Removal Instructions

Details

If your Yahoo! Instant Messenger automatically sends out IMs to your buddies with links, you're likely infected with this.

What is it?

The following I have now found in the package:

TrojanDownloader.Win32.Small.fz & TrojanDownloader.Win32.Small.gx
These are trojans which download programs from the internet. They are FSG packed and perform the initial infection of your PC; they are known to spread by posting their URLs in chat services.

TrojanClicker.Win32.Small.p
This generates clicks on porn websites with affiliate IDs in order to generate some revenue for the author.

Trojan.Win32.Saonet
The actual trojan that adds the Internet Explorer item.

How to Remove

There is a strict order here; you MUST follow the steps in the order given.
A program in memory can reinstall itself and undo any changes you make, so you must always remove it from memory first.

First: Delete From Memory

1) Press Ctrl+Alt+Del and ensure you are on the Processes tab.
2) Look for any of the following. For each one you find, click it and select End Task or End Process.
msroot.exe, mshosts.exe, msrootocx.exe, 8879.exe
ms*sys.exe (where * is anything, but it's NOT msgsys, and the name is 7 letters long before the .exe)
3) Ensure all the processes you ended have left the list.

Second: Delete the Files

1) Go to Start, Find>>All Files and Folders. OR on XP: Start, Search, All Files and Folders.
Make sure you're looking in c:\
2) Search for each of the following. They will probably be in c:\winnt\system32 or c:\windows\system
msroot.exe, mshosts.exe, msrootocx.exe, 8879.exe
ms*sys.exe (where * is anything, but it's NOT msgsys, and the name is 7 letters long before the .exe)
3) For each one you find, ensure it matches the description, and delete it. LEAVE it in the Recycle Bin just in case.

Third: Delete the Startup Entries

1) Go to Start, Run and type regedit, then press OK. Expand down the left:
 HKEY_LOCAL_MACHINE
  Software
   Microsoft
    Windows
     CurrentVersion
      click Run
2) Look for, and delete, the following:
IMClass, RPC (command contains mshosts.exe), msroot.exe, mshosts.exe, msrootocx.exe, 8879.exe
ms*sys.exe (where * is anything, but it's NOT msgsys, and the name is 7 letters long before the .exe)
3) Exit the Registry Editor.

Fourth: Remove the Extra Bit

1) It may also add a link to an Islamic website in your Internet Explorer Tools menu.
To delete it:
a) Go to Start, Run, type regedit and press OK.
b) Go to Edit>>Find and search for "saoura".
c) IF it finds it, you will see something like {F75E0D20-3328-4795-B229-59AB09F85A7A} on the left.
d) Click on that code, and delete it.

Fifth: Remove the Downloaded Program Files Applet

1) Go to Start, Run. Type "c:\windows\downloaded program files" and press OK.
2) You might see something like this picture. If you see it, delete it.
3) Restart your PC. You should be clean.

If after you restart, the problem continues...

1) Come back to this page; you might want to bookmark it!
2) You need to send me a file.
  a) Go to Start, Run, type regedit and press OK.
  b) Navigate down the left, clicking the + to expand the folder:
 HKEY_LOCAL_MACHINE
  Software
   Microsoft
    Windows
     CurrentVersion
      click Run
  c) You should see a list on the right. Go to the Registry menu and click Export Registry File.
  d) Save it as sample.reg on your desktop.
3) Open Notepad, and open the sample.reg file from your desktop.
4) Post your problem and the contents of the file on the forum.
Unfortunately, I can no longer accept attachments.
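
As an added example (not part of the original page or the author's own tools), this Python script checks the text of an exported sample.reg against the file names and Run entries listed in the steps above. The sample export is constructed, including loader32.exe and msabsys.exe, and treating IMClass as a value name is an assumption.

```python
import re
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# File names from the removal steps; the page warns that names can vary.
LISTED_FILES = {"msroot.exe", "mshosts.exe", "msrootocx.exe", "8879.exe"}
LISTED_VALUE_NAMES = {"imclass"}  # assumption: IMClass is a Run value name
# A .reg value line: "name"="data", with \ and " escaped by a backslash.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE_NAME = re.compile(r'([^\\/"\s]+\.exe)', re.I)  # basename of each .exe

def matches_page_list(exe):
    """True for a listed file name or the page's ms*sys.exe rule
    (7 letters before the .exe, and never msgsys)."""
    exe = exe.lower()
    stem = exe[:-4]
    wildcard = (len(stem) == 7 and stem.startswith("ms")
                and stem.endswith("sys") and stem != "msgsys")
    return exe in LISTED_FILES or wildcard

def triage_run_export(text):
    """Return (value name, command, reason) for each flagged Run entry."""
    hits, in_run = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = VALUE_LINE.match(line)
        if not (in_run and m):
            continue
        name, cmd = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        exes = [e.lower() for e in EXE_NAME.findall(cmd) if matches_page_list(e)]
        if exes:
            hits.append((name, cmd, "file name " + exes[0]))
        elif name.lower() in LISTED_VALUE_NAMES:
            hits.append((name, cmd, "value name"))
    return hits

# Constructed sample export, as it would look when opened in Notepad.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"RPC"="C:\\WINDOWS\\SYSTEM\\mshosts.exe"
"IMClass"="C:\\WINDOWS\\SYSTEM\\loader32.exe"
"msabsys"="C:\\WINDOWS\\SYSTEM\\msabsys.exe /s"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
'''

if __name__ == "__main__":
    for name, cmd, reason in triage_run_export(SAMPLE):
        print(f"{name}: {cmd}  <- {reason}")
```

Entries it does not flag are not cleared by it, since the file names can vary.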

Note

These instructions are compiled by myself. I infected a test Windows installation and found out the above for myself.
The file names and sizes can vary, as well as locations. I cannot guarantee the infection will totally be killed.
Always make sure your antivirus scanner is up to date, and run it.