07-30-2008 10:29 PM
Andre,
Adding the associated files and locations to the exclusions list should work to allow whatever you want to run. You obviously will need to add ALL associated files. Specifically, make sure that the file it keeps detecting is added to the exclusions list. If you believe a legitimate file that could not be used maliciously is being detected, then please submit it through the following link. You will get a submission tracking number in an email response. Please PM me that tracking number and I can look into the matter to have an engineer manually re-evaluate the file to see if we are falsely detecting it.
07-31-2008 02:30 AM
Hello,
First of all I'll try to tackle the issue of the risk classification. "Infostealer" is a broad malware detection for threats which attempt to steal personal information. As this is a malware detection, it will be treated as a high risk threat. However, within the threat category there are 5 classifications - Infostealer is classed as a Category 1 threat (very low risk).
The second issue here is whether this is a valid detection or not. In order to determine this we will need a copy of the file itself. I've searched our database but have been unable to locate any files with the name "kbdmonitor.ocx" or "kbdmonitor.dll". Do you perhaps know the md5 hashes of these files, as this would make my search easier? If not, could you provide us with a location where we can download the file in question, or alternatively submit the file to https://submit.symantec.com/retail? You will receive an email with a tracking number for the submission. Please let us know this tracking number once you receive it.
Once we have a copy of the file we will determine whether it is a valid detection. If valid, we will provide an explanation why. If it turns out to be a misdetection, we will make sure to remove the detection and push out corrected definitions ASAP.
Thanks and regards
Orla
Symantec Security Response
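Security Response asked for the MD5 hashes of the two files so they could be matched against the vendor's sample database. The script below is an added example (not from the thread or from Symantec) that computes MD5 and SHA-256 for a list of paths, reports a file that is already missing (typical when the product has quarantined or deleted it, as happened to kbdmonitor.ocx), and prints a line per file that can be pasted into a submission. The file locations under `DEFAULT_FILES` are assumed; pass the real paths on the command line.

```python
"""Hash files suspected of being false positives so the digests can accompany
a sample submission to the AV vendor.  Added example; paths are assumptions."""
import hashlib
import sys
from typing import Dict, List, Optional

# Files named in the thread.  Install locations are ASSUMED for illustration;
# override them by passing the real paths as command-line arguments.
DEFAULT_FILES = [
    r"C:\Program Files\SuperKeys\kbdmonitor.ocx",
    r"C:\Program Files\SuperKeys\kbdmonitor.dll",
]


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Digest an in-memory buffer; used for small inputs and for self-checks."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> Optional[Dict[str, str]]:
    """Digest a file in chunks so large binaries do not need to fit in memory.

    Returns None when the file is absent, which is exactly the situation the
    thread describes (the product deletes kbdmonitor.ocx before it can be
    copied for submission), so the caller can report that instead of crashing.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                md5.update(chunk)
                sha256.update(chunk)
                size += len(chunk)
    except FileNotFoundError:
        return None
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": size}


def report(paths: List[str]) -> List[str]:
    """One human-readable line per path, suitable for a vendor submission note."""
    lines = []
    for path in paths:
        digests = hash_file(path)
        if digests is None:
            lines.append(f"{path}: NOT FOUND (already deleted or quarantined?)")
        else:
            lines.append(
                f"{path}: size={digests['size']} "
                f"md5={digests['md5']} sha256={digests['sha256']}"
            )
    return lines


if __name__ == "__main__":
    for line in report(sys.argv[1:] or DEFAULT_FILES):
        print(line)
```

Hashing before the product's real-time protection gets to the file is the practical point: once the sample is quarantined only the digest remains to prove which file was submitted, and the vendor can confirm a fix against that same digest.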
07-31-2008 11:55 AM
07-31-2008 12:18 PM
All -
I'm now confused if I may be doing something different than everyone else. Can I get exact configuration and steps to reproduce? I just installed SuperKeys 5.8 and tested with N360 v2.3.1.4 with protection updates from 7/31/08. I was able to use SuperKeys without any detections or any issues. Is it possible something has already been addressed in the current version of SuperKeys?
08-01-2008 10:29 PM
Nate,
I am running Norton Security Online (provided by Yahoo! Online Protection), version 10.2.0.30. The latest update dated 8/1/08 has not changed anything: kbdmonitor.ocx still gets deleted in spite of the exception and NSO wants to immediately reboot the computer. A new thing I discovered today is that NSO also says that it discovered Infostealer in file c://WINDOWS/system32/is-NCB97.tmp, which it Blocked.
I can not see this file in the system32 directory. Not after the blocking, and not after reinstalling SuperKeys. (The reinstallation of SuperKeys was only possible after suspending Auto-Protect.)
Have you been running SuperKeys for a long time? In my case it can take up to maybe 10 minutes after a reinstallation before NSO finds it and deletes the crucial kbdmonitor.ocx file. I have excluded that file as well as the SuperKeys program directory from scans, but that does not work/help. Every time a deletion occurs NSO also says that a Browser Cache file was affected, but it does not identify that file. I have tried deleting Browser cache files both using Internet Options and the RUN-> % % procedure Symantec outlines. No change in behavior...
08-01-2008 10:49 PM
Orla,
Superkeys can be downloaded from http://www.vellosoft.com/SuperKeys/sk1.html. It is small, free and guaranteed harmless (I have been using it for over 5 years or so, and have corresponded with the author).
KBDMonitor description: http://spywaredlls.prevx.com/RRFGIH1760481/KBDMONI
The file itself says it was created May 8, 2000 by Konstantin Tretyakov. This is version 3.0.0.10. It used to be freely available from a web site that no longer exists (smartsite.cjb.net), but you can see old versions of it at the Internet Archive: http://web.archive.org/web/*/http://smartsite.cjb.
08-07-2008 06:55 AM
After several rounds with Yahoo! and Norton "support", after submitting the file for analysis to Orla, now waiting for a manager of support to call me and start "understanding" the case all over again, still NOTHING FIXED!!
Will somebody please address the status of the kbdmonitor.ocx unpreventable deletion, please? Thanks for nothing so far.
08-07-2008 09:01 AM
We've confirmed that this was indeed a false positive and have removed the detection. This change will be included in a LiveUpdate build scheduled to be released later today. While we do our utmost to avoid false positives, there are times when our analysis systems may have difficulties in differentiating commercial/legitimate keyloggers from those used for malicious purposes. We are constantly making changes to avoid these situations but unfortunately this slipped through the cracks. We've now added this software to our clean file set so that all future definition builds will be checked against it to avoid any further false positives.
Our sincere apologies for any inconvenience this has caused you. Do let us know if you have any further problems.
Thanks and regards
Orla
Symantec Security Response
