#1
ThreatFire on my XP SP3 auto-updated itself.

Upon bootup I noticed I can't use the keyboard in the Login screen anymore (works ok in BIOS/recovery console). So, I canNOT log in to make any changes to Windows.

I noticed via recovery console that the bootlog says the system is repeatedly trying to load tfkbmon.sys from the system32\drivers directory. However, no such file is in that directory.

I suspect this is the issue: TF has patched the keyboard pathway with its own kbmonitor, but borked the install on auto-update. Now I can't fix the install (because I can't log in) and I can't enable the kb monitor, because it's not there to begin with.

Any ideas on how to solve this? Remember, I can't log into Windows (not in any of the Normal/Safe/Last Known Good modes), because the keyboard does not work.

I tried extracting (on another comp) the tfkbmon.sys from the TF installer setup file, but I cannot find it. The installer uses a non-standard archive method and the TEMP folder does not contain the file either.

One thing is for certain: I will not install TF on any other machine ever again.

If somebody could extract the tfkbmon.sys (latest release), maybe I could get it to my borked machine via recovery console.

Last edited by halcyon : November 30th, 2008 at 05:01 AM.

#2

Boot via Bootable CD/DVD/USB Drive and check these locations:

C:/I386
C:/Windows/ServicePackFiles/i386
C:/Windows/$NtServicePackUninstall$
C:/Windows/$NtUninstallKB826942$ (KB backup example)

If you are lucky, you may find a tfkbmon.sys backup in any of these directories. If you find it, copy it to %windir%\system32\drivers and then boot into safe mode.

#3

Thanks.

Unfortunately none of those places contain tfkbmon.sys. I suspect that is because it is NOT a default Windows file. It is a ThreatFire keyboard monitor driver. It's not in any of the other usual suspect places either (LastKnown, etc).

EDIT: I got the file via PC Tools and moved it via recovery console. Working now. Case closed.

Last edited by halcyon : November 30th, 2008 at 06:16 AM.

#4

Quote:
Correct. It's TF's own keyboard monitoring driver.

Quote:
Here you go.
http://rapidshare.com/files/168816417/TfKbMon.zip.html

#5

Thanks Fuzzfas!

#6

For nothing. I am sorry actually, I was reading quickly and didn't notice the "not zipped" request. It's probably too late now, but just in case.

http://rapidshare.com/files/168841990/TfKbMon.sys.html

I hope you fix this.

#7

On reboot you can use your onscreen keyboard. On the sign in screen in the lower left you should see a blue box (ease of access). Click it and choose the "type without keyboard" option. The onscreen keyboard will pop up and you can sign in with your password from that. You will also need to use the same onscreen keyboard once you are signed in. But that will at least get you to your desktop again. About the only cure to the Threatfire issue is to un-install it. I had the same problem with TF in Vista a short while back.

#8

Hello,

had the same problem. What follows is the solution:

1) Start the "Recovery Console", either from the "WinXP Install" CD or as an option during the PC's boot process.
2) At the c:\windows prompt, type "listsvc" and scroll down the list until you come across the ThreatFire service, which will have a "manual" setting.
3) At the prompt type: "enable tfkbmon service_boot_start". A confirmation message will be displayed.
4) At the prompt, copy the file "tfkbmon.sys" to "C:\WINDOWS\system32\drivers" because the automatic ThreatFire update "forgot" to put it there.
5) Type "exit" at the prompt to exit the "recovery console" and reboot the PC, after which you'll be able to use the keyboard again at the login screen.

Kind regards,
PeterVO

#9

Quote:
__________________
Emsisoft Anti-Malware 7.0

#10

I knew there was a reason I did not trust ThreatFire and uninstalled it long ago.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.

#11

Quote:
__________________
Emsisoft Anti-Malware 7.0

#12

Quote:
Err, I also had some weird behavior from ThreatFire. Out of the blue some valid programs were flagged as possible keyloggers, and sometimes the ThreatFire tray would magically disappear or the GUI would not open. That was my early warning to say bye bye. What good is a behavior blocker when it doesn't know how to behave itself?
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.

#13

Quote:
__________________
Emsisoft Anti-Malware 7.0

#14

Wish I could remember what Threatfire did to my system awhile back, but it was weird enough for me to uninstall and hope it hadn't permanently damaged my system. But I must like living on the edge because I'm using Mamutu now, and it seems much better. Seems like a solid program and I'm thinking of purchasing after trial.
Last edited by paniccom : December 5th, 2008 at 11:25 PM.

#15

Earlier tonight I deleted that TF driver from my drivers folder (I uninstalled TF a couple months ago), and must've missed it in the list of drivers in PServ because after I rebooted my keyboard would no longer work. After searching the registry for kbdclass (keyboard driver name) I found there was an upper filter in this class that linked to the TF driver.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}

After deleting it, it worked fine.
__________________
Comodo 5 , Sandboxie , Avira On-Demand , Shadow Defender

#16

Quote:
__________________
Emsisoft Anti-Malware 7.0

#17

Quote:
Looks like that HOT! Potato is getting hotter all the time. Maybe time for PCTools/Symantec to pass it off to another firm that has the skills to make Behavioral Blockers sing tunes. Hey, EMSI might could market two or just buy out the competition.
__________________
★AX 64 Time MachineCurrent Version 1.1.0.996 ★
★Shadow Defender★|
Maxthon 4 | X Iron 17.0 | Chromium 19.0 | Pale Moon 20.1
¶Microsoft Windows 8 64bit (UEFI/GPT) Secure Boot¶
¶Linux Mint 14 MATE¶

#18

Today keyboards on 2 desktop XP Pro PCs quit working. After hours of troubleshooting I found indications that ThreatFire causes the problem, for example:

Keyboard killed - please post tfkbmon.sys
http://www.pctools.com/forum/showthread.php?t=54787

I've edited the registry on both PCs to fix the problem. If you use XP this should work [don't know about Vista]:

OPEN UP THE ON-SCREEN KEYBOARD in Start->All Programs->Accessories->Accessibility->On-Screen Keyboard.

Now, open the START MENU AND CLICK RUN. In here, type "REGEDIT" and hit enter (on the nifty on-screen keyboard, of course).

Once there, click Edit at the top, then click Find. Type "KBDCLASS" and press find. Now, look at the key it found. If it is named Upperfilter or Lowerfilter, then that's one of the ones you're looking for. If not, press F3 (find next) on the on-screen keyboard, and wait for it to find another. In my repair, I found kbdclass about 20 times, but only 4 of them were the keys I was looking for.

Now, when you find one named Upperfilter or Lowerfilter, look at the contents of the key; mine, for example, read "kbdclass vmkbd". IF IT SAYS ANYTHING BESIDES "KBDCLASS", THEN YOU NEED TO FIX THAT KEY. RIGHT CLICK IT AND CLICK MODIFY. From here, DELETE EVERYTHING EXCEPT "KBDCLASS", and SAVE THE CHANGES. [I typically found TfKbMon on the line above KBDCLASS and removed it]

YOU SHOULD HAVE TO MODIFY A FEW OF THESE, or maybe even just one. Just make sure you search through the whole registry, by hitting F3 until you get a message saying "Windows has finished searching the registry."

Then do the uninstall in Device Manager and reinstall in "Add Hardware" like the troubleshooting utility says. Then uninstall ThreatFire... if the problems have occurred from 2007 thru early 2009, it's not likely to be fixed.

This took hours to research and repair. Good luck.

Last edited by TOADFROG : March 11th, 2009 at 11:18 PM.
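
Posts #15 and #18 both come down to the keyboard class key's UpperFilters/LowerFilters values naming a driver that is no longer on disk. The following is an added example, not part of the original thread: it parses a regedit text export, decodes the `hex(7)` multi-string filter lists, and reports filter entries with no matching driver file, a check worth running before deleting a leftover driver. The sample export, the driver listing, and the assumption that a filter named X loads X.sys are constructed for illustration.

```python
import re

# Keyboard device class key named in the thread (post #15).
KEYBOARD_CLASS = "{4D36E96B-E325-11CE-BFC1-08002BE10318}"

# Constructed sample: excerpt of a regedit export (.reg, already decoded to text).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
"Class"="Keyboard"
"UpperFilters"=hex(7):54,00,66,00,4b,00,62,00,4d,00,6f,00,6e,00,00,00,6b,00,\
  62,00,64,00,63,00,6c,00,61,00,73,00,73,00,00,00,00,00
'''

# Constructed sample: file names found in system32\drivers (tfkbmon.sys is absent).
SAMPLE_DRIVERS = ["kbdclass.sys", "i8042prt.sys", "mouclass.sys"]

def decode_multi_sz(hex_text):
    """Decode a .reg hex(7) payload (REG_MULTI_SZ, UTF-16LE) into strings."""
    raw = bytes(int(b, 16) for b in hex_text.split(",") if b.strip())
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def filter_values(reg_text):
    """Yield (key, value_name, [drivers]) for every Upper/LowerFilters value."""
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)  # undo line continuations
    key = None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'"(UpperFilters|LowerFilters)"=hex\(7\):(.*)$', line, re.I)
        if m and key:
            yield key, m.group(1), decode_multi_sz(m.group(2))

def missing_filter_drivers(reg_text, driver_files, class_guid=KEYBOARD_CLASS):
    """Return filter entries in the class key whose <name>.sys is not on disk."""
    # Assumption: filter service name equals the driver file's base name.
    present = {f.lower() for f in driver_files}
    findings = []
    for key, value, drivers in filter_values(reg_text):
        if not key.lower().endswith("\\" + class_guid.lower()):
            continue
        for drv in drivers:
            if drv.lower() + ".sys" not in present:
                findings.append((value, drv))
    return findings

if __name__ == "__main__":
    for value, drv in missing_filter_drivers(SAMPLE_REG, SAMPLE_DRIVERS):
        print(f"{value} lists {drv}, but {drv}.sys is missing from drivers")
```
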

#19

Quote:
It's not a problem about being a behavior blocker (or a wannabe in this case). It's an "old" (for as long as I can remember it) issue with ThreatFire. If you uninstall it, for example, but still leave behind the driver tfkbmon.sys, then no problem. But, if you decide to delete it, then bye-bye keyboard, and in some cases, touch pad.

I guess that, in the case of the user, ThreatFire(d) managed not to update the driver as well, or if a faulty update, it deleted that driver. That's why I never liked to use it, nor did I ever recommend it. Not until this issue is solved. If there's even a way to solve it.

I don't know why, but some security products seem to be doing a better job at destroying the operating system's functionality than many malware out there. Maybe that's the new way to fight it. If you can't beat them, join them, and steal their careers.

#20

That's why a Goback type program like Rollback RX is a lifesaver. If a software install messes up system settings you can roll back the computer to a point in time when you know it worked perfectly. These things do happen.

#21

Quote:
Yes they do.
__________________
May you fly straight to heaven - but if you go to Hades - may Lethe run with Guinness

#22

I use SnoopFree and when I installed ThreatFire to try it out, SnoopFree warned me it was trying to install a keyboard monitor driver. Uh, ain't no way in hell I'm going to load a 'security' program that will try to hook my keyboard.

When I installed Prevx Edge 3.0, no such warning.

#23

"If you uninstall it, for example, but still leave behind the driver tfkbmon.sys, then no problem. But, if you decide to delete it, then bye-bye keyboard, and in some cases, touch pad."

I removed tfkbmon.sys [just searched Windows directory to be sure] without problem... because the regedit strategy REMOVES references to that file which, had those references remained and the file been removed, would have caused the freezing. Editing the registry to remove TfKbMon references is effective.

#24

Quote:

#25

I had the same issue and just used the virtual keyboard to sign in and uninstall threatfire. Problem solved. Maybe I will try it again when they finally add the 'deny' option.
__________________
Windows Vista Ultimate SP1 avast! antivirus Home Edition Comodo Internet Security 3.10 Sandboxie Free Spyware Blaster 4.2