HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. LW19

    LW19 Registered Member

    Joined:
    Sep 19, 2016
    Posts:
    8
    Location:
    Germany
    Mitigation PowerPoint "False Positive"
    Type: Error
    Source: HitmanPro.Alert
    Event ID: 911
    Event time: 17.03.2017 09:02:00
    User: n/a
    Computer: PCKR003
    Description:
    Mitigation IAF
    Platform 5.1.2600/x86 v586 06_3a
    PID 1116
    Application C:\Programme\Microsoft Office\OFFICE11\POWERPNT.EXE
    Description Microsoft Office PowerPoint 11
    Violation 075F5762 is calling MSIMG32.dll IAT funcptr kernel32.dll!GetProcAddress
    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 075F5762 shimgvw.dll
    ff15f8115d07 CALL DWORD [0x75d11f8]
    8b4d08 MOV ECX, [EBP+0x8]
    8901 MOV [ECX], EAX
    eb06 JMP 0x75f5775

    2 075F586A shimgvw.dll
    3 075D8A6D shimgvw.dll
    4 075D93EB shimgvw.dll
    5 075DA1F2 shimgvw.dll
    6 075DADA0 shimgvw.dll
    7 075D6EE1 shimgvw.dll
    8 7E6B2FAE shell32.dll SHMapIDListToImageListIndexAsync +0x1fa
    9 7E6EC578 shell32.dll
    10 7E6EC502 shell32.dll
    Process Trace
    1 C:\Programme\Microsoft Office\OFFICE11\POWERPNT.EXE [1116]
    "C:\Programme\Microsoft Office\OFFICE11\POWERPNT.EXE" "\\MVBKR.dom\dfs1$\Users\Thoms\Eigene Daten\Bedienung 3401.ppt"
    2 C:\WINDOWS\explorer.exe [1756]
    3 C:\WINDOWS\system32\userinit.exe [1844]
    4 C:\WINDOWS\system32\winlogon.exe [664]
    winlogon.exe
    Thumbprint
    6da2ce07821a2750be632d3acba34cec3f084a36e15c6c467ac1e4bfa06073be
     
  2. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    Try emailing support@hitmanpro.com it can take a couple of days to get a reply as it is a team of one!
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I have one snapshot on my XP desktop, running HMPA. I hadn't been in that snapshot for the last 24 days, and was still running v3.5.5 build 570 which I got in November 2016. After the notification of an update, and reboot, I am now running v3.6.3 build 586.
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    What was the message when the action was blocked?

    Windows Media Player is protected by default, but you can modify the protection (or turn it off) to see if that solves the problem. Open the HMPA UI, click the gear icon and switch to advanced mode, click on the blue exploit mitigations tile, click applications, click Windows Media Player and then try disabling mitigations.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Shouldn't this be blocked by HMPA, because it's using process hollowing?
     
  6. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    That's a good question.

    This does look like a particularly nasty strain of malware, according to this detailed article.
    https://securityintelligence.com/dridexs-cold-war-enter-atombombing/

    But since this is a banking Trojan type malware, maybe it is best to not allow it to get on board the PC to begin with. o_O Probably opening email attachments is the biggest risk. Stay away from unsolicited email, and especially be wary of attachments.
     
  7. SATA24

    SATA24 Registered Member

    Joined:
    Mar 16, 2017
    Posts:
    2
    Location:
    USA
    Thanks! I had heard that. I hope they get him some extra staff soon! The poor guy is doing everything he can.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes correct, if delivered by exploit then HMPA will stop it. However, HMPA is also designed to alert about an already infected system, so the question to Mark and Erik Loman is, will HMPA alert about a browser that's infected with Dridex v4? And of course, because Dridex is using process hollowing and a certain ROP method, HMPA might in certain cases block the attack sooner.
     
  9. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Assuming that you have opened a trojan attachment and it executes, downloading the exploit ... the question that remains is can HMPA detect the process hollowing and ROP method used by Dridex V4 to place the malware payload?
     
  10. LW19

    LW19 Registered Member

    Joined:
    Sep 19, 2016
    Posts:
    8
    Location:
    Germany
    Mitigation "False Positive" PDF-XChange Viewer

    Type: Error
    Source: HitmanPro.Alert
    Event ID: 911
    Event time: 14.03.2017 11:13:59
    User: n/a
    Computer: PCVH117
    Description:
    Mitigation IAF
    Platform 5.1.2600/x86 v586 0f_03
    PID 1108
    Application C:\Programme\Tracker Software\PDF Viewer\PDFXCview.exe
    Description PDF-XChange Viewer 2.5
    Violation 089CFB5A is calling x8560Wm.dll IAT funcptr kernel32.dll!GetModuleHandleW
    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 089CFB5A printui.dll
    ff1544129908 CALL DWORD [0x8991244]
    85c0 TEST EAX, EAX
    a3e8489d08 MOV [0x89d48e8], EAX
    740e JZ 0x89cfb77
    688cfb9c08 PUSH DWORD 0x89cfb8c
    50 PUSH EAX
    ff1528129908 CALL DWORD [0x8991228]
    eb02 JMP 0x89cfb79

    2 089CFC7B printui.dll
    3 0899779D printui.dll
    4 7C91118A ntdll.dll LdrInitializeThunk +0x24
    5 7C92D0F4 ntdll.dll
    6 7C80AC97 kernel32.dll FreeLibrary +0x19
    7 0175B4D9 winspool.drv EnumPrinterDriversW +0x220
    8 01758F5B winspool.drv GetPrinterDataExW +0x262
    9 040C12B6 compstui.dll
    10 040C13E1 compstui.dll
    Process Trace
    1 C:\Programme\Tracker Software\PDF Viewer\PDFXCview.exe [1108]
    "C:\Programme\Tracker Software\PDF Viewer\PDFXCview.exe" "U:\Eigene Daten\Berichte\Bericht Eigenüberwachung LVA\Bericht 2017\Eigenüberwachungsbericht\Bericht Teilewäsche 2016.pdf"
    2 C:\WINDOWS\explorer.exe [2916]
    3 C:\WINDOWS\system32\userinit.exe [2876]
    4 C:\WINDOWS\system32\winlogon.exe [468]
    winlogon.exe
    Thumbprint
    afa7cb8447e0d02b1b1770d2cd0381d934ff099dfd44f08c63c4bb8019303fcc
     
  11. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Lately the usefulness of running as a protected process, as a defensive measure for anti-malware services, has come up; can we expect such a feature for Alert as well?
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    You can expect a mitigation for the well-documented AppVerify code injection for all processes on your computer. Stay tuned.
     
  13. Joel Clendineng

    Joel Clendineng Registered Member

    Joined:
    Nov 2, 2016
    Posts:
    10
    Location:
    USA
    I just installed Dr.Web Security Space and it really doesn't work at all with HitmanPro. Should I email them about it? I disabled all the conflicting items, but it totally broke every USB device; none of it worked. I had to disable the HitmanPro service, reboot and uninstall Dr.Web. I tried uninstalling without disabling the service but the PC crashed every time :D
     
  14. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    I don't think Dr. Web has any interest in getting their product to work with a competitor's. Why would they?
     
  15. guest

    guest Guest

    Does it work now after uninstalling Dr. Web?
    There are some other problems mentioned about Dr. Web products:
     
  16. Houley456

    Houley456 Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    195
    @erikloman,
    Just installed Zemana AntiLogger and the only way for my keyboard to work is to disable encryption in HitmanPro.Alert... is there any other fix?
     
  17. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    No. That's a known issue. And the workaround is to disable ID Theft of ZAL or Keystroke Encryption of HMP.A. Preferably, you should disable HMP.A's. :)
     
  18. guest

    guest Guest

    The developer mentioned it some weeks ago, but i don't know what the current status is.
    Nevertheless it can lead to problems, if two programs which are encrypting keystrokes are running at the same time. Follow the advice in #13233 and your problem should be gone.
     
  19. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    They both seem to do the same thing. Conflict would naturally arise. Not sure why you would try to run both.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Just curious, any particular reason you prefer ZAL ID Theft Protection over HMPA Keystroke Encryption?
     
  21. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Because I assume that ZAL's Identity Theft is more than just keystroke encryption. :)
     
  22. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I didn't say that ZAL's ID Theft is more than the whole of HMP.A. I meant that ID Theft is more than the encryption ability of HMP.A. :)

    We can say that ZAL's ID Theft is more or less similar to HMP.A's Safe Browsing and Keystroke Encryption features combined. :)
     
  23. Houley456

    Houley456 Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    195
    Thanks all, I decided to disable ZAL's ID Theft and use HMP.A encryption... don't know why, but that may change. Thanks again.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Would be cool to know, but to be fair, HMPA isn't really designed to fully protect the system once malware is able to run.

    What about Dridex v4, does HMPA detect browser modification? I'm sure you guys are still testing real life malware against HMPA?
     
  25. mirage22

    mirage22 Registered Member

    Joined:
    Apr 20, 2016
    Posts:
    51
    Mitigation IAF

    Platform 10.0.14393/x64 v586 06_3a
    PID 31156
    Application C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe
    Description Adobe Acrobat DC 15.23

    Violation 7591B51C is calling coml2.dll IAT funcptr KernelBase.dll!GetModuleHandleW


    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 7591B51C coml2.dll
    ff152c419575 CALL DWORD [0x7595412c]
    85c0 TEST EAX, EAX
    7423 JZ 0x7591b549
    8b45fc MOV EAX, [EBP-0x4]
    8b00 MOV EAX, [EAX]
    ff30 PUSH DWORD [EAX]
    ff3594309575 PUSH DWORD [0x75953094]
    ff1550609575 CALL DWORD [0x75956050]
    8b4dfc MOV ECX, [EBP-0x4]
    85c0 TEST EAX, EAX
    74c6 JZ 0x7591b506
    c6059830957501 MOV BYTE [0x75953098], 0x1
    ebbd JMP 0x7591b506

    2 7590ACC2 coml2.dll
    3 7590970C coml2.dll StgOpenStorageOnILockBytes +0x1ac
    4 7505650B windows.storage.dll
    5 75056681 windows.storage.dll
    6 750562E4 windows.storage.dll
    7 74FF842A windows.storage.dll
    8 74FF737C windows.storage.dll
    9 74FB7798 windows.storage.dll
    10 74FB79FA windows.storage.dll

    Process Trace
    1 C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe [31156]
    2 C:\Windows\explorer.exe [7580]
    3 C:\Windows\System32\userinit.exe [7784]
    4 C:\Windows\System32\winlogon.exe [980]
    winlogon.exe

    Thumbprint
    e88eaefe56ee39204b24d59881d6441e0e5ba232f6e638de116bfc8e96288b39

    3.6.3.586
     
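The three "Mitigation IAF" reports posted in this thread (PowerPoint, PDF-XChange Viewer, Acrobat) share one layout: a Violation line naming the address that read an IAT slot, which module's IAT it was, and which import it reached; a stack trace whose frame 1 is that address; a process trace; and a thumbprint. The following is an added example, not HitmanPro code: a parser for that layout, driven by trimmed copies of two of the alerts above, plus a triage heuristic of my own (not a description of how HMPA decides anything). The heuristic separates the two shapes visible in the thread: in the PowerPoint and PDF-XChange alerts the violating code lives in a different module than the IAT it read (shimgvw.dll reading MSIMG32.dll's IAT, printui.dll reading x8560Wm.dll's IAT), while in the Acrobat alert coml2.dll reads its own IAT. Whether any of them is a false positive is still a question for support, as eddiewood says; the check only helps order the pile.

```python
"""Parse HitmanPro.Alert "Mitigation IAF" reports like the ones posted above.
Added example, not HitmanPro code: layout inferred from the quoted alerts;
cross_module_iat_call() is this example's triage heuristic, not HMPA logic."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Frame lines look like "1 075F5762 shimgvw.dll [symbol +0x1fa]". The lowercase
# byte dumps under frame 1 ("ff15f8115d07 CALL ...", "8901 MOV ...") never match
# because the second token must be exactly 8 uppercase hex digits.
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-F]{8})\s+(\S+)(?:\s+(.+))?$")
VIOLATION_RE = re.compile(r"^Violation ([0-9A-F]{8}) is calling (\S+) IAT funcptr (\S+)$")
PROC_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")   # "2 C:\WINDOWS\explorer.exe [1756]"


@dataclass
class IafAlert:
    pid: int = 0
    application: str = ""
    violation_addr: str = ""
    iat_owner: str = ""   # module whose IAT slot was read (MSIMG32.dll, coml2.dll, ...)
    target: str = ""      # import reached through that slot, e.g. kernel32.dll!GetProcAddress
    frames: List[Tuple[int, str, str, str]] = field(default_factory=list)  # (n, addr, module, symbol)
    processes: List[Tuple[int, str, int]] = field(default_factory=list)    # (depth, image, pid)
    thumbprint: str = ""


def parse_iaf_alert(text: str) -> IafAlert:
    a, section = IafAlert(), "header"
    for line in (l.strip() for l in text.splitlines()):
        if line in ("Stack Trace", "Process Trace", "Thumbprint"):
            section = line
        elif section == "header":
            m = VIOLATION_RE.match(line)
            if m:
                a.violation_addr, a.iat_owner, a.target = m.groups()
            elif line.startswith("PID "):
                a.pid = int(line[4:])
            elif line.startswith("Application "):
                a.application = line[12:]
        elif section == "Stack Trace":
            m = FRAME_RE.match(line)
            if m:
                a.frames.append((int(m.group(1)), m.group(2), m.group(3), m.group(4) or ""))
        elif section == "Process Trace":
            m = PROC_RE.match(line)
            if m:   # the quoted command-line echo lines do not match and are skipped
                a.processes.append((int(m.group(1)), m.group(2), int(m.group(3))))
        elif re.fullmatch(r"[0-9a-f]{64}", line):
            a.thumbprint = line
    return a


def cross_module_iat_call(a: IafAlert) -> bool:
    """Heuristic of this example: True when the code at the violation address sits
    in a different module than the IAT it read. Reaching GetProcAddress or
    GetModuleHandleW via another module's IAT is the import-harvesting pattern IAF
    is aimed at; a module reading its own IAT is the more ordinary shape."""
    return bool(a.frames) and a.frames[0][2].lower() != a.iat_owner.lower()


def summarize(a: IafAlert) -> str:
    caller = a.frames[0][2] if a.frames else "?"
    kind = "cross-module" if cross_module_iat_call(a) else "in-module"
    image = a.application.split("\\")[-1]
    return f"PID {a.pid} {image}: {caller} -> {a.iat_owner} IAT -> {a.target} ({kind})"


# Trimmed copies of two alerts quoted in this thread (most stack frames removed).
POWERPOINT_ALERT = r"""
Mitigation IAF
PID 1116
Application C:\Programme\Microsoft Office\OFFICE11\POWERPNT.EXE
Violation 075F5762 is calling MSIMG32.dll IAT funcptr kernel32.dll!GetProcAddress
Stack Trace
1 075F5762 shimgvw.dll
ff15f8115d07 CALL DWORD [0x75d11f8]
8901 MOV [ECX], EAX
8 7E6B2FAE shell32.dll SHMapIDListToImageListIndexAsync +0x1fa
Process Trace
1 C:\Programme\Microsoft Office\OFFICE11\POWERPNT.EXE [1116]
"C:\Programme\Microsoft Office\OFFICE11\POWERPNT.EXE" "\\MVBKR.dom\dfs1$\Users\Thoms\Eigene Daten\Bedienung 3401.ppt"
4 C:\WINDOWS\system32\winlogon.exe [664]
Thumbprint
6da2ce07821a2750be632d3acba34cec3f084a36e15c6c467ac1e4bfa06073be
"""

ACROBAT_ALERT = r"""
Mitigation IAF
PID 31156
Application C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Violation 7591B51C is calling coml2.dll IAT funcptr KernelBase.dll!GetModuleHandleW
Stack Trace
1 7591B51C coml2.dll
ff152c419575 CALL DWORD [0x7595412c]
3 7590970C coml2.dll StgOpenStorageOnILockBytes +0x1ac
Process Trace
1 C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe [31156]
Thumbprint
e88eaefe56ee39204b24d59881d6441e0e5ba232f6e638de116bfc8e96288b39
"""

if __name__ == "__main__":
    for text in (POWERPOINT_ALERT, ACROBAT_ALERT):
        print(summarize(parse_iaf_alert(text)))
```

Paste a full alert from the Windows event log (Event ID 911, as in the posts above) into `parse_iaf_alert` and it returns the same structure; the thumbprint is the field to quote to support, and the frame-1 module plus IAT owner is what an exclusion would have to be scoped to, so keep them in the ticket rather than just the application name.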