Mouse and keyboard disabled

Please open OTLPE -- Click None and paste this in the Custom Scans box:


Then click Run Scan. It shall launch a log. Please post it in your next reply.

OTL logfile created on: 6/10/2010 12:26:45 AM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 766.00 Mb Available Physical Memory | 75.00% Memory free
905.00 Mb Paging File | 824.00 Mb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.44 Gb Total Space | 47.01 Gb Free Space | 63.15% Space Free | Partition Type: NTFS
Drive D: | 1.90 Gb Total Space | 1.75 Gb Free Space | 91.89% Space Free | Partition Type: FAT
Drive E: | 1.88 Gb Total Space | 1.87 Gb Free Space | 99.63% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 280.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet004

========== Custom Scans ==========


< Code: >


< MD5 for: KEYBOARD.DRV >
[2004/08/04 07:00:00 | 000,002,000 | ---- | M] (Microsoft Corporation) MD5=ED4BF709AAD8B665075DE06A0945B030 -- C:\i386\KEYBOARD.DRV
[2004/08/04 07:00:00 | 000,002,000 | ---- | M] (Microsoft Corporation) MD5=ED4BF709AAD8B665075DE06A0945B030 -- C:\WINDOWS\system\KEYBOARD.DRV
[2004/08/04 07:00:00 | 000,002,000 | ---- | M] (Microsoft Corporation) MD5=ED4BF709AAD8B665075DE06A0945B030 -- C:\WINDOWS\system32\dllcache\keyboard.drv
[2004/08/04 07:00:00 | 000,002,000 | ---- | M] (Microsoft Corporation) MD5=ED4BF709AAD8B665075DE06A0945B030 -- C:\WINDOWS\system32\keyboard.drv

< MD5 for: KEYBOARD.INF >
[2008/04/13 12:29:43 | 000,043,203 | ---- | M] () MD5=7BBDE91DF15EA16103A3EF5C00A1FB77 -- C:\WINDOWS\inf\keyboard.inf
[2008/04/13 12:29:43 | 000,043,203 | ---- | M] () MD5=7BBDE91DF15EA16103A3EF5C00A1FB77 -- C:\WINDOWS\ServicePackFiles\i386\keyboard.inf
[2004/08/04 07:00:00 | 000,031,254 | ---- | M] () MD5=FFEEE39C5A83FA52064BD758B897B7F7 -- C:\i386\keyboard.inf
[2004/08/04 07:00:00 | 000,031,254 | ---- | M] () MD5=FFEEE39C5A83FA52064BD758B897B7F7 -- C:\WINDOWS\$NtServicePackUninstall$\keyboard.inf

< MD5 for: KEYBOARD.SYS >
[2004/08/04 07:00:00 | 000,042,537 | ---- | M] () MD5=FBBCFEC1379C5C02D88A361993EDF1B8 -- C:\i386\keyboard.sys
[2004/08/04 07:00:00 | 000,042,537 | ---- | M] () MD5=FBBCFEC1379C5C02D88A361993EDF1B8 -- C:\WINDOWS\ServicePackFiles\i386\keyboard.sys
[2004/08/04 07:00:00 | 000,042,537 | ---- | M] () MD5=FBBCFEC1379C5C02D88A361993EDF1B8 -- C:\WINDOWS\system32\dllcache\keyboard.sys
[2004/08/04 07:00:00 | 000,042,537 | ---- | M] () MD5=FBBCFEC1379C5C02D88A361993EDF1B8 -- C:\WINDOWS\system32\keyboard.sys

< MD5 for: MOUSE.DRV >
[2004/08/04 07:00:00 | 000,002,032 | ---- | M] (Microsoft Corporation) MD5=7D29780AC88BB7292CDCFF71BA67433D -- C:\i386\MOUSE.DRV
[2004/08/04 07:00:00 | 000,002,032 | ---- | M] (Microsoft Corporation) MD5=7D29780AC88BB7292CDCFF71BA67433D -- C:\WINDOWS\system\MOUSE.DRV
[2004/08/04 07:00:00 | 000,002,032 | ---- | M] (Microsoft Corporation) MD5=7D29780AC88BB7292CDCFF71BA67433D -- C:\WINDOWS\system32\dllcache\mouse.drv
[2004/08/04 07:00:00 | 000,002,032 | ---- | M] (Microsoft Corporation) MD5=7D29780AC88BB7292CDCFF71BA67433D -- C:\WINDOWS\system32\mouse.drv
< End of report >

Please open OTLPE -- Click None and paste this in the Custom Scans box:


Then click Run Scan. It shall launch a log. Please post it in your next reply.

OTL logfile created on: 6/11/2010 5:23:58 AM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 736.00 Mb Available Physical Memory | 72.00% Memory free
905.00 Mb Paging File | 813.00 Mb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.44 Gb Total Space | 47.01 Gb Free Space | 63.15% Space Free | Partition Type: NTFS
Drive D: | 1.90 Gb Total Space | 1.75 Gb Free Space | 91.89% Space Free | Partition Type: FAT
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 280.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet004

========== Custom Scans ==========


< /mdstart >
Invalid Switch: mdstart

< kbdhid.sys >

< /md5stop >
Invalid Switch: md5stop


< End of report >

Try one more time. You did not get the 5 in there correctly on one of the switches.

