Hacktool Virus

May 2, 2005 at 18:22:27
Specs: OS X, Powerbook G4

I have a Powebook that is running OS X and my
Norton told me I have a Hacktool.Underhand virus
and it cannot delete it. HELP! What can I do??

See More: Hacktool Virus

Report •

May 3, 2005 at 09:43:38

try booting with norton cd, and scan, as well with extensions off,quarantine if available,

Report •

May 3, 2005 at 15:52:54

I have the same problem - on a powerbook G4
- norton doesn't find or remove it when I do
a virus scan - although it does pop up with
messages that it is infecting the Swap file.
Also the computer is now freezing and
dying... Any ideas? Please...!

Report •

May 3, 2005 at 16:17:22

I have the same problem on a Dual 1.25 PowerPC G4. I get the quarantine message regarding the swapfile1. I got two more messages today (in between crashes) where it quarantined two more swapfiles, each time increasing the number that follows the title (swapfile2, swapfile3). But Norton does not show any quarantined files or history of the action. It has also caused system crashes over the last two days, approximately 6 per day. Very frustrating. Since the dates on these posts is recent, and the fact that Norton does not offer any supporting info on this virus, I am assuming it is a new one. I will be sure to post any solution our IT dept. comes up with on this site. They are on it now. Good luck.

Report •

Related Solutions

May 3, 2005 at 19:17:47

I have the same problem. My ibook is freezing every 20-30 minutes if it is online. But if it stay offline, it works well.

By the way, what is swapfile?

Hope we can get solution soon.

Report •

May 3, 2005 at 19:22:42

I had the Hacktool.Underhand virus. I booted my powerbook
G4 as firewire harddrive. Then I ran norton antivirus. Norton
found 11 infected files. There were 3 swapfiles and 8 tmp
files. I deleted them and Shut down my computer. I booted
from OS 10.4 CD and updated to 10.4. My computer is now

Report •

May 3, 2005 at 22:21:02

I have it too on my G3, OSX..
I suspect it's spyware.

Symantec tell me it's a new virus (despite their
software recognising it's presence on my system
and having its name in their list of recognised
viruses) figure that one out.. After many calls and
their assistance in helping me totally destroy my
system they have still offered no helpful
informtion. I refusd to pay for their "technical
support", which was understood by a supervisor.
however now I find that there are 20 min wait
times in their Kuala Lumpor call centre.. following
my last contact which involved them asking for my
assistance in identifying it. I think I should be
charging at their normal rate.

I've had to reinstall my system software to get to
this point, where I can only backup my stuff and
do a total rebuild. I'm not happy...

Has anyone been able ot successfully been able
to perform a online virus scan from their website?
I can't from mine despite their suggestions. (
www.sarc.com ) I only get access to the security

Report •

May 4, 2005 at 00:19:34

I have exactly the same as clcorrrea on an eMac running
OS X 10.3.9. I got the three swapfile messages but
running Norton AntiVirus did not detetct anything despite
having the latest virus definitions update.

My system crashes always happened while using

I think it may have started after I downloaded patch 3 for
NeoOfficeJ Release Candidate 1.1. With some difficulty (I
had to do a safe boot holding down shift key) I have
deleted NeoOfficeJ from my computer and so far
everything is OK again

Hope this helps others

Report •

May 4, 2005 at 01:40:04

There seems to be a lot of this going around. The
consensus over on the boards at Apple support (link
below) is that it has actually been caused by the latest
Norton Anti-Virus update.

Try removing all the Norton AV related files from your
system - it worked for me!

Report •

May 4, 2005 at 02:08:34

It's a false positive detection of the last year trojan 'just discovered' by Sophos !

Try a google on 'UnderHand'.


Report •

May 4, 2005 at 05:57:18

i have the same problem on an imac -- an infected file -- swapfile 4 -- showed up in my norton quarantine file a couple of days ago -- i deleted it -- then yesterday a norton alert said hacktool.underhand had appeared on my computer -- i ran a full norton virus scan but found nothing -- i assumed message was holdover from previous infected file, but having read posts above that probably isn't so -- am not much cop with computers so don't want to do anything drastic -- the computer is definitely playing up but not that badly -- is it best to wait and see if solution forthcoming or should more urgent action be taken -- bit frustrating that there isn't more info about this ....

Report •

May 4, 2005 at 10:16:29

I've got it too -- on a G3 PowerBook running OS X 10.3.9.

Any idea if the Apple Security Update that was issued
yesterday might help solve this problem? Any word from
Norton in determining if they are the problem?

Report •

May 4, 2005 at 10:34:32

Strongly recommend this apple discussion page which has lots of ideas for solving this


Report •

May 4, 2005 at 14:14:48

I have the same problem on my Ibook G4 and I tried to
install Internet Cleanup demo to delete the file but now
every 10 seconds I have a message that pop's up telling
me: "The installed demonstration version of Internet
Cleanup has expired.

To purchase the demo, run the Internet Cleanup
application for details"
I uninstalled the application but the Alert message
continues to pop up... I don't know what I can do!


Report •

May 4, 2005 at 15:57:06

Yesterday at noon, Norton Antivrus popped an alert that swapfile2 seemed to be infected with something called hacktool.underhand

and that it was unable to repair the file or show me whereit was so I could delete it. NOV website is no help and there best advice was to reboot in safemode if I was using a windows based system. Great! What if you're on a mac?

I do not think this is harmless as my system has now crashed six times.

If anyone knows how to resolve this issue please DO TELL!

What annoys me is that I pay for Virus Protection on a system (MAC) for many years on a system that is not as virus prone as windows systems. when I do finally have a problem NAV is no help, and to add insult to injury they charge a whopping fee for phone solution (more than the cost of the software). Why am I paying for their software then? To add insult to injury, the online help is geared for windows machines!

Can anyone reccomend an antivirus solution that is a bit more on the ball for MACS?

Report •

May 4, 2005 at 17:17:13

Using version 9.0.3 (6) (Latest definitions) of Norton AV
for Mac with OS X 10.3.9. PowerMac G4 Quicksilver.

Managed to quarantine it after finding swapfile3
corruption (and swapfiles 1 & 2) I had to resort to deleting
the affected files.

Am now running a deep clean/scan through NAV.

On a slightly different note:I had crashing issues with my
iBook G4 last year (day of purchase). I told them I was
scanning the system with Norton AntiVirus and their
System scanning software and they gave me a really hard
time about Norton. I still use Norton AV on both and
thank heavens I did - Mac's own Antivirus doesn't seem to
have detected the trojan (Hacktool.underhand). Norton
AV has. Touch wood.

Report •

May 4, 2005 at 17:46:47

I posted response # 6

I have been on the phone to Norton technical
support again. Despite losing my system etc I
was satisfied with their help this time.

They are working on the problem, it may take
a day or two to build a fix for it but they
recommend going to Apple's site to keep
up-to-date with anything they put out for it
and , in my case Norton will contact me once
they have a fix.

It seems like they are doing all they can and
it's just a matter of time now. S#1t happens
and it seems we copped it this time.


Report •

May 4, 2005 at 19:37:11

Am i to understand that one of the first OSX viruses to cause any real problems to date is actually the Norton update itself???

I've heard lots of bad experiences using norton utils in general on Macs, but really!

Glad i use Virex..although it doesn't appear to be able to catch any viruses (maybe 'cuz there aren't many?) it still leaves my system alone!

Report •

May 4, 2005 at 19:49:02

this is interesting..


Report •

May 4, 2005 at 22:39:26

I too have the Hacktool Underhand virus on my two macs despite running Symantec / Norton's latest virus protection and checking for updates daily. Same symptoms as everyone else. After 10 calls to Symantec in the last 24 hours about the problem, I have received no help at all. The threat to charge to solve a virus they could be responsible for spreading is an insult. I ignored such messages and was never asked to pay. I would be happy to pay someone who actually knows how to remove Hacktool Underhand - but no one at Symantec / Norton apparently does at this point, or if they do they can't figure out what department he works in. I can politely call their tech support personnel incompetent and undertrained. The English language is obviously not their forte, and I do not speak Hindustani, frustrating for both me and the hord of hard-working well-meaning Indian tech guys I have spoken with. Symantec obviously has not bothered to help these guys with the basics. I had to explain that OS X runs on Mac not Windows to one tech! I finally called the HQ office at 408-517-8000 for help and to complain about the massive disorder of their tech support system. I got as far as the receptionist and a promise I would get a call back from someone intended to handle such issues in the next 48 hours. This was not the first time I heard the "we will call you back" promise from Symantec employees. I will post again if I get any response from them. Meanwhile I am looking at .mac's Virex, and wondering if it is any better. Is Symantec / Norton really responsible for spreading this virus via their auto-update feature, as I have read in other posts?

