
SafetyDefender

Each time I click on IE, safetydefender.com opens instead of my home page. The content says that I am under the control of a remote computer and the only way to fix this is to click a link that will sell me the removal tools, i.e. spyware and malware removal software.

I have tried smitrem and smitfraudfix, but even though they say they are cleaning my machine, when I reboot and open IE, I still am at the safetydefender website.

Has anyone else encountered this and overcome it?
3 Solutions
 
r-k commented:
Please download HijackThis from http://www.hijackthis.de/ and run it. Post the resulting log back to that same web page (not here) then click on "analyze" and then on the next page click on "Save Analysis" at the bottom.
Finally, post the link to the saved analyzed page here.
 
jerryvoss (Author) commented:
Thank you, r-k

http://www.hijackthis.de/logfiles/4e922e2fda7987abd7d332297775bb9a.html

I hope this is the right way to post the link.

Jerry
 
r-k commented:
That is the right way, thanks.

I would suggest running HJT again and asking it to fix the following entries:

 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
 O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINNT\system32\hpB1F9.tmp
 
Then reboot and re-run HJT to see if these entries are really gone. If so, the problem should be mostly solved and you should be able to reset your home page.
jerryvoss (Author) commented:
After rebooting, I ran HJT again. Two of the entries are gone, and the BHO has changed, but is still there.

When I opened IE, it didn't open to "safetydefender.com"; instead, there is an empty page with the address "about:blank", and when I try to reset my home page it returns to about:blank as soon as I leave the page.

I resubmitted the logfile from the latest scan. It is: http://www.hijackthis.de/logfiles/36da920c430d1c9d4e19b164242d18d1.html

How do I get rid of about:blank?

Thank you for your help.

Jerry
 
bhanukir7 commented:
Hi there,

The manual method of removing the About:Blank hijacker is probably the most difficult, since if it is not followed absolutely correctly it can return quickly. There are two programs that are needed to help with this removal. The first is HijackThis and the next is a registry program called Reglite.exe; this particular program, for whatever reason, seems to be able to find the hidden DLL file without the hijacker trying to undo the work and attack the system again.

Once you've downloaded HijackThis and Reglite, open Registrar Lite and navigate to the following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Look for the key named AppInit_DLLs; the value in this key is the hidden DLL file that is causing your problems. Write down the name of this file and think of it as the hidden.dll file.

Secondly, use the Windows Recovery Console in Windows XP to rename the file.

Restart the computer in Recovery Console mode using the Windows XP or Windows 2000 CD, or by the option shown below.

Type cd \windows\system32 and press Enter

Type the following line to remove the read-only characteristic, replacing hidden.dll with the name of the dll file found with RegLite
          ATTRIB -R hidden.dll

Rename the hidden.dll file by typing the following command (replacing the word hidden.dll with the actual filename)
         RENAME hidden.dll badfile.dll

Type Exit and press Enter to reboot Windows.


bhanu
 
rpggamergirl commented:
Hi,
Did you download this version of SmitfraudFix on this date? --> SmitfraudFix v2.36 (April 27, 2006)

This file below (which is showing in your running processes) respawns the whole infection, and it has been included in the latest SmitfraudFix update (April 27, 2006):
C:\WINNT\system32\dcomcfg.exe

If yours is not the latest version please download smitfraudfix again and do the whole cleanup process.
Please download SmitfraudFix:
 http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
"smitfraudfix.cmd"
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry ?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.

 
2. If the problem persists:
Then download roguescanfix.exe and save it to your desktop.
http://www.martijnc.be/tools/roguescanfix.exe
Double-click roguescanfix.exe to install it.
Open the roguescanfix folder and double-click run.bat. Make sure you have an active internet connection!
Your desktop and icons will disappear and then reappear again; this is normal.
Wait until the message "Completed script execution" appears, then click OK.
Click "Exit" to close BFU.
Click "OK" to start the SpywareQuake/Spyfalcon uninstaller, after that click "uninstall". Please wait until it is finished.
WARNING: You will be asked to reboot your computer. Wait until the uninstallers have done their job before clicking YES.

*In case you still get the message "BFU.exe is not present", download BFU.zip:
http://www.merijn.org/files/bfu.zip
Unzip it and place BFU.exe in the Roguescanfix folder. Then double-click Run.bat again.
 
rpggamergirl commented:
Oh yeah, remove the entries that r-k suggested if they're still present after running the tool. :)

Oops, the roguescanfix canned speech is a little outdated, but the fix itself is also updated with removing the re-spawner "C:\WINNT\system32\dcomcfg.exe".
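Added example (the editor's, not code from any poster, from HijackThis or from SmitfraudFix): a Python script that triages an HJT log for the indicators this thread turns on. It covers the R0 Local Page and O2 BHO entries r-k asked to fix, the AppInit_DLLs value bhanu describes reading with RegLite (HJT reports the same value as an O20 line), and the dcomcfg.exe respawner rpggamergirl names. The sample log is constructed: the Local Page and O2 lines are the ones quoted above, the rest (Start Page, O4, O20 and the file name kbdfx.dll) are invented; the watchlists and heuristics are assumptions, not HJT's own analysis. One caveat a responder would want: a Local Page set to system32\blank.htm is IE's shipped default, so the script does not flag it on its own.

```python
"""Triage a HijackThis (HJT) log for the hijacker indicators discussed in
this thread. Added example: not code from the thread, HijackThis or
SmitfraudFix. The sample log, watchlists and heuristics are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample log. The Local Page and O2 lines are the entries r-k
# quoted from the poster's log; the Start Page, O4 and O20 lines (including
# the file name kbdfx.dll) are invented to exercise the other checks.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINNT\system32\hpB1F9.tmp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [dcomcfg] C:\WINNT\system32\dcomcfg.exe
O20 - AppInit_DLLs: C:\WINNT\system32\kbdfx.dll
"""

# Watchlists seeded from this thread (assumption: the responder keeps them).
ROGUE_HOSTS = {"safetydefender.com"}
RESPAWNERS = {"dcomcfg.exe"}

_ENTRY = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")
_BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")


@dataclass
class Finding:
    section: str  # HJT section code: R0, O2, O4, O20 ...
    reason: str
    line: str


def _host(url: str) -> str:
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def _check_r(body: str) -> Optional[str]:
    """R0/R1: IE Start/Search/Local Page values ('...Main,Start Page = <url>')."""
    if " = " not in body:
        return None
    lhs, value = body.split(" = ", 1)
    name, value = lhs.rsplit(",", 1)[-1], value.strip()
    host = _host(value)
    if any(host == h or host.endswith("." + h) for h in ROGUE_HOSTS):
        return f"{name} points at rogue site {host}"
    if name in ("Start Page", "Default_Page_URL") and value.lower() == "about:blank":
        return f"{name} is about:blank (about:blank hijacker symptom)"
    if value.lower().startswith("res://") or value.lower().endswith((".dll", ".tmp")):
        return f"{name} is served out of a local binary: {value}"
    # Local Page = <system32>\blank.htm is IE's shipped default, so it is not
    # flagged on its own; it only matters alongside the other findings.
    return None


def _check_o2(body: str) -> Optional[str]:
    """O2: Browser Helper Objects, DLLs loaded into every IE process."""
    m = _BHO.match(body)
    if not m:
        return None
    name, path = m["name"].strip(), m["path"].strip()
    reasons = []
    if name.lower() in ("nothing", "(no name)", ""):
        reasons.append("unnamed BHO")
    if not path.lower().endswith((".dll", ".ocx")):
        reasons.append(f"loaded from a non-DLL file ({path.rsplit('.', 1)[-1]})")
    return "; ".join(reasons) or None


def _check_o4(body: str) -> Optional[str]:
    """O4: autorun entries, where a respawner keeps itself alive across reboots."""
    m = re.search(r"\]\s*(?P<path>.+)$", body)
    if not m:
        return None
    exe = m["path"].strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in RESPAWNERS:
        return f"known respawner {exe}; remove it or every other fix is undone at reboot"
    return None


def _check_o20(body: str) -> Optional[str]:
    """O20: AppInit_DLLs, loaded into every process that maps user32.dll."""
    if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs is set; note the file name and rename it from Recovery Console"
    return None


_CHECKS = {"R0": _check_r, "R1": _check_r, "O2": _check_o2, "O4": _check_o4, "O20": _check_o20}


def triage(log: str) -> List[Finding]:
    findings = []
    for raw in log.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m:
            continue
        check = _CHECKS.get(m["sec"])
        reason = check(m["body"]) if check else None
        if reason:
            findings.append(Finding(m["sec"], reason, raw.strip()))
    return findings


def appinit_dlls(log: str) -> List[str]:
    """The file name(s) to write down before booting the Recovery Console."""
    names = []
    for raw in log.splitlines():
        m = _ENTRY.match(raw.strip())
        if m and m["sec"] == "O20" and m["body"].startswith("AppInit_DLLs:"):
            names += [p for p in re.split(r"[,\s]+", m["body"].split(":", 1)[1]) if p]
    return names


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("AppInit_DLLs to rename:", appinit_dlls(SAMPLE_LOG))
```

Run it as-is to see the findings for the sample; for a real log, paste the log into SAMPLE_LOG or read it from a file. appinit_dlls() exists for the same reason as bhanu's "write down the name" step: the Recovery Console has no registry editor, so the DLL name has to be known before you boot into it, and the O4 check is there because a respawner left running (as rpggamergirl points out for dcomcfg.exe) puts the R0/O2 entries straight back.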
 
jerryvoss (Author) commented:
Thank you all for your help.  I won't be able to try them until later in the day.

Jerry
 
nikorba commented:

Hi there, check out this link; someone has the same problem. ;)

http://forums.techguy.org/security/461472-windows-xp-hijack-log-eliminate.html
 
jerryvoss (Author) commented:
Thank you all for your help!

After I ran the newer version of SmitFraudFix in Safe Mode, I got a message saying: "Cannot import cleanup.reg: Error accessing the registry", but when the text file came up at the end, it reported that the registry was cleaned.

I restarted the computer in normal mode, and IE opened up to MSN, and then I reset it to my normal home page. I've opened and closed the browser several times, and it seems to be back to normal. Again, thank you all very much!

Jerry
 
rpggamergirl commented:
Glad to hear your problem's resolved.

Thanks, :)
Question has a verified solution.
