NVIDIA Optimus Problems After Virus Removal

Hello everyone, first of all, I'm sorry for the inconveniences I may cause the ones willing to help me with this issue as I am a bit of a newb when it comes to these things.

To make matters as simple as possible, let me explain the situation:

I own a laptop which I use at home for HD family video editing. It's a Dell XPS 15 L502X with a 2nd Generation Core i7-2860QM and an Nvidia Geforce GT 540M with Optimus Technology running on Windows 7 Home Premium 64-bit. The NVIDIA Optimus technology is supposed to switch between Intel HD Graphics and NVIDIA Accelerated Graphics when the application demands it. Therefore, it is of great importance to me to have this technology working, since editing 1080p footage using the Intel HD Graphics is not a pleasant experience.

However, this laptop got infected with a nasty virus, which stole some of my information, including credit card information and other sensitive data. I sent the computer to repair, but this bore no results. The person trying to eliminate the virus said he was unable to do so and thus he recommended to reinstall Windows completely. The problem is, I have gigabytes of valuable data in this computer accompanied by a lot of software I would not even want to start reinstalling. Thus, I turned to the IT person at my work, which took the laptop for the day and ran some tools to clean it. To my surprise, he was able to remove the virus and my computer was completely normal and stable. However, it was only a week after (yesterday) when I went to edit some footage that I noticed that my NVIDIA card was not running when needed. I tried forcing the card (by making it the default graphics card for every application) to run, but with no results. This is when I called the guy that removed the virus to ask him if he knew anything about this and he said he would check online. An hour later he calls me saying that one of the tools he used (Combofix) may have corrrupted my registry and so it may have rendered my graphics card useless. He told me the only solution would be to reinstall windows (Again, not an option)

So now, here I am, turning to this great forum in looks for an answer. I am willing to provide any information regarding what the IT person did (I told him I would contact a forum, so he provided me with everything he did).

I hope this issue can be resolved...I trust you guys!

Regards

have you tried updating the nvidia drivers?

Please post the ComboFix log(s), they should be located at C:\ComboFix.txt


if there are any other tools/logs that were used, please post them

then run the following diagnostic tools:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

• Disable any script blocking protection
• Double click dds to run the tool.
• When done, two DDS.txt's will open.
• Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT

Please download aswMBR to your desktop.

• Double click the aswMBR.exe icon to run it
• When asked if you want to download Avast's virus definitions please select Yes.
• Click the Scan button to start the scan
• On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
• You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

Hello CatByte,

Yes, I tried updating the NVIDIA as well as the Intel HD Graphics drivers, but to no avail...

The logs you asked for are attached to this post.

Also, one more thing to mention. The folder "Qoobox" was created in C:\, and that contains the Combofix logs, some quarantine folders, and also a Snapshot.(numbers).dat file which is the biggest file in the folder.

Thank you for your help!

try going to this site
http://www.geforce.com/drivers

see if you can download and install the drivers you need, there doesn't appear to have been anything deleted by ComboFix related to nvidia

qoobox is the ComboFix quarantine.

have you tried doing a system restore back to before you encountered this issue?

even if you have to restore back to an infected state, then we can see what the issue might be with nvidia, it may have been corrupted.

Sadly, I tried doing a system restore, but there are no restore points before the 27th of April. The combofix "fix" was performed the 23rd...

Is there any ways I could go back using the Combofix log to restore whatever was deleted or changed?

I tried uninstalling my current drivers, and installing the same ones again. I also tried installing the new "beta drivers" but also to no avail...

Also, maybe it could be a registry issue?

I'm starting to get inclined towards a "vulnerability" that Combofix may have "closed" from the point of view of how the NVIDIA Optimus technology works. Optimus technology basically enables and disables hardware as software runs. For instance, if I was only using a word processor, the computer would be using the Intel HD Graphics. However, if I change to running Adobe Premier to edit HD video, the NVIDIA card kicks in and the HD Graphics is disabled. Now, I can see why this would be considered "dangerous" by some security tools. I'm not sure how to read Combofix logs, and from what I've researched, this information will not be given to me. However, I believe it's more of a registry thing concerning a Windows setting more than it is a driver issue. Is there any way to find out through the Combofix log exactly was has been changed in the registry?

