Hitman Pro Support and Discussion Thread

[shadek]

Quote:

Originally Posted by FanJ

Thanks Eric, I expected so
It's getting time I buy a licence

Unfortunatily I don't use Twitter, so I cannot read your Tweets

You don't need an account to read tweets.

[krutoi]

Decided to give Kickstart a try this morning, but so far no joy... I have tried the release version and the beta version of the main program to create a usb drive, and have also tried the sidekick CD as well. Each time I get to the boot screen and have a blinking cursor and hitting 1, 2, or 3 does nothing - just more blinking.

I have adjusted the boot order in different ways as suggested in the troubleshooting list, but nothing seems to solve the problem.

target machine is HP/Compaq 6730b running Win7pro

[Mops21]

Hi erik

I have 5 Files for you to whitelist

Properties
Name cryptsvc.dll
Location C:\Windows\system32
Size 130 KB
Time 3.9 days ago (2013-06-11 19:48:11)
Entropy 6.5
Product Microsoft® Windows® Operating System
Publisher Microsoft Corporation
Description Cryptographic Services
Version 6.0.6002.18831
Copyright © Microsoft Corporation. All rights reserved.
Service CryptSvc
SHA-256 FEA7ACDDE2357CF0542B338A6B99BE5A3A409813FDA17B19CC0FC443EB0CBF92

Scoring (11.0)
Starts automatically as a service during system bootup.
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is in use by one or more active processes.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

Startup
HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc\

Properties
Name ieframe.dll
Location C:\Windows\System32
Size 10.6 MB
Time 2.1 days ago (2013-06-13 16:41:36)
Entropy 6.4
Product Windows® Internet Explorer
Publisher Microsoft Corporation
Description Internet Explorer
Version 8.00.6001.19437
Copyright © Microsoft Corporation. All rights reserved.
SHA-256 C05AC4368B30378DEE544F67546B286E1C354C9F99D88F1819A625C51DB2E5DE

Scoring (8.0)
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is in use by one or more active processes.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

Startup
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

References
HKLM\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\

Properties
Name ie4uinit.exe
Location C:\Windows\system32
Size 170 KB
Time 2.1 days ago (2013-06-13 16:41:34)
Entropy 7.3
Product Windows® Internet Explorer
Publisher Microsoft Corporation
Description IE Per-User Initialization Utility
Version 8.00.6001.19437
Copyright © Microsoft Corporation. All rights reserved.
SHA-256 F5B0E99827C0C76E4F24CBE631A49D045D3A4DAED1AFA02A140D70CC2005F746

Scoring (11.0)
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

Startup
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\

Properties
Name iedkcs32.dll
Location C:\Windows\System32
Size 379 KB
Time 2.1 days ago (2013-06-13 16:41:34)
Entropy 6.0
Product Windows® Internet Explorer
Publisher Microsoft Corporation
Description IEAK branding
Version 18.00.6001.19437
Copyright © Microsoft Corporation. All rights reserved.
SHA-256 CDBE29F4887B9628CB27B5EC79FD24D99750005B8000BCED17E6BDCC853D52A1

Scoring (6.0)
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

Startup
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}\

Properties
Name NPSWF32_11_7_700_224.dll
Location C:\Windows\system32\Macromed\Flash
Size 15.3 MB
Time 3.9 days ago (2013-06-11 20:15:40)
Authenticode Valid
Entropy 7.0
RSA Key Size 2048
SHA-256 E181F28C9915DC807AE575552EE4504F915866DB002A8FDAC84D3E4FA1D54B10

Scoring (6.0)
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
Program is code signed with a valid Authenticode certificate.

Startup
HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer\

References
C:\Windows\system32\Macromed\Flash\flashplayer.xpt


Virustota Results

SHA256: fea7acdde2357cf0542b338a6b99be5a3a409813fda17b19cc0fc443eb0cbf92
SHA1: 0f5e3cac93c712839c0bb93efdbc27d66d7cbf9d
MD5: 3ede4c1f9672c972479201544969adcb
Dateigröße: 130.0 KB ( 133120 bytes )
Dateiname: cryptsvc.dll
Datei-Typ: Win32 DLL
Erkennungsrate: 0 / 47
Analyse-Datum: 2013-06-15 16:37:12 UTC ( vor 0 Minuten )

