Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    You are welcome my friend ;)
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  3. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
    Had a machine that was badly infected and I assume the latest variant of TDSS. Hitman Pro detected that it had the infection but didn't find the driver with the infection. So after the scan it removed some exes and closed up Explorer, and when I pressed close on Hitman Pro it didn't reopen Explorer, so I was left without a desktop to do anything. Had to restart. Even Kaspersky's TDSSKiller wouldn't run; I guess it was blocking that. The only thing that worked was Norton Power Eraser with the rootkit scan, which got rid of it.
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    In the past 3 days we received word from the field that there is a new variant of TDL4. It works around Microsoft's x64 kernel patch that was released on April 12. The patch was specifically released to block Alureon/TDL4.

    The new version also has an improved disk minifilter hook. This ensures that no tool is able to remove this new variant. This includes Hitman Pro. Hitman Pro does detect it though.

    I have tried Norton Power Eraser on this new variant and it was not able to detect or remove it.

    We are working to add removal capability to Hitman Pro for this new variant. Stay tuned.

    PM me if you need a sample.
     
  5. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I've encountered this malware as well. It's a real nasty piece of ****. I had to reset my VM because there was no way to get rid of it.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Nasty :eek:

    So much for x64 kernel protection :p

    @ erikloman

    I see it's keeping you busy ;) http://www.kernelmode.info/forum/viewtopic.php?f=16&t=19&start=410

    Some nice info in there to try & get rid of it :thumb: if you're infected, or know someone who might be.
     
  7. ReverseGear

    ReverseGear Guest

    Same here... did it cause constant BSODs? And did it modify starport.sys?
     
  8. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I had a hard time even getting information on infected areas as it rendered my VM useless. Freezes. A lot of disk activity. I sent an e-mail to my malware supplier and he confirmed it was indeed the new variant.

    Fact is, I do not even dare to test it against AppGuard (which I cannot install on my VM, leaving only my ordinary machines which I use daily for important stuff), so if I want to really play around with it, I'd have to use Shadow Defender and AppGuard on a real machine... which I don't trust against a new sample until I can collect more information about it. I also can't rely on image backups, as they may be deleted... basically anything can happen; I just know too little about it to dare to test its behavior.
     
  9. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
    Hmm wish I could have gotten a sample or log for ya. But not sure what version of TDSS it was. NPE was able to get rid of it for me. Maybe because it was on 32 bit windows. Good to know that you guys are working on it :thumb:
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  11. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Erik said
    Just wanted to clarify ;)
     
  12. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    565
    I'm trying to cure it but I think at this point, it's useless.

    Pictures (HP and Kaspersky's TDSS killer)
    http://www.upload.ee/image/1309412/tds4.PNG

    http://www.upload.ee/image/1309415/tdss4.PNG

    Edit:
    Is it TDSS/TDL4? As seen from Kaspersky's report, it is?

    Edit2:
    Seems like Kaspersky cured it! I did scans with both programs and they turned out clean. (PS: I didn't try to cure it with HP as Kaspersky was faster...I wanted to remove it quickly and then investigate further).
     
    Last edited: May 1, 2011
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This is an older version of TDL4. TDSSKiller does not detect or remove the latest version that we are talking about in the posts above. Hitman Pro currently only detects the latest variant (cannot remove it yet).
     
  14. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    865
    Fixing the MBR from the recovery console and scanning with a Rescue CD (tried only with Kaspersky) seem to be the only two things effective at removing this variant.
    The variant seems to be a bit unstable; I had to kill/restart explorer on every bootup to get the desktop.
     
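    The posts above describe TDL4 as a bootkit: it lives in the MBR, and the fixes that worked were rewriting the MBR from the recovery console or scanning from a Rescue CD. A practical check for that kind of infection is to compare the MBR's boot-code region against a known-good copy, since a bootkit has to change the loader code but usually leaves the partition table intact so the machine still boots. The script below is an added example for this thread, not Hitman Pro, SurfRight or Kaspersky code; the MBR images in it are constructed test data and the baseline hash is taken from the constructed "clean" image rather than from any real disk.

```python
"""Parse a 512-byte MBR and flag changes to its boot code.

Added example for this thread (not Hitman Pro / SurfRight code). A bootkit of
the TDL4 kind replaces the MBR boot code but keeps the partition table, so the
system still boots. Hashing the boot-code region and comparing it against a
known-good copy (taken before infection, or read from a rescue medium) catches
that change even when the partition table looks normal.

All MBR images below are constructed test data, not real infected samples.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: boot code, before the disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of every valid MBR

# Partition entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
PART_ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(mbr: bytes):
    """Return the four partition entries as dicts; unused entries as None."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0:
            entries.append(None)
        else:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only (partition table excluded)."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> dict:
    """Compare an MBR against a known-good boot-code hash and sanity-check it."""
    if len(mbr) != MBR_SIZE:
        return {"ok": False, "findings": ["wrong size: %d bytes" % len(mbr)]}
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    bootable = [e for e in parse_partition_table(mbr) if e and e["bootable"]]
    if len(bootable) != 1:
        findings.append("%d partitions flagged bootable (expected 1)" % len(bootable))
    return {"ok": not findings, "findings": findings}


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a synthetic MBR from boot code and (bootable, type, lba, count) tuples."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed "clean" MBR: placeholder boot code, one bootable NTFS (0x07) partition.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 100,
                      [(True, 0x07, 2048, 204800)])
BASELINE_HASH = boot_code_hash(CLEAN_MBR)

# Constructed "modified" MBR: identical partition table, different boot code,
# mimicking a bootkit that only rewrites the loader.
INFECTED_MBR = build_mbr(b"\xeb\x58\x90" + b"\xcc" * 200,
                         [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("modified", INFECTED_MBR)):
        print(name, check_mbr(image, BASELINE_HASH))
```

    On a real system the 512 bytes would come from the physical disk (for example `\\.\PhysicalDrive0` on Windows, opened with administrator rights), and the baseline should be read from a trusted environment such as a Rescue CD, because an active bootkit with a disk-filter hook can hand a clean-looking sector back to tools running on the infected OS, which is exactly the evasion the thread is discussing.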
  15. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    565
    Thanks for the info!
     
  16. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
    I know what he said. I just wish I could have gotten a log to show that NPE cleaned out the variant I had trouble with, that's all. As opposed to the sample that Erik has that NPE doesn't clean.

    EDIT: Forgot to mention the machine that was infected was Win 7 32-bit. I first ran Hitman Pro; it detects it but doesn't remove it, just some other malware exes. The desktop didn't come back up, so I shut down the computer and restarted. Then I logged in and the desktop wouldn't show, so I restarted once more and was finally able to get to the desktop. Ran TDSSKiller and it would crap out, I forgot at what percentage. Then I decided to try the eSage Bootkit Remover; it detects the infected MBR but couldn't remove it, so I then ran Norton Power Eraser and chose the rootkit scan, which restarts the computer, then does the scan and finds the infected MBR, after which it tells me to restart. Then I checked the MBR again and it was clean. I was able to run TDSSKiller all the way through and it said it was clean. Ran Hitman Pro again and it didn't detect it anymore. So the machine was clean after.
     
    Last edited: May 1, 2011
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Good job man, and Norton Power Eraser rocks :thumb:
     
  18. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    865
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    TDL4 bootkit reinstates 64-bit infection capability

    I just blogged about the latest TDL4 variant:
    TDL4 bootkit reinstates 64-bit infection capability

    With the post we also released a new BETA:

    Changelog (build 121)
    • Added detection and removal of latest TDL4 bootkit
    • Improved behavioral scan
    • Improved removal engine
    • Added Indonesian language
    • Updated Czech language

    32-bit: http://dl.surfright.nl/HitmanPro35beta.exe
    64-bit: http://dl.surfright.nl/HitmanPro35beta_x64.exe

    Please report any problems you may find. Thank you :thumb:
     
  20. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,823
    Re: TDL4 bootkit reinstates 64-bit infection capability

    Just ran a scan, no problems there to report except...
    "Show scan with Hitman Pro on files and folders in Windows Explorer" is grayed out (not checkable) in the settings.
     
  21. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,967
    Location:
    Outer space
    Normal scan and EWS were both fine, though I haven't tried against TDL4 infected system.
     
  22. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,870
    Location:
    Germany
    Hi

    When will you release the next final version of Hitman Pro?

    And what is your roadmap to Hitman Pro 4?
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We plan to move build 121 out of beta when enough people report it is working well. That should be tomorrow or the day after that.

    Hitman Pro 4 is coming along quite nicely but we are still a few months from release. We are working on some new technology that will first be introduced in Hitman Pro 3.x.
     
  24. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
    Used the beta to remove new variant and Hitman reports it as TDL3. Other than that seems fine.

    Hopefully this new technology is for the remnant removal you mentioned for 3.6. Or something else?
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    or active shielding;) :thumb:
     