Author Topic: www.safesear.ch over takes home pages  (Read 10382 times)

Offline atckris

  • Newbie
  • *
  • Join Date: Oct 2011
  • Posts: 8
  • Karma: 0
www.safesear.ch over takes home pages
« on: April 07, 2015, 04:55:01 pm »
www.safesear.ch over takes home pages (YES SPELLING IS CORRECT)
I have run the latest tweaking AIO, Malwarebytes, SAS, YAC, Hijack This, and a few others.
As soon as you set the page to anything else and close and reopen, on ALL THREE (IE, Chrome and Firefox) it comes right back.
NO EXTENSIONS or ADDONS, never was a program in ADD/REMOVE.

After running all these, I followed a Google post to delete the file: c:\windows\System32\grouppolicy\machine\registry.pol

I did get Chrome to hold on to www.yahoo.com so far, will know more tomorrow. BUT IE and FIREFOX are still locked to www.safesear.ch.

I searched the registry and found NOTHING.

EERRRR any ideas?

Offline Willy2

  • Hero Member
  • *****
  • Join Date: Oct 2011
  • Posts: 1165
  • Karma: 18
« Last Edit: April 07, 2015, 11:59:28 pm by Willy2 »

Offline Boggin

  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
Re: www.safesear.ch over takes home pages
« Reply #2 on: April 08, 2015, 12:09:27 am »
To remove browser hijackers I would recommend a scan by AdwCleaner followed by one with Junkware Removal Tool.

http://www.bleepingcomputer.com/download/adwcleaner/

Click on Scan and some items may appear in the lower pane which you can uncheck for any you wish to keep.

When the scan has completed, click on Report and it will show what it has and will delete when you close the report and click on Cleaning.

Another report will be produced after the reboot to show what it has deleted.

The link for JRT is lower down the AdwCleaner page.

This usually takes a bit longer to run but will produce its report upon completion.

Offline atckris

  • Newbie
  • *
  • Join Date: Oct 2011
  • Posts: 8
  • Karma: 0
Re: www.safesear.ch over takes home pages
« Reply #3 on: April 08, 2015, 08:14:49 am »
I have run AdwCleaner and Junkremover already (that was included in the "others" programs).

It is NOT a TOOLBAR; it has changed the HOMEPAGE, and when I reset it and close the browsers it comes back.

The ONLY program I have not run suggested so far is the HITMAN PRO.

Offline Boggin

  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
Re: www.safesear.ch over takes home pages
« Reply #4 on: April 08, 2015, 08:44:40 am »
Run the appropriate MS Fixit to reset the Hosts File to see if that makes any difference. http://support.microsoft.com/en-us/kb/972034

What did ADW and JRT find, as they are usually adept at removing browser hijackers?

Offline Shane

  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9281
  • Location: USA
  • Karma: 137
  • "Knowledge should be shared not hidden."
Re: www.safesear.ch over takes home pages
« Reply #5 on: April 08, 2015, 01:46:13 pm »
Sounds like it is more likely a hidden rootkit doing it. Have you run TDSSKiller.exe and combofix.exe yet?

Shane