Saturday, May 14, 2016

How to Remove Search Safefinder Virus 
Please Read Everything

The virus is made up of two links:

feed.helperbar.com 

that is followed by this link:

http://search.safefinder.com/?st=dn&q=

The real name is feed.sonic-search, and the real link this virus creates is:

http://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNZu5IufYkFZ0jUvZJt1ZBBSlLPjDWpKc_jSymEiqdyN1eTyQfBaZW4va3oCquwUHgzrgs0MEHrFiT_CRALUw4LPMJEPTKlW9x4rIbNKSGPkwzs2ZyFcjVWUbJO6cyYmVwZS1GgyVK40F1qlTeLEEm5-4kef0_-fWL46LAO77BoU,

The link mentioned above is inserted into the "Set pages" list (the startup pages) in Google Chrome's settings.

How to remove it?

First I open Control Panel and uninstall all suspicious programs; then I also go through Program Files and Program Files (x86) looking for strange folders and delete them.

It is also recommended to empty the Temp folder in AppData\Local\Temp. Since that folder is hidden, I first need to turn on showing hidden files in Folder Options so I can see it.

How to Remove the Virus from Internet Explorer:

01-Start, Run
02-regedit
03-HKEY_CURRENT_USER
04-Software
05-Microsoft
06-Internet Explorer
07-Main
08-Then I look for these three values, right-click each one and choose Modify: Start Page, Search Bar, Search Page
09-I modify Search Page and change it to https://www.google.com
10-I modify Search Bar and change it to https://www.google.com
11-I modify Start Page and change it to https://www.google.com
12-If I do not want the Google link, I can enter any other link or set the value to about:blank
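The registry edits above, as an added PowerShell example that is not part of the original post: it reads the three values under HKCU\Software\Microsoft\Internet Explorer\Main, unescapes each one first (the hijacker's link shown earlier hides its hostname with %XX encoding, so a plain string match would miss it), and resets any value that points at helperbar.com or safefinder.com. The host list and the $cleanHome value are assumptions taken from this post; run it as the affected user, since HKCU is per user.

```powershell
# Added example (not code from the original post). Audits and repairs the three
# Internet Explorer values the post edits by hand in regedit.
$mainKey    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$valueNames = @('Start Page', 'Search Bar', 'Search Page')
$badHosts   = @('helperbar.com', 'safefinder.com')   # domains named in the post (assumption)
$cleanHome  = 'https://www.google.com'               # or 'about:blank', as the post suggests

function Test-HijackedUrl {
    param([string]$Url)
    if ([string]::IsNullOrWhiteSpace($Url)) { return $false }
    # Unescape first: '%66%65%65%64.%68%65%6C...' decodes to 'feed.helperbar.com'.
    $decoded = [System.Uri]::UnescapeDataString($Url)
    foreach ($h in $badHosts) {
        if ($decoded -match [regex]::Escape($h)) { return $true }
    }
    return $false
}

function Repair-IEStartPages {
    $props = Get-ItemProperty -Path $mainKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { Write-Host "Key not found: $mainKey"; return }
    foreach ($name in $valueNames) {
        $current = $props.$name
        if (Test-HijackedUrl $current) {
            Write-Host "[!] $name is hijacked: $current"
            # Same change the post makes with Modify in regedit, done from the shell.
            Set-ItemProperty -Path $mainKey -Name $name -Value $cleanHome
            Write-Host "    reset to $cleanHome"
        } else {
            Write-Host "[ok] $name = $current"
        }
    }
}

Repair-IEStartPages
```

Chrome keeps its startup pages in its own profile files rather than in this key, which is why the post treats it separately.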

How to Remove the Virus from Google Chrome:

This virus has many entries, and no matter what I do in Google Chrome it won't work, even in Safe Mode, and using external bootable Mac DVDs/CDs is useless. If I reset my Google Chrome, deleting everything, even the AppData\Local\Google files, the reset may work only for the first opened page, but in the next tab it remains.

I need to use Adware Malware to remove this virus, which is called "PUP.Optional.Linkury.ACMB1".

Even after removing this virus with the antivirus, some remains that cannot be deleted will still be there, and I notice this quickly when I search for something in Google, Bing or any other search engine: the search text still contains some remains of the virus's search string, but it is no longer effective.

Note: do not use the Hitman Pro antivirus; it is also useless.


This virus creates many files and folders under ProgramData, with names like:

-ProgramData\xifss
-ProgramData\xifss\Ecotax.bin
-ProgramData\xifss\GoodTonair.dat
-ProgramData\xifss\Zerlax.bin
-ProgramData\xifss\Bluejob.dll
-ProgramData\xifss\temp
-ProgramData\xifss\uninstall.dat
-ProgramData\xifss\Config.xml
-ProgramData\xifss\Joylab.dat
-ProgramData\xifss\snp.sc
-ProgramData\xifs\Zamit.exe
-ProgramData\xifs\ff.HP
-ProgramData\xifs\xifs.d.dat
-ProgramData\xifs\conf.config
-ProgramData\xifs\ZenDamtop.bin
-ProgramData\xifs\ff.NT
-ProgramData\xifs\ondemand
-ProgramData\xifs\Quad-Lax.exe.config
-ProgramData\xifss\Aphome.bin
-ProgramData\xifss\Mathtop.bin
-ProgramData\xifss\md.xml
-ProgramData\xifss\Jobit.bin
-ProgramData\xifss\RankIt.bin
-ProgramData\Saophases
-ProgramData\Saophases\Goodtech.bin
-ProgramData\Saophases\Saophases.exe
-ProgramData\Saophases\Saophases.exe.config
-ProgramData\Saophases\ondemand
-ProgramData\Saophases\Unalab.bin
-ProgramData\Saophases\Blueron.exe
-ProgramData\Saophases\Trestam.dll
-ProgramData\Saophases\PrxCfg.xml
-ProgramData\Saophases\Goldenhatlight.bin
-ProgramData\Saophases.dll
-ProgramData\Saophases\snp.sc
-ProgramData\Saophases\config.xml
-ProgramData\Saophases\Zaaming.bin
-ProgramData\Zaaming.bin
-ProgramData\Ronzaps
-ProgramData\Ronzaps\snp.sc
-ProgramData\Ronzaps\ff.NT
-ProgramData\Ronzaps\ff.FT
-ProgramData\ApperocovQs\snp.sc
-ProgramData\ApperocovQs\ff.NT
-ProgramData\CloudPrinter
-ProgramData\CloudPrinter\Config.xml

The virus also enters AppData\Local and AppData\Roaming under these names:

-AppData\Local\Roaming\LightGate
-AppData\Local\Faseway.exe.config
-AppData\Local\Ontoplanet.dat
-AppData\Local\Faseway.dat
-AppData\Roaming\lobby.dat
-AppData\Roaming\UPUpdata\webad.xml
-AppData\Roaming\InstallationConfiguration.xml
-AppData\Roaming\ApplicationHosting.dat
-AppData\Roaming\uninstall_temp.ico
-AppData\Roaming\LightGate
-AppData\Roaming\Config.xml
-AppData\Roaming\inst.lat
-AppData\Roaming\UPUpdata
-AppData\Roaming\noah.dat
-AppData\Roaming\md.xml

The virus enters the registry under these names (the key paths are shown truncated, as they appeared in the scan results):

...CURRENT\VERSION\SILENTPROCESSEXIT\RONZAP.exe
...RENTVERSION\POLICIES\EXPLORER\RUN\Defenders
...ODE\MICROSOFT\TRACING\CloudPrinter_RASMANCS
...458-496055073-1479611835-1000\ENVIRONMENT|SNF
W6432NODE\MICROSOFT\TRACING|xifx_RASMANCS
...RENTVERSION\POLICIES\EXPLORER\RUN\Defenders
...\INTERNET EXPLORER\SEARCH|Default_Search_URL
...\INTERNET EXPLORER\SEARCHSCOPES\IELINKSRCH
...SOFT\WINDOWS|CURRENTVERSION\Run|Defenders
...ENTS\{KUH36873-MLM6-1837-47MY-6574I71SY43U}
...NT\CURRENT\VERSION\SILENTPROCESSEXIT\xifs.exe
...rnet Files\Content.IE5\1PTZOW2M\setup-1228[1].exe
...CONTROL\SERVICES|CLOUDPRINTER|ImagePath
...ME\EXTENSIONS\fcgnigmofekcllgbieijhmiggmgehkip
...58-496055073-1479611835-1000\SOFTWARE\mtxifs
HKLM\SOFTWARE\WOW6432NODE\mtRonzap
...ICES\EVENTLOG\APPLICATION\Application Hosting
HKLM\SOFTWARE\WOW6432NODE\mtxifs
...ODE\MICROSOFT\TRACING\Cloud Printer_RASAPI32
...\INTERNET EXPLORER\SEARCHSCOPES\ielnksrch|URL
...32NODE\MICROSOFT\TRACING\Ronzap_RASAPI32
...WS NT\CURRENTVERSION\WINDOWS|AppInit_DLLs
...\INTERNET EXPLORER\SEARCHSCOPES\{IELINKSRCH}
...2NODE\MICROSOFT\TRACING|Ronzap_RASMANCS
...EM\CURRENTCONTROLSET\SERVICES\CloudPrinter
...EXPLORERS\SEARCHSCOPES\ielnksrch|DisplayName
...OFT\WINDOWS\CURRENTVERSION\RUN\Defenders
...WARE\MICROSOFT\TRACINGS\Faseway_RASMANCS
...OSOFT\INTERNET EXPLORER\SEARCHURL|Default
...96055073-1479611835-1000\SOFTWARE\mtRonzap
...ERNET EXPLORER\SEARCHSCOPES\{ielnksrch}|URL
...W6432NODE\MICROSOFT\TRACING\xifs_RASAPI32
...TWARE\MICROSOFT\TRACING\Faseway_RASAPI32
...ENTVERSION\POLICIES|EXPLORER\RUN\Defenders
...XPLORER\SEARCHSCOPES\{ielnksrch}|DisplayName
...8-496055073-1479611835-1000\ENVIRONMENT|SNP
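A read-only audit of the locations listed in the three lists above, as an added PowerShell example that is not part of the original post. The folder, value and service names come from the post; the full registry paths are the standard persistence keys that the truncated entries (Run\Defenders, Policies\Explorer\Run\Defenders, AppInit_DLLs, SERVICES\CloudPrinter) belong to, which is an assumption since the post shows them cut off. Nothing is deleted; findings are printed for review before any cleanup.

```powershell
# Added example (not code from the original post): report leftovers in the places the post lists.
$dropFolders = @('xifss', 'xifs', 'Saophases', 'Ronzaps', 'ApperocovQs', 'CloudPrinter', 'LightGate', 'UPUpdata')
$roots = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA)   # ProgramData, AppData\Local, AppData\Roaming
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)   # assumed full paths for the post's truncated "...RUN\Defenders" entries

function Find-DropFolders {
    foreach ($root in $roots) {
        foreach ($name in $dropFolders) {
            $p = Join-Path $root $name
            if (Test-Path -LiteralPath $p) {
                # -Force includes hidden items; these folders are hidden, as the post notes.
                $n = (Get-ChildItem -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue | Measure-Object).Count
                [pscustomobject]@{ Kind = 'Folder'; Location = $p; Detail = "$n items" }
            }
        }
    }
}

function Find-RegistryEntries {
    foreach ($k in $runKeys) {
        $v = (Get-ItemProperty -Path $k -Name 'Defenders' -ErrorAction SilentlyContinue).Defenders
        if ($v) { [pscustomobject]@{ Kind = 'Run value'; Location = "$k\Defenders"; Detail = $v } }
    }
    # AppInit_DLLs loads the listed DLLs into every process that uses user32.dll; it is normally empty.
    $win  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $dlls = (Get-ItemProperty -Path $win -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($dlls) { [pscustomobject]@{ Kind = 'AppInit_DLLs'; Location = $win; Detail = $dlls } }
    # The service the post's SERVICES\CloudPrinter entries refer to, with its ImagePath.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\CloudPrinter' -ErrorAction SilentlyContinue
    if ($svc) { [pscustomobject]@{ Kind = 'Service'; Location = 'CloudPrinter'; Detail = $svc.ImagePath } }
}

$findings = @(Find-DropFolders) + @(Find-RegistryEntries)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { Write-Host 'None of the listed locations were found.' }
```

Reading HKLM values does not need elevation, so the audit can run as a normal user; only a later cleanup step would.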


In conclusion, as you can see, most of the files have repeated names, and they are spread across different locations, from the user's profile folder to ProgramData (a hidden folder) and the registry.

Simon George Hadid
Tripoli - Lebanon