Force Breach: Kill Rogue anti-malware before they kill you

Discussion in 'other anti-malware software' started by erikloman, Feb 11, 2010.

Thread Status:
Not open for further replies.
  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    Hitman Pro just gained a new feature called: Force Breach.

    Most people in the security business have come across a couple of fake/rogue anti-malware infections that kill every application you are trying to run, including your favorite removal tool.

    If you run Hitman Pro (build 88 or newer) from a USB stick and start its EXE while holding down the left Ctrl-key, then Hitman Pro will kill every non-essential process running under the user's context, including the rogue infection.

    Everything becomes clear when you view the YouTube video.
     
  2. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    This is a great feature! :)
     
  3. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    What if the malware runs as a service?
     
  4. Sjoeii

    Sjoeii Registered Member

    Joined:
    Aug 26, 2006
    Posts:
    1,240
    Location:
    52°18'51.59"N + 4°56'32.13"O
    Nice new feature. Thanks
     
  5. Dr who

    Dr who Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    46
    Hi,

    Since you missed my question in your main Hitman Pro topic and started a whole new topic announcing it (Spam??), I will replicate my question here in the hope that you will reply. :thumb:

    Hello erikloman,

    This is for a scenario of extra recovery when all of the cloud databases have been bypassed and the rogue has installed (in memory) past HMP3's real-time protections, right?

    Does the rogue (Security Tool) not exit your process from memory, as it does to so many others, when it first installs or the infected computer is rebooted?

    Also, if someone wanted to fix a computer infected with this rogue, how would they achieve what you show in your YouTube clip if HMP is not installed?

    Please advise, as some think it is a great feature without even testing it first to see if it works in the real world.
     
  6. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Hey Dr Who,
    Not sure if I understood you correctly, but Hitman is not an on-access product; it operates on-demand. It also doesn't need to be installed: just run the exe you downloaded (via My Computer, the "search" or "run" dialog, or via Safe Mode with Networking if everything else is blocked) and it will clean your system.
    On a separate note, it's hilarious to see that the duration of the Hitman video on YouTube is 1 minute 06 seconds to clean rogue A/Vs, while other similar how-to videos there are 10+ minutes!
     
    Last edited: Feb 11, 2010
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    I started a new thread so that others may notice this feature outside the people monitoring the Hitman Pro specific thread.
    Force Breach is for the scenario where you can't start your on-demand removal tool because the infection is preventing you from starting anything at all. As the video shows, the infection is literally killing new processes at a regular interval.

    You can copy HitmanPro35.exe to a USB stick and start it from there while holding the Ctrl key down. The video does not actually illustrate the USB part, but you'll get the point, I hope.

    Also, it is not required to click Next to let Hitman Pro clean your PC. Once Hitman Pro has performed the Force Breach, you can start any removal tool you want.
     
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Installed Antivirus Soft before Hitman.

    With AV Soft active I then executed HMP, and even though AV Soft threw up its usual infected warning, HMP was still created on the desktop.

    Left Ctrl and execute killed AV Soft, allowing a scan which cleaned up the infection.

    Installed several rogues at once from a lovely little roguepack.exe that I picked up, and left-Ctrl executing HMP killed the lot.

    HMP seemed to clean up the XP VM, and after a reboot I reinstalled the rogue pack to test again, but left Ctrl didn't seem to work this time around.

    Does left Ctrl stop working after a coupla times?

    [Attached screenshots: One.JPG, Two.JPG, Three.JPG]
     
  9. curious george

    curious george Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    218
    What if Hitman Pro isn't allowed to execute at all? Does its Ctrl function still work? This seems to be the case nowadays: nothing wants to load, or work for that matter. lol
     
  10. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    AV Live and AV Soft are about the worst I've come across so far, and Hitman did OK.

    Got anything more aggressive? Then please share. :)
     
  11. curious george

    curious george Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    218
    I cleaned out a few comps; I shoulda extracted the samples from them... but this was a few days ago. I'll try to get my hands on them. I have an image from an infected state; maybe I can restore it and get at it.

    It wouldn't execute ANYTHING. You couldn't even open a removable drive.
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Sounds like my favourite type of malware. :D

    Be good if you could grab a sample.
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    for me it is the rootkits;)
     
  14. curious george

    curious george Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    218
    If you don't mind me asking, where do you get your samples from?

    I get mine directly from infected computers, and the image is on my external hard drive somewhere. God have mercy on it... wherever it may be.
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    LimeWire :D and surf the web like always :D
     
  16. curious george

    curious george Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    218
    LimeWire is fun, and it's easy to spot which particular one is a rogue, but I want a source with NEW infections. The LimeWire ones have been around for a while...
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Yeah, and very easy to grab malware from :D
     
  18. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hey Franklin,

    I think that Security Tool, Internet Security 2010 and Paladin Antivirus [the latter also drops the Virut and TDSS Trojans] are as BAD as Antivirus Live and its cousin Antivirus Soft.

    Personally, I haven't had any experience with this trio, but a friend of mine who cleans computers of threats just for fun has told me so.

    Regards,

    Carlos
     
  19. curious george

    curious george Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    218
    Agreed. Had to deal with a few of them. I might have a copy... hm.
     
  20. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Analysis of Paladin AV with the Virut embedded here:

    http://forums.malwarebytes.org/index.php?showtopic=39132

    Later installers don't have the Virut.

    Internet Security 2010 and Security Tool don't seem that aggressive, but they may behave themselves in a VM, and they usually target MBAM.

    [Attached screenshots: MBAM.JPG, MBAM3.JPG]
     
  21. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Some solid developments happening in Hitman Pro. And good testing, Franklin. :thumb:

    I agree, there is no harm in having the Hitman Pro thread to post developments and issues, and making another thread to announce a new feature to hear feedback, possibly from non-users.
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    We had to pull build 88 last night (CET) due to a problem causing Hitman Pro to crash on some systems which have Firefox installed. The problem was related to a particular state of the places.sqlite database that Hitman Pro choked on.

    This is why you experienced the left Ctrl-key stopping working the second time: you received build 87, which did not have the Force Breach feature.

    Build 89, which addresses the mentioned crash, has just come online.
     
  23. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    Tested against some rogues. Hitman Pro detected and removed all problems (disabled Windows functions etc.) :thumb:

  24. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Several posts removed. Do not post links to malware here. See the TOS.
     
  25. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Grabbed it, thanks erikloman, and it seemed to have no problems killing/cleaning up AV Soft. :)
     