Removing Safesear.ch
I followed all the instructions from Bitdefender. Then also ran a program to delete junk (JRT or junkremoval tool) recommended by an article on malware and I downloaded and ran Malwarebytes Anti-malware Free. This managed to get the damned search hijacker off my Firefox start-up page, but it still pops up when I open a new tab. IT LOOKS LIKE THIS: "www.safesear.ch/?type=20140627-rv-ff-nt"
BTW, Bitdefender wrote to tell me that they don't deal with this kind of program because it is a PUP and has to be downloaded. But for those of us who click too quickly or miss the hijacker for other reasons, are we to be left floating on our own in cyberspace? The damned program is malicious enough to take over many Windows shortcuts and to sneak around all efforts to remove it.
Help appreciated, now that I've finished ranting.
Comments
-
I found this:
Click 'Start menu' -> 'Control Panel' -> 'Uninstall a Program' or 'Add/Remove Programs' and choose 'Uninstall' button if you see SafeSearch in the list.
Internet Explorer:
Open Internet Explorer, go ‘Tools‘ -> ”Manage Add-ons’ -> ‘Toolbars and Extensions’. Here, look for SafeSearch and click 'uninstall'. Now open IE once again and click Tools -> Internet Option -> General tab. Enter Google or other address to make it the default start page.
Mozilla Firefox:
Open Mozilla Firefox, go ‘Tools’ -> ‘Add-ons’ -> ‘Extensions’. Find SafeSearch and click ‘Uninstall’. Now open Mozilla Firefox once more, go to Tools -> Options -> General -> Startup and select 'Show a blank page' when Firefox Starts or set a certain website, like Google or similar.
Google Chrome:
Open Google Chrome, click on wench icon, go to settings and choose 'Manage search engines'. Change search engine to google or other and delete Safesearch from the list. Then Go to section “On start” and make sure you get blank page while creating new tab.
Stop the following SafeSearch processes:
aanyvkcf.exe
safesearch.exe
rgzcdhtn.exe
Remove the following SafeSearch registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aanyvkcf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SafeSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rgzcdhtn
HKEY_CURRENT_USER\Software\PrimeSoft
HKEY_CURRENT_USER\Software\SafeSearch
HKEY_CLASSES_ROOT\.QSCH
HKEY_CLASSES_ROOT\QSCH File
HKEY_CLASSES_ROOT\SafeSearch.SafeSearchBHO
HKEY_CLASSES_ROOT\SafeSearch.SafeSearchBHO.1
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}
HKEY_CLASSES_ROOT\Interface\{28E6CCE2-3F2C-4B3D-9CB4-2FC8715A3ECE}
HKEY_CLASSES_ROOT\Typelib\{82E9DE01-D860-40E4-B9C1-91F0E8272962}
HKEY_CLASSES_ROOT\Typelib\{CB5006EE-F57D-4116-B7B6-48EB564FE0F0}
HKEY_CLASSES_ROOT\mime\database\content type\application/x-QSCH
HKEY_USERS\.default\Software\Netscape\Netscape Navigator\Trusted External Applications\%System%\aanyvkcf.exe=yes
HKEY_USERS\.default\Software\Netscape\Netscape Navigator\Suffixes\Application/x-QSCH
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{00000000-0000-0000-0000-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\aanyvkcf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rgzcdhtn
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete any of the following values:
"SafeSearch" = "c:\program files\primesoft\safesearch\safesearch.exe"
"AANYVKCF" = "%System%\aanyvkcf.exe"
"TYPE[RANDOM NUMBER]" = "application/x-QSCH"
"RGZCDHTN" = "%System%\RGZCDHTN.exe /install"
Navigate to the subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar
In the right pane, delete the value:
"{00000000-0000-0000-0000-000000000001}" = ""
Unregister the following SafeSearch DLL files:
safesearch.dll
_safesearch.dll
Delete the following SafeSearch files:
aanyvkcf.exe
safesearch.exe
rgzcdhtn.exe
safesearch.dll
_safesearch.dll
Delete directories:
C:\Program Files\Primesoft\SafeSearch0 -
Step 1: End all the processes related to Safesear.ch redirect virus.
1. Right click on the task bar and click on “Task Manager”.
2. Under the Processes tab, find out all running processes related to the redirect virus and then end all of them by clicking on the “End Process” button.
Step 2: Clean all temporary files and redirect virus related files.
1. Go to the following path and clean all temporary files.
C:\Documents and Settings\Yourusername\Local Settings\Temporary Internet Files
2. In the local disk C, find out and remove any suspicious files.
%Temp%\random.exe
%AllUsersProfile%\random.exe
%AppData%\Roaming\Microsoft\Windows\Templates\random.exe
Step 3: Delete all the registry entries associated with Safesear.ch redirect virus via the Registry Editor.
1. Open Registry Editor by clicking on the Start menu, typing “regedit” into the search box and clicking “regedit.exe” from the result list.
2. Search for and delete all the registry entries associated with the redirect virus (Please back up your Windows registry before making any changes to it so that you can restore your data in case of any wrong operation).
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM CHARACTERS].exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RANDOM CHARACTERS].exe
Step 4: Reset browser settings.
Internet Explorer:
1. Click IE Tools menu and select Internet Options. Under General tab, delete http://www.safesear.ch/ and type the one you prefer. Click the Use Current and click the OK button.
2. Click Tools menu again and choose Manage Add-ons. Select Search Providers, remove the unwanted search engine and reset the one you prefer as default.
Mozilla Firefox:
1. Click on the Tools menu and choose Options. Click on the General tab, remove the unwanted website URL, and type the one you like. Click on Use Current Page and click the OK button.
2. Click on drop-down button of search engines on the Firefox Toolbar, and choose Manage Search Engines. Remove Conduit Search end reset another search provider.
Google Chrome:
1. Click Chrome menu and choose Settings and the choose “show advanced settings”. Then choose “open with specific page” and click on Set Page in the Start-up section to reset start-up page. Then, choose “Change page” in Appearance section and reset homepage.
2. Click on Manage Search Engine button. Select Safesear.ch and click X to remove it and set another as default.0