Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Wow . . . this was hard to understand. :D
     
  2. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Sounds like one of those situations where it's easier to reinstall Windows.
     
  3. mikeataol

    mikeataol Registered Member

    Joined:
    Jun 30, 2013
    Posts:
    2
    Location:
    USA
    @noob
    "Wow . . . this was hard to understand. "

Hmm, don't know why. I'll gladly respond.

My point was that the virus created bad symlinks, which is known, and that the updated HitmanPro is in theory now adapted for that.
In my case, it did not see the bad symlinks.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Easiest is to restore a disk image. Which is why I'm perfectly happy with the free version (for scanning myself and cleaning others).
     
  5. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    C:\Users\Henning\Documents\Medizin\Physiologie\Speckmann '05\Examensfragen\GK1neu\Mediscript.exe
    Size . . . . . . . : 1.824.750 bytes
    Age . . . . . . . : 455.9 days (2012-04-09 15:03:38)
    Entropy . . . . . : 8.0
    SHA-256 . . . . . : F580B688748ED5757BEBF371230751302B3C8912BFEC3ED88C458B7A12B808DF
    Product . . . . . : Mediscript
    Publisher . . . . : EasyBrowse® EP-Service GmbH, Schwerin (Germany)
    Description
    Version . . . . . : 1.2.0.147
    Copyright
    > Ikarus . . . . . . : Trojan.Win32.SuspectCRC!IK
    Fuzzy . . . . . . : 113.0
     
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Solved. Thanks :thumb:
     
  7. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Even if you get everything working again and you're "free" of an infection that hit as hard as yours did...? Are you sure you should go back to "business as usual"? After an infection that bad, I think you'd better back up important files and then do a clean install of Windows again. 100% functional and 99,5% free of infection.
     
  8. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    C:\Users\pe130296\Documents\!!!Privat\temp\JabberToOC.exe
    Size . . . . . . . : 36.864 bytes
    Age . . . . . . . : 75.8 days (2013-04-24 22:24:43)
    Entropy . . . . . : 3.9
    SHA-256 . . . . . : 8D3055604AC503023D50199086AEDCAE0509D5E0BB0B657FF2AD8554B7569746
    Product . . . . . : JabberToOC
    Publisher . . . . : Hewlett-Packard Company
    Description . . . : JabberToOC
    Version . . . . . : 1.0.0.0
    Copyright . . . . : Copyright © Hewlett-Packard Company 2008
    > Ikarus . . . . . . : Trojan-Spy.MSIL!IK
    Fuzzy . . . . . . : 100.0
     
  9. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\bin\client.dll
    Size . . . . . . . : 3.408.640 bytes
    Age . . . . . . . : 2.2 days (2013-07-07 13:29:21)
    Entropy . . . . . : 8.0
    SHA-256 . . . . . : 927D3EB117751281F69AEE31003D0B49F44061CF9D0061E0986E97DDA83B40A0
    Product . . . . . : Garry's Mod
    Copyright . . . . : Facepunch Studios Ltd 2012
    RSA Key Size . . . : 2048
    Authenticode . . . : Valid
    > G Data . . . . . . : Gen:Trojan.Heur.GM.0000436190
    Fuzzy . . . . . . : 99.0
    Forensic Cluster
    -0.7s C:\Program Files (x86)\Steam\depotcache\4001_2630004081422662025.manifest
    -0.7s C:\Program Files (x86)\Steam\depotcache\4002_8994349685710801403.manifest
    -0.0s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\bin\FileSystem_Stdio.dll
    0.0s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\bin\client.dll
    0.0s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\bin\lua_shared.dll
    0.0s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\bin\MenuSystem.dll
    0.0s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\bin\resources.dll
    0.0s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\bin\server.dll
    0.2s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\gamemodes\sandbox\gamemode\editor_player.lua
    0.2s C:\Program Files (x86)\Steam\appcache\httpcache\cf\cf48f39c7e6bcc13668c1a1eedbc60fae37ff55a_da39a3ee5e6b4b0d3255bfef95601890afd80709
    0.2s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\gamemodes\sandbox\gamemode\cl_search_models.lua
    0.3s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\garrysmod.ver
    0.4s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\html\js\menu\control.Menu.js
    0.4s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\html\css\menu\PageOptions.css
    0.5s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\gamemodes\sandbox\gamemode\spawnmenu\creationmenu\content\contentsearch.lua
    C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\bin\MenuSystem.dll
    Size . . . . . . . : 1.658.112 bytes
    Age . . . . . . . : 2.2 days (2013-07-07 13:29:21)
    Entropy . . . . . : 7.9
    SHA-256 . . . . . : 479D25D5E4D6DCBDCCC306404257711107F39D07270391FDD426CB9EE5A0858F
    Product . . . . . : Garry's Mod
    Copyright . . . . : Facepunch Studios Ltd 2012
    RSA Key Size . . . : 2048
    Authenticode . . . : Valid
    > G Data . . . . . . : Gen:Trojan.Heur.LP.LH9aa4U0Fhii
    Fuzzy . . . . . . : 99.0
    Forensic Cluster
    -0.8s C:\Program Files (x86)\Steam\depotcache\4001_2630004081422662025.manifest
    -0.7s C:\Program Files (x86)\Steam\depotcache\4002_8994349685710801403.manifest
    -0.0s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\bin\FileSystem_Stdio.dll
    -0.0s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\bin\client.dll
    -0.0s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\bin\lua_shared.dll
    0.0s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\bin\MenuSystem.dll
    0.0s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\bin\resources.dll
    0.0s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\bin\server.dll
    0.2s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\gamemodes\sandbox\gamemode\editor_player.lua
    0.2s C:\Program Files (x86)\Steam\appcache\httpcache\cf\cf48f39c7e6bcc13668c1a1eedbc60fae37ff55a_da39a3ee5e6b4b0d3255bfef95601890afd80709
    0.2s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\gamemodes\sandbox\gamemode\cl_search_models.lua
    0.3s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\garrysmod.ver
    0.4s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\html\js\menu\control.Menu.js
    0.4s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\html\css\menu\PageOptions.css
    0.5s C:\Program Files (x86)\Steam\SteamApps\exolord31531\garrysmod\garrysmod\gamemodes\sandbox\gamemode\spawnmenu\creationmenu\content\contentsearch.lua
    C:\Users\nutzer\Downloads\Minecraft Downgrader 1.6.exe
    Size . . . . . . . : 21.930.496 bytes
    Age . . . . . . . : 592.8 days (2011-11-24 22:02:22)
    Entropy . . . . . : 8.0
    SHA-256 . . . . . : F37D2334311ECCB6DDD25C5C26C0C5E37F27E98A7E5C82FC84B76962587E98FC
    Product . . . . . : Minecraft Update Controller
    Description . . . : Minecraft Update Controller
    Version . . . . . : 1.0.0.0
    Copyright . . . . : Copyright © Vaquxine 2011
    > Ikarus . . . . . . : Trojan-Spy.MSIL!IK
    Fuzzy . . . . . . : 104.0
     
  10. Setcho

    Setcho Registered Member

    Joined:
    Sep 1, 2010
    Posts:
    51
    Location:
    UK
    I installed Windows 8.1 a week ago and a scan flagged the following three files as malware:

    C:\WINDOWS\SysWOW64\netprofm.dll
    C:\WINDOWS\SysWOW64\themeui.dll
    C:\WINDOWS\SysWOW64\wmdrmsdk.dll

    I did some searches and found a couple of things saying that these are false positives
    http://www.eightforums.com/system-security/27335-false-positive-windows-8-1-preview.html
    http://forum.bitdefender.com/index.php?showtopic=46283

    I was just after some assurance that these are FPs. Note that the second link is to the Bitdefender forum, and they show VirusTotal links where the files are flagged by 5 vendors as malware. However, a VirusTotal scan today only shows them flagged by 1 vendor, which is TrendMicro-HouseCall.
     
  11. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    Best would be the scan log, so we can also see the checksum; I think it's easier to remove an FP.
     
  12. Setcho

    Setcho Registered Member

    Joined:
    Sep 1, 2010
    Posts:
    51
    Location:
    UK
    As requested,

    Code:
    Malware _____________________________________________________________________
    
       C:\WINDOWS\SysWOW64\netprofm.dll
          Size . . . . . . . : 183,808 bytes
          Age  . . . . . . . : 7.5 days (2013-07-02 20:14:47)
          Entropy  . . . . . : 6.5
          SHA-256  . . . . . : 5F36DFDBE62A7C01EBA706F72DE0B79FAB911D170A32876EAB91682A1D549576
          Product  . . . . . : Microsoft® Windows® Operating System
          Publisher  . . . . : Microsoft Corporation
          Description  . . . : Network List Manager
          Version  . . . . . : 6.3.9431.0
          Copyright  . . . . : © Microsoft Corporation. All rights reserved.
        > G Data . . . . . . : Gen:Variant.Graftor.2609
          Fuzzy  . . . . . . : 103.0
    
       C:\WINDOWS\SysWOW64\themeui.dll
          Size . . . . . . . : 2,810,368 bytes
          Age  . . . . . . . : 7.5 days (2013-07-02 20:15:19)
          Entropy  . . . . . : 4.3
          SHA-256  . . . . . : 7CB451171E1B6DB2CFFC27B31E340D21DABD85EE42F315DAE2C0229BBFB4CC80
          Product  . . . . . : Microsoft® Windows® Operating System
          Publisher  . . . . : Microsoft Corporation
          Description  . . . : Windows Theme API
          Version  . . . . . : 6.3.9431.0
          Copyright  . . . . : © Microsoft Corporation. All rights reserved.
        > G Data . . . . . . : Gen:Variant.Graftor.3672
          Fuzzy  . . . . . . : 103.0
    
       C:\WINDOWS\SysWOW64\wmdrmsdk.dll
          Size . . . . . . . : 468,480 bytes
          Age  . . . . . . . : 7.5 days (2013-07-02 20:15:41)
          Entropy  . . . . . : 6.9
          SHA-256  . . . . . : BFFEABDDEC122390075D48E88A185D7F420B52DBF540C69B8DE940C29090BA42
          Product  . . . . . : Microsoft® DRM
          Publisher  . . . . : Microsoft Corporation
          Description  . . . : Windows Media DRM SDK DLL
          Version  . . . . . : 11.0.9431.0
          Copyright  . . . . : © Microsoft Corporation. All rights reserved.
        > G Data . . . . . . : Gen:Trojan.Heur2.LP.Cu8@aGFr4Iii
          Fuzzy  . . . . . . : 103.0
    thanks
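Added example (not code from this thread or from HitmanPro): a small Python parser for the scan-log layout posted above that pulls each file's SHA-256 and cloud-engine detections, marks entries whose only detections are generic heuristic names on a publisher-trusted or Authenticode-signed file as candidates for FP review, and checks that a file on disk matches the logged checksum before it is submitted. The sample log, its second entry and the placeholder hash are constructed; the "candidate FP" rule is my own triage heuristic, not HitmanPro's logic.

```python
"""Parse HitmanPro scan-log entries and triage them for false-positive review."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample in the scan-log layout used in this thread: the first entry
# mirrors the netprofm.dll report posted above, the second is made up (placeholder
# hash) to show a named detection on an unsigned file.
SAMPLE_LOG = r"""
Malware _____________________________________________________________________

   C:\WINDOWS\SysWOW64\netprofm.dll
      Size . . . . . . . : 183,808 bytes
      Entropy  . . . . . : 6.5
      SHA-256  . . . . . : 5F36DFDBE62A7C01EBA706F72DE0B79FAB911D170A32876EAB91682A1D549576
      Publisher  . . . . : Microsoft Corporation
    > G Data . . . . . . : Gen:Variant.Graftor.2609
      Fuzzy  . . . . . . : 103.0

   C:\Users\example\Downloads\tool.exe
      SHA-256  . . . . . : 0000000000000000000000000000000000000000000000000000000000000000
    > Ikarus . . . . . . : Trojan-Spy.MSIL!IK
"""

# An entry starts with a drive path at shallow indent; "Name . . . : value" lines
# are its fields, and a leading ">" marks a detection by the named cloud engine.
PATH_RE = re.compile(r"^ {0,4}([A-Za-z]:\\\S.*?)\s*$")
FIELD_RE = re.compile(r"^\s*(>?)\s*([^.:]+?)\s*(?:\.\s*)+:\s*(.*?)\s*$")
GENERIC_RE = re.compile(r"^Gen:|\.Heur", re.IGNORECASE)


@dataclass
class Entry:
    path: str
    fields: dict = field(default_factory=dict)      # e.g. {"SHA-256": "5F36..."}
    detections: list = field(default_factory=list)  # [(engine, detection name)]


def parse_log(text):
    """Return the file entries found in a HitmanPro scan log, in order."""
    entries, current = [], None
    for line in text.splitlines():
        if m := PATH_RE.match(line):
            current = Entry(m.group(1))
            entries.append(current)
        elif (m := FIELD_RE.match(line)) and current is not None:
            flagged, name, value = m.groups()
            if flagged:
                current.detections.append((name, value))
            else:
                current.fields[name] = value
    return entries


def triage(entry):
    """Reviewer aid, not a verdict: 'candidate FP' when every detection is a
    generic/heuristic name (Gen:..., ...Heur...) and the log carries a trust signal
    (valid Authenticode, or Microsoft as publisher; the publisher string alone is
    not cryptographic proof and still needs a signature check)."""
    if not entry.detections:
        return "no detection"
    all_generic = all(GENERIC_RE.search(name) for _, name in entry.detections)
    trusted = (entry.fields.get("Authenticode") == "Valid"
               or entry.fields.get("Publisher") == "Microsoft Corporation")
    if all_generic and trusted:
        return "candidate FP"
    return "generic detection, unsigned" if all_generic else "named detection"


def sha256_of_file(path):
    """SHA-256 of a file on disk, upper-case hex as HitmanPro prints it."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest().upper()


def matches_log(entry, path):
    """True when the file on disk is the object the log reported on."""
    return sha256_of_file(path) == entry.fields.get("SHA-256", "").upper()
```

Run `triage` over `parse_log(open("scanlog.txt").read())` and confirm each candidate with `matches_log` before sending the checksum to the vendor.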
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Resolved. Thanks! :thumb:
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Resolved. Thanks :thumb:
     
  15. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,731
    Location:
    Germany
    Hi Eric

    I have 6 files for you to whitelist, please.
     
  16. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,731
    Location:
    Germany
    Hi Eric

    And here is the scan log for my 6 files

    Code:
    HitmanPro 3.7.6.201
    www.hitmanpro.com
    
       Computer name . . . . : ALEXANDERROB-PC
       Windows . . . . . . . : 6.0.2.6002.X86/2
       User name . . . . . . : AlexanderRob-PC\Alexander Robrecht
       UAC . . . . . . . . . : Enabled
       License . . . . . . . : Free
    
       Scan date . . . . . . : 2013-07-10 08:50:50
       Scan mode . . . . . . : EWS
       Scan duration . . . . : 10m 13s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 0
       Traces  . . . . . . . : 231
    
       Objects scanned . . . : 4.111.526
       Files scanned . . . . : 75.612
       Remnants scanned  . . : 2.699.042 files / 1.336.872 keys
    
    Suspicious files ____________________________________________________________
    
       C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0047\opr0425U.tmp
          Size . . . . . . . : 3.758.084 bytes
          Age  . . . . . . . : 0.9 days (2013-07-09 12:08:54)
          Entropy  . . . . . : 8.0
          SHA-256  . . . . . : C7F88CE11B8E42775023D7F11ED37FDF86796A151C1381A43638DF0C28E01D9C
          Fuzzy  . . . . . . : 22.0
             Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
             The file name extension of this program is not common.
             Authors name is missing in version info. This is not common to most programs.
             Version control is missing. This file is probably created by an individual. This is not typical for most programs.
             Time indicates that the file appeared recently on this computer.
             Program contains PE structure anomalies. This is not typical for most programs.
          Forensic Cluster
             -9.6s C:\$Recycle.Bin\S-1-5-21-911542882-2029379874-2294310465-1000\$RSH2VOI.exe
              0.0s C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0047\opr0425U.tmp
              2.7s C:\$Recycle.Bin\S-1-5-21-911542882-2029379874-2294310465-1000\$RPWV8TN.exe
    
    
    Early Warning Scoring _______________________________________________________
    
       C:\Windows\system32\FntCache.dll
          Size . . . . . . . : 798.208 bytes
          Age  . . . . . . . : 0.5 days (2013-07-09 20:19:11)
          Entropy  . . . . . : 6.3
          SHA-256  . . . . . : 82A2C47AD4262E85AE9E8DAC22F4E4D31115E649DA28BFA5B7C64CD9BD3F7D39
          Product  . . . . . : Microsoft® Windows® Operating System
          Publisher  . . . . : Microsoft Corporation
          Description  . . . : Windows Font Cache Service
          Version  . . . . . : 7.0.6002.23097
          Copyright  . . . . : © Microsoft Corporation. All rights reserved.
          Service  . . . . . : FontCache
          Fuzzy  . . . . . . : 11.0
             Starts automatically as a service during system bootup.
             Program starts automatically without user intervention.
             Time indicates that the file appeared recently on this computer.
             The file is in use by one or more active processes.
             The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
             The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
          Startup
             HKLM\SYSTEM\CurrentControlSet\Services\FontCache\
    
       C:\Windows\system32\ie4uinit.exe
          Size . . . . . . . : 174.080 bytes
          Age  . . . . . . . : 0.5 days (2013-07-09 20:18:55)
          Entropy  . . . . . : 7.3
          SHA-256  . . . . . : A4F82DD0FB5BCF570F62B7A073C4E4EACCA6677175C69F949FCD8A04E0D285E5
          Product  . . . . . : Windows® Internet Explorer
          Publisher  . . . . : Microsoft Corporation
          Description  . . . : IE Per-User Initialization Utility
          Version  . . . . . : 8.00.6001.19443
          Copyright  . . . . : © Microsoft Corporation. All rights reserved.
          Fuzzy  . . . . . . : 11.0
             Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
             Program starts automatically without user intervention.
             Time indicates that the file appeared recently on this computer.
             The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
             The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
          Startup
             HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
             HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    
       C:\Windows\System32\iedkcs32.dll
          Size . . . . . . . : 387.584 bytes
          Age  . . . . . . . : 0.5 days (2013-07-09 20:18:55)
          Entropy  . . . . . : 6.0
          SHA-256  . . . . . : A24078B2F95A3C2A133B3E2780F57B46A8F324099824687A9745818369A4B37A
          Product  . . . . . : Windows® Internet Explorer
          Publisher  . . . . : Microsoft Corporation
          Description  . . . : IEAK branding
          Version  . . . . . : 18.00.6001.19443
          Copyright  . . . . : © Microsoft Corporation. All rights reserved.
          Fuzzy  . . . . . . : 6.0
             Program starts automatically without user intervention.
             Time indicates that the file appeared recently on this computer.
             The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
             The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
          Startup
             HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}\
    
       C:\Windows\System32\ieframe.dll
          Size . . . . . . . : 11.111.424 bytes
          Age  . . . . . . . : 0.5 days (2013-07-09 20:18:56)
          Entropy  . . . . . : 6.4
          SHA-256  . . . . . : AA5C1310EA40DC7730F1F2312F317D0C69370A42879EE959093396937E1911C6
          Product  . . . . . : Windows® Internet Explorer
          Publisher  . . . . : Microsoft Corporation
          Description  . . . : Internet Explorer
          Version  . . . . . : 8.00.6001.19443
          Copyright  . . . . : © Microsoft Corporation. All rights reserved.
          Fuzzy  . . . . . . : 8.0
             Program starts automatically without user intervention.
             Time indicates that the file appeared recently on this computer.
             The file is in use by one or more active processes.
             The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
             The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
          Startup
             HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
             HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
             HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
          References
             HKLM\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
             HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
    
       C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll
          Size . . . . . . . : 16.166.280 bytes
          Age  . . . . . . . : 0.8 days (2013-07-09 12:39:32)
          Entropy  . . . . . : 7.0
          SHA-256  . . . . . : 100E0862C77E7D17C4D933D8305B0CBAACE3A9E2452393BBB25A8273D344639B
          RSA Key Size . . . : 2048
          Authenticode . . . : Valid
          Fuzzy  . . . . . . : 6.0
             Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
             Authors name is missing in version info. This is not common to most programs.
             Version control is missing. This file is probably created by an individual. This is not typical for most programs.
             Program starts automatically without user intervention.
             Time indicates that the file appeared recently on this computer.
             Program is code signed with a valid Authenticode certificate.
          Startup
             HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer\
          References
             C:\Windows\system32\Macromed\Flash\flashplayer.xpt
          Forensic Cluster
              0.0s C:\Windows\System32\Macromed\Flash\NPSWF32_11_8_800_94.dll
              0.3s C:\Windows\System32\Macromed\Flash\FlashUtil32_11_8_800_94_Plugin.exe
              0.5s C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe
    
    
    
    
     
  17. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    @Mops21
    Why are 2 posts needed? You can put it in one post :)
     
  18. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    C:\Users\Hannes\Desktop\RWTH_OpenVPN_Installer_7.exe
    Size . . . . . . . : 1.432.016 bytes
    Age . . . . . . . : 1.2 days (2013-07-09 09:28:03)
    Entropy . . . . . : 8.0
    SHA-256 . . . . . : 45610701DD478B77F01F69BC0BB77CC236CF40CCCC5337712F242D198DE393B2
    > Ikarus . . . . . . : Trojan-Dropper.Win32.NSIS!IK
    Fuzzy . . . . . . : 116.0
    Forensic Cluster
    0.0s C:\Users\Hannes\Desktop\RWTH_OpenVPN_Installer_7.exe
    0.0s C:\Users\Hannes\Desktop\RWTH_OpenVPN_Installer_7.exe
     
  19. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    C:\Users\Klaus\AppData\Local\Apps\2.0\KPRH08T9.LM4\M7ZE2HPO.NN9\game..tion_274b60bfce57d9e6_0001.0000_7f54574cc6d64f29\GamerzHost.de CSGO Config Creator.exe
    -> Quarantined
    Size . . . . . . . : 260.608 bytes
    Age . . . . . . . : 169.9 days (2013-01-22 17:59:16)
    Entropy . . . . . : 7.5
    SHA-256 . . . . . : 71A4BC07E9D5CE7DC063EFC4E2E3DB15B05886F3CA3E488B2239F597F84B9F01
    Product . . . . . : CSGO Config Creator
    Description . . . : CSGO Config Creator
    Version . . . . . : 1.0.0.0
    Copyright . . . . : Copyright © 2012
    > Ikarus . . . . . . : Trojan-PWS.MSIL!IK
    Fuzzy . . . . . . : 109.0


    Suspicious files ____________________________________________________________

    C:\Windows\system32\hasplms.exe
    Size . . . . . . . : 4.941.768 bytes
    Age . . . . . . . : 108.8 days (2013-03-24 22:10:18)
    Entropy . . . . . : 7.7
    SHA-256 . . . . . : 8661FDD7344A1059B99450BA22C29F70C2DF2D3A381AA47D5B24A514DE8C029F
    Product . . . . . : LDK License Manager Service
    Publisher . . . . : SafeNet Inc.
    Description . . . : Sentinel LDK License Manager Service
    Version . . . . . : 13.23.1.26482
    Copyright . . . . : © 2012 SafeNet, Inc. All rights reserved.
    RSA Key Size . . . : 2048
    Service . . . . . : hasplms
    Authenticode . . . : Valid
    Fuzzy . . . . . . : 26.0
    The file name extension of this program is not common.
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    The Entry Point of this file lies in a resource section. This is an indication of malware infection.
    The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
    Starts automatically as a service during system bootup.
    Program contains PE structure anomalies. This is not typical for most programs.
    Program is code signed with a valid Authenticode certificate.
    Startup
    HKLM\SYSTEM\CurrentControlSet\Services\hasplms\
     
  20. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    Would it be asking too much to have a separate HMP FP submission thread? ;)
     
  21. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    I would very much like to see such a thread :D
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Yes, or perhaps some other solution, because this thread is sometimes flooding with scan logs etc.
     
  23. desert_by_night

    desert_by_night Registered Member

    Joined:
    Apr 27, 2012
    Posts:
    30
    Location:
    Portugal
  24. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia

    I wonder why he didn't try to run HitmanPro in Force Breach mode !

    Link: -http://hitmanpro.wordpress.com/2012/04/12/hitmanpro-against-police-themed-ransomware/-
     
  25. Dragon_tacos

    Dragon_tacos Registered Member

    Joined:
    Jul 22, 2013
    Posts:
    1
    Sorry if this has been covered, but I tried searching everywhere and looking through the couple hundred pages, and I'm using my phone, which makes it slightly harder as well.

    When I run the Kickstart from the USB, using any of the 3 options, I always get the Windows Startup Repair and can never get past that so that I can run HitmanPro. I'm trying to remove this police virus...

    I set the BIOS to run the USB HDD first. I'm not exactly super PC savvy, but I've come this far, just not sure how to avoid Startup Repair. None of the YouTube videos have a Startup Repair; it just jumps to Windows starting...

    I tried doing a restore of my Windows from before the virus, but it said I had no backup available. Also I'm using Win7.

    Thanks for any help!
     