SHA256: c05ac4368b30378dee544f67546b286e1c354c9f99d88f1819a625c51db2e5de
SHA1: 1876110e53257dfe5f378229895c903e1773ff53
MD5: 0ec07d529decd00e2987998cd5ea148d
Dateigröße: 10.6 MB ( 11111424 bytes )
Dateiname: ieframe.dll
Datei-Typ: Win32 DLL
Erkennungsrate: 0 / 47
Analyse-Datum: 2013-06-15 16:40:17 UTC ( vor 0 Minuten )

SHA256: f5b0e99827c0c76e4f24cbe631a49d045d3a4daed1afa02a140d70cc2005f746
SHA1: f33ab2f128d6947c10282c026ffe69bfa2ab7d76
MD5: 32ce0cec088bac0bb3c611f9340ab521
Dateigröße: 170.0 KB ( 174080 bytes )
Dateiname: ie4uinit.exe
Datei-Typ: Win32 EXE
Erkennungsrate: 0 / 47
Analyse-Datum: 2013-06-15 16:42:13 UTC ( vor 0 Minuten )

SHA256: cdbe29f4887b9628cb27b5ec79fd24d99750005b8000bced17e6bdcc853d52a1
SHA1: 0f41d03d7cb5c42f4a86c020de76151edca4d7c8
MD5: 95231473a575ea545c2a5f9e0f6c5b46
Dateigröße: 378.5 KB ( 387584 bytes )
Dateiname: iedkcs32.dll
Datei-Typ: Win32 DLL
Erkennungsrate: 0 / 47
Analyse-Datum: 2013-06-15 16:43:46 UTC ( vor 0 Minuten )

SHA256: e181f28c9915dc807ae575552ee4504f915866db002a8fdac84d3e4fa1d54b10
SHA1: af043f34146c9611221f148980ff02ea6cc2c02d
MD5: 3d76b5c0e02ecc19c1f5756e8fd97f72
Dateigröße: 15.3 MB ( 16033160 bytes )
Dateiname: NPSWF32_11_7_700_224.dll
Datei-Typ: Win32 DLL
Erkennungsrate: 0 / 47
Analyse-Datum: 2013-06-15 16:47:21 UTC ( vor 1 Minute )

[Mops21]

Hi erik

And here is the Scan Log for the 5 Files

Code:

HitmanPro 3.7.6.201
www.hitmanpro.com

   Computer name . . . . : ALEXANDERROB-PC
   Windows . . . . . . . : 6.0.2.6002.X86/2
   User name . . . . . . : AlexanderRob-PC\Alexander Robrecht
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2013-06-15 18:19:18
   Scan mode . . . . . . : EWS
   Scan duration . . . . : 8m 53s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 125

   Objects scanned . . . : 4.288.071
   Files scanned . . . . : 71.213
   Remnants scanned  . . : 2.896.026 files / 1.320.832 keys

Early Warning Scoring _______________________________________________________

   C:\Windows\system32\cryptsvc.dll
      Size . . . . . . . : 133.120 bytes
      Age  . . . . . . . : 3.9 days (2013-06-11 19:48:11)
      Entropy  . . . . . : 6.5
      SHA-256  . . . . . : FEA7ACDDE2357CF0542B338A6B99BE5A3A409813FDA17B19CC0FC443EB0CBF92
      Product  . . . . . : Microsoft® Windows® Operating System
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : Cryptographic Services
      Version  . . . . . : 6.0.6002.18831
      Copyright  . . . . : © Microsoft Corporation. All rights reserved.
      Service  . . . . . : CryptSvc
      Fuzzy  . . . . . . : 11.0
         Starts automatically as a service during system bootup.
         Program starts automatically without user intervention.
         Time indicates that the file appeared recently on this computer.
         The file is in use by one or more active processes.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
      Startup
         HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc\

   C:\Windows\system32\ie4uinit.exe
      Size . . . . . . . : 174.080 bytes
      Age  . . . . . . . : 2.1 days (2013-06-13 16:41:34)
      Entropy  . . . . . : 7.3
      SHA-256  . . . . . : F5B0E99827C0C76E4F24CBE631A49D045D3A4DAED1AFA02A140D70CC2005F746
      Product  . . . . . : Windows® Internet Explorer
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : IE Per-User Initialization Utility
      Version  . . . . . : 8.00.6001.19437
      Copyright  . . . . : © Microsoft Corporation. All rights reserved.
      Fuzzy  . . . . . . : 11.0
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Program starts automatically without user intervention.
         Time indicates that the file appeared recently on this computer.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
      Startup
         HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
         HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\

