
Kdfmgr.exe Is Trend Micro, Not A Trojan!


3 replies to this topic

#1 rawd
  • Members
  • 3 posts

Posted 21 March 2008 - 09:55 PM

Hello all,

Last week I had a virus attack on my explorer.exe that forced me to reinstall Windows from scratch. Since then I have had trouble with a trojan and its associated files coming back repeatedly. I even went so far as to try to read the code inside the file with ProcessExplorer, which showed it might be certified by Thawte, among other things.

Since Monday I haven't had any real problems with infections, but even after around 8-10 reinstallations of Windows (lost count) the suspicious files keep returning. I was about to use the method described here to remove the files when Cecilia - our national hero at the Swedish IDG e-forums - insisted on having me uninstall Trend Micro's Internet Security suite. The reason was that I found a bmp image that looks like the logo of Trend Micro's Transaction Protector addon for MSIE inside one of the three suspicious folders (%SystemRoot%\kdefense), as well as the system tray icon for the same TIS suite addon. The other two folders contain, among other things, .ini files that refer to other TIS components. Cecilia referred to http://www.pcguide.com/vb/showthread.php?t=59666&page=6 post #131, where it is stated that the suspicious files are legit, as well as a page at PrevX. I have not really been inclined to listen to that, since I have been too suspicious about the whole thing surrounding kdfmgr.exe.

I had seen that when I started IE the suspicious kdfmgr.exe was launched by an svchost process along with WLLoginProxy.exe, at the same time as HSChkProxy.exe was launched by IE itself. I had also seen that the two processes disappeared when IE was terminated. Usually kdfmgr.exe and HSChkProxy.exe (the main process for the Transaction Protector) stick around, hooking themselves to the explorer.exe process that launched the previous MSIE process. I had a period of days when kdfmgr.exe was simply terminated when terminating IE, though, which I regarded as a good thing a couple of days ago, since that meant that I could avoid running a trojan simply by refraining from using IE. I even went so far as to rename WLLoginProxy.exe to something else.

Also, interestingly enough, kdfmgr.exe is not launched when IE was initiated from within Firefox, by using the Firefox IE tab addon. At the time I thought that was a good thing, because I thought kdfmgr.exe was malware. Today I am not so sure.

I have now confirmed that the returning suspicious files...
%SystemRoot%\System32\kdfapi.dll
%SystemRoot%\System32\Kdfhok.dll
%SystemRoot%\System32\kdfinj.dll
%SystemRoot%\System32\kdfmgr.exe
%SystemRoot%\System32\kdfvmgr.exe

and folders
%SystemRoot%\kdefense
%SystemRoot%\l2schemas
%SystemRoot%\LocalSSL

...disappear when TIS is uninstalled. The dll and exe files return after reinstalling TIS, but the folders seem to need a little more time. That means that following the advice given here might actually weaken the protection offered by TIS.

And to think that this evening I submitted these files to TM as possible threats. Well, perhaps a clearer name that identifies them as TM files instead of belonging to some dodgy Bluegem Security/Kings Information & Network would be a good first step. The curious thing is that one of Trend Micro's support staff last weekend told me to try to remove kdfmgr.exe with HijackThis on reboot. I am becoming increasingly certain that was an error.

That said, I am now unsure what I should do about the dodgy

%AllUsersProfile%\Documents\{499663EE-202C-4468-874C-198A9E0BC058}
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

that the named topic in this forum claims should be removed. I think I will have to think about that for a while and see if there is some more explanation given about these entries.


Strange... I have this déjà vu feeling editing this post; somehow I hear someone telling me "but this I told you a long time ago", making me blush. Have to shake that off. =)

Edited by rawd, 21 March 2008 - 10:05 PM.


#2 rawd
  • Topic Starter
  • Members
  • 3 posts

Posted 23 March 2008 - 06:57 AM

Reporting back again. Apparently I might not have been as correct as I thought. Here is a response from the Trend Micro support team I received by mail about the files I submitted:

Quote

Thank you for contacting TrendLabs!


These files are verified to be normal.

Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\kdefense\k52010.ico
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\kdefense\k52011.ico
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\kdefense\k52012.bmp
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\baseeapconnectionpropertiesv1.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\baseeapmethodconfig.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\baseeapmethodusercredentials.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\baseeapuserpropertiesv1.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\eapcommon.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\eapconnectionpropertiesv1.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\eaphostconfig.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\eaphostusercredentials.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\eaptlsconnectionpropertiesv1.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\eaptlsuserpropertiesv1.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\eapuserpropertiesv1.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\mschapv2connectionpropertiesv1.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\mschapv2userpropertiesv1.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\mspeapconnectionpropertiesv1.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\mspeapuserpropertiesv1.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\onex_v1.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\l2schemas\wlan_profile_v1.xsd
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\LocalSSL\lssllang.ini
The following files need further analysis:

Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\kdfapi.dll
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\Kdfhok.dll
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\kdfinj.dll
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\kdfmgr.exe
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\kdfvmgr.exe
Suspicious files KDFMGR trojan.rar\Suspicious files KDFMGR trojan\kdefense\KStartClean.ini

UnQuote

#3 famgas
  • Members
  • 2 posts

Posted 25 March 2008 - 02:58 PM

If you're running Trend Internet Security Pro with Transaction Protector and you activate the keyboard encryption, this will start a process called kdfmgr.exe. If you haven't got Trend then maybe it's something else with the same name.

See this link to Trend's website, which refers to kdfmgr.exe as being their software.

http://uk.trendmicro.com/imperia/md/conten...spro_readme.txt

I am running Trend Internet Security Pro with Transaction Protector, and when I have the keyboard encryption running the process kdfmgr.exe runs at the same time, as I'd expect. However, I also get a small silver shield-shaped icon on my task bar with a capital S which, if I hover over it, says "Secure keyboard service 5.0". This icon comes and goes when I turn Keyboard Encryption on and off.

Funny thing is this icon never used to be there until I recently reinstalled my O.S. (Vista 32 bit). I also have another PC running XP Pro, also with Trend on it, and I don't get this icon but I do get kdfmgr.exe.

Hope this helps

#4 shylev
  • Members
  • 1 posts

Posted 24 March 2009 - 11:51 PM

kdfmgr.exe Is A Virus and was found running in my Task Manager a few days ago for the first time ever!

I had to go into Safe Mode by pressing F8 continuously at start up until options came up, and chose option 1, as Administrator, to remove these.

These would not turn off in Task Manager. It continued to restart on its own. Funny thing, it was not found in the registry when I did a search for it in FIND IT. Also, these claimed to have been part of TrendMicro operating systems, but I found none of them in the C:\Program Files\Trend Micro\ folder or files. So I was confident it was a trojan virus that the Trend Micro program could not identify as a virus.

Places to look for and remove them from, in Safe Mode:

C:\WINDOWS\system32
and
C:\WINDOWS\Prefetch

kdfapi.dll
kdfhok.dll
kdfinj.dll
kdfmgr.exe
kdfvmgr.exe

and any other file that had kdf in it and the same install date was removed as well.

I have no clue how it got installed into my computer.

After I removed them and put them into the trash in safe mode, I emptied the trash and created a restore point, to delete all previous restore dates so it was totally removed, in case deleting all previous restore points was necessary for a more complete cleansing of my computer of it.
According to the internet search for kdf, many people have found this and tried their best to remove it.

Also, the Trend Micro main U.S. of A. website has nothing so far about kdfmgr.exe. Look for yourself: http://us.trendmicro.com/us/products/index.html

Anyone that says the kdf process is part of Trend or is not a virus is sadly mistaken. Remove the kdf trojan A.S.A.P.

Edited by shylev, 24 March 2009 - 11:53 PM.

shylev
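Posts #1 and #4 disagree about whether the kdf* files under System32 belong to Trend Micro, and both reason from file names and folder locations. The Authenticode signature and version resource of each file answer that question directly, which is what the following added example checks; it is not code from the thread or from Trend Micro, and it assumes the file names and %SystemRoot%\System32 location given in post #1 and PowerShell 4 or later (for Get-FileHash).

```powershell
# Added example, not from the thread: report who signed each of the files
# post #1 lists, plus the embedded CompanyName and a SHA-256 for lookups.
# Assumes the files sit in %SystemRoot%\System32 as the post states.
$names = 'kdfapi.dll', 'Kdfhok.dll', 'kdfinj.dll', 'kdfmgr.exe', 'kdfvmgr.exe'
$sys32 = Join-Path $env:SystemRoot 'System32'

foreach ($n in $names) {
    $path = Join-Path $sys32 $n
    if (-not (Test-Path -LiteralPath $path)) {
        "{0,-12} not present" -f $n
        continue
    }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $item = Get-Item -LiteralPath $path
    # Status 'Valid' means the certificate chain verifies to a trusted root.
    # 'NotSigned' or 'HashMismatch' on a file that claims to be part of a
    # security product is the finding worth escalating, not the odd name.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{
        File     = $n
        Status   = $sig.Status
        Signer   = $signer
        Company  = $item.VersionInfo.CompanyName
        Modified = $item.LastWriteTime
        SHA256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}
```

A valid signature whose Subject names the vendor settles the question in favour of post #2's TrendLabs reply; an unsigned or hash-mismatched copy of the same file name is the case where post #4's suspicion would be justified.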



