HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    @erikloman
    @markloman
    I tested on two Windows 7 x64 systems.
    One with HMP.A 3.1.9.369 (which is still waiting for the automatic update)
    and one with HMP.A 3.1.10.373.
    I don't have any .VOB, .MPEG or .AVI files available, but I tested with a .MPG file.
    With HMP.A 3.1.9.369 the .MPG file played fine in Windows Media Player.
    With HMP.A 3.1.10.373 trying to play the .MPG file in Windows Media Player leads to a HMP.A ROP alert.
    With HMP.A 3.1.10.373 the .MPG file played fine in VLC media player.
    N.B.
    In the Event Viewer details, I see G Data InternetSecurity mentioned under Code Injection.
    I don't know whether that is any factor in the ROP alert issue.
    Code:
    Mitigation   ROP
    
    Platform     6.1.7601/x64 06_17*
    PID          3932
    Application  C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    Description  Windows Media Player 12
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  76044712 advapi32.dll             RegQueryInfoKeyW +0xdb
    2  7603E09B advapi32.dll             CryptGenRandom +0x153
    
    3  69E2FC9A msmpeg2adec.dll         
                8945e4                   MOV          [EBP-0x1c], EAX
                33f6                     XOR          ESI, ESI
                8b45dc                   MOV          EAX, [EBP-0x24]
                3bc6                     CMP          EAX, ESI
                e80530f4ff               CALL         0x69d72cae
                880b                     MOV          [EBX], CL
                0a20                     OR           AH, [EAX]
                c40505a018c9             LES          EAX, [0xc918a005]
    
    4  69E351BE msmpeg2adec.dll         
    5  69E289B1 msmpeg2adec.dll         
    6  69DA6A61 msmpeg2adec.dll         
    7  69DA834E msmpeg2adec.dll         
    8  6A50A566 quartz.dll              
    9  6A50A746 quartz.dll              
    10 6A50A6A0 quartz.dll              
    
    Code Injection
    00020000-00021000    4KB C:\Program Files (x86)\G DATA\InternetSecurity\AVKTray\AVKTray.exe [3144]
    1  C:\Program Files (x86)\G DATA\InternetSecurity\AVKTray\AVKTray.exe [3144]
    2  C:\Program Files (x86)\G DATA\InternetSecurity\AVK\AVKWCtlx64.exe [1216]
    
    
    
    
     
  2. COMPUTIAC

    COMPUTIAC Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    2
    Build 373 is working great. Win 10, 64.
     
  3. escalibur

    escalibur Registered Member

    Joined:
    Jun 29, 2013
    Posts:
    118
    Any word regarding ability to modify update check frequency?
     
  4. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Correction: Thanks for the info. I have updated my earlier post with the fact that I am only experiencing this issue with .MPG files in WMP 12. The .MPG files open fine in VLC, and the .AVI files open OK in both WMP 12 and VLC.
     
    Last edited: May 31, 2016
  5. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    422
  6. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    N.B.
    Your report was about WMP 12, but now you write WMP 10.
    I suppose you still mean WMP 12, not 10?
     
  7. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I just made a typo (fixed). Windows Media Player 12 was released with Windows 7, and as far as I know WMP 10 is not available for this OS.

    The Event Viewer details are shown as follows ...

    Mitigation   ROP

    Platform     6.1.7601/x86 06_3a
    PID          4736
    Application  C:\Program Files\Windows Media Player\wmplayer.exe
    Description  Windows Media Player 12

    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  767A4712 advapi32.dll             RegQueryInfoKeyW +0xdb
    2  7679E09B advapi32.dll             CryptGenRandom +0x153

    3  592088B1 msmpeg2adec.dll
                8945e4                   MOV          [EBP-0x1c], EAX
                33f6                     XOR          ESI, ESI
                8b45dc                   MOV          EAX, [EBP-0x24]
                3bc6                     CMP          EAX, ESI
                e8eea3f4ff               CALL         0x59152cae
                880b                     MOV          [EBX], CL
                0a20                     OR           AH, [EAX]
                c40505a018c9             LES          EAX, [0xc918a005]

    4  59207C7C msmpeg2adec.dll
    5  59211BAC msmpeg2adec.dll
    6  59186A61 msmpeg2adec.dll
    7  5918834E msmpeg2adec.dll
    8  58B2A566 quartz.dll
    9  58B2A746 quartz.dll
    10 58B2A6A0 quartz.dll
     
  8. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Today HMP.A failed to update on two machines, out of 15.

    HMP.A was gone, not showing in the system tray, nor in Programs in the Control Panel.

    After reinstalling, HMP.A showed only a trial licence,
    but I was able to insert the licence key and activate HMP.A again.

    As much as I love HMP.A, I'm tired of babysitting each and every machine it's installed on.
     
