Hitman Pro Support and Discussion Thread

Hi Erik

Can you update the Site please it says Build 192 but it must be Build 193

http://www.surfright.nl/en/downloads/

 

I am getting this "Trojan warning" after I installed Build 193. I use BitDefender and it's pointing to trufo.sys. See image.

http://s1.bild.me/bilder/150113/4262902BD_trojan2.png

Loaded it to virustotal and it's clean.

~ VirusTotal Results Removed per Policy ~

 

hi erik

Here is another one FP for you to whitelist

SHA256: b452e9b41ab819810c29afdbcac0c0ed34cda7fe27d15be178065862b34c7e8b
SHA1: 3984313e7e75687aa872c68bbf00fe59b89f8c9f
MD5: 3c755701cbf21a612e1f6b1449f109ff
Dateigröße: 3.1 MB ( 3219480 bytes )
Dateiname: opr01CDO.tmp
Datei-Typ: Win32 EXE
Erkennungsrate: 0 / 46
Analyse-Datum: 2013-04-07 12:53:52 UTC ( vor 0 Minuten )

 

Hi erik

And here is my Scan Log

Code:

HitmanPro 3.7.3.193
www.hitmanpro.com

   Computer name . . . . : ALEXANDERROB-PC
   Windows . . . . . . . : 6.0.2.6002.X86/2
   User name . . . . . . : AlexanderRob-PC\Alexander Robrecht
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2013-04-07 14:42:16
   Scan mode . . . . . . : EWS
   Scan duration . . . . : 7m 18s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 10

   Objects scanned . . . : 3.886.756
   Files scanned . . . . : 60.160
   Remnants scanned  . . : 2.283.934 files / 1.542.662 keys

Suspicious files ____________________________________________________________

   C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0069\opr01CDO.tmp
      Size . . . . . . . : 3.219.480 bytes
      Age  . . . . . . . : 1.8 days (2013-04-05 19:09:16)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : B452E9B41AB819810C29AFDBCAC0C0ED34CDA7FE27D15BE178065862B34C7E8B
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 28.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         The file name extension of this program is not common.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.


Potential Unwanted Programs _________________________________________________

   HKLM\SOFTWARE\Classes\AppID\secman.DLL\ (Babylon)
   HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}\ (Babylon)
   HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ (Babylon)
   HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ (Babylon)
   HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1\ (Babylon)
   HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager\ (Babylon)
   HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\ (Babylon)

 

What is Surfright's stance on commercial/corporate keyloggers?
raymond.cc tested some antirootkit tools against 3 of them, HMP detected 1, flagged 1 as suspicious and failed to detect the last one.
http://www.raymond.cc/blog/10-antirootkits-tested-to-detect-and-remove-a-hidden-rootkit/

 

Good question.
Looking forward to the answer.

 

Hello guys,

I have been using HitmanPro for a while without any problems. Since the last two scans I get a message that I don't understand (see screenshot).

It reads

The only option is repair. But I dont want to do that because no file is indicated and I dont want to corrupt my system.

Can anyone help me?

Thank you!

 

Unless I missed it, have you folks changed the flag from excludefile to excludelist? I didn't notice it until now.

 

Got the same Trojan warning on 1 of my 3 Bitdefender Free installs.

 

HitmanPro 3.7.3 Build 194 BETA

Changelog

• FIXED: HitmanPro driver leaked some nonpaged kernel memory when scanning in Direct Disk Access mode.
• IMPROVED: Minor improvements to Compatible Disk Access mode.
• IMPROVED: Detection of zero-day Urausy ransomware through forensic file clustering.

Download: http://www.surfright.nl/downloads/beta

We've made a slight change to the driver. Please let me know how this version runs on your system! It should no longer leak nonpaged memory.

 

Can you send me your scan log via PM ?

 

Downloaded and ran latest beta, No problems to report. Scan took 2 minutes and 4 seconds.

 

Scan log sent via PM.

 

Hi Erik

I have 6 Files for the Whitelist for you

Properties
Name opr01CDO.tmp
Location C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0069
Size 3.1 MB
Time 6.0 days ago (2013-04-05 19:09:16)
Needs Elevation Yes
Entropy 8.0
SHA-256 B452E9B41AB819810C29AFDBCAC0C0ED34CDA7FE27D15BE178065862B34C7E8B

Scoring (28.0)
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
The file name extension of this program is not common.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.


