a security tool gone bad
I had never heard of ThreatFire until this weekend, and to be honest I wish that I could forget the experience. ThreatFire is a security monitoring system that hooks into your systems and watches for malicious activity. It installs several filter drivers, including TfKbMon.sys, which is installed as a keyboard filter driver (a legitimate keylogger).
What had happened is that this driver either malfunctioned or didn't uninstall properly, which rendered the keyboard useless. Actually, the keyboard was OK; it's just that the filter driver was intercepting calls to the default PS/2 Windows driver (i8042prt.sys).
To correct the problem I ran the ThreatFire removal utility, which uninstalled the driver but left quite a bit in the registry, including the entry that called it as the upper filter driver for the keyboard. Now, just the fact that this program has a removal utility aside from the regular uninstall routine should be a crapware warning sign in itself... Norton also has a removal utility... coincidence?
Anyway, after a bit of searching (RegScanner is a great tool for this) I found this key:
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}
which defines the UpperFilters for your keyboard. A normal configuration will only have kbdclass set for UpperFilters in this key. So I reset that and then imported a good registry entry for the i8042prt services and the kbdclass (download).
Of course, to make things very difficult, all this was done with the on-screen keyboard, one click at a time... and when you type over seventy words a minute that is just aggravating!
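An added example, not part of the original post: a read-only PowerShell check of the keyboard class key above that lists each UpperFilters entry and flags any whose service key or driver file is gone, which is the state the removal utility left behind. It assumes the live CurrentControlSet rather than the ControlSet001 path edited in the post, and the Status labels are this example's own.

```powershell
param(
    # Assumption: audit the live control set; the post edited ControlSet001 directly.
    [string]$ControlSet = 'CurrentControlSet'
)

$classGuid = '{4D36E96B-E325-11CE-BFC1-08002BE10318}'   # keyboard class key from the post
$classKey  = "HKLM:\SYSTEM\$ControlSet\Control\Class\$classGuid"
$svcRoot   = "HKLM:\SYSTEM\$ControlSet\Services"

# UpperFilters is a REG_MULTI_SZ, so force the result into a string array.
$filters = @((Get-ItemProperty -Path $classKey -Name UpperFilters -ErrorAction Stop).UpperFilters)

$report = foreach ($name in $filters) {
    $svc   = Get-ItemProperty -Path (Join-Path $svcRoot $name) -ErrorAction SilentlyContinue
    $image = $null

    if ($svc -and $svc.ImagePath) {
        # ImagePath may be relative, or prefixed with \SystemRoot\ or \??\ .
        $image = $svc.ImagePath -replace '^\\SystemRoot\\', '' -replace '^\\\?\?\\', ''
        if (-not [IO.Path]::IsPathRooted($image)) {
            $image = Join-Path $env:SystemRoot $image
        }
    }
    elseif ($svc) {
        # No ImagePath value: the driver is looked up as System32\drivers\<service>.sys
        $image = Join-Path $env:SystemRoot "System32\drivers\$name.sys"
    }

    $status =
        if (-not $svc) { 'ORPHANED: no service key' }
        elseif (-not (Test-Path -LiteralPath $image)) { 'ORPHANED: driver file missing' }
        elseif ($name -ieq 'kbdclass') { 'default' }
        else { 'third-party filter' }

    [pscustomobject]@{ Filter = $name; ImagePath = $image; Status = $status }
}

$report | Format-Table -AutoSize

if (@($report | Where-Object Status -like 'ORPHANED*').Count -gt 0) {
    Write-Warning 'UpperFilters references a driver that is no longer installed.'
}
```

Run it from an elevated 64-bit PowerShell session so that the System32 path is not redirected.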
Comments
On my system, I have never had the problem. Go figure?
The good news is that since I've written that post, one of the guys from ThreatFire actually contacted me for details about the system and said that they'd look into the issue. So that's really positive and speaks well of their company.