1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

keyboard not working - error code 38

Discussion in 'Windows XP' started by LifeOfBarney, Apr 8, 2010.

Thread Status:
Not open for further replies.
Advertisement
  1. LifeOfBarney

    LifeOfBarney Thread Starter

    Joined:
    Apr 7, 2010
    Messages:
    11
    I am having similar grief as documented yesterday in http://forums.techguy.org/windows-xp/915164-solved-keyboard-not-working-error.html (error 38 on the HID Keyboard Device).

    I have a Dell Latitude D610 laptop, running Windows XP SP3. USB keyboard was working fine for months but 'quit' suddenly Tuesday. I don't believe it to be an issue with the keyboard itself as I have tried 2 other working keyboards with the same results. The onboard keyboard and touch pad work fine. All other USB devices work fine (hub, external HDD, wireless mouse, SD card reader). I get the same problem regardless which port I use for the keyboard, and when all other USB devices are disconnected.

    I've tried every permutation of uninstall/reinstall drivers I could think of. I also went as far as to remove all USB roots and controllers and rebooting to let Windows reinstall the whole lot.

    I should clarify what I mean by 'quit'. Keyboard works fine pre Windows boot or when running in Safe mode (by fine I mean the regular keys work - not the extra media / function keys). It is when I try to launch in Normal mode that the keyboard stops working - non functional when I get to the login screen, and thereafter. Num lock indicator is on after bootup and can't be turned off with the keyboard. The media/function keys seem to work in Normal mode however. I get the same error 38 if I hot connect the keyboard in Safe or Normal mode, but if I reboot into Safe mode it always goes away.

    The timing of this coincides suspiciously with a malware infection tuesday (Windows XP Smart Security 2010, and some viruses that tagged along I think - including, but not limited to, ertfor and wmpscfgs.exe). However I was able to clean my system using Malwarebytes' Anti-Malware and McAfee AV - the databases are up to date and the scans are running clean. The poster in http://forums.techguy.org/windows-xp/915164-solved-keyboard-not-working-error.html also noted malware/virus issues and timing of the problem.

    Any suggestions? Is it possible that a virus corrupted something, or that there is something remaining undetected that is affecting the system?
     
  2. Talkhard223

    Talkhard223

    Joined:
    Mar 11, 2010
    Messages:
    29
    You were the victim of a Fake Antivirus program which may have had something to do with your problem. These programs are notorious for hijacking computer functions to try and lure people into buying their worthless software. I'd ask to be moved to the Security & HTJ removal forum and post a HTJ log and see if they can discover/remove any remanants of the FakeAv and possibly other infections.

    http://forums.techguy.org/malware-re...st-before.html

    Joshua
     
  3. LifeOfBarney

    LifeOfBarney Thread Starter

    Joined:
    Apr 7, 2010
    Messages:
    11
    I think this issue was related to a hijacked kbdhid.sys file. I had suspected this file earlier, and I thought I had replaced it with a good version from another PC, but I must have missed something as it seemed to have reinstated itself - my theory is an evil copy in \dllcache (not exactly sure what/where this is - I noticed it referenced in other threads and thought I should check it, but I only see it when booting with BartPE?). I replaced both versions (windows\system32\drivers and \dllcache), reboooted, plugged in the USB keyboard, and everything is back to normal as near as I can tell.

    Some notes on symptoms I noticed:
    - USB keyboard would not work (error 38) in Normal mode
    - IE was wonky - I was getting periodic unsolicited pop-ups, and google search redirects to seemingly random pages
    - due to the previous point, I tried installing google Chrome (stable version) and it would not load any pages - not even blank.htm

    The disconcerting bit is that none of my scanners were reporting the suspect file, including McAffee, Malwarebytes, Spybot, HJT (and yes, they should all be up to date unless that was hijacked/spoofed too). To be fair to HTJ, the last log file I have is timestamped prior to the evil version of kbdhid so it is possible/likely that it was reinstated after I ran HJT.