Properties
Name winsrv.dll
Location C:\Windows\System32
Size 368 KB
Time 2.0 days ago (2013-04-09 19:30:53)
Entropy 6.6
Product Microsoft® Windows® Operating System
Publisher Microsoft Corporation
Description Multi-User Windows Server DLL
Version 6.0.6002.18804
Copyright © Microsoft Corporation. All rights reserved.
SHA-256 D29BCFA967C23C7264592576D62D95FA8C687E8662D19DCCC73653A9EFB6340D

Scoring (12.0)
Program is running but currently exposes no human-computer interface (GUI).
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is in use by one or more active processes.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

Startup
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows


Properties
Name ieframe.dll
Location C:\Windows\System32
Size 10.6 MB
Time 2.0 days ago (2013-04-09 19:30:57)
Entropy 6.4
Product Windows® Internet Explorer
Publisher Microsoft Corporation
Description Internet Explorer
Version 8.00.6001.19412
Copyright © Microsoft Corporation. All rights reserved.
SHA-256 762FA277CC3D8BAF673A8451CB35B0EAE6BDDF993EF035753C117DA40EF95AAD

Scoring (8.0)
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is in use by one or more active processes.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

Startup
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

References
HKLM\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\



Properties
Name ie4uinit.exe
Location C:\Windows\system32
Size 170 KB
Time 2.0 days ago (2013-04-09 19:30:55)
Entropy 7.3
Product Windows® Internet Explorer
Publisher Microsoft Corporation
Description IE Per-User Initialization Utility
Version 8.00.6001.19412
Copyright © Microsoft Corporation. All rights reserved.
SHA-256 CC847699CE885504142741AE46C8ADFCDAB33826522E37AFA3F8D3AA071729BC

Scoring (11.0)
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

Startup
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\


Properties
Name iedkcs32.dll
Location C:\Windows\System32
Size 379 KB
Time 2.0 days ago (2013-04-09 19:30:55)
Entropy 6.0
Product Windows® Internet Explorer
Publisher Microsoft Corporation
Description IEAK branding
Version 18.00.6001.19412
Copyright © Microsoft Corporation. All rights reserved.
SHA-256 B93A70B1B4285E99C7E04369D650780921A00BABD1DF2D21FF1BB121BFF04E86

Scoring (6.0)
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

Startup
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}\



Properties
Name NPSWF32_11_7_700_169.dll
Location C:\Windows\system32\Macromed\Flash
Size 15.3 MB
Time 2.1 days ago (2013-04-09 17:09:39)
Authenticode Valid
Entropy 7.0
RSA Key Size 2048
SHA-256 5274440AC2C1F40D5224009695B20BA9BFC4C5E24BE4742AEAE995791F819585

Scoring (6.0)
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
Program is code signed with a valid Authenticode certificate.

Startup
HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer\

References
C:\Windows\system32\Macromed\Flash\flashplayer.xpt

Forensic Cluster
* C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll
0.3s C:\Windows\System32\Macromed\Flash\FlashUtil32_11_7_700_169_Plugin.exe
0.5s C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_7_700_169.exe

 

Hi

And here is the Scan Log

Code:

HitmanPro 3.7.3.193
www.hitmanpro.com

   Computer name . . . . : ALEXANDERROB-PC
   Windows . . . . . . . : 6.0.2.6002.X86/2
   User name . . . . . . : AlexanderRob-PC\Alexander Robrecht
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2013-04-11 20:07:23
   Scan mode . . . . . . : EWS
   Scan duration . . . . : 4m 18s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 29

   Objects scanned . . . : 3.888.701
   Files scanned . . . . : 60.542
   Remnants scanned  . . : 2.280.433 files / 1.547.726 keys

Suspicious files ____________________________________________________________

   C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0069\opr01CDO.tmp
      Size . . . . . . . : 3.219.480 bytes
      Age  . . . . . . . : 6.0 days (2013-04-05 19:09:16)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : B452E9B41AB819810C29AFDBCAC0C0ED34CDA7FE27D15BE178065862B34C7E8B
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 28.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         The file name extension of this program is not common.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.


