Threatfire killed Keyboard - Can't login - Any help

Discussion in 'other anti-malware software' started by halcyon, Nov 30, 2008.

Thread Status:
Not open for further replies.
  1. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    ThreatFire on my XP SP3 auto-updated itself.

    Upon bootup I noticed I can't use keyboard in the Login screen anymore (works ok in bios/recovery console).

    So, I canNOT login to do any changes to Windows.

    I noticed from via recovery console that bootlog says system is repeatedly trying to load tfkbmon.sys from system32\drivers directory. However no such file is in that directory.

    I suspect this is the issue: TF has patched the keyboard pathway with it's own kbmonitor, but borked the install on auto-update.

    Now I can't fix the install (because I can't log in) and I can't enable the kb monitor, because it's not there to begin wíth.

    Any ideas on how to solve this?

    Remember, I can't log into Windows (not in any of the Normal/Safe/Last Known Good modes), because keyboard does not work.

    I tried extracting (on another comp) the tfkbmon.sys from the TF installer setup file, but I cannot find it. The installer uses a non-standard archive method and TEMP folder does not contain the file either. One thing is for certain: I will not install TF on any other machine ever again :)

    If somebody could extract the tfkbmons.sys (latest release), maybe I could get it to my borked machine via recovery console.
     
    Last edited: Nov 30, 2008
  2. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Boot via Bootable CD/DVD/USB Drive and check these locations:
    C:/I386
    C:/Windows/ServicePackFiles/i386
    C:/Windows/$NtServicePackUninstall$
    C:/Windows/$NtUninstallKB826942$ (KB backup example)

    If you are lucky, you may find tfkbmon.sys backup in any of these directories. If you find it, copy it to %windir%\system32\drivers and then boot into safemode.
     
  3. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Thanks.

    Unfortunately none of those places contain tfkbmon.sys.

    I suspect that is because it is NOT a default Windows file.

    It is a ThreatFire keyboard monitor driver.

    It's not in any of the other usual suspect placed either (LastKnown, etc).

    EDIT: I got the file via PC Tools and moved it via recovery console. Working now.

    Case closed
     
    Last edited: Nov 30, 2008
  4. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Correct. It's TF's own keyboard monitoring driver.


    Here you go.

    http://rapidshare.com/files/168816417/TfKbMon.zip.html
     
  5. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Thanks Fuzzfas!
     
  6. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
  7. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    On reboot you can use your onscreen keyboard. On the sign in screen in the lower left you should see a blue box (ease of access). Click it and choose the "type without keyboard" option. The onscreen keyboard will pop up and you can sign in with your password from that. You will also need to use the same onscreen keyboard once you are signed in. But that will at least get you to your desktop again. About the only cure to the Threatfire issue is to un-install it. I had the same problem with TF in Vista a short while back.
     
  8. PeterVO

    PeterVO Registered Member

    Joined:
    Aug 25, 2003
    Posts:
    87
    Location:
    Belgium, Leuven
    Hello,

    had the same problem. What follows is the solution:

    1) start the "Recovery Console"; either from the "WinXP Install"-CD or as an option during the pc's bootprocess.

    2) at the c:\windows-prompt, type "listsvc" and scroll down the list until you come accross the Treatfire-service which will have a "manual" setting.

    3) at the prompt type: "enable tfkbmon service_boot_start". A confirmation message will be displayed.

    4) at the prompt, copy the file "tfkbmon.sys" to "C:\WINDOWS\system32\drivers" because the automatic Threatfire-update "forgot" to put it there.

    5) type "exit" at the prompt to exit the "recovery console" and reboot the pc after which you'll be able to use the keyboard again at the login screen.

    Kind regards, :D

    PeterVO
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    goin to do all this just because of threatfire who suppose to secure computers i consider this equal or even worse than a virus,what a pain:D
     
  10. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I knew there was a reason I did not trust threatfire and unistalled it long ago.
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    i gave threatfire last chance and blow it away when it tries to quarantine its own brother spyware doctor which i was trialing,both of them got strike 3 out of my pc:D
     
  12. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Err, I also Had some weird behavior from threatfire out the blue some valid programs where flagged a possiable keyloggers and some time the treatfire tray would magicaly disapear or the GUI would not open.That was my early warning to say bye bye.what good is a behavior blocker when it doesn't know how to behave itself.
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    thats true,i love bev blocker but some times they are not that smart so thats why i prefer to run hips cause are more complex covering more of your system protection;)
     
  14. paniccom

    paniccom Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    100
    Wish I could remember what Threatfire did to my system awhile back, but it was weird enough for me to uninstall and hope it hadn't permanently damaged my system. But I must like living on the edge because I'm using Mamutu now, and it seems much better. Seems like a solid program and I'm thinking of purchasing after trial.
     
