No Kybd or Mouse Function at XP login screen
#16
Posted 20 December 2011 - 04:53 PM
#17
Posted 20 December 2011 - 05:37 PM
You will need a USB drive/flashdrive.
Please note - all text entries are case sensitive
Download GETxPUD.exe to the desktop of a working computer
- Run GETxPUD.exe
- A new folder will appear on the desktop.
- Open the GETxPUD folder and click on the get&burn.bat
- The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
- Click on Start and follow the prompts to burn the image to a CD.
- Next download driver.sh to your USB drive
- Remove the USB & CD and insert them in the sick computer
- Boot the sick computer with the CD you just burned
- The computer must be set to boot from the CD
- Gently tap F12 and choose to boot from the CD
- Follow the prompts
- A Welcome to xPUD screen will appear
- Press File
- Expand mnt
- sda1,2...usually corresponds to your HDD
- sdb1 is likely your USB
- Click on the folder that represents your USB drive (sdb1 ?)
- Confirm that you see driver.sh that you downloaded there
- Press Tool at the top
- Choose Open Terminal
- Type bash driver.sh -f
- Press Enter
- You will be prompted to input a filename.
- Type the following:
i8042prt.sys
- Press Enter
- If successful, the script will search for this file.
- After it has finished a report will be located in the USB drive as filefind.txt
- Remove the USB drive and insert it back in your working computer and navigate to filefind.txt
Copy and paste the contents of findfile.txt for my review
This post has been edited by AustrAlien: 20 December 2011 - 05:40 PM
Google is my friend. Make Google your friend too.
#18
Posted 21 December 2011 - 08:34 AM
Here are the results from the file search:
Search results for i8042prt.sys
46faaec61853712c6966542c5e5913ea /mnt/sda1/WINDOWS/system32/drivers/i8042prt.sys
51.3K Apr 13 2008
54ae656490b33f84b4417194aa127b25 /mnt/sda1/WINDOWS/system32/ReinstallBackups/0001/DriverFiles/i386/i8042prt.sys
49.8K Aug 18 2001
4a0b06aa8943c1e332520f7440c0aa30 /mnt/sda1/WINDOWS/system32/dllcache/i8042prt.sys
51.3K Apr 13 2008
5502b58eef7486ee6f93f3f164dcb808 /mnt/sda1/WINDOWS/$NtServicePackUninstall$/i8042prt.sys
51.5K Aug 4 2004
4a0b06aa8943c1e332520f7440c0aa30 /mnt/sda1/WINDOWS/ServicePackFiles/i386/i8042prt.sys
51.3K Apr 13 2008
#19
Posted 21 December 2011 - 01:38 PM
krMitchell, on 21 December 2011 - 08:34 AM, said:
51.3K Apr 13 2008
54ae656490b33f84b4417194aa127b25 /mnt/sda1/WINDOWS/system32/ReinstallBackups/0001/DriverFiles/i386/i8042prt.sys
49.8K Aug 18 2001
4a0b06aa8943c1e332520f7440c0aa30 /mnt/sda1/WINDOWS/system32/dllcache/i8042prt.sys
51.3K Apr 13 2008
5502b58eef7486ee6f93f3f164dcb808 /mnt/sda1/WINDOWS/$NtServicePackUninstall$/i8042prt.sys
51.5K Aug 4 2004
4a0b06aa8943c1e332520f7440c0aa30 /mnt/sda1/WINDOWS/ServicePackFiles/i386/i8042prt.sys
51.3K Apr 13 2008
It appears that the infected driver file is still present in the drivers directory (RED line) and has not been removed by Avira:
- /mnt/sda1/WINDOWS/system32/drivers/i8042prt.sys
The two BLUE lines show the same file in other locations: Note the size and date of the files are the same, but the md5sum value is different in the RED line, indicating some modification of the file.
The infected file will need to be removed and replaced with a good version.
At this point I must cease: To proceed any further at this stage (removing the infected file), I would be stepping over the boundary of what is allowed/what is not allowed here. I recommend that you get the USB keyboard and then follow the instructions to post for help by the Malware Removal Team.
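The comparison made by eye in the post above (the active driver against the copies in dllcache and ServicePackFiles), as an added example that is not part of the original thread. The function names and the constructed sample tree are assumptions; the paths are those in the posted report.

```bash
#!/bin/bash
# Added example: compare the active driver with the reference copies that
# Windows XP keeps on the same partition (paths as in the posted report).
# Prints "<verdict> <md5> <path>" per file. Returns 0 = no same-size mismatch,
# 1 = a same-size copy has a different hash, 2 = active file missing.
check_driver() {
    local root=$1 name=$2 active ref a_md5 a_size r_md5 r_size suspicious=0
    active="$root/WINDOWS/system32/drivers/$name"
    [ -f "$active" ] || { echo "MISSING - $active"; return 2; }
    a_md5=$(md5sum < "$active" | cut -d' ' -f1)
    a_size=$(wc -c < "$active")
    echo "ACTIVE $a_md5 $active"
    for ref in "$root/WINDOWS/system32/dllcache/$name" \
               "$root/WINDOWS/ServicePackFiles/i386/$name"; do
        [ -f "$ref" ] || continue
        r_md5=$(md5sum < "$ref" | cut -d' ' -f1)
        r_size=$(wc -c < "$ref")
        if [ "$r_md5" = "$a_md5" ]; then
            echo "SAME $r_md5 $ref"
        elif [ "$r_size" -eq "$a_size" ]; then
            # Same size, different hash: the pattern flagged in the thread.
            echo "SAME_SIZE_DIFFERENT_HASH $r_md5 $ref"
            suspicious=1
        else
            # Different size: likely another build of the driver, as in the report.
            echo "DIFFERENT_VERSION $r_md5 $ref"
        fi
    done
    return $suspicious
}

# Constructed sample tree (hypothetical contents, not real driver files).
make_sample_tree() {
    local root=$1 d
    for d in system32/drivers system32/dllcache ServicePackFiles/i386; do
        mkdir -p "$root/WINDOWS/$d"
        printf 'GOODDRIVER' > "$root/WINDOWS/$d/i8042prt.sys"
    done
    printf 'EVILDRIVER' > "$root/WINDOWS/system32/drivers/i8042prt.sys"
}

# Usage from the xPUD terminal: bash thisscript.sh /mnt/sda1 i8042prt.sys
if [ $# -eq 2 ]; then check_driver "$1" "$2"; fi
```

Matching hashes only show that the copies agree with each other; they do not establish that any of them is clean.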
#20
Posted 21 December 2011 - 02:34 PM
#21
Posted 21 December 2011 - 02:40 PM
Please include a link to this topic in your new post in the Malware Removal forum so that your helper is aware of what has been done/found, and it would also be helpful if you could then post a link to your new topic in this thread.
If you have any problems posting the required logs, let us know here and we may be able to help with that.
Good luck.
This post has been edited by AustrAlien: 21 December 2011 - 02:45 PM
#22
Posted 23 December 2011 - 05:29 PM
I installed a USB keyboard and now have keyboard and mouse working. I have cleaned the system of the "XP Security 2012" virus using the info from this site:
http://www.spywareremove.com/removexpantivirus2012.html
As you suspected, i8042prt.sys in the windows\driver folder was corrupt. This was found by Avira. Avira quarantined this file and deleted some of the registry entries. I replaced the i8042prt.sys in the windows\driver folder with a known good file. The changes to the registry I believe are preventing the PS2 keyboard from working. Here are the Avira log entries:
The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path\Debugger> was removed successfully.
The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt> was removed successfully.
The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI\PNP0F13> was removed successfully.
The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\i8042prt> was removed successfully.
C:\WINDOWS\system32\drivers\i8042prt.sys
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4d440193.qua'.
[WARNING] The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\ImagePath> could not be repaired.
[NOTE] For the final repair, a restart of the computer is instigated.
[WARNING] The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\i8042prt\ImagePath> could not be repaired.
[NOTE] For the final repair, a restart of the computer is instigated.
Is there a way to restore the registry entries that were removed or could not be repaired? Complete scans with both Avira and Malwarebytes' Anti-Malware come up clean. I have still been unable to execute a System Restore.
#23
Posted 23 December 2011 - 05:54 PM
There is no way of knowing what other effects that particular infection may have had or what other malware has managed to install itself on your system, so I continue to strongly recommend that you post in the Malware Removal forum and have your system checked and repaired.
If you cannot successfully complete a Windows System Restore, then you can perform an off-line registry restoration using xPUD (please see post #31) to restore the registry hives, including the missing key for the keyboard/mouse driver. (When Windows is confirmed clean and running reliably, you will then need to repair the Windows System Restore facility: Do not forget this!)










