How do I remove this virus that redirects me?

April 2, 2011 at 16:45:21
Specs: Windows Vista
So whenever I click a link on a Google search page I get redirected... for example to monstermarketplace. I also get random pop-ups now and then. Please help!

April 3, 2011 at 17:02:37

April 7, 2011 at 16:14:04
Hey John... I also have the same problem, except it directs me to a Walmart ad or something like that. My computer was infected with Malware Doctor a few weeks ago. I removed that virus using the instructions on Bleeping Computer. I never had a problem before; this only happens after my computer got infected with Malware Doctor. Anyway, I tried to follow some of your instructions. So far, I have disabled my System Restore and it is still disabled until now. I ran the Malwarebytes Anti-Malware program, which found 7 files infected, and I deleted them already. I also did ATF-Cleaner as well. Here is the log from Malwarebytes. I'm not confident on doing the ComboFix yet, so I didn't. My antivirus program is Shaw Secure, which is offered by the Shaw cable system where I have my internet. Hope you can help me... thanks a lot.

Malwarebytes' Anti-Malware

Database version: 6304

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

07/04/2011 3:21:41 PM
mbam-log-2011-04-07 (15-21-41).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 244486
Time elapsed: 1 hour(s), 21 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\CB0GKKO4NC (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CB0GKKO4NC (Trojan.FakeAlert) -> Value: CB0GKKO4NC -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\networkservice\local settings\application data\pyv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\0.43783160221816153.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\0.3463507433835883.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\0.9601795793592515.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.

April 7, 2011 at 17:13:12
"I'm not confident on doing the ComboFix yet, so I didn't. My antivirus program is Shaw Secure, which is offered by the Shaw cable system where I have my internet. Hope you can help me..."

Marinel, with thousands of variations of infections coming out each week, you just have to try all the tools listed in my links until you are clean. Here is another to try.

When you are clean, if you ever have anything unusual happen again, Hit the OFF button, don't click on anything.

Spyware Doctor Starter Edition

April 7, 2011 at 21:11:07
Do this for me:
Go to the following directory:
You will see a file called "hosts". It does not have an extension.
Open the hosts file in Notepad. Notepad will allow you to open this file even though it doesn't have an extension.
Paste what is in the hosts file in this thread.

April 8, 2011 at 22:49:16
There are two files that contain "hosts". I will paste both of them...

# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
# #PRE
# #DOM:<domain>
# #INCLUDE <filename>
# \0xnn (non-printing character support)
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
# Following an entry with the "#DOM:<domain>" tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
# The following example illustrates all of these extensions:
# rhino #PRE #DOM:networking #net group's DC
# "appname \0x14" #special app server
# popular #PRE #source server
# localsrv #PRE #needed for the include
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.

April 8, 2011 at 22:50:05
Here is the second file.

# Copyright (c) 1993-2001 Microsoft Corp.
# This file has been automatically generated for use by Microsoft Internet
# Connection Sharing. It contains the mappings of IP addresses to host names
# for the home network. Please do not make changes to the HOSTS.ICS file.
# Any changes may result in a loss of connectivity between machines on the
# local network.
# # 2016 4 0 3 22 10 33 984

April 8, 2011 at 22:53:23
"LMHOSTS" is the wrong file, Marinel.

Hosts is what is wanted.

April 8, 2011 at 22:58:30
Maybe you haven't done Folder Options.
To access: Control Panel > Folder Options or My Computer or Windows Explorer > Tools > Folder Options,
tick/check > Show hidden files and folders.

April 9, 2011 at 21:03:45
I checked the Folder Options to show all hidden files. It's still the same. The two files that contain the "hosts" name are LMHOSTS and hosts.ics.
Can you please tell me which one? My computer is getting really slow. I know that I have an old computer, but I never had a problem with this before. Now even launching a browser such as Mozilla Firefox is slow. Please help!!!!!!!!!

April 9, 2011 at 21:28:30
The Hosts file info was covered in the links I gave you.
Folder options

Hosts File
Myth - "Special AntiSpyware Hosts Files are necessary to prevent Spyware infections."
Reality - "Using Special AntiSpyware Hosts Files is a waste of time and leads to a false sense of security. Any Malware/Spyware can easily modify the Hosts File at will, even if it is set to Read-only. It is impossible to "lock-down" a Hosts File unless you are running as a limited user, which makes using it in this case irrelevant anyway."

I rename the Hosts file & use SpywareBlaster.
Do a search for the hosts file (in Windows\system32\drivers\etc) & rename it to > hosts.txt or hostsold.
If you want to use it again, change it back to what it was.


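The two hosts-file posts above (the request to paste the hosts file, and the note that malware can rewrite it) amount to a manual audit: look for names mapped away from where they belong. The script below is an added example, not code from the thread or from any tool mentioned in it; it parses a Windows hosts file the way Windows reads it (comments stripped, one address followed by one or more names per line) and classifies every non-default mapping. The watch-list of domains, the sample hosts text and the address 203.0.113.7 are constructed for illustration and are assumptions, not data from the thread.

```python
"""Audit a Windows hosts file for entries that could redirect or block web traffic.

Added example (not from the thread). The heuristics, the domain watch-list and
the SAMPLE_HOSTS text below are constructed for illustration.
"""
import os
from typing import Dict, List, Tuple

# Default location on Windows (the thread points at Windows\system32\drivers\etc).
DEFAULT_HOSTS_PATH = os.path.expandvars(r"%SystemRoot%\System32\drivers\etc\hosts")

# Mapping a name to one of these addresses blocks it (or points it at the machine itself).
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names a stock Windows hosts file may legitimately map to loopback.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed watch-list (assumption): domains whose override would explain
# "search results redirect me" symptoms or would block reaching removal tools.
WATCHED_DOMAINS = {
    "google.com", "bing.com", "yahoo.com",
    "microsoft.com", "malwarebytes.org", "bleepingcomputer.com",
}

Entry = Tuple[int, str, List[str]]


def parse_hosts(text: str) -> List[Entry]:
    """Return (line_number, address, [hostnames]) for every mapping line.

    Comment lines and trailing '# ...' comments are ignored, matching how
    Windows reads the file. Names are lower-cased and a trailing dot removed.
    """
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no name maps nothing
        entries.append((lineno, parts[0], [p.lower().rstrip(".") for p in parts[1:]]))
    return entries


def registered_domain(name: str) -> str:
    """Crude 'last two labels' reduction (www.google.com -> google.com).

    Assumption: no public-suffix list is used, so example.co.uk reduces to co.uk.
    """
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Classify each non-default mapping in the hosts text.

    kind 'block'    : name points at loopback (typical of ad-block lists; low severity)
    kind 'redirect' : name points at some other address; 'high' severity when the
                      name's registered domain is on the watch-list, else 'medium'.
    """
    findings: List[Dict[str, object]] = []
    for lineno, address, names in parse_hosts(text):
        for name in names:
            if address in LOCAL_ADDRESSES:
                if name in DEFAULT_NAMES:
                    continue  # stock entry, nothing to report
                kind, severity = "block", "low"
            else:
                kind = "redirect"
                severity = "high" if registered_domain(name) in WATCHED_DOMAINS else "medium"
            findings.append({"line": lineno, "address": address, "name": name,
                             "kind": kind, "severity": severity})
    return findings


def audit_file(path: str = DEFAULT_HOSTS_PATH) -> List[Dict[str, object]]:
    """Read a hosts file from disk (reading needs no admin rights) and audit it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample: a stock header plus three non-default mappings.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- constructed entries below ---
127.0.0.1       ads.example.net                   # ad-block style entry
203.0.113.7     www.google.com  google.com        # search domain sent elsewhere
203.0.113.7     www.malwarebytes.org              # removal-tool site sent elsewhere
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}  {f['severity']:<6} {f['kind']:<8} {f['name']} -> {f['address']}")
```

Run it as-is to see the sample classified, or call `audit_file()` to check the live file. A clean result does not prove the machine is clean: as the poster above says, malware can rewrite this file at will, and the same redirect symptom can come from changed DNS or proxy settings or a browser add-on, so treat this as one check among the others in the thread, not a verdict.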

April 9, 2011 at 22:17:34
To find out what hosts.ics is, you Google it.

That reveals it is Internet Connection Sharing.

You then ask yourself: did I set this up, did I set it up properly, or is it a virus that has done it?

"Please help!!!!!!!!!"
Once again, you have all the tools needed in the links I gave you.

Setting up Internet Connection Sharing
