Solved

virus---keyboard/mouse not working

Posted on 2002-05-18
Last Modified: 2010-05-18
I got a virus that keeps my mouse and keyboard from working.

I recently, in the last week, loaded PC-cillin 2000, upgrading from version 6.0.

Yesterday the problems started. The first clue I had a problem was that my mouse and keyboard did not work on a startup.
Ran a scan and found 2 viruses: worm_badtrans.b
and also worm_klez.h

Files were quarantined.

In trying to fix the problem,
started in safe mode, and followed the instructions for each to clean, then rebooted. I did not find any of the indicated changes in the registry, and so did not change any of the copy there. While I did not find any problems with the registry, I did find the file cp_25389.nls, which I deleted.

Have rebooted several times;
none have worked in regular Windows load.

1 time, tried safe mode, and when I tried to open pcc2000, got a blue screen that failure in pccmain etc etc etc krnl386.exe.

Rebooted and it did not reappear. I have run PC virus scan 2 other times with no viruses detected, with pattern 283 and engine 6.150.0.1001 and program 7.61.0.1436.

Help!!!!!

I do find that on regular Windows load, sometimes Windows quits with just a few desktop icon pictures missing... and the hourglass onscreen, but no keyboard or mouse working... except the mouse moves but no clicking.
Thanks for the help.

Thanks

Basically, the scan does not pick up any problems but it still does not work... Help and thanks.

System is Win 98, PIII 500 MHz, 128 meg RAM etc.

Status report: next day, did get the system to boot with keyboard/mouse working... 1st time, locked up with execution of virus software... the IE gave blue screen.

With several reboots, 2 times loaded OK and all worked... scan showed no viruses.

Then a few more reboots, same problem... keyboard/mouse inop, like the system has loaded all but a little and the hourglass sometimes stays on... all icons load OK.

Help
Question by:hassenfeld
12 Comments
 

Accepted Solution

by:
tituba2 earned 500 total points
ID: 7019536
What OS are you using?  Before you do ANYTHING more - BACK UP what is important to you.  Klez can and will destroy files and you may not have a vote very shortly.

Klez_H needs to be repaired using a tool.  Virus software won't clean it as Klez is very clever and destroys files of virus software products so they can't work correctly.  Until Klez is gone, you have to remove viruses with a tool.

I've had the best luck with the tool for Klez provided by Symantec and not Trend.  Go to www.symantec.com and download the tools for both Klez and Bad_Trans.  You will have to run the tool several times.  After Klez is gone, you will find its accompanying virus (most likely Elerkn).  However, and this is a very scary one, Klez has been recently found to be dropping CIH.  Go to Symantec's site and read about CIH and I'd download that tool too.

(If you do have CIH, I'd personally format the hard drive (using /u switch), clear the MBR and start over.)

Be VERY careful about reading all the directions with the readme files on both of these tools.  If you are using XP or ME, you need to take additional steps.  

After all tools have been run, go to http://housecall.antivirus.com and run a scan.  Don't rely on local installed virus software for accurate reading.  When you are absolutely sure all is gone, uninstall and reinstall the virus software.

Virus scan all files you backed up before putting them back.

Be very careful to follow the directions on Symantec's site regarding this virus as both are very bad news, especially the variant H of Klez.  Good luck.


Expert Comment

by:tituba2
ID: 7019546
Also - if you go to Trend's site, search ERD, you will go to a link to create an emergency boot disk with pattern file 279.  Do this ON A CLEAN system and not the system you have these viruses on.  In fact, run the housecall on the system you create these disks from prior to creating your Emergency Boot Disks so as to be very sure.

Anyways - you'll need six floppies.  You boot from the first and follow the directions.  Pattern file 279 will load and will scan and delete viruses in DOS mode.  However, run the tool first as I don't believe the ERD set with pattern 279 will delete Klez.  It will, however, take care of Elerkn.

