Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    relax....it's just the behavior scanner of Hitman Pro...the next time it flags something like this just click Next and it'll upload the files to the cloud where they will be scanned by multiple AVs including G Data, Dr.Web, Emsisoft, etc. (although Dr.Web gives the most false positives in my case :argh: ) and then Hitman will show you the result of the scanning, whether the files are clean or not...then you're given the option to activate your free license to remove them if malicious if you use Hitman Pro free....
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    He's not using Early Warning Score; recent versions display the text Early Warning Score above the scan window, plus the EWS shields are blue, not yellow ;)

    @Mats
    I did a search and the first DLL seems to belong to ScreenCapture Control from Tencent Inc. and the other to Foxmail from the same company, so if you've installed that software it seems all right. You can upload the files to virustotal.com to have them scanned by 40+ scanners for some peace of mind.
     
  3. Mats

    Mats Registered Member

    Joined:
    Jun 4, 2009
    Posts:
    18
    Oh, it's in the Next drop down menu. I never opened that, I've just clicked Next. Thanks atomomega.

    Your search skills are better than mine, I searched those two .dlls too but didn't come up with Foxmail. And yes I did install Foxmail to trial it last Spring before I settled on Thunderbird. Funny why it took Hitman Pro 9 months to flag those two files.

    And I already had sent those two to Virus Total - they came up clean.

    So, one final question from a noob...

    My Hitman Pro is not yet activated. If I were to tell Hitman Pro to Delete those two files, does that start my 30 day window?
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Is it possible for me to have a remote look why these files are flagged as suspicious? I will send you a PM.

    Yes your trial will start, but you will get a window stating whether you want to start the trial.
     
  5. Mats

    Mats Registered Member

    Joined:
    Jun 4, 2009
    Posts:
    18
    I just had Erik remotely look at and scan my computer to investigate those files. It was determined that they were false positives.

    SurfRight's customer support is very impressive. I can't picture many software companies going to those lengths and giving their customers that kind of personal service. Particularly a customer who has never given them a dime. Wow.

    SurfRight and Hitman Pro Rock!
     
  6. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    That is not how it works for me. Since 131, I always get one file being flagged as suspicious. Hitting next doesn't load anything to the cloud. In my case it is a false positive.

    C:\Toolbx\StatBar.exe
    SHA1=e5831a98d2a730afb8ae6131456ebc81f029e7bb
    SHA256=a8e6a5a6597c714e43cc826fb1596336f0051bdc7bf7b98e46633d4ca96f74a4

    VirusTotal: 0/42

    Al
     

    Last edited: Nov 28, 2011
  7. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762

    Last edited: Nov 28, 2011
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Hi Adric. It is an FP. I have solved it in the cloud. Thanks!

    Erik
     
  9. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    Hi Erik, thanks for taking care of wirelesskeyview. I'm still wondering about statbar.exe from my other post. This file was never flagged in previous versions of HMP. I know it's only flagged as suspicious and gets ignored, but I would rather not see it flagged at all ;) As a last resort, I could use the "Report that this file is safe" drop-down, but I want to avoid doing that if the file is accepted as a false positive.

    Al
     
    Last edited: Nov 28, 2011
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    Last edited: Nov 28, 2011
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
  12. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    Here we go...;)

    ........edwido.exe > 57418033b47c8a2c7a9b14683e422a689094e02ac0706

    SecuritySuite.exe > bf59b41e3ab132423e0ceb2d4cf6f41d8e686925dc777f4

    .......uninstall.exe > c9d595b160306998799c8287e07d539b26c232d899e7fc
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    All three hashes are not SHA-256 hashes (they should be 64 hex characters in length; 64 hex characters = 32 bytes = 256 bits).

    I personally use HashTab to calculate hashes:
    http://implbits.com/HashTab/HashTabWindows.aspx
     
  14. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    Sorry, I downloaded HashCalc and I am sure I used it correctly to calculate the right hashes.

    Anyhow, I just installed HashTab, but I don't see an exe file in my 'Program Folder'

    I just see the following. I thought I should be seeing something in the context menu. Any clues in getting it to work, please?

    ScreenShot_HashTab_HMP_01.jpg
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Go to the Ewido files and right-click and choose properties from the context menu, and choose the File Hashes tab (just like your screenshot).

    Then right-click on the SHA-256 and choose Copy.

    Paste the value in the Post.
     
  16. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    Thanks, Erik

    I got it right, this time, hopefully.


    ........edwidoctrl.exe > 57418033B47C8A2C7A9B14683E422A689094E02AC0706D06B9BD898BCC9559C9

    ....SecuritySuite.exe > BF59B41E3AB132423E0CEB2D4CF6F41D8E686925DC777F4269F8847FB14DF69D

    ...........uninstall.exe > C9D595B160306998799C8287E07D539B26C232D899E7FC74853A35F35BE234B2
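
The length check Erik describes and the hash-copy steps above, as an added example that is not part of the original thread or of HitmanPro: it classifies a pasted hex digest by length, recognises the first attempt as a truncated prefix of the second, and hashes a file in chunks for comparison. The function names are assumptions made for this example; the digest values are the ones quoted in the posts.

```python
import hashlib
import string

# Hex digest lengths (bits / 4) for the algorithms hash tools commonly report.
DIGEST_HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-512": 128}

# Values copied from the posts above.
FIRST_ATTEMPT = "57418033b47c8a2c7a9b14683e422a689094e02ac0706"
SECOND_ATTEMPT = "57418033B47C8A2C7A9B14683E422A689094E02AC0706D06B9BD898BCC9559C9"
STATBAR_SHA1 = "e5831a98d2a730afb8ae6131456ebc81f029e7bb"


def classify_digest(text):
    """Return (algorithm, note); algorithm is None when the value is unusable."""
    value = text.strip()
    if not value or any(c not in string.hexdigits for c in value):
        return None, "not a hex string"
    for name, length in DIGEST_HEX_LEN.items():
        if len(value) == length:
            return name, "length ok"
    return None, "%d hex chars fits no digest length, likely truncated" % len(value)


def is_truncation_of(short, full):
    """True when `short` is a proper, case-insensitive prefix of `full`."""
    s, f = short.strip().lower(), full.strip().lower()
    return len(s) < len(f) and f.startswith(s)


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_matches(path, reported):
    """Compare a file on disk with a reported SHA-256, refusing malformed input."""
    algo, note = classify_digest(reported)
    if algo != "SHA-256":
        raise ValueError("reported value is not a SHA-256 digest: " + note)
    return sha256_file(path) == reported.strip().lower()


if __name__ == "__main__":
    for label, value in [("first attempt", FIRST_ATTEMPT),
                         ("second attempt", SECOND_ATTEMPT),
                         ("StatBar SHA1", STATBAR_SHA1)]:
        print(label, classify_digest(value))
    print("truncated prefix:", is_truncation_of(FIRST_ATTEMPT, SECOND_ATTEMPT))
```
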
     
  17. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Is there a way to install the beta? It doesn't ask if I want to leave a copy on my computer. It did when I installed it on my Dad's computer, but not on any other one.

    Also, are there any plans for a future version having real-time protection, and maybe free on-demand removal?
     
  18. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Also curious about this.
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes, you can run HitmanPro 3.6 as non-beta, but you will lose your HitmanPro 3.5 install.

    If you rename HitmanPro36beta.exe to HitmanPro36.exe (remove the word beta) then it will upgrade your 3.5 install to 3.6.

    Please let us know how Beta 1 works when running as non-beta.

    Erik
     
  20. MaineMatt

    MaineMatt Registered Member

    Joined:
    Nov 30, 2011
    Posts:
    1
    Location:
    United States
    Sorry if this is a repeat, but search didn't turn anything up...

    Is there a way for hitman pro to scan a drive other than the boot drive? I've got a TDSS variant rootkit infection on a friend's PC that I'm trying to clear up for him, and I've got his drive slaved into my PC, but I can't get Hitman Pro to scan anything other than my C: drive.

    His computer is an older XP Pro machine that he bought as surplus from his employer, so no free trial is available on his machine (it's still a member of a domain). I'm just doing this as a favor to him, so I'm trying to get by without spending any money..
     
  21. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    Just tried the x64 version, upgrade was fine. Running ok so far.
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro is meant to run ON the infected machine. This is because HitmanPro needs to behavioral scan the system and see what is running in-memory and what is automatically starting. So hooking up a drive from a different system is not going to find much.

    HitmanPro 4 will likely support your configuration though.

    Hope this helps.

    Erik
     
  23. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    If you can't install Hitman Pro in it you can try this:

    http://security.symantec.com/nbrt/npe.aspx?lcid=1034

    It will ask you for internet connection and a reboot in order to detect rootkits.
     
  24. dazed1

    dazed1 Registered Member

    Joined:
    Mar 2, 2011
    Posts:
    161
    HMP is great indeed, I love it! But one thing I hate about it: when you find some suspicious file or malware, it does not have an option to go directly to the file, and you must go and manually search through folders, and sometimes the file is located in many subfolders, so you have to open like 10 of them and search carefully, which is a pain and boring really. :'(

    It would be awesome if you added an option for us so we can select the file and jump directly to the folders which are marked by Hitman Pro. MBAM has this option, and I bet it's quite easy for you to make it as well, thanks in advance :thumb:
     
  25. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    This morning I had a FP with a .sys from Trusteer Rapport that HMP identified as a rootkit (the first FP in a year and a half, BTW). I selected 'report as false positive' from the detection results. Is this enough?
     