conficker… overhyped?

There is a really great list of repair tools for the Conficker worm here on the Conficker Working Group's site, and they have a pretty cool infection test.

I personally think the Conficker worm is overhyped. The two main methods of infection have both been patched. Those two methods being a buffer overflow in the Services process (which was patched way back with MS08-067) and the Autorun vulnerability (I mentioned that earlier in the blog). If your network admin is worth his salt then you have nothing to worry about, because the risk is easy to mitigate. Home users are also probably safe if auto-update is enabled and Autorun has been disabled.

It also bothers me a little when I see the alerts go off like this for a threat that is overhyped. Why are they raising red flags now and not six months ago?


a security tool gone bad

I had never heard of ThreatFire until this weekend, and to be honest I wish that I could forget the experience. ThreatFire is a security monitoring system that hooks into your system and watches for malicious activity. It installs several filter drivers, including TfKbMon.sys, which is installed as a keyboard filter driver (a legitimate keylogger).

What had happened is this driver either malfunctioned or didn't uninstall properly, which rendered the keyboard useless. Actually, the keyboard was OK; it's just that the filter driver was intercepting calls to the default PS/2 Windows driver (i8042prt.sys).

To correct the problem I ran the ThreatFire removal utility, which uninstalled the driver but left quite a bit in the registry, including the entry that called it as the upper filter driver for the keyboard. Now, just the fact that this program has a removal utility aside from the regular uninstall routine should be a crapware warning sign in itself… Norton also has a removal utility… coincidence?

Anyways, after a bit of searching (RegScanner is a great tool for this) I found this key

HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}

which defines the UpperFilters for your keyboard. A normal configuration will only have kbdclass set for UpperFilters in this key. So I reset that and then imported a good registry entry for the i8042prt and kbdclass services (download).
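A check in the spirit of that fix, added here as an example and not taken from the original post: it reads the UpperFilters value of the keyboard class key named above, reports any filter other than kbdclass together with the service entry it points at, and can optionally reset the value. It assumes PowerShell 3 or later and that CurrentControlSet links to the control set being edited (normally ControlSet001, as in the post); the optional reset needs an elevated prompt.

```powershell
# Added example (not the post's own code): audit the keyboard UpperFilters list.
# Usage:  .\Check-KeyboardFilters.ps1          (report only)
#         .\Check-KeyboardFilters.ps1 -Reset   (rewrite value to kbdclass; run as admin)
param(
    [switch]$Reset
)

# Keyboard device class GUID from the post. Assumption: CurrentControlSet is the
# live control set (it is normally a link to ControlSet001).
$KeyboardClassGuid = '{4D36E96B-E325-11CE-BFC1-08002BE10318}'
$KeyPath  = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$KeyboardClassGuid"
$Expected = @('kbdclass')   # the only upper filter a stock install should carry

# UpperFilters is a REG_MULTI_SZ, so it comes back as a string array.
$props   = Get-ItemProperty -Path $KeyPath -Name UpperFilters -ErrorAction SilentlyContinue
$filters = @($props.UpperFilters)

if ($filters.Count -eq 0) {
    Write-Output "No UpperFilters value on $KeyPath (unusual; kbdclass is expected)."
    return
}

Write-Output "UpperFilters: $($filters -join ', ')"
$unexpected = @($filters | Where-Object { $_ -notin $Expected })

foreach ($name in $unexpected) {
    # Show where the extra filter's service entry points. A filter whose driver
    # was removed but whose name is still listed here is exactly the leftover
    # that breaks keyboard input, since the filter load fails before kbdclass.
    $svcPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $svc     = Get-ItemProperty -Path $svcPath -ErrorAction SilentlyContinue
    $image   = if ($svc -and $svc.ImagePath) { $svc.ImagePath } else { '<no service key or ImagePath>' }
    Write-Output "  extra filter '$name' -> $image"
}

if ($unexpected.Count -eq 0) {
    Write-Output 'Only kbdclass is listed; nothing to change.'
}
elseif ($Reset) {
    Set-ItemProperty -Path $KeyPath -Name UpperFilters -Value $Expected -Type MultiString
    Write-Output 'UpperFilters reset to kbdclass; reboot for the change to take effect.'
}
else {
    Write-Output 'Re-run with -Reset from an elevated prompt to restore kbdclass only.'
}
```

Export the key with `reg export` before using -Reset so the original value can be restored if a filter turns out to be wanted.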

Of course, to make things very difficult, all this was done with the on-screen keyboard, one click at a time… and when you type over seventy words a minute that is just aggravating!