05-13-2012 10:58 PM
ALERT: HotFixInstaller.exe MALWARE!
This piece of garbage went right past the defences of both Norton 360 6.0 and Malwarebytes on my test computer. Comes under the guise of “Hot Iron Hotfix”. If you see this under your processes, in my case it was consuming a good amount of resources, TERMINATE it immediately as well as another sister process (with a pretty long name) starting with the letter “d” that works hand-in-hand with it. A wuauclt.exe trojan may also be at play. There is considerable aftermath with this infection. I am in the process of purging it right now - - will have more updates on specific areas to cleanse soon. Wanted to at least warn the community. From research, it appears that I am not the only one to have had a “run in” with this “Hot Iron” nonsense. Attention all Norton/Symantec Employees- please update N360’s definitions to reflect HotFixInstaller.exe as crimeware.
05-14-2012 03:29 PM
Did you try running Norton Power Eraser for this threat?
If not, please try that & check whether it detects this as a threat.
05-15-2012 01:47 PM
Can you submit the details here?
Also, provide me the tracking number once you finish the submission.
05-16-2012 02:18 AM
Ah, it is good to see that I have the attention of a Norton/Symantec Employee if, indeed, “HarryP” works for the organisation. To be honest, this situation is “hairier” (so to speak) than I once believed - - and may be un-winnable sans a re-image. I am noticing duplicity as well as random (seemingly innocent) “.exe’s” appearing under “Processes” of Task Manager, e.g. “PresentationFontCache.exe”. I have been deleting rogue copies of processes in Sys32 (1), however, I may be attacking tentacles of the hydra versus the “main head” if you will. I believe I may know where the heart of the beast lies; then again, I am attempting to establish some modicum of peace within Task Manager - - potentially an impossibility until I delete the “.exe’s” for HotFixInstaller in the registry. We’ll see how this goes. It may be an uphill climb if this crimeware is outputting frauds of my files. At first glance, there were two wuauclt.exe’s under Task Manager. ONE is for Win Update. Come to find out, the second, which is why I previously alluded to a wuauclt Trojan, may be Malwarebytes’ Chameleon Tech. Chameleon Tech allows MBAM to run unbeknownst to malware. It’s funny, in Sys32, the sig of the second wuauclt was MBAM Corp. Going back to “PresentationFontCache”, this is an unnecessary file in Win XP and CAN be deleted. This is where things get interesting. On a clean system, this file can be deleted effortlessly. On the potentially infected machine, the file becomes un-deletable. Suspicious? I think so. More typical behaviour. Even folders implanted on the system for HotFixInstaller cannot be deleted due to a “EULA” that appears to be a Word document ending in .rtf, NOT .doc or .docx. Weird. Amazing, these fiends make it appear as though it is from Microsoft and have their own symbol for their tool, and it is nothing more than over-glorified scareware. Amazing how sophisticated this stuff is getting.
I know it wasn’t from Microsoft because on another XP Professional system, in the recent Windows updates, not ONE was for a so-called “HotIron Hotfix”, not to mention the high CPU spikes on the other machine thanks to that process. I have already deleted one of these folders much to the dismay of HarryP (for Symantec submission purposes); however, there are another three just like it. Again, traditional means could NOT delete that folder; I had to employ Malwarebytes’ “FileAssassin” (then re-start my computer for the offenders [in that folder] to be quenched). Very complicated indeed, but, kudos to Malwarebytes’ “FileAssassin”.
I guess I will eventually run Norton’s “Power Eraser”, though it has not moved me in the past. For me to be coherently connected to something, it has to speak to me. Let me translate. In the past, I deliberately made various alterations to a system (using gpedit), for example taking away the “run” functionality in XP Prof., to see if NPE would detect this. NPE didn’t - - MBAM did. Additionally, does not the NPE usually attempt to connect to the Internet to check for updates? Daresay, I do not desire to connect to the Internet with this system even in Safe Mode with Networking UNTIL I have cleansed this system (not with holy water) to the best of my ability. When this first happened, I immediately quashed Internet connectivity, as this is their venue. In some respects, I enjoy the thrill of the hunt and the ability to document (myself) where changes have occurred. Just running “removal tools” kind of takes the science out of it. I like to think that I can dust off my logic swords and see if I can match wits with these virus programmers of today. Although, undoubtedly, sooner or later, I will probably be on the phone directly with Symantec with my $100 offering to the all-powerful Norton gods. (laughs). I must admit, traditional areas where I thought this suspiciousness would have been, i.e. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - - let me down.
No worries Mr. Norton/Symantec, despite this hiccup, I still value Norton’s product enough that I WILL be renewing my subscription. Countless times Norton as well as MBAM have blocked attacks; I cannot and will not tar and feather the companies over this matter. Your protection is still, far and away, 100% better than what is currently on the market. Realistically, with the way the threatscape has evolved, to no longer college students writing joke programs, but, impoverished persons in underdeveloped nations writing new virus programs to sustain themselves, it is impossible that every definition will be accounted for. You try your best, and, in large part, that is why you rely upon the aggregate intelligence of the communities. I blame myself. Many times I will go to Websites I know are trouble just to give fellow reviewers on Safe Web first-hand working knowledge NOT theory/speculative info on why, specifically, a site is dangerous. In essence, I take one for the team.
P.S.- Getting back to submitting, maybe I will make duplicates of the files (save them to a memory key) then, could I e-mail you the folders (HotFixInstaller.exe created) as attachments for you to analyse them?
1- Based on a clean system. This may be my “quack science”, however, if the two systems are virtually identical, it stands to reason.
05-24-2012 05:57 PM - edited 05-24-2012 06:12 PM
Hotiron Hotfix Installer (hotfixinstaller.exe) is a Microsoft process that is involved with the installation of Windows updates. The folder can sometimes be left behind on C:\ following the installation of a Microsoft patch. It is not malware.
05-25-2012 12:44 AM
Say it ain’t so Send, say it ain’t so. You know I love you Send, but on this, I think I am going to have to respectfully dissent.
Granted, I have seen documented cases where people (on other discussion forums) are explaining that it is legit; however, I have also seen users documenting that this “HotFixInstaller” rendered their system useless. The latter was the case for me. I noticed random CPU spikes- 15%, 30%, 70%, back down to 20% (basically randomness) that you would typically see with worm behaviour or Jos. A. Bank clothier promotions, lol.
Another red flag. I went into N360 6.0 “Show All Running Processes” - - HotFixInstaller.exe was NOT there, yet, it was running under Task Manager. If that isn’t downright suspicious, I don’t know what is. Why did you put it in lowercase? This is exactly how the one on my test system appeared: HotFixInstaller.exe.
Bottom line, I am thinking that this might be another case like svchost. Svchost can be a legitimate process, but, in other cases, it can be rogue as evidenced here: http://www.processlibrary.com/search/?q=svchost.ex
05-25-2012 10:07 AM - edited 05-25-2012 10:28 AM
CPU spikes like that are completely normal - especially if updates are being installed at the time. That should not be a concern. As to what you will find posted on the internet, I don't think I have ever researched any executable file without finding someone who claimed the particular file is malicious. Malware writers can name their files anything they like, and they often do choose to borrow or approximate the names of legitimate files. Svchost is a good example. Of course, every Windows PC always has several instances of svchost running, so the odds are, on all but a small fraction of these machines, the svchost processes are completely normal. Finding svchost running on a machine is not a cause for concern.
The reason I posted is that Norton reported high CPU usage by Hotiron Hotfix Installer on my PC the other day. This was associated with Microsoft's errant posting of redundant and flawed .NET Framework updates on Tuesday - so it was very clear to me that this was all legitimate (albeit, messy). You are certainly familiar with your own machine, and can do your own research to arrive at your own conclusions. I am merely pointing out that if you install Microsoft updates, you may see instances of Hotiron Hotfix Installer - that, by itself, would not be a reason to suspect anything was wrong. Moreover, if you suspect that something is wrong, it could be due to something entirely unrelated to hotfixinstaller.exe. Others who read this thread should not assume that their PCs are infected if they happen to see this process on their own computers.
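The two posts above disagree about whether a process with this name is legitimate, and the point made in the reply is the right one: a file name proves nothing either way, because anyone can name a binary HotFixInstaller.exe, svchost.exe or wuauclt.exe. The check that actually settles it is where the running copy lives on disk, whether it carries a valid Authenticode signature from the vendor it claims to be from (the original poster applied exactly this test to the second wuauclt.exe and found it signed by Malwarebytes), and what persistence it has. The script below is an added example written for this thread, not code posted by any participant or shipped by Norton or Microsoft. It assumes Windows PowerShell 3.0 or later (so it would be run from a machine newer than the XP systems discussed), and it takes the process name under discussion as its only assumption; any other name can be substituted.

```powershell
# Added example, not from the thread: triage a process name that may be a
# legitimate Windows component or an impostor borrowing its name.
# Assumes Windows PowerShell 3.0 or later. $ProcessName is the name under
# discussion in this thread; swap in any other name to triage it the same way.
$ProcessName = 'HotFixInstaller'

function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '')
    } finally { $sha.Dispose() }
}

# 1. On-disk location, parent and command line of every running instance.
#    A Windows component runs from under $env:SystemRoot; a copy in a temp or
#    profile directory, or two copies in different folders, is a red flag.
$instances = Get-CimInstance Win32_Process -Filter "Name = '$ProcessName.exe'"
if (-not $instances) { Write-Host "No running process named $ProcessName.exe" }

foreach ($p in $instances) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    Write-Host "PID $($p.ProcessId)  path: $($p.ExecutablePath)"
    Write-Host "  parent:    $($parent.Name) (PID $($p.ParentProcessId))"
    Write-Host "  cmdline:   $($p.CommandLine)"
    if (-not $p.ExecutablePath) { continue }   # access denied, or the process has exited

    # 2. Authenticode. A genuine Microsoft binary has Status 'Valid' and a signer
    #    chaining to Microsoft. 'NotSigned' or 'HashMismatch' on a file that
    #    presents itself as a Microsoft update component is the strongest single
    #    indicator this script produces.
    $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
    Write-Host "  signature: $($sig.Status)"
    if ($sig.SignerCertificate) {
        Write-Host "  signer:    $($sig.SignerCertificate.Subject)"
    }

    # 3. Hash for a sample submission or lookup, plus the version resource,
    #    which impostors frequently leave blank or fill with the wrong vendor.
    Write-Host "  sha256:    $(Get-Sha256 $p.ExecutablePath)"
    $ver = (Get-Item $p.ExecutablePath).VersionInfo
    Write-Host "  company:   '$($ver.CompanyName)'  description: '$($ver.FileDescription)'"
}

# 4. Persistence. The HKLM Run key alone is not enough: also check RunOnce,
#    the per-user hive, services and scheduled tasks for the same name.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $k = Get-Item $key
    $k.GetValueNames() | ForEach-Object { "$key\$_ = $($k.GetValue($_))" }
}
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $ProcessName } |
    Select-Object Name, State, StartMode, PathName
schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match $ProcessName } |
    Select-Object TaskName, 'Task To Run', 'Run As User'
```

Run it from an elevated prompt so that ExecutablePath is readable for processes owned by SYSTEM. The decision rule is the signature line: a file that is validly signed by the vendor whose name it carries and runs from its expected directory is what it claims to be, however its CPU usage looks; a file with no signature, a broken signature, or a signer that does not match the version-resource company name is the thing to submit for analysis, along with the hash the script prints.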
05-25-2012 01:03 PM
Ah, it is good to see that I have the attention of a Norton/Symantec Employee if, indeed, “HarryP” works for the organisation.
Do you really think that one can log on here and pretend to be a Norton Staffer, get the red name? Please don't post questions like that.
[ ... ]
You try your best, and, in large part, that is why you rely upon the aggregate intelligence of the communities. I blame myself. Many times I will go to Websites I know are trouble just to give fellow reviewers on Safe Web first-hand working knowledge NOT theory/speculative info on why, specifically, a site is dangerous. In essence, I take one for the team.
Again, do you really think that because SONAR uses data from users that that is all Norton does to protect us? I hope you don't get infected by your investigations but again, fortunately for the rest of us, Norton does a lot more than depend on us users to tell them what is dangerous out there.
05-26-2012 12:44 AM
Hello again Send and Hugh,
Funny thing, I wasn’t installing Win updates. Yeah, I’m not really buying the argument that what I’m dealing with is connected to legitimate Microsoft processes. For example, I have another system pretty much identical to the “test” system, and on that machine I happened to get the recent slew of Win updates and not one was for a so-called ‘Hot Iron’ Hotfix, let alone leaving multiple residual files on C:\. Further, at the time this ‘Hot Iron’ debacle ensued, I noticed a suspicious command-prompt-esque window open for approx. three seconds, execute some commands, then magically close as quick as it came. Too bad I couldn’t have captured the screen at that moment. However, I have noticed this behaviour related to installation of malware in the past. This method seems to be gaining momentum in order to work around security programs in the GUI. I have apprised Norton/Symantec Employees (via phone) that this avenue for attack MUST be addressed in future Norton security suites for Symantec’s competitiveness. When you explain, “I don’t think I have ever researched any executable file without finding someone who claimed the particular file is malicious.” Yes, but the symptoms documented matched mine pretty copacetically.
Knowing my luck, I’m the “small fraction” that gets affected by the malware.
When you say, “Norton reported high CPU usage by Hotiron Hotfix Installer….” Again, that is another thing that disturbs me. Norton could not recognise that this process was running, when it was!
You explain, “if you suspect that something is wrong, it could be due to something entirely unrelated to hotfixinstaller.exe.” No way. All manner of questionableness commenced the second this ‘HotFixInstaller’ went into action. “Others” will ultimately have to deduce for themselves, however, in my mind, the possibility of this being benign is shrinking by the second - - to the place where I am in the process of turning in the residual components for evaluation.
Hugh, imposters are everywhere. Just because someone parades around with a fancy name badge means jack crud. However, in subsequent e-mails back and forth it is becoming more solidified in my mind, that, in fact, “HarryP” IS a genuine Symantec Employee. As for the second comment, this probably won’t be the last time I get stung by malware, but it is for the greater good. I would add that Norton’s IPS/Virus definitions have undoubtedly exponentially increased thanks to the contributions of reviewers such as those found on Safe Web.
I have to laugh. I faced a similar situation when I had grappled with the horribly annoying Adware.DoubleD infection back in 2009, which, coincidentally, Norton “missed the boat on” (so to speak). I was correct then, and I believe history is repeating itself - - it is just a question of how long Norton desires to wait before they include this ‘HotFix’ in their rapid release definitions. For the sake of everyone’s computers, I hope that it is sooner rather than later.