Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro 3.6 Build 160 Released

    Changelog
    • ADDED: Detection and removal of ZeroAccess/Sirefef services.exe variant.
      More info in our blog.
    • ADDED: Detection of ASLR stripped files (caused by malware infection).
    • ADDED: Detection of TLS callback on system files (caused by malware infection).
    • IMPROVED: Removal of ZeroAccess/Sirefef related files and folders.
    • IMPROVED: Remnant scan.

    All users are automatically updated.
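    As an added illustration of the two PE conditions named in this changelog (not HitmanPro's or SurfRight's own code, whose actual logic is not described here), the checks below read a file's DllCharacteristics for the DYNAMIC_BASE (ASLR) bit and look for a TLS data directory, which is where TLS callbacks are registered. The helper `build_sample` constructs a minimal, non-loadable PE header purely to exercise the checks, and the `expects_aslr` parameter is an assumption: only files that shipped with ASLR, such as Windows system binaries, should be treated as "stripped" when the bit is missing.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in bit in DllCharacteristics
IMAGE_DIRECTORY_ENTRY_TLS = 9                   # data directory slot holding the TLS table

def pe_flags(data: bytes) -> dict:
    """Read the ASLR opt-in bit and TLS-directory presence from PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                          # optional header: after 4-byte sig + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories: PE32 vs PE32+
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics (same offset in both)
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
    tls_rva = tls_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_TLS:
        tls_rva, tls_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    return {"aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
            "tls_directory": tls_rva != 0 and tls_size != 0}

def suspicious_indicators(data: bytes, expects_aslr: bool = True) -> list:
    """Assumed policy mirroring the changelog: report a file whose ASLR bit is
    missing (only meaningful if it shipped with ASLR) or that carries a TLS
    directory, since TLS callbacks execute before the entry point."""
    flags = pe_flags(data)
    found = []
    if expects_aslr and not flags["aslr"]:
        found.append("ASLR stripped (DYNAMIC_BASE cleared)")
    if flags["tls_directory"]:
        found.append("TLS directory present (possible TLS callback)")
    return found

def build_sample(dllchar: int, tls_rva: int, pe32plus: bool = False) -> bytes:
    """Constructed, non-loadable PE header blob used only to exercise the checks."""
    dos = bytearray(0x40); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE signature right after DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0)
    opt = bytearray(112 if pe32plus else 96)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    struct.pack_into("<I", opt, len(opt) - 4, 16)  # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_TLS, tls_rva, 0x18 if tls_rva else 0)
    return bytes(dos + coff + opt + dirs)
```

A TLS directory on its own is legitimate in many compiler-generated binaries; the changelog's point is that it is unexpected on Windows system files, so the check is only a signal when combined with knowledge of what the file should look like.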
     
  2. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Thank you, Erik. Download and scan went smooth as silk. :thumb:
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    thanks a lot :thumb:
     
  4. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    I keep seeing this in the event log on Win7 32-bit on every boot:
    Application Error EventID 1000

    Code:
    Faulting application name: hmpsched.exe, version: 1.0.1.3, time stamp: 0x4fd1d0d5
    Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
    Exception code: 0xc0000005
    Fault offset: 0x00000000
    Faulting process id: 0x520
    Faulting application start time: 0x01cd52f41e3a6f50
    Faulting application path: C:\Program Files\HitmanPro\hmpsched.exe
    Faulting module path: unknown
    
    --a-- W32i APP - 1.0.1.3 shp 105,832 06-25-2012 hmpsched.exe
    ----- W32i DLL - 1.0.1.1 shp 114,536 06-21-2012 hmpshext.dll
     
    Last edited: Jun 25, 2012
  5. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Good file detected as suspicious with newest build. File is a PunkBuster file from Battlefield 3, but I understand why it was flagged since I believe it acts like a rootkit to detect hacking programs. I did report it as safe.
     


  6. mrtnptrs

    mrtnptrs Registered Member

    Joined:
    May 17, 2012
    Posts:
    25
    Location:
    The Netherlands
    All the text in the "show information" screen isn't translated into Dutch. Are you going to do this, or isn't it possible?

    And is it possible to add an option in the results screen so that you can export the log to a txt file?
    Many users don't know anything about XML.
     
  7. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Most texts in the 'More information' screen are geared towards security professionals, who are likely able to read English as well. That's why it isn't translated. We might add translations but it isn't a priority at the moment, sorry.

    A lot of people requested TXT export so you can expect this feature pretty soon :)
     
  8. mrtnptrs

    mrtnptrs Registered Member

    Joined:
    May 17, 2012
    Posts:
    25
    Location:
    The Netherlands
    That's good to hear Erik! :)
     
  9. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi Erik

    Here is another file for the whitelist for you

    SHA256: e4e69c8b8b8aaa6833e3f60a1215a23e828fff6e78ed14d5d616542b16dd97ca
    SHA1: 1cd6cf2d5274124fb3e170b6ad7d4fb93d1627d2
    MD5: aaf101900a23d75ae1ae00840fa6f3b8
    File size: 11.0 MB ( 11586048 bytes )
    File name: C:\Windows\System32\shell32.dll
    File type: Win32 DLL
    Detection ratio: 0 / 41
    Analysis date: 2012-07-14 18:00:51 UTC ( 2 minutes ago )
     


  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Since build 160 if I do a right-click scan, once it scans the requested file HMP suddenly closes automatically.
     
  11. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Any info about it?
     
  12. d0t

    d0t Registered Member

    Joined:
    Apr 23, 2011
    Posts:
    181
    Hope it's an FP :p

     
  13. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    I think maybe another thread or PM is a better way of querying false positives found from an 'Early Warning Scan', as it's saturating this thread. Is it only me that thinks this?
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    I think the same. EWS is a scan for experts that by definition shows more files that have a higher heuristic rating; it is a bit pointless to report all files flagged by EWS.
     
  15. Sir Percy

    Sir Percy Registered Member

    Joined:
    Apr 22, 2010
    Posts:
    289
    Yes, me too... when a user has been told this many times that the EWS is for experts and yet insists on using the EWS option, then perhaps it is much better to send these directly to SurfRight instead of bumping threads; it would be much better to mail or use PM IMHO. :)
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    If you run with EWS it is NOT a false positive. EWS lists files that are recent and new. The blue shield is not a malware classification.

    That said, I whitelisted the file manually. We have a continuous WSUS import running but somehow a lot of these files do not appear in the WSUS stream o_O
     
  17. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Any info about it?
     
  18. Sir Percy

    Sir Percy Registered Member

    Joined:
    Apr 22, 2010
    Posts:
    289
    Thank you for your co-operation and understanding.......... :argh:
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This is a new shell32.dll that was distributed 3 days ago through Windows Update.
     
  20. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi Erik

    Thank you very much. Do you need the file for checking or analysis?
     
  21. jna99

    jna99 Registered Member

    Joined:
    Apr 18, 2012
    Posts:
    94
    Location:
    127.0.0.1, Netherlands
    I'd like to say I just bought a 2 year license for HitmanPro (64bit). This software is absolutely great, as far as I can tell/judge that of course.
    It went through the scans very fast. I'm running the stable/official release and not the beta version.

    I've been reading some blogs from SurfRight (Mr. Loman) and I am not a security expert whatsoever. But reading along I found the information very overwhelming and sometimes I have to read it very carefully or twice to be able to understand it a bit.
    The blogs are very well written and illustrated with pictures, that is not the problem. Just the info about how malware works/operates, what to look for, etc. It's just mindblowing sometimes, from an average user point of view. I mean malware using extended streams like ADS and now something not related to ADS in the NTFS filesystem.

    Nice to see that people like Mr. Loman are very active in investigating such threats. Also very cool that you keep a blog about such things. Very interesting to read, although it is for me a bit hard to understand, or at least it takes longer for me to understand. But nevertheless a very good read.

    The very fact that you keep or maintain blogs about malware or suspicious processes is very reassuring and gives an overall feeling of "This person really knows his stuff".
    Thanks.
     
    Last edited: Jul 19, 2012
  22. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Agreed. Hitman Pro is absolutely amazing. Its detection rates are excellent (near perfect)... but what's most stunning is its malware removal capabilities.
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Very nicely said, jna99. :thumb:
    Makes me want to stop and go back and read Erik's blogs.
    Thanks for reminding us about them.
    These two posts are prime examples of why I recently paid for a 3 PC-1 Year license. I know there is a free 30-day activation policy, but whenever possible, it's a good thing to get behind a dev and purchase their product. I didn't feel like waiting for an infection to do it. :thumb:
     
  24. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU

    Attached Files:

  25. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi Erik

    Can you whitelist the files please?

    SHA256: 93b7a91cdaf502a5994de9486a614a592f12b683bdf9f6f84d6083ff3f414bc7
    SHA1: 9efa2583168798d32439ddf842f5f90408c04256
    MD5: 9afcf85708576f3ef6fb868b6c604c01
    File size: 13.8 KB ( 14160 bytes )
    File name: C:\Windows\System32\drivers\asdws.sys
    File type: Win32 EXE
    Detection ratio: 0 / 42
    Analysis date: 2012-07-21 18:10:06 UTC ( 1 Minute ago )

    SHA256: c0057587bf4b9ce79bd1c351ed97339123583b93946bd449e7849857f2129915
    SHA1: 319f805f30b13960ff41d9df1c35d181e9e35182
    MD5: 50a1c8922d0b487a7083490dbd50dafc
    File size: 43.5 KB ( 44592 bytes )
    File name: C:\Windows\System32\drivers\oahlp32.sys
    File type: Win32 EXE
    Detection ratio: 1 / 42
    Analysis date: 2012-07-21 18:13:22 UTC ( 0 minutes ago )

    SHA256: 836ac2a2cbb12a55ec2ad0661a61dd0915fc39c832c191a39b4c41da62ac5366
    SHA1: 75f13e036e2ff194a328624b31a41ad5dec6aabd
    MD5: 1ab8fcf4eb6826efd68edf807ee914e6
    File size: 203.4 KB ( 208312 bytes )
    File name: C:\Windows\System32\drivers\OADriver.sys
    File type: Win32 EXE
    Detection ratio: 0 / 42
    Analysis date: 2012-07-21 18:15:19 UTC ( 0 minutes ago )
     

