I ran Live Update followed by a full system scan using NIS2008. Hacktool was detected by virus scanner but the NIS fault message states "Remove Failed. Hacktool cannot be removed from an unsupported file". Risk level is listed as high and when I click on "review" button, nothing happens. Details: [xpkey.exe] inside of [c:\win xp keyfinder.exe]. Also the NIS2008 tab is green which suggests all is well. If I repeat a full system scan in Win safe mode, the same messages appear but NIS still won't remove the hacktool.
Please, does anyone know what's going on here and why has it only started doing this in the last two days?
Many thanks, Melchet.
As you can see, there are several different types of Hacktool. What exactly was found on your system? Have you tried to disable the service that the Hacktool is running while in Safe Mode, then running the full scan? Any more information on this issue is appreciated. Thanks!
Hi, I have got exactly the same thing and I have searched but cannot find anything named xp keyfind.exe any where, it's still there and I cannot get rid of it. Norton said to go into safemode do a scan then delete it but I can't delete it.
Cheers.
Hi Tony,
Thanks for your assistance. I did a full NIS 2008 scan in safe mode which identified the file as a virus but was unable to remove it.
I searched for "win xp keyfinder.exe" in windows explorer (it was in the C:\ root directory) and then deleted it manually (and from the recycle bin), after saving it on a memory stick in case I needed it again. I then rebooted into WinXP and ran a full NIS 2008 scan. The virus has been removed, so no further problem, although I'm not convinced that the file is actually a virus - i.e. an NIS false positive.
I think I originally downloaded keyfinder.exe to find the 25 character Win XP Product Key that came with the OEM WinXP CD.
Thanks again,
Melchet.
Melchet wrote: Hi Tony,
.....
I think I originally downloaded keyfinder.exe to find the 25 character Win XP Product Key that came with the OEM WinXP CD.
An easier, safer way is to download the Belarc Advisor. They are a highly reputable company so you are safe logging onto their website and using the applet. It produces a full report on your hardware and software and includes the KEYs / Serial numbers for a number of applications including Windows.
However OEM KEYs are a special case so I don't know if they are correctly retrieved. But the information is so useful I print a copy out and also save the web page as a file.
I have/had hacktool.exe on my drives as part of a bootable CD recovery kit ..... but NIS2008 removed it doing a full system scan yesterday and didn't even ask me. I must try again to find the Ask me first setting ....
I too have found Hacktool but I am using the Norton through ATT DSL so it is the online version. It only gives me the option of review and then it says to remove while in safe mode but I can't access Norton while in safe mode. This is my code...
[xpkey.exe] inside of [keyfinder.exe] inside of [d:\recycler\s-1-5-21-1343024091-651377827-725345543-1003\dd5.zip]
I have been unable to find the file recycler..
Recycler would be the Recycle Bin, I guess.
To see it you need to Open My Computer, Click on Tools / Folder Options / View TAB and scroll down the list of items.
I change:
- the "radio dot" on the group relating to Hidden files over to (.) Show Hidden Files & Folders
- uncheck Hide Extensions for known file types
- uncheck Hide Protected Operating system files -- it will be unhappy and warn you but do it anyway while trouble shooting but do not delete anything unexpected that may appear, like Desktop Shortcuts labeled Desktop.ini
and OK your way out.
You should find a reference to Recycler on every hard drive but they are all the same if I remember correctly and if you have administrative privileges you could delete files in it -- but you could just Empty Recycle Bin by right mouse clicking on the Recycle bin.
You can also do a lot of cleaning up by right mouse clicking on the icon under My Computer for your hard drive(s) and selecting Properties and click on the Disk Clean button. That will empty Temp files etc.
Hope that helps.
I leave the Hide extensions of known files unchecked because if you have several files with the same name and different extensions you don't see the difference easily -- like you might have on a software disk: setup.exe setup.ini and so on and with that box check you just see you have several setup files.
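As an added example (not part of any post in this thread), the scanner's "inside of" strings quoted above can be read mechanically: the first bracket is the flagged item nested inside a container, and only the last bracket is a file that exists on disk, which is why searching for xpkey.exe finds nothing. The function name `parse_detection` and the result field names are hypothetical; the sample strings are the ones quoted in the thread.

```python
import re
from ntpath import splitdrive

# Detection strings as quoted in the thread (innermost item first).
SAMPLES = [
    r"[xpkey.exe] inside of [c:\win xp keyfinder.exe]",
    r"[xpkey.exe] inside of [keyfinder.exe] inside of "
    r"[d:\recycler\s-1-5-21-1343024091-651377827-725345543-1003\dd5.zip]",
]

# A RECYCLER subfolder is named after a Windows security identifier (SID);
# the final number is the relative ID (RID) of the account.
SID_RE = re.compile(r"\\recycler\\(s-1-5-21(?:-\d+){3}-(\d+))\\", re.IGNORECASE)
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}


def parse_detection(line):
    """Split a nested-container detection string into its parts."""
    chain = re.findall(r"\[([^\]]+)\]", line)
    if len(chain) < 2:
        raise ValueError("expected '[item] inside of [container]'")
    on_disk = chain[-1]  # outermost container: the only real file on disk
    drive, _ = splitdrive(on_disk)
    result = {
        "flagged": chain[0],        # name the scanner reports
        "nested_in": chain[1:-1],   # intermediate containers, if any
        "on_disk": on_disk,         # the file to look for in Explorer
        "drive": drive.upper(),
        "in_recycler": False,
        "sid": None,
        "owner": None,
    }
    m = SID_RE.search(on_disk)
    if m:
        rid = int(m.group(2))
        result.update(
            in_recycler=True,
            sid=m.group(1).upper(),
            owner=WELL_KNOWN_RIDS.get(rid, f"account RID {rid}"),
        )
    return result


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_detection(sample))
```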
I am having the same problem with Norton system scan finding the following hacktool references: [xpkey.exe] inside of [E:\recycler\S-1-5-21-725345543-1580436667-839522115-500]de2.exe] and
[xpkey.exe] inside of [E:\recycler\S-1-5-21-725345543-839522115-500]de3.zip]
I have located the recycler folder on my E: drive, and have searched through all the files in it, but none are xpkey.exe files. Would it be safe to delete all the files and folders in the "E:\recycler...." folders and if so, do you think this would solve the problem? Norton says this is a high risk virus, and yet when I ran Spyware Doctor which I downloaded on a trial basis, it showed three viruses that needed attention, but none of them seemed to be the two in question which Norton consistently finds. Thanks for your help.
Bill
I can't advise you on the best action to take to stop any reporting by NIS that it can't remove a file it flags as dangerous -- look for a message from a Norton Staffer -- name in red -- although there are plenty of others here who know much more about AV and Norton problems than I do.
I'd certainly suggest trying what I mentioned in my earlier message:
<< ... you could just Empty Recycle Bin by right mouse clicking on the Recycle bin.
You can also do a lot of cleaning up by right mouse clicking on the icon under My Computer for your hard drive(s) and selecting Properties and click on the Disk Clean button. That will empty Temp files etc. which is a place where files can hide and cause problems >>
I'd try both and reboot the computer and see what happens.
But keep an eye on here for specific help.
Hi again,
I've searched everywhere and I can't find keyfinder or xpkey anywhere. I'm not that good with computers either! This is what Norton 2008 is telling me. [xpkey inside of d:\winsysxp\keyfinder.exe] and [xpkey.exe inside of keyfinder.exe inside of
d:\winsysxp\kf141.zip] these are two viruses. I emptied the recycle bin as well. Spybot does not pick it up and the only thing that has been done lately is my wife used Norton system works to do a clean up.
Cheers Tomcon
Hi huwyngr Guru. Thanks for the suggestions. I went to the Recycle bin and deleted all files in my E drive. In fact, I deleted all files in all my drives in the recycle bin as I daily backup all that I need to save. The viruses still appeared on the scan, so I next went to the E drive itself and to the recycler folder, and deleted the folder which Norton Scan reported contained the viruses [E:\recycler\S-1-5-21-725345543-1580436667-839522115-500]de2.exe]. Now I get no viruses detected when I run a scan on the E drive, so I guess my problem is resolved.
Thanks again,
Bill
I was finally able to get a clean scan by going and changing the properties on the recycler bin on drive d to hold no files. What I don't understand is why Norton didn't do it for me. I don't know much about computers and I had to go to two different message boards to find out how to fix it... and this one wasn't the one to help. What is the point in having this if I end up doing it manually anyway? Shouldn't Norton have fixed it? I have all my files updated apparently something happened in the past week or two to cause this. Don't know if I will get an answer but wanted to ask all the same.
Have a great day all
Cicely
cicely wrote: I was finally able to get a clean scan by going and changing the properties on the recycler bin on drive d to hold no files.
What I don't understand is why Norton didn't do it for me. I don't know much about computers and I had to go to two different message boards to find out how to fix it... and this one wasn't the one to help. What is the point in having this if I end up doing it manually anyway?
Shouldn't Norton have fixed it? I have all my files updated apparently something happened in the past week or two to cause this. Don't know if I will get an answer but wanted to ask all the same.
Have a great day all
Cicely
If you are asking why Norton did not change the properties of the recycle bin I can't tell you except I would not want it to go around changing my settings on something that can make a difference on recovering an error.
On the general question of this and similar detections I wonder if anyone here has been using a KEY/password recovery utility like MagicJellyBean (yes that is its name! <g>) since it and similar tools that one may download and use for legitimate purposes carry out functions that security programs (and not just Norton -- do a Google on that zip filename and you'll see how many experience this) detect and because it does what malware may be doing it gets flagged. I've lost a hacktool from a number of utilities that I have for legitimate recovery situations (why I keep them on CD too <s>).
You might want to reconsider changing the recycle bin properties so that nothing is kept there back to "normal" now that you have gotten rid of the errant file and know that emptying the recycle bin (including using that DiskClean function on the drive properties) has solved your problem.
Anyway I'm glad you cleared up the problem.
That’s good news – thanks for the feedback.
I am sorry if I sounded harsh.... That was not my intention. I have just been trying to get rid of this file for over a week now and have been scared to do my online business due to the possible security issue. I had emptied the recycle bin and that didn't work; the only way I could get it was to change the properties on the D drive which I don't use.
Again I apologize for the way I worded my last comment and to say since looking around this message board I have found out a lot of things. It is nice where you can go and get answers to your computer questions and not have to pay big bucks :)
I am now able to breathe a sigh of relief and surf safely.
Have a great week all.
Cicely
Thanks for the feedback which adds to the knowledgebase.
I had to reread your message to look for "harsh" and didn't find it <g>
Take care and come back if there is something else you need help on or can pass on to others.
Windows does not usually allow access to files that begin with 's-' followed by a series of numbers separated by dashes. This usually identifies a restore point file that must be 'restored' before its contents are accessible. Simply clearing the Recycle Bin will not eliminate these 'hidden' restore points. You should be able to log on as an administrator and delete the restore point file stored in the recycler.
Sorry... I neglected to read all the posts in the thread. What you did by changing the properties of the 'D' drive was to prevent Windows from storing a copy of the Restore Points there. This can be accomplished by drilling down to Start/All Programs/Accessories/System Tools/System Restore. Click on System Restore Settings... in the left pane, highlight the target drive, choose Settings... and check the box "Turn off System Restore on this drive". If you rely on backups to recover from a drive failure, you will not be able to restore (in this case) the 'D' drive.
A safer method is as I outlined originally, i.e. log on as Administrator and delete the file named in your Symantec report on the 'D' drive.
Thanks Buddy,
I turned off restore for the D drive and it turned up again so I went in and found the xp keyfinder manually and deleted it. It was a lot easier than I was thinking it would be, I deleted everything that had xp key in its name. Not sure whether this will stuff anything up but as I said earlier I don't know much about computers. Thanks again.
Well done guys.
Sounded like a nasty one there ;)