Cannot remove keyboard substitute rootkit

I have a problem with the latest 5.4 version it tell me I have a key board substitute root kit. Of course it can’t clean it and so I downloaded Comodo’s CCE and it didn’t find it. So I rescan with Comodo Internet Security and it found it again. I tried to send it as a false positive and it tells me It can’t send the file. Then I tried to put it on the exclusion and it tells me It can’t put it on the exclusions list. So I see only two way of doing this either scan with the root kit scanner off or go back to version 5.3. Where it never had this problem. Anyone have any other ideas.

if it’s really a rootkit, i wouldn’t try adding it to an exclusion list in the first place. try downloading dr. web cureit, malwarebytes and or superantispyware. also try hitman pro. it will show you exactally where the file is but wont remove unless you buy it but if malwarebytes don’t detect it on full scan try using hitman pro to find it and the right click scan with malwarebytes, cureit and or superantispyware. sometimes a right click scan directly on the file will get what a full scan wont. i don’t know why but it does sometimes. also if you’re comfertable with gmer then try that if none of the above works but if you know nothing about gmer then i don’t suggest you use it. you could wind up doing more harm then good

Try scanning with GMER

or Panda Anti-Rootkit

Here is a list of what I’ve scan with that found nothing Malwarebytes free , SuperAnti-Spyware free, GMER , Stinger latest version , Comodo’s CCE , and Microstoft Malicious Software Removal and none of these programs can find the key board root kit only Comodo’s Internet Security latest version of 5.4 can find it but not remove it. So what now just scan with the root kit scanner off or what. Add one more program that found nothing Hitman Pro. Only Comodo’s Internet Security 5.4 with root kit scanner on found it but can’t remove it. So what am I surpose to do now ignore it or what?

Can you please post a screenshot of the detection results, preferably with the full path visible?

Ok I am new at this so please tell me how to go about posting my screen shot on here
Upon further examination of it it is a registry key. Here is what is says
Top line Root kit HiddenKey@0 Next line down give the registry key as
HKEY_CURRENT_USER\Keyboard Layout\Substitutes

This is all it says

Look here LMGTFY - Let Me Google That For You

[i]Active REG_SZ KeyboardLayout
Default: 00000409 (for standard U.S. English)

The Keyboard Layout\Substitutes key is empty by default. This subkey records a mapping between keyboard layout names. The system checks the user’s Substitutes subkey when loading the keyboard driver, and if a substitute is specified, the corresponding layout name is substituted. For example, an entry such as the following under the Keyboard Layout\Substitutes subkey indicates that the user prefers the Dvorak U.S. English keyboard layout (00010409) to the standard U.S. English keyboard layout (00000409).
00000409 : REG_SZ : 00010409[/i]

Can you please verify if your keyboard settings have other then ‘Standard US English’ settings?

If you query google on this you see that other security products have hits on this also.
Best thing would be to have a offline-boot cd like Ultimate BootCD and inspect the registry key offline.
Then you can see what’s ‘inside’ this key and if it’s legit or not, if CIS marks this as a rootkit it’s probably ‘hidden’ or ‘access denied’ that’s causing this.

I have a jpeg picture of my screen with the scan results on it if you can tell me how to upload it to the forum I will do so.

The substitute key is hidden from regedit. I am not sure when or how this happen. Not sure if my key board is set to standard English or not anymore.

Go to reply then at the bottom youll see additional options click on that then youll see where to select your file to upload then post it…

Here it is

[attachment deleted by admin]

try dr web cureit

Why?! :o to both of you … are you trying to get the OP into a real troubles?

What the Hell you are talking about! for Gd’s sake!!!

Do you have any ideas ? No! … even remotely

would you mind explaining how scanning with dr web would be a bad idea instead of just discrediting me. It does no good for me, you or the person who came here for help. Try to help this person. If you have ideas then suggest them but don’t discredit someone elses advice without and explanation. That is counter productive

i would want u to try tdsskiller and aswmbr.To find them use google.

i agree dr.web can seriously ■■■■■ up your pc. :azn:

if u want instructions on how to use it refer to this topic: