a security tool gone bad

I had never heard of ThreatFire until this weekend, and to be honest I wish that I could forget the experience. ThreatFire is a security monitoring system that hooks into your system and watches for malicious activity. It installs several filter drivers, including TfKbMon.sys, which is installed as a keyboard filter driver (a legitimate keylogger).

What happened is this: the driver either malfunctioned or didn't uninstall properly, which rendered the keyboard useless. Actually, the keyboard was fine; it's just that the filter driver was intercepting calls to the default PS/2 Windows driver (i8042prt.sys).

To correct the problem I ran the ThreatFire removal utility, which uninstalled the driver but left quite a bit in the registry, including the entry that called it as the upper filter driver for the keyboard. Now, just the fact that this program has a removal utility aside from the regular uninstall routine should be a crapware warning sign in itself... Norton also has a removal utility... coincidence?

Anyway, after a bit of searching (RegScanner is a great tool for this) I found this key

HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}

which defines the UpperFilters for your keyboard. A normal configuration will only have kbdclass set for UpperFilters in this key. So I reset that and then imported a good registry entry for the i8042prt service and kbdclass (download).
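As an added example (not from the original post), here is a read-only PowerShell audit of the key above: it lists the keyboard class UpperFilters, warns about anything other than kbdclass, and checks whether each listed filter still has a service entry and a driver file on disk, which is the half-removed state that left TfKbMon breaking the keyboard here. The CurrentControlSet path and the fallback driver location are assumptions.

```powershell
# Added example, not from the original post: audit the keyboard class
# UpperFilters value for filters beyond the expected kbdclass, and flag any
# listed filter whose service key or driver file is missing, since a stale
# entry like that keeps the keyboard device stack from loading.
# Assumes CurrentControlSet (usually the same key as ControlSet001 in the post).
$KeyboardClassGuid = '{4D36E96B-E325-11CE-BFC1-08002BE10318}'
$ClassKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$KeyboardClassGuid"
$ExpectedFilters = @('kbdclass')

function Get-KeyboardUpperFilters {
    $props = Get-ItemProperty -Path $ClassKey -Name 'UpperFilters' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return @() }
    # REG_MULTI_SZ comes back as a string array; drop empty entries
    return @($props.UpperFilters | Where-Object { $_ -and $_.Trim() })
}

function Test-FilterService {
    param([string]$Name)
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $result = [ordered]@{ Filter = $Name; ServiceKey = $false; ImagePath = $null; FileExists = $false }
    if (Test-Path $svcKey) {
        $result.ServiceKey = $true
        $image = (Get-ItemProperty -Path $svcKey -Name 'ImagePath' -ErrorAction SilentlyContinue).ImagePath
        # Assumption: when ImagePath is absent the driver lives in the default drivers folder
        if (-not $image) { $image = "System32\drivers\$Name.sys" }
        # Normalise \SystemRoot\, \??\ and relative forms into a filesystem path
        $image = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
        if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $env:SystemRoot $image }
        $result.ImagePath = $image
        $result.FileExists = Test-Path $image
    }
    [pscustomobject]$result
}

$filters = Get-KeyboardUpperFilters
"UpperFilters for keyboard class: $($filters -join ', ')"
foreach ($f in $filters) {
    $status = Test-FilterService -Name $f
    if ($ExpectedFilters -notcontains $f) {
        Write-Warning "Unexpected keyboard upper filter: $f"
    }
    if (-not $status.ServiceKey -or -not $status.FileExists) {
        Write-Warning "$f is listed in UpperFilters but its service or driver file is missing; the keyboard stack will not load."
    }
    $status
}
```

Reading these keys needs no elevation, so the audit can be run from a non-admin prompt before deciding whether to edit UpperFilters.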

Of course, to make things very difficult, all this was done with the on-screen keyboard, one click at a time... and when you type over seventy words a minute that is just aggravating!

Comments

Jim said…
I have Threatfire on two XP systems. My wife's system has had TFKBMON added to the KBDCLASS upperfilter twice. It is a pain to remove it but I have printed the instructions and have filed them.

On my system, I have never had the problem. Go figure?
nabiy said…
I don't think the tool under normal circumstances should give you a problem. Problems seem to happen when the uninstall routine doesn't complete. Maybe they didn't put the uninstall utility through rigorous testing.

The good news is that since I've written that post one of the guys from ThreatFire actually contacted me for details about the system and said that they'd look into the issue. So that's really positive and speaks well of their company.
