
Scan is not removing unwanted program: "MySafeSavings"



Can you open Registry Editor: type regedit into the search option of your task bar, then select OK or tap the Enter key. Navigate to

HKEY_Local_Machine\Software

Right click directly onto the unopened "Software" folder, then select Export. Save that to your desktop and name it creed 1.

Do exactly the same for this key..

HKEY_Current_User\Software     Name it creed 2

Zip and attach those files to your next reply..

To zip up, right click on the reg file then select "Send to > Compressed (zipped) folder"

Edited by kevinf80

This is crazy, safesavings does not appear in any of the software reg keys..... Navigate to C:\Program Files (x86)\SafeSavings, right click on the unopened folder "SafeSavings" and select "Properties". In the new window select the "Security" tab. What are the ticked permissions for "Administrators"?


Download and install CCleaner from here:

http://www.piriform.com/ccleaner/builds

Make sure to go for the slim version, it should have no unwanted extras that some free software may carry... 

Run CCleaner, from the main GUI select > Tools > Uninstall tab. The installed programs list will populate. Select "SafeSavings" (if present) then "delete entry"; just continue if the folder is not present.

Next, 

Select > Cleaner > Run Cleaner > all temp files and caches will be deleted/emptied 

Next, 

Select > Registry > "Scan for Issues" > with all found entries checked select > "Fix Selected Issues" follow prompts to make back up and remove all entries...  Zip up and attach that back up reg file to your reply….

When CCleaner is finished reboot and check if this nuisance has finally gone..... or not...

Every time I reboot Zemana still pops up with this detected.

Microsoft CA
Status             : Scanned
Object             : HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F76A30F33859DFBF5B62D92F6B47A75CC387DDD5\Blob
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Root CA
Cleaning Action    : Delete
Related Objects    :
                Registry Entry - HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F76A30F33859DFBF5B62D92F6B47A75CC387DDD5\Blob

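A way to look at the root certificate Zemana flagged above before it is deleted, as an added PowerShell example that is not part of the original thread. The thumbprint and registry path come from the log above; the helper name `Get-RootCertSummary` and the export file name are made up for illustration. It changes nothing in the certificate store.

```powershell
# Thumbprint and registry path are the ones in the Zemana detection quoted above.
$thumbprint = 'F76A30F33859DFBF5B62D92F6B47A75CC387DDD5'
$regKey     = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$thumbprint"
$certPath   = "Cert:\LocalMachine\Root\$thumbprint"

# Get-RootCertSummary is a hypothetical helper name, not a built-in cmdlet.
function Get-RootCertSummary {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -Path $Path)) { return $null }   # entry is already gone
    $cert = Get-Item -Path $Path
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        SerialNumber  = $cert.SerialNumber
        SigAlgorithm  = $cert.SignatureAlgorithm.FriendlyName
        # True means the matching private key is stored on this PC.
        HasPrivateKey = $cert.HasPrivateKey
    }
}

# Cert:\LocalMachine\Root is a merged view of several physical stores,
# so the exact registry key from the detection is checked separately.
"Registry key present : $(Test-Path -Path $regKey)"

$summary = Get-RootCertSummary -Path $certPath
if ($null -eq $summary) {
    'Certificate is not in the LocalMachine\Root store.'
} else {
    $summary | Format-List
    # Keep a copy of the certificate so it can still be examined after removal.
    $out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'flagged-root-ca.cer'
    Export-Certificate -Cert (Get-Item -Path $certPath) -FilePath $out | Out-Null
    "Copy saved to $out"
}
```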

Here's a screenshot of what it found. 2 of the items are what I believe should be a false positive, because TenProxy.dll is part of a Hi-Rez video game and the Itibiti.exe is in quarantine of AdwCleaner. Also I believe the PCBugDoctor stuff was here before this infection. The only thing I really have a concern with is the Microsoft CA. I have not followed through with Zemana as of yet.


Edited by Creed

If you are sure the entries you mention are legitimate and trustworthy then let them stay for now. The first one is the same item that has been flagged before by Zemana, you can let Zemana delete that one.....

The ones you believe are trustworthy need to be checked again at VirusTotal, we need to be sure those files are not patched or exploited...

Go to http://www.virustotal.com/  navigate to each identified file in turn and let VT check them out.... Let me know the results.....
 
Next,
Do you have access to another PC to create the Windows Defender Offline Tool? I give the instructions to load to a USB flash drive. It can also be run from a CD, just change to that option in the instructions…
It can be created from the PC with issues, but a different clean PC is preferred!

Download the tool from here :- http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save to the Desktop.

You will have to select the correct version for your system, either 32 or 64 bit

Run the tool. Windows 7/8 or Vista users right click and select "Run as Administrator"

Read the instructions in the new window and select "Next"

In the new window accept the agreement.

In the new window select your USB Flash Drive, then select "Next"

In the new window ensure your Flash drive is selected, if not click on "Refresh" then select "Next"

In the new window accept the formatting alert by selecting "Next"

Files will be downloaded.

Files will be processed and created.

Flash drive will be formatted and prepared.

Files will be added to the Flash Drive and the tool will be created.

The procedure is finished and the Tool created, click on "Finish" to complete.

Plug the USB into the sick PC and boot up. If it does not boot from the flash drive, change the boot options as required: use F12 as it boots, change options...
As it boots you'll see files being loaded and the Windows splash screen. Eventually the tool will run a "Quick Scan"; follow the prompts and deal with what it finds.
When complete do a full scan, deal with what it finds.
When finished, remove the USB stick then press the Esc key to boot into regular Windows.
Navigate to the following file:

"C:\Windows\Windows Defender Offline\Support\MPLog-MM/DD/YYYY-HH/MM/SS .txt"

Open with notepad and copy and paste it into a reply.
 
Thank you,
Kevin

Here is the log from FRST

Farbar Recovery Scan Tool (x64) Version: 28-08-2016
Ran by ERIJA (29-08-2016 01:42:33)
Running from C:\Users\ERIJA\Desktop
Boot Mode: Normal

================== Search Registry: "MySafeSavings" ===========


====== End of Search ======


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

fixlist.txt

This topic is now closed to further replies.