HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Yes, it may only be in the newer builds ... look at the bottom of the orange CTP enabled / disabled panel.
     
  2. guest

    guest Guest

    It was introduced with Build 723 (see screenshot):
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    HMPA 728 beta - FF 57.0.2 - Win 10 Pro x64 v1709 16299.125
    Code:
    Mitigation   ROP
    
    Platform     10.0.16299/x64 v723 06_45
    PID          36532
    Application  C:\Program Files\Mozilla Firefox\firefox.exe
    Description  Firefox 57.0.2
    
    Callee Type  LoadLibrary
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFF57DA966D KernelBase.dll        
    2  00007FFF5ACD8508 ntdll.dll              
    3  00007FFF5ACC0F56 ntdll.dll                __C_specific_handler +0x96
    4  00007FFF5ACD4C3D ntdll.dll                __chkstk +0x11d
    5  00007FFF5AC4D1B8 ntdll.dll              
    6  00007FFF5ACD3B6E ntdll.dll                KiUserExceptionDispatcher +0x2e
    
    7  00007FFF1366E133 xul.dll                
                        cc                       INT 3      
    
    8  00007FFF142F37DA xul.dll                
    9  00007FFF142DCB4E xul.dll                
    10 00007FFF140AABF8 xul.dll                
    
    Code Injection
    0000017D5DDBA000-0000017D5DDBB000    4KB C:\Program Files\Mozilla Firefox\firefox.exe [20196]
    00007FFF5ACD0000-00007FFF5ACD1000    4KB
    00007FFF5ACD2000-00007FFF5ACD3000    4KB
    00007FFF5ACCF000-00007FFF5ACD0000    4KB
    1  C:\Program Files\Mozilla Firefox\firefox.exe [20196]
    2  C:\Program Files\Mozilla Firefox\firefox.exe [36748]
    3  C:\Windows\explorer.exe [11072]
    4  C:\Windows\System32\userinit.exe [7988]
    
    Process Trace
    1  C:\Program Files\Mozilla Firefox\firefox.exe [36532]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="20196.20.838565459\1300654183" -childID 3 -isForBrowser -intPrefs 5:50|6:-1|28:1000|34:20|35:5|36:10|45:128|46:10000|51:0|53:400|54:1|55:0|56:0|61:0|62:120|63:120|98:2|99:1|114:5000|124
    2  C:\Program Files\Mozilla Firefox\firefox.exe [20196]
    3  C:\Program Files\Mozilla Firefox\firefox.exe [36748]
    4  C:\Windows\explorer.exe [11072]
    5  C:\Windows\System32\userinit.exe [7988]
    
    Thumbprint
    fc3a5387fcdd473596ed531b9cf808ec8d9f63394765f3c1640dc3f2d3444647
     
  4. guest

    guest Guest

    Do you really have 728 installed? Because:
    "Platform 10.0.16299/x64 v723 06_45"

    BTW: the mitigation above looks nearly exactly the same as this: #710 (Build 721 - Nov 4, 2017)
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Yes, I do have 728 beta installed now.

    I see that alert is from just a minute before I posted that I had updated to 728 (#882) ... so I guess my post can be ignored.

    Edit: Maybe it happened during the restart ...
     
    Last edited: Dec 24, 2017
  6. guest

    guest Guest

    About 728:

    - Windows Backup's issue with the EFI/ESP being locked: the fix is confirmed, it works properly again. :thumb:
     
  7. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Been running build 728 now for a couple of days. So far it seems much more stable (no IE crashes) than 723. :thumb:
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    It's pretty stable for me, too, on Win10, as long as I resist the temptation to enable SAM...
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    HMP.A Build 728 just saved me in real life.

    Thank you dev' team. :thumb:
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    You sound joyful and triumphant! ;) Would be interesting to know the details ...
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Well, maybe not a real infection but... I clicked on an image in a Google search and Norton started blocking JsCoinminer Download 8. I opened Task Manager and killed Firefox, then HMP.A blocked a ROP attack in FF Plugin Container.

    I don't know if it would have run anyway as NoScript should have blocked the JavaScript, right?

    Many scans later I'm satisfied my machine is clean.
     
  12. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    W7-x64, upgraded from build 723 to build 728 BETA a few days ago, NO issues whatsoever!
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I needed to make an exception for Dropbox desktop app. Besides that, all's fine.
     
  14. plat1098

    plat1098 Guest

    OK, installed 728 beta and disabled the Network Lockdown as I did with the 723. I'm still having problems with the network adapter in Fall CU--every day it's a hassle, either with the frozen Start/apps on taskbar and/or failure to connect to Internet. So far, it's been good w/startup. Realtek PCIe Family Controller current version 9.1.406 2015. I have tried them all. :gack:

    Krusty, that's interesting--it takes a real-life episode for something to prove its real value, right? Alert proved its merits to me long ago. :)

    Edit: problem w/start/taskbar returned after a hiatus. So, back to the drawing board.
     
    Last edited by a moderator: Dec 29, 2017
  15. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    @RonnyT 728 still crashes when using the battle.net updater (sent you logs + crash dump(s) from that crash in the stable support thread)
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Win 10 Pro x64 v1709 16299.125, HMPA build beta 728
    Code:
    Mitigation   ROP
    
    Platform     10.0.16299/x64 v728 06_45
    PID          27856
    Application  C:\Program Files\Mozilla Firefox\firefox.exe
    Description  Firefox 57.0.3
    
    Callee Type  ProtectVirtualMemory
                 0x000002F0B95D4000 (4096 bytes)
    
    Branch Trace                              Opcode  To                                    
    ---------------------------------------- -------- ----------------------------------------
    0x00007FFF8946C34E xul.dll                 ~ RET* SleepEx()                              
                                                      0x00007FFFD23324D0 kernel32.dll        
                        ff25ca340500             JMP          QWORD [RIP+0x534ca]
    
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFFD0CE4065 KernelBase.dll           VirtualProtect +0x35
    
    2  00007FFF8972AB6F xul.dll                
                        85c0                     TEST         EAX, EAX
                        7447                     JZ           0x7fff8972abba
                        488b0ddee1d502           MOV          RCX, [RIP+0x2d5e1de]
                        483bd9                   CMP          RBX, RCX
                        0f827ed25d00             JB           0x7fff89d07e01
                        4881c100000040           ADD          RCX, 0x40000000
                        483bf9                   CMP          RDI, RCX
                        0f876ed25d00             JA           0x7fff89d07e01
                        b001                     MOV          AL, 0x1
                        488b5c2438               MOV          RBX, [RSP+0x38]
                        4883c420                 ADD          RSP, 0x20
                        5f                       POP          RDI
                        c3                       RET        
    
    3  00007FFF8946C76A xul.dll                
    4  00007FFF894666A8 xul.dll                
    5  00007FFF8941487B xul.dll                
    6  00007FFF894166BB xul.dll                
    7  000002F0B948C2F5 (anonymous; xul.dll)  
    8  0000006B1D5FAC58 (anonymous)            
    9  000002F0B948C165 (anonymous; xul.dll)  
    
    Code Injection
    000001A781DD0000-000001A781DD1000    4KB C:\Program Files\Mozilla Firefox\firefox.exe [38424]
    00007FFFD4920000-00007FFFD4921000    4KB
    00007FFFD4922000-00007FFFD4923000    4KB
    00007FFFD491F000-00007FFFD4920000    4KB
    1  C:\Program Files\Mozilla Firefox\firefox.exe [38424]
    2  C:\Program Files\Mozilla Firefox\firefox.exe [31468]
    3  C:\Windows\explorer.exe [9428]
    4  C:\Windows\System32\userinit.exe [9304]
    
    Process Trace
    1  C:\Program Files\Mozilla Firefox\firefox.exe [27856]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="38424.1.1738086672\1666178497" -childID 1 -isForBrowser -intPrefs 5:50|6:-1|28:1000|34:20|35:5|36:10|45:128|46:10000|51:0|53:400|54:1|55:0|56:0|61:0|62:120|63:120|98:2|99:1|114:5000|124
    2  C:\Program Files\Mozilla Firefox\firefox.exe [38424]
    3  C:\Program Files\Mozilla Firefox\firefox.exe [31468]
    4  C:\Windows\explorer.exe [9428]
    5  C:\Windows\System32\userinit.exe [9304]
    
    Thumbprint
    a0adf432b5eb4964e4d59de16f674b8aa2cbb8eabe6afa1d6ba45354d95ce3b8
    
     
  17. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    My Vista HP SP2 x64, which had been running build 604, was still not being offered any later build, so I went ahead and manually installed b728 and rebooted.

    Two effects:
    1. During startup I got two Windows errors saying something about Host Process for Windows Services being closed.
    2. The HMP.A services (User and System) don't show up in Task Manager. Local Services does list the HMP.A service, and it says it's set to Automatic startup, but I have to start it manually in order for the two services to appear in Task Manager and for the HMP.A icon to show up in the notification area.
    UPDATE: This is more serious than it seemed at first. Went to open Outlook 2007, and it threw up an error saying, "The application failed to initialize properly (0xc0000005). Click OK to terminate the application."

    Can't be sure if this error is related to the two issues in the list above, but the timing is suspicious. Scans with HMP.A and N360 reveal no malware presence.

    UPDATE 2: I also cannot open Spybot Search & Destroy 1.6, FlexiPDF, CCleaner -- this last one gave me an error saying that CCleaner only works on Windows 2000 or later (!?). Finally, after opening IE8, I can't close it.

    In view of these effects, I'm uninstalling b728 from Vista and reinstalling 604.

    UPDATE 3: After rebooting but before reinstalling 604, all of the above applications open normally.

    UPDATE 4: Reinstalled 604, rebooted, and this time I promptly got the notice about 728 being available. So I rebooted -- and ended up at the following BSOD:

    Code:
    STOP: c000021a {Fatal System Error}
    The NT Initial Command Process system process terminated unexpectedly with a status of 0xc0000001 (0x00000000 0x00000000).
    The system has been shut down.
    
    Now I rebooted and all I have is a black screen with a mouse pointer in the center, which I can move around.

    UPDATE 5: Went into Safe Mode, uninstalled HMP.A b728, rebooted -- and got back fine into Vista.

    Whereas previously I was wishing for a way to get HMP.A to update to the current build, now I'm hoping there is a way to PREVENT it from updating to the current build.
     
    Last edited: Dec 31, 2017
  18. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Could you please provide new dumps with 728 installed?
     
  19. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Was this a single occurrence, or is this reproducible?
    Something seems to inject into Firefox; can you provide us with a list of DLLs loaded in Firefox by DM?
     
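The module list requested above can be produced with the script below. This is an added example for readers of the thread, not HitmanPro.Alert's own tooling or anything RonnyT posted: it enumerates every DLL loaded into each running firefox.exe (the parent and the -contentproc children seen in the Process Trace sections earlier in this thread), checks the Authenticode signature of each one, and flags modules that live neither under the Firefox install directory nor under the Windows directory, which is where an injected third-party DLL would normally show up. The Firefox path is assumed to be the default "C:\Program Files\Mozilla Firefox" (the path shown in the alerts above); hmpalert.dll is flagged separately only because it is the DLL named later in this thread. Run it from an elevated PowerShell prompt, otherwise the module list of some processes cannot be read.

```powershell
# Added example (not HMP.A code): list the DLLs loaded into all firefox.exe
# processes, with signer and an "outside Firefox/Windows directories" flag.
$firefoxDir = "C:\Program Files\Mozilla Firefox"   # assumption: default install path
$windowsDir = $env:SystemRoot

$procs = Get-Process -Name firefox -ErrorAction SilentlyContinue
if (-not $procs) { Write-Warning "No firefox.exe process is running."; return }

$rows = foreach ($p in $procs) {
    try {
        $mods = $p.Modules
    } catch {
        # Typical causes: not elevated, or a 32/64-bit mismatch with the shell.
        Write-Warning "PID $($p.Id): cannot read modules ($($_.Exception.Message))"
        continue
    }
    foreach ($m in $mods) {
        $path = $m.FileName
        if (-not $path) { continue }
        $inFirefox = $path.StartsWith($firefoxDir, [System.StringComparison]::OrdinalIgnoreCase)
        $inWindows = $path.StartsWith($windowsDir, [System.StringComparison]::OrdinalIgnoreCase)
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            PID     = $p.Id
            Module  = $m.ModuleName
            Path    = $path
            Status  = $sig.Status
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Foreign = -not ($inFirefox -or $inWindows)   # candidate injected DLL
            IsHmpa  = ($m.ModuleName -ieq 'hmpalert.dll') # the HMP.A in-process DLL named in this thread
        }
    }
}

# One line per unique DLL path, "foreign" modules first so they stand out.
$rows |
    Sort-Object Path -Unique |
    Sort-Object @{Expression = 'Foreign'; Descending = $true}, Path |
    Format-Table PID, Module, Foreign, IsHmpa, Status, Signer -AutoSize

# Full per-process list, suitable for attaching to a support report.
$rows | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\firefox-modules.csv"
```

A module marked Foreign with Status other than Valid, or signed by a vendor you do not recognise, is the first thing to mention when reporting an alert like the ROP/VirtualProtect one above; a Foreign module that is validly signed by a product you installed on purpose (a password manager, an overlay, another security product) is the usual cause of a false positive and is what the developers need to know about to add an exception.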
  20. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Can you please rename hmpalert.dll in c:\windows\system32 and c:\windows\syswow64 and reboot to see if that makes a difference?
     
  21. guest

    guest Guest

    There is a way:
     
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Are you sure that was 728?
    Not 723?
    HMPA 3.7.1.723 stable should be offered for automatic updating, not 3.7.3.728 beta.
     
  23. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    At this point, I cannot say for sure. You're probably right that the automatic update was to 723. Maybe I still had 728 on the brain, but whichever version it was that was updated to, it was not a good outcome.
     
  24. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Great, thanks! I'll reinstall HMP.A, apply that registry fix, and see what happens.
     
  25. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    That's an interesting idea. But I'm not sure that I want to run the risk of BSODing my computer again! :doubt: I had some white-knuckle moments there...

    I'll think about it. Maybe I'll image the drive and also set a restore point before trying this. Should I rename the "hmpalert" part of the filename (for example, "hmgalert.dll"), or the "dll" part (for example, "hmpalert.dgl")?
     
    Last edited: Jan 1, 2018