Adlice forum

General Category => Malware removal help => Topic started by: arikpik on April 21, 2020, 09:18:40 pm

Title: removal of SafeFinder from WIN7 pro
Post by: arikpik on April 21, 2020, 09:18:40 pm
Hi,

I can't remove the SafeFinder program on WIN7 pro that hijacks my opening Google screen inside Chrome.

Apparently it can't be removed by the Control Panel tools.

https://search.safefinder.com/?st=sc&q=

Please advise,

Arik.P.
Title: Re: removal of SafeFinder from WIN7 pro
Post by: Curson on April 21, 2020, 11:03:26 pm
Hi arikpik,

Welcome to Adlice.com Forum.
Could you please attach RogueKiller latest scan report with your next reply ?

Regards.
Title: Re: removal of SafeFinder from WIN7 pro
Post by: arikpik on April 22, 2020, 09:18:56 pm
Here is the report of the initial RogueKiller scan:

RogueKiller Anti-Malware V14.4.0.0 (x64) [Apr  1 2020] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits
Started in : Normal mode
User : Eyal Pickholz [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20200421_093730, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2020/04/21 21:19:51 (Duration : 00:11:14)
Switches : -minimize

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Suspicious.Path (Potentially Malicious)] wscript.exe (6284) -- C:\Windows\System32\wscript.exe -> Found
[PUP.Gen1 (Potentially Malicious)] Quoteex.exe (1528) -- C:\ProgramData\Quoteex\Quoteex.exe -> Found
[PUP.LogicHandler|Adw.LogicCramble (Malicious)] set.exe (2388) -- C:\ProgramData\Logic Cramble\set.exe -> Found
[PUP.CloudPrinter|PUP.Linkury|PUP.Gen1 (Potentially Malicious)] CloudPrinter.exe (2500) -- C:\ProgramData\CloudPrinter\CloudPrinter.exe -> Found
[Tr.Ursu (Malicious)] EaseUS Data Recovery Wizard License Code.exe (2996) -- C:\Program Files (x86)\MachinerData\EaseUS Data Recovery Wizard License Code.exe -> Found
[PUP.Popcorn (Potentially Malicious)] Updater.exe (3340) -- C:\Program Files (x86)\Popcorn Time\Updater.exe -> Found
[Tr.ProxyAgent (Malicious)] rundll32.exe (7900) -- C:\Windows\System32\rundll32.exe -> Found
[Tr.ProxyAgent (Malicious)] rundll32.exe (7936) -- C:\Windows\SysWOW64\rundll32.exe -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> rundll32.exe (7936) -- C:\Windows\SysWOW64\rundll32.exe
  [Tr.ProxyAgent (Malicious)] ahbilr.dll (7936) -- C:\Users\Eyal Pickholz\AppData\Local\ahbilr.dll -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[PUP.LogicHandler (Potentially Malicious)] backlh (2388) -- C:\ProgramData\Logic Cramble\set.exe -> Found
[PUP.Gen0 (Potentially Malicious)] CloudPrinter (2500) -- C:\ProgramData\\CloudPrinter\\CloudPrinter.exe shuz -f "C:\ProgramData\\CloudPrinter\\CloudPrinter.dat" -l -a -> Found
[Tr.Ursu (Malicious)] Main Service (2996) -- C:\Program Files (x86)\MachinerData\EaseUS Data Recovery Wizard License Code.exe 1 -> Found
[PUP.Gen0 (Potentially Malicious)] Quoteex (1528) -- C:\ProgramData\\Quoteex\\Quoteex.exe shuz -f "C:\ProgramData\\Quoteex\\Quoteex.dat" -l -a -> Found
[PUP.Popcorn (Potentially Malicious)] Update service (3340) -- C:\Program Files (x86)\Popcorn Time\Updater.exe -> Found
[Tr.Winmon (Malicious)] Winmon (0) -- \??\C:\Windows\System32\drivers\Winmon.sys -> Found
[Tr.Zusy (Malicious)] WinDefender (3420) -- C:\Windows\windefender.exe -> Found
[Tr.Winmon (Malicious)] WinmonFS (0) -- \??\C:\Windows\System32\drivers\WinmonFS.sys -> Found
[Tr.Winmon (Malicious)] WinmonProcessMonitor (0) -- \??\C:\Windows\System32\drivers\WinmonProcessMonitor.sys -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Suspicious.Path (Potentially Malicious)] (Microsoft Windows) \koIASyAUcnLTC2 -- C:\Windows\system32\wscript.exe ["C:\ProgramData\lbXXFMhQgcaZEWVB\iSIInEH.wsf"] -> Found
[Tr.Chapak (Malicious)] \csrss -- C:\Windows\rss\csrss.exe -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> XX - Software
  [PUP.Gen1 (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\mtQuoteex -- N/A -> Found
  [PUP.Gen1 (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-1537819233-3836446741-3658253957-1001\Software\mtQuoteex -- N/A -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-1537819233-3836446741-3658253957-1001\Software\PopcornTime -- N/A -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-1537819233-3836446741-3658253957-1001\Software\Popcorn Time -- N/A -> Found
>>>>>> XX - Uninstall
  [PUP.Popcorn (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Popcorn Time_is1 -- N/A -> Found
>>>>>> O4 - Run
  [Tr.ProxyAgent (Malicious)] (X64) HKEY_USERS\S-1-5-21-1537819233-3836446741-3658253957-1001\Software\Microsoft\Windows\CurrentVersion\Run|ahbilr -- rundll32.exe "C:\Users\Eyal Pickholz\AppData\Local\ahbilr.dll",ahbilr -> Found
  [Suspicious.Path (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-1537819233-3836446741-3658253957-1001\Software\Microsoft\Windows\CurrentVersion\Run|3192095 -- "C:\Users\EYALPI~1\AppData\Local\Temp\is-CUISD.tmp\ScreenShop.exe" /VERYSILENT (missing) -> Found
  [Tr.Chapak (Malicious)] (X64) HKEY_USERS\S-1-5-21-1537819233-3836446741-3658253957-1001\Software\Microsoft\Windows\CurrentVersion\Run|HiddenMountain -- "C:\Windows\rss\csrss.exe" -> Found
  [Cloud.Generic (Malicious)] (X64) HKEY_USERS\S-1-5-21-1537819233-3836446741-3658253957-1001\Software\Microsoft\Windows\CurrentVersion\Run|CloudNet -- "C:\Users\Eyal Pickholz\AppData\Roaming\03024efdcdc8\03024efdcdc8.exe" 31337 -> Found
>>>>>> O4 - Run
  [Cloud.Generic (Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce|jariocllozj -- "C:\Program Files (x86)\Keyboard\716736870.exe" 1 3.1586425463.5e8eee7728206 -> Found
>>>>>> O23 - Services
  [PUP.LogicHandler (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\backlh -- "C:\ProgramData\Logic Cramble\set.exe" -> Found
  [PUP.Gen0 (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CloudPrinter -- C:\ProgramData\CloudPrinter\CloudPrinter.exe -> Found
  [Tr.Ursu (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Main Service -- "C:\Program Files (x86)\MachinerData\EaseUS Data Recovery Wizard License Code.exe 1" (missing) -> Found
  [PUP.Gen0 (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Quoteex -- C:\ProgramData\Quoteex\Quoteex.exe -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update service -- "C:\Program Files (x86)\Popcorn Time\Updater.exe" -> Found
  [Tr.Winmon (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winmon -- C:\Windows\System32\drivers\Winmon.sys -> Found
  [Tr.Winmon (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinmonFS -- C:\Windows\System32\drivers\WinmonFS.sys -> Found
  [Tr.Winmon (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinmonProcessMonitor -- C:\Windows\System32\drivers\WinmonProcessMonitor.sys -> Found
  [Tr.Zusy (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinDefender -- C:\Windows\windefender.exe -> Found
  [PUP.LogicHandler (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\backlh -- "C:\ProgramData\Logic Cramble\set.exe" -> Found
  [PUP.Gen0 (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\CloudPrinter -- C:\ProgramData\CloudPrinter\CloudPrinter.exe -> Found
  [Tr.Ursu (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Main Service -- "C:\Program Files (x86)\MachinerData\EaseUS Data Recovery Wizard License Code.exe 1" (missing) -> Found
  [PUP.Gen0 (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Quoteex -- C:\ProgramData\Quoteex\Quoteex.exe -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Update service -- "C:\Program Files (x86)\Popcorn Time\Updater.exe" -> Found
  [Tr.Winmon (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinmonFS -- C:\Windows\System32\drivers\WinmonFS.sys -> Found
  [Tr.Winmon (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinmonProcessMonitor -- C:\Windows\System32\drivers\WinmonProcessMonitor.sys -> Found
  [Tr.Winmon (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Winmon -- C:\Windows\System32\drivers\Winmon.sys -> Found
  [Tr.Zusy (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinDefender -- C:\Windows\windefender.exe -> Found
>>>>>> O87 - Firewall
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{D394BD86-FCDD-46EC-886D-C6C638CF511E} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| (C:\Program Files (x86)\Popcorn Time\Updater.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{253E3D48-8900-4036-B0F3-8955F74F9FC1} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| (C:\Program Files (x86)\Popcorn Time\Updater.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{FC06434B-36F2-47C7-9841-FAC2F0C2AE6C} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe|Name=Popcorn Time| (C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{B4961D4F-9D46-4AFD-BEAD-075F788FA2F1} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe|Name=Popcorn Time| (C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{A5EA01CC-E833-404C-B822-867F67E4E924} -- (Joyent Inc) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\chromecast\node.exe|Name=cs-node.exe| (C:\Program Files (x86)\Popcorn Time\chromecast\node.exe) -> Found
  [Tr.Chapak (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{0A1F1C09-ECF9-4EE0-8336-CDD760AA9772} -- v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Windows\rss\csrss.exe|Name=csrss| (C:\Windows\rss\csrss.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{C247AA71-F977-420B-8436-9F1FEFC999D7} -- (Joyent Inc) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\chromecast\node.exe|Name=cs-node.exe| (C:\Program Files (x86)\Popcorn Time\chromecast\node.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{E0F68D1E-0AAD-42C4-BBBA-0BD7821DEC5D} -- (Node.js Foundation) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\nodejs\node.exe|Name=pt-node.exe| (C:\Program Files (x86)\Popcorn Time\nodejs\node.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{FAA27643-0E09-42A1-AD6F-367B4C2A19DE} -- (Node.js Foundation) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\nodejs\node.exe|Name=pt-node.exe| (C:\Program Files (x86)\Popcorn Time\nodejs\node.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{253E3D48-8900-4036-B0F3-8955F74F9FC1} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| (C:\Program Files (x86)\Popcorn Time\Updater.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{D394BD86-FCDD-46EC-886D-C6C638CF511E} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| (C:\Program Files (x86)\Popcorn Time\Updater.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{FC06434B-36F2-47C7-9841-FAC2F0C2AE6C} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe|Name=Popcorn Time| (C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{B4961D4F-9D46-4AFD-BEAD-075F788FA2F1} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe|Name=Popcorn Time| (C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{A5EA01CC-E833-404C-B822-867F67E4E924} -- (Joyent Inc) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\chromecast\node.exe|Name=cs-node.exe| (C:\Program Files (x86)\Popcorn Time\chromecast\node.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{C247AA71-F977-420B-8436-9F1FEFC999D7} -- (Joyent Inc) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\chromecast\node.exe|Name=cs-node.exe| (C:\Program Files (x86)\Popcorn Time\chromecast\node.exe) -> Found
  [Tr.Chapak (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{0A1F1C09-ECF9-4EE0-8336-CDD760AA9772} -- v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Windows\rss\csrss.exe|Name=csrss| (C:\Windows\rss\csrss.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{E0F68D1E-0AAD-42C4-BBBA-0BD7821DEC5D} -- (Node.js Foundation) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\nodejs\node.exe|Name=pt-node.exe| (C:\Program Files (x86)\Popcorn Time\nodejs\node.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{FAA27643-0E09-42A1-AD6F-367B4C2A19DE} -- (Node.js Foundation) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\nodejs\node.exe|Name=pt-node.exe| (C:\Program Files (x86)\Popcorn Time\nodejs\node.exe) -> Found
>>>>>> O20 - AppInit DLLs
  [PUP.Gen1 (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs -- C:\ProgramData\Quoteex\ZonZoolight.dll -> Found
  [PUP.Gen1 (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs -- C:\ProgramData\Quoteex\Zenlight.dll -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[PUP.Popcorn (Potentially Malicious)] (shortcut) Popcorn Time.lnk -- C:\Users\Public\Desktop\Popcorn Time.lnk => C:\PROGRA~2\POPCOR~1\POPCOR~1.EXE -> Found
[Tr.Winmon (Malicious)] (file) WinmonProcessMonitor.sys -- C:\Windows\System32\drivers\WinmonProcessMonitor.sys -> Found
[PUP.Popcorn (Potentially Malicious)] (shortcut) Popcorn Time.lnk -- C:\Users\Eyal Pickholz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Popcorn Time.lnk => C:\PROGRA~2\POPCOR~1\POPCOR~1.EXE -> Found
[Tr.ProxyAgent (Malicious)] (file) ahbilr.dll -- C:\Users\Eyal Pickholz\AppData\Local\ahbilr.dll -> Found
[PUP.Popcorn (Potentially Malicious)] (folder) PopcornTime -- C:\Users\Eyal Pickholz\AppData\Local\PopcornTime -> Found
[Miner.Gen (Malicious)] (folder) wup -- C:\Users\Eyal Pickholz\AppData\Local\Temp\wup -> Found
[PUP.CloudPrinter|PUP.Linkury|PUP.Gen1 (Potentially Malicious)] (folder) CloudPrinter -- C:\ProgramData\CloudPrinter -> Found
[PUP.LogicHandler|Adw.LogicCramble (Malicious)] (folder) Logic Cramble -- C:\ProgramData\Logic Cramble -> Found
[PUP.Popcorn (Potentially Malicious)] (folder) Popcorn Time -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Popcorn Time -> Found
[PUP.Gen1 (Potentially Malicious)] (folder) Quoteex -- C:\ProgramData\Quoteex -> Found
[PUP.Gen1 (Potentially Malicious)] (folder) Quoteexs -- C:\ProgramData\Quoteexs -> Found
[PUP.Gen1 (Potentially Malicious)] (folder) Solvusoft -- C:\ProgramData\Solvusoft -> Found
[PUP.PCProtect (Potentially Malicious)] (folder) TotalAV -- C:\ProgramData\TotalAV -> Found
[Tr.Ursu (Malicious)] (folder) MachinerData -- C:\Program Files (x86)\MachinerData -> Found
[PUP.Popcorn (Potentially Malicious)] (folder) Popcorn Time -- C:\Program Files (x86)\Popcorn Time -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> Chrome Config
  [PUM.SearchEngine (Potentially Malicious)] default_search_provider_data.template_url_data.keyword (C:\Users\Eyal Pickholz\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences) -- feed.sonic-search.com -> Found
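A small triage helper for a RogueKiller report like the one above, added here as an example (it is not Adlice's code): it parses the section banners and detection lines, counts findings by severity, and separates the persistence entries (services, scheduled tasks, Run keys, AppInit DLLs) that bring an infection back after a reboot from the rest. The sample input is a constructed subset of the report in this thread with the SID and user name replaced by placeholders, and the list of registry markers treated as persistence is an assumption.

```python
"""Parse a RogueKiller text report into structured findings and pick out the
persistence entries. Added triage example, not Adlice code. SAMPLE_REPORT is
a constructed subset of the thread's report with SID and user name replaced."""
import re
from collections import Counter

# RogueKiller separates sections with runs of U+00A4, e.g. "¤¤¤¤ Services ¤¤¤¤"
SECTION_RE = re.compile(r"^¤+ (?P<name>.+?) ¤+\s*$")
# Detection line: "[Family (Severity)] target -- detail -> Found"
ENTRY_RE = re.compile(
    r"^\s*\[(?P<family>[^\]]+?) \((?P<severity>[^)]+)\)\]\s*"
    r"(?P<target>.*?) -- (?P<detail>.*?) -> (?P<status>\w+)\s*$"
)
# Registry locations that relaunch code at boot or logon (assumed marker list)
REG_PERSIST_MARKERS = ("\\Run|", "\\RunOnce|", "\\Services\\", "AppInit_DLLs")

SAMPLE_REPORT = r"""
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[PUP.Gen1 (Potentially Malicious)] Quoteex.exe (1528) -- C:\ProgramData\Quoteex\Quoteex.exe -> Found
[Tr.ProxyAgent (Malicious)] rundll32.exe (7936) -- C:\Windows\SysWOW64\rundll32.exe -> Found
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Tr.Winmon (Malicious)] Winmon (0) -- \??\C:\Windows\System32\drivers\Winmon.sys -> Found
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Tr.Chapak (Malicious)] \csrss -- C:\Windows\rss\csrss.exe -> Found
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> XX - Software
  [PUP.Gen1 (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\mtQuoteex -- N/A -> Found
>>>>>> O4 - Run
  [Tr.ProxyAgent (Malicious)] (X64) HKEY_USERS\S-1-5-21-<SID>-1001\Software\Microsoft\Windows\CurrentVersion\Run|ahbilr -- rundll32.exe "C:\Users\<user>\AppData\Local\ahbilr.dll",ahbilr -> Found
"""


def parse_report(text):
    """Return one dict per detection line, tagged with the section it sits in."""
    findings, section = [], None
    for line in text.splitlines():
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group("name")
            continue
        entry = ENTRY_RE.match(line)
        if entry and section is not None:
            findings.append({**entry.groupdict(), "section": section})
    return findings


def is_persistence(finding):
    """True for entries that would bring the infection back after a reboot."""
    if finding["section"] in ("Services", "Tasks"):
        return True
    return finding["section"] == "Registry" and any(
        marker in finding["target"] for marker in REG_PERSIST_MARKERS
    )


def triage(text):
    """Severity counts plus the persistence entries, which are cleaned first."""
    findings = parse_report(text)
    by_severity = Counter(f["severity"] for f in findings)
    persistence = [f for f in findings if is_persistence(f)]
    return by_severity, persistence


if __name__ == "__main__":
    counts, persist = triage(SAMPLE_REPORT)
    print(dict(counts))
    for f in persist:
        print(f"{f['section']:9} {f['family']:15} {f['target']}")
```

Feeding the full report to `triage()` gives the same split: the Services, Tasks and O4/O23/O20 registry entries are the ones that explain why the hijack returns after a Chrome reset.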
Title: Re: removal of SafeFinder from WIN7 pro
Post by: Curson on April 22, 2020, 10:18:43 pm
Hi arikpik,

Please remove all the entries RogueKiller found, then follow the following process : Reset Chrome settings to default (https://support.google.com/chrome/answer/3296214?hl=en).
Is the redirection still present ?

Regards.
Title: Re: removal of SafeFinder from WIN7 pro
Post by: arikpik on April 23, 2020, 07:30:14 am
Hi,

1. It only works temporarily. It regains after a while.

2. The safefinder is still seen in the list of programs under control panel programs. The uninstall/change operation does not remove it so I believe this malware had deleted its own uninstaller.

4. Most of the malware and AV are not back supporting win7.

3. This is seriously affecting my daughter's ability to use the laptop for her studies, especially today when working all the time remotely.

Thanks ,

Arikpik.
Title: Re: removal of SafeFinder from WIN7 pro
Post by: Curson on April 23, 2020, 05:24:08 pm
Hi arikpik,

It seems RogueKiller does not detect the whole infection, allowing it to persist.
We will be doing a full system investigation.

Please download Farbar Recovery Scan Tool (x64) (https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/) and save it to your Desktop.
Regards.
Title: Re: removal of SafeFinder from WIN7 pro
Post by: arikpik on April 23, 2020, 08:55:49 pm
Hi ,

The files are attached now.

Best regards ,

arikpik
Title: Re: removal of SafeFinder from WIN7 pro
Post by: Curson on April 23, 2020, 09:55:11 pm
Hi arikpik,

Your computer is very infected. Please make a backup of your personal data before proceeding any further.

Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Regards.
Title: Re: removal of SafeFinder from WIN7 pro
Post by: arikpik on April 24, 2020, 12:08:35 pm
Hi ,

Thank you for trying to assist us.

During this run the laptop had to shut down and it did not continue running the FRST following the boot.

Nevertheless it had saved a file that is attached.

Best regards ,

arikpik
Title: Re: removal of SafeFinder from WIN7 pro
Post by: Curson on April 24, 2020, 04:01:59 pm
Hi arikpik,

It seems FRST was still able to process the script.
How is your computer running now ?

Regards.
Title: Re: removal of SafeFinder from WIN7 pro
Post by: arikpik on April 24, 2020, 04:11:30 pm
Hi ,

I just bought a yearly license. My computer works great now.

One question though is whether the sound that plays when RogueKiller detects a real-time issue can be shut off for this app.

Thank you for the very professional treatment.

arikpik
Ariel.pickholz
Title: Re: removal of SafeFinder from WIN7 pro
Post by: Curson on April 24, 2020, 06:48:45 pm
Hi Ariel,

I'm glad to read this.
You can now remove all the tools and linked files used during the malware removal process.

Thanks for supporting our product.
There is no way to only disable the sound, but you can turn off the whole notification system. Click on "Settings", then go to the "General" tab and toggle the "Notifications" option.

Regards.