Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  2. gotproblems

    gotproblems Registered Member

    Joined:
    May 2, 2013
    Posts:
    1
    Location:
    USA
    Hello,

    This is my first time on any of these threads here. I am here for a specific issue regarding trying to remove the FBI ransomware virus that freezes up your computer screen and the Hit Man procedure with the Kickstart USB drive.

    I have a Windows 7 64 bit laptop that I can use to create the Kickstart USB and that is what I have done. It seems that when I install Hitman Pro on this computer, I am required to install the 64 bit version of Hitman Pro, because my laptop is 64 bit.

    However, the infected computer is 32 bit and is Windows XP Pro.

    I have successfully created the stick with the 64 bit program on the laptop. However, when I try to use it on the infected computer, I am able to get to the screen where it prompts to boot from the USB and it boots from the USB successfully and begins to boot up windows but then the FBI virus comes on again and the window freezes.

    I wait and wait. I have waited up to 30 minutes and it stays frozen. Even though the computer seems to be booting from the Kickstart USB drive, it does not appear to be working because the Hitman Pro menu never comes up and it just stays frozen.

    Does anybody have any suggestions for what I am doing wrong or how to fix it? Any help is greatly appreciated. Thanks.

    OK, scratch all that. I chose to boot it up using the third option, the "Legacy Boot" and that one worked.

    What is the best way to keep this virus from ever coming back?
     
    Last edited: May 2, 2013
  3. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Glad to hear your troubles are gone.

    Download Hitman Pro and scan every file you download. :)
     
  4. er34

    er34 Guest

    eh, sorry, SweX - a typo ;) :p :thumb:
     
  5. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi gotproblems
    Do not Install it [them] by:-

    First and Foremost Stay away from Scumwear sites, and Never close a Pop-Up Window with the X, close as advised here:- how to safely close pop-ups.

    Take Care
    TheQuest :cool:
     
  6. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    IKARUS is at it again (IMO another false positive). The only vendor on VirusTotal and in HMP to flag this:

    Code:
    Properties
    Name	CmdTool.exe
    Location	C:\Program Files\Shadow Defender
    Size	336 KB
    Time	1.8 days ago (2013-05-01 15:18:56)
    Authenticode	Valid
    Entropy	6.7
    RSA Key Size	4096
    SHA-256	7AB326184C86235B3423765817D7CE69954C84FAF89D419F5A2A67715B8F7170
    
    Detection Names
    Ikarus	Win32.Virut!IK
    
    Scoring (105.0)
    One or more antivirus vendors have indicated that the file is malicious.
    The .rsrc (resources) section in this program is set to executable. This is an indication of malware infection.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Time indicates that the file appeared recently on this computer.
    Program contains PE structure anomalies. This is not typical for most programs.
    Program is code signed with a valid Authenticode certificate.
    
    
    
     
  7. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    No worries, it was a wonderful typo IMO :)
     
  8. whoknows4077

    whoknows4077 Registered Member

    Joined:
    May 4, 2013
    Posts:
    3
    Location:
    Texas
    First want to say thanks for all the good info on this site.

    I tried doing the usb boot. It said something like could not boot.

    Is there anything I can do?

    I can get into my computer using the...

    Directory Services Restore Mode (windows domain controllers only)


    can I go in there and then run the hitman program?

    Thanks
     
  9. whoknows4077

    whoknows4077 Registered Member

    Joined:
    May 4, 2013
    Posts:
    3
    Location:
    Texas
    Wow... that seems to be working. It is scanning now
     
  10. whoknows4077

    whoknows4077 Registered Member

    Joined:
    May 4, 2013
    Posts:
    3
    Location:
    Texas
    Well, I got it to scan. It found 12 things. I deleted them all and rebooted.... FBI virus still there.
    I am guessing it needs internet access to work properly?

    :(
    I have been messing with this for around 5 hours.

    Going to try and run Malwarebytes. I'm sure that won't work but it can't hurt.
     
  11. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    I think you will find it might need a second clean, #5225.

    Take Care
    TheQuest :cool:
     
  12. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi Erik

    Here are the VirusTotal results for my 6 files. I had to send 1 file to McAfee to check and analyze it; sorry for my late answer.

    SHA256: d29bcfa967c23c7264592576d62d95fa8c687e8662d19dccc73653a9efb6340d
    SHA1: cc2f600092b21deca57fae3ed74607166702a4f8
    MD5: a508314231c49aee86987cea3eaecad1
    Dateigröße: 367.5 KB ( 376320 bytes )
    Dateiname: winsrv.dll
    Datei-Typ: Win32 DLL
    Erkennungsrate: 0 / 46
    Analyse-Datum: 2013-05-09 12:06:51 UTC ( vor 0 Minuten )

    SHA256: 762fa277cc3d8baf673a8451cb35b0eae6bddf993ef035753c117da40ef95aad
    SHA1: 55a577039651761f6c674bc0604028c8af8f2766
    MD5: 9f3b7e778875b1200426c96e0c1da9ee
    Dateigröße: 10.6 MB ( 11111424 bytes )
    Dateiname: IEFRAME.DLL
    Datei-Typ: Win32 DLL
    Erkennungsrate: 0 / 46
    Analyse-Datum: 2013-05-09 12:10:59 UTC ( vor 0 Minuten )

    SHA256: cc847699ce885504142741ae46c8adfcdab33826522e37afa3f8d3aa071729bc
    SHA1: 314a721035e9c6dce54d29d32b8acbdd998e9f1b
    MD5: 820a1e94d41cce3ee2f8eb32f9b7fa25
    Dateigröße: 170.0 KB ( 174080 bytes )
    Dateiname: IE4UINIT.EXE
    Datei-Typ: Win32 EXE
    Erkennungsrate: 0 / 46
    Analyse-Datum: 2013-05-09 12:13:33 UTC ( vor 0 Minuten )

    SHA256: b93a70b1b4285e99c7e04369d650780921a00babd1df2d21ff1bb121bff04e86
    SHA1: 6f04d7dca634a7312e226eb0907f6ac485cf7492
    MD5: eff5c10c9793011a8fc93de7e7762ee3
    Dateigröße: 378.5 KB ( 387584 bytes )
    Dateiname: iedkcs32.dll
    Datei-Typ: Win32 DLL
    Erkennungsrate: 0 / 46
    Analyse-Datum: 2013-05-09 12:15:30 UTC ( vor 0 Minuten )

    SHA256: b452e9b41ab819810c29afdbcac0c0ed34cda7fe27d15be178065862b34c7e8b
    SHA1: 3984313e7e75687aa872c68bbf00fe59b89f8c9f
    MD5: 3c755701cbf21a612e1f6b1449f109ff
    Dateigröße: 3.1 MB ( 3219480 bytes )
    Dateiname: opr01CDO.tmp
    Datei-Typ: Win32 EXE
    Erkennungsrate: 0 / 46
    Analyse-Datum: 2013-05-09 12:35:57 UTC ( vor 0 Minuten )

    SHA256: 5274440ac2c1f40d5224009695b20ba9bfc4c5e24be4742aeae995791f819585
    SHA1: 8cdf0f74d423e13021bf8003bf9191a072dd51cf
    MD5: f7e72d3a281f922bacec1a71a826d4c2
    Dateigröße: 15.3 MB ( 16032648 bytes )
    Dateiname: npswf32.dll
    Datei-Typ: Win32 DLL
    Erkennungsrate: 3 / 46
    Analyse-Datum: 2013-05-09 12:39:40 UTC ( vor 1 Minute )
     
  13. rdm100

    rdm100 Registered Member

    Joined:
    May 12, 2013
    Posts:
    1
    Location:
    UK
    Hitmanpro removed the ukash police virus so I could access my computer again but now when I boot up the command prompt appears instead of just loading windows. If I just type explorer then windows does load.

    When the cmd window appears it reads:
    "C:\Users\User\Documents\69323f56.exe" is not recognised as an internal or external command, operable program or batch file.

    This file was removed by Hitmanpro as a "Remnant"

    Was this part of the trojan or have I deleted something that I really shouldn't have?

    Any help is welcome
     
  14. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    Considering the 'name' and the location of the executables, it seems to be part of the trojan, so you should be fine if it was cleaned. Try running Kickstart again to make sure there are no more remnants. After that, boot into Windows as usual and run HitmanPro to see if it finds any unwanted modification.
     
  15. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi Erik

    I have another 2 Files for you for the Whitelist

    Properties
    Name opr02GTX.tmp
    Location C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0003
    Size 2.4 MB
    Time 0.1 days ago (2013-05-14 16:31:01)
    Entropy 8.0
    SHA-256 0278CA43469653C69C3145E7C8A3034FD67045A275D33C5B51208179B9A80303

    Scoring (22.0)
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    The file name extension of this program is not common.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Time indicates that the file appeared recently on this computer.
    Program contains PE structure anomalies. This is not typical for most programs.

    Forensic Cluster
    -23.2s C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0003\opr02GSS.tmp
    -20.6s C:\Users\Alexander Robrecht\Desktop\Adobe Reader 11.0.3.exe
    * C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0003\opr02GTX.tmp
    2.3s C:\$Recycle.Bin\S-1-5-21-911542882-2029379874-2294310465-1000\$RQ9VCGL.exe
    13.4s C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0003\opr02GV0.tmp
    15.8s C:\$Recycle.Bin\S-1-5-21-911542882-2029379874-2294310465-1000\$RMAECSE.exe

    Properties
    Name NPSWF32_11_7_700_202.dll
    Location C:\Windows\system32\Macromed\Flash
    Size 15.3 MB
    Time 0.1 days ago (2013-05-14 16:56:19)
    Authenticode Valid
    Entropy 7.0
    RSA Key Size 2048
    SHA-256 70896F4F2EE4D13DD815774B9331F335BC86418E7C5FEBCC7A24846E7C87A10A

    Scoring (6.0)
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Program starts automatically without user intervention.
    Time indicates that the file appeared recently on this computer.
    Program is code signed with a valid Authenticode certificate.

    Startup
    HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer\

    References
    C:\Windows\system32\Macromed\Flash\flashplayer.xpt

    Forensic Cluster
    * C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll
    0.2s C:\Windows\System32\Macromed\Flash\FlashUtil32_11_7_700_202_Plugin.exe
    0.4s C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe
    2.5s C:\Windows\Prefetch\INSTALL_FLASH_PLAYER.EXE-071F76FB.pf
     

  16. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi Erik

    And here is the Scan Log for you

    Code:
    HitmanPro 3.7.3.194
    www.hitmanpro.com
    
       Computer name . . . . : ALEXANDERROB-PC
       Windows . . . . . . . : 6.0.2.6002.X86/2
       User name . . . . . . : AlexanderRob-PC\Alexander Robrecht
       UAC . . . . . . . . . : Enabled
       License . . . . . . . : Free
    
       Scan date . . . . . . : 2013-05-14 19:39:34
       Scan mode . . . . . . : EWS
       Scan duration . . . . : 13m 2s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 0
       Traces  . . . . . . . : 4
    
       Objects scanned . . . : 4.000.752
       Files scanned . . . . : 65.315
       Remnants scanned  . . : 2.322.056 files / 1.613.381 keys
    
    Suspicious files ____________________________________________________________
    
       C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0003\opr02GTX.tmp
          Size . . . . . . . : 2.533.380 bytes
          Age  . . . . . . . : 0.1 days (2013-05-14 16:31:01)
          Entropy  . . . . . : 8.0
          SHA-256  . . . . . : 0278CA43469653C69C3145E7C8A3034FD67045A275D33C5B51208179B9A80303
          Fuzzy  . . . . . . : 22.0
             Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
             The file name extension of this program is not common.
             Authors name is missing in version info. This is not common to most programs.
             Version control is missing. This file is probably created by an individual. This is not typical for most programs.
             Time indicates that the file appeared recently on this computer.
             Program contains PE structure anomalies. This is not typical for most programs.
          Forensic Cluster
             -23.2s C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0003\opr02GSS.tmp
             -20.6s C:\Users\Alexander Robrecht\Desktop\Adobe Reader 11.0.3.exe
              0.0s C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0003\opr02GTX.tmp
              2.3s C:\$Recycle.Bin\S-1-5-21-911542882-2029379874-2294310465-1000\$RQ9VCGL.exe
             13.4s C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0003\opr02GV0.tmp
             15.8s C:\$Recycle.Bin\S-1-5-21-911542882-2029379874-2294310465-1000\$RMAECSE.exe
    
    
    Early Warning Scoring _______________________________________________________
    
       C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll
          Size . . . . . . . : 16.033.160 bytes
          Age  . . . . . . . : 0.1 days (2013-05-14 16:56:19)
          Entropy  . . . . . : 7.0
          SHA-256  . . . . . : 70896F4F2EE4D13DD815774B9331F335BC86418E7C5FEBCC7A24846E7C87A10A
          RSA Key Size . . . : 2048
          Authenticode . . . : Valid
          Fuzzy  . . . . . . : 6.0
             Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
             Authors name is missing in version info. This is not common to most programs.
             Version control is missing. This file is probably created by an individual. This is not typical for most programs.
             Program starts automatically without user intervention.
             Time indicates that the file appeared recently on this computer.
             Program is code signed with a valid Authenticode certificate.
          Startup
             HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer\
          References
             C:\Windows\system32\Macromed\Flash\flashplayer.xpt
          Forensic Cluster
              0.0s C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll
              0.2s C:\Windows\System32\Macromed\Flash\FlashUtil32_11_7_700_202_Plugin.exe
              0.4s C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe
              2.5s C:\Windows\Prefetch\INSTALL_FLASH_PLAYER.EXE-071F76FB.pf
    
    
    
    
     
  17. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Hi Erik.
    FP uTorrentPortable.exe
    The analysis of the VT is negative 0/47.
     
    Last edited: May 17, 2013
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This was caused by removal of the ransomware. There is a new variant that replaces the explorer.exe Shell by cmd.exe Command Processor. When cmd.exe starts it executes the Command Processor AutoRun key, which is hijacked by the ransomware.

    If you want I can clean this up for you via a quick support session (cost free). Send me a PM if you still need help.

    A new build will go out in an hour that improves cleanup of this Reveton ransomware variant.
     
    Last edited: May 17, 2013
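The two persistence changes described in the post above (Winlogon Shell swapped to cmd.exe, and a Command Processor AutoRun value pointing at a dropped executable), plus the orphaned-AutoRun case behind the "is not recognised" prompt reported earlier in the thread, can be checked offline from a registry export. This is an added example, not HitmanPro's or the developer's code; it assumes the input is the text produced by `reg export` (.reg format), and the sample export below is constructed.

```python
import re
from typing import Callable, Dict, List, Tuple

# Winlogon's Shell value names the program started at logon (normally
# explorer.exe); Command Processor's AutoRun value is a command cmd.exe runs
# every time it starts. Both are the locations the post describes.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AUTORUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Command Processor",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor",
)

# Constructed sample export (not from a real machine); the AutoRun path reuses
# the file name from the cmd.exe error quoted earlier in the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="cmd.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="\"C:\\Users\\User\\Documents\\69323f56.exe\""
"CompletionChar"=dword:00000009
'''

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg format needed here: [key] headers and
    REG_SZ values. dword:/hex: data is skipped (not needed for this check)."""
    values: Dict[str, Dict[str, str]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            values.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            values[key][name] = _unescape(data[1:-1])
    return values


def check_shell_persistence(values: Dict[str, Dict[str, str]],
                            file_exists: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs: Shell hijack, AutoRun set, and an
    AutoRun whose target file is gone (what leaves cmd.exe printing the
    'not recognised' error after the dropped file has been removed)."""
    findings: List[Tuple[str, str]] = []
    shell = values.get(WINLOGON_KEY, {}).get("Shell", "explorer.exe")
    if shell.strip().lower() != "explorer.exe":
        findings.append(("shell-hijack", f"Winlogon Shell is {shell!r}, not explorer.exe"))
    for key in AUTORUN_KEYS:
        autorun = values.get(key, {}).get("AutoRun", "")
        if not autorun:
            continue
        findings.append(("cmd-autorun", f"{key}\\AutoRun = {autorun}"))
        target = autorun.strip().strip('"')
        if not file_exists(target):
            findings.append(("orphaned-autorun", f"AutoRun target no longer exists: {target}"))
    return findings


if __name__ == "__main__":
    import os
    for indicator, detail in check_shell_persistence(parse_reg_export(SAMPLE_EXPORT), os.path.exists):
        print(f"[{indicator}] {detail}")
```

On a real machine, export the two keys with `reg export` and feed the file to `parse_reg_export`; a clean system yields no findings.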
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you send me the hash? If you double click the item in HitmanPro you will get more details.
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro 3.7.5 Build 196 BETA

    Changelog
    • ADDED: Java exploit drive-by-download detection through forensic clustering.
    • IMPROVED: Forensic clustering.
    • IMPROVED: Detection of zero-day ransomware through forensic clustering.
    • IMPROVED: Detection and removal of malware starting via Command Processor (cmd.exe).
    • IMPROVED: Remnant scanner.
    • FIXED: On some computers keyboard was unresponsive in Kickstart BIOS Boot Menu
    • UPDATED: Kickstart 2.2

    Download
    http://www.surfright.nl/downloads/beta

    Please let me know how this new build runs on your system :thumb:
     
  21. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    is getting better and better and stronger and stronger:thumb: :thumb:
     
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Send private message.

    ______________________________

    FP solved
    TH Erik.
     
    Last edited: May 17, 2013
  23. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    No problems here with latest Beta, Windows 7 Home Premium SP x86.
     
  24. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi Erik

    I have some other Files for you for whitelist
     

  25. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi Erik

    Here is the Scan Log

    Code:
    HitmanPro 3.7.3.194
    www.hitmanpro.com
    
       Computer name . . . . : ALEXANDERROB-PC
       Windows . . . . . . . : 6.0.2.6002.X86/2
       User name . . . . . . : AlexanderRob-PC\Alexander Robrecht
       UAC . . . . . . . . . : Enabled
       License . . . . . . . : Free
    
       Scan date . . . . . . : 2013-05-17 19:36:28
       Scan mode . . . . . . : EWS
       Scan duration . . . . : 6m 32s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 0
       Traces  . . . . . . . : 14
    
       Objects scanned . . . : 3.951.098
       Files scanned . . . . : 65.210
       Remnants scanned  . . : 2.329.864 files / 1.556.024 keys
    
    Suspicious files ____________________________________________________________
    
       C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0003\opr02GTX.tmp
          Size . . . . . . . : 2.533.380 bytes
          Age  . . . . . . . : 3.1 days (2013-05-14 16:31:01)
          Entropy  . . . . . : 8.0
          SHA-256  . . . . . : 0278CA43469653C69C3145E7C8A3034FD67045A275D33C5B51208179B9A80303
          Fuzzy  . . . . . . : 22.0
             Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
             The file name extension of this program is not common.
             Authors name is missing in version info. This is not common to most programs.
             Version control is missing. This file is probably created by an individual. This is not typical for most programs.
             Time indicates that the file appeared recently on this computer.
             Program contains PE structure anomalies. This is not typical for most programs.
          Forensic Cluster
             -23.2s C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0003\opr02GSS.tmp
             -20.6s C:\Users\Alexander Robrecht\Desktop\Adobe Reader 11.0.3.exe
              0.0s C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0003\opr02GTX.tmp
             13.4s C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0003\opr02GV0.tmp
    
    
    Early Warning Scoring _______________________________________________________
    
       C:\Windows\system32\ie4uinit.exe
          Size . . . . . . . : 174.080 bytes
          Age  . . . . . . . : 3.0 days (2013-05-14 19:19:44)
          Entropy  . . . . . : 7.3
          SHA-256  . . . . . : F755180707084BB7BD7615162506625F7CB7E438B780A22CCE40DB75E8EF3768
          Product  . . . . . : Windows® Internet Explorer
          Publisher  . . . . : Microsoft Corporation
          Description  . . . : IE Per-User Initialization Utility
          Version  . . . . . : 8.00.6001.19418
          Copyright  . . . . : © Microsoft Corporation. All rights reserved.
          Fuzzy  . . . . . . : 11.0
             Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
             Program starts automatically without user intervention.
             Time indicates that the file appeared recently on this computer.
             The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
             The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
          Startup
             HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
             HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    
       C:\Windows\System32\iedkcs32.dll
          Size . . . . . . . : 387.584 bytes
          Age  . . . . . . . : 3.0 days (2013-05-14 19:19:45)
          Entropy  . . . . . : 6.0
          SHA-256  . . . . . : 87D8916679C98BB0C086B5096E864AC6317B0E294E4A1FD42A833BEB6F36FBD9
          Product  . . . . . : Windows® Internet Explorer
          Publisher  . . . . : Microsoft Corporation
          Description  . . . : IEAK branding
          Version  . . . . . : 18.00.6001.19418
          Copyright  . . . . : © Microsoft Corporation. All rights reserved.
          Fuzzy  . . . . . . : 6.0
             Program starts automatically without user intervention.
             Time indicates that the file appeared recently on this computer.
             The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
             The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
          Startup
             HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}\
    
       C:\Windows\System32\ieframe.dll
          Size . . . . . . . : 11.111.424 bytes
          Age  . . . . . . . : 3.0 days (2013-05-14 19:19:46)
          Entropy  . . . . . : 6.4
          SHA-256  . . . . . : 841A2DA1F516E4F3D20539A7632E09810BB9F3C7F60DEAED77A6C486B402FF1D
          Product  . . . . . : Windows® Internet Explorer
          Publisher  . . . . : Microsoft Corporation
          Description  . . . : Internet Explorer
          Version  . . . . . : 8.00.6001.19418
          Copyright  . . . . : © Microsoft Corporation. All rights reserved.
          Fuzzy  . . . . . . : 8.0
             Program starts automatically without user intervention.
             Time indicates that the file appeared recently on this computer.
             The file is in use by one or more active processes.
             The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
             The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
          Startup
             HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
             HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
             HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
          References
             HKLM\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
             HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
    
    
    
    
     