Visitor
sgstandre
Posts: 7
Registered: 07-24-2008

A Keylogger by itself does not a virus make!!

My issue in concise terms is as follows:

I use a very useful program called SuperKeys, which allows me to enter simple key combinations to easily insert special characters wherever I need them. SuperKeys installs and uses a file called kbdmonitor.ocx which resides in the windows/system32 directory.

This file is a generic keyboard logger, part of KTKBDHK3.DLL, programmed some time around the year 2000 by a Russian programmer and shared openly on the web. See MY post (#13 out of 15, by sgstandre) regarding this issue from 2006 here: http://forums.cnet.com/5208-7813_102-0.html?forumID=32&threadID=140781&messageID=1593206

Unfortunately, somewhere along the way malware programmers used the same code to log keystrokes. The issue is that keylogging in itself does not a virus make. Back in 2006 Symantec "woke up" to the file KTKBDHK3.DLL and started blocking it. Eventually they fixed their definitions and stopped doing it. Now again 2 years later they are going after the innocent kbdmonitor.ocx file.

Symantec is just being lazy and as of a week or so ago, AUTOMATICALLY removes what it tells me is a threat called INFOSTEALER. The removal simply consists of removing the file kbdmonitor.ocx. Obviously Norton is wrong, they are just too lazy to detect the rest of InfoStealer, whether it's present or not.

Furthermore: InfoStealer is NOT included in their list of scan exclusions (one can only chose from their list, not select what one wants).

Furthermore: excluding directory windows/system32 from the virus scan does not work. The purported virus file still gets detected. Excluding all files and folders related to SuperKey also does not help.

Furthermore: Norton Online Protection immediately goes to removal without giving me any possibility of intervention. It says the threat level is high and immediately a reboot is required. Curiously enough, when one clicks on their link to more information about INFOSTEALER, one gets taken to a Symantec web page which characterizes INFOSTEALER as a LOW security threat. So, which is it: high or low???

Furthermore: removing the file from quarantine and restoring it only works for a while. Eventually Autoscan finds the file again and the circus starts all over. If it does not find it in the same session, then upon restart my program SuperKeys cannot load because it tells me the kbdmonitor.ocx file is either missing or not registered correctly.

I have spent now another 4 hours on the issue and have found out that excluding all files related to the benign program SuperKeys does NOT help: the kbdmonitor.ocx file still gets auto-deleted (and I am prompted to reboot) every time AutoScan is turned on.

Since .ocx files are ActiveX controls, my theory is that Norton finds the reference to it in the Browser's (IE 7) registry and I have no way to control exclusions from Norton Scan inside the Browser. Indeed every time it deletes it, it says that 1 file was found in Browser's cache.

I have emptied the folder "Temporary Internet Files" to the last bit, but to no avail.

Other people have the same problem with Infostealer, although they think they are actually infected by it:

http://community.norton.com/norton/board/message?board.id=Norton_360&message.id=1948&query.id=4156#M...

Looking forward to you resolving this. I NEED SuperKeys to work!!!

Thank you,

Andre
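The post above guesses that the scanner is finding the control through a registration the browser uses rather than through the excluded path. A way to check that from the defender's side is to list every COM/ActiveX CLSID whose InprocServer32 value points at the file, and to record the file's hash and Authenticode signature status so the facts can go into a false-positive report. The script below is an added example written for this thread; it is not code from SuperKeys, Symantec or the forum. It assumes a PowerShell version that has Get-FileHash and Get-AuthenticodeSignature (PowerShell 4 or later), and the only value taken from the post is the file name kbdmonitor.ocx, which is just the default parameter.

```powershell
# Added example, not from the thread: find CLSID registrations whose InprocServer32
# points at a given control file, then record hash and signature status of each
# resolved path so the information can be included in a false-positive report.
param(
    [string]$FileName = 'kbdmonitor.ocx'   # file name from the post; any .ocx/.dll works
)

$clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
$findings  = @()

foreach ($key in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
    $inproc = Join-Path -Path $key.PSPath -ChildPath 'InprocServer32'
    if (-not (Test-Path -Path $inproc)) { continue }

    # The (default) value of InprocServer32 is the DLL/OCX path loaded for this CLSID.
    $serverPath = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if (-not $serverPath -or $serverPath -notlike "*$FileName") { continue }

    # Expand %SystemRoot%-style references so the file can be inspected on disk.
    $resolved = [Environment]::ExpandEnvironmentVariables($serverPath)
    $exists   = Test-Path -Path $resolved -PathType Leaf

    $sha256 = $null
    $sigStatus = $null
    if ($exists) {
        $sha256    = (Get-FileHash -Path $resolved -Algorithm SHA256).Hash
        $sigStatus = (Get-AuthenticodeSignature -FilePath $resolved).Status
    }

    $findings += [pscustomobject]@{
        CLSID     = $key.PSChildName
        Path      = $serverPath
        OnDisk    = $exists
        SHA256    = $sha256
        Signature = $sigStatus
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No CLSID registration references $FileName."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it as `.\Find-ControlRegistration.ps1 -FileName kbdmonitor.ocx` (script name is hypothetical). Each row shows one CLSID that would load the file, whether the file is currently present, its SHA-256, and whether it carries a valid publisher signature; an unsigned control with the same hash as the vendor's download is the kind of evidence a vendor needs to evaluate a false-positive claim, and a missing file confirms the deletion the poster describes.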

Rootkit Eradicator
Stu
Posts: 5,210
Registered: 04-08-2008

Re: A Keylogger by itself does not a virus make!!

Did you try to submit the link or the file to Symantec?

If not, I can try and look up the right link for you.

"All that we are is the result of what we have thought"
Visitor
sgstandre
Posts: 7
Registered: 07-24-2008

Re: A Keylogger by itself does not a virus make!!

I don't quite understand what you mean by "submitting the link". My Yahoo Norton Online Protection is set to submit things to Symantec automatically; I have however also submitted it manually via the program. The caveat is that there is no way for the user to add a comment like "this file is NOT a virus". Throughout their manuals and submission process it seems to me that everything submitted this way they assume is a virus report. I have also talked to Symantec Customer Support. The moment they heard it was the Yahoo version, they sent me to Yahoo. 3 people at Yahoo now have said: "Duh, why don't you talk to Symantec". I have now asked for someone at Yahoo to figure out how their deal with Symantec was signed: do they support the product or does Symantec? So far, no resolution...

So, yes, I would appreciate help: where can I submit my full question, with necessary links and references, to Symantec? 

The author of Superkeys has written about the non-spyware behavior of his program, and the poor detection techniques used by anti-virus vendors. This posting is from 2005: http://www.vellosoft.com/news/news0016.php  

Rootkit Eradicator
Stu
Posts: 5,210
Registered: 04-08-2008

Re: A Keylogger by itself does not a virus make!!

That should do the trick. Besides that, the employees are visiting quite often here. They will find it.
"All that we are is the result of what we have thought"
Regular Contributor
4runner
Posts: 98
Registered: 06-20-2008

Re: A Keylogger by itself does not a virus make!!

I'm gonna guess though that any keylogger is going to be considered a threat... who knows if the calling program needs it for a legitimate reason.

The fact that it's open source and shared freely on the web makes it a nice generic ingredient for a login/password stealer..

Have you tried putting it in the exclusions locally??? You should be able to exclude it on your own machine... without requesting that security be compromised for all users :smileysurprised:

Rootkit Eradicator
Stu
Posts: 5,210
Registered: 04-08-2008

Re: A Keylogger by itself does not a virus make!!

This will do the trick for you, but not for all the other users.
"All that we are is the result of what we have thought"
Regular Contributor
4runner
Posts: 98
Registered: 06-20-2008

Re: A Keylogger by itself does not a virus make!!

Personally I hope that Norton always removes every keylogger from my machines.... If I want one for some reason then I'll deal with telling Norton it's ok for my local machine....
Visitor
sgstandre
Posts: 7
Registered: 07-24-2008

Re: A Keylogger by itself does not a virus make!!

4Runner, I think you somewhat miss the point here: the issue in my case is that I cannot find a way to tell Norton that I WANT the keylogger running on my local machine. So, thanks for your support with the second part of your statement, my friend. That's what this is about: "dealing with telling Norton it's ok for my local machine", to use your own words. What they do with unwanted stuff, whether they delete or quarantine it, I don't care.
Rootkit Eradicator
Stu
Posts: 5,210
Registered: 04-08-2008

Re: A Keylogger by itself does not a virus make!!

But for now it is working?
"All that we are is the result of what we have thought"
Visitor
sgstandre
Posts: 7
Registered: 07-24-2008

Re: A Keylogger by itself does not a virus make!!

Working? Heck, no, it's not working. Customer support is totally mocking me. Here's the circular exchange with Kumar and friends that's now been going on for 4 days. HELP ME PLEASE!!!:

-------

Q1: Customer (Andre) - 07/25/2008 11:33 AM

Please refer to my posting:

http://community.norton.com/norton/board/message?board.id=other&thread.id=3155

InfoStealer is on Symantec's definition/info page defined as a VERY LOW LEVEL threat, which affected about 15 PC - IN 1999!

However, as of a week or so ago, Norton Anti-Virus keeps immediately deleting the benign keylogger file kbdmonitor.ocx, thus hampering a program I rely on for my work called SuperKeys. The "excuse" is that now, according to the program, Infostealer is a very HIGH risk and must be deleted immediately. WRONG.

I HAVE excluded the file from scans; however, somehow NAV says it finds it in Browser's cache (it's an ActiveX file) and proceeds to delete it from its excluded location, in spite of the exclusion.

--

A1: Response (Vasantha Kumar Krishna kumar) - 07/25/2008 07:46 PM

Hello Andre,

Thank you for contacting Norton Support.

I understand from your message that you are encountering an alert message stating Infostealer is a very HIGH risk and must be deleted immediately.

To resolve this issue I suggest that you exclude Auto-Protect scan for that file and download and run Norton Security Scan.

To exclude Auto-Protect scan for files and sub folders, please click on the URL below for instructions:

Title: 'How to exclude specific drives, folders and files from being scanned in a Norton 2008 product'
Document ID: 2007072001035679
Web URL: http://service1.symantec.com/Support/norton2008.nsf/docid/2007072001035679

To download and run Norton Security Scan, please click on the URL below for instructions to do so:

Title: 'What to do if you are unable to install a Norton product due to a virus infection'
Document ID: 2007091717263913
Web URL: http://service1.symantec.com/Support/sharedtech.nsf/docid/2007091717263913

Please feel free to contact us for further assistance.

Regards,
Vasanthakumar
Norton Support

---------

Q2: Customer (Andre) - 07/26/2008 02:33 PM

You are not offering me anything new here. I already know how to exclude files from scan. Please try to address my actual issue, that Norton, in spite of the exclusion, deletes the file.

I wrote in my submission the following (at the bottom of my email):

"I HAVE excluded the file from scans; however, somehow NAV says it finds it in Browser's cache (it's an ActiveX file) and proceeds to delete it from its excluded location, in spite of the exclusion."

[picture]

Here's the exclusion. I HAVE excluded both the kbdmonitor.ocx file, as well as the SuperKeys program directory:

[picture]

But, apparently exclusion from scan does not result in exclusion from deletion. As I wrote, Norton purportedly finds some reference in my Browser's cache and proceeds to immediately delete c:\windows\system32\kbdmonitor.ocx IN SPITE of the exclusions.

[picture]

NOTE: to the right above in Norton, the RISK is labeled as HIGH!

Also note that the file just deleted is listed as "excluded from scan" above, in the first picture! Yet, it gets deleted.

Lastly, clicking on the Infostealer link leads to a Symantec.com page that says the opposite, the Risk is VERY LOW:

HELP! Just install SuperKeys and verify the behavior. SuperKeys is 100% guaranteed a harmless program. It can be downloaded here: http://www.vellosoft.com/SuperKeys/sk1.html

Your program needs to stop deleting specifically excluded files!!

Andre

......

-----------

A3: Response (Vasantha Kumar Krishna kumar) - 07/26/2008 05:44 PM

Hi Andre,

Welcome back to Norton Support.

I understand from your message that you need clarification why Infostealer is included as a High Level threat.

Please note that your Norton product updates the latest virus definition through LiveUpdate, and according to the latest virus definition your Norton blocks threats, to protect your computer. Please run LiveUpdate to keep your virus definition updated and run a scan to remove the threat. Your Norton detects high risk threats, as the high risk threats can cause more damage.

Infostealer.Irftp is a Trojan horse that mimics the online interfaces of Brazilian banks to try to steal account information. Please click on the URL below for more information:

http://www.symantec.com/security_response/writeup.jsp?docid=2004-031212-3211-99&tabid=2

Please feel free to contact us for further assistance.

Regards,
Vasanthakumar
Norton Support

--------

Q4:

Now you are just mocking me!

So, you are saying that Infostealer is included as a High Level Threat because it's a Low Level threat? Are you sane?

[picture]

Why can't you escalate this issue and give me an answer TO my question, not auto-generated, mechanical trivia?

The link you included to http://www.symantec.com/security_response/writeup.jsp?docid=2004-031212-3211-99&tabid=2 is different from the one the program itself sends me to. BOTH of them, however, talk of a Low Level threat.

The issue/problem/bug in your program remains: how to stop deletion of files that are supposed to be excluded???

Alternatively, how to stop InfoStealer signature detection.

PLEASE answer that. PLEASE pass it on to your programmers. THEY made the error, not me.