Hi,
You have a lot of dangerous malware disabled by msconfig, including some backdoor trojans. Your system may have been compromised. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too.
============================================
Please print these instructions before beginning. Read them carefully and follow them in the order they are presented.
============================================
Please can you download LSP-Fix.
Do not run this tool! You must only run this tool if you cannot connect to the Internet later after removing NewDotNet. This should then repair your internet connection again.
============================================
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)
Do not use it yet, we'll do that later in Safe Mode.
=========================================
Please go to Start>Control Panel>Add/Remove Programs and remove the following, if present:
Trojan Remover
Admanager Controller
UnSpyPC
AdStatus Service
NewDotNet
VVSN
========================================
Make sure that you can see hidden files
· Click Start
· Open My Computer
· Select the Tools menu and click Folder Options
· Select the View Tab
· Under the Hidden files and folders heading select Show hidden files and folders
· Uncheck the Hide protected operating system files (recommended) option
· Click Yes to confirm
· Click OK
** These files are hidden to stop you accidentally removing something important. It is advisable to hide them again after fixing your computer. **
==========================================
Copy/paste the following text inside the quote box into a new notepad document. It must be Notepad, not wordpad. Make sure the "wordwrap" is unchecked in Format.
Quote:
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Admanager Controller]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdStatus Service]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\almgr.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dmtwl.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\hyandex]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Dvx]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\install2]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MON76234]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msag]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\pop06ap]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\typeconf]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UnSpyPC]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VBundleOuterDL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VVSN]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows FormatAd]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\System]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
Save it to your desktop as fixme.reg. Save it as File Type All Files. Double click fixme.reg and answer yes when asked to merge it into the registry.
Make sure that there is no space before REGEDIT4, and there is a single space after the last line.
===================================
Using Windows Explorer (right click on start, click on Explore), navigate to and delete these folders, if found:
C:\Program Files\Trojan Remover
C:\Program Files\Admanager Controller
C:\Program Files\UnSpyPC
C:\Program Files\AdStatus Service
C:\Program Files\NewDotNet
C:\Program Files\VVSN
====================================
For the missing AUTOEXEC.NT please do the following:
If you have XP Home, download and use this:
http://homepage.ntlworld.com/spencer...PHomeFiles.exe
If you have XP Professional, download and use this:
http://homepage.ntlworld.com/spencer...XPProfiles.exe
It's a self-extracting file and will replace the necessary files!
========================================
Disable Spyware Doctor so that it will not interfere with the fixes.
To disable Spyware Doctor:
- Click the Spyware Doctor icon in the System Tray.
- Click Settings.
- Click Startup Settings under Pick a Category.
- Uncheck Run at Windows startup.
- Click Apply and Exit Spyware Doctor
Once your log is clean you can re-enable Spyware Doctor.
================================================
Open HijackThis. Please close all browsers, windows, applications, email, etc., except HijackThis. Then scan with HijackThis and put a checkmark against the following entries:
R3 - URLSearchHook: (no name) - {5CBB43F0-686E-0431-3268-1D5C17AAC40B} - (no file)
O1 - Hosts: localhost 127.0.0.1
O15 - Trusted Zone: *.p0rt2.com
O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt2.com/files/777.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl48bf2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11
Make sure that all browsers, etc. are closed and click on "fix checked". Exit HijackThis.
============================================
Quote:
Also, when I click on Control Panel>Network Connections there is no "properties" option??
The step before that is to "right click on your connection". Usually Local Area Connection for Cable and DSL. Properties will not be available for Network Connections but will be for your connection.
============================================
- Run Fixwareout.
- Click Next,
- then Install,
- make sure Run fixit is checked
- and click Finish.
- The fix will begin; follow the prompts.
- You will be asked to reboot your computer; please do so.
- Your system may take longer than usual to load; this is normal.
When you run Fixwareout, simply follow the prompts; you will need to restart when prompted.
CAUTION!: It is possible that your Internet Service Provider requires specific settings here. Make sure you know if you need specific DNS settings here or not before you proceed to make the following changes or you may lose your internet connection. If you are sure you do not need a specific DNS address here, you may proceed.
Once back in Windows, close all web browsers.
- Go into Control Panel>Network Connections.
- Right click on your connection
- and click Properties.
- On the Properties page, highlight Internet Protocol(TCP/IP)
- Click Properties. This will bring up another page.
- Select Obtain DNS Server Automatically.
- Click the ok button. The page will close.
- Press ok on the page in front of you.
- Go to Start > Run and type in cmd
- Click OK.
- This will open a command prompt.
- Type or copy and paste the following line in the command window:
- ipconfig /flushdns
- Hit Enter
- Exit the command window
- Restart the computer.
- Start the Internet and IE.
- Open this file c:\fixwareout\report.txt and post the contents of it, along with the msconfiglook.bat, and a new HijackThis log please.
======================================
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. Click here if you don't know how to do that. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log in your next reply.
IMPORTANT: Do NOT run any other options until you are asked to do so!
NOTE: Process.exe is detected by some antivirus programs (AntiVir, Dr.WEB, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
=====================================
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
======================================
Run SDFix that you downloaded earlier.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
=======================================
Finally, update your Java.
Download the latest version of Java Runtime Environment (JRE) 5.0 Update 10.
- Scroll down to where it says "Java Runtime Environment (JRE) 5.0 Update 10 The J2SE Runtime Environment (JRE) allows end-users to run Java applications.".
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement".
- The page will refresh.
- Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the icon next to it.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-1_5_0_010-windowsi586-p.exe to install the newest version.
=======================================
Post back:
rapport.txt
Report.txt
and a fresh HijackThis log. Let me know how things are now.
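
The following is an added example, not part of the original post and not a feature of HijackThis: a Python triage helper that parses HijackThis log lines like those quoted above, reports statically configured DNS servers (O17 NameServer) that are not on an expected list, and lists Trusted Zone (O15) domains for review. The function names and the EXPECTED_RESOLVERS value are assumptions made for illustration.

```python
import ipaddress
import re

# Lines quoted from the HijackThis section of the post above.
SAMPLE_LOG = r"""R3 - URLSearchHook: (no name) - {5CBB43F0-686E-0431-3268-1D5C17AAC40B} - (no file)
O1 - Hosts: localhost 127.0.0.1
O15 - Trusted Zone: *.p0rt2.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11
"""

# Assumption: the resolver this machine is expected to use (constructed value).
EXPECTED_RESOLVERS = {"192.168.1.1"}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")

def parse_log(text):
    """Split a HijackThis log into (section, detail) pairs; other lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def unexpected_nameservers(entries, expected):
    """Return static DNS servers from O17 entries that are not in `expected`."""
    found = []
    for section, detail in entries:
        m = NAMESERVER_RE.search(detail) if section == "O17" else None
        if not m:
            continue
        for token in re.split(r"[ ,]+", m.group(1).strip()):
            try:
                ip = str(ipaddress.ip_address(token))
            except ValueError:
                continue  # not an IP address, ignore it
            if ip not in expected and ip not in found:
                found.append(ip)
    return found

def trusted_zone_domains(entries):
    """Return domains listed in O15 (IE Trusted Zone) entries for manual review."""
    prefix = "Trusted Zone:"
    return [d[len(prefix):].strip() for s, d in entries
            if s == "O15" and d.startswith(prefix)]

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("Unexpected DNS servers:", unexpected_nameservers(log, EXPECTED_RESOLVERS))
    print("Trusted Zone entries:", trusted_zone_domains(log))
```

Replace EXPECTED_RESOLVERS with the DNS servers your ISP or router actually assigns before relying on the result.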