Hacktool.Unknown Detected by AV Removed - Returns After Startup

B

BarbC

New member
Re: Hacktool.Unknown Detected by AV Removed - Returns After Startup

First my apologies if you do not consider this Malware. I personally don't know what classification this file falls into. All I know is it won't go away and I've been dealing with it since May 4th.

Initially on May 4th, Norton 2007 detected this file at startup, logged it simply as "Hacktool" and automatically removed the threat:

C:Windows\Temp\nspc.tmp

Ever since then, a version of the file (name changes slightly each time) returns when I restart. I noted each file was also submitted to Symantec automatically, so I suspected the file was being analyzed. (File variations such as nsj3.tmp, nsn3.tmp, n3l3.tmp, nsc2.tmp, etc.)

As of the May 10th .dat files from Symantec, the file is detected by Norton as "Hacktool.Unknown" and now requires a manual deletion.

http://securityresponse.symantec.com/security_response/detected_writeup.jsp?name=Hacktool.Unknown

Because of the nature of Hacktools, I do not feel comfortable just simply deleting the file. I want to stop the file from being recreated! I have run all kinds of scans, purged everything out of Temp, Prefetch and %Temp%.

I have an open case with Symantec's Virus Removal support, but after 2 tries have gotten nowhere. The Symantec technicians repeated the clearing of the folders I've cleaned up, have run tools to clean anything else they could identify. Yet the file is recreated after startup, always with a new variation in the name.

Add insult to injury - my husband's PC (which he rarely uses) came up with 770 Hacktool.Unknown yesterday. We are not networked; merely share a router for his wireless connection. I now have it to the same point I am now, with 1 file being created after startup.

Symantec has not agreed this could possibly be a false positive. I've Googled for any hint that others have encountered this.

Logs to follow. Please help!

Barb
 
Online Scan: eTrust Antivirus Web Scanner
http://www.ca.com/us/securityadvisor/virusinfo/scan.aspx

No document to provide. Clean scan!

Scan Results: Scan Completed. 48489 files scanned. No viruses found.

File Infection Status Path

- No Infections


Spybot S&D, up-to-date, was run in Safe Mode

> Problem Fixed: Microsoft Windows ActiveDesktop registry change


Hijackthis Installed

Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:41:58 AM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\blueroam_client\bin\Wrapper.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Java\JRE15~1.0_0\bin\java.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: blueRoam VPN Client (clientconnect) - Unknown owner - C:\Program Files\blueroam_client\bin\Wrapper.exe" -s "C:\Program Files\blueroam_client\conf\wrapper.conf (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
 
Additional info for your assessment.

Since the files start with "ns", I contacted Mozilla Firefox, since many of their files start with "ns" as well (from the "netscape" years). They suggested I have the file analyzed by VirusTotal, which I did. It's interesting to see that a few others feel this file is suspicious, especially Webwasher-Gateway's.

Complete scanning result of "nsl2.zip", received in VirusTotal at 05.13.2007, 19:19:26 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.10.0 05.11.2007 no virus found
AntiVir 7.4.0.15 05.12.2007 no virus found
Authentium 4.93.8 05.12.2007 no virus found
Avast 4.7.997.0 05.11.2007 no virus found
AVG 7.5.0.467 05.13.2007 no virus found
BitDefender 7.2 05.13.2007 no virus found
CAT-QuickHeal 9.00 05.12.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 05.13.2007 no virus found
DrWeb 4.33 05.13.2007 no virus found
eSafe 7.0.15.0 05.13.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3628 05.11.2007 no virus found
Ewido 4.0 05.13.2007 Backdoor.Small
FileAdvisor 1 05.13.2007 no virus found
Fortinet 2.85.0.0 05.13.2007 no virus found
F-Prot 4.3.2.48 05.12.2007 no virus found
F-Secure 6.70.13030.0 05.11.2007 no virus found
Ikarus T3.1.1.7 05.13.2007 no virus found
Kaspersky 4.0.2.24 05.13.2007 no virus found
McAfee 5029 05.11.2007 no virus found
Microsoft 1.2503 05.13.2007 no virus found
NOD32v2 2262 05.12.2007 no virus found
Norman 5.80.02 05.11.2007 no virus found
Panda 9.0.0.4 05.13.2007 Suspicious file
Prevx1 V2 05.13.2007 no virus found
Sophos 4.17.0 05.11.2007 no virus found
Sunbelt 2.2.907.0 05.12.2007 no virus found
Symantec 10 05.13.2007 Hacktool.Unknown
TheHacker 6.1.6.114 05.12.2007 no virus found
VBA32 3.12.0 05.13.2007 no virus found
VirusBuster 4.3.7:9 05.13.2007 no virus found
Webwasher-Gateway 6.0.1 05.13.2007 Worm.Win32.Malware.gen (suspicious)
 
Additional info for your assessment.

I've scanned my "idle" system with RootkitRevealer.

> Technical details at Microsoft Sysinternals indicates that the bolded information should never be reported as a discrepancy.

> It also suggests that "Key name contains embedded nulls" is a technique used by malware and rootkits to hide registry data. There is a tool to delete keys with embedded nulls (Regdellnull), but I'm not going that route unless advised to do so. I'm merely trying to compile as much information as I can for a hopeful resolution.

HKLM\SECURITY\Policy\Secrets\SAC* 9/16/2006 5:46 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 9/16/2006 5:46 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollManager\currentPollMinutes 5/13/2007 3:45 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollManager\lastGoodTime 5/13/2007 3:45 PM 32 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\23B3EEC0.TMP 5/13/2007 3:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD 5/13/2007 3:37 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL 5/13/2007 3:37 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
 
After a very long week, Symantec running every perceivable scan known to man on my PC, finding a backdoor CO_mon.sys and in the end reformatting my hard drive - *sigh* ............

My original concern, flagged by Norton as "Hacktool.Unknown", is appearing to be a false positive against BlueRoam VPN, due to Bloodhound heuristics on .dat files after 5/3/07. Now the waiting game for the final conclusion.

I've been through "Holy Hell" virus removal support for the last week. :eek:

Glad I can take one pending support ticket off your list though. Keep on plugging on!
 
You must log in or register to reply here.
Back
Top