HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
Hi, we'll put that on our test rig; for now you'll need to exclude Virtualbox.exe in the Anti-Exploit settings.

     
  2. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,760
    How do you do that without a license? :D
     
  3. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    The stupid way: set the date and time of the computer back to when the license was valid :confused:
    I'll put this one on the list to fix a way to do this via the GUI on an expired license.
     
  4. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    120
    Location:
    Netherlands
    Hi,

    HMPA (3.8.14 build 907) detects the following on a relative's computer when executing a Foxit Reader update:
    Code:
    Code execution was blocked because this program was dropped by a productivity application that is not meant to execute external scripts or introduce new code.
    
    Details:
    
    Mitigation   Lockdown
    Timestamp    2021-07-26T18:12:23
    
    Platform     10.0.19042/x64 v907 06_9e
    PID          11180
    WoW          x86
    Feature      007D0A36000003B6
    Application  C:\Users\<snip>\AppData\Local\Temp\is-H3RC6.tmp\Foxit PDFReader Setup.tmp
    Created      2021-07-26T18:11:08
    Description  Setup/Uninstall
    
    Filename     C:\Users\<snip>\AppData\Local\Temp\is-CA0OM.tmp\CountInstallation.exe
    Created By   C:\Users\<snip>\AppData\Local\Temp\is-H3RC6.tmp\Foxit PDFReader Setup.tmp
    
    Command line:
    "C:\Users\<snip>\AppData\Local\Temp\is-CA0OM.tmp\CountInstallation.exe" /version 11.0.0.49893 /green 0 /appname "Foxit PDF Reader" /productid 1 /ReaderLang nl_nl /AgentName "Foxit Reader(bundle PhantomStd)" /AgencyID 90 /isPhantom 0 /newuser 0 /IsWin10 1 /oldversion 10.1.4.37651 /oldversionagentid  /updaterinstall UpdateServer /uninstall 0 
    Is it necessary to disable the protection for the execution of this update?
     
    Last edited: Jul 26, 2021
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I just had Firefox 90.0.2 crash with HMP.A being the cause.
     

  6. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    HMP.A and 0patch seem to have developed an incompatibility. I went to visit Wilders Security using Internet Explorer on my Windows 7 machine, and HMP.A threw the following screen:
     
  7. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Crash with build 907. After that HitmanPro.Alert showed a 'Locked' message. Had to uninstall and reinstall build 907.

    Logboeknaam: Application
    Bron: Application Error
    Datum: 11-8-2021 08:18:08
    Gebeurtenis-id:1000
    Taakcategorie: (100)
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Naam van toepassing met fout: hmpalert.exe, versie: 3.8.14.907, tijdstempel: 0x60e7f03d
    Naam van module met fout: hmpalert.dll, versie: 3.8.14.907, tijdstempel: 0x60e768ab
    Uitzonderingscode: 0xc0000005
    Foutmarge: 0x0002172d
    Id van proces met fout: 0x13f4
    Starttijd van toepassing met fout: 0x01d78e7656b80861
    Pad naar toepassing met fout: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Pad naar module met fout: C:\Windows\System32\hmpalert.dll
    Rapport-id: aa842c79-620e-4ce4-9624-33605455a4c3

    Win10 21H1 build 19043.1165
     
  8. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Are any of these modules protected by 0Patch? Can you check that please?
     
  9. Rizzoli

    Rizzoli Registered Member

    Joined:
    Aug 11, 2021
    Posts:
    5
    Location:
    SoCal
    First time posting here. I was recently looking for updated drivers for my computer on the Dell website and HitmanPro.Alert detected a drive-by download on the page. I stupidly did not note the URL of the page I was on. Below is the info from HMP.A on the detection. Is my computer now infected? I scanned my computer with Windows Defender and nothing was found. I am not sure what anything in the report means and HMP.A says "Blocked 0". Should I reinstall my computer? Thanks for your help!

    Code:
    StackPivot | Microsoft Edge
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    
    The application was terminated because the memory location of the call stack had suddenly changed. This can happen on purpose in case of an exploit attack or unexpectedly when the application crashes.
    
    MITRE ATT&CK
    
    Drive-by Compromise - ID: T1189, Tactic: Initial Access
    
    Details
    
    Mitigation StackPivot
    Timestamp 2021-06-25T19:56:17
    
    Platform 10.0.19042/x64 v891 8f_60%
    PID 8848
    Feature 003D1A345FBF90B6
    Application C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Created 2021-06-13T21:34:42
    Description Microsoft Edge 91
    
    Callee Type LoadLibrary
    C:\WINDOWS\system32\rsaenh.dll
    
    RSP 0x0000005C8EFFE090
    Stack top 0x0000005C8F000000
    Stack bottom 0x0000005C8F800000
    Size 0x800000
    
    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFE5157AA02 KernelBase.dll LoadLibraryExW +0x162
    2 00007FFE51582ED1 KernelBase.dll LoadLibraryExA +0x31
    
    3 00007FFE50CA2CEE cryptsp.dll
    0f1f440000 NOP DWORD [RAX+RAX+0x0]
    488bf0 MOV RSI, RAX
    4885c0 TEST RAX, RAX
    0f8498060000 JZ 0x7ffe50ca3397
    baf8000000 MOV EDX, 0xf8
    b940000000 MOV ECX, 0x40
    48ff15a0ac0000 CALL QWORD [RIP+0xaca0]
    0f1f440000 NOP DWORD [RAX+RAX+0x0]
    4c8be0 MOV R12, RAX
    48898424a0000000 MOV [RSP+0xa0], RAX
    4885c0 TEST RAX, RAX
    0f84ab060000 JZ 0x7ffe50ca33d4
    488bd8 MOV RBX, RAX
    
    4 00007FFE514F22B5 wintrust.dll
    5 00007FFE514F1DE5 wintrust.dll WinVerifyTrust +0x45
    6 00007FFE0C0D1CC2 libsmartscreen.dll
    7 00007FFE0C0D17C8 libsmartscreen.dll
    8 00007FFE0C0D177B libsmartscreen.dll
    9 00007FFE0C0D2A0E libsmartscreen.dll
    10 00007FFE0C019610 libsmartscreen.dll
    
    Loaded Modules (159)
    -----------------------------------------------------------------------------
    00007FFE510A0000-00007FFE511A0000 hmpalert.dll (SurfRight B.V.),
    version: 3.8.9.891
    00007FFE4BA40000-00007FFE4BAE1000 WindowManagementAPI.dll (),
    version:
    00007FFE509B0000-00007FFE509C2000 UMPDC.dll (),
    version:
    00007FFE24720000-00007FFE2477C000 Windows.Internal.UI.Shell.WindowTabManager.dll (),
    version:
    00007FFE41F00000-00007FFE41FAC000 TextShaping.dll (),
    version:
    - MS skipped (154) -
    
    Process Trace
    1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848] 2021-06-25T19:53:36
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    2 C:\Windows\explorer.exe [4820] 2021-06-25T19:53:01
    3 C:\Windows\System32\userinit.exe [5536] 2021-06-25T19:53:01 23.2s
    4 C:\Windows\System32\winlogon.exe [1076] 2021-06-25T19:45:08
    winlogon.exe
    5 C:\Windows\System32\smss.exe [996] 2021-06-25T19:45:08 146ms
    \SystemRoot\System32\smss.exe 000000dc 00000084
    6 C:\Windows\System32\smss.exe [512] 2021-06-25T19:45:02
    \SystemRoot\System32\smss.exe
    
    Dropped Files
    1 C:\Users\xxx\AppData\Local\Temp\326bb9a0-a02e-4eee-8ec7-05a018bea474.tmp
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    2 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4b5d3a1d8653c567_0
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    3 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ad670da4d2136fbd_0
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    4 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a8a0066b126137ad_0
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    5 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3a9236f0e05504b4_0
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    6 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8980797c3b5e918c_0
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    7 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\482a4790319fddaa_0
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    8 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\df7c593c35881b4d_0
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    9 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\576d4636b81af675_0
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    10 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f8821ea8b24351e7_0
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    11 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1223ed92f72b5d2a_0
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    12 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\600c8c7b1fed5f9e_0
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    13 C:\Users\xxx\AppData\Local\Temp\5950d72e-7bd3-4588-8e42-1c9813907bc7.tmp
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    14 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e603eb28023ca9e7_0
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    15 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\ad2cef8f-824f-46b5-adf7-0fbbbccced4d.tmp
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    16 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Local State~RF9bc01.TMP
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    17 C:\Users\xxx\AppData\Local\Temp\acece30f-adcb-4715-93e0-a5055fa40196.tmp
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    18 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\bba60da9-503d-4bcc-80f8-74b772925c72.tmp
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    19 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences~RF9c4bb.TMP
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    20 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\636575cb-6f8d-4cc7-90cc-39e90c5f949a.tmp
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    Read by \Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.2105.5-0\MsMpEng.exe [3968]
    21 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF9c661.TMP
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    22 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF9c71c.TMP
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    23 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    24 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RF9f0fb.TMP
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    25 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\994059a39aa9e1e2_0
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    26 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\bb55ea8c-67c9-4e76-8ff5-bdad76c1655f.tmp
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    27 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Local State~RFa2152.TMP
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    28 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Safe Browsing\ChromeExtMalware.store_new
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    29 C:\Users\xxx\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFa4c2b.TMP
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    30 C:\Users\xxx\Desktop\9d07391a-a398-4529-93f1-e7ad9d4d7d45.tmp
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    Read by \Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.2105.5-0\MsMpEng.exe [3968]
    31 C:\Users\xxx\AppData\Local\Temp\7a12e3b2-31ff-4810-9700-5d14b31d72fe.tmp
    Dropped by \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8848]
    1 C:\Users\xxx\AppData\Local\D3DSCache\8c4ef25b5f12d6ac\52264C4C-172F-41B9-91B8-7F0C3B1E9021_VEN_1002&DEV_1636&SUBSYS_9E3&REV_C3.idx
    Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [4820]
    2 C:\USERS\xxx\APPDATA\ROAMING\MICROSOFT\WINDOWS\THEMES\CACHEDFILES\CACHEDIMAGE_1920_1080_POS4.JPG
    Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [4820]
    3 C:\Users\xxx\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001c.db
    Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [4820]
    4 C:\Users\xxx\AppData\Local\Microsoft\Windows\INetCache\IE\L9WYLPL8\Windows[1].json
    Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [4820]
    5 C:\Users\xxx\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db
    Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [4820]
    
    Thumbprints
    258e2bc60d1aec828484191d75c628813df6f966199ce1063c210278f2f6eb03
     
    Last edited: Aug 11, 2021
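The StackPivot section of the report above can be checked by hand. The following Python script is an added example, not code from the thread or from HitmanPro.Alert: it parses the report's key/value fields (a constructed excerpt using the addresses from the post) and tests whether the recorded RSP lies inside the thread's reported stack range. Here it falls 0x1F70 bytes below 'Stack top', which is exactly the "call stack location suddenly changed" condition the alert text describes.

```python
import re

# Constructed excerpt of the StackPivot alert posted above (addresses copied
# from the post); only the fields this script uses are reproduced.
SAMPLE_REPORT = """\
Mitigation StackPivot
Timestamp 2021-06-25T19:56:17
PID 8848
Application C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe

Callee Type LoadLibrary
C:\\WINDOWS\\system32\\rsaenh.dll

RSP 0x0000005C8EFFE090
Stack top 0x0000005C8F000000
Stack bottom 0x0000005C8F800000
Size 0x800000
"""

# Fields whose values are hexadecimal addresses or sizes.
HEX_FIELDS = ("RSP", "Stack top", "Stack bottom", "Size")
# Remaining "Key value" lines of interest (a key may contain one space).
KEY_RE = re.compile(r"^(Mitigation|Timestamp|PID|Application|Callee Type)\s+(\S.*)$")


def parse_report(text):
    """Turn the report's 'Key value' lines into a dict; hex fields become ints."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        for key in HEX_FIELDS:
            if line.startswith(key + " "):
                fields[key] = int(line[len(key):].strip(), 16)
                break
        else:
            m = KEY_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
    return fields


def stack_pivot_check(fields):
    """Return (rsp_inside_stack, distance_outside_in_bytes).

    On x64 Windows the stack grows downward: 'Stack top' is the lowest valid
    address (the limit) and 'Stack bottom' the highest (the base). A pivoted
    stack pointer lies outside the half-open range [top, bottom)."""
    rsp, top, bottom = fields["RSP"], fields["Stack top"], fields["Stack bottom"]
    assert bottom - top == fields["Size"], "report's Size disagrees with its bounds"
    if top <= rsp < bottom:
        return True, 0
    return False, (top - rsp) if rsp < top else (rsp - bottom)


def summarize(text):
    """Parse a report and state why StackPivot fired, for a triage note."""
    f = parse_report(text)
    inside, distance = stack_pivot_check(f)
    side = "below" if f["RSP"] < f["Stack top"] else "above"
    where = "inside" if inside else f"{distance:#x} bytes {side}"
    return (f"{f['Mitigation']} in PID {f['PID']} ({f['Callee Type']}): "
            f"RSP {f['RSP']:#018x} is {where} the reported stack")


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```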
  10. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Hi Rizzoli,

    This is probably an FP; please upgrade to the latest version (907), where this should be solved.
    StackPivot had a few tweaks over the last few versions because of some new Windows OS trickery.

    No need to take any further action unless it persists on version 907 also.

    "0 Blocked" refers to applications blocked by CryptoGuard/Anti-Ransomware; that is not the case here. It has terminated Edge and recorded the alert in the event log.
     
  11. Rizzoli

    Rizzoli Registered Member

    Joined:
    Aug 11, 2021
    Posts:
    5
    Location:
    SoCal
    I'm pretty sure I was already on 907. I can't check now.

    edit: just noticed above it says 3.8.9.891
     
    Last edited: Aug 11, 2021
  12. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    This alert is from version 891.
     
  13. Rizzoli

    Rizzoli Registered Member

    Joined:
    Aug 11, 2021
    Posts:
    5
    Location:
    SoCal
    OK, I guess I'm ok then. I don't remember exactly which Dell driver download page I was on when it happened but I'll try and trace my steps, thanks.
     
  14. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    I tried looking, but I just don't know which modules (or whose modules) I should be looking for in the 0patch list of patches. Give me some specific module names (DLLs) and I'll search for them, thanks!
     
  15. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Can you send screenshot(s) of the 'Patchable modules' list in the 0Patch interface to support@hitmanpro.com, or post them here?
     
  16. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    OK, here are the screenshots:
    [Five screenshots attached: 0patch patchable modules 1.png through 0patch patchable modules 5.png]
     
  17. Rizzoli

    Rizzoli Registered Member

    Joined:
    Aug 11, 2021
    Posts:
    5
    Location:
    SoCal
    I have a stupid question. My copy of HMP.A downloads HMP every time I run the Anti-Malware scan. Is there a way to install HMP so that it doesn't have to download every time I do the malware scan? Apologies if this has already been covered, this thread is really big! Thanks.
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Yes you can. Download from https://get.hitmanpro.com/. The first time you scan with it you should get an option to install. It will automatically pick up your HMP.A license.
     
  19. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    This kinda sucks, HMP used to be so fast to scan; I could complete a scan in about 2 min. Now, with relatively the same system, it takes closer to 20. Why is that?
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    HMP only takes a couple of minutes to scan my machines. I wonder if you have a program or AV that is scanning HMP while HMP scans?

    Are you connected to a VPN when you scan?
     
  21. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    I have no other AV, other than Windows Defender. Also, I've tried it with and without my VPN (Mullvad) and I've pretty much had the same result.
     
  22. Rizzoli

    Rizzoli Registered Member

    Joined:
    Aug 11, 2021
    Posts:
    5
    Location:
    SoCal
    Thank you.
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    :thumb:
     
  24. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Can you disable the 'scan for remnants' option and try again to see if that has any impact?
     
  25. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Oh, that absolutely makes a difference. But I feel more secure with it on. Even with that option on, scans never used to take this long.
     