HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Can you provide me with a screenshot? And how many exclusions do you have on there?
     
  2. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    What kind of setup are you running? AFAIK there is only support for Win XP POS and that one isn't on our supported list.
     
  3. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    A problem after today's Norton Live Update and beta 746 (Norton 22.14.2.13). Beta 746 CPU usage of 20% and Task Manager takes 1-2 minutes to appear. Shutting down W10 1803 1734.112 also takes minutes (Afsluiten...). After several reboots, same behaviour. Task Manager tells me that Hmp.Alert's status is "onderbroken".
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Have you excluded HMP.A in Norton like I mentioned to you many months ago? No issue here today.
     
  5. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Krusty, how to exclude? Can't find it searching the forum.
     
  6. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Uninstalled beta 746. Even Norton's main screen did not appear anymore.
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Open Norton and go to Settings > Antivirus > Scans and Risks tab > scroll down to Items to Exclude from Auto-Protect, SONAR and Download Intelligence Detection > Configure > Add Files > now navigate to hmpalert.exe (on my machines that is in the Program Files (x86) folder) > Apply > OK.

    Done! :)

    FYI, I found long ago that it is updates to SONAR that cause the high CPU.
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Something else is going on with your machine, deugniet. No problems here on two Win10 x64 1803 machines.
     
  9. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Reinstalled beta 746 and it seems OK now. I'll exclude Hmp.Alert in Norton. Edit: done. Thanks Krusty ;)
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    You're very welcome. Good luck!
     
  11. emil emil

    emil emil Registered Member

    Joined:
    May 5, 2016
    Posts:
    28
    Samsung Data Migration uninstall issue

    Mitigation Anti-VM

    Platform 6.1.7601/x64 v746 06_1e
    PID 5772
    Application C:\Users\Emil\AppData\Local\Temp\{A28166A9-802C-49EF-A1B3-994C36F1C2E2}\setup.exe
    Description InstallScript Setup Launcher Unicode 3.1

    VMware
    Process Trace
    1 C:\Users\Emil\AppData\Local\Temp\{A28166A9-802C-49EF-A1B3-994C36F1C2E2}\setup.exe [5772]
    C:\Users\Emil\AppData\Local\Temp\{A28166A9-802C-49EF-A1B3-994C36F1C2E2}\setup.exe -runfromtemp -l0x0419 -removeonly /z "UNINSTALL" -media_path:"C:\Program Files (x86)\InstallShield Installation Information\{3B304604-0BF5-488E-AB95-F2F2E31206F3}\" -tempdis
    2 C:\Program Files (x86)\InstallShield Installation Information\{3B304604-0BF5-488E-AB95-F2F2E31206F3}\setup.exe [7848]
    "C:\Program Files (x86)\InstallShield Installation Information\{3B304604-0BF5-488E-AB95-F2F2E31206F3}\setup.exe" -runfromtemp -l0x0419 -removeonly /z "UNINSTALL"
    3 C:\Windows\SysWOW64\dllhost.exe [9040]
    C:\Windows\SysWOW64\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
    4 C:\Windows\System32\svchost.exe [936]
    C:\Windows\system32\svchost.exe -k DcomLaunch

    Thumbprint
    1fce7edbf180ed72f50d12643292a827e1a01163d3a8b953c57faa6b57e7132b
     
  12. emil emil

    emil emil Registered Member

    Joined:
    May 5, 2016
    Posts:
    28
    Malware found:
    App/Generic-MP
    C:\Users\Emil\AppData\Local\Temp\FreemakeVideoDownloaderFull.exe
    Mitigation MalwareBlocked

    Platform 6.1.7601/x64 v746 06_1e
    PID 5996
    Application C:\Users\Emil\AppData\Local\Temp\FreemakeVideoDownloaderFull.exe
    Description App/Generic-MP

    SHA256: b5c2ac003b3e1077465332a234607e8e5caeaa699fabf5a0351f780f701cf3a3
     
  13. emil emil

    emil emil Registered Member

    Joined:
    May 5, 2016
    Posts:
    28
    D-Link wireless uninstall false alert

    Mitigation Anti-VM

    Platform 6.1.7601/x64 v746 06_1e
    PID 6448
    Application C:\Users\Emil\AppData\Local\Temp\{106D677B-20FD-4285-A473-4EC98929E4C5}\setup.exe
    Description InstallScript Setup Launcher 1.0

    VMware
    Process Trace
    1 C:\Users\Emil\AppData\Local\Temp\{106D677B-20FD-4285-A473-4EC98929E4C5}\setup.exe [6448]
    C:\Users\Emil\AppData\Local\Temp\{106D677B-20FD-4285-A473-4EC98929E4C5}\setup.exe -runfromtemp -l0x0419 -removeonly -media_path:"C:\Program Files (x86)\InstallShield Installation Information\{98B82958-1DCA-4504-BE88-C91F1C7A7225}\" -tempdisk1folder:"C:\Us
    2 C:\Program Files (x86)\InstallShield Installation Information\{98B82958-1DCA-4504-BE88-C91F1C7A7225}\setup.exe [7952]
    "C:\Program Files (x86)\InstallShield Installation Information\{98B82958-1DCA-4504-BE88-C91F1C7A7225}\setup.exe" -runfromtemp -l0x0419 -removeonly
    3 C:\Program Files\Uninstall Tool\UninstallTool.exe [8824]
    4 C:\Program Files\Uninstall Tool\UninstallToolExec.exe [8688]
    5 C:\Windows\explorer.exe [2184]
    6 C:\Windows\System32\userinit.exe [2936]

    Thumbprint
    1fce7edbf180ed72f50d12643292a827e1a01163d3a8b953c57faa6b57e7132b
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    I just got this while trying to update the firmware on my PC.
    Code:
    Log Name:      Application
    Source:        HitmanPro.Alert
    Date:          24/06/2018 8:39:27 AM
    Event ID:      911
    Task Category: Mitigation
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      David-HP
    Description:
    Mitigation   Lockdown
    
    Platform     10.0.17134/x64 v746 06_5e
    PID          9780
    Application  C:\Users\David\Downloads\HP Downloads\HP Consumer Desktop   Notebook PC ME Firmware Update - sp87520.exe
    Description  Intel Platform ME Firmware Update 11.8.50
    
    Filename     C:\SWSetup\SP87520\SETUP.EXE
    Created By   C:\Users\David\Downloads\HP Downloads\HP Consumer Desktop   Notebook PC ME Firmware Update - sp87520.exe
    
    Command line:
    "C:\SWSetup\SP87520\SETUP.EXE" FLASH
    
    Process Trace
    1  C:\Users\David\Downloads\HP Downloads\HP Consumer Desktop   Notebook PC ME Firmware Update - sp87520.exe [9780]
    2  C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPDIA.exe [10008]
    "C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPDIA.exe" hpdia://RemoteFile=https://ftp.hp.com/pub/softpaq/sp87501-88000/sp87520.exe&FileTitle=HP+Consumer+Desktop+/+Notebook+PC+ME+Firmware+Update&LC=en&CC=AU&Source=IMEFW87520
    3  C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPSFViewer.exe [8672]
    "C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPSFViewer.exe" online 00000080-3000-2000-4000-000000000002 "en-US" /Device:CNV6380RZB
    4  C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [9332]
    "C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe" /actionsPending
    5  C:\Windows\System32\svchost.exe [1380]
    c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
    6  C:\Windows\System32\services.exe [848]
    7  C:\Windows\System32\wininit.exe [720]
    wininit.exe
    
    Thumbprint
    c66452e3ddc5ac30b04769928fbe88e502be4471c8720833ff6524a0a7208cd3
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2018-06-23T22:39:27.142607800Z" />
        <EventRecordID>18919</EventRecordID>
        <Channel>Application</Channel>
        <Computer>David-HP</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Users\David\Downloads\HP Downloads\HP Consumer Desktop   Notebook PC ME Firmware Update - sp87520.exe</Data>
        <Data>Lockdown</Data>
        <Data>Mitigation   Lockdown
    
    Platform     10.0.17134/x64 v746 06_5e
    PID          9780
    Application  C:\Users\David\Downloads\HP Downloads\HP Consumer Desktop   Notebook PC ME Firmware Update - sp87520.exe
    Description  Intel Platform ME Firmware Update 11.8.50
    
    Filename     C:\SWSetup\SP87520\SETUP.EXE
    Created By   C:\Users\David\Downloads\HP Downloads\HP Consumer Desktop   Notebook PC ME Firmware Update - sp87520.exe
    
    Command line:
    "C:\SWSetup\SP87520\SETUP.EXE" FLASH
    
    Process Trace
    1  C:\Users\David\Downloads\HP Downloads\HP Consumer Desktop   Notebook PC ME Firmware Update - sp87520.exe [9780]
    2  C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPDIA.exe [10008]
    "C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPDIA.exe" hpdia://RemoteFile=https://ftp.hp.com/pub/softpaq/sp87501-88000/sp87520.exe&amp;FileTitle=HP+Consumer+Desktop+/+Notebook+PC+ME+Firmware+Update&amp;LC=en&amp;CC=AU&amp;Source=IMEFW87520
    3  C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPSFViewer.exe [8672]
    "C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPSFViewer.exe" online 00000080-3000-2000-4000-000000000002 "en-US" /Device:CNV6380RZB
    4  C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [9332]
    "C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe" /actionsPending
    5  C:\Windows\System32\svchost.exe [1380]
    c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
    6  C:\Windows\System32\services.exe [848]
    7  C:\Windows\System32\wininit.exe [720]
    wininit.exe
    
    Thumbprint
    c66452e3ddc5ac30b04769928fbe88e502be4471c8720833ff6524a0a7208cd3</Data>
      </EventData>
    </Event>
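The event 911 text above is what an analyst has to work from when deciding whether a Lockdown, Anti-VM or MalwareBlocked mitigation is a false positive. This is an added example (not part of the thread or of HitmanPro.Alert itself) that parses that free-text description into structured fields and a parent-process chain, using an abridged copy of the event above as a constructed sample; the layout assumptions (two-space label/value separation, numbered trace lines followed by an optional command line) are taken from the posted events.

```python
import re

# Constructed sample: an abridged copy of the HitmanPro.Alert event 911 description
# quoted above (Lockdown mitigation on the HP ME firmware updater).
SAMPLE_EVENT = r"""Mitigation   Lockdown

Platform     10.0.17134/x64 v746 06_5e
PID          9780
Application  C:\Users\David\Downloads\HP Downloads\HP Consumer Desktop   Notebook PC ME Firmware Update - sp87520.exe
Description  Intel Platform ME Firmware Update 11.8.50

Command line:
"C:\SWSetup\SP87520\SETUP.EXE" FLASH

Process Trace
1  C:\Users\David\Downloads\HP Downloads\HP Consumer Desktop   Notebook PC ME Firmware Update - sp87520.exe [9780]
2  C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [9332]
"C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe" /actionsPending
3  C:\Windows\System32\svchost.exe [1380]
c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
4  C:\Windows\System32\services.exe [848]

Thumbprint
c66452e3ddc5ac30b04769928fbe88e502be4471c8720833ff6524a0a7208cd3
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s{2,}(\S.*)$")  # "Label   value"
TRACE_RE = re.compile(r"^\d+\s+(.+?)\s+\[(\d+)\]$")             # "n  image [pid]"
SECTIONS = {"Command line:": "cmd", "Process Trace": "trace", "Thumbprint": "thumb"}

def parse_hmpa_event(text):
    """Parse the description into header fields, command line, process trace and thumbprint."""
    ev = {"fields": {}, "command_line": None, "trace": [], "thumbprint": None}
    section = "fields"
    for line in (ln.rstrip() for ln in text.splitlines()):
        if not line:
            continue
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        if section == "fields" and (m := FIELD_RE.match(line)):
            ev["fields"][m.group(1)] = m.group(2)
        elif section == "cmd":
            ev["command_line"] = line
        elif section == "trace":
            if m := TRACE_RE.match(line):
                ev["trace"].append({"image": m.group(1), "pid": int(m.group(2)), "cmdline": None})
            elif ev["trace"]:  # an unnumbered line is the command line of the entry above it
                ev["trace"][-1]["cmdline"] = line
        elif section == "thumb":
            ev["thumbprint"] = line
    return ev

def process_chain(ev):
    """Executable names from the mitigated process up to its root ancestor."""
    return [e["image"].rsplit("\\", 1)[-1] for e in ev["trace"]]
```

The chain for this event runs from the downloaded updater through HPSF.exe to the Schedule service host, which is exactly the context RonnyT asks about in the next post (which mitigation profile HPSF.exe falls under).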
     
  15. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Hi Krusty,

    Under which Exploit Mitigation profile do you have HPSF.exe?
    If it's under "Other", please disable 'Application Lockdown' and reboot the machine to try again.
     
  16. OB1W4N5

    OB1W4N5 Registered Member

    Joined:
    Jul 27, 2015
    Posts:
    29
    I'm suddenly unable to run a scan with either the beta version or the regular version. Windows 10, fully up to date. Issue persists even after full uninstall and reinstall using Revo. Protections still seem to be in place, just doesn't let me run a manual scan. Anyone else run into this?
     
  17. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Does it show 'Scan failed' immediately or does it show 'Downloading...' first?

    Can you reach http://get.hitmanpro.com with your browser? If so, is your firewall blocking HitmanPro.Alert (hmpalert.exe) access to the internet?

    If it shows 'Scan failed' directly, open Explorer, navigate to %temp%, delete the hitmanpro.exe that's located there and try again.
     
  18. OB1W4N5

    OB1W4N5 Registered Member

    Joined:
    Jul 27, 2015
    Posts:
    29
    Actually not able to reach that website using any browser at all on this system. It auto downloads another without a problem on a secondary system. Not sure what changed. Any suggestion for what to tweak?
     
  19. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Do you suspect the other machine to be infected?
    I'd download via the working system, copy to the infected one with a clean USB drive and scan the possibly infected machine; mark that USB drive as unreliable until you are sure it hasn't been infected by the suspicious machine.

    On the infected machine, can you try to see what ping get.hitmanpro.com resolves to?
    Open a command box and type:

    ping get.hitmanpro.com

    This should generate output like this:

    Pinging get.hitmanpro.com [213.189.27.250] with 32 bytes of data:
    Reply from 213.189.27.250: bytes=32 time=14ms TTL=118
    Reply from 213.189.27.250: bytes=32 time=14ms TTL=118
    Reply from 213.189.27.250: bytes=32 time=14ms TTL=118
    Reply from 213.189.27.250: bytes=32 time=18ms TTL=118

    If you get something else, there is malware either tricking you via the c:\windows\system32\drivers\etc\hosts file or your DNS got tricked.
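The two causes RonnyT names (a hosts-file entry or a poisoned DNS answer) can be separated before touching the network by parsing the hosts file for the download host and comparing the address ping returned with the one quoted in the post. This is an added example, not the thread's or HitmanPro's own code; the hosts-file content is constructed, and the expected address is simply the one shown in the ping output above, which may change over time.

```python
import ipaddress

# Constructed sample hosts file: Windows default comments plus one entry that pins
# the HitmanPro download host to 0.0.0.0 (the kind of tampering the post warns about).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
127.0.0.1   mypc.local   # comment after an entry
0.0.0.0     GET.HITMANPRO.COM hitmanpro.com
"""
EXPECTED_IP = "213.189.27.250"  # address quoted in the post's sample ping output (assumption: still current)

def hosts_overrides(hosts_text, hostname):
    """Addresses the hosts file pins `hostname` to; an empty list means no override."""
    wanted = hostname.lower().rstrip(".")
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, including trailing ones
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])  # first token must be an IPv4/IPv6 address
        except ValueError:
            continue
        if wanted in (name.lower().rstrip(".") for name in parts[1:]):
            hits.append(parts[0])
    return hits

def check_resolution(resolved_ip, hosts_text, hostname, expected_ip=EXPECTED_IP):
    """Classify the address ping reported: ok, hosts-file override, or unexpected DNS answer."""
    overrides = hosts_overrides(hosts_text, hostname)
    if overrides:
        return "hosts-file override -> " + ", ".join(overrides)
    if resolved_ip == expected_ip:
        return "ok"
    return "unexpected DNS answer -> " + resolved_ip
```

On a real machine, feed it the contents of c:\windows\system32\drivers\etc\hosts and the address from the ping output; an override hit points at the hosts file, while a clean hosts file with a wrong address points at DNS.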
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Hi Ronny,

    Yes, HP Support Assistant is protected by the "Other" profile.
    I'm sure disabling "Application Lockdown" would have worked but I temporarily uninstalled HMP.A until I had upgraded the firmware. I must remember that for next time.

    Thanks.
     
  21. OB1W4N5

    OB1W4N5 Registered Member

    Joined:
    Jul 27, 2015
    Posts:
    29
    I do not believe either machine to be infected. MBAM 3, Rogue Killer, and Windows Defender all seem to agree.

    I was able to ping the website after switching my VPN. Pinging and downloading a fresh copy of the file now work on and off VPN from all browsers. I am still unable to run a manual scan. The download bar never appears, and the status goes immediately to Failed.

    I deleted/restored the HOSTS file to default, and no change. Somewhat perplexed at this one.
     
  22. OB1W4N5

    OB1W4N5 Registered Member

    Joined:
    Jul 27, 2015
    Posts:
    29
    Finally figured it out, as I remembered this has actually happened before. Might be a known issue, but MBAM Premium 3 was responsible for this. Disabling the real time web protection allows HMPA to update and scan without a problem. So, there you have it.
     
  23. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Can you please add an exclusion like this and see if that resolves the issue?
     
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I had the same problem with MalwareBytes; after updating to the latest component package the web protection was blocking many legitimate websites without warning.
     
  25. OB1W4N5

    OB1W4N5 Registered Member

    Joined:
    Jul 27, 2015
    Posts:
    29
    I do not have any HMP files in my Temp folder, only in my Program Files, as far as I can tell. Adding that EXE to the exclusions does not allow for connectivity.
     