Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. nsm0220

    nsm0220 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    138
    Location:
    USA
    because your AV's own engine had a bad detection rate, and your AV relied too heavily on Ikarus and BD for malware detection anyway; even with Ikarus gone, the AV still has a lot of FPs
     
  2. nsm0220

    nsm0220 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    138
    Location:
    USA
    btw, at one time they had 6 AV engines:

    1 and 2. G Data (Avast and BD)
    3. Emsisoft
    4. Ikarus
    5. Dr.Web
    6. Prevx
     
  3. iceman25

    iceman25 Registered Member

    Joined:
    Aug 9, 2013
    Posts:
    32
    3 engines:

    Bitdefender, Kaspersky, F-Secure [or Avast].

    5 engines:

    Bitdefender, Kaspersky, F-Secure, Avira, Avast.

    Top engines that could be added (top detection-rate engines):
    Avira
    Avast
    F-Secure
    TrustPort
    BullGuard

    We also need to remember that HitmanPro is search-and-remove, so
    the best engines need to be top performers in file detection,

    so read about AV testing:

    www.av-comparatives.org
    www.virusbtn.com

    ++++ If you want to make a difference, please vote in the 2 polls:

    http://www.poll-maker.com/poll66676xc85B49D8-3
    https://www.wilderssecurity.com/showthread.php?t=360314
     
    Last edited: Feb 20, 2014
  4. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    My choice would be: BD, Kaspersky, Avira
     
  5. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,286
    Location:
    USA, MICHIGAN
    :thumb:
     
  6. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    My choice would be to see its capabilities in their current state reviewed and determine from there on if additional engines are even necessary. Anything else is just pointless speculation.
     
  7. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Agreed!
     
  8. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    Installer for FastStone Capture flagged as suspicious. VirusTotal shows 1/50. TrendMicro-HouseCall TROJ_GE.21F04DFD (most likely an FP)
    When I rescan the file with HMP, the file is no longer flagged. When I reboot and rescan, it becomes suspicious again. Why is that?
    Code:
    Properties
    Name	FSCaptureSetup77.exe
    Location	Z:\@Software\@desktop\FSCapture
    Size	2.6 MB
    Time	11.0 days ago (2014-02-10 14:27:45)
    Needs Elevation	Yes
    Entropy	8.0
    SHA-256	9308FBC1C73931A1FDA36F71A2EC2D06DBB79134F8739718654F5F1DD790DFBD
    
    Scoring (23.0)
    Program has no publisher information but prompts the user for permission elevation.
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Time indicates that the file appeared recently on this computer.
    
    References
    HKU\S-1-5-21-725345543-682003330-1801674531-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\Z:\@Software\@desktop\FSCapture\FSCaptureSetup77.exe
    
    
    
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Whitelisted it. Thanks :thumb:
     
  10. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi Erik

    I have 3 files for you; please check and whitelist them.

    Properties
    Name opr08RCJ.tmp
    Location C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0078
    Size 3.7 MB
    Time 0.0 days ago (2014-02-21 16:50:55)
    Entropy 8.0
    SHA-256 4B172C2EFE0786E8135333B1AA431F53B0983E092CE9E2E498B4FAEFFF2DE2D5

    Scoring (22.0)
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    The file name extension of this program is not common.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Time indicates that the file appeared recently on this computer.
    Program contains PE structure anomalies. This is not typical for most programs.

    Forensic Cluster
    -8.8s C:\$Recycle.Bin\S-1-5-21-911542882-2029379874-2294310465-1000\$RCB0QAC.exe
    -8.8s C:\$Recycle.Bin\S-1-5-21-911542882-2029379874-2294310465-1000\$RCB0QAC.exe
    * C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0078\opr08RCJ.tmp
    * C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0078\opr08RCJ.tmp
    2.0s C:\$Recycle.Bin\S-1-5-21-911542882-2029379874-2294310465-1000\$R0NWYF2.exe

    SHA256: 4b172c2efe0786e8135333b1aa431f53b0983e092ce9e2e498b4faefff2de2d5
    Dateiname: opr08RCJ.tmp
    Erkennungsrate: 0 / 50
    Analyse-Datum: 2014-02-21 16:51:52 UTC ( vor 1 Minute )

    Properties
    Name ie4uinit.exe
    Location C:\Windows\system32
    Size 170 KB
    Time 7.0 days ago (2014-02-14 17:07:18)
    Entropy 7.3
    Product Windows® Internet Explorer
    Publisher Microsoft Corporation
    Description IE Per-User Initialization Utility
    Version 8.00.6001.19499
    Copyright © Microsoft Corporation. All rights reserved.
    SHA-256 70F759D5F7515782C4C069B69C575533F3F1DB885E5E2F52DAE9BC3EEB63C084

    Scoring (10.0)
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    Program starts automatically without user intervention.
    The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
    Time indicates that the file appeared recently on this computer.
    The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

    Startup
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\

    SHA256: 70f759d5f7515782c4c069b69c575533f3f1db885e5e2f52dae9bc3eeb63c084
    Dateiname: ie4uinit.exe
    Erkennungsrate: 0 / 48
    Analyse-Datum: 2014-02-21 17:01:09 UTC ( vor 1 Minute )

    Properties
    Name NPSWF32_12_0_0_70.dll
    Location C:\Windows\system32\Macromed\Flash
    Size 15.5 MB
    Time 0.0 days ago (2014-02-21 17:21:38)
    Authenticode Valid
    Entropy 7.0
    RSA Key Size 2048
    SHA-256 908053FE4AAA8E8911A8683ED871DA9371145A517C1DF33264C1318E570B69F7

    Scoring (6.0)
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Program starts automatically without user intervention.
    Time indicates that the file appeared recently on this computer.
    Program is code signed with a valid Authenticode certificate.

    Startup
    HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer\

    References
    C:\Windows\system32\Macromed\Flash\flashplayer.xpt

    Forensic Cluster
    * C:\Windows\System32\Macromed\Flash\NPSWF32_12_0_0_70.dll
    0.2s C:\Windows\System32\Macromed\Flash\FlashUtil32_12_0_0_70_Plugin.exe
    0.5s C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe
    3.5s C:\Windows\Prefetch\INSTALL_FLASH_PLAYER.EXE-F60B424E.pf
    7.9s C:\Windows\Prefetch\FLASHPLAYERUPDATESERVICE.EXE-0CF170F4.pf

    SHA256: 908053fe4aaa8e8911a8683ed871da9371145a517c1df33264c1318e570b69f7
    Dateiname: NPSWF32_12_0_0_70.dll
    Erkennungsrate: 0 / 50
    Analyse-Datum: 2014-02-21 17:04:24 UTC ( vor 1 Minute )

    With best Regards
    Mops21
     
  11. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    Thanks, but I was wondering why the file comes up clean when I rescan it after it was flagged? Only a reboot resets the clean status to suspicious.

    Al
     
  12. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    I also have this installed (same hash for NPSWF32_12_0_0_70.dll) and HMP isn't flagging it on my system. Also ran a manual scan on it and it
    comes up clean. This kind of erratic behavior makes me wonder how accurate these alerts really are. Another example of this unusual behavior in my post above.

    Al
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Mops21 is running with EWS.

    In EWS HitmanPro lists recently added files with a blue shield (= not suspicious).

    EWS is only needed when you suspect malware on your computer, but for some reason mops21 likes to run it continuously. Then you get these listings.
     
  14. HashMe

    HashMe Registered Member

    Joined:
    Feb 26, 2014
    Posts:
    4
    I scanned the computer twice with HMP, with EWS and without it, and always the same suspicious files:

    All files from adobe flash player are suspicious !

    There are more, but I paste only these two.

    I'm using Bitdefender and MBAM too; everything was clean when I scanned.

    What should I do? I installed it from two different sites, install - reinstall, then install the new one: the original get.adobe and a trusted software site. Besides, I scanned them in VirusTotal; maybe one engine out of 48 found something (so probably an FP).
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    They are suspicious because the Authenticode signature is invalid! This means that the content of these files is NOT how Adobe has published them. Maybe your computer is using the wrong date? Anyhow, something is off; the listed files are correctly suspicious because of the invalid digital signature (Authenticode).
     
  16. HashMe

    HashMe Registered Member

    Joined:
    Feb 26, 2014
    Posts:
    4
    Thanks, my date is correct, so what should I do besides downloading Flash from the original site and getting those alerts, when VirusTotal is free of them?
     
  17. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Right click on those files in Windows Explorer and go to Properties > Digital Signature tab. You will see the authenticode is messed up. This means that the file is corrupt (not original) thus suspicious. And note that suspicious is not a malware classification!
     
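    An added PowerShell example, not HitmanPro's own code, that runs on a whole folder the Digital Signature check Erik describes above, alongside the entropy and version-info heuristics that appear in the reports earlier in the thread. The function name and the 7.0 entropy cut-off are my assumptions; the default folder is the Flash plug-in directory from Mops21's report.

```powershell
# Added example (not HitmanPro's code): for every .exe/.dll under a folder, recompute
# three heuristics seen in the reports above: byte entropy (0-8 bits/byte; ~8.0 means
# packed/encrypted), Authenticode status, and whether version info names an author
# and a version. Get-FileHeuristics and the 7.0 threshold are my own assumptions.
function Get-FileHeuristics {
    param(
        [Parameter(Mandatory)][string]$Path,
        [double]$EntropyThreshold = 7.0   # assumed cut-off, not HitmanPro's real one
    )
    Get-ChildItem -Path $Path -File -Recurse -Include *.exe, *.dll | ForEach-Object {
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        # Shannon entropy over byte values: H = -sum p(b) * log2(p(b)), max 8.0
        $counts = New-Object 'int[]' 256
        foreach ($b in $bytes) { $counts[$b]++ }
        $entropy = 0.0
        foreach ($c in $counts) {
            if ($c -gt 0) {
                $p = $c / $bytes.Length
                $entropy -= $p * [Math]::Log($p, 2)
            }
        }
        # Status is 'Valid' for an intact signed file; 'HashMismatch' means the bytes no
        # longer match what the publisher signed (the case Erik describes); 'NotSigned'
        # and 'NotTrusted' are the other outcomes worth a closer look.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $ver = $_.VersionInfo
        [PSCustomObject]@{
            Name        = $_.Name
            SizeKB      = [Math]::Round($_.Length / 1KB, 1)
            Entropy     = [Math]::Round($entropy, 1)
            HighEntropy = ($entropy -ge $EntropyThreshold)
            Signature   = $sig.Status
            Signer      = $signer
            HasAuthor   = -not [string]::IsNullOrWhiteSpace($ver.CompanyName)
            HasVersion  = -not [string]::IsNullOrWhiteSpace($ver.FileVersion)
        }
    }
}

# The Flash plug-in folder from the reports above; any folder works.
Get-FileHeuristics -Path "$env:windir\System32\Macromed\Flash" |
    Sort-Object Signature, Entropy -Descending |
    Format-Table -AutoSize
```

    The byte loop is plain PowerShell and takes a while on a 15 MB DLL; a HighEntropy file with Signature = Valid is the normal case for a packed but intact plug-in, while anything other than Valid matches what the Digital Signature tab shows.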
  18. HashMe

    HashMe Registered Member

    Joined:
    Feb 26, 2014
    Posts:
    4
    All certificates on the two different installers are correct, both in Explorer's Properties and on VirusTotal. The problem starts after installation, when HMP detects suspicion and, in fact, when I check, the certificates' expiry is February 26. But tell me, then what am I doing wrong? I have probably already installed all the Adobe setups, and I'm sick of it constantly detecting suspicion; still there is something wrong. Can someone give me a link to the Adobe installer? Oh wait, isn't that get.adobe.com? :(
     
    Last edited: Feb 27, 2014
  19. HashMe

    HashMe Registered Member

    Joined:
    Feb 26, 2014
    Posts:
    4
    Never mind, Flash Player 13 on board and everything works *puppy* (no suspicious files)
     
  20. nsm0220

    nsm0220 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    138
    Location:
    USA
    btw, the three AV engines Ikarus, KIS, and BD help HitmanPro's detection rate out; trust me, I tested HitmanPro with packs of malware files for a while until I got back to making AV reviews
     
  21. iceman25

    iceman25 Registered Member

    Joined:
    Aug 9, 2013
    Posts:
    32
    What is your YouTube user name or video title
    for the AV tests?
     
  22. Chickenhawk1952

    Chickenhawk1952 Registered Member

    Joined:
    Mar 5, 2014
    Posts:
    2
    Location:
    US
    I am using (bought) Hitman Pro 3.7.9 on a windows 7 machine - all updates up-to-date - and even though I do not have it set to run at startup, it does run shortly after I boot to the desktop and it freezes my computer. I reboot and then it runs fine; doesn't find anything or traces that need to be removed.

    Kind of annoying. I have disabled any auto scans whatsoever and even manually, it will freeze the computer on the first run. Reboot and it runs fine.

    Any help?

    Love the program, BTW, helped me out of a jam last week with some nasty bug that nothing else could find, but it did.

    Thanks.
     
  23. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    I'm not sure if your question was ever answered, but I had the same issue on a PC I was servicing until I changed the screen text size back to 100%.

    > control panel > appearance & personalization > display
     
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    You can try setting the disk access mode to Compatible under Settings > Advanced tab.
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Thanks for the tip. This is indeed a problem and I've fixed it in the next build (code already tucked into source control) :thumb:
     