    Last edited: Jun 1, 2016
  9. Man van het noorden

    Man van het noorden Registered Member

    Joined:
    Jun 26, 2014
    Posts:
    12
    Location:
    NL
    To summarize: In my case I see the following happening with build 373 (and also with build 372, and probably a few earlier builds...):

    Windows Media Player: .MPEG , .MPG , .AVI, .VOB -> Unable to play, getting a ROP (unless I disable Control Flow Integrity for WMP).

    Media Monkey: .MPEG , .MPG , .AVI, .VOB -> No problems playing.

    These are only the most common media type files I have, so I can't exclude there are more 'problem' media type files. However, .MP4 files are working fine in both WMP and Media Monkey.
     
  10. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
  11. OMF PhD

    OMF PhD Registered Member

    Joined:
    Jan 19, 2016
    Posts:
    6
    @erikloman


    The latest HitmanPro.Alert build 373 is flipping out all over my Chrome, nothing on Fox though. I first thought that it was due to Chrome v51 being out and I was on v50, but it keeps giving me intruder alerts on all tabs and search engines.

    I ran the HitmanPro scan repeatedly, I ran BitDefender, MalwareBytes and Emsisoft Emergency Kit (all the latest versions) and none of them found anything. The first scan found the typical tracking cookies, but after those were removed all scans after multiple tries came back totally clean with no threats or suspicions or even PUPs, but I constantly get Intruder Alert warnings.

    This is what came up on Chrome 50 (Chrome 51 below, with screenshots of the short message alerts below that):

    And here are some screenshots of the shorter alerts:

    Last edited by a moderator: Jun 1, 2016
  12. OMF PhD

    OMF PhD Registered Member

    Joined:
    Jan 19, 2016
    Posts:
    6
    Don't ask me how or why, but it seems just a simple cold boot fixed the problem. I know I rebooted my system at least a few times after HMPA's last update that said it would take effect after reboot and I rebooted my system after BitDefender (the cause of HMPA flipping out on my browsers with Intruder Alerts) told me to reboot after an update last night. I guess it needed another reboot with both updated so they could hop into bed again, I don't know. LOL!
     
  13. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    This just popped up whilst Cyberfox was in the background (wasn't even using it at the time).

    Mitigation   ROP

    Platform     6.3.9600/x64 06_3c
    PID          4888
    Application  C:\Program Files\Cyberfox\Cyberfox.exe
    Description  Cyberfox 46.0.2

    Callee Type  ProtectVirtualMemory
                 0x00000043F1AAA000 (4096 bytes)

    Branch Trace                             Opcode   To
    ---------------------------------------- -------- ----------------------------------------
    0x00007FFD29A2BDE7 xul.dll               RET      0x00007FFD29A2B0E6 xul.dll
    0x00007FFD29A2342F xul.dll               RET      0x00007FFD29A2BDD5 xul.dll
    0x00007FFD29B527A4 xul.dll               RET      0x00007FFD29A23425 xul.dll
    0x00007FFD29AEDCAF xul.dll               RET      0x00007FFD29A23415 xul.dll
    0x00007FFD29B527A4 xul.dll               RET      0x00007FFD29AEDCA5 xul.dll
    0x00007FFD29AEDCC5 xul.dll               RET      0x00007FFD29A2BDB0 xul.dll
    0x00007FFD29A2BE4C xul.dll               RET      0x00007FFD29A2B0C4 xul.dll
    0x00007FFD29A2342F xul.dll               RET      0x00007FFD29A2BE47 xul.dll
    0x00007FFD29B527A4 xul.dll               RET      0x00007FFD29A23425 xul.dll
    0x00007FFD29AEDCAF xul.dll               RET      0x00007FFD29A23415 xul.dll
    0x00007FFD29B527A4 xul.dll               RET      0x00007FFD29AEDCA5 xul.dll
    0x00007FFD29AEDCC5 xul.dll               RET      0x00007FFD29A2BE26 xul.dll
    0x00007FFD299FA51E xul.dll               ~ RET*   NtWaitForMultipleObjects +0xa
                                                      0x00007FFD4FFD0C6A ntdll.dll
                004889                   ADD          [RAX-0x77], CL
                0424                     ADD          AL, 0x24
                c3                       RET

    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFD4D444CE3 KernelBase.dll           VirtualProtectEx +0x33
    2  00007FFD4D444C9B KernelBase.dll           VirtualProtect +0x1b

    3  00007FFD29ADB0CA xul.dll                  ?SetJitExceptionHandler@js@@YAXP6AJPEAX0@Z@Z +0x10a
                85c0                     TEST         EAX, EAX
                0f95c0                   SETNZ        AL
                4883c428                 ADD          RSP, 0x28
                c3                       RET

