Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Thank you very much
     
  2. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    No problem :)
     
  4. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi all

    I need your help for this
     

    Attached Files:

  5. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Mops21,

    Interesting that you pointed that out...I got the very same response on Tuesday night.

    Unfortunately, it set off a bad series of events.

    1. I activated my 30 day trial in order to remove the adware remnants.
    (I wish I hadn't wasted it on this...I thought it might be "free" like removing tracking cookies.)

    2. There was no option to "quarantine" so I chose to "delete" the exact 3 items as in your example.

    3. In doing so, Hitman Pro left my system unstable and extremely slow and unresponsive. (Even after a couple of reboots which took forever.)

    4. I had to restore an image from Sunday, March 4th which took over 3 hours due to my system being slowed down dramatically.

    5. When I rescanned with HMP, the same 3 malware files were present. (Which means that when HMP scanned my system on Sunday evening and Monday it did not alert to them. So, either it's a new definition that was obtained since Monday night, or something else is going on here.)

    6. Now that I have my system running properly again, I have deselected the option to scan for malware remnants via HMP as I fear attempting to remove them again.

    7. A "full scan" with Malwarebytes Pro and a "Smart Scan" with Emsisoft Anti-Malware did not identify these alleged malware remnants.

    Hope this info is useful to you, Erik and Mark and anyone else getting the same alerts.
     
  6. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi

    Thank you very much for your info. I'll wait for Erik's and Mark's info about it.
     
  7. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    You're welcome. I hope it prevents anyone else from experiencing a similar issue.

    Hope to hear from Erik or Mark on this matter soon.
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We are constantly adding remnants in our cloud based on malware profiles.

    The zonemap keys are added by the Mirar Adware as can be seen in this trace log:
    http://www.threatexpert.com/report.aspx?md5=601f46a9e1088db75d6bf3898b488bc5

    or here:
    http://www.securemost.com/support/rm_mirar.htm

    So it's not an FP, they belong to Adware.

    Removing these 3 keys cannot lead to an unresponsive system as these keys belong to IE telling that IE should trust these sites.

    There must be some other issue on your system.

    Can you send me the C:\Windows\System32\.crusader file?

    Maybe it holds clues.
     
  9. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Erik, I can only tell you what happened, exactly as it happened. Obviously I have no reason to indicate otherwise as you know I have always been a supporter here.

    I don't want to jinx myself, but the system was running near flawlessly until I tried to remove the remnants. If something else accounted for the issue it's odd that it happened immediately after I used HMP to delete the three pieces of malware. And I mean immediately.

    Please provide me with an email address you want the file sent to.

    I don't see the "crusader" file at the moment, however. Is there somewhere else I can look for it?
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    I've also seen this on a few computers and think I know what the problem is, as I've seen it before with other security tools. Some software like SpywareBlaster and Spybot S&D's Immunize feature add lists of sites to browsers to block cookies, images etc. A lot of domains are then added to IE's restricted sites list, and security software somehow sees them as entries in the trusted sites list.
     
  11. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    I think I'll just uninstall for now as I've lost a bit of confidence in the app especially in light of being told that what happened could not have been caused by HMP.

    Perhaps I'll revisit HMP some time in the future.
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Hi Blues7,

    I just said that deleting these 3 keys could not cause the stability issues. The 3 keys belong to IE and are most certainly not critical to the system. I did not mean to state that the problem was not caused by HitmanPro.

    What might have happened is that Crusader (the removal engine of HitmanPro) caused a side-effect resulting in the stability issues. That's why I requested the .crusader file.

    I am sorry if you got the impression that HitmanPro was not the source of the problem. You ran HitmanPro and then the problem happened. So it's likely they are related. Perhaps in relation to Spybot's Immunize, as said by BoerenkoolMetWorst? Do you run Immunize? This is to give clues about what might have happened.

    Erik
     
  13. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Hi Erik,

    I haven't run Spybot in years and it was fully removed when I was done with it. (I can't say whether it left behind remnants or not with any certainty. In fact, I'm not even sure if I ever ran it on this particular machine.)

    I didn't find the .crusader file you were asking about (nor did I see it on my wife's machine either. We both run XP Pro SP3).

    In any case, I've removed HMP for the time being from my machine as I already have EAM and MBAM Pro in real-time but always liked running a HMP scan "just in case".

    Perhaps I'll reinstall at a later date. As I said, it wouldn't have been as big a deal but for having to restore the image and due to the system being somewhat crippled, it took over 3 hours to do so. (But was fully restored back to its original state.)
     
    Last edited: Mar 9, 2012
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Hi Erik,

    Could you add an option in the next build to do the right-click scan in EWS mode?

    I'm not sure if Spybot deletes the Immunizations after uninstall. You can easily check if they are still there by opening IE, going into Internet Options -> Security tab -> click Restricted sites -> click the Sites button. If they weren't deleted with the uninstall you will see a long list of URLs in there.
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    EWS might not be useful in a right-click scan because EWS correlates running processes, file handles, loaded modules and registry load points to come up with a score.

    The regular EWS also scans lots of other locations on disk. So basically you want to do the above scoring and relate that to the right-click file?
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I can say it's 100% unrelated to Spybot - Search & Destroy. A relative of mine uses it, and I just ran HitmanPro and it didn't complain about anything.
     
  17. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'

    I haven't used IE in years as I use Firefox. I can't even remember the last time.

    However, there are quite a few sites listed there (within IE).

    Is there a way to remove them without doing so one by one?
    (Or perhaps I should just leave them in place as I don't actively use IE anyway.)
     
    Last edited: Mar 9, 2012
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Ah yes, that makes it less useful. I wanted to use it for right-click scanning new executables and installers before starting them, to get extra information about whether it's suspiciously packed, has a valid digital signature, etc.
     
  19. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi

    Any new news on the problem from Blues7 and Mops21?

    I scanned again and it found nothing; it is fixed.
     
  20. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    I have nothing new to report other than what I've posted in reply to Erik and BoerenkoolMetWorst. I'm still waiting for more information from both gentlemen myself.

    It is interesting that your scan is no longer picking up the same three malware remnants. (Perhaps it was perceiving something as remnants that actually weren't.)

    Unfortunately, I'm unable at the moment to provide you additional info as I couldn't find the .crusader file that Erik asked me to submit to him (and which I haven't been told why it wasn't present on my system); and I subsequently removed HMP for fear of its causing future instability if I followed the program's recommendation to "delete" detected malware remnants.

    Hopefully more information will be forthcoming.
     
  21. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Hi Blues7,

    I didn't reply as I don't know if it's possible to remove more than one entry at a time (except by installing Spybot again to remove the immunization).
    BTW I did another scan with Hitman Pro and it no longer detects those registry keys on my PC.
     
  22. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Thanks for clarifying. I won't bother reinstalling Spybot (as I didn't even recall having it on this machine but I do remember requesting the immunization to be "undone" back when it was removed).

    And going through the lists one entry at a time is an exercise in futility that's not worth the effort. Especially since I don't use IE.

    Seems the "detection issue" may have been addressed but my concern remains as to why electing to "delete" the detected malware remnants caused my system to become unstable.
    That would be the only thing holding me back from using HMP again and relying on its advice to remove anything it might find in the future.

    (This was the first time it had ever alerted to malware on my system and it appears it was a false alarm in any case.)
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We hit a grey area here. After some further investigation it indeed seems that Immunize adds these 3 keys as well. Since it is impossible to tell which program added the keys we decided to disable the 3 remnants in our cloud.

    Before concluding the problem about these 3 keys I want to tell you a bit how we collect remnants.

    1. We execute confirmed malware binaries in our cloud (on special hardware in a controlled environment).
    2. We record every file and key that is being created.
    3. Some of these paths are processed by hand.
    4. Some are validated using a Google query on the path, like:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com

    https://www.google.nl/search?q="HKL...ternet Settings\ZoneMap\Domains\getmirar.com"

    Looking at the search results you can conclude that the remnant indeed belongs to the Mirar Adware.

    So both the executed malware and the Google query give us the confidence that the key belongs to Mirar.

    But as BoerenkoolMetWorst said, it turns out that Immunize also uses this exact key to put the domain in the restricted zone of Internet Explorer. This pushes the path into a grey area and we decided to disable the path in our cloud.

    We are in the process of adding relations to remnants so that certain keys are only detected when a related remnant (key or file) is also on the same system. This should prevent triggering on these grey remnants. But again, removing these keys should in no way lead to instability issues.

    When the weekend is over we will try to replicate the problem by creating the keys and trying to remove them with HitmanPro. We might install some of the software in your signature and see if the combination causes the instability issue.

    Hope this helps.
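
The grey area Erik describes above, as an added example that is not part of the thread or of HitmanPro's own code: the same ZoneMap\Domains key path can be written by adware or by Spybot's Immunize, and what distinguishes the two cases is the DWORD data of the value under that key, which is the Internet Explorer zone id (2 = Trusted sites, 4 = Restricted sites; these are the fixed Windows zone numbers). The Python script below parses a .reg export of the ZoneMap\Domains tree, so it runs offline, classifies each host by zone, and applies a correlation rule of the kind Erik says is being added: the grey key is reported as adware only if it puts the domain in the trusted zone or another remnant from the same profile is also present. Only the getmirar.com key path comes from the thread; the sample export, the adtracker.example host, every zone value and the RELATED_REMNANTS paths are constructed placeholders, not real Mirar artefacts.

```python
import re

# IE URL security zone ids (fixed by Windows: the URLZONE numbering).
ZONES = {
    0: "My Computer",
    1: "Local Intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample export of the ZoneMap\Domains tree. The getmirar.com key
# path is the one quoted in the thread; the other host and all zone values are
# made up for illustration. HKLM says "trusted" (adware-like), HKCU says
# "restricted" (what an Immunize-style tool writes).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com]
"*"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\www]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adtracker.example]
"*"=dword:00000004
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
DOMAINS_MARKER = "\\zonemap\\domains\\"


def parse_zonemap(reg_text):
    r"""Return (hive, host, scheme, zone) tuples for every ZoneMap value.

    A key Domains\<domain> holds values named after a scheme ("http", "https"
    or "*") whose DWORD data is the zone id; a key Domains\<domain>\<label>
    does the same for the host <label>.<domain>.
    """
    entries = []
    hive = host = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.lower().find(DOMAINS_MARKER)
            if idx < 0:                      # some other key: ignore its values
                hive = host = None
                continue
            hive = path.split("\\", 1)[0]
            parts = path[idx + len(DOMAINS_MARKER):].split("\\")
            host = ".".join(reversed(parts))  # Domains\example.com\www -> www.example.com
            continue
        value = VALUE_RE.match(line)
        if value and host is not None:
            scheme, zone_hex = value.groups()
            entries.append((hive, host, scheme, int(zone_hex, 16)))
    return entries


def trusted_entries(entries):
    """Hosts the key tells IE to trust (zone 2): the adware-style case."""
    return [e for e in entries if e[3] == 2]


def restricted_entries(entries):
    """Hosts placed in Restricted sites (zone 4): the Immunize-style case."""
    return [e for e in entries if e[3] == 4]


# Hypothetical remnant profile. The paths are placeholders standing in for
# "another key or file from the same malware profile"; they are not real
# Mirar artefacts and HitmanPro's actual profile is not on the page.
GREY_REMNANT_HOST = "getmirar.com"
RELATED_REMNANTS = {
    r"HKLM\SOFTWARE\Example\MirarRemnantKey",
    r"C:\Program Files\Example\mirar_remnant.dll",
}


def verdict(entries, observed_artifacts):
    """Decide what to report for the grey ZoneMap key.

    The key alone is not evidence: report it only when its own data says
    "trusted", or when a related remnant was also found on the system.
    """
    hits = [e for e in entries
            if e[1] == GREY_REMNANT_HOST or e[1].endswith("." + GREY_REMNANT_HOST)]
    if not hits:
        return "not present"
    if any(e[3] == 2 for e in hits):
        return "adware (trusted zone)"
    if RELATED_REMNANTS & set(observed_artifacts):
        return "adware (related remnant found)"
    if all(e[3] == 4 for e in hits):
        return "immunize-like (restricted)"
    return "grey: leave alone"


if __name__ == "__main__":
    found = parse_zonemap(SAMPLE_REG)
    for hive, host, scheme, zone in found:
        print(f"{hive:18} {host:24} {scheme:5} zone {zone} ({ZONES.get(zone, 'unknown')})")
    print("verdict:", verdict(found, []))
```

On a live machine the input would be a regedit export of the ZoneMap\Domains key from both HKLM and HKCU; regedit writes those "Version 5.00" files as UTF-16, so read them with that encoding before passing the text to parse_zonemap. The point of the zone check is that a removal tool never needs to guess who wrote the key: a value of 4 is a domain being blocked, which is harmless to leave in place, while a value of 2 is a domain being trusted, which is the state worth cleaning up.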
     
  24. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Erik,

    Thank you for that comprehensive reply.

    I know that I, for one, will be greatly looking forward to your findings.

    I'm pretty careful to make relatively frequent images but the problem remains that if the system is somewhat "crippled", the communication between the external hard drive and the system is (or was in this case) greatly slowed down...thus the long time required to install the image.

    I appreciate your efforts and thank you in advance for undertaking them. :thumb:
     
  25. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,653