Getting rid of safesear.ch from Google Chrome


I took in a coworker’s computer that wouldn’t boot. I replaced a blown capacitor, power supply, and a video card.

However, I then noticed her machine seemed to be malware-infested. I got rid of most of it by sweeping it with the usual suspects of disinfectants like ComboFix, MalwareBytes, Hitman Pro, etc.

However, no matter what I tried I couldn’t get a search engine hijacker to be excised. It is the infamous safesear.ch malware, which can be a beast to remove.

Hours later, it looks like I finally have Google Chrome cleaned up.

Here is what finally did it:

https://productforums.google.com/forum/#!topic/chrome/YTsjmFFCPn8

Thanks go to rfmanning (Bob). Here is the fix (quoting from the site):

rfmanning said:
I too had the misfortune of encountering the sear.ch default search hijacking. I tried everything. I even purchased SpyHunter2 which found some remnants I had missed. Search still hijacked.

Here’s what worked for me…

Finally, navigate to C:\Windows\System32\GroupPolicy\Machine (alternatively C:\Windows\System32\GroupPolicy\User).

Look for Registry.pol or other .pol files that reference the extension ID. To do so, simply open the file with Notepad. If it’s the file you are looking for, delete it.

This killed the hijack and restored my ability to set my default browser in Chrome.

For those curious:

These are the contents of the Registry.pol I found and deleted.

PReg
[Software\Policies\Google\Chrome;MetricsReportingEnabled;;;]
[Software\Policies\Google\Chrome;DefaultSearchProviderEnabled;;;]
[Software\Policies\Google\Chrome;DefaultSearchProviderName;;;SafeSearch]
[Software\Policies\Google\Chrome;DefaultSearchProviderSearchURL;;;http://www.safesear.ch/web/?type=ss-ch-ds-ix&q={searchTerms}]
[Software\Policies\Google\Chrome;DefaultSearchProviderIconURL;;;http://www.safesear.ch/images/favicon.ico]
[Software\Policies\Google\Chrome;DefaultSearchProviderSuggestURL;;;http://ff.search.yahoo.com/gossip?output=fxjson&command={searchTerms}]
[Software\Policies\Google\Chrome;DefaultSearchProviderNewTabURL;;;http://www.safesear.ch/?type=ch-nt]
[Software\Policies\Google\Chrome\Recommended;HomepageLocation;;;http://www.safesear.ch/?type=20141028-ch-ix]
[Software\Policies\Google\Chrome\Recommended;HomepageIsNewTabPage;;;]
[Software\Policies\Google\Chrome\Recommended;RestoreOnStartup;;;]
[Software\Policies\Google\Chrome\Recommended\RestoreOnStartupURLs;1;;;http://www.safesear.ch/?type=20141028-ch-ix]

Bob

All I can add is that (a) I tried it and it worked and (b) Bob deserves a salute!
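As an added example (not code from this post or from Bob's fix), the Python script below does what Bob did by eye in Notepad: it parses a Registry.pol (PReg) file and flags every string policy under the Chrome key whose URL points at a host outside an allow-list. The sample file is constructed in code from the entries quoted above, and the allow-list of trusted search hosts is an assumption.

```python
import struct
from urllib.parse import urlparse

PREG_MAGIC, REG_SZ, REG_DWORD, U16 = b"PReg", 1, 4, "utf-16-le"
CHROME_KEY = "software\\policies\\google\\chrome"   # compared case-insensitively

def build_preg(entries):
    out = bytearray(PREG_MAGIC + struct.pack("<I", 1))          # "PReg" magic + version 1
    for key, name, rtype, data in entries:                       # [key;value;type;size;data] in UTF-16LE
        payload = struct.pack("<I", data) if rtype == REG_DWORD else (data + "\0").encode(U16)
        out += "[".encode(U16) + (key + "\0;" + name + "\0;").encode(U16)
        out += struct.pack("<I", rtype) + ";".encode(U16) + struct.pack("<I", len(payload)) + ";".encode(U16)
        out += payload + "]".encode(U16)
    return bytes(out)

def parse_preg(blob):
    """Decode a Registry.pol (PReg) file into (key, value, type, data) tuples."""
    if blob[:4] != PREG_MAGIC: raise ValueError("not a PReg file")
    def wsz(p):                              # NUL-terminated UTF-16LE string; skip the NUL and the ';' after it
        end = next(e for e in range(p, len(blob), 2) if blob[e:e + 2] == b"\0\0")
        return blob[p:end].decode(U16), end + 4
    entries, pos = [], 8
    while pos < len(blob):
        key, pos = wsz(pos + 2)              # skip '['
        name, pos = wsz(pos)
        rtype, size = struct.unpack_from("<I", blob, pos)[0], struct.unpack_from("<I", blob, pos + 6)[0]
        pos += 12                            # DWORD type, ';', DWORD size, ';'
        raw, pos = blob[pos:pos + size], pos + size + 2   # data, then ']'
        data = raw.decode(U16).rstrip("\0") if rtype == REG_SZ else struct.unpack("<I", raw)[0] if rtype == REG_DWORD else raw
        entries.append((key, name, rtype, data))
    return entries

def untrusted_chrome_urls(entries, trusted_hosts):
    """Flag string policies under the Chrome key whose URL host is not on the allow-list."""
    hits = []
    for key, name, rtype, data in entries:
        if rtype == REG_SZ and key.lower().startswith(CHROME_KEY) and data.startswith("http"):
            host = (urlparse(data).hostname or "").lower()
            if host not in trusted_hosts:
                hits.append((key, name, host))
    return hits

K = "Software\\Policies\\Google\\Chrome"   # constructed sample mirroring the post's entries, not the real file
SAMPLE = build_preg([
    (K, "MetricsReportingEnabled", REG_DWORD, 0),
    (K, "DefaultSearchProviderName", REG_SZ, "SafeSearch"),
    (K, "DefaultSearchProviderSearchURL", REG_SZ, "http://www.safesear.ch/web/?type=ss-ch-ds-ix&q={searchTerms}"),
    (K + "\\Recommended", "HomepageLocation", REG_SZ, "http://www.safesear.ch/?type=20141028-ch-ix"),
])
```

To check a real machine, read C:\Windows\System32\GroupPolicy\Machine\Registry.pol (and the User variant) in binary mode and pass the bytes to parse_preg; on a home PC that has never been domain-joined, any Chrome search-provider policy there deserves a second look.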
