
Tool.exe tried to run

John
John Member ✭✭
A few minutes ago, this program tried to run, but was blocked by my antivirus software. The big question is whether this was an official FR instruction or what would have caused it to run and why? I was using the f3000 when it occurred.
Any ideas?

Answers

  • [Deleted User]
    edited April 2020
    A quick Google came up with this: tool.exe is a process which is registered as a Trojan. This Trojan allows attackers to access your computer from remote locations as well as steal passwords.
  • Steve K9ZW
    Steve K9ZW Member ✭✭✭
    edited March 2017

    @John - not FRS software and something picked up elsewhere.  Also something to get rid of.

    http://bfy.tw/7CVL is a link to a list of possible help sources for you. 

    Recognize that the name "Tool.exe" used for the exe is an attempt to camouflage malware as if it was system software and has been used by several different malware packages.

    73

    Steve K9ZW

  • John
    John Member ✭✭
    edited June 2018
    OK, yes, I know about that one, but this managed to ask me if I had a Flex 5000A as it apparently self-loaded, then the AV kicked in; that's why I wondered if it was from Flex Radio. I see it in the sandbox.
  • John
    John Member ✭✭
    edited June 2018
    OK, am running scans now and will then use Malwarebytes as aftercare. Actually, this file appears in the program dataflexradio systemsflex firmware folder
  • Steve K9ZW
    Steve K9ZW Member ✭✭✭
    edited November 2016

    @John - I think you might benefit from writing up the whole incident with details - what operating system, what was running and what you saw when it happened - and perhaps dropping FRS a direct email with that info as well as posting it here. Include OS and all software running, including version numbers. Info on the hardware will help complete the picture. Since you have the file quarantined, what is its size and file date? Were you online or not? Any other woes happening around the same time? All the scraps of information that would help someone remotely working to help you are useful.

    You will avoid ending up with the frustration of partial responses based on what is partial information trickled out from the whole story over a series of posts in a forum situation like this.

    It is a pretty good indicator that something focused was running if the software had a dialogue with you, and that dialogue mentioned uncommon hardware.

    Suggest considering saving the file in the Sandbox for now in case further examination is warranted.

    73

    Steve K9ZW

  • John
    John Member ✭✭
    edited December 2016
    Ok will do.
  • Steve K9ZW
    Steve K9ZW Member ✭✭✭
    edited November 2016

    When the FRS folk get your information they may be able to shed some light on whether the PowerSDR structure included a "Tool.exe" executable that would autorun.

    Info on that file will be useful to check if it is the "right" file if their package included that file name.

    You could be seeing a false positive from your antivirus, so details on that likely will be helpful (include what malware pattern update number/date your antivirus has been updated to).

    Oh, once you get it figured you can help others by writing up what the resolution ended up being.  That is so helpful when a person's system gets the same troubles.

    GL and 73

    Steve K9ZW

  • John
    John Member ✭✭
    edited June 2018
    OK, this is what happened when the pop-up window appeared. It was a white box asking if I was running the Flex 5000A with a yes/no option, and then the AV kicked in and said that the file was sandboxed. The file is found in the folder I mentioned and there are 2 of them. One is created 25/11/2013 @ 11:55 and it's version 4.1.3.17357 and is 643kb in size. The other is created 23/06/2015 @ 10:40. The file size and ver is the same as the first.
    I was running my f3000 when this pop-up window appeared. No other software was running and it was the T8 version from KE9NS.
    PC is running Win 10 64-bit. Must go out now, but no other relevant info available.
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited December 2016
    This answer is very wrong. Tool.exe is a program used by PowerSDR to flash the firmware on FLEX-5000 and FLEX-3000 SDRs.
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited December 2016
    And this answer is wrong too. See my answer above.
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited June 2018
    Tool.exe is an executable used by PowerSDR to flash firmware to the FLEX-5000 and FLEX-3000. It is not malicious and your AV software has incorrectly identified it as malware. This was a false positive.
  • KC9NRN
    KC9NRN Member
    edited October 2016

    People who write malware love to use the names of actual program files. So many real executables get flagged as malicious when, yes, they can be malicious if a file overwrites the real file that a program was using.

    Troubleshooting systems infected with malware has gotten much easier; back in 2005 it was a nightmare. Now when I search for a file I look at the programs that have been installed, and if there is another machine with the same software I check it as well.

    I never assume a file is malicious until I can fully validate it. 

  • Steve K9ZW
    Steve K9ZW Member ✭✭✭
    edited November 2016
    Thank you Tim for unraveling the mystery question!  


    Does Tool.exe automatically run periodically?  

    @John you will need to "teach" your antivirus to leave the PowerSDR related Tool.Exe alone and restore the file(s) from the quarantine sandbox to their usual places.  The manual for the AV software should explain how - otherwise consider asking that manufacturer and also let them know about the false positive.

    Also @John, which AV and what are the versions/update levels of the software that got too aggressive with your PowerSDR?

    And again thank you to Tim for posting the correct information for everyone.

    All best and 73

    Steve
    K9ZW
  • John
    John Member ✭✭
    edited December 2016
    Hi, I have already released it back to the folder and Avast was run again with no detection after giving the file the all clear.
    It's Avast Pro 2016.12.1.2272 version. It's the 1st time it's popped up, so not sure why. Anyway, I try and run a tight case here as there is so much going on out there.
    I wish AV companies would take an aggressive attitude instead of defending all the time, perhaps things will change in time to come, because the amount of "good" botnets could really take the fight to these spammers et al.
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited December 2016
    Steve,

    Does Tool.exe automatically run periodically?  

    No.  Only when it is called by PowerSDR to flash the firmware.
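
Added example, not part of any post in this thread and not FlexRadio code: one way to do the validation discussed above, recording size, timestamp and SHA-256 for each copy of a flagged file and comparing them with a hash taken from a clean install of the same software version on another machine. The file names, the sample bytes and the reference hash are constructed for the demonstration. It shows that two copies of equal size are not necessarily the same file.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def describe(path):
    """Collect the facts a vendor or AV false-positive report needs for one file."""
    p = Path(path)
    digest = hashlib.sha256()
    with p.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    st = p.stat()
    modified = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
    return {"path": str(p), "size": st.st_size,
            "modified_utc": modified, "sha256": digest.hexdigest()}


def triage(copies, reference_sha256=None):
    """Compare flagged copies with each other and with a known-good hash."""
    records = [describe(c) for c in copies]
    hashes = {r["sha256"] for r in records}
    if reference_sha256 is None:
        matches = None  # no reference supplied: nothing is proven either way
    else:
        matches = hashes == {reference_sha256.lower()}
    return {"records": records,
            "same_size": len({r["size"] for r in records}) == 1,
            "identical": len(hashes) == 1,
            "matches_reference": matches}


def demo():
    """Constructed sample: same-sized files, one of which differs by one byte."""
    good = b"MZ" + b"\x00" * 62               # constructed bytes, not a real executable
    altered = b"MZ" + b"\x00" * 61 + b"\x01"  # same length, different content
    ref = hashlib.sha256(good).hexdigest()    # stands in for the clean-install hash
    with tempfile.TemporaryDirectory() as d:
        a, b, c = (Path(d) / n for n in ("copy_a.bin", "copy_b.bin", "copy_c.bin"))
        a.write_bytes(good)
        b.write_bytes(good)
        c.write_bytes(altered)
        return triage([a, b], ref), triage([a, c], ref)


if __name__ == "__main__":
    for result in demo():
        print(result["same_size"], result["identical"], result["matches_reference"])
```

The `records` list holds the size, timestamp and hash for each copy, which is the information asked for earlier in the thread and what an AV vendor needs with a false-positive submission.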
