Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    FPs
    C:\WINDOWS\system32\GameMon.des
    Size . . . . . . . : 3.404.560 bytes
    Age . . . . . . . : 1340.4 days (2009-06-21 11:52:03)
    Entropy . . . . . : 7.9
    SHA-256 . . . . . : 0D7335A08063431492EC18667C7CDD1CAA27F3568DE9C398B43A44EA831046CD
    Product . . . . . : nProtect Game Monitor
    Publisher . . . . : INCA Internet Co., Ltd.
    Description . . . : nProtect Game Monitor Rev 1447
    Version . . . . . : 2009.12.16.1
    Copyright . . . . : Copyright ⓒ 2000-2007 INCA Internet
    Service . . . . . : npggsvc
    > Ikarus . . . . . . : Virus.Win32.Themida!IK
    Fuzzy . . . . . . : 136.0
    Startup
    HKLM\SYSTEM\CurrentControlSet\Services\npggsvc\


    Suspicious files ____________________________________________________________

    C:\Dokumente und Einstellungen\PC\Lokale Einstellungen\Anwendungsdaten\PunkBuster\APB\pb\PnkBstrK.sys
    Size . . . . . . . : 141.200 bytes
    Age . . . . . . . : 560.3 days (2011-08-10 15:28:05)
    Entropy . . . . . : 7.7
    SHA-256 . . . . . : 4032A64436FC04128BEB7DF400986A3DBDBAADBFA4C11B3887C4755147082326
    RSA Key Size . . . : 2048
    Authenticode . . . : Valid
    Fuzzy . . . . . . : 22.0
    The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Program contains PE structure anomalies. This is not typical for most programs.
    The file is a device driver. Device drivers run as trusted (highly privileged) code.
    Program is code signed with a valid Authenticode certificate.

    C:\WINDOWS\system32\drivers\PnkBstrK.sys
    Size . . . . . . . : 141.200 bytes
    Age . . . . . . . : 560.3 days (2011-08-10 15:24:14)
    Entropy . . . . . : 7.7
    SHA-256 . . . . . : 4032A64436FC04128BEB7DF400986A3DBDBAADBFA4C11B3887C4755147082326
    RSA Key Size . . . : 2048
    Authenticode . . . : Valid
    Fuzzy . . . . . . : 26.0
    The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
    Program contains PE structure anomalies. This is not typical for most programs.
    The file is a device driver. Device drivers run as trusted (highly privileged) code.
    Program is code signed with a valid Authenticode certificate.

    C:\WINDOWS\system32\xsherlock.xem
    Size . . . . . . . : 666.720 bytes
    Age . . . . . . . : 310.2 days (2012-04-16 17:54:58)
    Entropy . . . . . : 7.9
    SHA-256 . . . . . : FA75544B3ABE97267905DD0AC42CC2B93BC95CC328F9383CA7DD97B72D60C23B
    Product . . . . . : XIGNCODE3
    Publisher . . . . : Wellbia.com Co., Ltd.
    Description . . . : XIGNCODE3 Game Start Service
    Version . . . . . : 3.1.0.1
    Copyright . . . . : Copyright (C) 2006-2011 Wellbia.com Co., Ltd.
    RSA Key Size . . . : 2048
    Service . . . . . : xsherlock
    Authenticode . . . : Valid
    Fuzzy . . . . . . : 27.0
    The file name extension of this program is not common.
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
    Starts automatically as a service during system bootup.
    Program is code signed with a valid Authenticode certificate.
    Startup
    HKLM\SYSTEM\CurrentControlSet\Services\xsherlock\
     
    Last edited by a moderator: Feb 20, 2013
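Three of the fields in the log entries above (SHA-256, Entropy on the 0..8 scale, and the ".reloc section contains code" flag) can be approximated locally when triaging a file HitmanPro has marked suspicious. The block below is an added example, not SurfRight's code and not HitmanPro's actual implementation: it walks the PE section table by hand (no pefile dependency), computes Shannon entropy, and treats a .reloc section carrying IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE characteristics as "contains code". The two PE images it scans are constructed in-process with an assumed minimal layout (not loadable), and the 7.0 entropy cut-off is an assumption chosen to match the 7.7 and 7.9 readings shown above, not a published SurfRight threshold.

```python
"""Added example: local approximation of three fields from a HitmanPro
"Suspicious files" entry (SHA-256, Entropy, ".reloc section contains code").
Not SurfRight code; the PE images scanned below are constructed in-process."""
import hashlib
import math
import struct
from collections import Counter

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

ENTROPY_SUSPICIOUS = 7.0  # assumed cut-off; the log above shows 7.7-7.9 for packed drivers


def sha256_hex(data: bytes) -> str:
    """Upper-case hex digest, the form the HitmanPro log prints."""
    return hashlib.sha256(data).hexdigest().upper()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte on the 0.0..8.0 scale; packed/encrypted code sits near 7.5+."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Walk the COFF section table without pefile.
    Returns [(name, characteristics, raw_offset, raw_size), ...]."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size  # section headers follow the optional header
    out = []
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", image, off + 16)
        chars, = struct.unpack_from("<I", image, off + 36)
        out.append((name, chars, raw_off, raw_size))
    return out


def reloc_contains_code(image: bytes) -> bool:
    """A relocation table is data; CODE/EXECUTE bits on .reloc mean a packer or
    loader stub was placed there (the flag HitmanPro raised on PnkBstrK.sys)."""
    code_bits = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
    return any(name == ".reloc" and chars & code_bits
               for name, chars, _, _ in pe_sections(image))


def triage(image: bytes) -> dict:
    """The subset of log fields this example can reproduce."""
    entropy = shannon_entropy(image)
    return {
        "sha256": sha256_hex(image),
        "entropy": round(entropy, 1),
        "entropy_flag": entropy >= ENTROPY_SUSPICIOUS,
        "reloc_code": reloc_contains_code(image),
    }


def build_image(reloc_chars: int, reloc_body: bytes) -> bytes:
    """Constructed minimal PE (assumed layout, not loadable): DOS header,
    PE signature, COFF header with an empty optional header, then .text
    and .reloc. Just enough structure for pe_sections() to parse."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    text_body = b"\x55\x8b\xec" + b"\x90" * 61       # push ebp; mov ebp,esp; nops
    text_off = e_lfanew + 4 + 20 + 40 * 2            # first byte after headers
    reloc_off = text_off + len(text_body)

    def hdr(name, body, off, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000,
                           len(body), off, 0, 0, 0, 0, chars)

    table = (hdr(b".text", text_body, text_off,
                 IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
             + hdr(b".reloc", reloc_body, reloc_off, reloc_chars))
    return dos + b"PE\0\0" + coff + table + text_body + reloc_body


# Two constructed samples: a benign-looking relocation table, and a .reloc
# marked executable and filled with a pseudo-random (high-entropy) blob.
BENIGN = build_image(IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ,
                     struct.pack("<II", 0x1000, 12) + b"\x00\x30\x05\x30")
PACKED = build_image(IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE,
                     b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)))

if __name__ == "__main__":
    for label, img in (("benign", BENIGN), ("packed", PACKED)):
        print(label, triage(img))
```

Two caveats when using this on real files: the check here only reads the section header characteristics, whereas a scanner may also inspect the section body for instruction-like bytes, so a .reloc with the default data-only flags but a code payload will slip past this version; and whole-file entropy is diluted by headers and resources, so a per-section entropy is the more useful number for a 141 KB driver like the one flagged above.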
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    With the latest beta...

    Code:
    Suspicious files ____________________________________________________________
    
       C:\System Volume Information\_restore{EAF808E9-A451-4F6F-ACB7-2EE5AF7CB4E6}\RP250\A0318488.exe
          Size . . . . . . . : 124,688 bytes
          Age  . . . . . . . : 2.3 days (2013-02-20 09:38:20)
          Entropy  . . . . . : 6.0
          SHA-256  . . . . . : 50405162B96A5EC744A3745A600BD88C03E33C9EBEABC915A289C19F17E8EA53
          Product  . . . . . : CPUEater Application
          Publisher  . . . . : Bitsum Technologies
          Description  . . . : CPUEater Application
          Version  . . . . . : 6.0.0.91
          Copyright  . . . . : Copyright (C) 2010-2013 Bitsum Technologies
          RSA Key Size . . . : 2048
          Authenticode . . . : Invalid
          Fuzzy  . . . . . . : 22.0
             Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
             Time indicates that the file appeared recently on this computer.
    
       C:\System Volume Information\_restore{EAF808E9-A451-4F6F-ACB7-2EE5AF7CB4E6}\RP251\A0318619.exe
          Size . . . . . . . : 125,200 bytes
          Age  . . . . . . . : 1.1 days (2013-02-21 14:27:28)
          Entropy  . . . . . : 6.0
          SHA-256  . . . . . : 6A2626B0DC0D3CB859BBBD31F2EA08D390F87A4F5B840A492EFB8BA9DCA73DAB
          Product  . . . . . : CPUEater Application
          Publisher  . . . . : Bitsum
          Description  . . . : CPUEater Application
          Version  . . . . . : 6.0.0.91
          Copyright  . . . . : Copyright (C) 2010-2013 Bitsum Technologies
          RSA Key Size . . . : 2048
          Authenticode . . . : Invalid
          Fuzzy  . . . . . . : 22.0
             Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
             Time indicates that the file appeared recently on this computer.
    
    
    
    
     
  3. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    517
    Location:
    United States
    Erik, I was wondering if you could tell me a bit about how HitmanPro goes about scanning one's computer? Since HMP doesn't scan recursively (quite a shame), I was trying to run HMP in a sandbox that had blocked access to everything but the C:\Sandbox folder in an attempt to make it so that a full system scan will only scan this folder. I didn't get this to work (yet), however it occurred to me that HMP may not scan in a way where this will work anyway. Will this work the way I think it will or is it pointless?
     
  4. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Did you give HMP internet access? Can you post a sandboxie config to see what settings your using? Also if you haven't already a post over at sandboxie's forum might help as well.
     
  5. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    517
    Location:
    United States
    The only restrictions I have placed on that sandbox are deny restrictions to as many folders as possible in order to isolate the folder I want. The problem I'm having now is that it (Windows) says it doesn't have the privileges to run. I do not have the "Drop Rights" setting enabled. My guess is that I'm blocking something in C:\Windows that is responsible for UAC asking for elevation; what that is, I have no idea. I tried explorer.exe but no luck. The reason I posted here is because I wasn't sure if HMP would scan all the files in the folders that it can see if I do a full scan.
     
  6. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    I would consider asking on Sandboxie's forum or doing a search over there, since HMP is working and Sandboxie is creating the issue. Having used Sandboxie for a few years, I've come to find that it's probably an easy solution. All you have to do is ask.
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    UAC prompts are done by C:\Windows\System32\consent.exe; I found that out when I was playing with Eset HIPS when it was just introduced in v5 and seemed to pop up on everything, including tons of Windows stuff like consent.exe, which I had to give consent to first in order to be able to consent to the UAC prompt it wanted to pop up :p Does anyone know if Eset v6's HIPS is still a pita?
     
  8. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    517
    Location:
    United States
    I did not block C:\Windows\S* so that should not have been a problem.
     
  9. garack

    garack Registered Member

    Joined:
    Jan 15, 2013
    Posts:
    12
    anyone?

    Btw the last Beta is running fine on Win7Ultimate64
     
    Last edited: Feb 22, 2013
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    I think RUN means that it's currently running, don't know about WRP.
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    RUN - the file is executed via auto run key / startup folder
    SERVICE - the file is executed as Service
    DRIVER - the file is executed as a Driver
    1234 - the file is currently running as process with PID 1234
    WRP - the file is Windows Resource Protected; means it is never deleted but replaced by a clean version; see also http://msdn.microsoft.com/en-us/library/aa382503.aspx
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Thanks :)
     
  13. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    2 FPs
    7199229B6394B6708AB0BD3CEE675B7CAD67CC77E3EE2EE58DFDF583AA1AA340

    A5F78EC1F8F5E4724271138C09F89259D3886CB3545EE8C1726E8A56CD141E32
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    7199229B6394B6708AB0BD3CEE675B7CAD67CC77E3EE2EE58DFDF583AA1AA340 = 31/42, definitely malware, so no FP.

    The other one I'm still investigating.
     
  15. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    Not sure, the user told me it's some kind of patch; I don't have the file, so I can't say anything about it :)
     
  16. er34

    er34 Guest


    I sincerely hope you do not check if a file is clean or malware by putting it on VirusTotal. That would be extremely lame and unprofessional.
     
  17. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    The judgement of almost the entire security industry regarding these two files should give you some indication that the people who wrote these files had no education regarding proper software design. I would definitely keep these two files from my systems, even though they could be safe.
    That said, I had some time to take a look at them myself and we're clearing the files. Note that the mentioned tools are not written by software professionals, which is probably why a huge number of security vendors are flagging these as malicious:
    NHL09RosterPatch.exe - 7199229b6394b6708ab0bd3cee675b7cad67cc77e3ee2ee58dfdf583aa1aa340
    NHLSeasonStatisticsExporter.exe - a5f78ec1f8f5e4724271138c09f89259d3886cb3545ee8c1726e8a56cd141e32
     
  18. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro 3.7.3 Build 191 BETA

    Kickstart 2.0
    On some computers with a specific BIOS, Windows would not start when booting with a HitmanPro.Kickstart USB flash drive. The result is a frozen display and/or blinking cursor.

    We've made major changes to the Kickstart bootstrap loader. The result is that these systems will now also be able to boot from HitmanPro.Kickstart USB flash drive to remove MBR and/or police themed ransomware. Take back control, Kickstart your PC!

    Changelog
    • UPDATED: Kickstart 2.0 bootstrap loader.
    • FIXED: On some BIOSes, when booting with Kickstart, Windows loader would hang with either frozen screen or blinking cursor.

    Download
    http://www.surfright.nl/downloads/beta

    If you had problems booting your system with Kickstart, this is the version you want. Please let me know how this runs on your system :thumb:
     
    Last edited: Mar 5, 2013
  20. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    Hitman shows this as suspicious:
    47AA72D2DD4A746BC63FC5171D8F475C7691F317F8B1E5007832FA7100C10923
    first seen on vt in 2010 with 0 hits
     
  21. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you post the log?
     
  22. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    No, but it was only an XML file, and there was a file path and MD5, no more info.
     
  23. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi erikloman
    HMP just sat [trying to] Initializing, for some reason it will not connect to the Internet. [Not starting network connection]. o_O

    Which is better than before, where it was stuck on a frozen screen. :thumb:

    With regards
    Take Care
    TheQuest :cool:

    PS: My System:- M$ OS Win7U x64 SP1/ Asus P9X79 PRO , Intel i7-3960X, Asus HD7970, 16GB RipjawsX DDR3, Corsair Force-GT 120GB SSD/6Gbs + Crucial M4 250GB SSD/6Gbs, NetGear DGN2000.
     
    Last edited: Mar 5, 2013
  24. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    In moving from Build 189 to 190, is it necessary to create a new KickStart usb or bootable CD?
     
  25. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295

    I have never created the Kickstart USB stick, since I'd rather not because I am using FD-ISR. So, I will not be able to test that feature of HMP.
     