    4  00007FFD29724DFC xul.dll
    5  00007FFD29A2B0FC xul.dll
    6  00007FFD29A2AEE7 xul.dll
    7  00007FFD29A311EA xul.dll
    8  00007FFD29A3195A xul.dll
    9  00007FFD29A33725 xul.dll
    10 000001EDC70524B7 (anonymous; xul.dll)

    Code Injection
    0000000000430000-0000000000436000   24KB C:\Program Files\Sandboxie\SbieSvc.exe [1208]
    0000000000440000-0000000000441000    4KB
    00007FFD4FF58000-00007FFD4FF59000    4KB

    Process Trace
    1  C:\Program Files\Cyberfox\Cyberfox.exe [4888]
    2  C:\Windows\explorer.exe [3172]
    3  C:\Windows\System32\userinit.exe [3076]

    Also of interest when I checked the historical data on process explorer, hmpalert.exe was using about 15% of cpu cycles steadily until cyberfox got killed.
     
  14. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    First, if your security programs have not found anything, consider the possibility that one of your Chrome extensions has a conflict with HMPA and is causing a false alert.

    Try temporarily disabling your Chrome extensions and see if that stops the alerts. Then enable them one at a time until you get another alert. Then you will possibly have a suspect extension that Erik can test with to hopefully fix the issue.

    Chrome 50 & 51 are working fine here with 373, but I have a different set of extensions than you, with the exception of Privacy Badger. That is not causing me any pain. I noticed that one on your screen shot.
     
  15. OMF PhD

    OMF PhD Registered Member

    Joined:
    Jan 19, 2016
    Posts:
    6
    Yeah that was the first thing I tried, and it didn't matter. At first I thought it was only in Chrome, but then when I went over to my Fox browser (I use both Chrome & Fox simultaneously for basically different things) and restarted it, Fox started doing it too. That's when I started looking up the things in the actual Alert tech sheets and they all basically pointed to BitDefender's Active Virus Control Folder. I then realized it was basically HMPA and BD not getting along. I decided to do another reboot, because I noticed the font on my stickynotes changed and figured something didn't load right on my last reboot after I got BSOD. I'm on an i7 5960 OCed to 4.63 and I tried pushing it to 4.71, which went well till I got BSODed when encoding and doing my usual multitasking. I put it back to 4.63 and just booted her up going back to business as usual. A few hours ago is when it started flipping out on my browsers and after I noticed my stickynotes not right... anyway another cold boot and everything seems back to normal.
     
  16. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Glad you got it sorted! It's amazing that with all these various programs we are not in the ditch more often with conflicts. Respect to Erik & Mark for dealing with this convoluted space and giving us an awesome program to cover our a@@es.
     
  17. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    auto-updated: HitmanPro.Alert 3.1.10 build 373

    On Windows 10 x64. No issues so far.
     
  18. darkwolf_99

    darkwolf_99 Registered Member

    Joined:
    Oct 28, 2008
    Posts:
    36
    Build 373 works well in my win10x64 with SSF and SBie so far
     
  19. agch

    agch Registered Member

    Joined:
    Oct 21, 2015
    Posts:
    5
    Build 373 runs perfectly on Win7-64 with Emsisoft Antimalware & Comodo Firewall (Hips disabled) :thumb:
     
  20. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    Users are reporting that 373 now works with Rapport for their banking.
     
  21. Blutarsky

    Blutarsky Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    148
    Man you made my day! I was so frustrated!!
     
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    @erikloman
    @markloman
    On my Windows 7 x64 installation with HMP.A 3.1.10.371, the new 3.1.10.373 was offered by automatic update, that same day.
    However, on my Windows 7 x64 installation with HMP.A 3.1.9.369, the new 3.1.10.373 is still not offered by automatic update.
    I know from the past that recent HMP.A beta/ test/ prerelease installations are updated first, and the less recent test and stable versions are updated somewhat later.
    But by now, five days have passed.
    Shouldn't HMP.A 3.1.9.369 (and 3.1.9.368, the previous general availability release) be automatically updated, by now?
    Or is automatic update disabled, perhaps, because of reported issues, like the reported WMP ROP alerts?
     
    Last edited: Jun 6, 2016
  23. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    OK, WMP is embedded into the OS... but is there still someone who in 2016 uses it as a media player? :argh:
     
    Last edited: Jun 4, 2016
  24. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Yup. Most of my default media file associations are set to WMP 12. It's a part of Windows and should not be broken.

    But seriously, who uses any media players much in 2016? The web browser is where it's happening now. Streaming content is so much better than storing a bunch of offline files. That is so last century!

    I also have VLC. If I plan to really watch something offline, I will choose "open with: VLC". But for short video clips and such, WMP is good enough. And if I listen to my mp3 library, it is usually with WMP. I tossed iTunes long ago ...
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Afraid I am going to stay last century. Problem with streaming video is how do you stream it if the site takes it down?
     