What is FindMeSavings?

The Malwarebytes research team has determined that FindMeSavings is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by FindMeSavings?

You may see this Scheduled Task:

[Image: warning3.png]

How did FindMeSavings get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove FindMeSavings?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to:
    Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now, or select Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of FindMeSavings?

  • No, Malwarebytes Anti-Malware removes FindMeSavings completely.
  • This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the FindMeSavings adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
 

[Image: protection1.png]


Technical details for experts

Possible signs in FRST logs:
 C:\Windows\System32\Tasks\rundll
 C:\Windows\Tasks\rundll.job
 C:\ProgramData\FindMeSavings

Task: {D8CD4FA2-2B77-4A96-80C9-86510F8C596C} - System32\Tasks\rundll => Rundll32.exe "C:\ProgramData\FindMeSavings\FindMeSavings.dll",tnk
Task: C:\Windows\Tasks\rundll.job => C:\Windows\system32\rundll32.exe5C:\ProgramData\FindMeSavings\FindMeSavings.dll

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\ProgramData\FindMeSavings
       Adds the file 169.tmp"="8/18/2016 9:15 AM, 56 bytes, A
       Adds the file FindMeSavings.dll"="3/24/2014 4:42 AM, 2671616 bytes, A
    In the existing folder C:\Windows\System32\Tasks
       Adds the file rundll"="8/18/2016 9:15 AM, 13218 bytes, A
    In the existing folder C:\Windows\Tasks
       Adds the file rundll.job"="8/18/2016 9:15 AM, 1486 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\MGT]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures]
       "rundll.job"="REG_BINARY, ................................
       "rundll.job.fp"="REG_DWORD", 1897806838

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/18/2016
Scan Time: 10:52 AM
Logfile: mbamFindMeSavings.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.18.02
Rootkit Database: v2016.08.15.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 318134
Time Elapsed: 8 min, 43 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.Bonanza, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E0E96F25-520D-499B-B87D-5A8B5B2DA8F3}, Delete-on-Reboot, [9dedd17bd7c3dd594b8f748749baea16], 
PUP.Optional.Bonanza, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\rundll, Delete-on-Reboot, [187282ca782268ce36a5a853d52ee61a], 

Registry Values: 1
PUP.Optional.Bonanza, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E0E96F25-520D-499B-B87D-5A8B5B2DA8F3}|Path, \rundll, Delete-on-Reboot, [9dedd17bd7c3dd594b8f748749baea16]

Registry Data: 0
(No malicious items detected)

Folders: 1
PUP.Optional.FindMeSavings, C:\ProgramData\FindMeSavings, Quarantined, [078360ecacee7db9d942c907758fae52], 

Files: 4
PUP.Optional.Bonanza, C:\Windows\System32\Tasks\rundll, Quarantined, [7d0dd6766a30c67036a2bb40669d2fd1], 
PUP.Optional.Bonanza, C:\Windows\Tasks\rundll.job, Quarantined, [93f74507f7a37fb7d70299625da6ef11], 
PUP.Optional.FindMeSavings, C:\ProgramData\FindMeSavings\169.tmp, Quarantined, [078360ecacee7db9d942c907758fae52], 
PUP.Optional.FindMeSavings, C:\ProgramData\FindMeSavings\FindMeSavings.dll, Quarantined, [078360ecacee7db9d942c907758fae52], 

Physical Sectors: 0
(No malicious items detected)


(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
Edited by Metallica
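
The FRST task entries listed under "Technical details for experts" share one pattern: a scheduled task that launches rundll32.exe on a DLL under C:\ProgramData. The following Python is an added example, not part of the original post or of any Malwarebytes or FRST tooling; it parses FRST `Task:` lines (including the legacy .job form) and flags that pattern. The directory list and the two benign sample lines are assumptions constructed for illustration.

```python
import re

# Constructed sample: the first two lines are the FRST entries quoted on this
# page; the last two are made-up benign entries for contrast.
SAMPLE_FRST = r'''
Task: {D8CD4FA2-2B77-4A96-80C9-86510F8C596C} - System32\Tasks\rundll => Rundll32.exe "C:\ProgramData\FindMeSavings\FindMeSavings.dll",tnk
Task: C:\Windows\Tasks\rundll.job => C:\Windows\system32\rundll32.exe5C:\ProgramData\FindMeSavings\FindMeSavings.dll
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\ExampleSystemTask => Rundll32.exe "C:\Windows\System32\example.dll",Entry
Task: {00000000-0000-0000-0000-000000000002} - System32\Tasks\ExampleUpdater => C:\Program Files\Example\updater.exe
'''

# Assumption: directories where a scheduled rundll32 payload deserves review.
SUSPECT_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

# "Task: <identifier> => <action>" as written by FRST.
TASK_RE = re.compile(r"^Task:\s*(?P<ident>.+?)\s*=>\s*(?P<action>.+)$")
# First DLL path after rundll32.exe. Legacy .job lines can carry a stray
# character between the executable and its argument, so search past it.
DLL_RE = re.compile(r"rundll32\.exe.*?(?P<dll>[A-Za-z]:\\[^\",]+?\.dll)",
                    re.IGNORECASE)


def flag_rundll32_tasks(frst_text):
    """Return tasks whose action runs rundll32.exe on a DLL in a suspect directory."""
    findings = []
    for line in frst_text.splitlines():
        task = TASK_RE.match(line.strip())
        if not task:
            continue
        dll = DLL_RE.search(task.group("action"))
        if not dll:
            continue  # task does not launch a DLL through rundll32
        path = dll.group("dll")
        if path.lower().startswith(SUSPECT_PREFIXES):
            # Last path component of the identifier is the task name.
            name = task.group("ident").rsplit("\\", 1)[-1]
            findings.append({"task": name, "dll": path})
    return findings


if __name__ == "__main__":
    for f in flag_rundll32_tasks(SAMPLE_FRST):
        print(f"{f['task']}: rundll32 loads {f['dll']}")
```
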