert analysis reports of this rogue on this link. If you have the rogue installer, you can submit it to the ThreatExpert site to have it analyzed; that will give you precise information about the particular sample on your computer.
Files Associated
These are the EXE file names used by this malware:
SaveDefender.exe
SaveDefenderSvc.exe
It also creates a process with a random name that differs from computer to computer. For example, the files below were found on different computers:
4j80s24q.exe
m3i2ot68.exe
plus several semi-randomly named files in the C:\Windows directory (listed under Deleting files below).
Trying System Restore
If you know roughly when your computer was infected, you can try restoring it to a restore point from before that date; this often removes the infection in one step. It will not help if the rogue has disabled System Restore (see More Problems below) or if there is no restore point older than the infection, and you should still scan the computer afterwards.
Free removal tools
Manual Removal
These are the steps to take if you want or need to remove the infected files manually. You may not find all the files mentioned below on an infected computer; the malware adds different files depending on the variant. I have listed all the names found in the available reports.
Boot in Safe Mode
Sometimes you will not be able to delete a file even after you find it, because it is in use. In that case boot into Safe Mode (press F8 while Windows starts) and try to delete it again.
Remove Processes from Task Manager
Press Ctrl+Shift+Esc to open Task Manager. In the Processes list look for SaveDefender.exe, SaveDefenderSvc.exe and any random-looking name. Select each one, press End Process, confirm, and then close Task Manager. Task Manager does not show the file's path by default, so a random-looking name could also belong to a legitimate program; check the path before ending a process you do not recognize. Alternatively, you can use Windows Defender (Tools > Software Explorer > Currently Running Programs) to see the path and publisher of each running program, which helps to tell malware processes from those of legitimate publishers. The malware processes usually appear under Unknown Publisher in Windows Defender.
Removing the entry from Windows startup
System Configuration can be started in XP and Vista by typing msconfig in the Run box (XP: Start > Run) or in the Vista Start Menu search box. Changes to the startup list are reversible, so you can check or uncheck an entry any number of times. When the System Configuration window opens, click the Startup tab, which lists all the programs scheduled to start with Windows. Widen the middle column with the mouse so that you can see each program's full path. Locate and uncheck "SaveDefender", "SaveDefender Software", SaveDefender.exe, SaveDefenderSvc.exe and any random-looking name (and look for any other suspicious entries). Press Apply, then Close/OK, and choose "Exit without restart" at the next prompt.
Removing the Windows service
This malware creates a new Windows service named "SaveDefenderSvc" or "SaveDefender Security Service". By default it is stopped. After deleting the file SaveDefenderSvc.exe, remove the service itself from the registry; this is easily done by running CCleaner, or, if the service name is SaveDefenderSvc, from an administrative command prompt with sc delete SaveDefenderSvc (sc takes the service name, not the display name).
View Hidden Files
Before you can delete SaveDefender and its associated files you need to find them, and before that you need to make hidden files and folders visible. In Windows Explorer open Tools > Folder Options > View (Vista: Organize > Folder and Search Options > View), select "Show hidden files and folders", and clear "Hide protected operating system files" and "Hide extensions for known file types" so that the file names and extensions listed below are shown.
Deleting files
After restarting the computer, use the Windows search utility to search for "SaveDefender" and also for the names you found and removed in Task Manager or in the startup list. The search should find all of the malware's folders on the hard disk; delete them. These are some folders that were found on different infected computers:
C:\Documents and Settings\All Users\Start Menu\Programs\SaveDefender
C:\Program Files\SaveDefender Software
C:\Program Files\SaveDefender Software\SaveDefender
%Temp%\nsg2.tmp
%Temp%\nsu3.tmp
(the folders in Temp also have semi-randomly generated names, so they differ from computer to computer)
Delete the above folders. These are the locations of its EXE files:
C:\Program Files\SaveDefender Software\SaveDefender\SaveDefender.exe
C:\Windows\System32\4j80s24q.exe (randomly named)
C:\Documents and Settings\[UserName]\Local Settings\Temp\4j80s24q.exe (randomly named)
and some other files:
%Temp%\nsg3.tmp\time.dll
Apart from the above, several other files were found in the C:\Windows directory; they are listed below. Their names are semi-random, so you need to look inside the C:\Windows directory and delete similar files if found. The files below were found on a single computer, and the names will be different on every infected computer, but according to the reports they begin with 1 or 2, have an OCX, BIN, CPL, EXE or DLL extension, are approximately 13-20 characters long, and mix letters and numbers, and some of them have garbled text such as not-a-virus, virus, hack, backdoor, worm or spambot inserted in the middle. Because this is a pattern rather than an exact list, check each candidate (creation date, publisher, whether it is in use) before deleting it, so that you do not remove a legitimate Windows file by mistake. This is the analysis report where I found these files.
1021thre951733z.dll 10551hacktool95z.dll 10559v9rzs71d.ocx 106985roj1z.ocx 10a0backzo5r9201.ocx 10b65z92597.cpl 111925orz58.exe 11573viru5z7f9.ocx 12091vi5zs9f.exe 13531vir9s4f6z.cpl 13790spamzot5289.exe 13909viruz507.cpl 13f5vir9175z.bin 14514zo5m1b9.dll 145505ot9a-viruz77e.dll 14561not59-virus3z5.exe 14577ha59tozl3a9.ocx 145809roj75z.bin 146ez95ware1563.ocx 14869hrea51z395.dll 1500995rz7da.dll 1504spazbot5499.cpl 15059hrezt32482.dll 150905pycz.ocx 15278v5ru926z.cpl 1595steal902z.bin 1596ztroj439.cpl 15bspzw9re2854.ocx 162339pamboz658.cpl 16255notza5vi9us48f.ocx 165z95py7779.cpl 165zt5reat320149.ocx 16655worz79a.dll 16928not-a-viru92az5.bin 16c2zdd95re2881.exe 17395wor52cfz.cpl 177z9vi5us9b.ocx 17818not-a-vi5u9z56.exe 1789zworm5a45.ocx 1807z5p9ac.ocx 18505tzoj5699.dll 185ct9reatz22515.ocx 185z5sp957.bin 18645tealz8309.exe 18z52t59j54a.ocx 18z795pambot7c3.exe 19147no5-a-virusfcz.ocx 19194s5y5z3.cpl 19259t9oj795z.dll 19383vi5usz52.exe 19952wzrmd2.exe 1997steal358z.bin 19z56hackt5ol6e99.bin 19z795py7dc9.dll 1a5b9ckdzor2072.bin 1a5z5pyw9re1255.bin 1afzthief21905.ocx 1b99zhreat25578.ocx 1c6d5wzloader24119.ocx 1d3tzi5f970.bin 1d9fa5dware1966z.bin 1z005sp548c9.dll 1z085spambot49d.dll 1z499s5y3dc9.ocx 1z695spy194.exe 20469tr95z6e.dll 20515trz5194.dll 20bathi591z26.cpl 20ez5par9e701.cpl 21339troj2az5.ocx 2191zspam5ot716.ocx 226z9tr5j2c9.ocx 22905not-5zvirus6bb.dll 22z50hackto9l297.ocx 23239s5z20.bin 23470spa59zt3df.dll 2359spamzot14.dll 2388v9zu5ac.exe 23995spz675.dll 24392spy77z5.cpl 243caddw5re9199z.exe 24555spy7zc9.ocx 2456backdz9r1533.exe 25799hacktool1z0.exe 258z2hackt9ol7af.cpl 25923no9-azvi5us389.cpl 25abdownloaderz9.exe 25adaddwaz92598.cpl 25z99hre5t15794.dll 26198hzckto9l653.dll 264b9ack5ozr2880.cpl 264z5w95m555.bin 26579pyware5z67.bin 26899spamboz135.exe
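Because the dropped files are identified by a naming pattern rather than a fixed list, the following added example (not code from the page or from ThreatExpert) turns the description above into a heuristic and runs it over a constructed directory listing: eleven names copied from the list above plus four benign names. The stem-length bounds of 10 to 20 characters are an assumption taken from the listed names (the report says "approx 13-20"), and the marker words are matched by any intact three-letter fragment, because the rogue corrupts them ("viru5z", "hackt5ol"). A hit only narrows the candidates; verify each file by hand before deleting it.

```python
import os
import re

# Heuristic for the semi-randomly named files this rogue drops into C:\Windows,
# based on the description above: the name starts with 1 or 2, mixes letters
# and digits, has an OCX/BIN/CPL/EXE/DLL extension and often carries a garbled
# malware word ("virus", "hacktool", "not-a-virus", ...). The stem-length
# bounds (10-20) are an assumption taken from the names in the list above.
SUSPECT_EXTENSIONS = ("ocx", "bin", "cpl", "exe", "dll")
MARKERS = ["not-a-virus", "virus", "hacktool", "backdoor", "worm", "spambot",
           "trojan", "spyware", "adware", "downloader", "threat", "stealer",
           "thief"]
MIN_STEM, MAX_STEM = 10, 20

_NAME_RE = re.compile(r"^[12][a-z0-9-]{%d,%d}\.(?:%s)$"
                      % (MIN_STEM - 1, MAX_STEM - 1, "|".join(SUSPECT_EXTENSIONS)))


def _trigrams(word):
    return {word[i:i + 3] for i in range(len(word) - 2)}


_MARKER_TRIGRAMS = {m: _trigrams(m) for m in MARKERS}


def is_suspect(name):
    """True if the file name fits the dropped-file pattern (marker or not)."""
    n = name.lower()
    if not _NAME_RE.match(n):
        return False
    stem = n.rsplit(".", 1)[0]
    return any(c.isalpha() for c in stem) and any(c.isdigit() for c in stem)


def marker_hits(name):
    """Malware words whose 3-letter fragments survive in the garbled name.

    The rogue corrupts the word ("viru5z", "hackt5ol"), so an exact substring
    test would miss most of them; any intact 3-letter run is enough to count.
    """
    stem = name.lower().rsplit(".", 1)[0]
    grams = _trigrams(stem)
    return [m for m in MARKERS if _MARKER_TRIGRAMS[m] & grams]


def scan_names(names):
    """Return [(name, markers)] for every name that fits the pattern.

    Marker hits raise confidence; a name with no hit still matches the
    structural rules and must be checked by hand before deletion.
    """
    return [(n, marker_hits(n)) for n in sorted(names) if is_suspect(n)]


def scan_directory(path):
    """Apply the heuristic to a real directory, e.g. scan_directory("C:\\Windows")."""
    return scan_names(os.listdir(path))


# Constructed directory listing: eleven names copied from the report list
# above, plus four benign names that a C:\Windows listing would also contain.
REPORT_NAMES = [
    "1021thre951733z.dll", "10551hacktool95z.dll", "13909viruz507.cpl",
    "19952wzrmd2.exe", "10b65z92597.cpl", "16928not-a-viru92az5.bin",
    "25799hacktool1z0.exe", "1c6d5wzloader24119.ocx", "2456backdz9r1533.exe",
    "13790spamzot5289.exe", "1afzthief21905.ocx",
]
BENIGN_NAMES = ["explorer.exe", "notepad.exe", "twain_32.dll", "12520437.cpx"]
SAMPLE_LISTING = REPORT_NAMES + BENIGN_NAMES

if __name__ == "__main__":
    for name, hits in scan_names(SAMPLE_LISTING):
        print("%-26s %s" % (name, ", ".join(hits) or "(no marker; verify by hand)"))
```

Run on the sample listing it flags all eleven report names and none of the benign ones; names such as 10b65z92597.cpl match the structural rules without any marker, which is exactly the case where a manual check of the file's date and publisher is needed.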
Run CCleaner
After deleting SaveDefender and its associated files there will be leftover entries in the Windows registry. CCleaner is a free temp-file/registry cleaner that will clean those orphaned registry entries and remove the temp files.
Edit the Registry
If you are comfortable using regedit, you can remove the registry modifications by hand; they are listed in any of the reports mentioned at the beginning of this article. Export a backup of each key before you delete it.
More Problems
If you are unable to open Task Manager, Registry Editor, System Restore, Folder Options etc. because the virus has disabled them, there are free tools and techniques to solve this problem. They are listed here: Tools for Windows XP; Tools for Windows Vista.
Use the System File Checker
If you want to make sure that the Windows system files have not been altered by the virus, and to repair them if they have, run sfc /scannow from an administrative command prompt (XP may ask for the Windows installation CD).
Unable to access security-related sites
This can happen if your Hosts file has been altered, so that security vendors' sites are pointed at 127.0.0.1 or at another address. To repair/edit the Hosts file, log in as administrator (on Vista, start Notepad with Run as administrator) and open the following file in Notepad:
C:\WINDOWS\system32\drivers\etc\hosts
Remove every line other than 127.0.0.1 localhost (Vista also ships ::1 localhost, which is legitimate, and lines beginning with # are comments), then save and close the file. If Notepad refuses to save, the file may have been marked read-only or hidden; clear those attributes in its Properties first.
Using a firewall
Check your firewall for any suspicious communication from your computer to the internet and block it with the firewall. Communicates with the following sites
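As an added example (not code from the page or from ThreatExpert), the Hosts-file check described above, applied to a constructed sample file: comments and the loopback-to-localhost lines are kept, every other mapping is reported for review and then stripped. The host names use the reserved .example domain and 192.0.2.10 is a documentation address; none of them come from the report, which does not list the sites this rogue redirects. The repair function backs the file up before writing and must be run from an administrator account.

```python
import ipaddress
import shutil

HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"
LOOPBACK_NAMES = {"localhost"}


def audit_hosts(text):
    """Split hosts-file text into (kept_lines, removed_entries).

    Kept: blank lines, comments and loopback -> localhost lines (the XP
    default "127.0.0.1 localhost"; Vista also ships "::1 localhost").
    Removed: every other mapping, returned as (ip, hostnames, original line)
    so the entries the rogue added can be reviewed before the file is rewritten.
    """
    kept, removed = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split("#", 1)[0].split()   # drop a trailing comment
        ip, names = fields[0], fields[1:]
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:                          # not an IP address at all
            loopback = False
        if loopback and names and all(n.lower() in LOOPBACK_NAMES for n in names):
            kept.append(line)
        else:
            removed.append((ip, names, line))
    return kept, removed


def clean_hosts_text(text):
    """Hosts-file text with only comments and localhost mappings left."""
    kept, _ = audit_hosts(text)
    return "\n".join(kept) + "\n"


def repair_hosts_file(path=HOSTS_PATH):
    """Back up the hosts file and rewrite it without the rogue's entries.

    Run from an administrator account (Vista: an elevated prompt); if the
    rogue set the read-only attribute the write fails until it is cleared.
    Returns the removed entries so they can be checked against the firewall log.
    """
    with open(path, encoding="ascii", errors="replace") as f:
        original = f.read()
    shutil.copyfile(path, path + ".bak")
    _, removed = audit_hosts(original)
    with open(path, "w") as f:
        f.write(clean_hosts_text(original))
    return removed


# Constructed sample: a default-looking hosts file plus three entries of the
# kind a rogue adds, pointing security sites at 127.0.0.1 (blocked) or at
# another address (redirected). The .example names and 192.0.2.10 are
# placeholders, not addresses from the report.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
# Comment lines and blank lines are kept as they are.

127.0.0.1       localhost
::1             localhost
127.0.0.1       securityvendor.example        # blocks the vendor's site
127.0.0.1       www.securityvendor.example
192.0.2.10      updates.securityvendor.example
"""

if __name__ == "__main__":
    kept, removed = audit_hosts(SAMPLE_HOSTS)
    for ip, names, _ in removed:
        print("remove: %-16s %s" % (ip, " ".join(names)))
    print(clean_hosts_text(SAMPLE_HOSTS))
```

The check is deliberately strict: a line that maps localhost together with another name, or maps a real site to 127.0.0.1, is reported and removed, because a stock XP or Vista hosts file contains nothing but the localhost lines and comments.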
Reprinted with permission from ThreatExpert.com
