Removing Safesear.ch

I followed all the instructions from Bitdefender. Then also ran a program to delete junk (JRT or junkremoval tool) recommended by an article on malware and I downloaded and ran Malwarebytes Anti-malware Free. This managed to get the damned search hijacker off my Firefox start-up page, but it still pops up when I open a new tab. IT LOOKS LIKE THIS: "www.safesear.ch/?type=20140627-rv-ff-nt"


BTW, Bitdefender wrote to tell me that they don't deal with this kind of program because it is a PUP and has to be downloaded. But for those of us who click too quickly or miss the hijacker for other reasons, are we to be left floating on our own in cyberspace? The damned program is malicious enough to take over many Windows shortcuts and to sneak around all efforts to remove it.


Help appreciated, now that I've finished ranting.

Comments

  • I found this:


    Click 'Start menu' -> 'Control Panel' -> 'Uninstall a Program' or 'Add/Remove Programs' and choose 'Uninstall' button if you see SafeSearch in the list.


    Internet Explorer:


    Open Internet Explorer, go ‘Tools‘ -> ”Manage Add-ons’ -> ‘Toolbars and Extensions’. Here, look for SafeSearch and click 'uninstall'. Now open IE once again and click Tools -> Internet Option -> General tab. Enter Google or other address to make it the default start page.


    Mozilla Firefox:


    Open Mozilla Firefox, go ‘Tools’ -> ‘Add-ons’ -> ‘Extensions’. Find SafeSearch and click ‘Uninstall’. Now open Mozilla Firefox once more, go to Tools -> Options -> General -> Startup and select 'Show a blank page' when Firefox Starts or set a certain website, like Google or similar.


    Google Chrome:


    Open Google Chrome, click on wench icon, go to settings and choose 'Manage search engines'. Change search engine to google or other and delete Safesearch from the list. Then Go to section “On start” and make sure you get blank page while creating new tab.


    Stop the following SafeSearch processes:


    aanyvkcf.exe


    safesearch.exe


    rgzcdhtn.exe


    Remove the following SafeSearch registry keys:


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aanyvkcf


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SafeSearch


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rgzcdhtn


    HKEY_CURRENT_USER\Software\PrimeSoft


    HKEY_CURRENT_USER\Software\SafeSearch


    HKEY_CLASSES_ROOT\.QSCH


    HKEY_CLASSES_ROOT\QSCH File


    HKEY_CLASSES_ROOT\SafeSearch.SafeSearchBHO


    HKEY_CLASSES_ROOT\SafeSearch.SafeSearchBHO.1


    HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}


    HKEY_CLASSES_ROOT\Interface\{28E6CCE2-3F2C-4B3D-9CB4-2FC8715A3ECE}


    HKEY_CLASSES_ROOT\Typelib\{82E9DE01-D860-40E4-B9C1-91F0E8272962}


    HKEY_CLASSES_ROOT\Typelib\{CB5006EE-F57D-4116-B7B6-48EB564FE0F0}


    HKEY_CLASSES_ROOT\mime\database\content type\application/x-QSCH


    HKEY_USERS\.default\Software\Netscape\Netscape Navigator\Trusted External Applications\%System%\aanyvkcf.exe=yes


    HKEY_USERS\.default\Software\Netscape\Netscape Navigator\Suffixes\Application/x-QSCH


    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{00000000-0000-0000-0000-000000000001}


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\aanyvkcf


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rgzcdhtn


    Navigate to the subkey:


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    In the right pane, delete any of the following values:


    "SafeSearch" = "c:\program files\primesoft\safesearch\safesearch.exe"


    "AANYVKCF" = "%System%\aanyvkcf.exe"


    "TYPE[RANDOM NUMBER]" = "application/x-QSCH"


    "RGZCDHTN" = "%System%\RGZCDHTN.exe /install"


    Navigate to the subkey:


    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar


    In the right pane, delete the value:


    "{00000000-0000-0000-0000-000000000001}" = ""


    Unregister the following SafeSearch DLL files:


    safesearch.dll


    _safesearch.dll


    Delete the following SafeSearch files:


    aanyvkcf.exe


    safesearch.exe


    rgzcdhtn.exe


    safesearch.dll


    _safesearch.dll


    Delete directories:


    C:\Program Files\Primesoft\SafeSearch

  • How to Remove Safesear.ch


    Step 1: End all the processes related to Safesear.ch redirect virus.


    1. Right click on the task bar and click on “Task Manager”.


    2. Under the Processes tab, find out all running processes related to the redirect virus and then end all of them by clicking on the “End Process” button.


    Step 2: Clean all temporary files and redirect virus related files.


    1. Go to the following path and clean all temporary files.


    C:\Documents and Settings\Yourusername\Local Settings\Temporary Internet Files


    2. In the local disk C, find out and remove any suspicious files.


    %Temp%\random.exe


    %AllUsersProfile%\random.exe


    %AppData%\Roaming\Microsoft\Windows\Templates\random.exe


    Step 3: Delete all the registry entries associated with Safesear.ch redirect virus via the Registry Editor.


    1. Open Registry Editor by clicking on the Start menu, typing “regedit” into the search box and clicking “regedit.exe” from the result list.


    2. Search for and delete all the registry entries associated with the redirect virus (Please back up your Windows registry before making any changes to it so that you can restore your data in case of any wrong operation).


    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM CHARACTERS].exe


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM CHARACTERS].exe


    Step 4: Reset browser settings.


    Internet Explorer:


    1. Click IE Tools menu and select Internet Options. Under General tab, delete http://www.safesear.ch/ and type the one you prefer. Click the Use Current and click the OK button.


    2. Click Tools menu again and choose Manage Add-ons. Select Search Providers, remove the unwanted search engine and reset the one you prefer as default.


    Mozilla Firefox:


    1. Click on the Tools menu and choose Options. Click on the General tab, remove the unwanted website URL, and type the one you like. Click on Use Current Page and click the OK button.


    2. Click on drop-down button of search engines on the Firefox Toolbar, and choose Manage Search Engines. Remove Conduit Search end reset another search provider.


    Google Chrome:


    1. Click Chrome menu and choose Settings and the choose “show advanced settings”. Then choose “open with specific page” and click on Set Page in the Start-up section to reset start-up page. Then, choose “Change page” in Appearance section and reset homepage.


    2. Click on Manage Search Engine button. Select Safesear.ch and click X to remove it and set another as default.