Virus problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by xtraboost360, Aug 31, 2011.

  1. xtraboost360

    xtraboost360 Private E-2

    I just got a virus that bugged my anti virus and redirected me on Google search.

    Ran combo fix and the results are below.


    Can somebody please help me?
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    ComboFix should never be your starting point and more information than just a log from it is necessary.

    You have what is called a Zero Access infection.


    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide



    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. xtraboost360

    xtraboost360 Private E-2

    Hi, I ran the scans but after the ComboFix restart, the keyboard doesn't seem to work.

    Any ideas how I can fix it?
     

    Attached Files:

  4. xtraboost360

    xtraboost360 Private E-2

    :confused

    Sorry this is like the second forum I've ever joined and I don't know how to edit my previous post.

    I've managed to get over the keyboard problem and here are the other remaining logs.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why are your logs being obtained from safe boot mode? To properly assess your status we need logs from Normal Boot mode. Safe boot mode should only be used as a work around if normal boot mode does not work. Please run MGtools in normal boot mode and attach a new log. Also tell me what problems are currently being experienced.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes this is because your driver was infected according to ComboFix. It has actually deleted it twice because the below shows in the ComboFix Quarantine.
    Code:
    "C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\"
    i8042p~1.vir   1 Sep 2011       52480  "i8042prt.sys.vir"   
    i8042p~1.vi~   1 Sep 2011       52480  "i8042prt.sys.vir_"
    But your Windows folder shows another copy was already put back.
    Code:
    C:\WINDOWS\system32\drivers\
    i8042prt.sys   1 Sep 2011       52480  "i8042prt.sys"
    It could be infected too.



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. xtraboost360

    xtraboost360 Private E-2

    Thanks for the response really appreciate it,


    I did it in safe mode because I keep getting BSOD about 'Driver_not less or equal' or something like that - not showing up anymore, not sure if it comes back though.

    I also get this error at start up
    "error loading 'c:\windows\nhcrtat.dll' The specified module could not be found" - I think it's from the past security for the computer


    C:\WINDOWS\system32\drivers\
    i8042prt.sys 1 Sep 2011 52480 "i8042prt.sys"

    How can I know if that driver is infected again?

    And about the other files that got deleted in the way (the infected ones from the other programs), can I have some help in putting them back to normal/fixing them after the system's fully clean?
     

    Attached Files:

    Last edited: Sep 2, 2011
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why am I now seeing AVG installed???? It was not in your last logs and I did not ask you to install it. You should only be doing what we ask you to do as stated at the beginning of the READ & RUN ME FIRST.

    Let me know if this is still happening after the next reboot.

    It may be okay now since ComboFix did not complain about it this time.

    Depending on which ones you are referring to, you may need to do this in the Software Forum. Let's finish the cleaning process and then worry about this.



    Please also download MBRCheck to your desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  9. xtraboost360

    xtraboost360 Private E-2

    My dad installed it, he's paranoid about me fixing the computer :major

    The .dll error still pops-up at start up.

    MBR log Attached.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      nhcrtat
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes awhile for this to scan thru your whole system look for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the logs from SystemLook
    • C:\ComboFix.txt
    • C:\MGlogs.zip
     
  11. xtraboost360

    xtraboost360 Private E-2

    The dll error still pops up.

    Logs attached
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not create the CFScript.txt file properly. It had 0 bytes in it and thus the fix did not do anything at all. You need to rerun the instructions from the ComboFix step through to the end.

    Not sure what the DLL is from but I don't see anything trying to load it at startup so it may just be for some program you run. Please put the below copy of the file into a ZIP file and attach it to your next message.

    C:\Qoobox\Quarantine\C\WINDOWS\NHCRTAT.DLL.vir
     
  13. xtraboost360

    xtraboost360 Private E-2

    Hi

    Sorry for the late reply.

    Here's the current logs and the dll
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, that DLL file does not really seem to be a DLL file. It just contains the below numbers. It is not likely to be a problem but I have no idea what program you are running that is looking for it.

    1 3 1 5 2 5 7 0 2 5


    If you boot your PC in safe mode do you still get an error message about this DLL missing?

    Are you having any other problems at all?
     
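    The post above describes a file named like a DLL that contains only a few digits. As an added illustration (not code from the thread or from any of the tools it mentions), the following Python checks whether a file has the headers Windows expects before it will map it as an image: the 'MZ' DOS signature, the e_lfanew pointer, and the 'PE\0\0' signature with its COFF header. The sample inputs are constructed here; the digit string mirrors the contents quoted in the post.

```python
import struct

# Constructed sample mirroring the thread: a "DLL" holding only digits.
NUMBERS_FILE = b"1 3 1 5 2 5 7 0 2 5"

IMAGE_FILE_DLL = 0x2000          # Characteristics flag marking a DLL


def check_pe_image(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason): does `data` carry the headers of a loadable PE image?"""
    if len(data) < 64:
        return False, "shorter than the 64-byte DOS header"
    if data[:2] != b"MZ":
        return False, "no 'MZ' DOS signature at offset 0"
    # e_lfanew (offset 0x3C) gives the file offset of the PE signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):          # signature (4) + COFF header (20)
        return False, f"e_lfanew 0x{e_lfanew:x} points past end of file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, f"no 'PE' signature at offset 0x{e_lfanew:x}"
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    is_dll = bool(characteristics & IMAGE_FILE_DLL)
    return True, f"PE image: machine=0x{machine:04x} sections={nsections} dll={is_dll}"


def build_minimal_pe_stub(is_dll: bool = True) -> bytes:
    """Constructed header-only PE stub (not runnable code) for exercising the check."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # PE signature right after DOS header
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff


def check_file(path: str) -> tuple[bool, str]:
    """Convenience wrapper for a real file on disk, e.g. C:\\Windows\\nhcrtat.dll."""
    with open(path, "rb") as fh:
        return check_pe_image(fh.read())


if __name__ == "__main__":
    print("digits file:", check_pe_image(NUMBERS_FILE))
    print("pe stub:    ", check_pe_image(build_minimal_pe_stub()))
```

    A file that fails this check is exactly the kind the loader refuses with a "Bad Image" dialog once something tries to load it, which is why copying the quarantined copy back did not help.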
  15. xtraboost360

    xtraboost360 Private E-2

    When I boot into safe mode it doesn't show up.
    I log on safe mode with admin account. Safe mode only allows admin account to go on.

    It doesn't show up in admin account, only on the account I'm using right now.
    I think it's the only problem at the moment. Any chance I can replace the dll file back to the system?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, just copy the below file

    C:\Qoobox\Quarantine\C\WINDOWS\NHCRTAT.DLL.vir

    back to the C:\Windows folder and rename it back to nhcrtat.dll ( case does not matter ).
     
  17. xtraboost360

    xtraboost360 Private E-2

    I copied the dll file but when I turned on the computer, another error popped-up.

    Something about a bad image.
    I included a screenshot.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm still not sure what is trying to load that file. Let's dig a little more.


    Download Autoruns by SysInternals to your desktop.
    • See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Create a folder on your desktop called "autoruns"
    • Extract the contents of the Autoruns.zip file into the autoruns folder you created.
    • Now open this folder by double-clicking it.
    • Now double-click autoruns.exe to run. (Vista and Win7 right-click and select Run as administrator)
      Note: Autoruns will automatically start scanning your system for autorun entries. This process is typically finished within 15 seconds.
    • When you see Ready at the bottom-left corner of the Autoruns program, the scan is complete.
    • Now click File > Save
    • Change the Save as type: to Text (*.txt)
    • Save AutoRuns.txt to your desktop or another location you can easily access it.
    • Attach AutoRuns.txt to your next message. (How to attach items to your post)
     
  19. xtraboost360

    xtraboost360 Private E-2

    I can't attach the text.

    The manage attachment button's missing.

    ==============
    Edit: thisisu >> Removed inline log and saved as attachment
    ==============
     

    Attached Files:

    Last edited by a moderator: Oct 3, 2011
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps this file really was related to a Vampiro infection as Malwarebytes indicated. Please follow the instructions in the below link from AVG:

    http://free.avg.com/us-en/win32-vampiro

    Then reboot and see if there is any change.
     
  21. xtraboost360

    xtraboost360 Private E-2

    Hi I ran the Vampiro remover but it didn't fix the dll error.

    Maybe nhcrtat had other related files that got removed during the virus removal.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! That would not make any sense. You still have something running that is trying to use the DLL which is why you are getting the error message at startup. Vampiro is an infection that gets into executable files ( referred to as a PE infection ) which means any program on your computer could have been and still could have infections. This may even be why some of the Windows files were being detected as infected during your first scans. It could even be the i8042prt.sys file that is the cause of this. Even though ComboFix is not detecting it anymore, it is still possible that it or other system files may still be infected.

    PE infections quite frequently require a total clean reinstall to properly fix in a fashion that a PC is reliable/trustworthy again.

    Do you still have AVG installed? If so, what happens if you run a full system scan with it?

    Since you do not see the error in safe boot mode, another possible way to debug what program is causing this error to show up is to use MSConfig to put your PC into selective start mode. There you would disable all non-Microsoft startups and services and then reboot. If you do not get the error message, you would then slowly enable 1 or 2 startups at a time and reboot after each one. By repeating this over and over you will eventually find which startup is the cause of the error.
     
    Last edited: Oct 4, 2011
