
What is the normal location for hotfix.exe on XP?


10 replies to this topic

#1 kurtgillis12


Posted 22 November 2016 - 01:01 AM

Mine is here. Is this right?

 

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates

 

 

 

Can you guys educate me a bit on this thing? Apparently it's not an essential file. What program did I download to obtain it? I know it's a Microsoft file, so probably a Microsoft program. Any idea which one?

 

This site says that it should be on C:\, and if it is in WINDOWS or WINDOWS\system32 it may have been malware. Is that what happened here? http://www.file.net/process/hotfix.exe.html

 

Also, Bleeping Computer's own database says I should get rid of it. I've read that it can monitor applications and can act as a keylogger. Is it doing this by default? Is this even correct? How would one use it for these purposes?


Edited by hamluis, 22 November 2016 - 09:33 AM.
Moved from XP to Am I Infected - Hamluis.




#2 joooneto


Posted 22 November 2016 - 10:35 AM

C:\Windows\softwaredistribution\download



#3 bwv848


Posted 22 November 2016 - 11:40 AM

Hi there!

I presume you are talking about this entry in the Bleeping Computer Startup Programs Database. This is not applicable in your situation as the entry is talking about hotfix.exe when it is located in %AppData%.

Instead, let's scan the file with VirusTotal:

• Go to virustotal.com
• Hit Choose File and browse your computer for the file we want to scan, C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
• Click Open and then Scan it!
• If the file has been already analyzed, please click Reanalyse, otherwise the file will automatically be scanned.
• Copy and paste the URL of the VirusTotal report in your next reply, once it has been scanned.

Thank you.
 


If I do not reply in three days, please message me.
 
BC BSOD Posting Instructions | Carrona BSOD Index | Driver Reference Table (DRT)


#4 kurtgillis12


Posted 22 November 2016 - 03:50 PM

Is that where yours is?



#5 kurtgillis12


Posted 22 November 2016 - 04:00 PM


https://www.virustotal.com/en/file/f2cc47d2f536b8edfd1a8f702e18c8e21972ae6cb1df65242ad183e02db50d74/analysis/1479848019/

 

 

But what about that other link I posted? That said it should not be in the Windows directory. :(

 

Whether it is malicious or not, apparently it still is a keylogger regardless. Do you think there is a file somewhere on my system that contains the keylogged info?

 

Just out of curiosity, do you have it in the same directory as me?

 



#6 bwv848


Posted 22 November 2016 - 05:16 PM

Hello again,

In my opinion, there is no reason to believe that hotfix.exe is a keylogger. file.net is probably wrong. As you can see, the file has a 0/55 detection ratio on VirusTotal. Furthermore, according to these three sources, the file is related to ASP.NET Security Update for Microsoft .NET Framework 1.1 Service Pack 1/Microsoft .NET Framework 1.1 Hotfix (KB886903).

As you can see from our very own Uninstall Programs Database (highlights are mine):
 

Description: Add or Remove Programs entry for Microsoft .NET Framework 1.1 Hotfix (KB886903). This security update for .NET Framework 1.1 addresses a vulnerability in ASP.NET that could allow elevation of privilege and information disclosure.

A canonicalization vulnerability exists in ASP.NET that could allow an attacker to bypass the security of an ASP.NET Web site and gain unauthorized access. An attacker who successfully exploited this vulnerability could take a variety of actions, depending on the specific contents of the website.

Uninstall Command: "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903Uninstall.msp"

And this is from the official Microsoft download page:
 

A security issue has been identified that could allow an attacker to compromise a computer running .NET Framework 1.1 SP1.

 
And this is from the KB page:
 

Microsoft has released security bulletin MS05-004. The security bulletin contains all the relevant information about the security update, including file manifest information and deployment options. To view the complete security bulletin, visit the following Microsoft Web site:

 
Additionally, please read very carefully what file.net said about hotfix.exe (highlights are mine):
 

If hotfix.exe is located in a subfolder of the user's profile folder, the security rating is 60% dangerous. The file size is 895,488 bytes (50% of all occurrences) or 564,736 bytes. There is no file information. The program has no visible window. It is not a Windows system file. Hotfix.exe is able to record keyboard and mouse inputs and monitor applications.

 
The user's profile folder is %userprofile%, commonly C:\Users\yourusername\, not %WinDir%.
 
I personally don't use XP currently, so I don't know whether hotfix.exe will be in the same directory it should be, if I install all Windows Updates. Curiously, what made you so concerned about this file?
 
P.S. If you'd like we can run some malware scanners to ensure your computer is clean.

Edited by bwv848, 22 November 2016 - 08:19 PM.
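
The two checks discussed in the post above (which folder hotfix.exe sits in, and whether a VirusTotal report is for the exact file on disk), as an added example that is not part of the original thread. The function names and the default `windir` and `profile` values are assumptions made for illustration; pass the real %WinDir% and %UserProfile% of the machine being checked.

```python
import hashlib
import ntpath
import re

# Folder named in the KB886903 uninstall command quoted in the thread.
DOTNET_UPDATES = r"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates"

def _norm(p):
    # Windows paths are case-insensitive: lowercase and unify separators.
    return ntpath.normcase(ntpath.normpath(p)).rstrip("\\")

def classify_location(path, windir=r"C:\WINDOWS",
                      profile=r"C:\Documents and Settings\user"):
    """Map the folder holding hotfix.exe to the cases raised in the thread.
    windir and profile are assumed defaults, not values from the thread."""
    folder = _norm(ntpath.dirname(path))
    win, prof = _norm(windir), _norm(profile)
    if folder == _norm(DOTNET_UPDATES):
        return "dotnet-update-installer"   # matches the uninstall command
    if folder == prof or folder.startswith(prof + "\\"):
        return "user-profile"              # case file.net rates as dangerous
    if folder in (win, win + "\\system32"):
        return "windows-root-or-system32"  # case named in file.net's warning
    if folder.startswith(win + "\\"):
        return "other-windows-subfolder"
    return "elsewhere"

def sha256_from_vt_url(url):
    """Extract the 64-hex-digit SHA-256 from a VirusTotal report URL."""
    m = re.search(r"/file/([0-9a-fA-F]{64})(?:/|$)", url)
    return m.group(1).lower() if m else None

def sha256_of_file(path, chunk=1 << 16):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def report_matches_file(url, path):
    """True only if the report URL refers to exactly the bytes on disk."""
    expected = sha256_from_vt_url(url)
    return expected is not None and expected == sha256_of_file(path)
```

A matching folder is only a hint; the hash comparison is what ties a clean report to the file actually present on the machine.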



#7 joooneto


Posted 22 November 2016 - 05:42 PM

 

Is that where yours is?

 

 

Yes. As far as I know, that is where they're installed.



#8 kurtgillis12


Posted 23 November 2016 - 12:42 AM


 

I already ran scanners. Nothing detected it as malware. I guess this part freaked me out, "Important: Some malware camouflages itself as hotfix.exe, particularly when located in the C:\Windows or C:\Windows\System32 folder, for example Trojan-Spy.Win32.Zbot.avoy or Trojan.Win32.FakeAV.smw (detected by Kaspersky), and TROJ_GEN.R3EC3LC or TROJ_GEN.R47C2KK (detected by TrendMicro). Therefore, you should check the hotfix.exe process on your PC to see if it is a threat. We recommend Security Task Manager for verifying your computer's security. This was one of the Top Download Picks of The Washington Post and PC W"

 

 

 

Mine was in the Windows directory, albeit not in JUST windows or windows32, so I guess that's not the same.

 

If a program is said to monitor applications, what does that mean?



#9 bwv848


Posted 23 November 2016 - 11:28 AM

Greetings,

I think it is safe to assume that "monitor applications" can be understood how you would normally understand the phrase. :) Like it can see what programs are doing...

Again, please don't take everything that file.net said verbatim.
 

P.S. If you want to use a different system monitor other than Task Manager, I think Process Explorer would be a better choice.




#10 kurtgillis12


Posted 24 November 2016 - 07:27 PM


 

 

Does it mean that it could see when you have Internet Explorer open, for example? Can it monitor what sites you visit as well?



#11 bwv848


Posted 24 November 2016 - 08:07 PM

No, I don't think so. It's just a security update for the .NET framework.






