Jump to content

Scan Isn't Finding or Removing Unwanted Program: "MySafeSavings"


Recommended Posts

Hoping I can get some help here.  I am a total newbie at virus removal but can usually understand and follow directions carefully...   :unsure:

 

My son clicked on a "Download" ad rather than the correct download link on Saturday, and as a result we saw an immediate and overwhelming problem with ads, homepages, toolbars, etc.!  Downloaded and scanned with Malwarebytes immediately.   It found and quarantined most of the mess.  Repeated scan many times.  After the first time it just kept finding what appeared to be the one same threat.  (Though that's hard for me to tell. Same file path. ??)  But I kept running the scan and deleting the one possible threat, until eventually it found nothing. Rebooted after each scan/removal.

 

Began resuming normal computer use and found some quirky browser behavior that suggested problems were still present.  Reset all browsers to default settings. But upon exploring inside my Programs folder, I found a program that shouldn't have been there and that had been installed when the "Download" accident occurred. It is called "MySafeSavings."  I attempted to uninstall using Windows, but it wouldn't allow this to go through.  (Responded to my uninstall attempts by opening a browser tab that was a 404 error.)  

 

So, I booted into safe mode and searched for any files with "MySafeSavings".  Found five files including the program folder and the .exe file it contained.  Deleted it all in safe mode. (And also deleted it all from the Recycle Bin.) Rebooted, in normal mode, and ran the same search for "MySafeSavings."    The program folder had reappeared, but was empty.  I attempted to delete it but it said I did not have administrative privileges.  Added myself as an administrator and was able to delete it successfully. 

 

But, it reappears on every reboot and when I look in Control Panel > Programs, the program is still listed and will still not allow me to uninstall.  (Since deleting the .exe, I have noticed that mysafesavings.exe no longer appears in my active processes list in Task Manager -- which it had before.  I guess this is a good sign...?!  But something, somewhere is making the program folder continually reappear.)

 

Have rescanned with Malwarebytes many times throughout this and it finds nothing.  

 

1.  I'm a worrier and I totally don't like that unwanted program hanging around and continually reappearing and resisting uninstall!  Should I be concerned at this point?  I'm convinced this means my personal information is being stolen and distributed across the globe even as I type this...?!   :(   Ok, not really, but I am very concerned.

2.  Even if I am concerned, what can I do to get rid of it, if Malwarebytes isn't recognizing it as a threat, and if my attempts to uninstall/delete aren't working?

 

Thanks for any expert advice!  Any input is so appreciated!   :unsure:

Link to post
Share on other sites

Hello,

    

 

They call me TwinHeadedEagle around here, and I'll try to help your with your issue.

 

     

    

Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time. Keep in mind that private life gets in the way too. Note that we may live in totally different time zones, what may cause some delays between answers.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
:excl: I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

:excl: There are no silly questions. Never be afraid to ask if in doubt!

 

 

 

  warning.gif Rules and policies

 

We won't support any piracy.

That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

 

Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.

 

 


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.

Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.

    x5o4gh.png

  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Link to post
Share on other sites

Okay, let's perform one short check first:
 
 
FRST.gif Fix with Farbar Recovery Scan Tool
 

icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please upload it to your reply.

fixlist.txt

Link to post
Share on other sites

Yes, it is normal to happen. Okay, let's proceed with this fix:
 
 
FRST.gif Fix with Farbar Recovery Scan Tool
 

icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please upload it to your reply.

fixlist.txt

Link to post
Share on other sites

So, it looks like that process didn't work.  Here's what I'm seeing now.

 

"MySafeSavings" still appears as an installed program.  (See screenshot.)

 

Additionally, the (empty) program folder for "MySafeSavings" is still there.  (Though now I also see the copy of it that has been quarantined by Farbar.  See screenshot.)

post-200808-0-17991000-1457371691_thumb.

post-200808-0-69577900-1457371691_thumb.

Link to post
Share on other sites

FRST.gif FRST search

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

  • Copy MySafeSavings into the Search: field in FRST then click the Search Registry button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.



FRST.gif Fix with Farbar Recovery Scan Tool
 

icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif


Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt

Link to post
Share on other sites

TwinHeadedEagle,

 

Your most recent message included two sets of instructions:  one for running a search and one for running another fix.  Is this correct?  Should I be doing both of these things -- and in that order -- or was the fix section the fix we already ran and I should ignore it?

Link to post
Share on other sites

Okay, this fix should delete all remnants:
 
FRST.gif Fix with Farbar Recovery Scan Tool
 

icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt

Link to post
Share on other sites

Rebooted and it looks like everything is gone!    :)   I no longer see MySafeSavings as an installed program, and now the only search results I'm getting for it are the two quarantined copies within FRST!  

(Screenshot attached.)  

 

So grateful for your help!  Donation coming through right now!

 

Two quick questions:

 

1.  Is there anything I need to do to finish up?  I'm guessing I can just delete FRST from the desktop and the associated quarantined files will be deleted with it?

 

2.  And, should I be worried that other problematic files are lurking here that don't have "MySafeSavings" in their file name?  In other words, if all of these "MySafeSavings" files weren't being caught by security scans, I'm wondering if there are other (differently named) files we might have inadvertently picked up in this recent accidental download that are also big problems -- but because we searched just for "MySafeSavings" we only cleaned those.  Does that make sense?  

 

Thank you, thank you, thank you!

post-200808-0-61286700-1457375210_thumb.

Link to post
Share on other sites

I made sure there are no traces of MySearchSavings on your computer. Thank you for your donation, much appreciated :)
 
 
Since there are no more problems, we can declare this PC clean thumbs_up_smiley.gif
 
Now, we can proceed with post-cleanup procedures. Let's remove my tools and create a new, non infected restore point concurrently deleting old ones.
 
 
Step 1. - Creation of system restore point and tools removal.
 
 
Download DelFix by Xplode and save it to your desktop.

  • Run the tool by right click on the 51a5ce45263de-delfix.png icon and Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes his work.
  • All tools we used should be gone. Tool will create an report for you (C:\DelFix.txt). I don't need it for review.

Tool deletes old system restore points and creates a fresh system restore point after cleaning.
 
 
Step 2. - Tips and tricks to keep your computer clean, safe and in a good shape.
 
 
Security tips - highly recommended reading:

Maintenance tips:

Additional software that I personally use and install on all my clients devices:

  • Malwarebytes' Anti-Malware (paid version highly recommended) - to scan your system from time to time in search for malware.
  • Malwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • Unchecky - to prevent from installing additional foistware, implemented in legitimate installations.
  • CryptoPrevent - tool for protection against Cryptolocker and similar ransomware infections.
  • Adblock - to surf the web without annoying ads!
  • Qualys BrowserCheck - cloud service that scans your browsers and plugins to see if they’re all up-to-date.

My help is free for everybody.
If you're happy with the help provided and/or wish to show your appreciaton, please consider a donation: btn_donateCC_LG.gif
Thank you!

 
 
 
Stay safe,
TwinHeadedEagle :)

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.