A Keylogger by itself does not a virus make!


I don't quite understand what you mean by "submitting the link". My Yahoo Norton Online Protection is set to submit things to Symantec automatically; I have, however, also submitted it manually via the program. The caveat is that there is no way for the user to add a comment like "this file is NOT a virus". Throughout their manuals and submission process it seems to me that everything submitted this way is assumed to be a virus report. I have also talked to Symantec Customer Support. The moment they heard it was the Yahoo version, they sent me to Yahoo. 3 people at Yahoo have now said: "Duh, why don't you talk to Symantec". I have now asked for someone at Yahoo to figure out how their deal with Symantec was signed: do they support the product or does Symantec? So far, no resolution...

So, yes, I would appreciate help: where can I submit my full question, with necessary links and references, to Symantec? 

The author of Superkeys has written about the non-spyware behavior of his program, and the poor detection techniques used by anti-virus vendors. This posting is from 2005: http://www.vellosoft.com/news/news0016.php  

My issue in concise terms is as follows:

I use a very useful program called SuperKeys, which allows me to enter simple key combinations to easily insert special characters wherever I need them. SuperKeys installs and uses a file called kbdmonitor.ocx which resides in the windows/system32 directory.

This file is a generic keyboard logger, PART OF ''KTKBDHK3.DLL'', programmed some time around the year 2000 by a Russian programmer and shared openly on the web. See MY post (#13 out of 15, by sgstandre) regarding this issue, from 2006, here: http://forums.cnet.com/5208-7813_102-0.html?forumID=32&threadID=140781&messageID=1593206

 

Unfortunately, somewhere along the way malware programmers used the same code to log keystrokes. The issue is that keylogging in itself does not a virus make. Back in 2006 Symantec "woke up" to the file ''KTKBDHK3.DLL'' and started blocking it. Eventually they fixed their definitions and stopped doing it. Now, again, 2 years later they are going after the innocent kbdmonitor.ocx file.

Symantec is just being lazy and as of a week or so ago, AUTOMATICALLY removes what it tells me is a threat called INFOSTEALER. The removal simply consists of removing the file kbdmonitor.ocx . Obviously Norton is wrong, they are just too lazy to detect the rest of InfoStealer, whether it's present or not.

 

Furthermore: InfoStealer is NOT included in their list of scan exclusions (one can only chose from their list, not select what one wants).

Furthermore: excluding directory windows/system32 from the virus scan does not work. The purported virus file still gets detected. Excluding all files and folders related to SuperKey also does not help.

Furthermore: Norton Online Protection immediately goes to removal without giving me any possibility of intervention. It says the threat level is high and immediately a reboot is required. Curiously enough, when one clicks on their link to more information about INFOSTEALER, one gets taken to a Symantec web page which characterizes INFOSTEALER as a LOW security threat. So, which is it: high or low???

Furthermore: removing the file from quarantine and restoring it only works for a while. Eventually Autoscan finds the file again and the circus starts all over. If it does not find it in the same session, then upon restart my program Superkeys can not load because it tells me the kbdmonitor.ocx file is either missing or not registered correctly.

 

I have spent now another 4 hours on the issue and have found out that excluding all files related to the benign program SuperKeys does NOT help: the kbdmonitor.ocx file still gets auto-deleted (and I am prompted to reboot) every time AutoScan is turned on.

Since .ocx files are ActiveX controls, my theory is that Norton finds the reference to it in the Browser's (IE 7) registry and I have no way to control exclusions from Norton Scan inside the Browser. Indeed every time it deletes it, it says that 1 file was found in Browser's cache.

I have emptied the folder "Temporary Internet Files" to the last bit, -but to no avail.

Other people have the same problem with Infostealer, although they think they are actually infected by it:

http://community.norton.com/norton/board/message?board.id=Norton_360&message.id=1948&query.id=4156#M1948

Looking forward to you resolving this. I NEED SuperKeys to work!!!

Thank you,

 

Andre

That should do the trick. Besides that, the employees are visiting quite often here. They will find it.

I'm gonna guess though that any keylogger is going to be considered a threat... who knows if the calling program needs it for a legitimate reason.

 

The fact that it's open source and shared freely on the web makes it a nice generic ingredient for a login/password stealer..

 

Have you tried putting it in the exclusions locally??? You should be able to exclude it on your own machine... without requesting that security be compromised for all users :smileysurprised:

This will do the trick for you but not for all the other users

Personally I hope that Norton always removes every keylogger from my machines... If I want one for some reason then I'll deal with telling Norton it's ok for my local machine...

4Runner, I think you somewhat miss the point here: the issue in my case is that I can not find a way to tell Norton that I WANT the keylogger running on my local machine. So, thanks for your support with the second part of your statement, my friend. That's what this is about: "dealing with telling Norton it's ok for my local machine", to use your own words. What they do with unwanted stuff, whether they delete or quarantine it, I don't care.

But for now it is working?

Working? Heck, no, it's not working. Customer support is totally mocking me. Here's the circular exchange with Kumar and friends that's now been going on for 4 days. HELP ME PLEASE!!!:

-------

Q1: Customer (Andre) - 07/25/2008 11:33 AM

Please refer to my posting:

http://community.norton.com/norton/board/message?board.id=other&thread.id=3155

InfoStealer is on Symantec's definition/info page defined as a VERY LOW LEVEL threat, which affected about 15 PCs - IN 1999!

However, as of a week or so ago, Norton Anti-Virus keeps immediately deleting the benign keylogger file kbdmonitor.ocx, thus hampering a program I rely on for my work called SuperKeys. The "excuse" is that now, according to the program, Infostealer is a very HIGH risk and must be deleted immediately. WRONG.

I HAVE excluded the file from scans, however, somehow NAV says it finds it in Browser's cache (it's an ActiveX file) and proceeds to delete it from its excluded location, in spite of the exclusion.

--

A1: Response (Vasantha Kumar Krishna kumar) - 07/25/2008 07:46 PM

Hello Andre,

Thank you for contacting Norton Support.

I understand from your message that you are encountering an alert message stating Infostealer is a very HIGH risk and must be deleted immediately.

To resolve this issue I suggest that you exclude Auto-Protect scan for that file and download and run Norton Security Scan.

To exclude Auto-Protect scan for files and sub folders, please click on the URL below for instructions:

Title: 'How to exclude specific drives, folders and files from being scanned in a Norton 2008 product'

Document ID: 2007072001035679

Web URL: http://service1.symantec.com/Support/norton2008.nsf/docid/2007072001035679

To download and run Norton Security Scan, please click on the URL below for instructions to do so:

Title: 'What to do if you are unable to install a Norton product due to a virus infection'

Document ID: 2007091717263913

Web URL: http://service1.symantec.com/Support/sharedtech.nsf/docid/2007091717263913

Please feel free to contact us for further assistance.

Regards,

Vasanthakumar

Norton Support

---------

Q2: Customer (Andre) - 07/26/2008 02:33 PM

You are not offering me anything new here. I already know how to exclude files from scan. Please try to address my actual issue, that Norton, in spite of the exclusion, deletes the file.

I wrote in my submission the following (at the bottom of my email):

"I HAVE excluded the file from scans, however, somehow NAV says it finds it in Browser's cache (it's an ActiveX file) and proceeds to delete it from its excluded location, in spite of the exclusion."

<picture>

Here's the exclusion. I HAVE excluded both the kbdmonitor.ocx file, as well as the SuperKeys program directory:

<picture>

But, apparently exclusion from scan does not result in exclusion from deletion. As I wrote, Norton purportedly finds some reference in my Browser's cache and proceeds to immediately delete c:\windows\system32\kbdmonitor.ocx IN SPITE of the exclusions.

<picture>

NOTE: to the right above in Norton, the RISK is labeled as HIGH!

Also note that the file just deleted is listed as "excluded from scan" above, in the first picture! Yet, it gets deleted.

Lastly, clicking on the Infostealer link leads to a Symantec.com page that says the opposite, the Risk is VERY LOW:

HELP! Just install SuperKeys and verify the behavior. SuperKeys is 100% guaranteed a harmless program. It can be downloaded here: http://www.vellosoft.com/SuperKeys/sk1.html

Your program needs to stop deleting specifically excluded files!!

Andre

......

-----------

A3: Response (Vasantha Kumar Krishna kumar) - 07/26/2008 05:44 PM

Hi Andre,

Welcome back to Norton Support.

I understand from your message that you need clarification why Infostealer is included in the High Level threat category.

Please note that your Norton product updates the latest virus definition through LiveUpdate, and according to the latest virus definition your Norton blocks threats, to protect your computer. Please run LiveUpdate to keep your virus definitions updated and run a scan to remove the threat. Your Norton detects high risk threats, as the high risk threats can cause more damage.

Infostealer.Irftp is a Trojan horse that mimics the online interfaces of Brazilian banks to try to steal account information. Please click on the URL below for more information:

http://www.symantec.com/security_response/writeup.jsp?docid=2004-031212-3211-99&tabid=2

Please feel free to contact us for further assistance.

Regards,

Vasanthakumar

Norton Support

--------

Q4:

Now you are just mocking me!

So, you are saying that Infostealer is included as a High Level Threat because it's a Low Level threat? Are you sane?

 

<picture>

 

Why can't you escalate this issue and give me an answer TO my question, not auto-generated, mechanical trivia?

The link you included to http://www.symantec.com/security_response/writeup.jsp?docid=2004-031212-3211-99&tabid=2 is different than the one the program itself sends me to. BOTH of them, however, talk of a Low Level threat.

The issue/problem/bug in your program remains: how to stop deletion of files that are supposed to be excluded???

Alternatively, how to stop InfoStealer signature detection.

PLEASE answer that. PLEASE pass it on to your programmers. THEY made the error, not me.

 

Andre,

 

Adding the associated files and locations to the exclusions list should work to allow whatever you want to run.  You obviously will need to add ALL associated files.  Specifically, make sure that the file it keeps detecting is added to the exclusions list.  If you believe there is a legitimate file, that could not be used maliciously, being detected then please submit it through the following link.  You will get a submission tracking number in an email response.  Please PM me that tracking number and I can look into the matter to have an engineer manually re-evaluate the file to see if we are falsely detecting it.

 

https://submit.symantec.com/websubmit/retail.cgi

Hello,

 

First of all I'll try to tackle the issue of the risk classification. "Infostealer" is a broad malware detection for threats which attempt to steal personal information. As this is a malware detection, it will be treated as a high risk threat. However within the threat category there are 5 classifications - Infostealer is classed as a Category 1 threat (very low risk).

 

The second issue here is whether this is a valid detection or not. In order to determine this we will need a copy of the file itself. I've searched our database but have been unable to locate any files with the name "kbdmonitor.ocx" or "kbdmonitor.dll". Do you perhaps know the md5 hashes of these files, as this would make my search easier? If not, could you provide us with a location where we can download the file in question, or alternatively submit the file to https://submit.symantec.com/retail? You will receive an email with a tracking number for the submission. Please let us know this tracking number once you receive it.

 

Once we have a copy of the file we will determine whether it is a valid detection. If valid, we will provide an explanation why. If it turns out to be a misdetection, we will make sure to remove the detection and push out corrected definitions ASAP.

 

Thanks and regards

 

Orla

Symantec Security Response 


This sucks!  I also need my SuperKeys program to work, and in order to do so, I need kbdmonitor.ocx!!!  Norton keeps deleting the d*mn file from my computer!!!  :smileymad:

All -

 

I'm now confused if I may be doing something different than everyone else. Can I get the exact configuration and steps to reproduce? I just installed SuperKeys 5.8 and tested with N360 v2.3.1.4 with protection updates from 7/31/08. I was able to use SuperKeys without any detections or any issues. Is it possible something has already been addressed in the current version of SuperKeys?

Nate,

 

I am running Norton Security Online (provided by Yahoo! Online Protection), version 10.2.0.30. The latest update, dated 8/1/08, has not changed anything: kbdmonitor.ocx still gets deleted in spite of the exception and NSO wants to immediately reboot the computer. A new thing I discovered today is that NSO also says that it discovered Infostealer in file c://WINDOWS/system32/is-NCB97.tmp, which it Blocked.

I can not see this file in the system32 directory. Not after the blocking, and not after reinstalling SuperKeys. (The reinstallation of SuperKeys was only possible after suspending Auto-Protect.)

 

Have you been running SuperKeys for a long time? In my case it can take up to maybe 10 minutes after a reinstallation before NSO finds it and deletes the crucial kbdmonitor.ocx file. I have excluded that file as well as the SuperKeys program directory from scans, but that does not work/help. Every time a deletion occurs NSO also says that a Browser Cache file was affected, but it does not identify that file. I have tried deleting the Browser cache files both using Internet Options and the RUN-> % % procedure Symantec outlines. No change in behavior...

Orla,

 

Superkeys can be downloaded from http://www.vellosoft.com/SuperKeys/sk1.html . It is small, free and guaranteed harmless (I have been using it for over 5 years, and have corresponded with the author).

KBDMonitor description: http://spywaredlls.prevx.com/RRFGIH1760481/KBDMONITOR.OCX.html

The file itself says it was created May 8, 2000 by Konstantin Tretyakov. This is version 3.0.0.10 . It used to be freely available from a web site that no longer exists (smartsite.cjb.net), but you can see old versions of it at the Internet Archive: http://web.archive.org/web/*/http://smartsite.cjb.net . HARMLESS.

After several rounds with Yahoo! and Norton "support", after submitting the file for analysis to Orla, now waiting for a manager of support to call me and start "understanding" the case all over again, still NOTHING FIXED!!

Will somebody please address the status of the kbdmonitor.ocx unpreventable deletion, please? Thanks for nothing so far.

We've confirmed that this was indeed a false positive and have removed the detection. This change will be included in a LiveUpdate build scheduled to be released later today. While we do our utmost to avoid false positives, there are times when our analysis systems may have difficulties in differentiating commercial/legitimate keyloggers from those used for malicious purposes. We are constantly making changes to avoid these situations but unfortunately this slipped through the cracks. We've now added this software to our clean file set so that all future definition builds will be checked against it to avoid any further false positives.

 

Our sincere apologies for any inconvenience this has caused you. Do let us know if you have any further problems.

 

Thanks and regards

 

Orla 

Symantec Security Response 
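The two Symantec Security Response posts above describe the mechanism that actually resolved this thread: identify the file by its hash (Orla asks for the md5), and once it is known to be clean, put it in a clean file set that every future definition build is checked against. Andre's experience shows why a path-based scan exclusion is a weaker control: the detection fired on a second copy of the same bytes in the browser cache, outside every excluded path. The following is an added example, not code from Symantec, Norton or SuperKeys, and it does not claim to reproduce Norton's internal logic; it models the two policies side by side on constructed detection events. The file contents, paths and the `Detection` record are all constructed stand-ins.

```python
"""Path-based scan exclusion versus hash-based clean-file allowlisting.

Added example (not Symantec/Norton/SuperKeys code). Models the behaviour
discussed in the thread: an exclusion on C:\\Windows\\system32\\kbdmonitor.ocx
does nothing for a second copy of the same bytes found in the browser cache,
whereas a clean-file set keyed on content hash suppresses the detection
wherever the identical file turns up. All inputs below are constructed.
"""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample contents standing in for real PE files.
CLEAN_OCX = b"MZ\x90\x00 constructed stand-in for the benign kbdmonitor.ocx"
MALICIOUS_DLL = b"MZ\x90\x00 constructed stand-in for a malicious keylogger module"


def file_hashes(data: bytes) -> dict:
    """MD5 (what the vendor asked for in the thread) plus SHA-256, which a
    practitioner should record alongside it when submitting a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


@dataclass
class Detection:
    path: str        # where the scanner found the bytes
    data: bytes      # the bytes it scanned (constructed here)
    signature: str   # detection name the scanner reported


def path_excluded(det: Detection, exclusions) -> bool:
    """Path-based exclusion, the control Andre configured: suppressed only if
    the flagged path is an excluded file or lies under an excluded directory.
    Paths are lower-cased explicitly to mirror Windows case-insensitivity."""
    p = PureWindowsPath(det.path.lower())
    for ex in exclusions:
        e = PureWindowsPath(ex.lower())
        if p == e or e in p.parents:
            return True
    return False


def hash_allowlisted(det: Detection, clean_set) -> bool:
    """Clean-file-set check: suppressed wherever the identical bytes appear."""
    return hashlib.sha256(det.data).hexdigest() in clean_set


def triage(detections, exclusions, clean_set) -> dict:
    """Map each flagged path to the action a scanner would take under a
    combined policy; 'remove' means the detection still leads to deletion."""
    result = {}
    for det in detections:
        if hash_allowlisted(det, clean_set):
            result[det.path] = "allow (clean file set)"
        elif path_excluded(det, exclusions):
            result[det.path] = "allow (path exclusion)"
        else:
            result[det.path] = "remove"
    return result


# Constructed policy: the exclusions Andre described, and a clean set that is
# empty until the vendor has analysed the sample.
EXCLUSIONS = [r"C:\Windows\system32\kbdmonitor.ocx", r"C:\Program Files\SuperKeys"]
CLEAN_SET_AFTER_REVIEW = {file_hashes(CLEAN_OCX)["sha256"]}

SAMPLE_DETECTIONS = [
    Detection(r"C:\Windows\system32\kbdmonitor.ocx", CLEAN_OCX, "Infostealer"),
    # Same bytes cached by the browser: outside every exclusion, so a
    # path-only policy still acts on it.
    Detection(r"C:\Users\andre\Local Settings\Temporary Internet Files\kbdmonitor[1].ocx",
              CLEAN_OCX, "Infostealer"),
    # Different bytes under a familiar name: the hash check must not clear it.
    Detection(r"C:\Windows\system32\ktkbdhk3.dll", MALICIOUS_DLL, "Infostealer"),
]

if __name__ == "__main__":
    print("sample hashes to submit:", file_hashes(CLEAN_OCX))
    print("path exclusions only:", triage(SAMPLE_DETECTIONS, EXCLUSIONS, set()))
    print("after clean-set update:", triage(SAMPLE_DETECTIONS, EXCLUSIONS, CLEAN_SET_AFTER_REVIEW))
```

The hash submitted to the vendor is what lets them find the file again (Orla could not locate it by name), and the clean set is keyed on content rather than location, which is why the cache copy stops triggering once the detection is withdrawn, while a genuinely malicious module with a different hash is still removed.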

 

 

Did you try to submit the link or the file to Symantec?

If not I can try and look up the right link for you