Kudos0

ALERT: HotFixInstaller.exe MALWARE!

This piece of garbage went right past the defences of both Norton 360 6.0 and Malwarebytes on my test computer.  It comes under the guise of “Hot Iron Hotfix”.  If you see this under your processes (in my case it was consuming a good amount of resources), TERMINATE it immediately, as well as another sister process with a pretty long name starting with the letter “d” that works hand-in-hand with it.  A wuauclt.exe trojan may also be at play.  There is considerable aftermath with this infection.  I am in the process of purging it right now - - will have more updates of specific areas to cleanse soon.  Wanted to at least warn the community.  From research, it appears that I am not the only one to have had a “run in” with this “Hot Iron” nonsense.  Attention all Norton/Symantec employees: please update N360’s definitions to reflect HotFixInstaller.exe as crimeware. 

Thanks,

H.B. 

Replies

Kudos0

Re: ALERT: HotFixInstaller.exe MALWARE!

Did you try running Norton Power Eraser for this threat?

If not, please try that & check whether it detects this as a threat.

http://www.norton.com/npe

Thanks,

HarryP

Kudos0

Re: ALERT: HotFixInstaller.exe MALWARE!

This user uses a test machine testing malware so he / she should know what he is doing.

Quads

Kudos0

Re: ALERT: HotFixInstaller.exe MALWARE!

Can you submit the details here?

http://www.symantec.com/security_response/submitsamples.jsp

Also, provide me the tracking number once you finish the submission.

Thanks,

HarryP

Kudos0

Re: ALERT: HotFixInstaller.exe MALWARE!

Ah, it is good to see that I have the attention of a Norton/Symantec Employee if, indeed, “HarryP” works for the organisation.  To be honest, this situation is “hairier” (so to speak) than I once believed - - and may be un-winnable sans a re-image.  I am noticing duplicity as well as random (seemingly innocent) “.exe’s” appearing under “Processes” in Task Manager, i.e. “PresentationFontCache.exe”.  I have been deleting rogue copies of processes in Sys32 (1); however, I may be attacking tentacles of the hydra versus the “main head”, if you will.  I believe I may know where the heart of the beast lies; then again, I am attempting to establish some modicum of peace within Task Manager - - potentially an impossibility until I delete the “.exe’s” for HotFixInstaller in the registry.  We’ll see how this goes.  It may be an uphill climb if this crimeware is outputting frauds of my files. 

At first glance, there were two [2] wuauclt.exe’s under Task Manager.  ONE is for Win Update.  Come to find out, the second, which is why I previously alluded to a wuauclt Trojan, may be Malwarebytes’ Chameleon Tech.  Chameleon Tech allows MBAM to run unbeknownst to malware.  It’s funny: in Sys32, the sig of the second wuauclt was MBAM Corp. 

Going back to “PresentationFontCache”, this is an unnecessary file in Win XP and CAN be deleted.  This is where things get interesting.  On a clean system, this file can be deleted effortlessly.  On the potentially infected machine, the file becomes un-deletable.  Suspicious?  I think so.  More typical behaviour.  Even folders implanted on the system for HotFixInstaller cannot be deleted due to a “EULA” that appears to be a Word document ending in .rtf, NOT .doc or .docx.  Weird.  Amazing, these fiends make it appear as though it is from Microsoft and have their own symbol for their tool, and it is nothing more than over-glorified scareware.  Amazing how sophisticated this stuff is getting.  

I know it wasn’t from Microsoft because on another XP Professional system, in the recent Windows updates, not ONE was for a so-called “HotIron Hotfix”, not to mention the high CPU spikes on the other machine thanks to that process.  I have already deleted one of these folders, much to the dismay of HarryP (for Symantec submission purposes); however, there are another three [3] just like it.  Again, traditional means could NOT delete that folder; I had to employ Malwarebytes’ “FileAssassin” (then re-start my computer for the offenders [in that folder] to be quenched).  Very complicated indeed, but kudos to Malwarebytes’ “FileAssassin”. 

I guess I will eventually run Norton’s “Power Eraser”, though, it has not moved me in the past.  For me to be coherently connected to something, it has to speak to me.  Let me translate.  In the past, I deliberately made various alterations to a system (using gpedit) for example, taking away the “run” functionality in XP Prof. to see if NPE would detect this.  NPE didn’t - - MBAM did.  Additionally, does not the NPE usually attempt to connect to the Internet to check for updates?  Daresay, I do not desire to connect to the Internet with this system even in Safe Mode with Networking UNTIL I have cleansed this system (not with holy water) to the best of my ability.  When this first happened, I immediately quashed Internet connectivity, as this is their venue.  In some respects, I enjoy the thrill of the hunt and the ability to document (myself) where changes have occurred.  Just running “removal tools” kind of takes the science out of it.  I like to think that I can dust off my logic swords and see if I can match wits with these virus programmers of today.  Although, undoubtedly, sooner or later, I will probably be on the phone directly with Symantec with my $100 offering to the all-powerful Norton gods. (laughs).  I must admit, traditional areas where I thought this suspiciousness would have been i.e. HKEY_LOCAL_MACHINE, Software, Microsoft, Windows, Current Version, Run - - let me down. 

No worries Mr. Norton/Symantec, despite this hiccup, I still value Norton’s product enough that I WILL be renewing my subscription.  Countless times Norton as well as MBAM have blocked attacks; I cannot and will not tar and feather the companies over this matter.  Your protection is still, far and away, 100% better than what is currently on the market.  Realistically, with the way the threatscape has evolved, to no longer college students writing joke programs, but, impoverished persons in underdeveloped nations writing new virus programs to sustain themselves, it is impossible that every definition will be accounted for.  You try your best, and, in large part, that is why you rely upon the aggregate intelligence of the communities.  I blame myself.  Many times I will go to Websites I know are trouble just to give fellow reviewers on Safe Web first-hand working knowledge NOT theory/speculative info on why, specifically, a site is dangerous.  In essence, I take one for the team. 

Regards,

H.B.

P.S.- Getting back to submitting, maybe I will make duplicates of the files (save them to a memory key) then, could I e-mail you the folders (HotFixInstaller.exe created) as attachments for you to analyse them? 

1- Based on a clean system.  This may be my “quack science”, however, if the two [2] systems are virtually identical, it stands to reason.

Accepted Solution
Kudos2

Re: ALERT: HotFixInstaller.exe MALWARE!

Hotiron Hotfix Installer (hotfixinstaller.exe) is a Microsoft process that is involved with the installation of Windows updates.  The folder can sometimes be left behind on C:\ following the installation of a Microsoft patch.  It is not malware. 

Kudos0

Re: ALERT: HotFixInstaller.exe MALWARE!

Send!!!

Say it ain’t so Send, say it ain’t so.  You know I love you Send, but on this, I think I am going to have to respectfully dissent. 

Granted, I have seen documented cases of where people (on other discussion forums) are explaining that it is legit, however, I have also seen users documenting that this “HotFixInstaller” rendered their system useless.  The latter was the case for me.  I noticed random CPU spikes- 15%, 30%, 70%, back down to 20% (basically) randomness that you would typically see with worm behaviour or Jos. A. Bank clothier promotions, lol. 

Another red flag.  I went into N360 6.0 “Show All Running Processes” - - HotFixInstaller.exe was NOT there, yet, it was running under Task Manager.  If that isn’t downright suspicious, I don’t know what is.  Why did you put it in lowercase?  This is exactly how the one on my test system appeared: HotFixInstaller.exe.

Bottom line, I am thinking that this might be another case like svchost.  Svchost can be a legitimate process, but, in other cases, it can be rogue as evidenced here: http://www.processlibrary.com/search/?q=svchost.exe

Kudos1

Re: ALERT: HotFixInstaller.exe MALWARE!

Hi Hammer_Bro,

CPU spikes like that are completely normal - especially if updates are being installed at the time.  That should not be a concern.  As to what you will find posted on the internet, I don't think I have ever researched any executable file without finding someone who claimed the particular file is malicious.  Malware writers can name their files anything they like, and they often do choose to borrow or approximate the names of legitimate files.  Svchost is a good example.  Of course, every Windows PC always has several instances of svchost running, so the odds are, on all but a small fraction of these machines, the svchost processes are completely normal.  Finding svchost running on a machine is not a cause for concern. 

The reason I posted is that Norton reported high CPU usage by Hotiron Hotfix Installer on my PC the other day.  This was associated with Microsoft's errant posting of redundant and flawed .NET Framework updates on Tuesday - so it was very clear to me that this was all legitimate (albeit, messy).  You are certainly familiar with your own machine, and can do your own research to arrive at your own conclusions.  I am merely pointing out that if you install Microsoft updates, you may see instances of Hotiron Hotfix Installer - that, by itself, would not be a reason to suspect anything was wrong.  Moreover, if you suspect that something is wrong, it could be due to something entirely unrelated to hotfixinstaller.exe.  Others who read this thread should not assume that their PCs are infected if they happen to see this process on their own computers.
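The posts above disagree about whether a process with a legitimate-looking name is the real thing, and the thread's own clues (which directory the image lives in, who signed it) are the right ones to check. The following is an added example, not code from the thread or from Norton or Microsoft: it walks every running process, records the image path, Authenticode signature status, signer and SHA-256, and flags anything unsigned, signed with a non-valid status, or running from an unexpected directory, including a system process name outside System32. The list of "system names" is an assumption for illustration; extend it for your environment.

```powershell
# Added example (not from the thread): triage running processes by image path and Authenticode signature.
# Run from an elevated PowerShell prompt so Get-Process can read the image path of every process.
# Assumption: the images are still on disk; a process whose image was deleted has no Path and is reported as such.

function Get-ProcessSignatureReport {
    [CmdletBinding()]
    param(
        # Process names to report on; the default is every process on the box (wildcards allowed).
        [string[]]$Name = '*'
    )

    $windowsDir = [Environment]::GetFolderPath('Windows')     # e.g. C:\WINDOWS
    $systemNames = @('svchost', 'wuauclt', 'lsass', 'csrss', 'winlogon')   # assumption: names worth checking for lookalikes
    $seen = @{}

    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $path = $proc.Path
        if (-not $path) {
            # Access denied (system process viewed without elevation) or the image has been removed from disk.
            [pscustomobject]@{
                Name = $proc.Name; ProcessId = $proc.Id; Path = $null
                Signature = 'unknown'; Signer = $null; SHA256 = $null
                Note = 'no image path (run elevated, or the image is gone)'
            }
            continue
        }
        if ($seen.ContainsKey($path)) { continue }    # one row per distinct image, not per instance
        $seen[$path] = $true

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $hash   = (Get-FileHash -Path $path -Algorithm SHA256).Hash

        $note = @()
        if ($sig.Status -ne 'Valid') { $note += "signature $($sig.Status)" }
        if ($path -notlike "$windowsDir\*" -and $path -notlike "$env:ProgramFiles\*") {
            $note += 'outside Windows and Program Files'
        }
        # A legitimate name in the wrong directory is the svchost-style lookalike the thread talks about.
        if ($proc.Name -in $systemNames -and $path -notlike "$windowsDir\System32\*") {
            $note += 'system process name outside System32'
        }

        [pscustomobject]@{
            Name = $proc.Name; ProcessId = $proc.Id; Path = $path
            Signature = $sig.Status; Signer = $signer; SHA256 = $hash
            Note = ($note -join '; ')
        }
    }
}

# Usage: everything that is not a validly signed binary in an expected location.
Get-ProcessSignatureReport | Where-Object { $_.Note } | Format-Table -AutoSize

# Usage: just the two processes argued about in this thread.
Get-ProcessSignatureReport -Name 'HotFixInstaller', 'wuauclt' | Format-List
```

Two caveats a practitioner would want: many Windows binaries are catalog-signed rather than carrying an embedded signature, and older PowerShell versions report those as NotSigned, so a NotSigned row is a prompt to look closer (compare the SHA-256 against a known-good copy from an identical machine, as the thread's author did by hand), not a verdict; and a Valid Microsoft signature on a file in an odd directory is exactly what the accepted solution describes for the leftover Hotfix Installer folder, so the path alone should not condemn it either.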

Kudos0

Re: ALERT: HotFixInstaller.exe MALWARE!


Hammer_Bro wrote:

Ah, it is good to see that I have the attention of a Norton/Symantec Employee if, indeed, “HarryP” works for the organisation. 

HarryP (Symantec Employee)

Do you really think that one can log on here and pretend to be a Norton Staffer, get the red name?  Please don't post questions like that.

[ ... ]


You try your best, and, in large part, that is why you rely upon the aggregate intelligence of the communities.  I blame myself.  Many times I will go to Websites I know are trouble just to give fellow reviewers on Safe Web first-hand working knowledge NOT theory/speculative info on why, specifically, a site is dangerous.  In essence, I take one for the team.


Again, do you really think that because SONAR uses data from users that that is all Norton does to protect us? I hope you don't get infected by your investigations but again, fortunately for the rest of us, Norton does a lot more than depend on us users to tell them what is dangerous out there.

Hugh
Kudos0

Re: ALERT: HotFixInstaller.exe MALWARE!

Hello again Send and Hugh,

Funny thing, I wasn’t installing Win updates.  Yeah, I’m not really buying the argument that what I’m dealing with is connected to legitimate Microsoft processes.  For example, I have another system pretty much identical to the “test” system and on that machine I happened to get the recent slew of Win updates and not one [1] was for so-called ‘Hot Iron’ Hotfix let alone leaving multiple residual files on C:\.  Further, at the time this ‘Hot Iron’ debacle ensued, I noticed a suspicious command promptesque window open for approx. three [3] seconds, execute some commands then magically close as quick as it came.  Too bad I couldn’t have captured the screen at that moment.  However, I have noticed this behaviour related to installation of malware in the past.  This method seems to be gaining momentum in order to work around security programs in the GUI.  I have apprised Norton/Symantec Employees (via phone) that this avenue for attack MUST be addressed in future Norton security suites for Symantec’s competitiveness.  When you explain, “I don’t think I have ever researched any executable file without finding someone who claimed the particular file is malicious.”  Yes, but the symptoms documented matched mine pretty copasetically. 

Knowing my luck, I’m the “small fraction” that gets affected by the malware. 

When you say, “Norton reported high CPU usage by Hotiron Hotfix Installer….”  Again, that is another thing that disturbs me.  Norton could not recognise that this process was running, when it was!

You explain, “if you suspect that something is wrong, it could be due to something entirely unrelated to hotfixinstaller.exe.”  No way.  All manner of questionableness commenced the second this ‘HotFixInstaller’ went into action.  “Others” will ultimately have to deduce for themselves, however, in my mind, the possibility of this being benign is shrinking by the second - - to the place where I am in the process of turning in the residual components for evaluation. 

Hugh, imposters are everywhere.  Just because someone parades around with a fancy name badge means jack crud.  However, in subsequent e-mails back and forth it is becoming more solidified in my mind, that, in fact, “HarryP” IS a genuine Symantec Employee.  As for the second comment, this probably won’t be the last time I get stung by malware, but it is for the greater good.  I would add that Norton’s IPS/Virus definitions have undoubtedly exponentially increased thanks to the contributions of reviewers such as those found on Safe Web. 

I have to laugh.  I faced a similar situation when I had grappled with the horribly annoying Adware.DoubleD infection back in 2009, which, coincidentally, Norton “missed the boat on” (so to speak).  I was correct then, and I believe history is repeating itself - - it is just a question of how long Norton desires to wait before they include this ‘HotFix’ in their rapid release definitions.  For the sake of everyone’s computers, I hope that it is sooner rather than later.    

Kudos0

Re: ALERT: HotFixInstaller.exe MALWARE!

Windows 7 Home Premium x64 SP1 *** Norton 360 v21.6.0.32
Kudos3

Re: ALERT: HotFixInstaller.exe MALWARE!


Hammer_Bro wrote:

[ ... ]

Hugh, imposters are everywhere.  Just because someone parades around with a fancy name badge means jack crud.  However, in subsequent e-mails back and forth it is becoming more solidified in my mind, that, in fact, “HarryP” IS a genuine Symantec Employee. 

[ ... ]



I don't want to belabor this but your attitude is so unreal that it only shows a lack of knowledge of how these forums work.

People who post here have no choice in the descriptive phrase below their name or in the color of their name ...  This is assigned after checking by moderators. HarryP has been around since 2010 and he has posted over 400 times -- the likelihood of him not being a Symantec Employee is zero.

Personally I find your attitude on this condescending and bordering on "ad hominem".

Hugh
Kudos0

Re: ALERT: HotFixInstaller.exe MALWARE!

Hugh,

You mentioned that the person possessed a, “red name”.  I am assuming that you were referencing that Norton Employee’s names will be a red colour?  If the assumption is true, all I’m saying is that I don’t care about that.  For me to judge the measure of the man, I desired to have personal contact (through the private messaging system) which has occurred. 

Oh, about Pink Floyd- (from the post documenting the community Website’s slowness) yes, the timeliness of Floyd (especially for these times) is remarkably transcendent - - especially Mother Can I Trust The Government? 

Dave,

It is good to hear from you again.  I apologise if it seems as though I am being unreasonable to the degree of that “sturgess” fellow, and you know I have the greatest respect for Hugh, Quads, yourself, and Send - - I just feel like (although Send is trying and I genuinely appreciate that) he is characterising my situation through the prism of Microsoft Windows Update, when I think more is at hand.  For example, usually Windows Updates (on XP Professional) would be under Add/Remove Programs; however, the questionable files on my “test” system (claiming to be from Microsoft) are not there, but residing loosely on C:\.  In any event, I have now submitted these questionable files to Symantec - - and will continue the cleanup of my “test” system in the meantime. 

One last note on the post created by “sturgess”- although I can empathize with him, I concur with the majority, it is unrealistic to believe that every virus definition will be accounted for, in large part, why I believe strongly in the contributions of reviewers like on Safe Web.  Moreso, imagine for a moment if Norton had to guarantee something to that extent - - they would go out of business! 

Kudos0

Re: ALERT: HotFixInstaller.exe MALWARE!


Hammer_Bro wrote:
For example, usually Windows Updates (on XP Professional) would be under Add/Remove Programs, however, the questionable files on my “test” system (claiming to be from Microsoft) are not there, but residing loosely on C:\. 

Hi Hammer_Bro,

The updates themselves will be listed in Add/Remove Programs.  The Hotiron Hotfix Installer folders are left behind in C:\, as explained here:

http://www.bleepingcomputer.com/forums/topic336675.html

Kudos1

Re: ALERT: HotFixInstaller.exe MALWARE!

While I am honoured you would mention me in the same breath as "...Hugh, Quads, and Send...", there comes a point where you are either still searching for an answer to your issue, or you are giving an opinion, in which case there are other boards here in the Norton Community to discuss your issue.

Thanks,  Dave.

Windows 7 Home Premium x64 SP1 *** Norton 360 v21.6.0.32
Kudos0

Re: ALERT: HotFixInstaller.exe MALWARE!

Trust me, Dave.  I have been searching for solid answers for this phenomenon, believe you me. 

I decided to re-examine Add/Remove Programs.  Granted, I found items pertaining to ‘Hotfix’, but, NOTHING SPECIFICALLY for so-called ‘HotIron’.  Astonishingly, I did find updates installed on 5/11/2012, the day the computer went berserk.  Frankly, I’m not certain as to how this happened - - I could swear the second I saw patterns outside the norm, I immediately held down the power button, terminating all processes.  In any event, I researched the ‘KB’ reference numbers in Microsoft’s knowledge base for the updates installed, and they stem from updates released May 8th from Microsoft.  On Microsoft’s page, I still didn’t find anything about ‘HotIron’, however, the ‘KB’ numbers and description from the suspicious folders on my system matched with what was on Microsoft’s Website. 

At this point, I will mark Send’s first post (on this topic) as the solution, but there are still so many unanswered questions. 

In all my years working with Win Updates, I have NEVER seen one that impacted the OS so adversely.  Crazy CPU consumption to the point where my cursor became extremely sluggish.  Again, the last time I experienced this was confronting the Sasser Worm.  Additionally, could a Windows Update open up a command prompt window?  Then there is the instance of two [2] wuauclt.exe’s under Task Manager.  One I can understand represents Win Update Shield in the System Tray with updates ready to be installed.  Fine.  The other briefly appears (at a high resource consumption) then disappears.  Could that be the one that temporarily checks to see if an update is available? 

Was this update even really necessary?  I’m tempted to say if it looks and acts like malware, it is.  I call shenanigans on Microsoft!  Shame on you, Microsoft, for releasing such a poorly written update, to the point where it scared numerous users into thinking that it was malware and that their protection programs had failed them!  Come to think of it, the other process that I thought started with the letter “d”, running concurrently with HotFixInstaller under Task Manager, may have been something like “NDP30SP2-KB2656407.msp” - - another component from the updates released May 8th.  Moving forward, will there be a conflict if I try to get this update again, given that I shredded it with MBAM’s FileAssassin?

P.S.- Although it looks like I have irreparably offended Hugh, Send is sitting back, takes a sip of his latte and remarks, “Foolish Hammer Bro, I tried to tell you HotFixInstaller was a Windows Update.  No matter, I’ll just chalk you up to another solution in my column, ha, ha, ha.”  (then his jazz music starts playing)  To that I would say, “With the behaviour exhibited, could’ve fooled me….”   
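The post above resolves the question the way a practitioner should: by matching the KB numbers and install dates of the leftover folders against what Windows actually installed. The following is an added example, not code from the thread or from Microsoft, that does that lookup from PowerShell. It lists the updates installed on a given day, checks a specific KB number, and, because Get-HotFix only reports operating-system updates and not .NET Framework patches delivered as .msp packages, also searches the Uninstall registry keys where those register. The date and KB number are the ones mentioned in the thread and are assumptions to replace with your own.

```powershell
# Added example (not from the thread): match a suspected "hotfix" against what Windows Update actually installed.
# Assumption: 2012-05-11 and KB2656407 are the values the thread mentions; substitute your own.

function Get-UpdatesInstalledOn {
    param([Parameter(Mandatory)][datetime]$Date)
    # Win32_QuickFixEngineering: OS updates only, with the date they were applied.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn.Date -eq $Date.Date } |
        Sort-Object HotFixID |
        Select-Object HotFixID, Description, InstalledBy, InstalledOn
}

function Test-KBInstalled {
    param([Parameter(Mandatory)][string]$KB)   # e.g. 'KB2656407'
    $hit = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KB          = $KB
        InQFE       = [bool]$hit
        InstalledOn = if ($hit) { $hit.InstalledOn } else { $null }
    }
}

function Find-KBInUninstallKeys {
    param([Parameter(Mandatory)][string]$KB)
    # .NET Framework updates (NDP*-KBnnnnnnn.msp) register here, not in QFE; this is what
    # Add/Remove Programs (and "Installed Updates" on later Windows) reads.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName -like "*$KB*" -or $_.PSChildName -like "*$KB*" } |
            Select-Object DisplayName, Publisher, InstallDate, UninstallString
    }
}

# Usage: what went on the day the machine "went berserk", and whether the .NET patch is registered.
Get-UpdatesInstalledOn -Date '2012-05-11' | Format-Table -AutoSize
Test-KBInstalled -KB 'KB2656407'
Find-KBInUninstallKeys -KB 'KB2656407' | Format-List
```

If the KB number from the leftover folder shows up in neither place, that is genuinely worth a closer look (and a sample submission); if it does show up with a Microsoft publisher and the right date, the folder is the residue the accepted solution describes. Removing such a folder with a file-shredding tool does not unregister the update, so a later re-offer of the same KB is a normal consequence rather than a conflict.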

Kudos0

Re: ALERT: HotFixInstaller.exe MALWARE!

<< Although it looks like I have irreparably offended Hugh, >>

You didn't offend me at all -- I had nothing to add to how you characterised yourself in that message to two of us.

Hugh
Kudos0

Re: ALERT: HotFixInstaller.exe MALWARE!


Hammer_Bro wrote:

In all my years working with Win Updates, I have NEVER seen one that impacted the OS so adversely.


I have been fortunate never to have had an issue with a Microsoft Update.  But I have read some grisly stories about the interesting predicaments that they can sometimes cause.  That's why I always create a new full disk image backup prior to every Patch Tuesday.  Painstakingly undoing the damage caused by a messed-up  update is not my idea of having a good time.

Kudos0

Re: ALERT: HotFixInstaller.exe MALWARE!

Hugh,

Good to hear, good to hear.  Dodged a darn near bullet there.  The absolute last thing I desire is to anger someone who has masterfully crafted over 16,000 posts. 

Send,

Interesting.

Last note:- To all who contributed to this thread, a sincere thank you from the bottom of my heart, you gentlemen are top-notch in my book. 

Best,

H.B.

Replies are locked for this thread.