Potential Unwanted Programs _________________________________________________

   HKLM\SOFTWARE\Classes\AppID\secman.DLL\ (Babylon)
   HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ (Babylon)
   HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1\ (Babylon)
   HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager\ (Babylon)

Early Warning Scoring _______________________________________________________

   C:\Windows\system32\ie4uinit.exe
      Size . . . . . . . : 174.080 bytes
      Age  . . . . . . . : 2.0 days (2013-04-09 19:30:55)
      Entropy  . . . . . : 7.3
      SHA-256  . . . . . : CC847699CE885504142741AE46C8ADFCDAB33826522E37AFA3F8D3AA071729BC
      Product  . . . . . : Windows® Internet Explorer
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : IE Per-User Initialization Utility
      Version  . . . . . : 8.00.6001.19412
      Copyright  . . . . : © Microsoft Corporation. All rights reserved.
      Fuzzy  . . . . . . : 11.0
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Program starts automatically without user intervention.
         Time indicates that the file appeared recently on this computer.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
      Startup
         HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
         HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\

   C:\Windows\System32\iedkcs32.dll
      Size . . . . . . . : 387.584 bytes
      Age  . . . . . . . : 2.0 days (2013-04-09 19:30:55)
      Entropy  . . . . . : 6.0
      SHA-256  . . . . . : B93A70B1B4285E99C7E04369D650780921A00BABD1DF2D21FF1BB121BFF04E86
      Product  . . . . . : Windows® Internet Explorer
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : IEAK branding
      Version  . . . . . : 18.00.6001.19412
      Copyright  . . . . : © Microsoft Corporation. All rights reserved.
      Fuzzy  . . . . . . : 6.0
         Program starts automatically without user intervention.
         Time indicates that the file appeared recently on this computer.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
      Startup
         HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}\

   C:\Windows\System32\ieframe.dll
      Size . . . . . . . : 11.111.424 bytes
      Age  . . . . . . . : 2.0 days (2013-04-09 19:30:57)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : 762FA277CC3D8BAF673A8451CB35B0EAE6BDDF993EF035753C117DA40EF95AAD
      Product  . . . . . : Windows® Internet Explorer
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : Internet Explorer
      Version  . . . . . : 8.00.6001.19412
      Copyright  . . . . : © Microsoft Corporation. All rights reserved.
      Fuzzy  . . . . . . : 8.0
         Program starts automatically without user intervention.
         Time indicates that the file appeared recently on this computer.
         The file is in use by one or more active processes.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
      Startup
         HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
         HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
         HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
      References
         HKLM\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
         HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\

   C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll
      Size . . . . . . . : 16.032.648 bytes
      Age  . . . . . . . : 2.1 days (2013-04-09 17:09:39)
      Entropy  . . . . . : 7.0
      SHA-256  . . . . . : 5274440AC2C1F40D5224009695B20BA9BFC4C5E24BE4742AEAE995791F819585
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 6.0
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program starts automatically without user intervention.
         Time indicates that the file appeared recently on this computer.
         Program is code signed with a valid Authenticode certificate.
      Startup
         HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer\
      References
         C:\Windows\system32\Macromed\Flash\flashplayer.xpt
      Forensic Cluster
          0.0s C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll
          0.3s C:\Windows\System32\Macromed\Flash\FlashUtil32_11_7_700_169_Plugin.exe
          0.5s C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_7_700_169.exe

   C:\Windows\System32\winsrv.dll
      Size . . . . . . . : 376.320 bytes
      Age  . . . . . . . : 2.0 days (2013-04-09 19:30:53)
      Entropy  . . . . . : 6.6
      SHA-256  . . . . . : D29BCFA967C23C7264592576D62D95FA8C687E8662D19DCCC73653A9EFB6340D
      Product  . . . . . : Microsoft® Windows® Operating System
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : Multi-User Windows Server DLL
      Version  . . . . . : 6.0.6002.18804
      Copyright  . . . . : © Microsoft Corporation. All rights reserved.
      Fuzzy  . . . . . . : 12.0
         Program is running but currently exposes no human-computer interface (GUI).
         Program starts automatically without user intervention.
         Time indicates that the file appeared recently on this computer.
         The file is in use by one or more active processes.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
      Startup
         HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows

 

Solved. Thanks

 

Solved. Thanks

 

Do you still have the issue with the Build 194 (BETA)?
http://www.surfright.nl/downloads/beta

 

ATM we do not specifically search for Keyloggers. If we find it, then its 'behaving' suspiciously (Keyloggers generally do). In addition, when the keylogger is recognized by any of our partners in the cloud, then its listed as well.

Hope this helps.

 

HMP is good but Norton Power Eraser is better?! That's pretty odd.

 

Norton Power Eraser:

More is not always better

 

Ok, I see. Will the missed sample be added to HMP?

 

Norton Power Eraser could be compared to the EWS mode in HitmanPro. Every time that I run it I get at least half a dozen false positives. Symantec clearly states that it is a last resource scanner that should be used with extreme caution.

 

Without trying to put words in your mouth, but instead, seeking clarification, are you saying that you do or don't detect commercial monitoring software programs, such as eBlaster or Net Nanny?

 

hi erik, check your messages please.