
Hacktool.Km detection

I have a Windows 10 PC with Norton Internet Security version 22.9.1.12. I noticed an item in my quarantine folder, detected as Hacktool.Kms; it was noted as a Medium Risk. It was detected by the virus scanner part of Norton (on a quick scan) dated 4/8/17 and found in C:\Windows\autokms.log. The file quarantined doesn't show to be an exe file but this log file.

In the past (about 1 year ago, April 2016) there was an item quarantined called autokms.exe that was removed and placed in quarantine. That threat was considered "low". So I'm not sure if the 2 might be related.

Interestingly, a scan ran on 4/7/17 and it didn't detect anything. However, the next day a scan detected this. Any idea why it may be that it wasn't detected in the previous scan? Did definitions change? I ran another scan this morning and it came up clean. I also checked my C drive and there is no autokms.exe or autokms.log.

Labels: Virus

Replies


Re: Hacktool.Km detection

It appears that the specific signature definition was updated on the 11th of April 2017, which might explain the fact that it wasn't detected before (you might be able to check the LiveUpdate history to validate this): https://www.symantec.com/security_response/writeup.jsp?docid=2017-022016...

Re: Hacktool.Km detection

I thought that, but the scan that detected it was done April 8 2017, a few days before the detection was added.

Re: Hacktool.Km detection

You can check the page below for updates to the specific signature: https://www.symantec.com/security_response/definitions/certified/ I would recommend performing a full scan with Norton as well as using a second scanner (for example Malwarebytes). Both can coexist on your desktop with no issues.

Re: Hacktool.Km detection

Also, I notice the item quarantined is not an exe file but .log; not sure exactly how that plays a role.

Re: Hacktool.Km detection

I assume it's probably related to the key generator tool detected initially (it might seem like a .log file but might not necessarily be one). If you have a hash or can upload it to VT, we could possibly see what it is triggering on.

Re: Hacktool.Km detection

Cool, so it may just be a leftover log file that initially wasn't detected but now was? And does it mean that there was no exe file left? That the detection might just be because of new signatures?

Re: Hacktool.Km detection

It's hard to tell exactly, as the file is now quarantined. You could potentially look at the creation time of the file to see if it was created during that time (April 2016). You can still get the original file from the quarantine folder (magic!) and confirm, but that seems a bit overkill for a hacktool. Performing a full scan with Norton and using a second scanner will confirm that everything is OK!
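
The checks suggested in the replies above (creation time, a hash to look up on VirusTotal, and whether the .log file is really a log), as an added PowerShell example that is not part of the original thread. The path is a placeholder for wherever a copy of the flagged file is available, and `Get-FileTriage` is a name made up for this example.

```powershell
# Added example (not from the thread): inspect a flagged file without running it.
param(
    # Placeholder path: point this at a copy of the flagged file.
    [string]$Path = 'C:\Triage\autokms.log'
)

function Get-FileTriage {
    param([Parameter(Mandatory = $true)][string]$LiteralPath)

    $item = Get-Item -LiteralPath $LiteralPath -Force -ErrorAction Stop

    # Read only the first 512 bytes; the file is never executed.
    $buffer = New-Object byte[] 512
    $stream = [System.IO.File]::OpenRead($item.FullName)
    try     { $read = $stream.Read($buffer, 0, $buffer.Length) }
    finally { $stream.Dispose() }
    $head = if ($read -gt 0) { $buffer[0..($read - 1)] } else { @() }

    # 'MZ' (0x4D 0x5A) starts a Windows PE executable, whatever the extension says.
    $isExe = ($read -ge 2 -and $buffer[0] -eq 0x4D -and $buffer[1] -eq 0x5A)

    # A UTF-16 byte-order mark means text even though it contains NUL bytes.
    $utf16 = ($read -ge 2 -and (
        ($buffer[0] -eq 0xFF -and $buffer[1] -eq 0xFE) -or
        ($buffer[0] -eq 0xFE -and $buffer[1] -eq 0xFF)))
    # Otherwise treat NULs or other control bytes (except tab, LF, CR) as binary.
    $control = @($head | Where-Object { $_ -lt 0x20 -and $_ -notin 9, 10, 13 })
    $isText  = ($read -gt 0) -and ($utf16 -or $control.Count -eq 0)

    [pscustomobject]@{
        Path          = $item.FullName
        SizeBytes     = $item.Length
        CreatedUtc    = $item.CreationTimeUtc
        ModifiedUtc   = $item.LastWriteTimeUtc
        SHA256        = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        StartsWithMZ  = $isExe
        LooksLikeText = $isText
    }
}

Get-FileTriage -LiteralPath $Path | Format-List
```

Copying a file on Windows gives the copy a new creation time, so compare `CreatedUtc` against the April 2016 detection only for the file in its original location. The `SHA256` value can be searched on VirusTotal without uploading the file.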

Re: Hacktool.Km detection

Hello

Here is the Symantec write up for that particular Hacktool.

https://www.symantec.com/security_response/writeup.jsp?docid=2017-022016-1327-99

Thanks.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.

Re: Hacktool.Km detection

When you say creation time of the file, do you mean the .log file? How would I do that without taking the file out of quarantine? To Flo: I see they updated the def 4/17/17 but the detection was 4/8/17, so it was before the updated case :(

Re: Hacktool.Km detection

Hello

Are you trying to get an illegal key for Office? That is what this is used for.


Hacktool.Kms is a tool used to generate keys for illegitimately-obtained versions of Microsoft Office. It may also download harmful files and deteriorate the performance of the computer


The use of a key-gen is not worth the trouble it has caused besides the fact that it is illegal. The above quote is taken from the Symantec write up in my previous post.

If you have not used a key-gen, then please submit to Symantec for further analysis.

Please use this link if you think that a file is a false positive:
https://submit.symantec.com/false_positive/
If there is a possibility that the file might be infected, please submit it to Symantec using this link:
https://submit.symantec.com/websubmit/retail.cgi?OpenDocument&src=submit

Another alternative which is fast: you can use VirusTotal.

http://www.virustotal.com/index.html

Let us know how you made out.

Thanks.




 

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.

Re: Hacktool.Km detection

I believe the copy of Microsoft Office is legit. How can I confirm that? I still get the Microsoft Office updates from Microsoft. Would I not get updates if it's an illegit copy?

Re: Hacktool.Km detection

Hello g_arm

You can use Google to look up that topic according to the Office type and year. Microsoft will have the answers to those types of questions.

Thanks.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.

Re: Hacktool.Km detection

Thanks. If it's not legit, would I still get the updates for Windows Office from Microsoft?

Re: Hacktool.Km detection

Hello

I believe that there is a licensing file in Office that does check. If you were able to activate the program, then the key should be good. I have seen that file somewhere in Office.

The Hack that was listed is used to make illegal keys. I guess some keys do work even if illegal.

Thanks.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.

Re: Hacktool.Km detection

I know we didn't purchase an illegal copy. I know the school district where we are employed allows staff to use their copy of Windows Office on home PCs/laptops, as staff tend to do a lot of school work functions at home on their own time. So I think the activation comes from the product they have.

So would it not be too far of a stretch to say that this detection is most likely not some type of malicious infection? (The detection of the log file, I mean.)

Re: Hacktool.Km detection

Hello @g_arm. You stated that your copy of Office was purchased through your school district; therefore they should be running a dedicated KMS licensing server for these particular installs to activate from. You would have to be connected to THEIR network in order for a legit copy to activate, since it will look for the licenses on their server. Otherwise it will not activate. As @floplot previously stated, the install you are seeing DOES indeed have a keygen embedded for the sole purpose of bypassing the need to connect to the school district's network in order to activate. The registry within Windows will always have entries for the keygen as long as it remains installed on your system, and you will continue getting these notices from your AV product. Your best options are to activate the install by connecting to their systems, or remove the install and contact the school district for replacement media.

"From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Home / Professional x 64 version 1903 / build 18362.239 / N360 Deluxe 22.17.3.50 / Norton Core v.282 on Android 2.00

Re: Hacktool.Km detection

No, it wasn't purchased. The school IT department let people take the CD and download Windows Office.

Re: Hacktool.Km detection

@g_arm I'm confused that you have the media disc yet had to also download. Your media CD should have sufficed, as it is all you needed to install your product. Updates are after the fact through Windows updates. Provided you were connected to their network, it should have activated with their license through their KMS server. The download you mention is more than likely where your issue lies, as it was not needed. Do you remember where the download came from? Was the download a single packaged exe file? Thanks.

"From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Home / Professional x 64 version 1903 / build 18362.239 / N360 Deluxe 22.17.3.50 / Norton Core v.282 on Android 2.00

Re: Hacktool.Km detection

I'm afraid I may have confused the situation. At the public high school where my wife works, the IT department there has allowed staff to take the Windows Office disk home so that Windows Office can be installed on personal at-home laptops and PCs. It isn't purchased from the school or downloaded from the school servers; they actually give you the disk so you can install, then you return the disk. The IT people there say that it's OK to install since the school purchased the program for many, many PCs and laptops. So maybe they really are not allowed to do that?? Could that be the issue here?

Re: Hacktool.Km detection

@g_arm For there to be a C:\Windows\autokms.log detected means a "crack" was introduced to bypass activation. Older Office products activate with one of two methods: VLM (volume licensing) or KMS (Key Management Server). The first would suggest the school has a certain limit to the number of installs on their license. The latter indicates a license on their systems where you MUST connect to their infrastructure to activate the product. This is a one-time event and doesn't have to be repeated for the particular install. The particular log entry is evidence a keygen or crack was introduced at some point during the media install. If the media disc you have is NOT a Microsoft authentic disc and is a burned copy, the keygen is more than likely burned onto it. If your product is NOT activated, I would uninstall it and reinstall from the disc media again and see if it will activate. And watch for the detection of a keygen. If all goes well, just delete the entry C:\Windows\autokms.log and remove temp files from your system. Reboot.
"From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Home / Professional x 64 version 1903 / build 18362.239 / N360 Deluxe 22.17.3.50 / Norton Core v.282 on Android 2.00

Re: Hacktool.Km detection

So could it be possible that the school IT woman who gave the disk out may have burned a key crack onto it?

Re: Hacktool.Km detection

@g_arm That certainly COULD be the case. I am in no way insinuating that, although it seems to be the only valid source if there wasn't a download to crack the activation after the install. Cracks are usually tied to the install process. I would uninstall the program and find another source for getting your software.

"From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Home / Professional x 64 version 1903 / build 18362.239 / N360 Deluxe 22.17.3.50 / Norton Core v.282 on Android 2.00

Re: Hacktool.Km detection

If I may...

The original post was about the detection and quarantine of the .log file. The original .exe was quarantined a year ago. If the user was trying to crack Office, he would not have come here asking about the file. My guess is it may have gotten downloaded alongside something else, as the information floplot linked to noted it is also used to download other malware. 

I also do not think it has anything to do with the copy that was obtained from the school. I too took advantage of some software that had been purchased by my employer. The license the employer had allowed employees to use the software at home legally. As noted, it could be that the school has a 50 client license and only uses 2 or 3 at the school.

The new definitions may have given Norton's scanning features more detail about leftovers from the .exe detection that allowed the detection of the .log file left behind.

I'm sure the system is clean of this threat.

Back to you....

Things happen. Export/Backup your Norton Password Manager data.

Re: Hacktool.Km detection

I believe that was the point I made all along @peterweb. Unsubscribed from this thread. Thanks.

"From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Home / Professional x 64 version 1903 / build 18362.239 / N360 Deluxe 22.17.3.50 / Norton Core v.282 on Android 2.00

Re: Hacktool.Km detection

Thanks all. So it sounds like, bottom line, this log detection is nothing for me to be concerned with in that it's some kind of malicious infection? I know nothing is 100% certain, but would a knowledgeable person say that?

Re: Hacktool.Km detection

Any illegal software is dangerous. It is difficult to know the intentions of pirates, and there is a low/medium risk that KMS, for example, is a threat to your confidential information, because it is not always possible to know for sure the maliciousness of an application if the application has a connection with a remote server (the application can, in theory, get dangerous functionality from the server). From Symantec: "It may also download harmful files and deteriorate the performance of the computer"