I need help please on the following browser hijacker It's called "Video free for online" (Without the spaces) Video free for online.com (without the spaces) is a browser hijacker that redirects web browser (to Sc.Video free for online.com) and promotes Total Secure 2009 rogue anti-spyware. Sc.Video free for online.com generates fake security messages in order to force users to download and purchase misleading Total Secure 2009 The warning also pops up if I click on any folder in Explorer, then a I.E window will pop up and crash I did try searching Computing net for a previous solution but just kept getting the following message The server encountered an error that prevented it from completing your request. Please try reloading the request. If the problem persists, contact the administrator. This is why I have split the name into 4 parts Computing net may have banned the word as a whole? I have done all the obvious things system restore, run spyware/virus prog, cleared I.E. temp files, cookies etc, loads of google searches but appear to just be going around in circles or getting told to download "Spyware Doctor" Thanks for any help and please be careful if searching the name yourself as to not to go the site mentioned in any searches PhilC

Download SDFix.exe and save it to your Desktop. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results". Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. Remember to re-enable the protection again afterwards before connecting to the Internet. 1.Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. 2. Open the c:\SDFix folder and double click RunThis.cmd to start the script. Type Y to begin the script. It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC. 3. Your system will take longer that normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons. 4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

Thanks jabuck for your response and very much appreciated.I followed your instructions to the letter However SDFix appears not to work with Windows Vista? In safe mode when I click on "RunThis.bat" a command window opens and then closes again within halve a second. Is this fix only appreciable to Windows XP? Once again thanks for your help and any other help would be much appreciated. I'm beginning to think a reload of Vista may be the only solution, but I have completely forgotten how I managed to dual boot this laptop into Vista or XP as it is now PhilC

Yes, thats right, I overlooked the vista part..try these scans. Please download Malwarebytes' Anti-Malware from one of these sites: MalwareBytes1 MalwareBytes2 1. Double Click mbam-setup.exe to install the application. 2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. 3. If an update is found, it will download and install the latest version. 4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. 5. When the scan is complete, click OK, then Show Results to view the results. 6. Make sure that everything found is checked, and click Remove Selected. 7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately. 8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. 9. Copy&Paste the entire report in your next reply. Please download and install the latest version of HijackThis v2.0.2: Download the "HijackThis" Installer from this link: Hijack This 1. Save " HJTInstall.exe" to your desktop. 2. Double click on HJTInstall.exe to run the program. 3. By default it will install to C:\Program Files\Trend Micro\HijackThis. 4. Accept the license agreement by clicking the "I Accept" button. 5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log. 6. Click "Save log" to save the log file and then the log will open in Notepad. 7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. 8. Paste the log in your next reply. 9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Thanks again jabuck All appears to now be OK after your help This is the log from MBAM. as follows Malwarebytes' Anti-Malware 1.30 Database version: 1335 Windows 6.0.6001 Service Pack 1 29/10/2008 10:19:15 mbam-log-2008-10-29 (10-19-15).txt Scan type: Quick Scan Objects scanned: 40619 Time elapsed: 4 minute(s), 8 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 6 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 9 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\kiokio.bho (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\sodna (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{051a5447-760e-45d3-9e9a-93bf38352458} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{a127e4b3-0472-401e-a43e-4d8eafa4d931} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{10026069-7a5f-4531-811e-c8df20643bee} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ded2b61b-1a26-4566-bf2f-de539d4468dd} (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Windows\System32\c.ico (Malware.Trace) -> Quarantined and deleted successfully. C:\Windows\System32\m.ico (Malware.Trace) -> Quarantined and deleted successfully. C:\Windows\System32\p.ico (Malware.Trace) -> Quarantined and deleted successfully. C:\Windows\System32\s.ico (Malware.Trace) -> Quarantined and deleted successfully. C:\Windows\k.txt (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Users\The Phil\Start Menu\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully. C:\Users\The Phil\Start Menu\VIP Casino.url (Rogue.Link) -> Quarantined and deleted successfully. C:\Users\The Phil\Start Menu\Cheap Pharmacy Online.url (Rogue.Link) -> Quarantined and deleted successfully. C:\Users\The Phil\AppData\Roaming\Microsoft\Windows\Start Menu\SMS TRAP.url (Rogue.Link) -> Quarantined and deleted successfully. END I've posted the hijackthis log file as a downloadable zip file, as I am not to sure if you are allowed to post this particular log on Computing Net hijackthis.zip Thanks again Phil PhilC

