What is SystemKeeperPro?

The Malwarebytes research team has determined that SystemKeeperPro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.
More information can be found on our Malwarebytes Labs blog.

How do I know if I am infected with SystemKeeperPro?

This is how the main screen of the system optimizer looks:

main.png

You will find these icons in your taskbar, Start menu, and on your desktop:

icons.png

and see this warning during install:

warning1.png

and these screens during "operations":

warning2.png

warning3.png

You may see this entry in your list of installed programs:

warning4.png

How did SystemKeeperPro get on my computer?

These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their site.
trick.png

How do I remove SystemKeeperPro?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of SystemKeeperPro?

  • No, Malwarebytes Anti-Malware removes SystemKeeperPro completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this system optimizer.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the SystemKeeperPro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it was too late.
 

protection1.png


and we block access to their domain:
 

protection2.png


Technical details for experts

You may see these entries in FRST logs:
 
 () C:\Users\{username}\AppData\Roaming\SystemKeeperPro\SystemKeeperPro.exe
 HKCU\...\Run: [SystemKeeperPro] => C:\Users\{username}\AppData\Roaming\SystemKeeperPro\SystemKeeperPro.exe [1615840 2016-08-11] ()
 C:\Users\{username}\AppData\Roaming\skp
 C:\Users\{username}\AppData\Roaming\SystemKeeperPro
 C:\Users\{username}\Desktop\SystemKeeperPro.lnk
 C:\Users\{username}\AppData\Roaming\SystemKeeperProUninst
 C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SystemKeeperPro

SystemKeeperPro (HKCU\...\{742AFBBD-00FF-4811-B38D-004CF0620922}_is1) (Version: 12.1.0.26 - Monterix, LLC)
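
For helpers who triage FRST logs, the entries above can be matched mechanically. The following is an added example, not part of the original guide or of any Malwarebytes tool; the function names, the "alice" profile name and the sample log lines are constructed for illustration.

```python
import re

# Indicators copied from the FRST entries on this page; "{username}" is the
# page's own placeholder for the Windows profile name.
PATHS = {
    "app folder": r"C:\Users\{username}\AppData\Roaming\SystemKeeperPro",
    "uninstaller folder": r"C:\Users\{username}\AppData\Roaming\SystemKeeperProUninst",
    "data folder": r"C:\Users\{username}\AppData\Roaming\skp",
    "desktop shortcut": r"C:\Users\{username}\Desktop\SystemKeeperPro.lnk",
    "start menu folder": r"C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SystemKeeperPro",
}
LITERALS = {
    "Run value": r"\Run: [SystemKeeperPro]",
    "uninstall key": "{742AFBBD-00FF-4811-B38D-004CF0620922}_is1",
}

def build_patterns():
    """Compile one case-insensitive regex per indicator."""
    patterns = {}
    for label, template in PATHS.items():
        body = re.escape(template).replace(re.escape("{username}"), r"[^\\]+")
        # (?!\w) keeps "SystemKeeperPro" from also matching "SystemKeeperProUninst".
        patterns[label] = re.compile(body + r"(?!\w)", re.IGNORECASE)
    for label, literal in LITERALS.items():
        patterns[label] = re.compile(re.escape(literal), re.IGNORECASE)
    return patterns

def triage(log_text):
    """Return (line_number, labels, line) for each log line that matches."""
    patterns = build_patterns()
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        labels = [name for name, rx in patterns.items() if rx.search(line)]
        if labels:
            hits.append((number, labels, line.strip()))
    return hits

# Constructed sample log ("alice" and the OneDrive line are made up).
SAMPLE_FRST = "\n".join([
    r"() C:\Users\alice\AppData\Roaming\SystemKeeperPro\SystemKeeperPro.exe",
    r"HKCU\...\Run: [SystemKeeperPro] => C:\Users\alice\AppData\Roaming\SystemKeeperPro\SystemKeeperPro.exe [1615840 2016-08-11] ()",
    r"HKCU\...\Run: [OneDrive] => C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"C:\USERS\ALICE\APPDATA\ROAMING\SKP",
    r"C:\Users\alice\AppData\Roaming\SystemKeeperProUninst",
    r"SystemKeeperPro (HKCU\...\{742AFBBD-00FF-4811-B38D-004CF0620922}_is1) (Version: 12.1.0.26 - Monterix, LLC)",
])

if __name__ == "__main__":
    for number, labels, line in triage(SAMPLE_FRST):
        print(f"line {number}: {', '.join(labels)} -> {line}")
```

Matching is case-insensitive because the same paths appear in both mixed case and upper case in the logs on this page.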

Alterations made by the installer:
 
File system details [View: All details] (Selection)
---------------------------------------------------
    In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
       Adds the file SystemKeeperPro.lnk"="12/12/2016 9:15 AM, 1011 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SystemKeeperPro
       Adds the file Get Help.url"="11/16/2016 10:10 PM, 64 bytes, A
       Adds the file SystemKeeperPro.lnk"="12/12/2016 9:15 AM, 1023 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\skp
       Adds the file w3a3sge34sq.txt"="12/12/2016 9:15 AM, 16831 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\SystemKeeperPro
       Adds the file aff.txt"="12/9/2016 3:23 PM, 11 bytes, A
       Adds the file SystemKeeperPro.exe"="8/11/2016 4:23 PM, 1615840 bytes, A
       Adds the file unins000.dat"="12/12/2016 9:15 AM, 52264 bytes, A
       Adds the file unins000.exe"="12/12/2016 9:14 AM, 941024 bytes, A
       Adds the file unins000.msg"="12/12/2016 9:15 AM, 11229 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\SystemKeeperProUninst
       Adds the file botva2.dll"="3/1/2015 7:45 PM, 41984 bytes, HSA
       Adds the file CloseBtn.png"="11/17/2016 2:37 PM, 676 bytes, HSA
       Adds the file glow.png"="11/17/2016 2:27 PM, 2737 bytes, HSA
       Adds the file ico.ico"="11/10/2016 1:45 PM, 1150 bytes, HSA
       Adds the file innocallback.dll"="3/31/2006 5:34 PM, 65024 bytes, HSA
       Adds the file installer_bg.png"="11/15/2016 2:28 PM, 135019 bytes, HSA
       Adds the file ISSkin.dll"="11/4/2009 1:23 PM, 395184 bytes, HSA
       Adds the file ProgressBackground.png"="11/15/2016 4:12 PM, 2884 bytes, HSA
       Adds the file ProgressImg.png"="11/16/2016 10:29 AM, 2864 bytes, HSA
       Adds the file Untitled3.cjstyles"="11/17/2016 2:33 PM, 807936 bytes, HSA
       Adds the file wpidmap.dll"="11/25/2016 1:46 PM, 23040 bytes, HSA
    In the existing folder C:\Users\{username}\Desktop
       Adds the file SystemKeeperPro.lnk"="12/12/2016 9:15 AM, 1031 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
       "SystemKeeperPro"="REG_SZ", "C:\Users\{username}\AppData\Roaming\SystemKeeperPro\SystemKeeperPro.exe /ot"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{742AFBBD-00FF-4811-B38D-004CF0620922}_is1]
       "DisplayIcon"="REG_SZ", "C:\Users\{username}\AppData\Roaming\SystemKeeperPro\unins000.exe"
       "DisplayName"="REG_SZ", "SystemKeeperPro"
       "DisplayVersion"="REG_SZ", "12.1.0.26"
       "EstimatedSize"="REG_DWORD", 3940
       "HelpLink"="REG_SZ", "http://www.systemkeeperpro.us/support/"
       "Inno Setup: App Path"="REG_SZ", "C:\Users\{username}\AppData\Roaming\SystemKeeperPro"
       "Inno Setup: Icon Group"="REG_SZ", "SystemKeeperPro"
       "Inno Setup: Language"="REG_SZ", "english"
       "Inno Setup: Setup Version"="REG_SZ", "5.5.1.ee1 (a)"
       "Inno Setup: User"="REG_SZ", "{username}"
       "InstallDate"="REG_SZ", "20161212"
       "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\SystemKeeperPro\"
       "MajorVersion"="REG_DWORD", 12
       "MinorVersion"="REG_DWORD", 1
       "NoModify"="REG_DWORD", 1
       "NoRepair"="REG_DWORD", 1
       "Publisher"="REG_SZ", "Monterix, LLC"
       "QuietUninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\SystemKeeperPro\unins000.exe" /SILENT"
       "UninstallDataFile"="REG_SZ", "C:\Users\{username}\AppData\Roaming\SystemKeeperPro\unins000.dat"
       "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\SystemKeeperPro\unins000.exe""
       "URLInfoAbout"="REG_SZ", "www.systemkeeperpro.us"
    [HKEY_CURRENT_USER\Software\SystemKeeperPro]
       "Activated"="REG_DWORD", 0
       "AutoRun"="REG_DWORD", 1
       "BackupDir"="REG_SZ", "Backup\"
       "CloseToTray"="REG_DWORD", 1
       "DemoFixTriesCnt"="REG_DWORD", 0
       "ErrFixed"="REG_DWORD", 0
       "ErrFound"="REG_DWORD", 0
       "IDLang"="REG_DWORD", 0
       "InstallID"="REG_SZ", ""
       "LastDemoFixDatei"="REG_BINARY, ....
       "LastFixDatei"="REG_BINARY, ....
       "LastScanDatei"="REG_BINARY, ....
       "LastSuccDemoFixDatei"="REG_BINARY, ....
       "LastTrayMsgDatei"="REG_BINARY, ....
       "MinAngPrcnt"="REG_BINARY, ....
       "PhSuppNum"="REG_SZ", ""
       "ProxyHost"="REG_SZ", ""
       "ProxyLogin"="REG_SZ", ""
       "ProxyPassw"="REG_SZ", ""
       "ProxyPort"="REG_SZ", ""
       "SerialNum"="REG_SZ", ""
       "ShowTrayHints"="REG_DWORD", 1

Malwarebytes Anti-Malware log:
 
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/12/16
Scan Time: 9:24 AM
Logfile: mbamSystemKeeperPro.txt
Administrator: Yes

-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.697
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: METALLICA-PC\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 351017
Time Elapsed: 8 min, 36 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
PUP.Optional.SystemKeeperPro, C:\USERS\METALLICA\APPDATA\ROAMING\SYSTEMKEEPERPRO\SYSTEMKEEPERPRO.EXE, Quarantined, [2748], [351883],1.0.697

Module: 1
PUP.Optional.SystemKeeperPro, C:\USERS\METALLICA\APPDATA\ROAMING\SYSTEMKEEPERPRO\SYSTEMKEEPERPRO.EXE, Quarantined, [2748], [351883],1.0.697

Registry Key: 1
PUP.Optional.SystemKeeperPro, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{742AFBBD-00FF-4811-B38D-004CF0620922}_is1, Delete-on-Reboot, [2748], [351883],1.0.697

Registry Value: 1
PUP.Optional.SystemKeeperPro, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|SystemKeeperPro, Delete-on-Reboot, [2748], [351883],1.0.697

Data Stream: 0
(No malicious items detected)

Folder: 4
PUP.Optional.SystemKeeperPro, C:\USERS\METALLICA\APPDATA\ROAMING\SystemKeeperPro, Delete-on-Reboot, [2748], [351883],1.0.697
PUP.Optional.SystemKeeperPro, C:\USERS\METALLICA\APPDATA\ROAMING\SystemKeeperProUninst, Delete-on-Reboot, [2748], [351884],1.0.697
PUP.Optional.SystemKeeperPro, C:\USERS\METALLICA\APPDATA\ROAMING\SKP, Delete-on-Reboot, [2748], [351890],1.0.697
PUP.Optional.SystemKeeperPro, C:\USERS\METALLICA\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SYSTEMKEEPERPRO, Delete-on-Reboot, [2748], [351882],1.0.697

File: 23
PUP.Optional.SystemKeeperPro, C:\USERS\METALLICA\APPDATA\ROAMING\SYSTEMKEEPERPRO\SYSTEMKEEPERPRO.EXE, Delete-on-Reboot, [2748], [351883],1.0.697
PUP.Optional.SmartKeeperPro, C:\USERS\METALLICA\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\SYSTEMKEEPERPRO.LNK, Delete-on-Reboot, [2749], [351879],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperPro\aff.txt, Delete-on-Reboot, [2748], [351883],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperPro\rawlog.txt, Delete-on-Reboot, [2748], [351883],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperPro\unins000.dat, Delete-on-Reboot, [2748], [351883],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperPro\unins000.exe, Delete-on-Reboot, [2748], [351883],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperPro\unins000.msg, Delete-on-Reboot, [2748], [351883],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperProUninst\botva2.dll, Delete-on-Reboot, [2748], [351884],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperProUninst\CloseBtn.png, Delete-on-Reboot, [2748], [351884],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperProUninst\glow.png, Delete-on-Reboot, [2748], [351884],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperProUninst\ico.ico, Delete-on-Reboot, [2748], [351884],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperProUninst\innocallback.dll, Delete-on-Reboot, [2748], [351884],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperProUninst\installer_bg.png, Delete-on-Reboot, [2748], [351884],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperProUninst\ISSkin.dll, Delete-on-Reboot, [2748], [351884],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperProUninst\ProgressBackground.png, Delete-on-Reboot, [2748], [351884],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperProUninst\ProgressImg.png, Delete-on-Reboot, [2748], [351884],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperProUninst\Untitled3.cjstyles, Delete-on-Reboot, [2748], [351884],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\SystemKeeperProUninst\wpidmap.dll, Delete-on-Reboot, [2748], [351884],1.0.697
PUP.Optional.SystemKeeperPro, C:\USERS\METALLICA\APPDATA\ROAMING\SKP\RAWLIST.DAT, Delete-on-Reboot, [2748], [351890],1.0.697
PUP.Optional.SystemKeeperPro, C:\USERS\METALLICA\DESKTOP\SYSTEMKEEPERPRO.LNK, Delete-on-Reboot, [2748], [351880],1.0.697
PUP.Optional.SystemKeeperPro, C:\USERS\METALLICA\DESKTOP\SYSTEMKEEPERPROINST.EXE, Delete-on-Reboot, [2748], [351887],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SystemKeeperPro\Get Help.url, Delete-on-Reboot, [2748], [351882],1.0.697
PUP.Optional.SystemKeeperPro, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SystemKeeperPro\SystemKeeperPro.lnk, Delete-on-Reboot, [2748], [351882],1.0.697

Physical Sector: 0
(No malicious items detected)


(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.