My AntiSpyware

Free antispyware software, Online Scanners, Instructions on how to remove spyware and malware.

How to remove BackDoor.SdBot.MYX (oo.exe, newdotnet)

Myantispyware team January 31, 2006 No Comment

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: NewDotNet

Then using Windows Explorer, delete the following folder:
C:\Program Files\NewDotNet
C:\Program Files\MsMovies

Please Download LSPFix from here and Run the Program.
Disconnect from the Internet and close all Internet Explorer Windows.
Check the “I know what I’m doing” Button and move all instances of newdotnet7_14.dll from the left panel to the right panel then click ‘Finish’

Download HijackThis and save the file to your desktop.
Double click on the file to extract it to it’s own folder on the desktop.

Download Alcan.zip and unzip it to your desktop.
# Reboot into Safe Mode
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
# Enter the AlcanFix folder and double-click AlcanFix.bat to run the tool.

Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):

O2 – BHO: – {2BAF9250-30AF-4235-80FA-22FB05997124} – C:\WINDOWS\lbbho.dll
O2 – BHO: RXResultTracker Class – {59879FA4-4790-461c-A1CC-4EC4DE4CA483} – C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O2 – BHO: URLLink – {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} – C:\Program Files\NewDotNet\newdotnet7_14.dll
O4 – HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 – HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 – HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 – HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 – HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O18 – Filter: text/html – {2AB289AE-4B90-4281-B2AE-1F4BB034B647} – C:\PROGRA~1\RXTOOL~1\sfcont.dll

Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Finally, restart your computer, run your anti virus.

Also download and run ATF Cleaner.
Under Main choose: Select All. Click the Empty Selected button.

Tutorials - HowTo

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.