OTL logfile created on: 6/11/2010 6:40:14 AM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 730.00 Mb Available Physical Memory | 71.00% Memory free
905.00 Mb Paging File | 806.00 Mb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.44 Gb Total Space | 47.01 Gb Free Space | 63.15% Space Free | Partition Type: NTFS
Drive D: | 1.90 Gb Total Space | 1.75 Gb Free Space | 91.89% Space Free | Partition Type: FAT
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 280.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet004

========== Custom Scans ==========



< MD5 for: KBDHID.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:kbdhid.sys
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:kbdhid.sys
[2009/07/10 14:50:37 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:kbdhid.sys
[2009/07/10 14:50:37 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:kbdhid.sys
[2008/04/13 14:39:48 | 000,014,592 | ---- | M] (Microsoft Corporation) MD5=9EF487A186DEA361AA06913A75B3FA99 -- C:\WINDOWS\ServicePackFiles\i386\kbdhid.sys
[2008/04/13 14:39:48 | 000,014,592 | ---- | M] (Microsoft Corporation) MD5=9EF487A186DEA361AA06913A75B3FA99 -- C:\WINDOWS\system32\drivers\kbdhid.sys
[2004/08/04 00:58:36 | 000,014,848 | ---- | M] (Microsoft Corporation) MD5=E182FA8E49E8EE41B4ADC53093F3C7E6 -- C:\i386\kbdhid.sys
[2004/08/04 00:58:36 | 000,014,848 | ---- | M] (Microsoft Corporation) MD5=E182FA8E49E8EE41B4ADC53093F3C7E6 -- C:\WINDOWS\$NtServicePackUninstall$\kbdhid.sys
< End of report >

Please run OTLPE

• Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:
  
  :files
  C:\WINDOWS\system32\drivers\kbdhid.sys|C:\WINDOWS\$NtServicePackUninstall$\kbdhid.sys /replace
  
  :commands
  [emptytemp]
  [reboot]
  
  
• Then click the Run Fix button at the top.
  
• Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, this is normal.
  
• Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
  Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

When you say "..allow it to reboot, " should it reboot on its own or do I click yes

========== FILES ==========
File C:\WINDOWS\system32\drivers\kbdhid.sys successfully replaced with C:\WINDOWS\$NtServicePackUninstall$\kbdhid.sys
========== COMMANDS ==========

[EMPTYTEMP]
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

Total Files Cleaned = 0.00 mb


OTLPE by OldTimer - Version 3.1.39.0 log created on 06112010_074705

Good.

Now, boot normally and see if the keyboard works.

no - same results as previous try


when I clicked FIX it went immediately to the reboot? window and stayed there - waited 15 min, nothing - clicked yes on reboot? window, nothing. Rebooted computer off disc - repeated process, said no to reboot? and got the report below

We will need to replace it from the Recovery Console then.

Please boot in to your Windows CD, use the R option for the Recovery Console.

Log on to the current installation.

Let me know when you have gotten this far.

I got to "Please a screen which asks "Which Windows installation would you like to log onto" and " Please select a valid installation number" (I am at the Recovery Console.

Choose option 1.

You should see a C:\ type of prompt.

thanks for your help - I need the administrator password to continue - the IT at my work used his password for the entire network at my company to set up my pc and is unable to give it to me (the company bought this PC for me so i can work from home - is ther any way around this?

Ok. We are going to fix that in OTLPE, then you should be able to run the Recovery Console without a password.

Please run OTLPE

• Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:
  
  :reg
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole]
  "SecurityLevel"=dword:00000001
  
  
• Then click the Run Fix button at the top.
  
• Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, this is normal.
  
• Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
  Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

great - I am at the C:\windows prompt in the recovery consol

Please type in the following command.

copy C:\i386\kbdhid.sys c:\WINDOWS\system32\drivers\kbdhid.sys

Once this is completed successfully, remove the CD from the computer and reboot.

See if your keyboard works.

I keyed in "copy C:\i386\kbdhid.sys c:\WINDOWS\system32\drivers\kbdhid.sys" and hit enter and I got:

Access is denied.

Type cd \ and press "Enter".

Type cd windows\system32\config and press "Enter".

Type ren system system.bak and press "Enter".

Type copy C:\i386\kbdhid.sys c:\WINDOWS\system32\drivers\kbdhid.sys and press "Enter".

Type exit and press "Enter".

See if this works.

Same - Access is denied after copy command

Alright. Seems the rootkit has blocked that file from being replaced. Let's take ownership of the file, then try again. Similar process.

Type attrib -s -r c:\windows\system32\drivers\kbdhid.sys and press "Enter".

Type copy C:\i386\kbdhid.sys c:\WINDOWS\system32\drivers\kbdhid.sys and press "Enter".

Type exit and press "Enter".

See if this works.

attrib -s -r c:\windows\system32\drivers\kbdhid.sys and press "Enter". When I ran this it didn't work " unrecognized command". I then tried attrib -s-r c:\windows\system32\drivers\kbdhid.sys (no space between -s and -r) and it worked.
Still get Access denied after copy command. What do you think?

Would you be up for an in-place upgrade of Windows, a data-safe way to place a new install of Windows in to the old one's place?

In this case, Windows would be reinstalled, and hopefully restore all functionality to hardware.

http://michaelstevenstech.com/xp_in_place_upgrade.htm

Hi I'm back! Thank you for all your help. I got impatient and formated my hard drive and reinstalled windows. I have a Seagate backup so its cool. What are my best options to avoid the repeat of this virus? Can you recommend what software to get? What about good firewall?

Software recommendations

Antivirus/Antispyware

• Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
  
• AVG Free: this is one of the most powerful, and easiest to use security software. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.

Firewall

• Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus: free and excellent firewall.

Note: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

See this page for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?