Recently I encountered a threat that infected a client’s computer. The client noticed that their antivirus program intervened and requested a reboot of the computer to finish the remediation. Upon rebooting, the user was unable to log on. Worse yet, she had no mouse or keyboard. Fearing the worst, the user pushed the power button to shut down the computer, which responded normally and shut down gracefully. Next she tried to get into Safe Mode by pressing F8. Windows booted into Safe Mode, but again there seemed to be no keyboard or mouse input.
I was able to verify the customer’s complaint. However, I noted that the system was still alive, and I was able to ping it, which to me meant that it was still working. I remotely accessed the machine’s registry and enabled remote access to the machine. When attempting to connect remotely, I discovered I did not have the local administrator account password. After rebooting the computer with a bootable password recovery CD, I recovered the four-letter local administrator password in only 9 seconds.
Using the recovered password I was able to remotely connect to the computer and determine that the installed and updated antivirus software had clobbered the Windows XP PS/2 driver (i8042prt.sys), which is used for both PS/2 keyboard and PS/2 mouse input.
I booted from the Windows XP CD and, using the repair console, manually replaced the i8042prt.sys driver; however, I was still unable to get the system to use a PS/2 keyboard or mouse. I found an unused USB keyboard and began to work on the system, running some additional virus removal tools. One of the tools identified an infection known as Zero Access. After the tool completed the removal steps, the system still did not work with the PS/2 keyboard and mouse but did work with the USB keyboard.
I decided to run a repair install of Windows to correct the issue. The repair install soon reached the point in the setup process where it booted from the hard drive, and, disturbingly, I again had no PS/2 mouse and no PS/2 keyboard access. After a little research, and on a hunch, I aborted the repair install (knowing that it would resume upon reboot) and tried a decidedly different tactic.
Most variants of the Zero Access rootkit infect the Master Boot Record of the hard drive, which causes the machine to load part of the rootkit while it is still vulnerable and unprotected from viruses, before Windows and the antivirus software have started. I booted the Windows Recovery Console from the CD and had Windows replace the MBR and boot sector.
Next I crossed my fingers and let Windows reboot. Windows Setup continued the repair install and, voilà, I had access via the PS/2 keyboard and PS/2 mouse again, and the machine was fully remediated.
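The Recovery Console step above is what its fixmbr and fixboot commands do: they overwrite the first sector so that whatever a bootkit placed there is gone. A defender can also catch that kind of tampering before it gets this far by keeping a digest of the disk’s bootstrap code from a known-clean state and comparing against it later. The script below is an added example, not code from the original post or from any antivirus product: it parses a 512-byte MBR, validates its structure, and compares the bootstrap code to a baseline digest. The sample MBR images, the bootstrap bytes, the partition layout and the baseline are all constructed for illustration; the PhysicalDrive0 path in the reader function is the standard Windows raw-disk name and needs administrator rights.

```python
"""Check a Master Boot Record for the kind of tampering described above.

Added example, not code from the original post. The MBR images, bootstrap
code and baseline digest below are constructed for illustration; on a real
machine the baseline would be a digest recorded from the same disk while it
was known to be clean.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code; bytes 440-445 hold disk signature/reserved
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of every valid MBR
ACTIVE = 0x80


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_LEN],
            "partitions": partitions,
            "signature": mbr[510:512]}


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only, so legitimate partition edits don't trip the baseline."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    info = parse_mbr(mbr)
    if info["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(mbr) != baseline_digest:
        findings.append("bootstrap code differs from known-clean baseline")
    active = [p for p in info["partitions"] if p["status"] == ACTIVE]
    if len(active) > 1:
        findings.append("more than one partition flagged active")
    for n, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, ACTIVE):
            findings.append(f"partition {n}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"partition {n}: unused type but non-zero extent")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {n}: zero-length partition")
    return findings


def build_mbr(boot_code: bytes, partitions: list, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a constructed MBR image for testing (not read from a real disk)."""
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + bytes(6) + table + signature


# Constructed sample: a few plausible opening bytes of stock bootstrap code
# followed by a single active NTFS (type 0x07) partition starting at LBA 63.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0x8E, 0xC0, 0x8E, 0xD8])
PARTITIONS = [(ACTIVE, 0x07, 63, 20_000_000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE = boot_code_digest(CLEAN_MBR)   # what you would have recorded while clean

# Constructed "tampered" image: same partition table, but the bootstrap bytes
# have been replaced (arbitrary filler, no real bootkit code).
TAMPERED_MBR = build_mbr(b"\xe9\x00\x01" + bytes(437), PARTITIONS)


def read_physical_drive_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (needs administrator rights on Windows)."""
    with open(path, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

Only the bootstrap region is hashed, because resizing or adding a partition changes the table without touching the code that runs at boot; a bootkit does the reverse. Read the baseline from the disk while it is known to be clean (for example, right after the repair install in this story), store it off the machine, and compare on a schedule or as part of incident triage.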
The client was upset that the antivirus program had disabled their computer, when they should have realized this was a fortunate circuit breaker. Their real concern should have been that their system and all their activity were almost exposed to some unknown source. Without the antivirus program disabling this computer, every single input to the computer would have been collected and redirected… and probably not for the forces of good.
Sierra Computer Group