    GMER showed some sort of hit on a full scan, which lead me to upload and scan the file at http://virscan.org/ - which reported issues detailed below:

    AntiVir
    8.2.1.210
    7.10.6.64
    2010-04-12
    TR/Patched.Gen
    0.253
    BitDefender
    7.81008.5613128
    7.31178
    2010-04-13
    Rootkit.Patched.TDSS.Gen
    3.569
    Dr.Web
    5.0.2.3300
    2010.04.13
    2010-04-13
    BackDoor.Tdss.2459
    6.522
    Ikarus
    T3.1.01.80
    2010.04.12.75611
    2010-04-12
    Rootkit.Patched.TDSS
    5.671
    Sophos
    3.06.0
    4.52
    2010-04-13
    Mal/TDSSRt-A
    3.402
    Trend Micro
    9.120-1004
    6.992.01
    2010-04-12
    Mal_TIDIES-12
    0.028



    The question I have now is do I need to do anything else to eradicate the above, or is it sufficient to simply remove the infected file?
     
  4. LifeOfBarney

    LifeOfBarney Thread Starter

    Joined:
    Apr 7, 2010
    Messages:
    11
    Updated HJT log since my previous post, for the experts to scan:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:35:21 PM, on 4/12/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\CurtisDennis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\CurtisDennis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\CurtisDennis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted IP range: 10.0.0.0
    O15 - Trusted IP range: 10.0.0.0 (HKLM)
    O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Mycompany.com
    O17 - HKLM\Software\..\Telephony: DomainName = Mycompany.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Mycompany.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Mycompany.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = Mycompany.com
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
    O23 - Service: WLANKEEPER - IntelĀ® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    --
    End of file - 5146 bytes

    *Note: I have overwritten the domain with Mycompany.com in the log for privacy reasons, but it does reflect my employer domain.
     
  5. 4harpers

    4harpers

    Joined:
    Dec 13, 2001
    Messages:
    162
    Thanks for you follow up. I had the exact same thing, keyboard not working in Win google search wierd. I will try and do your repair. What scanner did you use to clean? What is GMER? Thaks again. Like you I tried everything.
     
  6. LifeOfBarney

    LifeOfBarney Thread Starter

    Joined:
    Apr 7, 2010
    Messages:
    11
    I didn't use a scanner to repair per se, but I did use http://virscan.org/ to upload and scan the kbdhid.sys file and would recommend you do the same, to capture what nasties you are dealing with for posterity (make sure you click on Re-Scan after the file is uploaded).

    As far as repairing, I copied a known good version of the file from another computer (happened to have another system running XP SP3 3 feet away), booted with a BartPE disk I had made a year ago, renamed the suspect files and then copied in the good version. I don't have my head wrapped around the dllcache folder - it doesn't show up when running XP (at least not in normal mode). I don't know if the file replace is all I need to do. So far so good though, and none of my scanners are reporting anything since I made the change.

    GMER is supposedly a rootkit virus detector, but I found it reports a boatload of info to wade through and a lot of it may not be relevant or may be false positives. For ex. it reported a suspect atapi.sys for me, but virscan.org says it is fine.
     
  7. Miggs

    Miggs

    Joined:
    Aug 14, 2006
    Messages:
    150
    If GMER reports that ATAPI.SYS is infected then I would replace that file also.
    I would also scan with malwarebytes/spybot and superantispyware.
    I would also run at the dosprompt: sfc /scannow.

    Good luck and let us know.
     
  8. 4harpers

    4harpers

    Joined:
    Dec 13, 2001
    Messages:
    162
    Thank you LifeOfBarney, you are the only one so far that has come up with a solution that seems to have worked. I am going to try it. So, if I have this correct, you disconnected the keyboard, renamed kbdhid.sys, then copied a good file from a different computer to windows\system32\drivers, plugged in keyboard and rebooted. Is this correct? You only changed 1 file? What about windows\system32\dllcache? If not, will you please give me the order that you did this repair. Thanks again.
     
