what is gmgcjs?

Hello,
What’s gmgcjs?
Is it a Trojan or what? I have a question about avast!'s actions on my computer regarding a certain file. Each time I switch on my computer, after some 20 - 40 minutes, I get a message from Avast! that a “suspicious” file has been found. The address is usually reported as:

C:\WINDOWS\System32\Drivers\gmgcjs.sys

Usually the recommendation is to “Ignore” and sometimes to delete the file. It then asks me to submit the file to the Avast! laboratory. I always agree, but I have never got any reply. It asks me to scan all the local disks. Sometimes it says the file is of the type “ukryte usługi”, which means “hidden services”. Sometimes it reports a Trojan in one or two files. But usually the search result is that “the number of infected files equals 0”. The problem is that the scan takes a lot of time, during which I cannot use my computer. And 40 minutes later you have the same thing once again.

I’ve only had this problem for about 4 weeks. I had used avast! home edition for over 2 years and about a week ago I upgraded to the Professional edition.

So my questions are: is gmgcjs a virus? Or is it some file in WINDOWS? How can it happen that when you delete that file in the WINDOWS directory, the same file appears again once deleted? The message says it is dangerous - is it? Or should I answer to avast! "don’t inform me about this file again"? (There is an option like that.)
Can one set avast! so that it deals with this problem automatically?
With best wishes
Julius_Z

Hi Julius_Z,

Google "random named sys file in system32\Drivers" (without the quotes, of course) and you will find plenty of replies about this rootkitted trojan…

polonus

Hi Polonus
I have now read the earlier discussion on how to deal with what is probably the same thing under different names. So I found the file; its size is now 746 kB and the creation date is given as December 14, 13:37, but it keeps being modified each time you search for it.
I tried to submit it where recommended but the answer was 0 bytes transmitted.
What to do now?
Julius_Z

And now I tried to submit it to jotti but the answer is that the file is empty - even though it’s 746 kB!

Hi, Julius_Z

This could be a Srizbi or Bagle detection. When removing it, also consider this after cleansing with HJT: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.aspx
See: http://www.bleepingcomputer.com/startups/Random_Name-18257.html

Download HJT 2.03 from here: http://www.filehippo.com/download_hijackthis/download/0b5bbb42be6243172c8e6303e69eda10/
and I will have a look at the O23 entries in the logfile it comes up with, so attach the HJT log txt file under additional options.

If you have an sptd.sys driver (the driver of a CD/DVD emulator; installed with Alcohol 120%, Daemon Tools and some others), then your randomly named hidden driver (“aa9ak670.sys”) is not malicious and it is not a rootkit (it just uses rootkit technologies) – it is a part of sptd.sys. This behavior (hiding a dropped driver and killing the body of the driver) was implemented by the authors of SPTD to defeat CD-copy protectors, which try to detect CD-emulator software and prevent it from working.

Regards,

polonus

Hello,
Hi Polonus,
I have downloaded HijackThis and have scanned the computer. There is a logfile and the “Analyse this” file. I can see it in front of me but understand very little of it. What shall I do next?
With best wishes,
Julius_Z

There is a logfile and the Analyse this file. I can see it in front of me but understand very little of it. What shall I do next?
Post the logfile here so polonus can see it.

The logfile is below:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 19:32:44, on 2010-01-05
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: YouTube To ALLPlayer - {61DB16C5-B733-43F4-872E-B20DC9E72740} - C:\PROGRA~1\ALLPLA~1\YOUTUB~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\TEMP\~TME.tmp
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Zięborak\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe


End of file - 6698 bytes

avast! always reports that it has found gmgcjs about 25-40 minutes after the computer is switched on, irrespective of what I am doing, even if I don’t touch the keyboard.

You apparently do not run a software firewall.

Check the following, for instance by uploading it to virustotal.com:

O2 - BHO: YouTube To ALLPlayer - {61DB16C5-B733-43F4-872E-B20DC9E72740} - C:\PROGRA~1\ALLPLA~1\YOUTUB~1.DLL

O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\TEMP\~TME.tmp
Unknown application.
Possible backdoor: see:
http://www.threatexpert.com/report.aspx?md5=7a741227a3aefea1ec29d9343543e7b0
and see:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_TIKAYB.A&VSect=Sn

Fix this entry using HJT:
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
The entry &Winamp Search has been identified as nasty.

O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!

Survey of active tasks (click on the tasks for more information):

smss.exe (System task): Session Manager Subsystem
winlogon.exe (System task): Microsoft Windows Logon Process
services.exe (System task): Windows Service Controller
lsass.exe (System task): Local Security Authority Service
Ati2evxx.exe (Driver): ATI Display Adapter Assistant
svchost.exe (System task): Microsoft Service Host Process
svchost.exe (System task): Microsoft Service Host Process
Ati2evxx.exe (Driver): ATI Display Adapter Assistant
aswUpdSv.exe (Virusscan): Avast Anti-Virus Component
Explorer.EXE (System task): Microsoft Windows Explorer
ashServ.exe (Virusscan): Avast
spoolsv.exe (System task): Microsoft Printer Spooler Service
MaxMenuMgrBasics.exe (Background task): MSS
iTunesHelper.exe (Application): Apple Itunes
ashDisp.exe (Virusscan): Avast AntiVirus
ctfmon.exe (System task): Alternative User Input Services
AppleMobileDeviceService.exe (Background task): Apple Mobile Device Service
SyncServicesBasics.exe (Background task): Sync
mDNSResponder.exe (Background task): Bonjour for Windows Component
svchost.exe (System task): Microsoft Service Host Process
ashMaiSv.exe (Virusscan): Avast Anti-Virus Component
ashWebSv.exe (Virusscan): avast! Web Scanner
iPodService.exe (Background task): Apple iTunes
firefox.exe (Application): Mozilla Firefox
msiexec.exe (System task): Windows Installer Component
HiJackThis.exe (Application): Merijn Hijackthis v.2.0.3 (BETA)

polonus
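As an added example (not from this thread, nor from HijackThis, OTS or avast!), the three checks polonus applied to the log above written as a small triage pass over HijackThis-format lines: an O4 autostart pointing into a Temp directory or at a non-.exe, an O16 ActiveX download from a host outside an allowlist, and an O23 service whose binary carries no company name. The sample lines are constructed from the log posted in this thread; the Temp-path heuristic and the allowlist of trusted download hosts are assumptions, not part of any tool.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis log format, modelled on the log posted in this thread
# (the hive separator is written HKLM\..\Run as HijackThis prints it).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\TEMP\~TME.tmp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe
"""

# Assumed heuristic: legitimate autostart entries almost never point into a Temp directory.
TEMP_FRAGMENTS = ("\\temp\\", "\\tmp\\")
# Assumed allowlist of ActiveX (DPF) download hosts; a real deployment maintains its own.
TRUSTED_DPF_HOSTS = {"fpdownload2.macromedia.com", "download.microsoft.com"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<rest>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
# Service names containing " - " would confuse this split; HijackThis output rarely has them.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def run_target(rest: str) -> str:
    """Extract the program path from the command part of an O4 entry (quoted, or first token)."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:rest.index('"', 1)]
    return rest.split(" ", 1)[0]


def triage_hjt(log_text: str) -> list:
    """Return a list of {"type", "line", "reasons"} for entries that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if m := O4_RE.match(line):
            target = run_target(m["rest"]).lower()
            if any(frag in target for frag in TEMP_FRAGMENTS):
                reasons.append("autostart points into a Temp directory")
            if not target.endswith(".exe"):
                reasons.append("autostart target is not an .exe")
            kind = "O4"
        elif m := O16_RE.match(line):
            host = urlparse(m["url"]).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                reasons.append(f"ActiveX download from host not on allowlist: {host}")
            kind = "O16"
        elif m := O23_RE.match(line):
            if m["owner"].strip().lower() == "unknown owner":
                reasons.append("service binary carries no company name")
            kind = "O23"
        else:
            continue  # other HijackThis sections are not checked here
        if reasons:
            findings.append({"type": kind, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f["type"], "|", "; ".join(f["reasons"]), "|", f["line"])
```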

Hi there!
Uploading was not possible. I fixed the four items mentioned above (O2, O4, O8 and O16), one by one, each time waiting to see what happens. Each time the thingy appeared again in an avast! report about 8 minutes 45 seconds after switching on; after which I clicked on Ignore (recommended), which resulted in another scan that took 25 minutes; switched off and on, 8 min 45 s, and here is gmgcjs, alive and kicking. I tried to kill it using avast!'s delete: failed; sending by email: failed; deleting manually with the mouse: failed. It still has the same size of 746 kB. Maybe just try to love it and let it stay forever, I don’t know …
Or is there anything else a human can do?
Julius_Z

Hi Julius_Z,

This is cloaked malware. This is what you can do about it: http://techver2.blogspot.com/2009_11_22_archive.html
Another way is to perform the cleansing routine proposed here: http://forum.avast.com/index.php?topic=53050.msg450158#msg450158
Later we can have essexboy analyze it.

polonus

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
    [*]Reg - Shell Spawning
    [*]File - Lop Check
    [*]File - Purity Scan
    [*]Evnt - EvtViewer (last 10)

[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Today avast! reported something different. It identified gmgcjs as a rootkit, so I clicked delete. The name gmgcjs is still there, in drivers, but the computer has been running uninterrupted for over one hour already without any warnings from avast!. I’ve run the scan as essexboy recommended and will try to upload as soon as they finish maintenance at Mediafire.
Julius_Z

Back up now

I did. Where exactly to upload?

Could you upload it to Mediafire and post the sharing link, as per my first post. Ta

I click on Mediafire but there is no uploader. Is it Flash I should install to upload?

Hi essexboy

Please find enclosed the link to the scan I ran yesterday:

http://www.mediafire.com/file/2njzmzjydmz/OTS%20scan%202010.01.07.txt

avast! reported a rootkit again today that might be related to the gmgcjs. That is still present in \system32\drivers.
Thank you.
Julius_Z

I can see it there as well - I will remove the other elements and use CF on the rootkit.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Registry - Safe List]
< RunOnceEx [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
YN -> "Flag" -> Reg Error: Invalid data type. [Reg Error: Invalid data type.]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YY -> "C:\WINDOWS\Temp\~TME.tmp" -> C:\WINDOWS\Temp\~TME.tmp [C:\WINDOWS\Temp\~TME.tmp:*:Enabled:services]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a411249c-9637-11dd-8005-00304f4708d4}\Shell\AutoRun\command -> 
YY -> \{a411249c-9637-11dd-8005-00304f4708d4}\Shell\AutoRun\command\\"" -> D:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [D:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe]
YN -> \{a411249c-9637-11dd-8005-00304f4708d4} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a411249c-9637-11dd-8005-00304f4708d4}\Shell\open\command -> 
YY -> \{a411249c-9637-11dd-8005-00304f4708d4}\Shell\open\command\\"" -> D:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [D:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe]
YN -> \{dbafba68-0819-11de-80cb-00304f4708d4} -> 
[Files/Folders - Created Within 30 Days]
NY ->  5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  gmgcjs.sys -> C:\WINDOWS\System32\drivers\gmgcjs.sys
NY ->  avdrn.dat -> C:\Documents and Settings\Zięborak\Dane aplikacji\avdrn.dat
NY ->  6 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  6 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  420 C:\Documents and Settings\Zięborak\Ustawienia lokalne\Temp\*.tmp files -> C:\Documents and Settings\Zięborak\Ustawienia lokalne\Temp\*.tmp
NY ->  420 C:\Documents and Settings\Zięborak\Ustawienia lokalne\Temp\*.tmp files -> C:\Documents and Settings\Zięborak\Ustawienia lokalne\Temp\*.tmp
NY ->  420 C:\Documents and Settings\Zięborak\Ustawienia lokalne\Temp\*.tmp files -> C:\Documents and Settings\Zięborak\Ustawienia lokalne\Temp\*.tmp
NY ->  3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  12 C:\Documents and Settings\Zięborak\Ustawienia lokalne\Temp\nro.tmp\*.tmp files -> C:\Documents and Settings\Zięborak\Ustawienia lokalne\Temp\nro.tmp\*.tmp
[Files - No Company Name]
NY ->  gmgcjs.sys -> C:\WINDOWS\System32\drivers\gmgcjs.sys
NY ->  avdrn.dat -> C:\Documents and Settings\Zięborak\Dane aplikacji\avdrn.dat
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.