Author Topic: removal of SafeFinder from WIN7 pro  (Read 8374 times)

arikpik
removal of SafeFinder from WIN7 pro
« on: April 21, 2020, 09:18:40 PM »
hi ,

I can't remove the SafeFinder program on WIN7 Pro that hijacks my opening Google screen inside Chrome.

Apparently it can't be removed by the Control Panel tools.

https://search.safefinder.com/?st=sc&q=

Please advise,

Arik.P.

Curson
Re: removal of SafeFinder from WIN7 pro
« Reply #1 on: April 21, 2020, 11:03:26 PM »
Hi arikpik,

Welcome to Adlice.com Forum.
Could you please attach RogueKiller latest scan report with your next reply ?

Regards.

arikpik
Re: removal of SafeFinder from WIN7 pro
« Reply #2 on: April 22, 2020, 09:18:56 PM »
Here is the report of the initial RogueKiller scan:

RogueKiller Anti-Malware V14.4.0.0 (x64) [Apr  1 2020] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits
Started in : Normal mode
User : Eyal Pickholz [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20200421_093730, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2020/04/21 21:19:51 (Duration : 00:11:14)
Switches : -minimize

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Suspicious.Path (Potentially Malicious)] wscript.exe (6284) -- C:\Windows\System32\wscript.exe -> Found
[PUP.Gen1 (Potentially Malicious)] Quoteex.exe (1528) -- C:\ProgramData\Quoteex\Quoteex.exe -> Found
[PUP.LogicHandler|Adw.LogicCramble (Malicious)] set.exe (2388) -- C:\ProgramData\Logic Cramble\set.exe -> Found
[PUP.CloudPrinter|PUP.Linkury|PUP.Gen1 (Potentially Malicious)] CloudPrinter.exe (2500) -- C:\ProgramData\CloudPrinter\CloudPrinter.exe -> Found
[Tr.Ursu (Malicious)] EaseUS Data Recovery Wizard License Code.exe (2996) -- C:\Program Files (x86)\MachinerData\EaseUS Data Recovery Wizard License Code.exe -> Found
[PUP.Popcorn (Potentially Malicious)] Updater.exe (3340) -- C:\Program Files (x86)\Popcorn Time\Updater.exe -> Found
[Tr.ProxyAgent (Malicious)] rundll32.exe (7900) -- C:\Windows\System32\rundll32.exe -> Found
[Tr.ProxyAgent (Malicious)] rundll32.exe (7936) -- C:\Windows\SysWOW64\rundll32.exe -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> rundll32.exe (7936) -- C:\Windows\SysWOW64\rundll32.exe
  [Tr.ProxyAgent (Malicious)] ahbilr.dll (7936) -- C:\Users\Eyal Pickholz\AppData\Local\ahbilr.dll -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[PUP.LogicHandler (Potentially Malicious)] backlh (2388) -- C:\ProgramData\Logic Cramble\set.exe -> Found
[PUP.Gen0 (Potentially Malicious)] CloudPrinter (2500) -- C:\ProgramData\\CloudPrinter\\CloudPrinter.exe shuz -f "C:\ProgramData\\CloudPrinter\\CloudPrinter.dat" -l -a -> Found
[Tr.Ursu (Malicious)] Main Service (2996) -- C:\Program Files (x86)\MachinerData\EaseUS Data Recovery Wizard License Code.exe 1 -> Found
[PUP.Gen0 (Potentially Malicious)] Quoteex (1528) -- C:\ProgramData\\Quoteex\\Quoteex.exe shuz -f "C:\ProgramData\\Quoteex\\Quoteex.dat" -l -a -> Found
[PUP.Popcorn (Potentially Malicious)] Update service (3340) -- C:\Program Files (x86)\Popcorn Time\Updater.exe -> Found
[Tr.Winmon (Malicious)] Winmon (0) -- \??\C:\Windows\System32\drivers\Winmon.sys -> Found
[Tr.Zusy (Malicious)] WinDefender (3420) -- C:\Windows\windefender.exe -> Found
[Tr.Winmon (Malicious)] WinmonFS (0) -- \??\C:\Windows\System32\drivers\WinmonFS.sys -> Found
[Tr.Winmon (Malicious)] WinmonProcessMonitor (0) -- \??\C:\Windows\System32\drivers\WinmonProcessMonitor.sys -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Suspicious.Path (Potentially Malicious)] (Microsoft Windows) \koIASyAUcnLTC2 -- C:\Windows\system32\wscript.exe ["C:\ProgramData\lbXXFMhQgcaZEWVB\iSIInEH.wsf"] -> Found
[Tr.Chapak (Malicious)] \csrss -- C:\Windows\rss\csrss.exe -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> XX - Software
  [PUP.Gen1 (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\mtQuoteex -- N/A -> Found
  [PUP.Gen1 (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-1537819233-3836446741-3658253957-1001\Software\mtQuoteex -- N/A -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-1537819233-3836446741-3658253957-1001\Software\PopcornTime -- N/A -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-1537819233-3836446741-3658253957-1001\Software\Popcorn Time -- N/A -> Found
>>>>>> XX - Uninstall
  [PUP.Popcorn (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Popcorn Time_is1 -- N/A -> Found
>>>>>> O4 - Run
  [Tr.ProxyAgent (Malicious)] (X64) HKEY_USERS\S-1-5-21-1537819233-3836446741-3658253957-1001\Software\Microsoft\Windows\CurrentVersion\Run|ahbilr -- rundll32.exe "C:\Users\Eyal Pickholz\AppData\Local\ahbilr.dll",ahbilr -> Found
  [Suspicious.Path (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-1537819233-3836446741-3658253957-1001\Software\Microsoft\Windows\CurrentVersion\Run|3192095 -- "C:\Users\EYALPI~1\AppData\Local\Temp\is-CUISD.tmp\ScreenShop.exe" /VERYSILENT (missing) -> Found
  [Tr.Chapak (Malicious)] (X64) HKEY_USERS\S-1-5-21-1537819233-3836446741-3658253957-1001\Software\Microsoft\Windows\CurrentVersion\Run|HiddenMountain -- "C:\Windows\rss\csrss.exe" -> Found
  [Cloud.Generic (Malicious)] (X64) HKEY_USERS\S-1-5-21-1537819233-3836446741-3658253957-1001\Software\Microsoft\Windows\CurrentVersion\Run|CloudNet -- "C:\Users\Eyal Pickholz\AppData\Roaming\03024efdcdc8\03024efdcdc8.exe" 31337 -> Found
>>>>>> O4 - Run
  [Cloud.Generic (Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce|jariocllozj -- "C:\Program Files (x86)\Keyboard\716736870.exe" 1 3.1586425463.5e8eee7728206 -> Found
>>>>>> O23 - Services
  [PUP.LogicHandler (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\backlh -- "C:\ProgramData\Logic Cramble\set.exe" -> Found
  [PUP.Gen0 (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CloudPrinter -- C:\ProgramData\CloudPrinter\CloudPrinter.exe -> Found
  [Tr.Ursu (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Main Service -- "C:\Program Files (x86)\MachinerData\EaseUS Data Recovery Wizard License Code.exe 1" (missing) -> Found
  [PUP.Gen0 (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Quoteex -- C:\ProgramData\Quoteex\Quoteex.exe -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update service -- "C:\Program Files (x86)\Popcorn Time\Updater.exe" -> Found
  [Tr.Winmon (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winmon -- C:\Windows\System32\drivers\Winmon.sys -> Found
  [Tr.Winmon (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinmonFS -- C:\Windows\System32\drivers\WinmonFS.sys -> Found
  [Tr.Winmon (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinmonProcessMonitor -- C:\Windows\System32\drivers\WinmonProcessMonitor.sys -> Found
  [Tr.Zusy (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinDefender -- C:\Windows\windefender.exe -> Found
  [PUP.LogicHandler (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\backlh -- "C:\ProgramData\Logic Cramble\set.exe" -> Found
  [PUP.Gen0 (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\CloudPrinter -- C:\ProgramData\CloudPrinter\CloudPrinter.exe -> Found
  [Tr.Ursu (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Main Service -- "C:\Program Files (x86)\MachinerData\EaseUS Data Recovery Wizard License Code.exe 1" (missing) -> Found
  [PUP.Gen0 (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Quoteex -- C:\ProgramData\Quoteex\Quoteex.exe -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Update service -- "C:\Program Files (x86)\Popcorn Time\Updater.exe" -> Found
  [Tr.Winmon (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinmonFS -- C:\Windows\System32\drivers\WinmonFS.sys -> Found
  [Tr.Winmon (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinmonProcessMonitor -- C:\Windows\System32\drivers\WinmonProcessMonitor.sys -> Found
  [Tr.Winmon (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Winmon -- C:\Windows\System32\drivers\Winmon.sys -> Found
  [Tr.Zusy (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinDefender -- C:\Windows\windefender.exe -> Found
>>>>>> O87 - Firewall
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{D394BD86-FCDD-46EC-886D-C6C638CF511E} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| (C:\Program Files (x86)\Popcorn Time\Updater.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{253E3D48-8900-4036-B0F3-8955F74F9FC1} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| (C:\Program Files (x86)\Popcorn Time\Updater.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{FC06434B-36F2-47C7-9841-FAC2F0C2AE6C} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe|Name=Popcorn Time| (C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{B4961D4F-9D46-4AFD-BEAD-075F788FA2F1} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe|Name=Popcorn Time| (C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{A5EA01CC-E833-404C-B822-867F67E4E924} -- (Joyent Inc) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\chromecast\node.exe|Name=cs-node.exe| (C:\Program Files (x86)\Popcorn Time\chromecast\node.exe) -> Found
  [Tr.Chapak (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{0A1F1C09-ECF9-4EE0-8336-CDD760AA9772} -- v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Windows\rss\csrss.exe|Name=csrss| (C:\Windows\rss\csrss.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{C247AA71-F977-420B-8436-9F1FEFC999D7} -- (Joyent Inc) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\chromecast\node.exe|Name=cs-node.exe| (C:\Program Files (x86)\Popcorn Time\chromecast\node.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{E0F68D1E-0AAD-42C4-BBBA-0BD7821DEC5D} -- (Node.js Foundation) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\nodejs\node.exe|Name=pt-node.exe| (C:\Program Files (x86)\Popcorn Time\nodejs\node.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{FAA27643-0E09-42A1-AD6F-367B4C2A19DE} -- (Node.js Foundation) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\nodejs\node.exe|Name=pt-node.exe| (C:\Program Files (x86)\Popcorn Time\nodejs\node.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{253E3D48-8900-4036-B0F3-8955F74F9FC1} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| (C:\Program Files (x86)\Popcorn Time\Updater.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{D394BD86-FCDD-46EC-886D-C6C638CF511E} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| (C:\Program Files (x86)\Popcorn Time\Updater.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{FC06434B-36F2-47C7-9841-FAC2F0C2AE6C} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe|Name=Popcorn Time| (C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{B4961D4F-9D46-4AFD-BEAD-075F788FA2F1} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe|Name=Popcorn Time| (C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{A5EA01CC-E833-404C-B822-867F67E4E924} -- (Joyent Inc) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\chromecast\node.exe|Name=cs-node.exe| (C:\Program Files (x86)\Popcorn Time\chromecast\node.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{C247AA71-F977-420B-8436-9F1FEFC999D7} -- (Joyent Inc) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\chromecast\node.exe|Name=cs-node.exe| (C:\Program Files (x86)\Popcorn Time\chromecast\node.exe) -> Found
  [Tr.Chapak (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{0A1F1C09-ECF9-4EE0-8336-CDD760AA9772} -- v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Windows\rss\csrss.exe|Name=csrss| (C:\Windows\rss\csrss.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{E0F68D1E-0AAD-42C4-BBBA-0BD7821DEC5D} -- (Node.js Foundation) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\nodejs\node.exe|Name=pt-node.exe| (C:\Program Files (x86)\Popcorn Time\nodejs\node.exe) -> Found
  [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{FAA27643-0E09-42A1-AD6F-367B4C2A19DE} -- (Node.js Foundation) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\nodejs\node.exe|Name=pt-node.exe| (C:\Program Files (x86)\Popcorn Time\nodejs\node.exe) -> Found
>>>>>> O20 - AppInit DLLs
  [PUP.Gen1 (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs -- C:\ProgramData\Quoteex\ZonZoolight.dll -> Found
  [PUP.Gen1 (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs -- C:\ProgramData\Quoteex\Zenlight.dll -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[PUP.Popcorn (Potentially Malicious)] (shortcut) Popcorn Time.lnk -- C:\Users\Public\Desktop\Popcorn Time.lnk => C:\PROGRA~2\POPCOR~1\POPCOR~1.EXE -> Found
[Tr.Winmon (Malicious)] (file) WinmonProcessMonitor.sys -- C:\Windows\System32\drivers\WinmonProcessMonitor.sys -> Found
[PUP.Popcorn (Potentially Malicious)] (shortcut) Popcorn Time.lnk -- C:\Users\Eyal Pickholz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Popcorn Time.lnk => C:\PROGRA~2\POPCOR~1\POPCOR~1.EXE -> Found
[Tr.ProxyAgent (Malicious)] (file) ahbilr.dll -- C:\Users\Eyal Pickholz\AppData\Local\ahbilr.dll -> Found
[PUP.Popcorn (Potentially Malicious)] (folder) PopcornTime -- C:\Users\Eyal Pickholz\AppData\Local\PopcornTime -> Found
[Miner.Gen (Malicious)] (folder) wup -- C:\Users\Eyal Pickholz\AppData\Local\Temp\wup -> Found
[PUP.CloudPrinter|PUP.Linkury|PUP.Gen1 (Potentially Malicious)] (folder) CloudPrinter -- C:\ProgramData\CloudPrinter -> Found
[PUP.LogicHandler|Adw.LogicCramble (Malicious)] (folder) Logic Cramble -- C:\ProgramData\Logic Cramble -> Found
[PUP.Popcorn (Potentially Malicious)] (folder) Popcorn Time -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Popcorn Time -> Found
[PUP.Gen1 (Potentially Malicious)] (folder) Quoteex -- C:\ProgramData\Quoteex -> Found
[PUP.Gen1 (Potentially Malicious)] (folder) Quoteexs -- C:\ProgramData\Quoteexs -> Found
[PUP.Gen1 (Potentially Malicious)] (folder) Solvusoft -- C:\ProgramData\Solvusoft -> Found
[PUP.PCProtect (Potentially Malicious)] (folder) TotalAV -- C:\ProgramData\TotalAV -> Found
[Tr.Ursu (Malicious)] (folder) MachinerData -- C:\Program Files (x86)\MachinerData -> Found
[PUP.Popcorn (Potentially Malicious)] (folder) Popcorn Time -- C:\Program Files (x86)\Popcorn Time -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> Chrome Config
  [PUM.SearchEngine (Potentially Malicious)] default_search_provider_data.template_url_data.keyword (C:\Users\Eyal Pickholz\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences) -- feed.sonic-search.com -> Found
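
The report above is plain text, and the entries a responder cares about are scattered across sections: the two `rundll32.exe` and `wscript.exe` hits are legitimate Windows binaries, the real payload is the DLL or `.wsf` they are told to load (visible in the Run key and the scheduled task, not in the process list), and `C:\Windows\rss\csrss.exe` borrows the name of a System32 process. The following script is an added example for this thread, not RogueKiller's own tooling: it parses the line formats seen in the posted report, pulls out the effective payload behind LOLBin hosts, flags system-binary masquerades, and lists the distinct files worth collecting. The LOLBin and masquerade heuristics are this script's assumptions, and `SAMPLE_REPORT` is a constructed excerpt of the report above.

```python
"""Structured triage of a RogueKiller text report.

Added example for this thread, not RogueKiller's own tooling. The line formats it parses
are taken from the report posted above; the LOLBin and masquerade heuristics are this
script's own assumptions, and SAMPLE_REPORT is a constructed excerpt of that report.
"""
import re
from dataclasses import dataclass
from typing import Optional

SECTION_RE = re.compile(r"^¤+\s*(?P<name>.+?)\s*¤+$")
SUBSECTION_RE = re.compile(r"^>>>>>>\s*(?P<name>.+?)\s*$")
FINDING_RE = re.compile(
    r"^\s*\[(?P<detection>[^\]]+?)\s+\((?P<severity>[^)]+)\)\]\s*"
    r"(?P<name>.+?)\s+--\s+(?P<target>.+?)\s*->\s*Found\s*$"
)
# First path-like token of a target: optional quote, optional \??\ NT prefix.
PATH_RE = re.compile(r'^"?(?:\\\?\?\\)?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|sys|wsf|lnk))\b', re.I)
# Legitimate Windows hosts: the finding that matters is what they are told to load.
LOLBIN_PAYLOAD_RE = {
    "rundll32.exe": re.compile(r'"?([A-Za-z]:\\[^",]+\.dll)"?', re.I),  # rundll32.exe "x.dll",Entry
    "wscript.exe": re.compile(r'\["?([A-Za-z]:\\[^"\]]+)"?\]', re.I),  # task: wscript.exe ["x.wsf"]
}
# Binaries that only legitimately live in System32; the same name elsewhere is a masquerade.
SYSTEM32_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}


@dataclass
class Finding:
    section: str
    subsection: Optional[str]
    detection: str
    severity: str
    target: str
    image: str              # file the entry points at (the host binary for LOLBin entries)
    payload: Optional[str]  # what a LOLBin host actually loads, when the report shows it
    masquerade: bool


def _image(target: str) -> str:
    m = PATH_RE.match(target.strip())
    return m.group("path") if m else target.strip().split(" ", 1)[0].strip('"')


def parse_report(text: str) -> list:
    findings, section, subsection = [], None, None
    for line in text.splitlines():
        if (m := SECTION_RE.match(line.strip())):
            section, subsection = m.group("name"), None
            continue
        if (m := SUBSECTION_RE.match(line.strip())):
            subsection = m.group("name")
            continue
        m = FINDING_RE.match(line)
        if not m or section is None:
            continue
        target = m.group("target")
        image = _image(target)
        base = image.rsplit("\\", 1)[-1].lower()
        pm = LOLBIN_PAYLOAD_RE[base].search(target) if base in LOLBIN_PAYLOAD_RE else None
        findings.append(Finding(
            section, subsection, m.group("detection"), m.group("severity"), target,
            image, pm.group(1) if pm else None,
            base in SYSTEM32_NAMES and not image.lower().startswith("c:\\windows\\system32\\"),
        ))
    return findings


def triage(findings: list) -> dict:
    """Malicious-rated entries, payloads behind LOLBin hosts, masquerades, files to collect."""
    files = {}
    for f in findings:
        host = f.image.rsplit("\\", 1)[-1].lower() in LOLBIN_PAYLOAD_RE
        for p in ([] if host else [f.image]) + ([f.payload] if f.payload else []):
            if re.match(r"[A-Za-z]:\\", p):
                files.setdefault(p.lower(), p)  # Windows paths are case-insensitive
    return {
        "malicious": [f for f in findings if f.severity == "Malicious"],
        "lolbin_payloads": sorted({f.payload for f in findings if f.payload}),
        "masquerades": sorted({f.image for f in findings if f.masquerade}),
        "artifacts": sorted(files.values()),
    }


# Constructed excerpt of the report above (same line formats, fewer entries).
SAMPLE_REPORT = r"""
¤¤¤¤ Processes ¤¤¤¤
[Suspicious.Path (Potentially Malicious)] wscript.exe (6284) -- C:\Windows\System32\wscript.exe -> Found
[Tr.ProxyAgent (Malicious)] rundll32.exe (7936) -- C:\Windows\SysWOW64\rundll32.exe -> Found
¤¤¤¤ Services ¤¤¤¤
[Tr.Winmon (Malicious)] Winmon (0) -- \??\C:\Windows\System32\drivers\Winmon.sys -> Found
¤¤¤¤ Tasks ¤¤¤¤
[Suspicious.Path (Potentially Malicious)] (Microsoft Windows) \koIASyAUcnLTC2 -- C:\Windows\system32\wscript.exe ["C:\ProgramData\lbXXFMhQgcaZEWVB\iSIInEH.wsf"] -> Found
[Tr.Chapak (Malicious)] \csrss -- C:\Windows\rss\csrss.exe -> Found
¤¤¤¤ Registry ¤¤¤¤
>>>>>> O4 - Run
  [Tr.ProxyAgent (Malicious)] (X64) HKEY_USERS\S-1-5-21-1537819233-3836446741-3658253957-1001\Software\Microsoft\Windows\CurrentVersion\Run|ahbilr -- rundll32.exe "C:\Users\Eyal Pickholz\AppData\Local\ahbilr.dll",ahbilr -> Found
>>>>>> O20 - AppInit DLLs
  [PUP.Gen1 (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs -- C:\ProgramData\Quoteex\Zenlight.dll -> Found
"""

if __name__ == "__main__":
    for key, items in triage(parse_report(SAMPLE_REPORT)).items():
        print(key + ":", *[getattr(i, "image", i) for i in items], sep="\n  ")
```

Two caveats when reading the output. The Processes section only records the image path, so for `wscript.exe` the `.wsf` payload appears only through the Tasks entry, and a host process with no matching registry or task line has no payload to report. And "Found" is a detection, not a removal: as the rest of the thread shows, deleting the listed entries did not hold, which is why the moderator moved to a full FRST investigation.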

Curson
Re: removal of SafeFinder from WIN7 pro
« Reply #3 on: April 22, 2020, 10:18:43 PM »
Hi arikpik,

Please remove all the entries RogueKiller found, then follow this process: Reset Chrome settings to default.
Is the redirection still present ?

Regards.

arikpik
Re: removal of SafeFinder from WIN7 pro
« Reply #4 on: April 23, 2020, 07:30:14 AM »
Hi,

1. It only works temporarily. It returns after a while.

2. SafeFinder is still seen in the list of programs under Control Panel > Programs. The Uninstall/Change operation does not remove it, so I believe this malware has deleted its own uninstaller.

3. Most of the anti-malware and AV tools are no longer supporting Win7.

4. This is seriously affecting my daughter's ability to use the laptop for her studies, especially now that she is working remotely all the time.

Thanks ,

Arikpik.

Curson
Re: removal of SafeFinder from WIN7 pro
« Reply #5 on: April 23, 2020, 05:24:08 PM »
Hi arikpik,

It seems RogueKiller does not detect the whole infection, allowing it to persist.
We will be doing a full system investigation.

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach log back here using the "Attachments and other options > Attach" feature.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
Regards.

arikpik
Re: removal of SafeFinder from WIN7 pro
« Reply #6 on: April 23, 2020, 08:55:49 PM »
Hi ,

The files are attached now.

Best regards ,

arikpik

Curson
Re: removal of SafeFinder from WIN7 pro
« Reply #7 on: April 23, 2020, 09:55:11 PM »
Hi arikpik,

Your computer is heavily infected. Please make a backup of your personal data before proceeding any further.

Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Regards.

arikpik
Re: removal of SafeFinder from WIN7 pro
« Reply #8 on: April 24, 2020, 12:08:35 PM »
Hi ,

Thank you for trying to assist us.

During this run the laptop had to shut down, and it did not continue running FRST following the boot.

Nevertheless it had saved a file that is attached.

Best regards ,

arikpik

Curson
Re: removal of SafeFinder from WIN7 pro
« Reply #9 on: April 24, 2020, 04:01:59 PM »
Hi arikpik,

It seems FRST was still able to process the script.
How is your computer running now ?

Regards.

arikpik
Re: removal of SafeFinder from WIN7 pro
« Reply #10 on: April 24, 2020, 04:11:30 PM »
Hi ,

I just bought a yearly license. My computer works great now.

One question though: can the sound that plays when RogueKiller detects a real-time issue be turned off for this app?

Thank you for the very professional treatment.

arikpik
Ariel.pickholz

Curson
Re: removal of SafeFinder from WIN7 pro
« Reply #11 on: April 24, 2020, 06:48:45 PM »
Hi Ariel,

I'm glad to read this.
You can now remove all the tools and linked files used during the malware removal process.

Thanks for supporting our product.
There is no way to only disable the sound, but you can turn off the whole notification system. Click on "Settings", then go to the "General" tab and toggle the "Notifications" option.

Regards.