Results 1 to 4 of 4

Thread: help with Click.Giftload hijacker

  1. 2011-05-07, 17:20 #1
    Arbix2
    Arbix2 is offline
    Junior Member
    Join Date
    May 2011
    Posts
    2

    Default help with Click.Giftload hijacker

    Hello. I would very much appreciate any help that can be offered for this problem. My computer recently contracted the Click.Giftload hijacker and its been making things a living hell. I've run Spybot numerous times to try and get rid of it - no avail. I also ran Malwarebytes anti-malware and avira antivirus; these two programs both found a rash of trojans and rootkits (avira esp.) and removed most of them, though there are some that can't be removed as they call for a restart, which causes my computer to get stuck in a boot loop until I turn the power off. Have tried system restore back to two days but no luck there either.

    I've also encountered the error "Generic Host Process for Win 32 services has encountered a problem and needs to close." This causes my computer's sound devices to stop working and system restore to become non-functional.

    I've tried to get into microsoft windows update to fix this but my browser can't access those services for some reason.

    Also, my browser will randomly try to reroute me or open random windows, or sometimes just act slow.

    After all this, Click.Giftload seems to be my only lead.

    I would be grateful for any help.

    Thanks!

    Here's my dds:

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Owner at 10:44:44.89 on Sat 05/07/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2029.1022 [GMT -4:00]
    .
    AV: Rogers Online Protection Anti-Virus *Disabled/Updated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
    AV: Norton Security Online *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Rogers Online Protection Firewall *Disabled*
    FW: Norton Security Online *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\lxddcoms.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Lexmark 2500 Series\lxddmon.exe
    C:\Program Files\Lexmark 2500 Series\lxddamon.exe
    C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.thatguywiththeglasses.com/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
    uWindows: load=?
    BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngin0.dll
    BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
    BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\rogers online protection\rogers online protection\pkR.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
    TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
    TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngin0.dll
    uRun: [Update Manager] "c:\program files\rogers\update manager\UpdateManager.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [gadcom] "c:\documents and settings\owner\application data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
    mRun: [SigmatelSysTrayApp] sttray.exe
    mRun: [WINDVDPatch] CTHELPER.EXE
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
    mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
    mRun: [ipTray.exe] "c:\program files\intel\idu\iptray.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [lxddmon.exe] "c:\program files\lexmark 2500 series\lxddmon.exe"
    mRun: [lxddamon] "c:\program files\lexmark 2500 series\lxddamon.exe"
    mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
    mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
    mRun: [RogersServicepointAgent.exe] "c:\program files\rogers online protection\rogers servicepoint agent\RogersServicepointAgent.exe" /AUTORUN
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office x4\programs\QFSCHD140.EXE"
    mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    IE: Copy to &Lightning Note - c:\program files\corel\wordperfect lightning\programs\WPLightningCopyToNote.hta
    IE: Download with GetRight - c:\program files\getright\GRdownload.htm
    IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
    IE: Open with WordPerfect - c:\program files\corel\wordperfect office x4\programs\WPLauncher.hta
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
    DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
    DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/da2/PCPitStop2.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    Hosts: 91.185.193.200 l2authd.lineage2.com
    Hosts: 91.185.193.200 l2patcher.lineage2.com
    Hosts: 216.107.250.194 nProtect.lineage2.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 KL1;KL1;c:\windows\system32\drivers\kl1.sys [2009-6-1 112144]
    R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-6-1 196368]
    R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
    S0 klmdb;klmdb;c:\windows\system32\drivers\klmdb.sys --> c:\windows\system32\drivers\klmdb.sys [?]
    S0 xerxjl;xerxjl;c:\windows\system32\drivers\dqum.sys --> c:\windows\system32\drivers\dqum.sys [?]
    S2 AWService;Admin Works Agent X8;c:\program files\intel\idu\awServ.exe [2006-12-27 74520]
    S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2008-6-10 99248]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
    S3 Radialpoint Security Services;Rogers Online Protection;c:\program files\rogers online protection\rogers online protection\RpsSecurityAwareR.exe [2009-2-27 97520]
    .
    =============== Created Last 30 ================
    .
    2011-05-07 13:43:53 54016 ----a-w- c:\windows\system32\drivers\eyph.sys
    2011-05-07 13:16:55 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-05-07 13:16:55 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-05-07 13:14:42 -------- d-----w- c:\docume~1\owner\applic~1\Azureus
    2011-05-07 04:23:11 -------- d-----w- c:\docume~1\owner\applic~1\uTorrent
    2011-05-07 03:28:26 -------- d-----w- c:\docume~1\owner\applic~1\Azureus(2)
    2011-05-07 03:26:46 -------- d-----w- c:\docume~1\owner\applic~1\Copy of Azureus
    2011-05-07 02:04:52 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Google
    2011-05-07 01:48:39 -------- d-----w- c:\windows\system32\NtmsData
    2011-05-07 01:44:07 -------- d-----w- c:\program files\Avira
    2011-05-07 01:44:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2011-05-06 22:19:29 0 ----a-w- c:\windows\Bwusezo.bin
    2011-05-06 22:19:27 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\{250DB478-4874-4568-9969-DA00E6D262BD}
    2011-04-30 18:00:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\gC31002LkHjI31002
    2011-04-16 20:53:20 -------- d-----w- c:\program files\Amnesia - The Dark Descent
    2011-04-15 17:37:32 -------- d-----w- c:\program files\Borg
    .
    ==================== Find3M ====================
    .
    2011-05-06 22:43:31 90112 ----a-w- c:\windows\DUMPb9da.tmp
    2011-05-04 18:57:07 5224 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
    2011-04-10 17:23:11 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
    2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
    2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3320620A rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A3116F0]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a317a10]; MOV EAX, [0x8a317a8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A36AAB8]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A2B12A8]
    \Driver\atapi[0x8A3904F0] -> IRP_MJ_CREATE -> 0x8A3116F0
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A31153B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 10:46:23.09 ===============
  2. 2011-05-11, 01:54 #2
    ken545
    ken545 is offline
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default