Report •

May 5, 2005 at 01:27:37

Well, i can't possibly tell you if Virex is
"better" at catching viruses (although i
know for a fact it doesn't recognize PC
ones..)- simply because i've never had one
on a Mac.
However, it's easy to use, it doesn't
interfere with the system at all , has
native versions for both classic and OSX,
it's got a really nice autoupdate feature,
and *doesn't* charge for updates-
And, frankly, i think charging for updates
to definitions for an OS that has almost no
history of viruses, and virtually none at
present..is a bit much anyways..


Report •

May 5, 2005 at 01:35:56

Er, man, i just checked the link mentioned
by wondering...eek.
You'd think it was a legit development
status report , until you look close at the
forms it's 'available' in (Client, Server, and


Report •

May 5, 2005 at 03:38:48

I was getting system-wide crashes, apparently from
Underhand or at least the NAV handling of it. I turned off
all of the NAV auto-protect stuff and I seem to be running
fine now. Can't say that this solution makes me totally
comfortable tho'.

Report •

May 5, 2005 at 04:32:55

I got the message that swapfile1 was infected with hacktool.underhand on the 04-05. I didn't delete the file from quarantine and have not had any further messages or problems. The only things that I have recently downloaded were firefox extensions, which included acrobat reader which was mentioned in several other posts. I am still running Nav.

Report •

May 5, 2005 at 06:44:51

First of all, this is not a "virus". It is a trojan, and can only
be installed on your computer by you or someone else
with local/physical/administrative access.

But that is beside the point, because NONE OF YOU HAVE

This is a FALSE POSITIVE because Symantec's signature for
detecting this tool was too broad! Since the swapfile has
large amounts of dynamically changing data, they're
apparently detecting the same overly-broad binary
snippet they're searching for in your swapfile.


Underhand is a conventional .app application bundle that
hides itself from the Dock and the normal user-space
running process listings. It can physically be searched for,
and its mode of operation is clear: it will be present in
your Login Items and process listings, and runs from the
user home directory's Library/Preferences folder. Yes,
names can be changed, etc., but it is fundamentally a Mac
OS X application bundle that runs interactively (albeit
invisibly) while a user is logged in. A signature, in the
context of AV detection, or anything else that defines it in
that manner is not present in swap, and that is technically
impossible. Therefore, this is a false positive, and the
detection scheme likely appeared in Symantec's most
recent definition update.

Symantec has CONFIRMED this and has issued new virus
definitions to fix their mistake:

Subject: Re: Hacktool babble
From: Michael Romo <michael_romo@symantec.com>
Date: Wed, 4 May 2005 10:30:09 -0700


We figured out what's happening and are releasing a new
defs file today. I will let you know when it's up!!

Mike Romo
Product Manager, Macintosh Symantec Corporation
Office: 310-449-8347
Interoffice: 6 [310] 8347
Fax: 310-449-4246
email: michael_romo@symantec.com

Also, the recommendation to UNINSTALL your virus
software is very ignorant. It IS possible for malware to
affect the platform, though statistically a lot less likely
than, e.g., Windows. However, if you have NO protection,
you may be caught unprepared when there is a real threat.

REPEAT: No one who has this report about this being in
their swapfile is infected. NO ONE.

Anyone who has any doubts may contact me below.