Yes you can post your Hijack This log, but only when asked by a helper. You will still get a warning but you can post it without the moderator deleting it. Please download ComboFix to the desktop from one of the following links: Link1 Link 2 Link 3 Combofix is a powerful tool so follow the instructions exactly or you could damage your computer. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results". Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. In your case to run Combofix do the following: 1. Go offline turn off your Nortons antivirus, and any antispyware that you may have. 2. Run Combofix and save its log. 3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned. 4. Post the Combofix log. Remember to re-enable the protection again afterwards before connecting to the Internet. Double-click combofix.exe Follow the prompts. (Don't click on the window while the program is running or move the mouse, it will cause your system to hang.) Please post the log it produces.

As requested ComboFix 08-10-29.07 - The Phil 2008-10-29 21:37:20.1 - NTFSx86 Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.400 [GMT 0:00] Running from: C:\Users\The Phil\Downloads\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Windows\system32\x64 . ((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 ))))))))))))))))))))))))))))))) . No new files created in this timespan . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-29 10:09 --------- d-----w C:\Users\The Phil\AppData\Roaming\Malwarebytes 2008-10-29 10:09 --------- d-----w C:\ProgramData\Malwarebytes 2008-10-29 10:09 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware 2008-10-28 14:33 --------- d---a-w C:\ProgramData\TEMP 2008-10-28 01:14 --------- d-----w C:\ProgramData\Symantec 2008-10-28 01:14 --------- d-----w C:\Program Files\Symantec 2008-10-28 01:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-10-28 00:51 --------- d-----w C:\Program Files\Perfect Uninstaller 2008-10-28 00:17 30,080 ----a-w C:\Windows\system32\drivers\RKHit.sys 2008-10-27 16:46 --------- d-----w C:\Program Files\ElcomSoft 2008-10-22 16:10 38,496 ----a-w C:\Windows\system32\drivers\mbamswissarmy.sys 2008-10-22 16:10 15,504 ----a-w C:\Windows\system32\drivers\mbam.sys 2008-10-16 10:13 --------- d-----w C:\Program Files\Windows Mail 2008-10-14 00:14 --------- d-----w C:\ProgramData\Yahoo! 2008-10-12 01:14 --------- d-----w C:\Users\The Phil\AppData\Roaming\WinFF 2008-10-03 14:14 39,984 ----a-w C:\Windows\system32\drivers\symids.sys 2008-10-03 14:14 37,936 ----a-w C:\Windows\system32\drivers\symndisv.sys 2008-10-03 14:14 27,696 ----a-w C:\Windows\system32\drivers\symredrv.sys 2008-10-03 14:14 187,952 ----a-w C:\Windows\system32\drivers\symtdi.sys 2008-10-03 14:14 146,096 ----a-w C:\Windows\system32\drivers\symfw.sys 2008-10-03 14:14 12,848 ----a-w C:\Windows\system32\drivers\symdns.sys 2008-10-03 14:14 10,804 ----a-w C:\Windows\system32\drivers\SymRedir.cat 2008-10-03 14:14 1,358 ----a-w C:\Windows\system32\drivers\SymRedir.inf 2008-10-02 03:49 827,392 ----a-w C:\Windows\System32\wininet.dll 2008-09-22 22:37 --------- d-----w C:\Program Files\Java 2008-09-22 22:36 --------- d-----w C:\Program Files\Common Files\Java 2008-09-22 21:45 --------- d-----w C:\Users\The Phil\AppData\Roaming\Audacity 2008-09-18 05:09 3,601,464 ----a-w C:\Windows\System32\ntkrnlpa.exe 2008-09-18 05:09 3,549,240 ----a-w C:\Windows\System32\ntoskrnl.exe 2008-09-18 04:56 147,456 ----a-w C:\Windows\System32\Faultrep.dll 2008-09-18 04:56 125,952 ----a-w C:\Windows\System32\wersvc.dll 2008-09-18 02:16 2,032,640 ----a-w C:\Windows\System32\win32k.sys 2008-09-06 01:55 --------- d-----w C:\Program Files\AC3Filter 2008-09-06 01:42 --------- d-----w C:\Program Files\WinFF 2008-08-24 14:10 61,208 ----a-w C:\Windows\System32\x264vfw-uninstall.exe 2008-08-12 03:39 443,392 ----a-w C:\Windows\System32\win32spl.dll 2008-08-02 03:26 36,864 ----a-w C:\Windows\System32\cdd.dll 2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll 2008-07-31 03:32 28,160 ----a-w C:\Windows\System32\Apphlpdm.dll 2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll 2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll 2008-07-31 01:13 4,240,384 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll 2008-03-09 15:36 174 --sha-w C:\Program Files\desktop.ini . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104] "IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 141848] "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 166424] "Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 133656] "YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 509224] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM "vidc.x264"= x264vfw.dll "msacm.ac3filter"= ac3filter.acm [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UacDisableNotify"=dword:00000001 "InternetSettingsDisableNotify"=dword:00000001 "AutoUpdateDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules] "TCP Query User{BD6A964F-0EC7-48CA-A596-23B93C996D50}C:\\users\\the phil\\appdata\\local\\temp\\wzse0.tmp\\symnrt.exe"= UDP:C:\users\the phil\appdata\local\temp\wzse0.tmp\symnrt.exe:symnrt.exe "UDP Query User{30D8DA0F-7CD7-4CA8-9891-9BCD643C8828}C:\\users\\the phil\\appdata\\local\\temp\\wzse0.tmp\\symnrt.exe"= TCP:C:\users\the phil\appdata\local\temp\wzse0.tmp\symnrt.exe:symnrt.exe "{D5917720-7A95-44F6-B3FC-92A75A642426}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In) "{EE907C90-66DC-4F6B-ABDF-E5474D412257}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile] "EnableFirewall"= 0 (0x0) R1 ElRawDisk;ElRawDisk;C:\Windows\system32\drivers\elrawdsk.sys [2007-03-22 20560] R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20081028.001\IDSvix86.sys [2008-09-12 270384] R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-04 188416] R3 qkbfiltr;Quanta Keyboard Filter Driver;C:\Windows\system32\DRIVERS\qkbfiltr.sys [2006-08-17 33664] R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-10-03 37936] R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 298496] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcs REG_MULTI_SZ BthServ *Newly Created Service* - CATCHME *Newly Created Service* - COMHOST *Newly Created Service* - PROCEXP90 . Contents of the 'Scheduled Tasks' folder 2008-09-29 C:\Windows\Tasks\Norton Security Online - Run Full System Scan - The Phil.job - C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exe [2007-01-14 09:09] 2008-10-29 C:\Windows\Tasks\User_Feed_Synchronization-{34DB31F3-D15E-4785-9371-4766FF7DB3ED}.job - C:\Windows\system32\msfeedssync.exe [2008-01-18 23:33] . . ------- Supplementary Scan ------- . R0 -: HKCU-Main,Start Page = hxxp://www.google.co.uk/ . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-29 21:40:03 Windows 6.0.6001 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-10-29 21:40:54 ComboFix-quarantined-files.txt 2008-10-29 21:40:47 Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application. Post-Run: 30,443,384,832 bytes free 143 --- E O F --- 2008-10-29 20:59:21 PhilC