Issue: User keyboard blocked after removing WIN32.trojan.agent spyware

Version 2

    Verified Product Versions

    LANDESK Management Suite 9.5LANDESK Management Suite 9.6LANDESK Management Suite 2016.x

    Issue

     

    The LANDESK has detected the WIN32.trojan.agent spyware on a client computer and managed to remove it.

     

    However since removal of the spyware occurred, the user's keyboard doesn't work any more.

     

     

    Cause

     

    This was a remediation issue that has been corrected by LANDESK.

     

    Ensure that Patch Manager has downloaded the latest spyware definitions and that client computers are up-to-date.

     

     

    Workaround


    If you are already experiencing the keyboard issue, please follow these steps to make it work again:


    Step 1: On a healthy computer of the same model, locate the following entries in the Windows registry and export them to the affected computer before rebooting:


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kbdclass
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\kbdclass
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\kbdclass


    Step 2: On an healthy computer, browse into the ProgramData\Vulscan folder and locate the CEAPI.DAT that contains the spyware definitions.

     

    Then log into the infected computer and replace the existing CEAPI.DAT with the one from the healthy computer.