Fakemsn8beta Spyware help required

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by infected2k, Mar 5, 2006.

  1. infected2k

    infected2k Private E-2

    Hi, I noticed recently that when I run Spybot that I'd get Fakemsn8beta and windows.redirected.hosts (I think this one is now gone).
    However, Fakemsn8beta keeps coming back.

    I have followed the instructions in the READ & RUN ME FIRST post.
    I noticed the following viruses in the Bitdefender and Panda ActiveScan (unable to run in Safe Mode) logs,
    but they could not be removed:
    Virus:Trj/Qhost.gen
    Exploit.ADODB.Stream2.Gen

    I'd appreciate it if someone could review the logs and let me know how I can
    clean up this mess.

    I am running Windows XP.

    Please find attached the scan logs:
     

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean.

    Delete the following:
    Please post the Spybot Log.
     
  3. infected2k

    infected2k Private E-2

    Thanks for the quick reply!

    I deleted the files on your list.
    However, these files did not exist:

    C:\WINDOWS\system32\drivers\etc\hosts.20060228-213032.backup <<----- Delete the File
    C:\WINDOWS\system32\drivers\etc\hosts.20060302-213208.backup <<----- Delete the File

    The closest to these file names are:

    ...\hosts.20060228-213028.backup
    ...\hosts.20060302-213207.backup

    Would it be safe to delete these?

    I also restarted my computer, and got a few messages like "xdcofnoau folder/registry doesn't exist".

    I also re-ran Spybot and still got the Fakemsn8beta spyware.

    Thanks...
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You can delete those backups.

    Please follow the steps in the link below and attach the log:

    Using GetRunKey
     
  5. infected2k

    infected2k Private E-2

    Ok here's the log from GetRunKey.

    Thanks for your help so far...
     

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download: Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:

    Press 'OK'

    The search will run for a while then alert you when it is finished.

    Press 'OK' and copy the contents of the WordPad window and post it in this thread.
     
  7. infected2k

    infected2k Private E-2

    Here's the result from Regsrch.
     

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Start -> Run
    type regedit
    OK

    Navigate to the following registry keys:

    [HKEY_USERS\S-1-5-21-1158252758-83558617-354133931-1008\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\WINDOWS\\system32\\xdcofnoau\\csrss.exe"="csrss" <<------ Locate and Delete this entry

    [HKEY_USERS\S-1-5-21-1158252758-83558617-354133931-1008\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "load"="C:\\WINDOWS\\system32\\xdcofnoau\\csrss.exe" <<------ Locate and Delete this entry

    [HKEY_USERS\S-1-5-21-1158252758-83558617-354133931-1008\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "run"="C:\\WINDOWS\\system32\\xdcofnoau\\csrss.exe" <<------ Locate and Delete this entry

    Reboot

    How is your computer running?

     
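    The two "load" and "run" values deleted above are per-user autostart locations that are normally empty on a healthy XP box (the MUICache entry is only a record that the file had been executed, not an autostart). The following PowerShell audit is an added example, not code from this thread or from MajorGeeks: it walks every user hive currently loaded under HKEY_USERS (so the user in question must be logged on), reports any non-empty load/run value, and flags values that launch a binary with a core system process name from somewhere other than %SystemRoot%\system32, which is exactly the system32\xdcofnoau\csrss.exe pattern seen here. The list of impersonated process names and the assumption that the value is a bare path without arguments are mine.

```powershell
# Added example (not from the thread): audit per-user "load"/"run" autostart values.
function Get-UserLoadRunPersistence {
    [CmdletBinding()]
    param(
        # Process names malware commonly borrows; extend as needed (assumption).
        [string[]]$SystemProcessNames = @('csrss.exe', 'svchost.exe', 'lsass.exe', 'winlogon.exe', 'smss.exe')
    )
    $system32 = Join-Path $env:SystemRoot 'system32'
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
        $sid = $hive.PSChildName
        if ($sid -like '*_Classes') { continue }          # skip the HKCR mirror hives
        $key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows NT\CurrentVersion\Windows"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in 'load', 'run') {
            $value = $props.$name
            if ([string]::IsNullOrWhiteSpace($value)) { continue }   # empty is the normal state
            # Assumption: the value is a plain executable path (as in the thread's entries);
            # take the first token and drop surrounding quotes.
            $exe  = ($value -split '\s+')[0].Trim('"')
            $leaf = Split-Path -Leaf $exe
            $dir  = Split-Path -Parent $exe
            # -contains and -ne are case-insensitive in PowerShell, so no normalisation needed.
            $impersonates    = $SystemProcessNames -contains $leaf
            $outsideSystem32 = ($dir -ne $system32)      # e.g. system32\xdcofnoau, as seen above
            [pscustomobject]@{
                Sid        = $sid
                ValueName  = $name
                Command    = $value
                Suspicious = ($impersonates -and $outsideSystem32)
            }
        }
    }
}

# Usage: show every non-empty load/run value, suspicious ones first.
Get-UserLoadRunPersistence | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Any row at all deserves a look, since legitimate software almost never uses these values; a row marked Suspicious should be treated as the persistence entry to remove after the file it points to has been dealt with.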
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please download MsnVirRem (either the zip or the self-extracting .exe) and save it to your desktop. Once in place, right click the zip file (or double click the exe) and extract the files to your desktop. It will create another folder called MsnVirRem. DO NOT RUN ANYTHING IN IT YET.

    Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

    In the new MsnVirRem folder, which you should have on your desktop, double click MsnVir.bat and let it run its course. A DOS window should pop up; let it run until it disappears. It will take time to scan your machine.

    After it disappears, reboot back into normal mode. Scan with Spybot. Do you still get Fakemsn8beta?
     
  10. infected2k

    infected2k Private E-2

    I removed those files from the registry.
    Rebooted my computer.
    Ran Spybot, and this time it was clean, with no Fakemsn8beta spyware!
    I'm hoping that did it!
    I'll keep monitoring it.

    Many thanks for all your help and your great site!
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Good deal, glad that got it.

    Safe Surfing.
     