[q_a26]

hi to all,
here my problem: my laptop has been infected with a haktool rootkit. before i removed it my keyboard functionning become strange. my fn key, c, echap ,F.. and other keys just stopped working; the blue keys hotkeys)work without pressing fn, some numbers don t work also . its not hardware problem.
i downloaded a spyware remover and it seems that it detected and removed the trojan but the keyboard is still not working correctly. i tried even installing again the OS win xp but in vain it didn t solved my problem. when i search for virus or spyware i dont find any. what am i supposed to do it s driving me crasy.
when i plug an usb keyboard it works correctly.
i tried uninstalling the laptop keyboard, the driver utility and reinstalling it but still not working too.
i have an asus Z92j series
please anyone help me. is it really because of this virus or is it another problem. if yes how to solve it
thanks in advance for your time

[Jaymie1989]

Since you have reinstalled windows and and external keyboard is working fine.

Im thinking along the lines of a faulty keyboard in the laptop. How old is the laptop?

I do think this is an "other hardware" topic though.

Have you tried using AVG Anti Rootkit

[Howard]

Hello and welcome to

I agree with Jaymie, this could just be a faulty keyboard issue.

However, since your problem only seemed to start with a rootkit infection, please do the following, so we can make sure your system is clean or otherwise.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard

This thread is for the use of q_a26 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our malware Removal forum.

[q_a26]

hi, thanks both for the quick reply.
i am almost sure it is not hardware since my laptop is still new ( 1 year only) and besides all the keys seem working fine not stuck or anything

I am going to do what howard told me and will tell you what i find.

[Howard]

Yes, no problem mate.

Once your system is known to be clean, if you still have a keyboard problem, then it`s almost certainly a faulty keyboard.

However, we won`t know if your system is clean or not, until we`ve seen your log files.

Regards Howard

This thread is for the use of q_a26 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our malware Removal forum.

[q_a26]

hi,
i followed your tutorial and here are the 3 logs. i am waiting for your answers and advices
by the way, panda antirootkit gave me no alerts.
Eset live scan gave me a trojan alerts related to games on line in my disc D:. (well i left D: unformated since i still have some data on it but i don't guss those trojans are the bad ones )

[Howard]

You`re running multiple AV programmes. Please go HERE and run the Norton removal tool. Then, do the following.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

Crawler

Close control panel.

Go HERE and follow the instructions for removing the semo2x.exe trojan. Then, continue with the instructions below.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:

Quote:

File::
D:\ext\logiciels\hbtools.exe
C:\WINDOWS\imsins.BAK
C:\WINDOWS\autoclk.exe
C:\WINDOWS\tosOBEX.INI
C:\semo2x.exe
Folder::
C:\PROGRA~1\Crawler
C:\VundoFix Backups
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{87b3c260-bf86-11dc-89a4-0018f3720291}]
\Shell\AutoRun\command - semo2x.exe
\Shell\explore\Command - semo2x.exe
\Shell\open\Command - semo2x.exe

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard

This thread is for the use of q_a26 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our malware Removal forum.

[q_a26]

hi again
sdfix wont install korrektly, keeps telling me the archive is corrupt even though i downloaded it several times. is there another substitute for it.
should i go to next instructions whitout using it

[Howard]

Ok, try this first.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop:
Note: Please delete any existing copy of Flash Disinfector(if any) on your pc and download this one.

* Double-click Flash_Disinfector.exe to run it.
* Follow any prompts that may appear.
* Wait until the program has finished scanning, then please exit the program.
* Restart your computer and see if problem still persists.

Delete any copies of SdFix you may already have.

Download SDFix and save it to your Desktop.

Now, go and follow the instructions in this link.

Then, continue with the instructions in my post above.

Regards Howard

This thread is for the use of q_a26 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our malware Removal forum.

[q_a26]

always the same problem
sdfix won't work .
it is not a download problem since it download completely (size 1.15 Mo)

Hi
well i went under c:\DSfix and run Runthis.bat evn though the installtion problem was still there but it seemed to have worked (it gave me 2 alerts at th end of the kind it couldn't found 2 files may be due to the installation problem)
after that i did the rest of instructions.
here the combobox and hjt logs

[tomrca]

your log looks clean to me.

make sure that you know these though, if not fix
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C9E3FF0-701A-4DF6-A3CC-266E44428B54}: NameServer = 213.150.176.196 193.95.67.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C9E3FF0-701A-4DF6-A3CC-266E44428B54}: NameServer = 213.150.176.196 193.95.67.20

[q_a26]

hi,
what should i do to those 2 lines?

my keyboard is still not working right

[tomrca]

the reason why i asked if you knew the 017 entries is because they were not in your original hjt log. the ip's refer to Tunisia/Africa. if they are anything to do with work, home or college etc, leave them. so do you recognise the IP addresses ?
even though your laptop is only 1year old, it is still possible that the keyboard is faulty or may have had something split on it without realisation or maybe someone doesn't want to say so??

i will be back later, so find out more about those 017 entries before thinking of removing them

[q_a26]

hi, thanks for your answer
for the two lines it is ok.

well now i am sure it s not a faulty keyboard.
just now the keyboard started working Correctly again i don t know how but it was just for a few seConds but at least i was able to try the keys and see they are working fine.
i was happy sinCe I thought the problem is over but it went back the way it was without me doing anything . does this mean it still infeCted?

[tomrca]

Quote:

Originally Posted by q_a26

Correctly seConds
sinCe infeCted?

are these typing errors made by you, or is this a new fault

[q_a26]

actually, it was by it (it type only C if i press ****+c many times but at the first moment it worked corrctly with c and fn was back to work for just a few moment)
but now it doesn't type it either; back to how it was .
i am using my usb keyboard to type "c" now

[tomrca]

i am not fully conviced yet that this entry is a valid one as it has no name, even though its says it is spybot. will research on it or untill tst techie comes up with the answer

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[q_a26]

ok thanks i will be here waiting for the answer

[Howard]

Fix the 2 017 entries, only if they don`t belong to your ISP.

193.95.67.20
org-name: African Internet Numbers Registry
address: see http://www.afrinic.net
address: AFRINIC, see http://www.afrinic.net

The O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll entry is perfectly legit and shouldn`t be fixed.

Your HJT log is clean.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

semo2x.exe

Close task manager.

Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

Navigate to the following registry key and delete the bold portion.

HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{87b3c260-bf86-11dc-89a4-0018f3720291}

Close regedit.

Do a search of your system and delete any instances of this file: semo2x.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh Combofix log.

Regards Howard

This thread is for the use of q_a26 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our malware Removal forum.

[tomrca]

have you tried a scan with kaspersky? if not, try HERE

from daniweb.com.

Quote:

Re: Keyboard Virus? Urgent

Jun 12th, 2005
Dude no do. This is a virus. I solved it by downloading kaspersky virus detector. this is cool have a look at it. Thanks again mate.