?
Solved

SafetyDefender

Posted on 2006-04-27
11
Medium Priority
?
3,143 Views
Last Modified: 2013-12-04
Each time I click on IE, safetydefender.com opens instead of my home page. The content says that I am under the control of a remote computer and the only way to fix this is to click a link that will sell me the removal tools,ie. Spyware and Malware removal software.

I have tried smitrem and smitfraudfix, but even though they say they are cleaning my machine, when I reboot and open IE, I still am at the safetydefender website.

Has anyone else encountered this and overcome it?
0
Comment
Question by:jerryvoss
  • 4
  • 3
  • 2
  • +2
11 Comments
 
LVL 32

Assisted Solution

by:r-k
r-k earned 800 total points
ID: 16558992
Please download HijackThis from http://www.hijackthis.de/ and run it. Post the resulting log back to that same web page (not here) then click on "analyze" and then on the next page click on "Save Analysis" at the bottom.
Finally, post the link to the saved analyzed page here.
0
 

Author Comment

by:jerryvoss
ID: 16559469
Thank you, r-k

http://www.hijackthis.de/logfiles/4e922e2fda7987abd7d332297775bb9a.html

I hope this is the right way to post the link.

Jerry
0
 
LVL 32

Expert Comment

by:r-k
ID: 16559500
That is the ight way, thanks.

I would suggest running HJT again and asking it fix the following entries:

 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
 O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINNT\system32\hpB1F9.tmp
 
Then reboot and re-run HJT to see if these entries are really gone. If so, the problem should be mostly solved and you should be able to reset you home page.
0
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

 

Author Comment

by:jerryvoss
ID: 16559812
After rebooting, I ran HJT again.  Two of the entries are gone, and the BHO has changed, but is still there.

When I opened IE, it didn't open to "safetydefender.com,"  instead, there is an empty page with the address "about:blank" and when I try to reset my home page it returns to about:blank as soon as I leave the page.

I resubmitted the logfile from the latest scan. It is: http://www.hijackthis.de/logfiles/36da920c430d1c9d4e19b164242d18d1.html

How do I get rid of about:blank?

Thank you for your help.

Jerry
0
 
LVL 23

Assisted Solution

by:bhanukir7
bhanukir7 earned 400 total points
ID: 16561497
hi there

the manual method of removing the About:Blank hijacker is probably the most difficult, since if it is not followed absolutely correctly it can return quickly. There are two programs that are needed to help with this removal. The first is HijackThis and the next is a registry program called Reglite.exe, this particular program for whatever reason seems to be able to find the hidden dll file without the hijacker trying to undo the work and attack the system again.

Once you've downloaded HijackThis and Reglite, open Registrar Lite and navigate to the following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Look for the Key named AppInit_DLLs, the value in this key is the hidden dll file that is causing your problems. Write down the name of this file and think of it as the hidden.dll file

Secondly, use the Windows Recovery Console in Windows XP to rename the file.

Restart the computer in Recovery Console mode using the Windows XP or Windows 2000 CD or by the option show below

Type cd \windows\system32 and press Enter

Type the following line to remove the read-only characteristic, replacing hidden.dll with the name of the dll file found with RegLite
          ATTRIB -R hidden.dll

Rename the hidden.dll file by typing the following command (replacing the word hidden.dll with the actual filename)
         RENAME hidden.dll badfile.dll

Type Exit and press Enter to Reboot Windows


bhanu
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 800 total points
ID: 16562210
Hi,
Did you download this version of Smitfraudfix on this date? --> SmitfraudFix v2.36 (April 27, 2006)

This file below (which is showing in your running processes, respawn the whole infection, and it has been included in the latest smitfraudfix update (April 27,2006)
C:\WINNT\system32\dcomcfg.exe

If yours is not the latest version please download smitfraudfix again and do the whole cleanup process.
Please download SmitfraudFix:
 http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
"smitfraudfix.cmd"
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry ?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.

 
2. If problem persists:
Then, download roguescanfix.exe , and save it to your desktop.
http://www.martijnc.be/tools/roguescanfix.exe
Double click roguescanfix.exe to install it.
Open the roguescanfix folder, and doubleclick run.bat. Make Sure you have an active internet connection!
Your desktop and icons will disappear and then reappear again, this is normal.
Wait till the message "Completed script execution" appears, then click OK.
Click "Exit" to close BFU.
Click "OK" to start the SpywareQuake/Spyfalcon uninstaller, after that click "uninstall". Please wait until it is finished.
WARNING: You will be asked to reboot your computer. Wait until the uninstallers did their job before clicking YES.

*In case you still get the message BFU.exe is not present, download BFU.zip:
http://www.merijn.org/files/bfu.zip
Unzip it and place BFU.exe in the Roguescanfix-folder. Then doubleclick Run.bat again.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16562261
Oh yeah, remove the entries that r-k suggested if they're still present after running the tool, :)

Ooops, the rougescanfix canned speech is a little outdated but the fix itself is also updated with removing the the re-spawner "C:\WINNT\system32\dcomcfg.exe"
0
 

Author Comment

by:jerryvoss
ID: 16564385
Thank you all for your help.  I won't be able to try them until later in the day.

Jerry
0
 
LVL 2

Expert Comment

by:nikorba
ID: 16565384

Hi There, Check Out this link , Someone has the same problem    ;)

http://forums.techguy.org/security/461472-windows-xp-hijack-log-eliminate.html
0
 

Author Comment

by:jerryvoss
ID: 16574311
Thank you all for your help!

After I ran the newer version of SmitFraudFix in Safe Mode, I got a message saying: "Cannot inport cleanup.reg:  Error accessing the registry" but when the text file came up at the end, it reported that the registry was cleaned.

I restarted the computer in normal mode, and IE opened up to MSN, and then I reset it to my normal home page.  I've opened and closed the browser several times, and it seems to be back to normal.  Again, thank you all very much!

Jerry
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16582623
Glad to hear your problem's resolved.

Thanks, :)
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
As many of you are aware about Scanpst.exe utility which is owned by Microsoft itself to repair inaccessible or damaged PST files, but the question is do you really think Scanpst.exe is capable to repair all sorts of PST related corruption issues?
Suggested Courses
Course of the Month14 days, 8 hours left to enroll

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question