Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Could they be false positives, as redwolfe_98 suggested?
     
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    A few weeks ago, July 1, HitmanPro detected the same item on my Windows Vista x86 system.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}\ (CouponBar)
    I let HMP delete the item.
    On my Windows 7 x64 system, HMP did not detect that item.
    Both my Windows Vista x86 and Windows 7 x64 system have SpywareBlaster installed and its protection enabled.

    How do you know that item is an ActiveX killbit?
    Assuming that it is an ActiveX killbit, and that it was set by SpywareBlaster, I disabled all SpywareBlaster's protections, and then re-enabled all SpywareBlaster's protections - assuming that that might restore a killbit that was deleted by HMP, and I did a HMP scan. The mentioned item was not detected.
    What does this say? Nothing for sure.
    Perhaps the item is not an ActiveX killbit,
    or it was not set by SpywareBlaster,
    or disabling and re-enabling SpywareBlaster's protections did not restore the killbit,
    or it was no longer detected by HMP for another reason?
    Perhaps another possibility could be that the item was an ActiveX killbit, but that it wasn't set by SpywareBlaster, but by Spybot Search & Destroy 1.6.2, that was on my Windows Vista x86 system many years ago, but was never on my Windows 7 x64 system.

    Any other ideas, anyone?
    I look forward to Erik's or Mark's reply regarding this matter.
     
  3. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    The AdwCleaner info says "It runs with Windows XP, Vista, 7, 8 versions 32 & 64 bits."
    The Junkware Removal Tool info on Bleeping Computer, FossHub and Giga.de says "Windows XP, Vista, 7, 8."
     
  4. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    because i am familiar with activex-killbits.. the location of the regkey is for activex-killbits and the "value" that it has is "400", which is the appropriate "value" for activex-killbits..

    that was why i posted the screenshot, so that "surfright" could see that it was indeed an activex-killbit, which shouldn't be being flagged by "hitmanpro", and which shouldn't be removed..
     
  5. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Thanks very much.

    I could locate the registry entry, but I couldn't determine whether it was a legitimate entry or not.
    The thing is, there's a 2008 Spybot forum post Manual Removal Guide for CouponBar that instructs to delete the mentioned entry,
    HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
    Was that an incorrect instruction, or is it a non-legitimate registry entry? I cannot tell.

    Therefore, I'm still looking forward to Erik's or Mark's reply regarding this matter.
     
  6. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Fixed this detection on Windows 10. No update of HitmanPro is required, solved it via our cloud.

Note: HitmanPro did not detect MRT.exe as malware. The detection is on a registry key underneath "Image File Execution Options", which is usually only set by malware to disable security software, including MRT.exe. HitmanPro removes these registry entries so that, e.g., the Microsoft Malicious Software Removal Tool can still function normally, even in the presence of malware. The erroneous detection of the registry key only happened on Windows 10. Inadvertent removal of this particular registry entry did not cause any issues with MRT.exe, Windows or any other software.
     
  7. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro 3.7.9 build 244 BETA

Now that many adware and PUPs are moving towards the use of random folder and file names, we have begun employing HitmanPro's forensic capabilities to correlate and flag this crap. We have started attacking the MultiPlug adware, which typically looks like this (I am sure some of you have encountered something similar):

    C:\Program Files\Happpy2Save\A2G7EvGyAZwKqV.dat
    C:\Program Files\Happpy2Save\A2G7EvGyAZwKqV.dll
    C:\Program Files\Happpy2Save\A2G7EvGyAZwKqV.exe
    C:\Program Files\Happpy2Save\A2G7EvGyAZwKqV.tlb

    C:\Program Files\AUTToDEaLsApp\3Ako8eug2kMV0m.dat
    C:\Program Files\AUTToDEaLsApp\3Ako8eug2kMV0m.dll
    C:\Program Files\AUTToDEaLsApp\3Ako8eug2kMV0m.exe
    C:\Program Files\AUTToDEaLsApp\3Ako8eug2kMV0m.tlb

    C:\Program Files\DownSiave\dIIIj8iFr0QQS5.dat
    C:\Program Files\DownSiave\dIIIj8iFr0QQS5.dll
    C:\Program Files\DownSiave\dIIIj8iFr0QQS5.exe
    C:\Program Files\DownSiave\dIIIj8iFr0QQS5.tlb


From our telemetry, we see that it takes weeks or months for the EXE and/or DLL to be recognized by antivirus software on victim machines. But the TLB and DAT files, as well as the INI files associated with this crap, were left to remain on the PC forever. Fortunately, the new beta of HitmanPro will now detect and remove this MultiPlug PUP based on, e.g., how it is laid out on the local disk (the detection is not based on binary contents or activity). This more forensics-based approach ensures immediate detection of MultiPlug:

[screenshot: MultiPlug.PNG]

    The beta is available from our Beta download page: http://www.surfright.nl/en/downloads/beta
     
    Last edited: Jul 27, 2015
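The layout-based detection Mark describes above, as an added example that is not HitmanPro's own code: it flags a random-looking file stem under Program Files that has .dat/.dll/.exe/.tlb siblings, judging only the layout and never the file contents. The three MultiPlug folders are the ones quoted in the post; the leftover "FreeDealz" pair, the benign files and the randomness threshold are constructed assumptions for the example.

```python
# Added example, not HitmanPro's code. It flags the on-disk layout described in the
# post above: one random-looking file stem under Program Files with .dat/.dll/.exe/.tlb
# siblings, judged purely by layout, not by file contents. Sample paths are constructed
# (the three MultiPlug folders are the ones quoted in the post).
import ntpath
from collections import defaultdict

CORE_EXTS = {".dat", ".dll", ".exe", ".tlb"}


def looks_random(stem, min_len=10, min_switches=6):
    """Heuristic for machine-generated names: long, and the character class
    (upper/lower/digit) changes many times. Human-chosen names such as
    'DisplayFusion' or 'msvcr120' switch class only once or twice."""
    if len(stem) < min_len:
        return False

    def cls(ch):
        return "d" if ch.isdigit() else "u" if ch.isupper() else "l" if ch.islower() else "o"

    classes = [cls(c) for c in stem]
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return switches >= min_switches


def find_multiplug_clusters(paths):
    """Group files by (directory, stem) and return the groups matching the layout.
    A group is reported when it sits under Program Files, the stem looks random and
    at least two core extensions are present, so the .dat/.tlb leftovers that the
    post says survive after an antivirus removed the .exe/.dll are still caught.
    Each result: (directory, stem, present core extensions, all_four_present)."""
    groups = defaultdict(set)
    for p in paths:
        directory, name = ntpath.split(p)
        stem, ext = ntpath.splitext(name)
        groups[(directory, stem)].add(ext.lower())
    clusters = []
    for (directory, stem), exts in sorted(groups.items()):
        if "program files" not in directory.lower():
            continue
        present = exts & CORE_EXTS
        if looks_random(stem) and len(present) >= 2:
            clusters.append((directory, stem, sorted(present), present == CORE_EXTS))
    return clusters


# Constructed directory listing: the three folders from the post, one leftover pair
# under a made-up folder name after the .exe/.dll were removed, and benign files
# that must not match.
SAMPLE_PATHS = [
    r"C:\Program Files\Happpy2Save\A2G7EvGyAZwKqV.dat",
    r"C:\Program Files\Happpy2Save\A2G7EvGyAZwKqV.dll",
    r"C:\Program Files\Happpy2Save\A2G7EvGyAZwKqV.exe",
    r"C:\Program Files\Happpy2Save\A2G7EvGyAZwKqV.tlb",
    r"C:\Program Files\AUTToDEaLsApp\3Ako8eug2kMV0m.dat",
    r"C:\Program Files\AUTToDEaLsApp\3Ako8eug2kMV0m.dll",
    r"C:\Program Files\AUTToDEaLsApp\3Ako8eug2kMV0m.exe",
    r"C:\Program Files\AUTToDEaLsApp\3Ako8eug2kMV0m.tlb",
    r"C:\Program Files\DownSiave\dIIIj8iFr0QQS5.dat",
    r"C:\Program Files\DownSiave\dIIIj8iFr0QQS5.dll",
    r"C:\Program Files\DownSiave\dIIIj8iFr0QQS5.exe",
    r"C:\Program Files\DownSiave\dIIIj8iFr0QQS5.tlb",
    r"C:\Program Files\FreeDealz\Qx9pLm2Rt7vB3k.dat",   # constructed leftovers
    r"C:\Program Files\FreeDealz\Qx9pLm2Rt7vB3k.tlb",
    r"C:\Program Files\FreeDealz\Qx9pLm2Rt7vB3k.ini",
    r"C:\Program Files\DisplayFusion\DisplayFusion.exe",  # benign
    r"C:\Program Files\DisplayFusion\DFSSaver.scr",
    r"C:\Program Files\Common Files\msvcr120.dll",
    r"C:\Program Files\Vendor\VC_redist.x64.exe",
]

if __name__ == "__main__":
    for directory, stem, exts, complete in find_multiplug_clusters(SAMPLE_PATHS):
        state = "complete set" if complete else "leftovers only"
        print(f"{directory}\\{stem}  {exts}  ({state})")
```

The stem heuristic is deliberately loose: legitimate installers do sometimes use hashed file names, so a hit here is a correlation signal of the kind the post describes, to be combined with other evidence, not a verdict on its own.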
  8. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi Erik and Hi Mark

Can you check the one file and whitelist it, please? I used the FP function in the program to submit the file to you.

    With best Regards
    Mops21
     

  9. schemer

    schemer Registered Member

    Joined:
    Dec 18, 2014
    Posts:
    10
    Had a Display Fusion update today and then HP hit on this:

    DFSSaver.scr
    HEUR:Trojan.Win32.Generic

    I think it may be a false positive
     
  10. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    Erik, now that V3 of HMP.Alert has been released, would it be possible to take another look at this problem?

    XP drives still being flagged with bogus entries with the latest HMP version when running in Win8 32-bit.
     
11. Just installed HMP on a PC of a relative. Just noticed something (awkward), needed to set two firewall rules.

When the user chooses to install in a folder (HMP does remember that), the update runs from the temp folder (instead of the program files folder).
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Do you have a sha-256 of the files? Just double click the entry in the list.
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro only has port 80/443 outgoing connections. If you have a firewall that also filters outgoing traffic port 80/443 then you have to add two rules.

    The updater runs from the temp so that it can update the one in ProgramFiles. I think you do not need to create firewall rules for the updater in the temp as the updater does not do anything on the network.

    Hope this helps.
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I have no clue what this is. I am currently on vacation. When I am back I can have another look at it. Preferably with a remote session. Just send me a PM.
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I looked up the forensic cluster in our backend and the registry entry is actually created by CouponBar:

[screenshot: Forensic-CouponBar2.png]

    See this link on the CLSID:
    http://www.systemlookup.com/O16/350-cpbrkpie_cab.html

    Hope this helps.
     
    Last edited: Aug 2, 2015
  16. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Thanks very much, Erik.

    I can't say anything about HMP's backend.
If it is right, that would be in line with the 2008 Spybot forum post instruction that I mentioned.

    However, the SystemLookup entry that you mention, that is about
    CLSID {9522B3FB-7A2B-4646-8AF6-36E7F593073C}
    which is
    HKEY_CLASSES_ROOT\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
    And that is not the same as
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}

    So I still think perhaps redwolfe_98 could be right, who said the deleted ActiveX Compatibility key was an ActiveX killbit, guarding against CouponBar, not created by CouponBar.

    I can't tell who is right or wrong.

    P.S.
    Enjoy your vacation, Erik.
     
  17. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The forensic timeline comes from multiple end users with CouponBar. It is therefore right in that the key for certain is created by CouponBar.
    If other tools also create the key, then the key gets removed by HitmanPro.
     
  18. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
HMP (Kaspersky engine) complains about uTorrent 3.4.3.40760 (Riskware). It did not do this with previous builds of uTorrent.

    Is the Ignore selection only for the current scan? HMP complains about it again the next scan.
     
  19. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    This is not a FP!
    uTorrent is no longer trustworthy, because it installs a cryptocurrency miner....
     
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Thank you very much, Erik.

    If redwolfe_98 was right about
    HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
    being an ActiveX killbit,
    then I wonder why CouponBar puts its own killbit there.

    I'm looking forward to both Erik's and redwolfe_98's thoughts regarding this matter.
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Meh, I'd rather they actually detect what's malicious (the optional bundled stuff) instead of legit programs. I for one use it with settings.dat with Pimp my uTorrent.

    @Stupendous Man: I use SpywareBlaster and HMP didn't detect anything regarding that entry.
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    redwolfe_98 assumes that the key is only used as a kill-bit. This is not the case. As a matter of fact there are a whole bunch of flags you can put there to control the loading of the ActiveX object. The CouponBar installer writes one or a combination of these flags: https://msdn.microsoft.com/en-us/library/aa768234(v=vs.85).aspx
    Note: 0x400 is the kill-bit.

    Hope this helps.
     
    Last edited: Aug 3, 2015
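Both registry checks discussed in this thread, Mark's "Image File Execution Options" detection in post #6 and Erik's point here that the "Compatibility Flags" DWORD is more than a kill-bit, as one added example that is not HitmanPro's code. It parses a .reg export and reports IFEO subkeys carrying a Debugger value and ActiveX Compatibility subkeys with and without the 0x400 kill-bit. The IFEO and ActiveX Compatibility paths are the real Windows locations and the first CLSID is the one from this thread; the .reg contents, the Debugger target and the second CLSID are constructed for the example.

```python
# Added example, not HitmanPro's code. It reads a .reg export and applies the two
# checks this thread discusses: an IFEO "Debugger" value that redirects a security
# tool such as MRT.exe, and the ActiveX Compatibility "Compatibility Flags" DWORD,
# whose 0x400 bit is the kill-bit. All sample data below is constructed.
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options")
ACTIVEX_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                  r"\ActiveX Compatibility")
KILL_BIT = 0x400  # "Compatibility Flags" kill-bit, as stated in the thread

# Constructed .reg export: real key locations, the thread's CLSID, and a made-up
# Debugger target and second CLSID. Not taken from any real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe]
"Debugger"="C:\\Windows\\Temp\\example-redirect.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000020
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: data}}.
    dword values become ints, quoted strings have .reg escaping undone,
    anything else is kept as the raw text after '='."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                keys[current][name] = raw
    return keys


def _subkeys_under(keys, prefix):
    """Yield (subkey_name, values) for keys directly under prefix (case-insensitive)."""
    p = prefix.lower() + "\\"
    for path, values in keys.items():
        if path.lower().startswith(p):
            yield path[len(p):], values


def ifeo_debugger_entries(keys):
    """Return [(image, debugger)] for IFEO subkeys carrying a Debugger value.
    Windows starts the named debugger in place of the image, so an unexpected
    entry for a security tool such as MRT.exe is the situation Mark describes."""
    return [(image, values["Debugger"])
            for image, values in _subkeys_under(keys, IFEO_PREFIX)
            if "Debugger" in values]


def classify_activex_compat(keys):
    """Return {clsid: {"flags", "kill_bit", "other_flags"}} per ActiveX Compatibility
    subkey. kill_bit True means the entry blocks the control from loading (what a
    protective tool writes, and what the thread says an installer may also write);
    other_flags are the remaining bits, which only tune how the control loads."""
    result = {}
    for clsid, values in _subkeys_under(keys, ACTIVEX_PREFIX):
        flags = values.get("Compatibility Flags", 0)
        result[clsid] = {"flags": flags,
                         "kill_bit": bool(flags & KILL_BIT),
                         "other_flags": flags & ~KILL_BIT}
    return result


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for image, dbg in ifeo_debugger_entries(parsed):
        print(f"IFEO redirect: {image} -> {dbg}")
    for clsid, info in classify_activex_compat(parsed).items():
        print(f"{clsid}: flags=0x{info['flags']:X} kill_bit={info['kill_bit']}")
```

The point of splitting the DWORD is the one Erik makes: a scanner that treats every ActiveX Compatibility subkey as a kill-bit will both miss installer-written entries that carry other bits and misjudge what deleting an entry removes. Whether a 0x400 entry was written by a protective tool or by the adware itself cannot be told from the value alone; that is what the forensic timeline across machines is for.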
  23. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    What is the hash of the file that is listed?
     
  25. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    I don't know what value that key had on my system.
    redwolfe_98 said it had the 0x400 value.
    See redwolfe_98's posts #6672 and #6679.
     