
i8042prt removed by Malwarebytes


38 replies to this topic

#1 Scooter75

Scooter75

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:08:53 AM

Posted 30 November 2011 - 03:23 AM

Hello, I was having issues with my IE browser. Something was attempting to redirect it to many different sites. I ran a Malwarebytes scan and it found a couple rootkit.0access viruses attached to i8042prt and something in the registry. I had the program quarantine and remove the viruses. Rebooted the computer and now my mouse and keyboard will not function. I read that the i8042prt was the driver for the mouse and keyboard. I didn't know that it was going to delete the files. What can I do to start repairing this?
Thanks

Edited by Orange Blossom, 30 November 2011 - 03:28 AM.
Moved to AII. ~ OB




#2 AustrAlien

AustrAlien

    Inquisitor


  • BC Advisor
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:12:53 AM

Posted 30 November 2011 - 03:55 AM

Hello and welcome to the BC forums.

Please sit tight and be patient.

I have requested that an experienced helper who specialises in malware-related un-bootable computers respond to your topic.

Thank you.
AustrAlien
Google is my friend. Make Google your friend too.


#3 AustrAlien

Posted 30 November 2011 - 05:38 AM

Let's get a bit more information together .... and see what we can do in the meantime.

Since this was originally posted in the XP forum, I will assume the system is Windows XP.

Do you have the XP installation CD for your system? We may be able to boot with the CD and replace the file that was quarantined and recover the use of keyboard/mouse.
AustrAlien
Google is my friend. Make Google your friend too.


#4 Scooter75

Posted 30 November 2011 - 06:01 AM

Yes it is Windows XP and I do not have the CD you speak of with me as I am out of town for work. Even if I had it, how would I be able to operate the keyboard?

#5 AustrAlien

Posted 30 November 2011 - 07:01 AM

The keyboard/mouse will work just fine from a bootable CD.

You are away from home, working. In that case it is unlikely that you could even borrow an XP installation CD.

Not to worry: There is probably a copy of the required file available in another location on the system and we can simply copy it from there and paste it in the proper location. Assuming Service Pack 3, a suitable copy of i8042prt.sys should be found here:
C:\WINDOWS\ServicePackFiles\i386 <<< folder

So, basically the plan is very simple:
  • On a working computer, create a LiveCD with Linux operating system (in this case we will try with xPUD).
  • Boot the afflicted computer with the CD and use the xPUD operating system to do the task.
  • Locate and copy a good version of the file i8042prt.sys, which should be found in the following location:
    C:\WINDOWS\ServicePackFiles\i386 <<< folder
    (Let us know if this location does not exist or if the required file is not there.)
  • Paste a copy of the file where it needs to be:
    C:\Windows\System32\Drivers <<< folder
  • Shut down the computer, remove the LiveCD, and start Windows normally.
    The keyboard and mouse should now be working normally.

Step 1: On a working computer, create a LiveCD with xPUD ....

Download GETxPUD.exe to the desktop of your working computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
    Please be patient: This could take a while - download file size 63MB.
  • Click on Start and follow the prompts to burn the image to a CD.
You will use this CD to boot the ailing computer from.


Step 2: Copy a good version of i8042prt.sys to the correct location
  • Boot the ailing computer to the xPUD CD.
    A Welcome to xPUD screen will appear.
  • Click on File.
  • Expand the mnt icon on the left (click on the little arrow beside the icon).
    sda1, sda2 etc. ...usually correspond to your HDD partitions.
  • Locate the partition with your Windows system files on it (probably sda1).
  • Expand the folders until you are in C:\WINDOWS\ServicePackFiles\i386 <<< folder
  • Right-click on the file i8042prt.sys > Copy.
  • Now, navigate to C:\Windows\System32\Drivers <<< folder
  • In a blank area of the folder (right-side pane), right-click > Paste.

To restart the computer:
  • Home > Power off > Restart
As the system shuts down, remove the CD from the tray.
Allow the computer to re-start and load Windows normally. The mouse/keyboard should now be functional.
Success?

Note: My apology ... my internet connection is being a proper right-royal PITA tonight! And ... I must now be off to bed for the night. Good luck.

Edited by AustrAlien, 30 November 2011 - 07:39 AM.

AustrAlien
Google is my friend. Make Google your friend too.


#6 Scooter75

Posted 30 November 2011 - 11:40 AM

Does the CD need to be the one that came with the computer? If not, I may be able to have someone from the office come out and deliver one we have there. What about getting a USB keyboard and mouse to at least let me have some function on the laptop? Right now I can't even get past the blue login screen.
Thanks

#7 AustrAlien

Posted 30 November 2011 - 03:27 PM

What about getting a USB keyboard and mouse to at least let me have some function on the laptop?

Good thought! That looks likely to be your best option. The issue should only affect the on-board keyboard/touchpad.

A USB mouse & keyboard should get you back to full functionality. With the system running normally, you will then be able to simply copy/paste the required file to its proper location as indicated earlier. Restart the computer and you should be back in business again.

IF ... a replacement file is not available in the location that I indicated earlier, then please do the following and we'll see if we can find a copy of the file in another location for you to use.

Please download SystemLook.exe and save it to your Desktop.
  • alternate download link
    For users of Windows 64 bit systems: SystemLook (64-bit)
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following code box and paste into the main text field:
    :filefind
    i8042prt.sy*
    
  • Click the Look button to start the scan.
    Please be patient, as it may take a little time.
  • When finished, a Notepad window will open with the results of the scan.
  • Please copy & paste the entire content of this log in your next reply.
Note: The log, SystemLook.txt, is saved on your Desktop.

Edited by AustrAlien, 30 November 2011 - 03:29 PM.

AustrAlien
Google is my friend. Make Google your friend too.


#8 Scooter75

Posted 30 November 2011 - 09:46 PM

Ok. I used a USB keyboard and mouse to access the computer. Downloaded the program, burned it to boot disk, rebooted the computer to the disk, opened mnt icon, found i8042prt.sys, copied and pasted it to the windows\system32\drivers folder and restarted the computer. The laptop keyboard and mouse are still not functioning. I checked the driver folder and the file is there. What do you suggest now?

#9 AustrAlien

Posted 30 November 2011 - 11:27 PM

Please download and run SystemLook as per instructions in my last post, so that I can confirm the file placement is correct.

Did you leave the USB mouse/keyboard connected when you restarted your laptop? What happens if you shut down the laptop and disconnect the USB mouse/keyboard and then start the laptop again? Still no keyboard/touchpad function?
AustrAlien
Google is my friend. Make Google your friend too.


#10 AustrAlien

Posted 30 November 2011 - 11:44 PM

Please also post the relevant logs from MBAM.

Start the Malwarebytes Antimalware program:
  • The logs of past actions are automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Locate the most recent log.
  • Copy/Paste the entire contents of that report in your next reply.
    (if you ran MBAM more than once recently, then do the same for those logs too)
  • Exit MBAM.

AustrAlien
Google is my friend. Make Google your friend too.


#11 Scooter75

Posted 01 December 2011 - 02:03 AM

Disconnecting the keyboard and mouse and restarting the computer did not fix it.
Here are the logs you requested.

SystemLook 30.07.11 by jpshortstuff
Log created at 00:29 on 01/12/2011 by Scott
Administrator - Elevation successful

========== filefind ==========

Searching for "i8042prt.sy*"
C:\WINDOWS\$NtServicePackUninstall$\i8042prt.sys -----c- 52736 bytes [18:30 17/12/2009] [19:00 04/08/2004] 5502B58EEF7486EE6F93F3F164DCB808
C:\WINDOWS\I386\I8042PRT.SY_ ------- 26025 bytes [20:31 16/12/2009] [19:00 04/08/2004] 819D427AB9DBE6AC2960A585087CB766
C:\WINDOWS\ServicePackFiles\i386\i8042prt.sys ------- 52480 bytes [18:55 17/12/2009] [06:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30
C:\WINDOWS\system32\dllcache\i8042prt.sys --a--c- 52480 bytes [20:17 30/11/2011] [02:50 01/12/2011] 4A0B06AA8943C1E332520F7440C0AA30
C:\WINDOWS\system32\drivers\i8042prt.sys --a---- 52480 bytes [20:17 30/11/2011] [02:50 01/12/2011] 4A0B06AA8943C1E332520F7440C0AA30

-= EOF =-

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8276

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/1/2011 1:01:13 AM
mbam-log-2011-12-01 (01-01-13).txt

Scan type: Quick scan
Objects scanned: 197942
Time elapsed: 25 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
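
Added example, not part of the original posts: a Python check of what the SystemLook log above is used for, confirming that the copy now in system32\drivers is the same file as the ServicePackFiles reference. The function and constant names are hypothetical; the log lines are copied from the post.

```python
import re

# SystemLook ":filefind" result line: path, attribute flags, size, two timestamps, MD5.
LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]+)\s+(?P<size>\d+) bytes "
    r"\[[^\]]+\] \[[^\]]+\] (?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Log lines copied from the SystemLook output posted in this thread.
SAMPLE_LOG = r"""
Searching for "i8042prt.sy*"
C:\WINDOWS\$NtServicePackUninstall$\i8042prt.sys -----c- 52736 bytes [18:30 17/12/2009] [19:00 04/08/2004] 5502B58EEF7486EE6F93F3F164DCB808
C:\WINDOWS\I386\I8042PRT.SY_ ------- 26025 bytes [20:31 16/12/2009] [19:00 04/08/2004] 819D427AB9DBE6AC2960A585087CB766
C:\WINDOWS\ServicePackFiles\i386\i8042prt.sys ------- 52480 bytes [18:55 17/12/2009] [06:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30
C:\WINDOWS\system32\dllcache\i8042prt.sys --a--c- 52480 bytes [20:17 30/11/2011] [02:50 01/12/2011] 4A0B06AA8943C1E332520F7440C0AA30
C:\WINDOWS\system32\drivers\i8042prt.sys --a---- 52480 bytes [20:17 30/11/2011] [02:50 01/12/2011] 4A0B06AA8943C1E332520F7440C0AA30
-= EOF =-
"""

INSTALLED = r"C:\WINDOWS\system32\drivers\i8042prt.sys"
REFERENCE = r"C:\WINDOWS\ServicePackFiles\i386\i8042prt.sys"

def parse_filefind(log):
    """Return one dict per file entry; header and EOF lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append({"path": m["path"], "size": int(m["size"]),
                            "md5": m["md5"].upper()})
    return entries

def check_restored(entries, installed, reference):
    """Compare the installed copy with the reference copy by size and MD5."""
    by_path = {e["path"].lower(): e for e in entries}
    inst, ref = by_path.get(installed.lower()), by_path.get(reference.lower())
    if inst is None:
        return "installed copy missing"
    if ref is None:
        return "reference copy missing"
    if (inst["size"], inst["md5"]) != (ref["size"], ref["md5"]):
        return "mismatch"
    return "match"

if __name__ == "__main__":
    print(check_restored(parse_filefind(SAMPLE_LOG), INSTALLED, REFERENCE))
```

A match only shows that the installed copy equals the local ServicePackFiles copy; it does not explain why the driver still fails to load.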

#12 Scooter75

Posted 01 December 2011 - 02:06 AM

By the way...that PUM.Disabled.SecurityCenter has been quarantined and deleted several times. It just keeps coming back. Oh well, I figured it would be best to solve one problem at a time.

#13 AustrAlien

Posted 01 December 2011 - 02:24 AM

NO .... When I asked you to start MBAM, I did not want you to run a scan. All I wanted was for you to access the logs from the time before the problem arose. I want to see what MBAM actually did (what files it removed) to create the problem.

Please post all relevant logs.
AustrAlien
Google is my friend. Make Google your friend too.


#14 Scooter75

Posted 01 December 2011 - 02:31 AM

I believe this is the log you were looking for.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8276

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

11/30/2011 12:35:12 AM
mbam-log-2011-11-30 (00-35-12).txt

Scan type: Quick scan
Objects scanned: 196871
Time elapsed: 27 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt (Rootkit.0Access) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\drivers\i8042prt.sys (Rootkit.0Access) -> Quarantined and deleted successfully.
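
Added example, not part of the original posts: the log above records two removals for i8042prt, the driver file and its Services registry key. This Python sketch parses a log laid out like the one posted and lists driver services that lost their key, their file, or both; copying the .sys file back does not recreate the registry key. Function names are hypothetical, and the sample is the posted log with the header and empty sections trimmed.

```python
import re

# Result sections copied from the MBAM log posted in this thread (header trimmed).
SAMPLE_LOG = r"""
Registry Keys Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt (Rootkit.0Access) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\drivers\i8042prt.sys (Rootkit.0Access) -> Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^(?P<name>.+) Infected:$")   # summary lines end in a count, so they do not match
ITEM = re.compile(r"^(?P<obj>.+?) \((?P<det>[^()]+)\) -> (?P<rest>.+)$")
SERVICE_KEY = re.compile(r"\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)$", re.I)
DRIVER_FILE = re.compile(r"\\system32\\drivers\\(?P<svc>[^\\]+)\.sys$", re.I)

def parse_mbam(log):
    """Return (section, object, detection, action) for every item the log lists."""
    items, section = [], None
    for line in (raw.strip() for raw in log.splitlines()):
        head = SECTION.match(line)
        if head:
            section = head["name"]
        elif section and (m := ITEM.match(line)):
            items.append((section, m["obj"], m["det"], m["rest"].split(" -> ")[-1]))
    return items

def removed_driver_services(items):
    """Map service name -> {'key', 'file'} showing what was deleted for that driver."""
    removed = {}
    for _section, obj, _det, action in items:
        if "deleted" not in action.lower():
            continue
        for kind, rx in (("key", SERVICE_KEY), ("file", DRIVER_FILE)):
            m = rx.search(obj)
            if m:
                removed.setdefault(m["svc"].lower(), set()).add(kind)
    return removed

if __name__ == "__main__":
    print(removed_driver_services(parse_mbam(SAMPLE_LOG)))
```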

#15 AustrAlien

Posted 01 December 2011 - 03:12 AM

Let's try something really simple ...

Restart your laptop ... or press the Power On button ...
  • Start tapping the F8 key after you press the ON button, and continue tapping until you are presented with the "Windows Advanced Options Menu" screen.
  • Use the UP/DOWN arrow keys to select "Last known good configuration ..." and press the <ENTER> key.
  • Your system should start normally.
  • Check the keyboard/touchpad functionality.
Success?
AustrAlien
Google is my friend. Make Google your friend too.
