View Full Version : Rogue URL
New joiner. Need help!!!
Homepage hijacked by www.safetydefender.com. Claims my computer is infected and suggests I go to various Spyware program sites. Used SpyBot scanner to get rid of this Trojon but still comes back. The scanner now says computer is not infected but my homepage is still defaults to this site. Unable to change it using 'Internet Options'. Anyone got any ideas how to get rid of this problem?
steamwiz
2006-05-10, 00:46
Hi
Download: SmitfraudFix.zip from :-
http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)
1. Download to your desktop
2. unzip the zip file to your desktop (they will be extracted to a folder called SmitfraudFix
3. Double-click smitfraudfix.cmd
4. Select 1 and hit Enter to create a report of the infected files
5. find the C:\rapport.txt file and post the contents in your next post here...
steam
Hi Steamviz, Here is the file . Thanks for you help.
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: 01/05/2006
The current time is: 16:27:27.98
Running from
C:\Documents and Settings\Pankaj\My Documents\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
hp***.tmp
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 892 'explorer.exe'
Killing PID 892 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN! :)
Hi Steamwiz, Sorry I sent you a wrong file.
When I clicked on smitfraudfix.cmd. a window appeared with the following message.
Process .exe file missing. Unzip all the archive in a folder.
When i click OK nothing happens!!!
Regards Pankaj
steamwiz
2006-05-10, 23:58
Hi
The process.exe file should be in the folder with the smitfraudfix.cmd
When you unzip the smitfraudfix.zip there should be 7 files ...
Process.exe
Reboot.exe
restart.exe
smitfraudfix.cmd
SrchSTS.exe
swreg.exe
swsc.exe
If any of these files are missing, delete the zip file + folder and download it again...
cheers
steam
Hi, Thanks for you help. Manage to get rid of the rogue URL with some additional help from Spybot e mail service.
Regards, Pankaj
LonnyRJones
2006-05-16, 14:40
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me, steam or Tashi know.