Dave Schroeder
Apple Distinguished Educator
University of Wisconsin - Madison
Division of Information Technology
Platforms and Operating Systems
1210 W Dayton St Rm B263
Madison, WI 53706-1685
(608) 265-4737

Report •

May 5, 2005 at 06:59:56

Me also on my G4 running OSX 10.3.7

Norton tells me swapfile1 is infected with Hacktool.underhand

There is nothing in my quarentine folder, and a full scan of my drive tells me there is no virus at all. Then i get a crash, or Norton alerts me with the above message.

The swapfile files are in the folder var/vm but i dont know what they do so i dont know what effect deleting them will have.

I get crashes 2 or 3 times a day at the moment this has been happening forthe last 3 or 4 days now.

and this link posted above http://discussions.info.apple.com/webx?127@964.dksdaKbHRII.0@.ee6b280

has no page. and apples support site lists nothing about swapfile or underhand that i can find.

Report •

May 5, 2005 at 08:03:02


You DO NOT have this trojan. This was an error with
Symantec's definitions, and its trying to tamper with your
swapfile. The swapfile is essential to the operation of the
computer! If NAV tries to move/delete/"quarantine" the
swapfile, your computer will crash/hard freeze/kernel panic.

Repeat: this was an ERROR in Symantec's virus definitions.
See my last message on this topic. You ARE NOT INFECTED
with anything.

Report •

May 5, 2005 at 08:09:23


To anyone who is experiencing crashing/hanging

This is NOT because you are infected with anything! NAV
is trying to inappropriately remove/"quarantine" your
swapfile, and that action itself is what is causing the
issues. You are virtually guaranteed to get a hard freeze
or kernel panic if the swapfile is tampered with.

Symantec released new virus definitions yesterday to clear
up this confirmed issue with the previous version of the
definitions. You are NOT infected; it was NAV itself that
was giving this false positive, and trying to remove the
swapfile is what was causing the issue.

Report •

May 5, 2005 at 09:35:12


Report •

May 5, 2005 at 15:59:36

So thanks to Symantec we now know we do not have a
virus that their program identified as a virus, that is good,
but is Symantec planning to make up for days of lost work
and frustration they caused their customers? I know I will
be looking at other anit-virus programs more closely to
see who I will be leaving Symantec for if they don't do
anything more than belatedly post a solution to a problem
they created.

Report •

May 8, 2005 at 16:11:16

Okay, so I was getting the same message so I dled
the new virus definitions from Symantec. I tried to
install them, but about halfway through my system
kernel panics. This has happened more than once.
Should I just uninstall Norton? If I reinstall it, will the
virus definitions be up to date?
I'm so sick of this.

Report •

May 10, 2005 at 23:31:19

Well, it looks as though it was an honest mistake by Symantec..
And frankly, i think maybe a little activity , even a false alert , might be a good thing for the mac community, as regards viruses.
As an earlier poster pointed out, one day , out of nowhere, some malicious virus, trojan, or bot could appear, and the damage to unprotected Macs could well be severe , since there's so much complacency regarding dangers to the mac platform.
Even though , as a mostly OS9 user, i am at even lower of a risk, i still keep my defs up to date..because *anything* is possible (even if admittedly not so likely...)

Obviously, i think i believe you think i said what you want to believe, but i think you didn't believe what i think i really said...

Report •

May 23, 2005 at 05:49:35

i understand that swapfile 1 isnt a real virus or trojan but
this still really doesnt help, i ran NAV and am up to date
on all osx updates. the main problem i have due to this is
that my dv editing software will not capture fron my dv
deck, it doesnt detect the camera and crashes when
capture is set. i have tried other editing sofware and some
programmes do not even start. It was recomended that i
delete the infected files, is this wise?

i would be greatful of any help

Report •

May 27, 2005 at 06:54:34

Something horrifying just happened on
my 10.2.6 mac and I suspect it's related
to this...

Even though I don't run commonly under
an admin account, within a matter of 10

1. My available drive space dwindled from
2 Gb to 200 Mb (turns out to be a
proliferation of swapfiles)

2. First Finder view options, then other
preference files began to be erased.

3. No open files could be saved to disk.

4. ps revealed nothing interesting but the
drive was spinning like crazy.

5. Trying to open some documents gave
the message that the file was in use by
another user.

I restarted and am running under OS 9.
Am terrified to startup under X again.

Report •

Ask Question