Old 05-23-2005, 01:37 PM   #3 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Hello again.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

++++++++++++++++
---- WARNING -----
++++++++++++++++

You are not running HijackThis from an ideal location. This program creates backup files which we may need to use later & should be run from a permanent folder. If the program is in a temporary folder, important backups may be accidentally deleted if your system is set to empty temp files automatically.
  1. Please go into Windows Explorer
  2. Click on C:\
  3. Then click on File > New > Folder
  4. Call it HJT, or another name of your choice.
  5. From the previous folder, move HijackThis.exe, hijackthis.log & Backups folder to the newly created folder.

Spywarekilla - These programs are rogueware and we highly recommend that you uninstall them. Rogue or Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

++++++++++++++++++++++++++++++++++
--- Preparing the computer for the fix ---
++++++++++++++++++++++++++++++++++

Go to My Computer > Tools > Folder Options > View tab and make sure that the following are enabled:
  • Show hidden files and folders.
  • Display the contents of system folders
  • Uncheck the Hide protected operating system files option.

++++++++++++++++++++++++
--- Items to download ---
++++++++++++++++++++++++

Download and install CleanUp!. We shall use it to clean out the Temp folders as installation programs and hijack programs leave a lot of junk there. Don't run it yet. We'll run it later.

Download KillBox v2.0.0.175 . We shall need it later.

Download ewido security suite & update its database. Run a scan and let it clean the PC.

++++++++++++++++++++++++++++++++++++
--- Reboot your system into Safe Mode ---
++++++++++++++++++++++++++++++++++++
  1. Shut Windows down, and then turn off the computer.
  2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

++++++++++++++++
---- FIX -----
++++++++++++++++

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (if they still exist; you must kill them one at a time).
C:\WINDOWS\ALCMTR.EXE
c:\windows\system32\omcdkot.exe
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
SpywareKilla
Ebates Moe Money Maker
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any). Please remember to close all other windows, including browsers, then click Fix checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [yqQy7MD] C:\WINDOWS\gotrh.exe
O4 - HKLM\..\Run: [lpcyzms] c:\windows\system32\yhkclfa.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe" /s
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Run KillBox. Select "Delete on Reboot". Select all the items in the 'quote' box below by highlighting them. Copy them to clipboard by pressing [Ctrl] + [C] on your keyboard. Go to the File menu, and choose "Paste from Clipboard".

Quote:
C:\WINDOWS\ALCMTR.EXE
c:\windows\system32\omcdkot.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\gotrh.exe
c:\windows\system32\yhkclfa.exe
"C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe"
C:\WINDOWS\web\related.htm
C:\WINDOWS\svcproc.exe
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Delete the following folders. Some may no longer exist.
C:\Program Files\Ebates_MoeMoneyMaker\
C:\PROGRA~1\SPYWAR~1\
Run CleanUp! now. Click Yes when it asks you if you want to logoff.

Reboot Windows back into Normal Mode.

If you have a fast internet connection (Broadband), run an online scan at Trend Micro or RAV Antivirus. Select the “autoclean” option when using Trend Micro.

Please post a fresh Hijack This log so that we can check if your system is clean.

Please report in detail if you were unable to run/find/delete any files.
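A read-only check a defender can run after the final reboot to confirm that the files, Run values, Winlogon Shell, and service named in the post above are actually gone. This is an added example, not part of sUBs's instructions; it assumes Windows PowerShell is available and that the F2 system.ini Shell line corresponds to the Winlogon Shell registry value, as it does on NT-based Windows.

```powershell
# Post-fix verification for the items listed in the post. Reads and reports only; changes nothing.
$files = @(
    'C:\WINDOWS\ALCMTR.EXE',
    'C:\WINDOWS\system32\omcdkot.exe',
    'C:\WINDOWS\Nail.exe',
    'C:\WINDOWS\satmat.exe',
    'C:\WINDOWS\gotrh.exe',
    'C:\WINDOWS\system32\yhkclfa.exe',
    'C:\WINDOWS\svcproc.exe',
    'C:\Program Files\Ebates_MoeMoneyMaker',
    'C:\PROGRA~1\SPYWAR~1'
)
# Registry value names from the O4 lines, grouped by the Run key they live under.
$runValues = @{
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' = @('Alcmtr', 'satmat', 'yqQy7MD', 'lpcyzms', 'EbatesMoeMoneyMaker0')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = @('SpywareKilla')
}
$leftovers = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $leftovers += "file/folder still present: $f" }
}
foreach ($key in $runValues.Keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $runValues[$key]) {
        if ($null -ne $props.$name) { $leftovers += "Run value still present: $key\$name = $($props.$name)" }
    }
}
# F2 line: the Shell= entry should be plain Explorer.exe, with nothing appended (assumption: Winlogon key holds it on NT-based Windows).
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'Explorer.exe') { $leftovers += "Winlogon Shell is not plain Explorer.exe: $shell" }
# O23 line: the SvcProc service should no longer be registered.
if (Get-Service -Name 'SvcProc' -ErrorAction SilentlyContinue) { $leftovers += 'service SvcProc still registered' }

if ($leftovers.Count -eq 0) {
    'All listed items are gone; post a fresh HijackThis log to confirm.'
} else {
    $leftovers | ForEach-Object { "LEFTOVER: $_" }
}
```

Any LEFTOVER line is worth quoting back in the thread alongside the fresh HijackThis log, since it tells the helper exactly which step did not take effect.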