HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Libraman

    Libraman Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    198
  2. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
    You're not alone. This has been happening for me for over three years:
    https://www.wilderssecurity.com/thr...iscussion-thread.324841/page-336#post-2557539
     
  3. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    With HTMPA you feel like you're being hacked every single day, so I wouldn't be worried too much; by simply opening trusted Word documents you made yourself with Kingsoft Office, wps.exe, or downloading wallpapers via Steam (like Wallpaper Engine) you get all sorts of reports of this kind.
     
  4. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
  5. Sand

    Sand Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    26
    Mitigation CodeCave
    Timestamp 2019-03-30T21:20:19

    Platform 10.0.17763/x64 v777 06_5e
    PID 16080
    Feature 00170A30000001A2
    Application D:\CTLInfo.exe
    Created 2019-03-30T21:15:52
    Modified 2019-03-30T21:15:53
    Description CTLInfo.exe

    Intersectional control flow detected!

    Loaded Modules

    SHA256:
    877b54ad30e13bd229ab81c4d5ddf4c154c27190a4b307783e55e16a421fc4dd

    Process Trace
    1 D:\CTLInfo.exe [16080] 2019-03-30T21:20:19
    2 C:\Windows\explorer.exe [3472] 2019-03-30T20:42:39
    3 C:\Windows\System32\userinit.exe [3348] 2019-03-30T20:42:39 23.8s

    Thumbprint
    f90da0a0c296eb839a26676d2ea78bcf393a53cc5cbf577b83f5826781d8cb9a
     
  6. Sand

    Sand Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    26
    I have a question about compatibility, can we use HitmanPro.ALERT, alongside 0patch?

    I saw HitmanPro.Alert detects **** Remote allocation of shellcode ****

    Adding the 0PatchServicex64.exe to exclusions, seems to fix the problem:

    Example:

    Mitigation HeapHeapProtect
    Timestamp 2019-04-04T20:15:04

    Platform 10.0.17763/x64 v777 06_5e
    PID 7524
    Feature 00170A30000003A2
    Application C:\Program Files (x86)\0patch\Agent\0PatchTray.exe
    Created 2019-03-01T13:22:50
    Modified 2019-03-01T13:22:50
    Description 0patch Tray 19.3.1

    Shellcode (HHA) (0x00004000 bytes)
    Owner of CALLER: (anonymous; allocated from 0PatchServicex64.exe:5940)

    **** Remote allocation of shellcode ****
    Allocated by C:\Program Files (x86)\0patch\Agent\0PatchServicex64.exe - PID: 5940

    OwnerModuleName: 0PatchServicex64.exe
    OwnerModuleThumbprint: d1ccd930ed844b74fdd75dbca9da9e5313e60768977c156f2a07c9f9b99fa154

    71AF0054 ff55c4 CALL DWORD [EBP-0x3c]
    71AF0057 8bd8 MOV EBX, EAX
    71AF0059 85db TEST EBX, EBX
    71AF005B 751e JNZ 0x71af007b
    71AF005D ff55c8 CALL DWORD [EBP-0x38]
    71AF0060 8945f8 MOV [EBP-0x8], EAX
    71AF0063 eb16 JMP 0x71af007b
    71AF0065 8d8592fdffff LEA EAX, [EBP-0x26e]
    71AF006B 50 PUSH EAX
    71AF006C ff55d0 CALL DWORD [EBP-0x30]
    71AF006F 8bd8 MOV EBX, EAX
    71AF0071 85db TEST EBX, EBX
    71AF0073 7506 JNZ 0x71af007b
    71AF0075 ff55c8 CALL DWORD [EBP-0x38]
    71AF0078 8945f8 MOV [EBP-0x8], EAX
    71AF007B 56 PUSH ESI


    Loaded Modules

    It creates about 50 events within a few seconds, inside other services too.
     
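    A triage helper for reports like the one above, added here as an example (not code from HitmanPro.ALERT, 0patch or the poster): it parses the fields of a HeapHeapProtect report and separates a cross-process allocation by an allow-listed injector (a known false positive such as the 0patch agent) from a remote allocation by an unknown process. The sample report is constructed from the post's format, and the `KNOWN_INJECTORS` allow list is a hypothetical, administrator-maintained list.

```python
import re

# Constructed sample, modelled on the HitmanPro.Alert report quoted in the post
SAMPLE_REPORT = """\
Mitigation HeapHeapProtect
Timestamp 2019-04-04T20:15:04

Platform 10.0.17763/x64 v777 06_5e
PID 7524
Feature 00170A30000003A2
Application C:\\Program Files (x86)\\0patch\\Agent\\0PatchTray.exe

Shellcode (HHA) (0x00004000 bytes)
Owner of CALLER: (anonymous; allocated from 0PatchServicex64.exe:5940)

**** Remote allocation of shellcode ****
Allocated by C:\\Program Files (x86)\\0patch\\Agent\\0PatchServicex64.exe - PID: 5940
"""

# Hypothetical allow list: processes known to write code into other processes
# for a legitimate reason (hot-patching agents, some security tools).
KNOWN_INJECTORS = {"0patchservicex64.exe"}


def parse_report(text):
    """Extract the fields that matter for triage from one mitigation report."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(Mitigation|Timestamp|PID|Application)\s+(.+)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    m = re.search(r"^Allocated by (.+?) - PID: (\d+)$", text, re.M)
    if m:
        fields["AllocatedBy"] = m.group(1)
        fields["AllocatorPID"] = m.group(2)
    fields["Remote"] = "Remote allocation of shellcode" in text
    return fields


def triage(fields):
    """Return 'local', 'known-injector' or 'remote-unknown'."""
    if not fields.get("Remote"):
        return "local"
    allocator = fields.get("AllocatedBy", "")
    name = allocator.replace("\\", "/").rsplit("/", 1)[-1].lower()
    # The suspicious part is executable memory written by another process;
    # only an allow-listed allocator with a PID different from the target
    # is treated as an expected false positive.
    if name in KNOWN_INJECTORS and fields.get("AllocatorPID") != fields.get("PID"):
        return "known-injector"
    return "remote-unknown"
```

    Anything classified as `remote-unknown` is the case worth keeping as an alert rather than excluding.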
  7. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    When I tried to format a USB drive from Windows Explorer HMP.A intercepted "Windows 10" and "broke" my USB drive.

    I had to format it on macOS as Windows 10 refused to do that any longer after HMP.A aborted the first attempt.
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    I haven't seen detections here, with both 0patch and HMP.A installed.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That just confirmed HMPA is working. Try again with the following. Go to the Risk Reduction block, then Cryptoguard. Uncheck the MBR box. Then the format should work. Just remember to recheck the box when you are done.
     
  10. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    > That just confirmed HMPA is working.

    Then HMPA has not been working correctly for a long time; I never got such an interception when formatting a USB drive before...
     
  11. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I recently formatted a new USB flash drive before creating a bootable drive on it. Did not encounter any HMPA intercepts, but that would be expected as I had not yet written an MBR to it.

    But based on this report, I would expect the MBR that is now on that USB to be protected.
     
  12. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    I did not change anything and now I can format the same USB drive again, without HMP.A interception.
     
  13. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Is it a bootable USB drive with an MBR? Or just a disk partition used for data storage?
     
  14. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    A USB thumb drive formatted with the default settings (Windows 10).

    I don’t think that’s bootable?
     
  15. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Yes that's correct, a Windows format alone will not do that.

    It's only bootable if you ran a program to load a bootable image onto the USB drive, such as a Windows repair disk.
     
  16. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Good news:
    I just upgraded win10 1809 to 1903 build 18362.53, while HMP.A was installed and running.
    It caused no issue.
     
  17. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Thanks for the good news!

    This past weekend I just updated Win10 1803 to 1809. I uninstalled HMPA and my AV before the update, just to ensure nothing got blocked during the update process. This has become SOP for me! Maybe unnecessary, but it makes me feel good!
     
  18. TerryM

    TerryM Registered Member

    Joined:
    Apr 29, 2009
    Posts:
    9
    Ran HitmanPro.Alert and quarantined a suspicious file. Caused massive computer problems. Anyone know how to unquarantine a file. Cannot seem to find a setting to do this. Thanks.
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Just received auto update from 775 to 779.
     
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    I don't know if there is a way to access quarantined files in HitmanPro.Alert. This may even be a flaw in HitmanPro.Alert.
    However, as the "Scan computer" option in HitmanPro.Alert runs HitmanPro, you can access quarantined files via the HitmanPro interface.
    If you haven't installed the separate HitmanPro application, you can download it from the HitmanPro website. Choose the green "FREE 30-Day Trial" button and download, run and next choose to install HitmanPro. The HitmanPro license is included in the HitmanPro.Alert license, and if HitmanPro.Alert is installed already, the license is automatically accepted in HitmanPro when that is being installed.
    Next, open the installed HitmanPro application if it isn't already open, click the Settings button, and then go to the History tab. Under History, you see Quarantine and Logs. In Quarantine, you should be able to select the quarantined file and then select Restore and confirm with OK. I hope that fixes your problems. After restoring the quarantined file and closing the HitmanPro application, a system reboot may be advisable, to make sure the restore is successful.
     
    Last edited: Apr 26, 2019
  21. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    I received the auto update Wednesday, April 24, on my two systems.
     
  22. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I got the auto update to 779 this week. Running smoothly so far!
     
  23. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    575
    The 779 update arrived on my Windows 7 PC a couple of days ago. Last night I ran a manual scan, and just as HMP.A was about to delete the selected items, the computer blue-screened with a 7E error code.

    Don't know if this was a coincidence. After rebooting, I ran another manual scan as a test, but there was nothing to delete so the scan finished without incident. Will try again after surfing the Web for a while to accumulate a few cookies to delete.
     
  24. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The keystroke encryption prompt pops up at the lower right corner of the screen when I'm typing. It is really annoying since it covers the messenger box when I'm typing in sites like Facebook and MeWe. Can the prompt be disabled so that HMPA continues to encrypt my keystrokes, but does not notify me with the prompt?
     