    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

    Your infected with a nasty Rootkit

    Download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it

    Click the "Scan" button to start scan


    On completion of the scan click save log, save it to your desktop and post in your next reply
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
  3. 2011-05-11, 16:52 #3
    Arbix2
    Arbix2 is offline
    Junior Member
    Join Date
    May 2011
    Posts
    2

    Default

    Hi ken545,

    Thanks for your reply! Before we go further I should tell you that before you posted I had run a few more scans with different programs and so far seem to be in good shape. I ran Kaspersky TDSSkiller which found some more malware and was able to remove it. Following that, I scanned my system with Malwarebytes, Spybot and Avira and was able to pick off a few more. After restarting, Spybot no longer detects Click.Giftload, and my system seems to be stable. I took it out of safe mode and two days on have not encountered any of my previous problems - no windows errors, and I can use windows update again. However, I don't know if I've got something lurking in the shadows.

    Here's the aswMBR log:


    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-11 10:37:51
    -----------------------------
    10:37:51.078 OS Version: Windows 5.1.2600 Service Pack 3
    10:37:51.078 Number of processors: 2 586 0x1706

    10:37:52.250 Initialize success
    10:37:54.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
    10:37:54.421 Disk 0 Vendor: ST3320620A 3.AAE Size: 305245MB BusType: 3
    10:37:54.421 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
    10:37:54.421 Disk 1 Vendor: WDC_WD2500JB-00GVC0 08.02D08 Size: 238475MB BusType: 3
    10:37:54.421 Disk 0 MBR read error 0
    10:37:54.421 Disk 0 MBR scan
    10:37:54.421 Disk 0 unknown MBR code
    10:37:54.421 MBR BIOS signature not found 0
    10:37:54.421 Disk 0 scanning sectors +625121280
    10:37:54.437 Disk 0 scanning C:\WINDOWS\system32\drivers
    10:38:05.687 Service scanning
    10:38:07.109 Disk 0 trace - called modules:
    10:38:07.125 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys sptd.sys hal.dll pciide.sys PCIIDEX.SYS
    10:38:07.125 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a587ab8]
    10:38:07.125 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a5c2b00]
    10:38:07.125 Scan finished successfully
    10:39:00.171 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
    10:39:00.171 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"
  4. 2011-05-11, 18:30 #4
    ken545
    ken545 is offline
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    With a serious infection like a Rootkit, lets run this scanner and see

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules