HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This means the service doesn't start. Are there entries in the event log?
     
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,841
    Location:
    the Netherlands
    You're right, you are not the only one with that problem.
    It's not so much a new bug as a variation of, or even the same as, what was mentioned by others earlier.
    I had about the same issue twice before, see my Sunday, July 7th, and Wednesday, July 17th posts, and others had the same or similar experiences before.

    Did you check if the hmpalertsvc service was running?
    (I will check this next time the issue reoccurs.)

    Did you try to fix the issue by rebooting?
    Rebooting (twice, if needed) may fix the issue.

    Uninstalling and reinstalling will fix the issue,
    but it would be good to know whether the hmpalertsvc service was running or not.
     
  3. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,841
    Location:
    the Netherlands
    @ erikloman

    It would be helpful if you could reply to my July 18th post:

    Thank you very much
    and best regards
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    There "seem" to be more issues with this version, than previously, for some reason/s ?

    I submitted a bug/log file the other week, but never got a clear explanation as to what the problem was/is ?

    I won't bother trying it again, until they get sorted :(
     
  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The service helps reduce double flyouts since a modern browser nowadays runs over multiple processes. If the service is not running you see double flyouts, can't start Alert by clicking on a flyout, and if you start hmpalert.exe manually, you'd see greyed out settings. So the service is key in this issue.

    If you reboot, then the service is started upon boot. Restarting the service manually is the same (no reboot needed). So if the issue happens again, most likely the service has stopped.

    Thing is though, why is the service stopping on your computer? Are you running version 2.0.10? Maybe there is some clue in Windows Event Log?
     
  6. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,841
    Location:
    the Netherlands
    Thank you very much for the explanation, Erik.
    As I mentioned before, if the issue reoccurs, I will check whether the service is running or not.

    Yes, version 2.0.10 is running.
    If the issue reoccurs, I will not only check whether the service is running or not, but I will check Windows Event Log also.

    Older event logs have been cleared already, so I can't check those for clues now, but I will check if the issue reoccurs.


    Thanks very much
    and best regards
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Thanks! :thumb:
     
  8. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,841
    Location:
    the Netherlands
    I suppose that was your July 7th post #488 ?

     
  9. Ro4dRuNn3r

    Ro4dRuNn3r Guest

    Nah, next time I will.
    More than once.... Sometimes I'm not in the mood to restart my pc all the time just because of HitmanPro.Alert.... ;)
    I did that every time that "bug" appears. Next time I'm gonna check if hmpalertsvc Service is running or not.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ erikloman

    Any news about the new version which will include realtime protection? ;)

    Btw, I've read many bad things about Trusteer Rapport, making PCs slow and crashing them and stuff.

    Perhaps it's best to keep HitmanPro.Alert as simple as possible. :)
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ erikloman

    Btw, I would still like an answer about my question. :)

    How do trojans modify/hook into browser functions?

    Is it by injecting code, or by modifying .dll files, for example?
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Don't worry. It will not be like Trusteer. Alert 3 will be as light as a feather ;)
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Malware injects code into the browser process and detours critical network and cryptography functions (SSL) to itself so that it can snoop and change the content of the page. Think of financial transactions or usernames & passwords on Facebook, Twitter or fora.

    Injection can be via a browser addon, WriteRemoteMemory (from user or kernel mode) or via a code proxy (ZeroAccess uses this trick). But these are only a few ways. There are tons more. Hooks are typically inline or EAT based.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Sounds cool. :)

    Ok, so basically in order to prevent this, you should try to block code injection, and monitor critical browser functions?
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    That last part is what Alert 2 currently does. Blocking code injection is hard because of the dozens of ways a browser can be invaded by malware, including exploits that originate from within the browser itself.
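The "inline or EAT based" hooks and the idea of monitoring critical browser functions discussed in the posts above, sketched as a detection check. This is an added example, not part of the original posts and not HitmanPro.Alert's implementation; the module range, addresses, function names and prologue bytes are constructed.

```python
import struct

# Constructed values: a hypothetical 32-bit DLL mapped in the browser process.
BASE, SIZE = 0x71000000, 0x00200000
VA = BASE + 0x1A2B0      # address of the export being checked
FOREIGN = 0x10001000     # address outside the DLL's image

def detour_target(code, va):
    """Address the prologue unconditionally jumps to, or None if it does not."""
    i = 0
    while code[i:i + 2] == b"\x8b\xff" or code[i:i + 1] == b"\x90":
        i += 2 if code[i] == 0x8B else 1      # skip mov edi,edi / nop padding
    op = code[i:]
    if op[:1] == b"\xe9" and len(op) >= 5:                   # jmp rel32
        return (va + i + 5 + struct.unpack_from("<i", op, 1)[0]) & 0xFFFFFFFF
    if op[:1] == b"\x68" and op[5:6] == b"\xc3":             # push imm32; ret
        return struct.unpack_from("<I", op, 1)[0]
    if op[:2] == b"\x48\xb8" and op[10:12] == b"\xff\xe0":   # x64: mov rax,imm64; jmp rax
        return struct.unpack_from("<Q", op, 2)[0]
    return None

def check_inline(code, va=VA, base=BASE, size=SIZE):
    """Classify a function prologue: clean, internal jump, or detoured."""
    target = detour_target(code, va)
    if target is None:
        return "clean"
    return "internal" if base <= target < base + size else "detoured"

def check_eat(rva, size=SIZE, export_dir=(0x1F0000, 0x4000)):
    """Classify an Export Address Table entry by where its RVA lands."""
    start, length = export_dir
    if start <= rva < start + length:
        return "forwarder"       # legitimate: RVA of a forwarder string
    return "ok" if rva < size else "outside-image"

SAMPLES = {   # constructed prologues, keyed by hypothetical function name
    "ssl_write": bytes.fromhex("8bff558bec83ec10"),
    "net_send": b"\xe9" + struct.pack("<i", FOREIGN - (VA + 5)),
    "net_recv": b"\x68" + struct.pack("<I", FOREIGN) + b"\xc3",
    "thunk": b"\xe9" + struct.pack("<i", 0x100 - 5),
}

def scan():
    return {name: check_inline(code) for name, code in SAMPLES.items()}

if __name__ == "__main__":
    print(scan())
    print(check_eat(0x1A2B0), check_eat((FOREIGN - BASE) & 0xFFFFFFFF))
```

A jump that leaves the module is a lead, not a verdict: security tools such as EMET, which one poster in this thread runs with "Deep Hooks" enabled, also patch function prologues, so the next step is resolving which module owns the target address.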
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK, but apparently Trusteer Rapport and some others like Kaspersky + Avast + Quarri Protect On Q are indeed able to block trojans from modifying the browser?

    So it should be possible? :)

    Also, if I'm correct standard HIPS always offer a feature to block code injection, I wonder if this will be enough to stop these banking trojans.

    The first link is stuff that Neoava Guard (Win XP HIPS) can block.

    http://s14.postimg.org/h866f9jlt/NG_Sonar.png

    http://www.mrg-effitas.com/test-archive/ (MRG Effitas Project 31)
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,841
    Location:
    the Netherlands
    @ erikloman


    The issue that I mentioned before, July 7th and July 17th, that issue reoccurred.

    - HitmanPro.Alert's green flyout does not only appear with opening the browser,
    - but also with about half of all (multiple) new browser tabs that I open.
    - Also, each flyout is a double flyout,
    - and clicking the flyout does not open the HitmanPro.Alert Settings window.

    I checked the hmpalertsvc service:
    The hmpalertsvc service is running.

    I checked the Windows Event Log.
    The only thing that I can find related to HitmanPro.Alert is this,
    in Dutch:

    De kopie-hash van een bestand is ongeldig. Mogelijk is het bestand beschadigd vanwege een onbevoegde wijziging of duidt de ongeldige hash op een schijffout.
    Bestandsnaam: \Device\HarddiskVolume2\Windows\System32\drivers\hmpalert.sys

    Translated to English:

    The copy-hash of a file is invalid. The file may be damaged due to unauthorized modification or the invalid hash indicates a drive failure.
    File Name: \Device\HarddiskVolume2\Windows\System32\drivers\hmpalert.sys

    Details:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>5038</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12290</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2013-07-22T06:05:56.636Z" />
        <EventRecordID>266844</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="68" />
        <Channel>Security</Channel>
        <Computer>pc1</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="param1">\Device\HarddiskVolume2\Windows\System32\drivers\hmpalert.sys</Data>
      </EventData>
    </Event>

    NB
    Details also added as attachment:
    Windows Event Log details for hmpalert.log


    System information:

    Windows Vista SP2 x86
    IE9
    G Data IS 2014
    SpywareBlaster 5.0
    EMET 4.0 with all EMET mitigations for iexplore.exe and also "Deep Hooks" enabled in EMET\ Apps\ Application Configuration.


    I can reboot to correct the issue,
    or I can uninstall and reinstall HitmanPro.Alert,
    but before I do, I would like your opinion on the issue, as the hmpalertsvc service seems to be running correctly, unlike you expected.


    Thanks very much
    and best regards
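A way to pull Event ID 5038 (the code-integrity "invalid file hash" event shown in the post above) out of exported event XML for triage. This is an added example, not part of the original post; the XML is the posted event abridged, the second event is constructed, and the function names are hypothetical.

```python
import ntpath
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The event from the post above, abridged; viewer "- " markers removed.
POSTED = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" />
<EventID>5038</EventID>
<TimeCreated SystemTime="2013-07-22T06:05:56.636Z" />
<Execution ProcessID="4" ThreadID="68" />
<Computer>pc1</Computer>
</System>
<EventData>
<Data Name="param1">\Device\HarddiskVolume2\Windows\System32\drivers\hmpalert.sys</Data>
</EventData>
</Event>"""
# Constructed second event with a different ID, to show that it is skipped.
OTHER = POSTED.replace("5038", "4624")

def parse_time(raw):
    """Parse SystemTime; the fraction may carry 3 to 9 digits."""
    head, _, frac = raw.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6])
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)

def parse_5038(xml_text):
    """Return a triage record for an Event ID 5038, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5038":
        return None
    path = root.findtext("e:EventData/e:Data[@Name='param1']", namespaces=NS)
    return {
        "time": parse_time(root.find("e:System/e:TimeCreated", NS).get("SystemTime")),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "pid": int(root.find("e:System/e:Execution", NS).get("ProcessID")),
        "path": path,                        # NT device path, not a drive letter
        "file": ntpath.basename(path),
        "kernel_driver": path.lower().endswith(".sys"),
    }

def triage(events):
    """Keep only 5038 records, oldest first."""
    hits = [r for r in map(parse_5038, events) if r]
    return sorted(hits, key=lambda r: r["time"])
```

ProcessID 4 is the Windows System process, so the record shows the kernel itself reporting the hash failure while loading the driver file.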
     


  18. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,841
    Location:
    the Netherlands
    As there was no reply to my yesterday July 22nd report,
    and as even after reboots the issue reoccurred,
    I uninstalled and reinstalled HitmanPro.Alert.
    Let's see what this does.
    For now, HitmanPro.Alert works fine again, but I wonder for how long.
    If the issue should reoccur, then I will conclude HitmanPro.Alert should still be regarded as beta and I will uninstall again.
    This even more so as I think SurfRight does not sufficiently respond to reports of issues regarding HitmanPro.Alert. I notice several persons' reports have not been replied to.
    Anyway, I'll see what's next.

    Best regards
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We have identified an issue with the connection to the Alert broker service leading to double flyouts (and greyed out settings). It seems to happen over time; we think that the computer going to sleep or hibernation is triggering the issue.

    In addition we see that sometimes users don't see flyouts after reboot. We've already identified the issue with help of Wilders member Speedy.

    An update will hopefully be released in a few days to address these issues.
     
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,841
    Location:
    the Netherlands
    Thank you very much for that information, Erik.
    I hadn't noticed SurfRight already identified the issue, as recently you still asked for HitmanPro.Alert Service status and clues in the Windows Event Log.
    I supposed SurfRight was still looking for clues.

    My first assumption was that hybrid sleep mode triggered the flyout issue, as I suggested in my July 7th report, but as I also described in that report, I wasn't able to reproduce the issue in any connection to sleep mode.

    Is the Alert broker service the same as the hmpalertsvc HitmanPro.Alert Service?
    As I reported yesterday, July 22nd, the hmpalertsvc service was running nicely as the flyout issue occurred. There didn't seem to be anything wrong with that service.

    But perhaps you identified the issue in some way related to the service and related to sleep mode that I did not find.

    Anyway, I'm looking forward to the update and I hope it will fix the issue.


    Thank you very much
    and best regards
     
  21. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    It was your reports (and a few others) that made me look in certain directions. We found the Alert broker service (is same as hmpalertsvc) issue a few hours ago (reproducible). Now we have to come up with a fix.

    Thanks all for your patience as we are short on staff during summer holidays :thumb:
     
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,841
    Location:
    the Netherlands
    Thanks very much for explaining, Erik.
    Good luck with the fix.
    I'm looking forward to the update.

    Thanks again
    and best regards
     
  23. FreddyFreeloader

    FreddyFreeloader Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    527
    Location:
    Tejas
    How does one know when HitmanPro.Alert actually finds something? A red flyout I'm guessing.
     
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    See the screenshot at the bottom of this page:
    Http://www.hitmanpro.com/alert
     
  25. FreddyFreeloader

    FreddyFreeloader Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    527
    Location:
    Tejas
    OK, thanks, and thanks for HMP Alert.
    One thing I have noticed since using HMP Alert is Opera no longer says "even though you are sending information from an encrypted page, the information can be read by anyone on the internet." That was when logging in to my e-mail at my Verizon.net account. It no longer says that after I installed your browser protection.
     