   C:\Windows\System32\iedkcs32.dll
      Size . . . . . . . : 387.584 bytes
      Age  . . . . . . . : 2.1 days (2013-06-13 16:41:34)
      Entropy  . . . . . : 6.0
      SHA-256  . . . . . : CDBE29F4887B9628CB27B5EC79FD24D99750005B8000BCED17E6BDCC853D52A1
      Product  . . . . . : Windows® Internet Explorer
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : IEAK branding
      Version  . . . . . : 18.00.6001.19437
      Copyright  . . . . : © Microsoft Corporation. All rights reserved.
      Fuzzy  . . . . . . : 6.0
         Program starts automatically without user intervention.
         Time indicates that the file appeared recently on this computer.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
      Startup
         HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}\

   C:\Windows\System32\ieframe.dll
      Size . . . . . . . : 11.111.424 bytes
      Age  . . . . . . . : 2.1 days (2013-06-13 16:41:36)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : C05AC4368B30378DEE544F67546B286E1C354C9F99D88F1819A625C51DB2E5DE
      Product  . . . . . : Windows® Internet Explorer
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : Internet Explorer
      Version  . . . . . : 8.00.6001.19437
      Copyright  . . . . : © Microsoft Corporation. All rights reserved.
      Fuzzy  . . . . . . : 8.0
         Program starts automatically without user intervention.
         Time indicates that the file appeared recently on this computer.
         The file is in use by one or more active processes.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
      Startup
         HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
         HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
         HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
      References
         HKLM\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
         HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\

   C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll
      Size . . . . . . . : 16.033.160 bytes
      Age  . . . . . . . : 3.9 days (2013-06-11 20:15:40)
      Entropy  . . . . . : 7.0
      SHA-256  . . . . . : E181F28C9915DC807AE575552EE4504F915866DB002A8FDAC84D3E4FA1D54B10
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 6.0
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program starts automatically without user intervention.
         Time indicates that the file appeared recently on this computer.
         Program is code signed with a valid Authenticode certificate.
      Startup
         HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer\
      References
         C:\Windows\system32\Macromed\Flash\flashplayer.xpt
      Forensic Cluster
          0.0s C:\Windows\System32\Macromed\Flash\NPSWF32_11_7_700_224.dll
          0.3s C:\Windows\System32\Macromed\Flash\FlashUtil32_11_7_700_224_Plugin.exe
          0.5s C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe

[erikloman]

Quote:

Originally Posted by krutoi

Decided to give Kickstart a try this morning, but so far no joy... I have tried the release version and the beta version of the main program to create a usb drive, and have also tried the sidekick CD as well. Each time I get to the boot screen and have a blinking cursor and hitting 1, 2, or 3 does nothing - just more blinking.

I have adjusted the boot order in different ways as suggested in the troubleshooting list, but nothing seems to solve the problem.

target machine is HP/Compaq 6730b running Win7pro

If you have a multi-boot/multi-disk system then it currently will not work on your system.

[erikloman]

Quote:

Originally Posted by Mops21

Hi erik

And here is the Scan Log for the 5 Files
...

I've whitelisted them.

[Mops21]

Quote:

Originally Posted by erikloman

I've whitelisted them.

Hi Erik

Thank you very much for your answer

[krutoi]

Quote:

Originally Posted by erikloman

If you have a multi-boot/multi-disk system then it currently will not work on your system.

just a basic plain vanilla system running win7 - normal bios startup options

[markusg]

could be a fp:
C:\Users\Christian\Downloads\installer_Wood_Background_Music_Beat_Wallchan_665381_wallpaper.exe
Size . . . . . . . : 1.023.288 bytes
Age . . . . . . . : 170.2 days (2012-12-29 20:59:51)
Entropy . . . . . : 7.6
SHA-256 . . . . . : A2589E65C1ACE27B62C630A0AC7DD9130993EECEABF76A3D458965451A77F5F2
RSA Key Size . . . : 2048
Authenticode . . . : Valid
> Ikarus . . . . . . : Trojan.Win32.StartPage!IK
Fuzzy . . . . . . : 107.0

[markusg]