    Last edited: Dec 5, 2008
  15. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    Earlier tonight I deleted that TF driver from my drivers folder (I uninstalled TF a couple months ago), and must've missed it in the list of drivers in PServ because after I rebooted my keyboard would no longer work. After searching the registry for kbdclass (keyboard driver name) I found there was an upper filter in this class that linked to the TF driver.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}

    After deleting it, it worked fine.
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    tf driver acting like spyware?:D o_O :D
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Looks like that HOT! Potatoe is getting hotter all the time :cool:

    Maybe time for PCTools/Symantec to pass it off to another firm that has the skills to make Behavioral Blockers sing tunes :D Hey EMSI might could market two or just buy out the competition :blink:
     
  18. TOADFROG

    TOADFROG Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    16
    Today keyboards on 2 desktop XP Pro PC's quit working. After hours of troubleshooting I found indications that threatfire causes the problem: for example:
    Keyboard killed - please post tfkbmon.sys
    http://www.pctools.com/forum/showthread.php?t=54787
    I've edited the registry on both PC's to fix the problem, if you use XP this should work [Don't know about Vista]:

    OPEN UP THE ON-SCREEN KEYBOARD in Start->All Programs->Accessories->Accessibility->On-Screen Keyboard

    Now, open the START MENU AND CLICK RUN. In here, type "REGEDIT" and hit enter (on the nifty on-screen keyboard, of course.)

    Once there, click Edit at the top, then click Find.
    Type "KBDCLASS" and press find. Now, look at the key it found. If it is named Upperfilter or Lowerfilter, then that's one of the ones you're looking for.
    If not, press f3 (find next) on the on-screen keyboard, and wait for it to find another. In my repair, I found kbdclass about 20 times, but only 4 of them were the keys I was looking for.
    Now, when you find one named Upperfilter or Lowerfilter, look at the contents of the key, mine, for example, read "kbdclass vmkbd".
    IF IT SAYS ANYTHING BESIDES "KBDCLASS", THEN YOU NEED TO FIX THAT KEY.
    RIGHT CLICK IT AND CLICK MODIFY. From here, DELETE EVERYTHING EXCEPT "KBDCLASS", and SAVE THE CHANGES. [I typically found TfKbMon on the line above KBDCLASS and removed it]
    YOU SHOULD HAVE TO MODIFY A FEW OF THESE, or maybe even just one. Just make sure you search through the whole registry, by hitting f3 until you get a message saying "Windows has finished searching the registry." Then do the uninstall in device manager and reinstall in 'add hardware" like the troubleshooting utility says.
    Then uninstall threatfire...if the problems have occurred from 2007 thru early 2009, it's not likely to be fixed. This took hours to research and repair.
    Good luck
     
    Last edited: Mar 11, 2009
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It's not a problem about being a behavior blocker (or a wannabe in this case :D). It's an "old" (for as long as I can remember it) issue with ThreatFire.

    If you uninstall it, for example, but still leave behind the driver tfkbmon.sys, then no problem.
    But, if you decide to delete it, then bye-bye keyboard, and in some cases, touch pad.

    I guess that, in the case of the user, ThreatFire(d) managed not to update the driver as well, or if a faulty update, it deleted that driver.

    That's why I never liked to use it, nor did I ever recommend it. Not until this issue is solved. If there's even a way to solve it.

    I don't know why, but, some security products, seem to be doing a better job at destroying operating system's functionality, than many malware out there. :eek:

    Maybe that's the new way to fight it. If you can't beat them, join them, and steal their careers. o_O
     
  20. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,441
    That's why a Goback type program like Rollback RX is a lifesaver. If a software install messes up system settings you can roll back the computer to a point in time when you know it worked perfectly. These things do happen.
     
  21. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Yes they do.
     
  22. ExCavTanker

    ExCavTanker Registered Member

    Joined:
    Apr 21, 2008
    Posts:
    50
    Location:
    Michigan, USA
    I use SnoopFree and when I installed ThreatFire to try it out, SnoopFree warned me it was trying to install a keyboard monitor driver, Uh ain't no way in hell I'm going to load a 'security' program that will try to hook my keyboard.

    When I installed PrevX Eedge 3.0, no such warning;).
     
  23. TOADFROG

    TOADFROG Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    16
    "If you uninstall it, for example, but still leave behind the driver tfkbmon.sys, then no problem.
    But, if you decide to delete it, then bye-bye keyboard, and in some cases, touch pad. ""
    I removed tfkbmon.sys [just searched windows directory to be sure] without problem, ...because the regedit strategy REMOVES references to that file which, had those references remained and the file been removed, would have caused the freezing.
    Editing the registry to TfKbMon references is effective.
     
  24. TOADFROG

    TOADFROG Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    16
    I used system restore to go back to when there were no problems...but I still had no keyboard...Rollback RX may be more effective, but I doubt many people have it. When I researched this problem I found a lot of people tried several strategies that didn't work...editing the registry as I described did work.
     
  25. Makav3l1

    Makav3l1 Registered Member

    Joined:
    Nov 26, 2007
    Posts:
    241
    I had the same issue and just used the virtual keyboard to sign in and uninstall threatfire. Problem solved. Maybe I will try it again when they finally add the 'deny' option.
     
Loading...
Thread Status:
Not open for further replies.