HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes, there is. You have to do it via Global Settings and then go to Excludes or something named like that. I am unfamiliar with the Central interface.
     
  2. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    @erikloman
    Thanks for the reply. Since it's still flagging, we'll escalate to Sophos Support, as the exception is not working properly.
     
  3. montecarlo1987

    montecarlo1987 Registered Member

    Joined:
    Jun 28, 2011
    Posts:
    1
    Hello! Nice to meet you all! I need your help!

    I have had an issue the past few days and I need your help! I may sound a little long-winded, but I am detailed in my descriptions to help you out and, in turn, help me. I am a novice when it comes to computers, but I do know the basics. I am using Windows 7 Professional SP1 64-bit. The issue is new “Attack Intercepted” messages from my paid license of HitManPro.Alert installed on this operating system, which fill my screen with messages about various applications. It is random, but there are times now, when I am using an application, that it will randomly, and more often now, generate these “Attack Intercepted” messages. Is my computer hacked now? Let me explain.

    It all started a couple of days ago, when I upgraded my already installed and trusted program FastStone Photo Resizer from version 3.7 to 3.8. I downloaded the *.exe file and, at the end of the download, I received a message that the digital signature was not valid, which surprised me from a true and trusted program of many years. I installed it anyway, feeling this was a non-issue. Well, after that, everything from HitManPro.Alert started happening, with “Attack Intercepted” messages randomly for various applications, especially for FastStone Photo Resizer [FSPR] when I ran the program on several occasions. For fear I may have some form of malware on my computer, I tried to use Free Revo Uninstaller for a complete uninstall of FSPR, and in the midst of the program beginning to uninstall FSPR, I got another “Attack Intercepted”, this time applicable to Free Revo Uninstaller. So the only thing I could do in haste was delete the FastStone Photo Resizer folder in Program Files (x86). Things calmed down for a few minutes. Then I went ahead and downloaded an alternate file, the zip file of FastStone Photo Resizer this time. The *.exe file inside the zip file downloaded without issue, with a valid signature this time when verified, and I installed from the zip file without issues. I used FSPR without issues. Now HitManPro.Alert has started giving me “Attack Intercepted” messages randomly for some of my other installed programs. When I am using an application it MAY happen early on that I get an “Attack Intercepted” for that application. It is usually a “Mitigation” with a “Lockdown”. Applications like my Internet Explorer 11 (iexplore.exe), Windows Live Photo Gallery, Windows Explorer 6.1, and Windows Command Processor 6.1 (cmd.exe), to name a few.

    Then I used known anti-malware programs to try to find and kill any possible infection on my computer. However, I found none, except some cookies that were found by some applications and deleted. The anti-malware programs whose scanning features I used were: HitmanPro.Alert, Malwarebytes Free, Adware Cleaner Free, Rogue Killer Free, Emsisoft Emergency Kit Starter Free, JRT Junkware Removal Tool, and even CCleaner, which I ran first to clean most of the temp files on the system. I even used the powerful ComboFix after turning off my latest Norton Security Deluxe, which would have killed something if it did?

    Below I have added a few of my alerts, HitmanPro.Alert events from my Windows Event Viewer, to give you some technical data that may assist you with what is going on with my system:

    Code:
    NO. 1:
    
    Log Name:      Application
    
    Source:        HitmanPro.Alert
    
    Date:          2/24/2017 11:19:49 PM
    
    Event ID:      911
    
    Task Category: Mitigation
    
    Level:         Error
    
    Keywords:      Classic
    
    User:          N/A
    
    Computer:      PC
    
    Description:
    
    Mitigation   Lockdown
    
    
    Platform     6.1.7601/x64 v573 06_25
    
    PID          2980
    
    Application  C:\Windows\explorer.exe
    
    Description  Windows Explorer 6.1
    
    
    Filename     C:\Program Files (x86)\FastStone Photo Resizer\FSResizer.exe
    
    Created By  C:\Users\Administrator\Desktop\FSResizerSetup38.exe
    
    
    Command line:
    
    "C:\Program Files (x86)\FastStone Photo Resizer\FSResizer.exe"
    
    
    Process Trace
    
    1  C:\Windows\explorer.exe [2980]
    
    2  C:\Windows\System32\userinit.exe [2904]
    
    3  C:\Windows\System32\winlogon.exe [848]
    
    winlogon.exe
    
    
    Thumbprint
    
    18ed067a263c48ff1bf04595b8fd6f65a8a2a8c535257bfe4bfd6604a2e65f0a
    
    Event Xml:
    
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    
      <System>
    
        <Provider Name="HitmanPro.Alert" />
    
        <EventID Qualifiers="0">911</EventID>
    
        <Level>2</Level>
    
        <Task>9</Task>
    
        <Keywords>0x80000000000000</Keywords>
    
        <TimeCreated SystemTime="2017-02-25T04:19:49.000000000Z" />
    
        <EventRecordID>64711</EventRecordID>
    
        <Channel>Application</Channel>
    
        <Computer>PC</Computer>
    
        <Security />
    
      </System>
    
      <EventData>
    
        <Data>C:\Windows\explorer.exe</Data>
    
        <Data>Lockdown</Data>
    
        <Data>Mitigation   Lockdown
    
    
    Platform     6.1.7601/x64 v573 06_25
    
    PID          2980
    
    Application  C:\Windows\explorer.exe
    
    Description  Windows Explorer 6.1
    
    
    Filename     C:\Program Files (x86)\FastStone Photo Resizer\FSResizer.exe
    
    Created By  C:\Users\Administrator\Desktop\FSResizerSetup38.exe
    
    
    Command line:
    
    "C:\Program Files (x86)\FastStone Photo Resizer\FSResizer.exe"
    
    
    Process Trace
    
    1  C:\Windows\explorer.exe [2980]
    
    2  C:\Windows\System32\userinit.exe [2904]
    
    3  C:\Windows\System32\winlogon.exe [848]
    
    winlogon.exe
    
    
    Thumbprint
    
    18ed067a263c48ff1bf04595b8fd6f65a8a2a8c535257bfe4bfd6604a2e65f0a</Data>
    
    
    NO. 2:
    
    Log Name:      Application
    
    Source:        HitmanPro.Alert
    
    Date:          2/24/2017 11:39:16 PM
    
    Event ID:      911
    
    Task Category: Mitigation
    
    Level:         Error
    
    Keywords:      Classic
    
    User:          N/A
    
    Computer:      PC
    
    Description:
    
    Mitigation   Lockdown
    
    
    Platform     6.1.7601/x64 v573 06_25
    
    PID          4696
    
    Application  C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe
    
    Description  Revo Uninstaller 2.0.2
    
    
    Filename     C:\Program Files (x86)\FastStone Photo Resizer\uninst.exe
    
    Created By   C:\Users\Administrator\Desktop\FSResizerSetup38.exe
    
    
    Command line:
    
    C:\Program Files (x86)\FastStone Photo Resizer\uninst.exe
    
    
    Process Trace
    
    1  C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe [4696]
    
    2  C:\Windows\explorer.exe [3232]
    
    explorer.exe
    
    3  C:\Windows\System32\winlogon.exe [848]
    
    winlogon.exe
    
    
    Thumbprint
    
    371f64016abb47ff756355e69dd23f5983cfba0fb3f3d23957de23cf8a82c4d6
    
    Event Xml:
    
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    
      <System>
    
        <Provider Name="HitmanPro.Alert" />
    
        <EventID Qualifiers="0">911</EventID>
    
        <Level>2</Level>
    
        <Task>9</Task>
    
        <Keywords>0x80000000000000</Keywords>
    
        <TimeCreated SystemTime="2017-02-25T04:39:16.000000000Z" />
    
        <EventRecordID>64717</EventRecordID>
    
        <Channel>Application</Channel>
    
        <Computer>PC</Computer>
    
        <Security />
    
      </System>
    
      <EventData>
    
        <Data>C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe</Data>
    
        <Data>Lockdown</Data>
    
        <Data>Mitigation   Lockdown
    
    
    Platform     6.1.7601/x64 v573 06_25
    
    PID          4696
    
    Application  C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe
    
    Description  Revo Uninstaller 2.0.2
    
    
    Filename     C:\Program Files (x86)\FastStone Photo Resizer\uninst.exe
    
    Created By  C:\Users\Administrator\Desktop\FSResizerSetup38.exe
    
    
    Command line:
    
    C:\Program Files (x86)\FastStone Photo Resizer\uninst.exe
    
    
    Process Trace
    
    1  C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe [4696]
    
    2  C:\Windows\explorer.exe [3232]
    
    explorer.exe
    
    3  C:\Windows\System32\winlogon.exe [848]
    
    winlogon.exe
    
    
    Thumbprint
    
    371f64016abb47ff756355e69dd23f5983cfba0fb3f3d23957de23cf8a82c4d6</Data>
    
     
    
    NO. 3:
    
    Log Name:      Application
    
    Source:        HitmanPro.Alert
    
    Date:          2/24/2017 11:41:36 PM
    
    Event ID:      911
    
    Task Category: Mitigation
    
    Level:         Error
    
    Keywords:      Classic
    
    User:          N/A
    
    Computer:      PC
    
    Description:
    
    Mitigation   Lockdown
    
    
    Platform     6.1.7601/x64 v573 06_25
    
    PID          3232
    
    Application  C:\Windows\explorer.exe
    
    Description  Windows Explorer 6.1
    
    
    Filename     C:\Program Files (x86)\FastStone Photo Resizer\FSResizer.exe
    
    Created By  C:\Users\Administrator\Desktop\FSResizerSetup38.exe
    
    
    Command line:
    
    "C:\Program Files (x86)\FastStone Photo Resizer\FSResizer.exe"
    
    
    Process Trace
    
    1  C:\Windows\explorer.exe [3232]
    
    explorer.exe
    
    2  C:\Windows\System32\winlogon.exe [848]
    
    winlogon.exe
    
    
    Thumbprint
    
    18ed067a263c48ff1bf04595b8fd6f65a8a2a8c535257bfe4bfd6604a2e65f0a
    
    Event Xml:
    
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    
      <System>
    
        <Provider Name="HitmanPro.Alert" />
    
        <EventID Qualifiers="0">911</EventID>
    
        <Level>2</Level>
    
        <Task>9</Task>
    
        <Keywords>0x80000000000000</Keywords>
    
        <TimeCreated SystemTime="2017-02-25T04:41:36.000000000Z" />
    
        <EventRecordID>64720</EventRecordID>
    
        <Channel>Application</Channel>
    
        <Computer>PC</Computer>
    
        <Security />
    
      </System>
    
      <EventData>
    
        <Data>C:\Windows\explorer.exe</Data>
    
        <Data>Lockdown</Data>
    
        <Data>Mitigation   Lockdown
    
    
    Platform     6.1.7601/x64 v573 06_25
    
    PID          3232
    
    Application  C:\Windows\explorer.exe
    
    Description  Windows Explorer 6.1
    
    
    Filename     C:\Program Files (x86)\FastStone Photo Resizer\FSResizer.exe
    
    Created By  C:\Users\Administrator\Desktop\FSResizerSetup38.exe
    
    
    Command line:
    
    "C:\Program Files (x86)\FastStone Photo Resizer\FSResizer.exe"
    
    
    Process Trace
    
    1  C:\Windows\explorer.exe [3232]
    
    explorer.exe
    
    2  C:\Windows\System32\winlogon.exe [848]
    
    winlogon.exe
    
    
    Thumbprint
    
    18ed067a263c48ff1bf04595b8fd6f65a8a2a8c535257bfe4bfd6604a2e65f0a</Data>
    
    
    NO. 4:
    
    Log Name:      Application
    
    Source:        HitmanPro.Alert
    
    Date:          2/24/2017 11:42:19 PM
    
    Event ID:      911
    
    Task Category: Mitigation
    
    Level:         Error
    
    Keywords:      Classic
    
    User:          N/A
    
    Computer:      PC
    
    Description:
    
    Mitigation   Lockdown
    
    
    Platform     6.1.7601/x64 v573 06_25
    
    PID          6592
    
    Application  C:\Windows\explorer.exe
    
    Description  Windows Explorer 6.1
    
    
    Filename     C:\Program Files (x86)\FastStone Photo Resizer\FSResizer.exe
    
    Created By  C:\Users\Administrator\Desktop\FSResizerSetup38.exe
    
    
    Command line:
    
    "C:\Program Files (x86)\FastStone Photo Resizer\FSResizer.exe" "C:\Users\Administrator\Desktop\FastStone Capture Attack - 2-24-17 PM.JPG"
    
    
    Process Trace
    
    1  C:\Windows\explorer.exe [6592]
    
    explorer.exe
    
    2  C:\Windows\System32\winlogon.exe [848]
    
    winlogon.exe
    
    
    Thumbprint
    
    18ed067a263c48ff1bf04595b8fd6f65a8a2a8c535257bfe4bfd6604a2e65f0a
    
    Event Xml:
    
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    
      <System>
    
        <Provider Name="HitmanPro.Alert" />
    
        <EventID Qualifiers="0">911</EventID>
    
        <Level>2</Level>
    
        <Task>9</Task>
    
        <Keywords>0x80000000000000</Keywords>
    
        <TimeCreated SystemTime="2017-02-25T04:42:19.000000000Z" />
    
        <EventRecordID>64722</EventRecordID>
    
        <Channel>Application</Channel>
    
        <Computer>PC</Computer>
    
        <Security />
    
      </System>
    
      <EventData>
    
        <Data>C:\Windows\explorer.exe</Data>
    
        <Data>Lockdown</Data>
    
        <Data>Mitigation   Lockdown
    
    
    Platform     6.1.7601/x64 v573 06_25
    
    PID          6592
    
    Application  C:\Windows\explorer.exe
    
    Description  Windows Explorer 6.1
    
    
    Filename     C:\Program Files (x86)\FastStone Photo Resizer\FSResizer.exe
    
    Created By  C:\Users\Administrator\Desktop\FSResizerSetup38.exe
    
    
    Command line:
    
    "C:\Program Files (x86)\FastStone Photo Resizer\FSResizer.exe" "C:\Users\Administrator\Desktop\FastStone Capture Attack - 2-24-17 PM.JPG"
    
    
    Process Trace
    
    1  C:\Windows\explorer.exe [6592]
    
    explorer.exe
    
    2  C:\Windows\System32\winlogon.exe [848]
    
    winlogon.exe
    
    
    Thumbprint
    
    18ed067a263c48ff1bf04595b8fd6f65a8a2a8c535257bfe4bfd6604a2e65f0a</Data>
    
     
    
    NO. 5:
    
    Log Name:      Application
    
    Source:        HitmanPro.Alert
    
    Date:          2/25/2017 2:22:22 PM
    
    Event ID:      911
    
    Task Category: Mitigation
    
    Level:         Error
    
    Keywords:      Classic
    
    User:          N/A
    
    Computer:      PC
    
    Description:
    
    Mitigation   ROP
    
    
    Platform     6.1.7601/x64 v573 06_25
    
    PID          6212
    
    Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
    
    Description  Internet Explorer 11
    
    
    Branch Trace                      Opcode  To                            
    
    -------------------------------- -------- --------------------------------
    
    RtlEnterCriticalSection +0x37        RET  0x63F749B7 msmpeg2adec.dll    
    
    0x77C12307 ntdll.dll                                                    
    
    
    RtlEnterCriticalSection +0x37        RET  0x63F76106 msmpeg2adec.dll    
    
    0x77C12307 ntdll.dll                                                    
    
    
    0x63F1031B msmpeg2adec.dll        ~ RET* 0x63FD5F81 msmpeg2adec.dll    
    
                e85d01faff               CALL         0x63f760e3
    
                85c0                     TEST         EAX, EAX
    
                e89ecaf3ff               CALL         0x63f12a2b
    
                97                       XCHG         EDI, EAX
    
                c3                       RET        
    
    
    
    0x63F8F17C msmpeg2adec.dll        ~ RET* 0x63FC3D23 msmpeg2adec.dll    
    
                893e                     MOV          [ESI], EDI
    
                e8f5bff4ff               CALL         0x63f0fd1f
    
                3400                     XOR          AL, 0x0
    
                00d0                     ADD          AL, DL
    
                e710                     OUT          0x10, EAX
    
                04a0                     ADD          AL, 0xa0
    
                85c0                     TEST         EAX, EAX
    
                e83a29feff               CALL         0x63fa6673
    
                ed                       IN           EAX, DX
    
                e001                     LOOPNZ       0x63fc3d3d
    
                309ca4d645ede0           XOR          [ESP-0x1f12ba2a], BL
    
                01f0                     ADD          EAX, ESI
    
                ad                       LODSD      
    
                40                       INC          EAX
    
                a273000000               MOV          [0x73], AL
    
                800e00                   OR           BYTE [ESI], 0x0
    
                                        (947726F4BB981CB8)
    
    
    
    0x63F0E5FB msmpeg2adec.dll          RET  0x63F8F166 msmpeg2adec.dll    
    
    
    0x63F130D9 msmpeg2adec.dll          RET  0x63F0E5F8 msmpeg2adec.dll    
    
    
    0x63F4B4DD msmpeg2adec.dll        ~ RET* 0x63FC3AF3 msmpeg2adec.dll    
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                                        (411C9A94D3A96D68)
    
    
    
    0x63A20A63 mf.dll                    RET  0x63A3E3C0 mf.dll              
    
    
    0x63961DFC mf.dll                    RET  0x63A20A5E mf.dll              
    
    
    Stack Trace
    
    #  Address  Module                   Location
    
    -- -------- ------------------------ ----------------------------------------
    
    1  63F749DE msmpeg2adec.dll        
    
                85c0                     TEST         EAX, EAX
    
                0f8492090000             JZ           0x63f75378
    
                c7854cffffff01000000     MOV          DWORD [EBP-0xb4], 0x1
    
                85f6                     TEST         ESI, ESI
    
                0f8480090000             JZ           0x63f75378
    
                f7431c00000020           TEST         DWORD [EBX+0x1c], 0x20000000
    
                0f8450090000             JZ           0x63f75355
    
                8bb538ffffff             MOV          ESI, [EBP-0xc8]
    
                8b851cffffff             MOV          EAX, [EBP-0xe4]
    
                83c604                   ADD          ESI, 0x4
    
                c645ab00                 MOV          BYTE [EBP-0x55], 0x0
    
                89bd24ffffff             MOV          [EBP-0xdc], EDI
    
    
    2  63F76110 msmpeg2adec.dll        
    
    3  639C4BF0 mf.dll                   MFGetService +0x27
    
    4  63A3E3DF mf.dll                
    
    5  63A32B40 mf.dll                
    
    6  63A2C866 mf.dll                
    
    7  63A48E12 mf.dll                
    
    8  63A49CE0 mf.dll                
    
    9  63A43085 mf.dll                
    
    10 63A43628 mf.dll                
    
    
    Process Trace
    
    1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [6212]
    
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4916 CREDAT:275457 /prefetch:2
    
    2  C:\Program Files\Internet Explorer\iexplore.exe [4916]
    
    3  C:\Windows\explorer.exe [2996]
    
    4  C:\Windows\System32\userinit.exe [2760]
    
    5  C:\Windows\System32\winlogon.exe [908]
    
    winlogon.exe
    
    
    Thumbprint
    
    88b247fa75f3307914e0c27fa40d56d1c55959795ec5dbff19e1ea0e3b4a8c8f
    
    Event Xml:
    
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    
      <System>
    
        <Provider Name="HitmanPro.Alert" />
    
        <EventID Qualifiers="0">911</EventID>
    
        <Level>2</Level>
    
        <Task>9</Task>
    
        <Keywords>0x80000000000000</Keywords>
    
        <TimeCreated SystemTime="2017-02-25T19:22:22.000000000Z" />
    
        <EventRecordID>64932</EventRecordID>
    
        <Channel>Application</Channel>
    
        <Computer>PC</Computer>
    
        <Security />
    
      </System>
    
      <EventData>
    
        <Data>C:\Program Files (x86)\Internet Explorer\iexplore.exe</Data>
    
        <Data>ROP</Data>
    
        <Data>Mitigation   ROP
    
    
    Platform     6.1.7601/x64 v573 06_25
    
    PID          6212
    
    Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
    
    Description  Internet Explorer 11
    
    
    Branch Trace                      Opcode  To                            
    
    -------------------------------- -------- --------------------------------
    
    RtlEnterCriticalSection +0x37        RET  0x63F749B7 msmpeg2adec.dll    
    
    0x77C12307 ntdll.dll                                                    
    
    
    RtlEnterCriticalSection +0x37        RET  0x63F76106 msmpeg2adec.dll    
    
    0x77C12307 ntdll.dll                                                    
    
    
    0x63F1031B msmpeg2adec.dll        ~ RET* 0x63FD5F81 msmpeg2adec.dll    
    
                e85d01faff               CALL         0x63f760e3
    
                85c0                     TEST         EAX, EAX
    
                e89ecaf3ff               CALL         0x63f12a2b
    
                97                       XCHG         EDI, EAX
    
                c3                       RET        
    
    
    
    0x63F8F17C msmpeg2adec.dll        ~ RET* 0x63FC3D23 msmpeg2adec.dll    
    
                893e                     MOV          [ESI], EDI
    
                e8f5bff4ff               CALL         0x63f0fd1f
    
                3400                     XOR          AL, 0x0
    
                00d0                     ADD          AL, DL
    
                e710                     OUT          0x10, EAX
    
                04a0                     ADD          AL, 0xa0
    
                85c0                     TEST         EAX, EAX
    
                e83a29feff               CALL         0x63fa6673
    
                ed                       IN           EAX, DX
    
                e001                     LOOPNZ       0x63fc3d3d
    
                309ca4d645ede0           XOR          [ESP-0x1f12ba2a], BL
    
                01f0                     ADD          EAX, ESI
    
                ad                       LODSD      
    
                40                       INC          EAX
    
                a273000000               MOV          [0x73], AL
    
                800e00                   OR           BYTE [ESI], 0x0
    
                                        (947726F4BB981CB8)
    
    
    
    0x63F0E5FB msmpeg2adec.dll          RET  0x63F8F166 msmpeg2adec.dll    
    
    
    0x63F130D9 msmpeg2adec.dll          RET  0x63F0E5F8 msmpeg2adec.dll    
    
    
    0x63F4B4DD msmpeg2adec.dll        ~ RET* 0x63FC3AF3 msmpeg2adec.dll    
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                0000                     ADD          [EAX], AL
    
                                        (411C9A94D3A96D68)
    
    
    
    0x63A20A63 mf.dll                    RET  0x63A3E3C0 mf.dll              
    
    
    0x63961DFC mf.dll                    RET  0x63A20A5E mf.dll              
    
    
    Stack Trace
    
    #  Address  Module                   Location
    
    -- -------- ------------------------ ----------------------------------------
    
    1  63F749DE msmpeg2adec.dll        
    
                85c0                     TEST         EAX, EAX
    
                0f8492090000             JZ           0x63f75378
    
                c7854cffffff01000000     MOV          DWORD [EBP-0xb4], 0x1
    
                85f6                     TEST         ESI, ESI
    
                0f8480090000             JZ           0x63f75378
    
                f7431c00000020           TEST         DWORD [EBX+0x1c], 0x20000000
    
                0f8450090000             JZ           0x63f75355
    
                8bb538ffffff             MOV          ESI, [EBP-0xc8]
    
                8b851cffffff             MOV          EAX, [EBP-0xe4]
    
                83c604                   ADD          ESI, 0x4
    
                c645ab00                 MOV          BYTE [EBP-0x55], 0x0
    
                89bd24ffffff             MOV          [EBP-0xdc], EDI
    
    
    2  63F76110 msmpeg2adec.dll        
    
    3  639C4BF0 mf.dll                   MFGetService +0x27
    
    4  63A3E3DF mf.dll                
    
    5  63A32B40 mf.dll                
    
    6  63A2C866 mf.dll                
    
    7  63A48E12 mf.dll                
    
    8  63A49CE0 mf.dll                
    
    9  63A43085 mf.dll                
    
    10 63A43628 mf.dll                
    
    
    Process Trace
    
    1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [6212]
    
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4916 CREDAT:275457 /prefetch:2
    
    2  C:\Program Files\Internet Explorer\iexplore.exe [4916]
    
    3  C:\Windows\explorer.exe [2996]
    
    4  C:\Windows\System32\userinit.exe [2760]
    
    5  C:\Windows\System32\winlogon.exe [908]
    
    winlogon.exe
    
    
    Thumbprint
    
    88b247fa75f3307914e0c27fa40d56d1c55959795ec5dbff19e1ea0e3b4a8c8f</Data>
    
    
    NO. 6:
    
    Log Name:      Application
    
    Source:        HitmanPro.Alert
    
    Date:          2/25/2017 3:17:32 PM
    
    Event ID:      911
    
    Task Category: Mitigation
    
    Level:         Error
    
    Keywords:      Classic
    
    User:          N/A
    
    Computer:      PC
    
    Description:
    
    Mitigation   Lockdown
    
    
    Platform     6.1.7601/x64 v573 06_25
    
    PID          6968
    
    Application  C:\Windows\System32\cmd.exe
    
    Description  Windows Command Processor 6.1
    
    
    Filename     C:\Windows\ERUNT.exe
    
    Created By  C:\Users\Administrator\Desktop\FRST64.exe
    
    
    Command line:
    
    ERUNT.exe  C:\FRST\HIVES silent sysreg curuser /noconfirmdelete /noprogresswindow
    
    
    Process Trace
    
    1  C:\Windows\System32\cmd.exe [6968]
    
    C:\Windows\system32\cmd.exe /c ERUNT.exe C:\FRST\HIVES silent sysreg curuser /noconfirmdelete /noprogresswindow
    
    2  C:\Users\Administrator\Desktop\FRST64.exe [3312]
    
    3  C:\Program Files\Internet Explorer\iexplore.exe [7140]
    
    4  C:\Windows\explorer.exe [2996]
    
    5  C:\Windows\System32\userinit.exe [2760]
    
    6  C:\Windows\System32\winlogon.exe [908]
    
    winlogon.exe
    
    
    Thumbprint
    
    e133e01e37f834151073f4c5c19dff57ac129d5e729c2a29eecf5aa836b48661
    
    Event Xml:
    
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    
      <System>
    
        <Provider Name="HitmanPro.Alert" />
    
        <EventID Qualifiers="0">911</EventID>
    
        <Level>2</Level>
    
        <Task>9</Task>
    
        <Keywords>0x80000000000000</Keywords>
    
        <TimeCreated SystemTime="2017-02-25T20:17:32.000000000Z" />
    
        <EventRecordID>64939</EventRecordID>
    
        <Channel>Application</Channel>
    
        <Computer>PC</Computer>
    
        <Security />
    
      </System>
    
      <EventData>
    
        <Data>C:\Windows\System32\cmd.exe</Data>
    
        <Data>Lockdown</Data>
    
        <Data>Mitigation   Lockdown
    
    
    Platform     6.1.7601/x64 v573 06_25
    
    PID          6968
    
    Application  C:\Windows\System32\cmd.exe
    
    Description  Windows Command Processor 6.1
    
    
    Filename     C:\Windows\ERUNT.exe
    
    Created By  C:\Users\Administrator\Desktop\FRST64.exe
    
    
    Command line:
    
    ERUNT.exe  C:\FRST\HIVES silent sysreg curuser /noconfirmdelete /noprogresswindow
    
    
    Process Trace
    
    1  C:\Windows\System32\cmd.exe [6968]
    
    C:\Windows\system32\cmd.exe /c ERUNT.exe C:\FRST\HIVES silent sysreg curuser /noconfirmdelete /noprogresswindow
    
    2  C:\Users\Administrator\Desktop\FRST64.exe [3312]
    
    3  C:\Program Files\Internet Explorer\iexplore.exe [7140]
    
    4  C:\Windows\explorer.exe [2996]
    
    5  C:\Windows\System32\userinit.exe [2760]
    
    6  C:\Windows\System32\winlogon.exe [908]
    
    winlogon.exe
    
    
    Thumbprint
    
    e133e01e37f834151073f4c5c19dff57ac129d5e729c2a29eecf5aa836b48661</Data>
    
     
    
    NO. 7:
    
    Log Name:      Application
    
    Source:        HitmanPro.Alert
    
    Date:          2/27/2017 7:59:46 PM
    
    Event ID:      911
    
    Task Category: Mitigation
    
    Level:         Error
    
    Keywords:      Classic
    
    User:          N/A
    
    Computer:      PC
    
    Description:
    
    Mitigation   ROP
    
    
    Platform     6.1.7601/x64 v573 06_25
    
    PID          7052
    
    Application  C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe
    
    Description  Photo Gallery 16.4
    
    
    Branch Trace                      Opcode  To                            
    
    -------------------------------- -------- --------------------------------
    
    RtlEnterCriticalSection +0x37        RET  0x13B349B7 msmpeg2adec.dll    
    
    0x76F62307 ntdll.dll                                                    
    
    
    RtlEnterCriticalSection +0x37        RET  0x13B36106 msmpeg2adec.dll    
    
    0x76F62307 ntdll.dll                                                    
    
    
    0x13AD031B msmpeg2adec.dll        ~ RET* 0x13B95854 msmpeg2adec.dll    
    
                e88a08faff               CALL         0x13b360e3
    
                85c0                     TEST         EAX, EAX
    
                e8cbd1f3ff               CALL         0x13ad2a2b
    
                97                       XCHG         EDI, EAX
    
                c3                       RET        
    
    
    
    0x13AD031B msmpeg2adec.dll        ~ RET* 0x13B83D72 msmpeg2adec.dll     
    
                8bff                     MOV          EDI, EDI
    
                53                       PUSH         EBX
    
                33db                     XOR          EBX, EBX
    
                56                       PUSH         ESI
    
                8bf1                     MOV          ESI, ECX
    
                57                       PUSH         EDI
    
                899e30c10000             MOV          [ESI+0xc130], EBX
    
                899e54c10000             MOV          [ESI+0xc154], EBX
    
                899ecc000000             MOV          [ESI+0xcc], EBX
    
                e88dbff4ff               CALL         0x13acfd1f
    
                3400                     XOR          AL, 0x0
    
                0070e7                   ADD          [EAX-0x19], DH
    
                1004e0                   ADC          [EAX], AL
    
                85c0                     TEST         EAX, EAX
    
                e8a6bcf9ff               CALL         0x13b1fa47
    
                dbc1                     FCMOVNB      ST0, ST1
    
                                    (D4CB6D6E45013671)
    
    
    
    Stack Trace
    
    #  Address  Module                   Location
    
    -- -------- ------------------------ ----------------------------------------
    
    1  13B349DE msmpeg2adec.dll        
    
                85c0                     TEST         EAX, EAX
    
                0f8492090000             JZ           0x13b35378
    
                c7854cffffff01000000     MOV          DWORD [EBP-0xb4], 0x1
    
                85f6                     TEST         ESI, ESI
    
                0f8480090000             JZ           0x13b35378
    
                f7431c00000020           TEST         DWORD [EBX+0x1c], 0x20000000
    
                0f8450090000             JZ           0x13b35355
    
                8bb538ffffff             MOV          ESI, [EBP-0xc8]
    
                8b851cffffff             MOV          EAX, [EBP-0xe4]
    
                83c604                   ADD          ESI, 0x4
    
                c645ab00                 MOV          BYTE [EBP-0x55], 0x0
    
                89bd24ffffff             MOV          [EBP-0xdc], EDI
    
    
    2  13B36110 msmpeg2adec.dll        
    
    3  13B2AC28 msmpeg2adec.dll        
    
    4  13B26AA1 msmpeg2adec.dll        
    
    5  74A58C66 ole32.dll              
    
    6  74A73128 ole32.dll              
    
    7  74A58D8A ole32.dll              
    
    8  74A58CFF ole32.dll              
    
    9  74A58A82 ole32.dll              
    
    10 74A58A33 ole32.dll             
    
    
    Process Trace
    
    1  C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe [7052]
    
    "C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe" /PhotoViewerComServer {00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} -Embedding
    
    2  C:\Windows\System32\svchost.exe [848]
    
    C:\Windows\system32\svchost.exe -k DcomLaunch
    
    
    Thumbprint
    
    9f538d21366bcf29233a56904c7988b47c9519c14e2e066781a205474edc5b92
    
    Event Xml:
    
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    
      <System>
    
        <Provider Name="HitmanPro.Alert" />
    
        <EventID Qualifiers="0">911</EventID>
    
        <Level>2</Level>
    
        <Task>9</Task>
    
        <Keywords>0x80000000000000</Keywords>
    
        <TimeCreated SystemTime="2017-02-28T00:59:46.000000000Z" />
    
        <EventRecordID>65432</EventRecordID>
    
        <Channel>Application</Channel>
    
        <Computer>PC</Computer>
    
        <Security />
    
      </System>
    
      <EventData>
    
        <Data>C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe</Data>
    
        <Data>ROP</Data>
    
        <Data>Mitigation   ROP
    
    
    Platform     6.1.7601/x64 v573 06_25
    
    PID          7052
    
    Application  C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe
    
    Description  Photo Gallery 16.4
    
    
    Branch Trace                      Opcode  To                            
    
    -------------------------------- -------- --------------------------------
    
    RtlEnterCriticalSection +0x37        RET  0x13B349B7 msmpeg2adec.dll    
    
    0x76F62307 ntdll.dll                                                    
    
    
    RtlEnterCriticalSection +0x37        RET  0x13B36106 msmpeg2adec.dll    
    
    0x76F62307 ntdll.dll                                                    
    
    
    0x13AD031B msmpeg2adec.dll        ~ RET* 0x13B95854 msmpeg2adec.dll    
    
                e88a08faff               CALL         0x13b360e3
    
                85c0                     TEST         EAX, EAX
    
                e8cbd1f3ff               CALL         0x13ad2a2b
    
                97                       XCHG         EDI, EAX
    
                c3                       RET        
    
    
    
    0x13AD031B msmpeg2adec.dll        ~ RET* 0x13B83D72 msmpeg2adec.dll    
    
                8bff                     MOV          EDI, EDI
    
                53                       PUSH         EBX
    
                33db                     XOR          EBX, EBX
    
                56                       PUSH        ESI
    
                8bf1                     MOV          ESI, ECX
    
                57                       PUSH         EDI
    
                899e30c10000             MOV          [ESI+0xc130], EBX
    
                899e54c10000             MOV          [ESI+0xc154], EBX
    
                899ecc000000             MOV          [ESI+0xcc], EBX
    
                e88dbff4ff               CALL         0x13acfd1f
    
                3400                     XOR          AL, 0x0
    
                0070e7                   ADD          [EAX-0x19], DH
    
                1004e0                   ADC          [EAX], AL
    
                85c0                     TEST         EAX, EAX
    
                e8a6bcf9ff               CALL         0x13b1fa47
    
                dbc1                     FCMOVNB      ST0, ST1
    
                                    (D4CB6D6E45013671)
    
    
    
    Stack Trace
    
    #  Address  Module                   Location
    
    -- -------- ------------------------ ----------------------------------------
    
    1  13B349DE msmpeg2adec.dll        
    
                85c0                     TEST         EAX, EAX
    
                0f8492090000             JZ           0x13b35378
    
                c7854cffffff01000000     MOV          DWORD [EBP-0xb4], 0x1
    
                85f6                     TEST         ESI, ESI
    
                0f8480090000             JZ           0x13b35378
    
                f7431c00000020           TEST         DWORD [EBX+0x1c], 0x20000000
    
                0f8450090000             JZ           0x13b35355
    
                8bb538ffffff             MOV          ESI, [EBP-0xc8]
    
                8b851cffffff             MOV          EAX, [EBP-0xe4]
    
                83c604                   ADD          ESI, 0x4
    
                c645ab00                 MOV          BYTE [EBP-0x55], 0x0
    
                89bd24ffffff             MOV          [EBP-0xdc], EDI
    
    
    2  13B36110 msmpeg2adec.dll        
    
    3  13B2AC28 msmpeg2adec.dll        
    
    4  13B26AA1 msmpeg2adec.dll        
    
    5  74A58C66 ole32.dll              
    
    6  74A73128 ole32.dll              
    
    7  74A58D8A ole32.dll              
    
    8  74A58CFF ole32.dll              
    
    9  74A58A82 ole32.dll              
    
    10 74A58A33 ole32.dll            
    
    
    Process Trace
    
    1  C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe [7052]
    
    "C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe" /PhotoViewerComServer {00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} -Embedding
    
    2  C:\Windows\System32\svchost.exe [848]
    
    C:\Windows\system32\svchost.exe -k DcomLaunch
    
    
    Thumbprint
    
    9f538d21366bcf29233a56904c7988b47c9519c14e2e066781a205474edc5b92</Data>
    

    So I am wondering what is going on here? Am I infected? If so, how do I eliminate the infection(s)? Please tell me what I need to do if I am indeed infected. What is going on here? It is strange that after installing FastStone Photo Resizer, HitManPro.Alert is now giving me random but consistent “Attack Intercepted” messages and stopping my work! Please explain. Again, I am not familiar with HitManPro.Alert.

    Please reply.

    Thank you!
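    For anyone who has to look through a batch of these records rather than one, here is an added example (my own code, not HitmanPro.Alert's, Sophos's or the poster's) that parses the plain-text Description HMP.A writes into Application event ID 911, in the format pasted above, and pulls out the parts worth reading first: the mitigation type, the stopped process and PID, the parent chain from the Process Trace (entry 1 is the mitigated process, higher entries are its ancestors) and the Thumbprint at the end of the record. The sample record embedded in it is constructed from the ROP event above with the disassembly shortened; the helper names `parse_event`, `summarize` and `trace_matches_pid` are mine, not anything HMP.A provides.

```python
"""Triage helper for HitmanPro.Alert 'Mitigation' event text (event ID 911).

Added example, not HitmanPro.Alert's own code: it parses the plain-text
Description HMP.A writes to the Application log (the format pasted above)
and extracts what a responder checks first: mitigation type, the stopped
process, its parent chain and the record's Thumbprint. Disassembly sections
(Branch Trace, Stack Trace) are skipped.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the ROP record above (disassembly shortened).
SAMPLE_EVENT = r"""Mitigation   ROP

Platform     6.1.7601/x64 v573 06_25
PID          7052
Application  C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe
Description  Photo Gallery 16.4

Branch Trace                      Opcode  To
-------------------------------- -------- --------------------------------
RtlEnterCriticalSection +0x37        RET  0x13B349B7 msmpeg2adec.dll
0x76F62307 ntdll.dll

Process Trace
1  C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe [7052]
"C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe" /PhotoViewerComServer {00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} -Embedding
2  C:\Windows\System32\svchost.exe [848]
C:\Windows\system32\svchost.exe -k DcomLaunch

Thumbprint
9f538d21366bcf29233a56904c7988b47c9519c14e2e066781a205474edc5b92
"""

# "Key  Value" header lines: capitalised key, 2+ spaces, value.
_KV_RE = re.compile(r"^([A-Z][A-Za-z ]+?)\s{2,}(\S.*?)\s*$")
# Process Trace entries: "<depth>  <image path> [<pid>]".
_TRACE_RE = re.compile(r"^(\d+)\s+(.+?) \[(\d+)\]\s*$")
_HEX64_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class ProcessEntry:
    depth: int            # 1 = mitigated process, higher = ancestors
    image: str
    pid: int
    command_line: str = ""


@dataclass
class MitigationEvent:
    mitigation: str
    pid: int
    application: str
    fields: Dict[str, str]
    process_trace: List[ProcessEntry]
    thumbprint: str


def parse_event(text: str) -> MitigationEvent:
    """Parse one HMP.A event Description into a MitigationEvent."""
    fields: Dict[str, str] = {}
    trace: List[ProcessEntry] = []
    thumbprint = ""
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("Branch Trace", "Stack Trace")):
            section = "disasm"          # ignored until the next section header
        elif line == "Process Trace":
            section = "trace"
        elif line == "Thumbprint":
            section = "thumbprint"
        elif section == "header":
            m = _KV_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        elif section == "trace":
            m = _TRACE_RE.match(line)
            if m:
                trace.append(ProcessEntry(int(m.group(1)), m.group(2), int(m.group(3))))
            elif trace:
                trace[-1].command_line = line   # command line follows its entry
        elif section == "thumbprint" and _HEX64_RE.match(line):
            thumbprint = line
    return MitigationEvent(fields.get("Mitigation", ""), int(fields.get("PID", "0")),
                           fields.get("Application", ""), fields, trace, thumbprint)


def trace_matches_pid(ev: MitigationEvent) -> bool:
    """Sanity check: the first Process Trace entry must be the mitigated PID."""
    return bool(ev.process_trace) and ev.process_trace[0].pid == ev.pid


def summarize(ev: MitigationEvent) -> str:
    """One-line summary: mitigation, process chain (child <- parent), thumbprint."""
    chain = " <- ".join(f"{ntpath.basename(p.image)} [{p.pid}]" for p in ev.process_trace)
    return f"{ev.mitigation} in {chain}; thumbprint {ev.thumbprint[:12]}"


if __name__ == "__main__":
    event = parse_event(SAMPLE_EVENT)
    print(summarize(event))
    print("trace consistent with PID:", trace_matches_pid(event))
```

    Running it on the sample gives `ROP in WLXPhotoGallery.exe [7052] <- svchost.exe [848]; thumbprint 9f538d21366b`. The chain by itself does not tell you whether an alert is a true positive; it tells you which process lineage and which command lines to compare against what that machine normally runs, which is the question to settle (or hand to the vendor with the full record) before deciding the machine is infected.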
     
  4. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    +1 :thumb:
     
  5. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    https://www.wilderssecurity.com/thr...iscussion-thread.324841/page-306#post-2543100

    This is a continuation of the above old post by erikloman, Nov 20, 2015. At the time, in reply to my query about running HMPA 3.x on legacy computers with SSE-only CPUs, Erik said "SSE2 isn't required".

    Now, I tried to install build 586 on two XP Pro computers with SSE only and both failed. The installer crashed with an error (the same error on both computers). As both run HMPA 2.6.5 together with MBAE 1.09.1.1334 I have no pressing need to upgrade if build 586 does indeed require SSE2. However, it would be nice if it worked. So, Erik, when you see this post, please comment! TIA.

    PS: if I could unpack the installer file and run setup from there it may work. I have done this with other "problem" installers okay.
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    How did you determine that the crash is caused by a lack of SSE2 support?
     
  7. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    Trial and error. On that basis there is a 99% likelihood the culprit is SSE2 if the install fails on both computers. I have faced this with other programs that suddenly changed to a compiler 'demanding' SSE2 support. But, note that I have not determined (!) anything and that's why I asked Erik to comment.
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I think you are right. I will supply you with a newer build with no dependency on SSE2.
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Automatic update to build 586 is rolling.
     
  10. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    olè!
     
  11. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    :thumb:
     
  12. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Update to 586 went fine. Mailwasher Pro (2017.7.9) would not start. Went through the mitigations and IAT Filtering needs to be off for Mailwasher Pro to start.
     
  13. tonino

    tonino Registered Member

    Joined:
    Jan 2, 2017
    Posts:
    62
    Location:
    somewhere
    CAN'T UPDATE HERE

    Still in Version 3.6.1 build 574

    tray icon - right click - Check for update

    "NO UPDATE AVAILABLE"
     
  14. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Same here, on the one Windows 7 x64 system on which there's HMPA 3.6.1.574.
    If I remember correctly from previous times, auto update is offered in batches, not for all systems at once. I suppose our systems are still waiting in line.
    I don't know how is decided which systems get the updated offered, and which are kept waiting some more.
     
  15. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    Here's a question: for the installers/uninstallers that HMPA blocks because of their trying to initiate the MSI/EXE from the temp folders, disabling Process Protection is supposed to temporarily allow them.

    The problem is the temp folders have the dropped (but not yet executed) MSI/EXE files and going back to the Uninstall/Update/Reinstall yields a "please wait until the current install/uninstall is finished" prompt.

    Without clearing the temp folders and/or rebooting, or hunting out the specific MSI/EXE that was stopped, is there any way to proceed after temporarily disabling Process Protection?
     
  16. tonino

    tonino Registered Member

    Joined:
    Jan 2, 2017
    Posts:
    62
    Location:
    somewhere
    Didn't know it!:eek:

    Thank you!
     
  17. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    You can try restarting the HitmanPro.Alert service.
     
  18. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    I did a few reboots today, and another one a moment ago - which also restarts the HitmanPro.Alert service, I suppose - but build 586 was not and still is not offered on that system.
    Is it as I suggested earlier, that auto update is offered in batches, not for all systems at once, and that some systems are still waiting in line, or is something wrong if after some reboots build 586 is still not offered to update 574?
     
  19. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I downloaded and installed 586 from the link in erikloman's sig. After restart my sidebar gadgets crashed with a big dump. I restarted again and the sidebar gadgets came up good with no dump. Will see what happens with the next restart.
     
    Last edited: Mar 1, 2017
  20. tonino

    tonino Registered Member

    Joined:
    Jan 2, 2017
    Posts:
    62
    Location:
    somewhere
    I tried several times: stopping, restarting HMP.A service
    Still no updates available!

    Maybe you are right! Let's wait and see what happens!
     
  21. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    At this point, why not update manually?
     
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Of course, and I'm using build 586 on my main system.
    Another system I did not update manually, to see if auto update works as it should to update build 574 to 586.
    Apart from us here at Wilders and similar tech forums, most users have little notion of versions and builds, and automatic update should work for them. If it doesn't, then there is an issue.

    That is why I asked @erikloman,
    is it as I suggested earlier, is auto update offered in batches, not for all systems at once, and are some systems still waiting in line, or is something wrong if after some reboots build 586 is still not offered to update 574?
     
    Last edited: Mar 1, 2017
  23. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
  24. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I know all that stuff about the sidebar and gadgets. I want them anyway.....lmao
     
  25. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    Maybe consider using something like Rainmeter?
     