Savingscool Proxy Hijack

What is Savingscool Proxy Hijack?

Our cyber security experts have recently tested a program known as Savingscool Proxy Hijack which, as it turns out, is an adware-type application that was created for showing irritating, unwelcome promotional coupons of unknown origin. Hence, there is no telling whether they are safe to interact with and it is possible that some of its coupons can redirect you to questionable websites. Therefore, we think it would be wise to remove it altogether. However, before you do, you may want to get some background information on it.

What does Savingscool Proxy Hijack do?

On the face of it, Savingscool Proxy Hijack is just another adware-type computer infection dedicated to showing you coupons while you browse the web. It renders coupons regardless of the web browser you use, and they can be a bit annoying. However, that is not the worst part. Our malware researchers at Anti-spyware-101.com have concluded that this particular application may present you with questionable and even deceptive coupons that can redirect you to phishing websites, fictitious online shopping sites as well as websites featuring malware downloads. Therefore, it is in your best interest to avoid installing this program if you can.

Researchers say that this program runs the ads through a service named "wcmasc.exe (32bit)." Incidentally, another adware-type program called MySafeSavings also runs under the same service and its files are located in the exact same folders. Therefore, it is likely that both of these applications come from the same developers. Savingscool Proxy Hijack’s files are dropped in %ALLUSERSPROFILE%\boost_interprocess, %ALLUSERSPROFILE%\Microsoft\Windows\WindowsCredentialManager, and %AppData%\Roaming\Windows\SavingsCool. Furthermore, it places several subkeys in Windows Registry to make this program work. The subkeys are located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wcmasc, HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SCTab, HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SavingsCool, and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SavingsCool. All of these files and keys should be deleted to prevent this application from showing you coupons and collecting information.

Indeed, researchers say that it is likely that this program was configured to collect information about you and use it for advertising and marketing purposes. The collected information can include your IP address, Internet Service Provider name, browser type, operating system type, approximate geographical location and so on. All of this information is legal to collect as it is anonymous in nature. However, it can be used to assign geotargeted advertisements that make its creators more money.

Where does Savingscool Proxy Hijack come from?

The developers of this program are unknown, and it is no surprise because Savingscool Proxy Hijack is a malicious application. Our malware analysts say that this program may have been distributed on its dedicated website at Savings.cool which is currently down. Nevertheless, they have also found that its developers distribute it through malicious bundled software installers. These software bundles are featured on questionable free software hosting sites and can install this program on your PC secretly, but in some cases, the installers can allow you to uncheck the installation of this program from the custom or advanced settings menu. However, it seems that this program’s developers rely on ignorance to get this program on your computer, so be sure to check the installer of any program you download for additional software whenever it gives you this possibility.

How do I remove Savingscool Proxy Hijack?

To summarize, Savingscool Proxy Hijack is a good-for-nothing adware program that is dedicated to making money for its developers by showing you irritating and potentially deceptive coupons that can redirect you to malicious websites. Also, it collects information to customize the ad campaign to generate more revenue. Of course, this program is disseminated using rather deceptive methods that involve bundles that hide this program’s presence. If you want to remove this malicious program, please use the instructions provided below.

Removal Instructions

  1. Hold down Windows+E keys.
  2. Enter the following file paths in the File Explorer’s address box and hit Enter.
    • %ALLUSERSPROFILE%\boost_interprocess
    • %ALLUSERSPROFILE%\Microsoft\Windows\WindowsCredentialManager
    • %AppData%\Roaming\Windows\SavingsCool
  3. Right-click the contents of the folders and click Delete.
  4. Close the File Explorer.
  5. Empty the Recycle Bin.
  6. Hold down Windows+R keys.
  7. Type regedit in the dialog box and press OK.
  8. Navigate to the following registry sub keys.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SavingsCool
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SavingsCool
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SCTab
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wcmasc
  9. Delete the SavingsCool, SCTab, and wcmasc subkeys.
  10. Close the Registry Editor.
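
The same checks can be scripted. The following PowerShell script is an added example, not part of the original instructions: it reports which of the folders and registry subkeys listed above exist and deletes them (the folders themselves, not only their contents) only when run with `-Remove`. The service name `wcmasc` is taken from the registry key name, and the second `SavingsCool` path is an assumption explained in the comments.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)   # without -Remove the script only reports

# Folder paths exactly as listed in this article.
# Note: boost_interprocess is also the default shared directory of the
# Boost.Interprocess library, so that folder alone is weak evidence.
$folders = @(
    '%ALLUSERSPROFILE%\boost_interprocess',
    '%ALLUSERSPROFILE%\Microsoft\Windows\WindowsCredentialManager',
    '%AppData%\Roaming\Windows\SavingsCool',
    # Assumption: %AppData% normally already ends in \Roaming, so also
    # check the same folder without the doubled "Roaming" segment.
    '%AppData%\Windows\SavingsCool'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

# Registry subkeys from the article, in PowerShell provider syntax.
$keys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SavingsCool',
    'HKLM:\SOFTWARE\Wow6432Node\SavingsCool',
    'HKLM:\SOFTWARE\Wow6432Node\SCTab',
    'HKLM:\SYSTEM\CurrentControlSet\services\wcmasc'
)

$found = @(($folders + $keys) | Where-Object { Test-Path -LiteralPath $_ })
$svc   = Get-Service -Name 'wcmasc' -ErrorAction SilentlyContinue

if ($svc) { "Service wcmasc present, status: $($svc.Status)" }
if (-not $found) { 'No listed folders or registry keys found.' }
$found | ForEach-Object { "FOUND  $_" }

if ($Remove) {
    # Stop the service first so its files are not locked during deletion.
    if ($svc -and $svc.Status -ne 'Stopped' -and
        $PSCmdlet.ShouldProcess('wcmasc', 'Stop service')) {
        Stop-Service -Name 'wcmasc' -Force
    }
    foreach ($item in $found) {
        if ($PSCmdlet.ShouldProcess($item, 'Delete')) {
            Remove-Item -LiteralPath $item -Recurse -Force
        }
    }
}
```

Run it from an elevated prompt with no arguments to get a report, and with `-Remove -WhatIf` to preview the deletions before committing to them.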