C:\Users\Timm\Desktop\Ordner\Cheategine\Cheat Engine 6.2\xmplayer.exe
Size . . . . . . . : 188.928 bytes
Age . . . . . . . : 347.0 days (2012-07-06 18:51:06)
Entropy . . . . . : 6.0
SHA-256 . . . . . : 4A7D1838CAB46EB5632A3E3EEDC5F5C4BE5535F1DB6B2E2C0CE1831F7302AC8D
> Ikarus . . . . . . : Trojan.Win32.Spy!IK
Fuzzy . . . . . . : 106.0
C:\Users\Timm\Documents\My Games\Terraria\ModPacks\Life and Mana Crystal Installer.exe
Size . . . . . . . : 10.240 bytes
Age . . . . . . . : 101.0 days (2013-03-09 18:41:2
Entropy . . . . . : 3.8
SHA-256 . . . . . : 28A148B11FD5BC0A35BF6311768E00A1CBDDABDD59AF14A5A4B28262CE1E3BCF
Description . . . :
Version . . . . . : 0.0.0.0
Copyright . . . . :
> Ikarus . . . . . . : Win32.SuspectCrc!IK
Fuzzy . . . . . . : 106.0
C:\Users\Timm\Documents\My Games\Terraria\ModPacks\Omnirs Weapons Installer.exe
Size . . . . . . . : 110.592 bytes
Age . . . . . . . : 23.1 days (2013-05-26 16:35:07)
Entropy . . . . . : 7.9
SHA-256 . . . . . : 00362933ED3134878970F7191210BD11934A125865001FEF7B39C5687AE31FB0
Description . . . :
Version . . . . . : 0.0.0.0
Copyright . . . . :
> Ikarus . . . . . . : Win32.SuspectCrc!IK
Fuzzy . . . . . . : 114.0
Forensic Cluster
-12.2s C:\Users\Timm\Documents\My Games\Terraria\ModPacks\Omnirs Weapons\Config.ini
-12.2s C:\Users\Timm\Documents\My Games\Terraria\ModPacks\Omnirs Weapons\Config.ini
-5.4s C:\Users\Timm\Documents\My Games\Terraria\ModPacks\Omnirs Weapons\Omnirs Weapons.dll
-5.4s C:\Users\Timm\Documents\My Games\Terraria\ModPacks\Omnirs Weapons\Omnirs Weapons.dll
-1.8s C:\Users\Timm\Documents\My Games\Terraria\ModPacks\Omnirs Weapons.obj
-1.8s C:\Users\Timm\Documents\My Games\Terraria\ModPacks\Omnirs Weapons.obj
0.0s C:\Users\Timm\Documents\My Games\Terraria\ModPacks\Omnirs Weapons Installer.exe
0.0s C:\Users\Timm\Documents\My Games\Terraria\ModPacks\Omnirs Weapons Installer.exe

C:\Users\Timm\Documents\My Games\Terraria\ModPacks\Timms Warning Mod Installer.exe
Size . . . . . . . : 8.704 bytes
Age . . . . . . . : 115.9 days (2013-02-22 21:13:05)
Entropy . . . . . : 4.9
SHA-256 . . . . . : 1BE84E542718D8DD025F7B3B8FA8DED9BB5148E1CBF589EFA20C0592F89AC38B
Description . . . :
Version . . . . . : 0.0.0.0
Copyright . . . . :
> Ikarus . . . . . . : Win32.SuspectCrc!IK
Fuzzy . . . . . . : 106.0

C:\Users\Timm\Documents\My Games\Terraria\ModPacks\YYY HaMLR Installer.exe
Size . . . . . . . : 32.768 bytes
Age . . . . . . . : 270.9 days (2012-09-20 20:51:02)
Entropy . . . . . : 7.0
SHA-256 . . . . . : B19A35682C6FEA66965A52457D8C5C269FF446DE3323BADA57C372A65208371B
Description . . . :
Version . . . . . : 0.0.0.0
Copyright . . . . :
> Ikarus . . . . . . : Win32.SuspectCrc!IK
Fuzzy . . . . . . : 106.0

[G1111]

F.P.
SHA256: 99c3850a96eccab0a9a366223616e9616e09c73147c196d499477ebb6121c327
File name: tdsskiller.exe
Kaspersky TDSS Killer

Virustotal is 1/47 (Comodo Packed.Win32.MUPX.Gen)

HMP Scan
Malware _____________________________________________________________________

C:\Kaspersky TDSS Killer\tdsskiller.exe
Size . . . . . . . : 2,240,864 bytes
Age . . . . . . . : 3.0 days (2013-06-15 22:09:50)
Entropy . . . . . : 8.0
SHA-256 . . . . . : 99C3850A96ECCAB0A9A366223616E9616E09C73147C196D499477EBB6121C327
Product . . . . . : TDSSKiller
Publisher . . . . : Kaspersky Lab ZAO
Description . . . : TDSS rootkit removing tool
Version . . . . . : 2.8.18.0
Copyright . . . . : © 1997-2013 Kaspersky Lab ZAO.
RSA Key Size . . . : 2048
Authenticode . . . : Valid
> Ikarus . . . . . . : Trojan.Crypt!IK