  9. Talkhard223

    Talkhard223

    Joined:
    Mar 11, 2010
    Messages:
    29
    The TDSS infection you are showing is a quite popular Rootkit that morphs constantly, there are many variations out there of this infection. The steps you took may have gotten rid of it, but I would keep a close eye on it and make sure all your applications are up to date (adobe, java, windows, office, etc) This was most likely installed on an exploit in one of those programs. If it were me, I'd ask to be moved over to the maware forums and have them double check it as TDSS can be a real pain to remove.
     
  10. LifeOfBarney

    LifeOfBarney Thread Starter

    Joined:
    Apr 7, 2010
    Messages:
    11
    4harpers, the sequence I used was:
    - unplugged keyboard
    - booted off a DVD using BartPE and opened a command window
    - renamed kbdhid.sys in both system32\drivers AND dllcache (latter seems to be the key and I am not sure how to do this when booting Windows normally, or whether it can be done)
    - copied the good file into system32\drivers (can't remember if I put it in dllcache as well but if this is a Windows caching thing, one would think it would re-cache it for you automatically)
    - rebooted normally
    - reconnected the keyboard - and Windows found/installed it without the error 38

    Edit: found this on the dllcache - "The dllcache folder is extremely important so Windows XP hides it from you! To view it go to: My Computer > Tools > Folder Options > View > "uncheck" Hide protected operating system files."
     
  11. 4harpers

    4harpers

    Joined:
    Dec 13, 2001
    Messages:
    162
    LifeOfBarney, I can't thank you enough for your advice. I don't have BartPE but will try a command line from safe mode.
    Do you remember how you worte the comand line to remane the file? Thanks again, I am only asking because I really don't know what I am doing other than following what you did. Thanks again
     
  12. LifeOfBarney

    LifeOfBarney Thread Starter

    Joined:
    Apr 7, 2010
    Messages:
    11
    Miggs: GMER reported a 'suspicious mod' on a what I believe to be a good atapi.sys as well, so I am thinking it is a false positive. No hits on virscan.org on either version of atapi.sys, either. But I will keep my eye on it.

    I tried sfc - but am getting a zillion prompts for XP SP3 CD and XP CD. Sadly I don't have either at my disposal as my laptop was imaged in another city by my employer. Is there any way to get around this? If I booted off my BartPE disk (which would not have the same windows key) and ran the scan would that work?
     
  13. LifeOfBarney

    LifeOfBarney Thread Starter

    Joined:
    Apr 7, 2010
    Messages:
    11
    4harpers - I would try booting in safe mode and just using explorer to rename the bad file and copy in the new one. It should work if the keyboard is not plugged in, I think. You may need to adjust your explorer settings in order to see the folder though, per my edit in the last post to you.
     
  14. 4harpers

    4harpers

    Joined:
    Dec 13, 2001
    Messages:
    162
    Thanks, I will let you know how it turns out.
     
  15. Shinigamiky

    Shinigamiky

    Joined:
    May 9, 2010
    Messages:
    2
    Ok, I've got the same problem with the error 38 (I also have the dodgy google-searches-getting-hijacked, I didn't realise it could be related as I've had that for a while, in all of my browsers not just IE)
    I've tried all the troubleshooter methods, I've tried a method from another forum that involved regedit and deleting extra stuff off the upperfilter/lowerfilter (there was no extra stuff to delete).
    My keyboard works in safemode but not in normal mode and it's driving me crazy.

    I can follow instructions easy enough and I'm not completely lacking in computer-savvy, but the solution given here sort of confuses me, I think I sort of get the steps but I'm not sure if I can do it, mostly because I don't think I can replace the 'kdbhid.sys', I don't have another computer to take it from (the only other computer is the one I'm typing this on, and it's running vista whereas I'm running XP, does that make a difference?)

    I'm sort of lost for solutions, help please?
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/915642

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice