USB keyboard stops working when Windows 7 starts
This is an Acer AIO running Windows 7 Home Premium. All was fine until trying to update Kaspersky Internet Security... which would not activate. Client found a support number on Kaspersky's website, called it and after the answering party took control of the computer, the client was informed that the system and their entire network was virused and that they'd need to pay $199.00 to clean it up. At that point they stopped the person, asked them to disconnect and brought it to me.
I booted from a Kaspersky scan CD, updated definitions and performed a full scan (nothing found). I attempted to uninstall KIS but it hung and failed to complete. After the restart, I wanted to run Kaspersky's Software Removal Tool and needed to input a CAPTCHA code. It was at this point that I noted that I had no keyboard access. As I think about it, all actions prior to this point, within the client's Windows environment, had been by mouse control only... so it is possible that keyboard access had been unavailable from the start. [It should be noted that all tested keyboards work when booting from other environments or upon startup. Loss seems to occur upon transferring control to Windows.] After using the removal tool (which could be completed through use of the built-in touchscreen), I attempted to install KIS 2013. There were problems again (though I don't remember exactly what they were) so I again used the Removal Tool.
At this point I performed a complete image backup of all partitions on the hard drive before proceeding to determine if there was any indication of virus infection. I ran ComboFix and Malwarebytes and found no indication of any virus activity.
Attempts to do a system restore fails to complete. Hardware diagnostics on the system give no indication of problems. SFC /SCANNOW completes without concern. In Device Manager, I can see the HID Keyboard Device and USB Composite Device being added when I plug in a wired USB Keyboard. Yet still, any keyboard (other than touchscreen) fails to respond.
I would appreciate any help that might guide me towards the return of proper keyboard access.
Thanks!
Jim
I booted from a Kaspersky scan CD, updated definitions and performed a full scan (nothing found). I attempted to uninstall KIS but it hung and failed to complete. After the restart, I wanted to run Kaspersky's Software Removal Tool and needed to input a CAPTCHA code. It was at this point that I noted that I had no keyboard access. As I think about it, all actions prior to this point, within the client's Windows environment, had been by mouse control only... so it is possible that keyboard access had been unavailable from the start. [It should be noted that all tested keyboards work when booting from other environments or upon startup. Loss seems to occur upon transferring control to Windows.] After using the removal tool (which could be completed through use of the built-in touchscreen), I attempted to install KIS 2013. There were problems again (though I don't remember exactly what they were) so I again used the Removal Tool.
At this point I performed a complete image backup of all partitions on the hard drive before proceeding to determine if there was any indication of virus infection. I ran ComboFix and Malwarebytes and found no indication of any virus activity.
Attempts to do a system restore fails to complete. Hardware diagnostics on the system give no indication of problems. SFC /SCANNOW completes without concern. In Device Manager, I can see the HID Keyboard Device and USB Composite Device being added when I plug in a wired USB Keyboard. Yet still, any keyboard (other than touchscreen) fails to respond.
I would appreciate any help that might guide me towards the return of proper keyboard access.
Thanks!
Jim
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
disconnect the hard disk connect to a working machine and clean it that way
you will fins that the virus/rootkit has infected hiddrv.sys (or another part) which is essentially a wrapper, now hiddrv has been infected/deleted as part of the cleaning process the system driver no longer exists. you could copy it back in, and restore the removed drivers or you could go again. up to you
i would think that this is only the tip of the iceberg, some of these things infect mass storage device drivers too, so you might find usb sticks wont work in the machine either.
you will fins that the virus/rootkit has infected hiddrv.sys (or another part) which is essentially a wrapper, now hiddrv has been infected/deleted as part of the cleaning process the system driver no longer exists. you could copy it back in, and restore the removed drivers or you could go again. up to you
i would think that this is only the tip of the iceberg, some of these things infect mass storage device drivers too, so you might find usb sticks wont work in the machine either.
you say it has a touchscreen? use the on screen keyboard to do your diagnostic.
start run osk.exe
c:\windows\system32\osk.ex
start [all programs] accessories [ease of access] [on screen keyboard]
start run osk.exe
c:\windows\system32\osk.ex
start [all programs] accessories [ease of access] [on screen keyboard]
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
@Scobber - I will have to admit that I've had some disbelief that the system is actually virused. Had the Kaspersky scan shown any indication whatsoever, I'd have been more thorough by doing other offline scans. You are right, however, when you point out that best detection is accomplished when the drive being scanned isn't being controlled by the Operating System that resides on that same suspect drive. In regards to the touchscreen keyboard... that's what I've been using for keyboard input during this process (or the one Acer provided).
@nobus - Did run MBAM... but not RogueKiller or Windows Defender Offline. Have just made a bootable CD for WDO, will run it and will then follow up with RogueKiller.
As a reminder... there were no apparent problems with this system until the support agent connected and proclaimed their entire home network as virused and needing cleaning. Personally, I'm still suspicious as to the system really having an infection issue... but will pursue detection/cleaning as the current course of action.
I do appreciate everyone's effort on my behalf...
Jim
@nobus - Did run MBAM... but not RogueKiller or Windows Defender Offline. Have just made a bootable CD for WDO, will run it and will then follow up with RogueKiller.
As a reminder... there were no apparent problems with this system until the support agent connected and proclaimed their entire home network as virused and needing cleaning. Personally, I'm still suspicious as to the system really having an infection issue... but will pursue detection/cleaning as the current course of action.
I do appreciate everyone's effort on my behalf...
Jim
i just wonder whats your real name - jimBillyJoe or Bob
ASKER
Real name is Jim. Had a new client who couldn't remember my name and called me JimBillyJoeBob. I thought it was great and have used it again from time to time. Was in "one of those moods" when I signed up here (a number of years ago). So there ya go! :)
ASKER
Windows Defender Online found one item: Adware:Win32/PriceGong... which I allowed to be removed. Restarted in Normal mode and ran Rogue Killer. It found four items... two related to the clients Epson printer and two related to NewStartPanel.
Anything we can do to directly tackle regaining keyboard access or do we continue to look for viruses? I can tear into the All-In-One, gain access to the hard drive, remove it and scan it from another system if someone still thinks that needs to be done...
Anything we can do to directly tackle regaining keyboard access or do we continue to look for viruses? I can tear into the All-In-One, gain access to the hard drive, remove it and scan it from another system if someone still thinks that needs to be done...
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Have run SFC /SCANNOW from the Command Prompt as Administrator. No problems found.
from your posts, i take it the virus scans did not cure the problem?
maybe time to consider a full backup-wipe - and fresh install
maybe time to consider a full backup-wipe - and fresh install
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I accepted my own comment as the solution because performing a wipe and reinstall was the option that I was seeking to avoid.
ASKER