Author Comment

by:hassenfeld
ID: 7019637
Now you have me really scared.  I have now found that the virus, if that's the problem, is with pcc2000.  When I removed it and installed pcc 6.0, an earlier version, everything would load OK.  I need to repeat that I have probably scanned the system 4-5 times with pcc 2000, 1 with pcc 6.0 and also house doctor already, and nothing was detected... but by what you are saying, I may still have them??

The one curious thing is that the virus fixes referred to changes in the registry; I never did find the lines they mentioned.

How can I be sure the system is at least clean, yet while it does not work with pcc 2000?

I have all my data on a separate drive, so I could reformat c:, but one of the files that had the virus was in f: (data), which was supposedly quarantined the first time and then deleted.
What else can I check??
Thanks

Author Comment

by:hassenfeld
ID: 7019638
I am using Win 98. If I reinstall, is ME better than 98SE?

Expert Comment

by:tituba2
ID: 7019646
Yes, you may very well still have them.  Klez is VERY clever and you cannot rely on any virus software product when Klez is on your system.  Klez destroys key files in PC-cillin, Norton, McAfee in order to survive.  It gives you a false result that you are clean, when in fact, it is still resident.

Go to:
http://housecall.antivirus.com

click scan without registering
When dialog box comes up - click C drive and scan

This won't fix anything but you will get an accurate reading as to what is on your system.  If you are still infected, you need to download the tools I mentioned above and run them.

You have to run the tool first, then the emergency boot disks, then reload your virus software product and update and scan.  Go out to housecall again to verify all is gone.

Author Comment

by:hassenfeld
ID: 7019766
I have run the following programs:
boot to safe mode
run klez, reboot to safe
run badtransb, reboot to safe
run cih, reboot to safe
run klez again
reboot to regular Windows
ran housecall

Even before all these steps, I used pcc2000 on a networked computer to scan the one with problems; used pattern file 285.

In all cases, nothing was detected...

Now, I did notice in the copy for cleaning Klez that while it removes the virus, it will not necessarily repair the files??

My only symptom is that pcc 2000 does not work, with the keyboard/mouse problem, which is when these were originally discovered.

1) How sure can I be that I am OK?
2) What about not being able to use pcc 2000,
yet pcc 6.0 (older version) seems OK?
Note that I had pcc 2000 installed when the problem first came up.
3) I have Comcast and I did have a few odd problems getting to sign on for mail? System locked up... if this was related, should I be OK now??
Thanks
4) Do I need to do the booting with the ERD?? Have not done it... see note on scanning with 285.

What else have I overlooked...


Expert Comment

by:tituba2
ID: 7019837
Really unsafe to be on a network with the Klez virus.  Klez searches out for network shares and can infect the entire network.  If you are not the IT person, you should notify them ASAP to scan for possible infections. Always do scanning locally and not connected to a network.

In any case, remove PC-cillin.  Boot using the ERD disks (making sure to have created the ERD disks on a clean PC).

Yes, while it removes virus, cannot repair files.  If they are system files, you should reload your OS.

Anything freezing, locking up etc. is expected when you have these kinds of viruses.  You cannot diagnose system issues when you have a virus.  

Go out to http://housecall.antivirus.com and do a scan to verify you are OK.  If housecall finds anything, then you are not.  After you are clean, then reinstall and update your virus software.

Expert Comment

by:FlamingSword
ID: 7048090
?

Expert Comment

by:FlamingSword
ID: 7057535
status?

Expert Comment

by:pleasenospam
ID: 7170979
This problem MUST have been resolved by now.

Expert Comment

by:liloXwin
ID: 7299776

Expert Comment

by:ComTech
ID: 7300550
This person has been suspended for multiple violations of the Member Agreement, and will reject the proposed answer, and return your question to the Active Questions List.  The Moderator Group is deleting all 388 locked questions.

These were posted by three persons:

quirkyquirky
EliteKiller
liloXwin
 
Thank you,
ComTech
CS Admin @ EE