Please do the following:


Press the WinKey + R to open a run box > and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply.

2012-04-24 03:46:49 . 2012-04-24 03:46:49 668 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-tsimtnccxx.reg.dat
2012-04-24 03:46:49 . 2012-04-24 03:46:49 604 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-ATR_72500.reg.dat
2012-04-24 03:46:43 . 2012-04-24 03:46:43 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SynTPEnh.reg.dat
2012-04-24 03:46:43 . 2012-04-24 03:46:43 92 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2012-04-24 03:46:34 . 2012-04-24 03:46:34 104 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-Locked.reg.dat
2012-04-24 03:44:21 . 2012-04-24 03:44:21 22,277 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-04-24 03:40:33 . 2012-04-24 03:40:33 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-01-16 17:33:10 . 2012-01-16 17:33:11 1,173,991 ----a-w- C:\Qoobox\Quarantine\C\Users\Jesus\Downloads\f1_Fsx_vcrainfix.exe.vir
2011-12-31 03:38:36 . 2012-01-06 19:35:39 1,220 ----a-w- C:\Qoobox\Quarantine\C\prefs.js.vir
2011-12-21 20:09:27 . 2012-04-18 15:23:43 737,280 ----a-w- C:\Qoobox\Quarantine\C\Windows\iun6002.exe.vir
2011-12-10 07:30:51 . 2012-04-22 02:45:13 294,912 ----a-w- C:\Qoobox\Quarantine\C\Users\Jesus\AppData\Roaming\chrtmp.vir
2007-11-07 12:03:18 . 2007-11-07 12:03:18 562,688 ----a-w- C:\Qoobox\Quarantine\C\Install.exe.vir

we'll restore everything removed by ComboFix, let me know if that resolves the issue, then I can report back to the developer, it has since been updated, so there may have been a bug in the version you ran

(I'll restore the files that are likely infected too,then I'll have you download a new version, see if the same files are targeted or not)


Please do the following:

to restore the registry Items, it is a little more complicated, but please do this

Open Windows explorer and navigate to this folder

C:\QooBox\Quarantine\Registry_Backups

In the right hand panel, locate these files
C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
C:\Qoobox\Quarantine\Registry_backups\AddRemove-tsimtnccxx.reg.dat
C:\Qoobox\Quarantine\Registry_backups\AddRemove-ATR_72500.reg.dat
C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SynTPEnh.reg.dat
C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-Locked.reg.dat
C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

you will need to delete the extra extension so the file ends in .reg just like the first file on the list.
eg:
for C:\Qoobox\Quarantine\Registry_backups\AddRemove-tsimtnccxx.reg.dat remove the .dat so you have this remaining

C:\Qoobox\Quarantine\Registry_backups\AddRemove-tsimtnccxx.reg

To do that right click on the files, select rename

• remove only the .dat from the end of the filename
• left click near the file name to ensure the rename is correct
• Do the same for each file listed
• Next double click the renamed files to ALLOW them to merge into the registry

NEXT

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
• They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

DEQUARANTINE::
C:\Qoobox\Quarantine\C\Users\Jesus\Downloads\f1_Fsx_vcrainfix.exe.vir
C:\Qoobox\Quarantine\C\prefs.js.vir
C:\Qoobox\Quarantine\C\Windows\iun6002.exe.vir
C:\Qoobox\Quarantine\C\Users\Jesus\AppData\Roaming\chrtmp.vir
C:\Qoobox\Quarantine\C\Install.exe.vir 

QUIT::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix may request an update; please allow it.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you.
• Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.

I tried your method, and it did not work...

However, I managed to fix my problem without having to reinstall everything. I followed a tutorial on how to perform a "repair" installation, which basically restored all my windows files without touching my programs and settings. After performing this "repair" install, which was a lengthy process, my drivers would still not work. However, I uninstalled both the NVIDIA and the Intel graphics drivers, and reinstalled them (First Intel, then NVIDIA). I have to say I downloaded the Intel drivers from the Dell website, and NVIDIA drivers were just straight from nvidia. After doing this, Optimus was running fine, and everything was working the way it's supposed to.

Thank you for your help anyways!

That's great to hear,

are there any outstanding issues or are you good now?

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.