The Malwarebytes research team has determined that MySafeSavings is adware. These adware applications display advertisements not originating from the sites you are browsing.
How do I know if my computer is affected by MySafeSavings?
You may see this type of warning during install:
and this entry in your list of installed programs:
How did MySafeSavings get on my computer?
Adware applications use different methods for distributing themselves. This particular one was bundled with other software.
How do I remove MySafeSavings?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to:
Launch Malwarebytes Anti-Malware - Then click Finish.
- Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
- If an update is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes' Anti-Malware removes MySafeSavings completely.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the MySafeSavings adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
Technical details for experts
Possible signs in FRST logs:
() C:\ProgramData\Microsoft\WindowsLogger\winlogger.exe () C:\Program Files (x86)\SafeSavings\mysafesavings.exe R2 lggr; C:\ProgramData\Microsoft\WindowsLogger\winlogger.exe [25088 2016-08-17] () [File not signed] C:\ProgramData\SafeSavings C:\Program Files (x86)\SafeSavings MySafeSavings (HKLM-x32\...\MySafeSavings) (Version: 1.0.2.2 - )Alterations made by the installer:
File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\SafeSavings Adds the file mysafesavings.exe"="8/17/2016 4:31 PM, 578048 bytes, A Adds the folder C:\ProgramData\Microsoft\WindowsLogger Adds the file winlogger.exe"="8/17/2016 4:31 PM, 25088 bytes, A Adds the folder C:\ProgramData\SafeSavings Adds the file backup.dat"="8/17/2016 4:31 PM, 578048 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MySafeSavings] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\SafeSavings\MySafeSavings.exe" "DisplayName"="REG_SZ", "MySafeSavings" "DisplayVersion"="REG_SZ", "1.0.2.2" "EstimatedSize"="REG_DWORD", 564 "Publisher"="REG_SZ", "" "UninstallString"="REG_SZ", "explorer.exe http://uninstall.mysafesavings.com" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MySafeSavings] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lggr] "Description"="REG_SZ", "Windows unexpected exceptions logger." "DisplayName"="REG_SZ", "Windows Logger" "ErrorControl"="REG_DWORD", 1 "FailureActions"="REG_BINARY, ............d...d...d. "ImagePath"="REG_EXPAND_SZ, "C:\ProgramData\Microsoft\WindowsLogger\winlogger.exe -runcmd" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lggr\Security] "Security"="REG_BINARY, ........0................p...."......................... ................................... [HKEY_CURRENT_USER\Software\MySafeSavings] "id"="REG_SZ", "713792512348164"Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 8/22/2016 Scan Time: 12:32 PM Logfile: mbamMySafeSavings.txt Administrator: Yes Version: 2.2.1.1043 Malware Database: v2016.08.22.03 Rootkit Database: v2016.08.15.01 License: Premium Malware Protection: Disabled Malicious Website Protection: Enabled Self-protection: Enabled OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username} Scan Type: Threat Scan Result: Completed Objects Scanned: 318711 Time Elapsed: 9 min, 21 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 2 PUP.Optional.MySafeSavings, C:\ProgramData\Microsoft\WindowsLogger\winlogger.exe, 3000, Delete-on-Reboot, [9d7e044a2e6cc175a2d3cb0552b229d7] PUP.Optional.MySafeSavings, C:\Program Files (x86)\SafeSavings\mysafesavings.exe, 3484, Delete-on-Reboot, [59c2b896f4a62a0c5a995d6b43bf857b] Modules: 0 (No malicious items detected) Registry Keys: 2 PUP.Optional.MySafeSavings, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\lggr, Quarantined, [9d7e044a2e6cc175a2d3cb0552b229d7], PUP.Optional.MySafeSavings, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MySafeSavings, Quarantined, [fc1f1836405a54e27add47ab9a69c33d], Registry Values: 1 PUP.Optional.MySafeSavings, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\lggr|ImagePath, C:\ProgramData\Microsoft\WindowsLogger\winlogger.exe -runcmd, Quarantined, [7aa1014d980296a00f67e5ebbb49c838] Folders: 2 PUP.Optional.MySafeSavings, C:\ProgramData\Microsoft\WindowsLogger, Delete-on-Reboot, [9d7e044a2e6cc175a2d3cb0552b229d7], PUP.Optional.MySafeSavings, C:\Program Files (x86)\SafeSavings, Delete-on-Reboot, [59c2b896f4a62a0c5a995d6b43bf857b], Files: 2 PUP.Optional.MySafeSavings, C:\ProgramData\Microsoft\WindowsLogger\winlogger.exe, Delete-on-Reboot, [9d7e044a2e6cc175a2d3cb0552b229d7], PUP.Optional.MySafeSavings, C:\Program Files (x86)\SafeSavings\mysafesavings.exe, Delete-on-Reboot, [59c2b896f4a62a0c5a995d6b43bf857b], Physical Sectors: 0 (No malicious items detected) (end)
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention