Secure Keyboard Service 5.0

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > Am I infected? What do I do?

When posting your problem, do not run and post a ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

Secure Keyboard Service 5.0, Part of another virus?

Options

Carpy View Member Profile	Feb 1 2008, 11:28 PM Post #1
New Member Group: Members Posts: 6 Joined: 28-January 08 Member No.: 186,653	I have a logo running in my taskbar called Secure Keyboard Service 5.0. I've found the running process called kdfmgr.exe but when I end it, it comes back. What is this part of? Virtumonde? Anyone know the best way to get rid of it?

quietman7 View Member Profile	Feb 2 2008, 12:08 AM Post #2
Bleepin' Janitor Group: Global Moderator Posts: 14,074 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	Please download OTMoveIt2 by OldTimer and save to your Desktop. Double-click on OTMoveIt2.exe to launch the program. Copy the file(s)/folder(s) paths listed below - highlight everything in the quote box and press CTRL+C or right-click and choose Copy. QUOTE C:\WINDOWS\system32\kdfmgr.exe Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the light blue bar) and choose Paste. Click the red MoveIt! button. The list will be processed and the results will be displayed in the right-hand pane. Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and *Paste* it in your next reply. Click Exit when done. A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles \mmddyyyy_hhmmss.log <- the date/time the tool was run. -- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway. QUOTE Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system. Please follow the the instructions for using Vundofix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection". After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply. Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet. Please download and install SUPERAntiSpyware Free Double-click SUPERAntiSypware.exe and use the default settings for installation. An icon will be created on your desktop. Double-click that icon to launch the program. If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.) Under the "Configuration and Preferences", click the Preferences... button. Click the "*General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked. Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked): Close browsers before scanning.* Scan for tracking cookies. Terminate memory threats before quarantining. Click the "Close" button to leave the control center screen and exit the program. Do not run a scan just yet. Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Double-click ATF-Cleaner.exe to run the program. Under Main "*Select Files to Delete" choose: Select All. Click the Empty Selected* button. If you use Firefox browser click Firefox at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser click Opera at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator". Scan with SUPERAntiSpyware as follows: Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer. On the left, make sure you check C:\Fixed Drive. On the right, under "Complete Scan", choose *Perform Complete Scan* and click "Next". After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK". Make sure everything has a checkmark next to it and click "Next". A notification will appear that "*Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu. If asked if you want to reboot, click "Yes" and reboot normally. To retrieve the removal information after reboot, launch SUPERAntispyware again. Click Preferences, then click the Statistics/Logs tab.* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. If there are several logs, click the current dated log and press View log. A text file will open in your default text editor. Please copy and paste the Scan Log results in your next reply. Click Close to exit the program. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009

Carpy View Member Profile	Feb 2 2008, 12:33 AM Post #3
New Member Group: Members Posts: 6 Joined: 28-January 08 Member No.: 186,653	C:\WINDOWS\system32\kdfmgr.exe moved successfully. OTMoveIt2 v1.0.17 log created on 02012008_232724 ------------------------------------------------------------------------------------------------------ VundoFix V6.7.7 Checking Java version... Java version is 1.5.0.6 Old versions of java are exploitable and should be removed. Scan started at 10:25:02 PM 2/1/2008 Listing files found while scanning.... No infected files were found. Beginning removal... ----------------------------------------------------------------------------------------------------------- Next reply will contain results from ATF cleaner and SUPERantispyware

quietman7 View Member Profile	Feb 2 2008, 09:38 AM Post #4
Bleepin' Janitor Group: Global Moderator Posts: 14,074 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	Vundofix did not find anything but your log shows you are using an older version of Java. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop. Scroll down to where it says "Java Runtime Environment (JRE)6 Update 4...allows end-users to run Java applications". Click the "Download" button to the right. Select your Platform: "Windows". Select your Language: "English". Read the License Agreement, and then check the box that says: "Accept License Agreement". Click Continue and the page will refresh. Click on the link to download Windows Offline Installation and save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009

famgas View Member Profile	Mar 24 2008, 05:30 AM Post #5
New Member Group: Members Posts: 2 Joined: 22-March 08 Member No.: 198,089	Hi kdfmgr.exe runs the anti-keylogger from Trend Micros Transaction Protector. You can find it mentioned on Trend's website. I'm pretty certain Secure Keyboard Service 5.0 is the same thing. I have been using Transaction Protector for a while under Vista & IE7. I never used to get the Secure Keyboard Service 5.0 icon on the task bar but I have recently reinstalled the O.S. and Trend Internet Security Pro and only after this has this icon begun to appear on the task bar when I'm running Transaction Protector. When I terminate Trends anti-keylogger the secure keyboard 5.0 icon goes as well, so I'm as certain as I can be it is the same thing, but would like to confirm this if I can. Anyone any ideas? Regards famgas

quietman7 View Member Profile	Mar 24 2008, 08:00 AM Post #6
Bleepin' Janitor Group: Global Moderator Posts: 14,074 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	This is what I found in regards to the file. kdfmgr.exe kdfmgr.exe - Known malware -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009

« Next Oldest · Am I infected? What do I do? · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 9th January 2009 - 07:22 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides