Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. ivan2k2

    ivan2k2 Registered Member

    Re: Trojan Popureb.E

    Actually Microsoft advised fixing MBR, not reinstalling OS.
    "If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state."
    Link with proof: -http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx
     
  2. erikloman

    erikloman Developer

    Re: Trojan Popureb.E

    Microsoft updated the article recently.

    See also here and the Editors note:
    www.computerworld.com/s/article/9217953/Rootkit_infection_requires_Windows_reinstall_says_Microsoft
     
  3. Baserk

    Baserk Registered Member

    Some quite different opinions in the Computerworld article mentioned above and different blogs;

    Feng Chun, Microsoft engineer; link
    "If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state," said Feng.

    Symantec chiming in;
    "Reinstalling is definitely overkill for this malware problem," said Vikram Thakur, principal security response manager with Symantec, in an interview today. "It can be resolved simply by fixing the MBR via an external disk."

    CA blog concurs; link
"Some reports found on Internet stated a full reinstall is needed but our experience in laboratory shows that using some tools can resolve the problem without a reinstall required.
An example is the use of FixMBR or MBRFix tools which are really helpful to quickly solve this kind of threat."

    According to Dell SecureWorks;
    Joe Stewart, director of malware research at Dell SecureWorks, said that reinstalling Windows was the only way to insure that MBR rootkits and the additional malware they install are completely removed.
    "Once you're infected, the best advice is to [reinstall] Windows and start over," said Stewart.


    Webroot's Marco Giuliani; link
    'Removing Popureb Doesn’t Require a Windows Reinstall' but he also writes;
    "What is really a nightmare is that the Trojan looks like it has bugs and sometimes it hangs the system during the reboot stage. This could become a problem that would require you to perform a full system reinstall."

    And Microsoft again;
"Microsoft recommends that customers whose systems are infected with Trojan:Win32/Popureb.E, contact Microsoft PCSafety, who can help them identify and remove malware from their systems," said Jerry Bryant, general manager with Microsoft's Trustworthy Computing group, in an e-mailed statement. "While using the recovery console to address Master Boot Record (MBR) issues is not designed to affect personal files, we continue to recommend customers practice reasonable back-up processes."

    My vote would go to; full format and restore your image..:p
     
  4. erikloman

    erikloman Developer

    1. The MBR is just 512 bytes (Sector 0).

    2. A rootkit (like Popureb, Mebroot/Sinowall or TDL4) installs a hook on the hard disk driver to protect those 512 bytes, while in Windows.

    3. Most bootkits store the original MBR somewhere else on disk.

    Hitman Pro works its way around the rootkit's hook to read and write/restore the 512 bytes of the MBR.

Reinstall, recovery console or custom boot CDs are IMO almost never necessary to get rid of these modern bootkits. It's a matter of the right trick/tool. Most AVs lack these tricks (skills) so that computer users have to resort to special tools that can only be used by experts. I can't ask my mother-in-law to run aswMBR, recovery console or boot CD. But she knows her desktop and can start Hitman Pro and click on Next a few times.
     
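The integrity check behind points 1 to 3 above, as an added example that is not Hitman Pro's code: parse the 512-byte sector 0 (bootstrap code, four 16-byte partition entries, 0x55AA signature) and diff it against a known-good copy, so a bootkit that swaps the bootstrap code but keeps the partition table reads as exactly that. The sample sectors are constructed inline; reading the real sector 0 from the raw device (and getting past a driver hook) is assumed to be done elsewhere.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # bootstrap code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into a hash of the bootstrap code, the four partition entries and a signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # 16-byte entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Describe how `current` differs from a known-good `baseline` copy of the same disk's MBR."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if base["code_sha256"] != cur["code_sha256"]:
        findings.append("bootstrap code (bytes 0-445) changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def build_mbr(code: bytes, entries: list) -> bytes:
    """Constructed-sample builder: pad `code` to 446 bytes, append up to 4 (status, type, lba, count) entries."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return code.ljust(PART_TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE


# Constructed samples: one bootable NTFS-type (0x07) partition starting at LBA 2048.
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0", [(0x80, 0x07, 2048, 1_000_000)])
# Bootkit-style change: bootstrap code replaced, partition table left intact.
TAMPERED_MBR = build_mbr(b"\xeb\xfe", [(0x80, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print(compare_mbr(CLEAN_MBR, CLEAN_MBR))     # []
    print(compare_mbr(CLEAN_MBR, TAMPERED_MBR))  # ['bootstrap code (bytes 0-445) changed']
```

The baseline copy is what makes the comparison meaningful: a hash of sector 0 taken while the disk is known clean is the cheapest record to keep.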
  5. Baserk

    Baserk Registered Member

    Hi Erik,

    I don't doubt HitmanPro's capacity but what do you think about Marco Giuliani's remark (link);
    "What is really a nightmare is that the Trojan looks like it has bugs and sometimes it hangs the system during the reboot stage. This could become a problem that would require you to perform a full system reinstall."

    Seems only to be an issue while the trojan is installed (that's what I gather from it) so no worries after removal of Popureb/fixing the MBR?
    Have you guys perhaps noticed any bugs/hangs during testing?
     
  6. erikloman

    erikloman Developer

If you can't get into Windows due to flaws in the rootkit then you have no other choice. But that's why I said: are IMO almost never necessary ;)

    Of course we have tested it (see also our video) and these were our findings:
• Popureb does not run properly on Windows XP with SP3 installed (maybe other service packs don't work either).
• Popureb does not run on systems with non-atapi hard disk driver;
  See also Marco's article which is (as always) an excellent run down of the facts. I wish I had his amount of time to spend on a piece of malware.
• Popureb does not appear to run on Windows Vista or Windows 7.
• Popureb does not run on x64.
Popureb has several things hard coded and that is why it's only running on XP with atapi.sys as miniport driver. So if you have XP with SP3 and you get infected then you have to resort to special tooling. But, when you can't boot into Windows anymore, I doubt many would think it was caused by a recent Popureb infection. I mean, it's not like Windows says: "the MBR is infected and it's hooking my atapi.sys, please clean MBR". So what people have to do in order to regain control over their Windows is guesswork AT BEST.

    From a technical point of view, the rootkit is totally NOT INTERESTING AT ALL (well maybe for laughs, as Marco stated in his article). Mebroot and TDL3/4 are MUCH more sophisticated. But the mere fact that Microsoft did state that you have to reinstall after infection drew everybody's attention and we decided to jump on it and so did Symantec and Webroot.

    To conclude, some people started to mention TDL4 with Popureb. These are WORLDS apart and are NOT RELATED at all. Even the Computerworld article mentions to use the Norton Boot CD (shameless advertisement) to get rid of TDL4. Hitman Pro is able to clean TDL3/4 infections from within Windows since 2009 (build 79), without a boot CD :D.
     
    Last edited: Jul 2, 2011
  7. jmonge

    jmonge Registered Member

That is why I love Hitman Pro a lot and it is my favorite application at this very moment :thumb: :thumb: keep up the good work
     
  8. Noob

    Noob Registered Member

Nice addition HMP, they always release fixes for the most prevalent malware :thumb:
     
  9. Gobbler

    Gobbler Registered Member

This is a bug perhaps, the problem is nowadays (from the latest version onwards) HMP's free license becomes activated just by installing HMP. The snapshot below is just a few minutes old, taken after a fresh install.
     

Attached file: HMP2.PNG
  10. Sadeghi85

    Sadeghi85 Registered Member

    Same thing happened to me about two weeks ago but I forgot to report it at that time.
     
  11. rottenbanana

    rottenbanana Registered Member

I didn't even think to look at the license tab until I saw these posts, it seems mine was activated around June 21st and has 15 days remaining. o_O o_O I have had it installed for months, so I suppose the license activated on its own after an update?
     
  12. Blues7

    Blues7 Registered Member

    Well, that's not good...I just checked mine and it shows I have 11 days left, expiring on the 17th.

    My wife's says exactly the same.

    Neither of us has ever activated nor needed to use the license (thankfully).

    o_O o_O o_O
     
  13. subhrobhandari

    subhrobhandari Registered Member

    Same here, it activated on 17th June though I did not do that.
     
  14. Blues7

    Blues7 Registered Member

    I hope that Erik will provide a means to reset the program to correct this issue that apparently is pretty widespread.

    (I certainly don't mind paying for a service and have often done so but it would still be nice to be able to avail ourselves of the free 30 day "trial" if and when it should ever become necessary.)
     
  15. Ariadne22

    Ariadne22 Registered Member

    New member, here. Not a techie, so bear with me.

    Have 32 bit XP, SP3, atapi in sys, although not with .exe that I can see. Laptop is 2006 Dell Inspiron 1505E, 2 mb RAM 1.87 ghz. Use it mainly for internet and email. Have HMP since 8/2010, automatically updated a week or so ago to Build 125. Love it. That last build finally got rid of a stray Trojan in 32 sys that would continually turn up in every HMP scan as ativtmxxc.dll and show as a 'fail' whenever I would reboot. Finally, gone w/Build 125.

    Proshield malware, I discover today, is what prevented me from running HMP Build 125 scan last night. Kept stalling at 51%. Contact at Surfright last night said to install HMP Beta 126. Downloaded that. It, too, would not do a complete scan. Stalled midway. Culprit driver (one of them ) detvrjar. Gave up until today.

    Today deleted last night's downloaded HMP files from IDM file list. Did not search for other stray files. Icon never appeared on my desktop for that, nor did it override my existing HMP Build 125.

    System rebooted slowly today. Tried to do a System Restore but it would NOT complete at any restore point.

    Proshield Malware popups immediately began. Tried to run HMP Build 125 again, Proshield deleted the HMP icon and desktop background.

    Accessed Internet through Firefox and IE. Couldn't download Kaspersky at all. Downloaded Avast but never got an actual interface, although it did scan for an hour and wouldn't complete.

    Then called Avast. Tech via remote spent two hours deleting junk and old Trend Micro files. Rebooted - lost internet - which has happened before when I tried to uninstall/delete Trend.

    Tech called and walked me through reboot in safe mode. I could not do this again on my own. We did system restore to June 27 - very slow - took about an hour. (My problems w/beeping, sticking keys, etc. began last few days - earlier in week it was fine).

    Then ran HMP Build 125 after the restore with NO problems. Right now things are quiet, but I'm afraid to turn off computer.

    Questions:

    1. Should I download BETA 126 for 32 bit?
    2. Will it replace Build 125, or will I have two programs on my machine? Last night's download did not create another icon. I had to run it off IDM download file list.
    3. When can I safely disable and re-enable System Restore? I am afraid to do this in the event I have more problems rebooting tomorrow. Right now I have restore points going back almost every day for two months.
    4. Recommendations on a good internet security program that runs in real time in addition to HMP and/or Avast. Like HMP a lot - has saved me a couple of times over past year - don't want to give that up.
    Trend has been inactive for almost a year. Told local computer place to get rid of files a year ago when I lost internet, but they didn't, just did a system restore to get me up and running. Not running any Internet Security program at all. Been relying on HMP and No Script. Got caught yesterday.

    Still operating at 47% free space which has dropped 4 points in last three days. I knew problems were afoot when that began.

    Many thanks for any help. Apologies for the long post. This stuff scares me.
     
  16. JimboW

    JimboW Registered Member

    Same problem as others. Expires on the 21st. 14 days left. o_O
     
  17. J_L

    J_L Registered Member

    @Ariadne22: Run AV Rescue CDs like Avira and Kaspersky. Then tools like HMP.
     
  18. atomomega

    atomomega Registered Member

    Exactly the same problem here! :doubt:
    HMP trial issue.jpg
     
  19. the mul

    the mul Registered Member

I can also report the same problem in beta build 126, I only have 10 days left and I have never activated my trial either, just in case I may need it in the future. :(
     
  20. darthsideous666

    darthsideous666 Registered Member

Forgive me if this sounds like a stupid question, but since I do not see a response to this license issue from Erik or a solution, has anyone directly sent Erik a PM or contacted support about the problem o_O?
     
  21. Sir Percy

    Sir Percy Registered Member

    Maybe just a new trial license policy?

    TBH it would not be strange if the trial starts when installed, kind of strange this was not the case previously. :)
     
  22. rottenbanana

    rottenbanana Registered Member

I'm not sure of what use Hitman Pro would be to me if the trial started upon installation, considering I haven't had an infection for years, let alone during the past 30 days. :) Limiting it to purely scanning with no chance of clean-up would make it just like an unlicensed version of Prevx: you can scan for free but upon detection, you're on your own unless you have a credit card at hand. At least with a "trial-of-removal" you get to see what the software is actually capable of. I've always thought if it one day cleans out a nasty piece of malware for me, I'll buy a license just to say thanks. After all, pretty much everything I've seen and read about it has been positive to say the least.

In any case, if it's about changed policies, I would certainly like to have been notified of such an important change when the program updated itself. I also don't see any mention of licensing changes in the changelog, so I'll assume it's an error.
     
  23. Gobbler

    Gobbler Registered Member

I don't think they have reset their trial policy, it has to be a bug issue 'cause the screenshot which I posted on the subject previously is taken just after a fresh install, which shows that I have 28 days left of my free license. If they had introduced a start-of-trial-on-installation policy then it should have been 30 days and not 28. Anyways, Erik is taking unusually long to post on this matter. :mad:
     
  24. Sir Percy

    Sir Percy Registered Member

It would be like any other trial product: you install it and get 30 days after installation with detection and removal capabilities, and after those 30 days only scanning/detection unless you pay, just like with most vendors trying to stay afloat earning an honest buck.

    Anyway Gobbler is probably right, just strange they haven't posted they are usually very quick to respond here. :)
     
  25. rottenbanana

    rottenbanana Registered Member

True, which is why I'm quite happy Hitman Pro isn't like any other trial product. I appreciate its "ace up the sleeve" nature much more than a trivial 30-day period of full-time usage, during which I am extremely unlikely to actually witness what the product is able to do for my security. :) Especially considering we're talking about an on-demand scanner; personally, trials carry a lot more weight for resident protection applications where possible web filtering modules, RAM usage etc. are taken into account when trialing for a suitable product.

That said, I'm sure we will get our (yet unused) chances for the HMP trial back.
     