
I have run across a PC that has "savings.cool" on it and Malwarebytes doesn't seem to want to pick up on it.

It looks like as of April 2018 people have been using Spy Hunter 4 to remove it. See attached file.

Has anyone come across this and does Malwarebytes have a solution to remove it?

Thanks.

Spy Hunter 4.jpg


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 


If you haven't done so already, please run these two tools and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer. Please allow the programs to run if blocked by your system.

  • Farbar Recovery Scan Tool (FRST)
    1. Download FRST and save it to your desktop
      Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
    2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
    3. Press the "Scan" button
    4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
      • Leave the log files in the current location, they will be automatically collected by mb-check once you complete the next set of instructions
  • MB-Check
    1. Download MB-Check and save to your desktop
    2. Double-click to run MB-Check and within a few seconds the command window will open, press "Enter" to accept the EULA then click "OK"
    3. This will produce one log file on your desktop: mb-check-results.zip
      • This file will include the FRST logs generated from the previous set of instructions
      • Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


I can't provide an installer because it was already on the PC.

I ran AdwCleaner also and it did not pick up on it.

I was able to remove it by searching the registry and deleting "savingscool" (there were two entries) and clearing the browser. Doing so removed it from the program list.

Without removing it from the registry it could not be deleted from the program list.

Hopefully it won't come back.
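
The post above describes finding two "savingscool" registry entries by hand. As an added example (not part of the original thread and not Malwarebytes tooling), this read-only PowerShell script lists matching entries; it assumes they sit under the Uninstall keys that back the installed-programs list or under the Run autostart keys, which the post does not specify, and the search pattern is constructed from the names quoted in the thread.

```powershell
# Added example: read-only search, deletes nothing.
# Assumption: the leftover entries are under Uninstall or Run keys (not stated in the post).
$Pattern = 'savings\.?\s?cool'   # regex built from the names quoted in the thread

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$hits = @()

# Each subkey here is one row in the installed-programs list.
foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $text = @($key.PSChildName, $p.DisplayName, $p.Publisher,
                  $p.UninstallString, $p.InstallLocation) -join ' '
        if ($text -match $Pattern) {
            $hits += [pscustomobject]@{
                Kind = 'Uninstall'; Key = $key.Name
                Name = $p.DisplayName; Data = $p.UninstallString
            }
        }
    }
}

# Each value here is a command started at logon.
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    $props = Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($v in $props.PSObject.Properties) {
        if ($providerProps -contains $v.Name) { continue }   # skip provider metadata
        if ("$($v.Name) $($v.Value)" -match $Pattern) {
            $hits += [pscustomobject]@{
                Kind = 'Run'; Key = $rk; Name = $v.Name; Data = $v.Value
            }
        }
    }
}

$hits | Format-List
```

Review each hit and export the key (for example with `reg export`) before deleting anything, so the change can be undone.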

 


That's OK, I'm sure we can track it down eventually based on the items you reported, it's just a matter of locating the right info to point us to the source.  I'll give some of the folks in Research a heads up to keep an eye out for it and let them know that it's something we're missing at the moment and with any luck Malwarebytes won't be missing it for much longer.

Thanks for reporting this and providing the info that you have, I'm certain it will be helpful.


I got a response from one of our volunteer experts and he pointed me to this as well as this so it seems that at least some variant(s) of this threat/PUP are already detected by Malwarebytes, so either it's old/isn't seen in the wild any more and was culled from the Malwarebytes detection database, or you've come across a new variant which hasn't had detection/signatures added to the database yet.

Either way, I've advised them of this topic and requested samples and info for the Research team and advised that detection be restored if it was culled from the database.


Just FYI, that site you linked to is for an affiliate/reseller of SpyHunter.  They're quite notorious for making false claims, stating that it will remove pretty much every threat on the planet and even ones that don't actually exist just to sell licenses to get their cut of the profits.  I'm not saying it isn't accurate, but it's not exactly a trusted resource for IT security info either.

For a little background, SpyHunter was actually classified as malware at one time by the vast majority of AV/AM vendors and the security community as a whole due to deceptive practices and spam marketing, including creating fake "infections" on systems then attempting to convince users who had installed their software to purchase a license in order to remove them, when in fact they were just registry traces that SpyHunter itself had placed there during installation.

A discussion from several users talking about their history as well as more recent experiences may be found here as well as here.

I don't know what their current status is, but personally I find it difficult to trust any corporation with such a shady history because in my opinion it sheds light on where their true priorities lie in that they didn't even begin to change their practices until their negative reputation from the security community and other security vendors began to spread to the point where their spamvertising and mass marketing campaigns were losing ground and hurting their bottom line.


You are quite welcome, and thank you for filling us in on this threat.  Hopefully the Research team will be able to track down some live samples so that Malwarebytes won't be missing it for long.

There is at least one thing to be said for Malwarebytes which has proven somewhat rare these days in their field: their free version uses the exact same scan engine and signatures as the paid version and provides removal of all detected threats without limit and without requiring any payment.  There are a few reasons for this, not the least of which being their belief and motto (as well as a sort of mission statement) that Everyone has the right to a malware free existence.  They also believe that it would be unethical to expect anyone to input personal information and payment information (credit card numbers, PayPal account info etc.) on a machine which is known to be infected; an issue that vendors who require payment for the remediation of the threats they detect seem quite unconcerned about and something that I personally would never do myself, knowing what I do about just how precious the bad guys who create and use infections for ill purposes tend to find such information (they like selling such info on the dark web as well as using it for everything from identity theft, to fraud, and of course making fraudulent purchases and charges to accounts which do not belong to them).

If they can find this threat, you can bet that Malwarebytes will add detection for it in short order which will help everyone afflicted by it, and hopefully it won't be long before that happens.  I'll be keeping my eyes open and I've already started getting attention to it from members of our community as I mentioned above, so hopefully at least one of them will come across the samples that the Research team needs soon.
