SoftSafeness
Last Updated on Friday, 15 January 2010 13:12 Wednesday, 16 September 2009 17:56
SoftSafeness is reported to be a rogue application. There are several ways a fake/rogue application may enter your computer. 1) You may have downloaded it knowingly or unknowingly, mistaking it for something else.
I have categorized this rogue application in the nsProcess.dll group. You can find information on other rogue applications belonging to this group on this link. You can find the latest ThreatExpert analysis reports of this rogue on this link. If you happen to have the rogue installer, you can submit it to the ThreatExpert site and get it analyzed; that will help you get precise information about the virus.

Files Associated
These are the different EXE file names used by this malware: SoftSafeness.exe, SoftSafenessSvc.exe, ozn695m5.exe, and several semi-randomly generated files in the C:\Windows directory.

Trying System Restore
If you know how long your computer has been infected, you can try to restore your computer to a prior date; that will work like a miracle in removing the infection.

Free removal tools
Manual Removal
These are the steps to be taken if you want to or need to remove the infected files manually. You may not find all the files mentioned below on an infected computer; the virus adds different files depending on its variant. I have listed all the names found in the available reports.

Boot in safe mode
Sometimes you will not be able to delete a file even if you find it; in that case you should boot in safe mode and then try to delete it/them.

Remove Processes from Task Manager
Press Ctrl+Shift+Esc to open Task Manager. Look in the list of processes for SoftSafeness.exe, SoftSafenessSvc.exe and ozn695m5.exe. Select each one and press the End Process button, confirm to terminate the process, and close Task Manager. Alternatively, you can use Windows Defender to see the path of a currently running program/process and its publisher, so as to differentiate malware processes from processes belonging to legitimate publishers. You may find such processes listed under Unknown Publisher in Windows Defender.

Removing entry from windows startup
The System Configuration utility can be started in XP and in Vista by typing msconfig in the Run box / Start menu search box (in XP, click Start > Run). The Windows startup list is reversible, so you can check/uncheck any entry any number of times. After the System Configuration window is open, click on the Startup tab, which lists all the programs scheduled to start with Windows. Expand the middle column with your mouse pointer so that you can see the full path of each program. Locate and uncheck "SoftSafeness" or SoftSafeness.exe, SoftSafenessSvc.exe, ozn695m5.exe (look for any other suspicious names). Press Apply, press Close/OK, and select "do not restart" at the next prompt.

Removing windows Service
This malware creates a new Windows service named "SoftSafenessSvc" or SoftSafeness Security Service. While still in the System Configuration utility, click on the Services tab, tick Hide all Microsoft Services, and then look in the list for the above-named service. Locate it and uncheck the box in front of its name if it is checked (do nothing if it is already stopped). Press Apply, press Close/OK and select "restart" at the next prompt. This service can be removed after deleting the file "SoftSafenessSvc.exe" and then removing it from the registry, easily done by running CCleaner.

View Hidden Files
Before you can delete SoftSafeness and its associated files you need to search for them, and before doing that you need to enable viewing of hidden files and folders.

Deleting files
After restarting the computer, use the Windows search utility to search for "SoftSafeness" and also for the names you found and removed in Task Manager or in the startup list. This search should find all of its folders on the hard disk; delete them. These are some folders found on different infected computers:

C:\Documents and Settings\All Users\Start Menu\Programs\SoftSafeness
C:\Program Files\SoftSafeness Software
C:\Program Files\SoftSafeness Software\SoftSafeness
%Temp%\nsh2.tmp

Delete the above folders. These are the locations of its exe files:

C:\Program Files\SoftSafeness Software\SoftSafeness\SoftSafeness.exe
C:\Windows\System32\ozn695m5.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\ozn695m5.exe
%Temp%\nsq2.tmp\nsProcess.dll
C:\Windows\System32\ntvdm.exe (these two files seem to be common in this group; note that ntvdm.exe is also the name of a legitimate Windows component, so verify the file's publisher before deleting it)

Apart from the above folders, several other files were found in the C:\Windows directory. These are semi-randomly named; you need to look inside the C:\Windows directory and delete similar files if found. The names will be different on every infected computer, but you can be certain that they begin with 1 or 2, have OCX, BIN, CPL, EXE or DLL extensions, are approximately 13-20 characters long, and include letters and numbers. Some garbled text will be found inserted in between, such as not-a-virus, vizu, hack, backdo, worm and so on.

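The naming pattern described above can be turned into a heuristic check so you do not have to eyeball the whole C:\Windows listing. The following Python script is an added example, not part of the original article or of ThreatExpert's tooling; the directory listing it scans is constructed here for illustration, and the prefix, length, extension and marker rules are taken from the paragraph above. Against a real listing it only reports candidates; each match still needs to be inspected before deletion.

```python
import os
import re
from typing import Iterable, List

# Heuristic from the removal notes: dropped files in C:\Windows begin with
# "1" or "2", are roughly 13-20 characters long, mix letters and digits,
# carry an OCX/BIN/CPL/EXE/DLL extension, and embed fragments such as
# "not-a-virus", "vizu", "hack", "backdo" or "worm".
MARKERS = ("not-a-virus", "vizu", "hack", "backdo", "worm")
EXTENSIONS = {".ocx", ".bin", ".cpl", ".exe", ".dll"}
STEM_RE = re.compile(r"^[12][A-Za-z0-9\-]+$")   # leading 1/2, then letters/digits/hyphens

# Constructed sample listing (not from the page): a few legitimate names mixed
# with names that follow the pattern and a few near-misses.
SAMPLE_LISTING = [
    "explorer.exe", "kernel32.dll", "notepad.exe",
    "1vizu7hack.dll", "2xworm91ab.exe", "2not-a-virus1.cpl",
    "hackfile2020.exe",      # contains a marker but does not start with 1/2
    "1abc.exe",              # too short
    "123456789012.exe",      # digits only, no letters
    "1vizu7hackback.txt",    # wrong extension
]


def is_suspicious(filename: str) -> bool:
    """Return True when a bare file name matches the described dropper pattern."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXTENSIONS:
        return False
    if not 13 <= len(filename) <= 20:
        return False
    if not STEM_RE.match(stem):
        return False
    if not any(c.isalpha() for c in stem):   # must contain letters, not only digits
        return False
    lowered = stem.lower()
    return any(marker in lowered for marker in MARKERS)


def scan_names(names: Iterable[str]) -> List[str]:
    """Filter an iterable of bare file names down to the suspicious ones, sorted."""
    return sorted(name for name in names if is_suspicious(name))


def scan_directory(path: str) -> List[str]:
    """Scan a real directory (e.g. C:\\Windows); only files, not subdirectories."""
    return scan_names(
        entry for entry in os.listdir(path)
        if os.path.isfile(os.path.join(path, entry))
    )


if __name__ == "__main__":
    for name in scan_names(SAMPLE_LISTING):
        print("candidate:", name)
```

The script deliberately reports rather than deletes: a name that merely resembles the pattern is not proof, and the legitimate-file check (publisher, signature, creation time relative to the infection) is still done by hand.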
Run CCleaner
Run CCleaner after deleting SoftSafeness and its associated files, as there will be leftover entries in the Windows registry. CCleaner is a free temp-file/registry cleaner that will automatically clean the registry as well as remove the temp files.

Edit Registry
Edit the registry if you are comfortable using the regedit command. You can find the registry modifications in any of the reports mentioned at the beginning of this article.

More Problems
If you are unable to open Task Manager, the Registry Editor, System Restore, Folder Options etc. because the virus has disabled them, there are free tools and techniques to solve this problem. They are listed here: Tools for Windows XP, Tools for Windows Vista.

Use the System File Checker
Use the System File Checker if you want to make sure that the Windows system files have not been altered by the virus, and to repair them if they have been.

Unable to access security related sites
This can happen if your Hosts file has been altered. To repair/edit the hosts file, log in as administrator and open the following file in Notepad: C:\WINDOWS\system32\drivers\etc\hosts. Remove anything other than 127.0.0.1 localhost, then save and close the file.

Using Firewall
Check your firewall for any suspicious communication from your computer to the internet and block it using the firewall. The malware communicates with the following sites:
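As an added example (not part of the original article), the following Python script audits a hosts file the way the paragraph above describes by hand: it reports every mapping that is not loopback to localhost, and can produce a cleaned copy that keeps only comments and the localhost lines. The sample hosts content is constructed here with reserved .example names and a TEST-NET address; the real file lives at the path given above, and `audit_hosts_file` defaults to it.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample (not from the page): the first three lines are what a stock
# Windows hosts file contains; the rest are the kind of entries a hijack adds so
# that security vendor sites resolve to loopback or to an attacker-controlled IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.security-vendor.example
0.0.0.0         update.security-vendor.example
192.0.2.10      downloads.antivirus.example   # redirected to another host
"""

LOCALHOST_NAMES = {"localhost"}
DEFAULT_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"


def parse_hosts(text: str):
    """Yield (line_no, ip, [hostnames]) for every non-blank, non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        yield line_no, parts[0], parts[1:]


def audit_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every mapping other than loopback -> localhost."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, " ".join(names)))   # malformed line
            continue
        for name in names:
            if addr.is_loopback and name.lower() in LOCALHOST_NAMES:
                continue
            findings.append((line_no, ip, name))
    return findings


def clean_hosts(text: str) -> str:
    """Return the hosts text with only comments, blanks and loopback -> localhost kept."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if not stripped:
            kept.append(raw)                     # comment or blank line
            continue
        parts = stripped.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        if addr.is_loopback and all(n.lower() in LOCALHOST_NAMES for n in parts[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


def audit_hosts_file(path: str = DEFAULT_HOSTS_PATH) -> List[Tuple[int, str, str]]:
    """Audit the real hosts file; run with administrator rights on Windows."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for line_no, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {name}")
    print(clean_hosts(SAMPLE_HOSTS))
```

IPv6 loopback (`::1 localhost`) is treated the same as 127.0.0.1, and an unparsable address is reported rather than silently kept. Review the findings before writing the cleaned text back, since some environments legitimately add their own hosts entries.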
Reprinted with permission from ThreatExpert.com
