Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Hmm scoring seems off. For now I've white listed it.
     
  2. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,142
    Location:
    Germany
    Here ios the scan log

    Code:
    HitmanPro 3.7.0.185
    www.hitmanpro.com
    
       Computer name . . . . : ALEXANDERROB-PC
       Windows . . . . . . . : 6.0.2.6002.X86/2
       User name . . . . . . : AlexanderRob-PC\Alexander Robrecht
       UAC . . . . . . . . . : Enabled
       License . . . . . . . : Free
    
       Scan date . . . . . . : 2012-12-22 17:07:30
       Scan mode . . . . . . : EWS
       Scan duration . . . . : 5m 5s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 0
       Traces  . . . . . . . : 11
    
       Objects scanned . . . : 3.819.391
       Files scanned . . . . : 50.521
       Remnants scanned  . . : 2.282.632 files / 1.486.238 keys
    
    Suspicious files ____________________________________________________________
    
       C:\Users\Alexander Robrecht\AppData\Local\Temp\~nsu.tmp\Au_.exe
          Size . . . . . . . : 288.974 bytes
          Age  . . . . . . . : 19.1 days (2012-12-03 13:57:29)
          Entropy  . . . . . : 7.8
          SHA-256  . . . . . : 55C8C9D096769FEE4E0F0CFF30D3DF36546E08F868388374E9CEF34549549655
          Needs elevation  . : Yes
          Fuzzy  . . . . . . : 23.0
             Program has no publisher information but prompts the user for permission elevation.
             Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
             Authors name is missing in version info. This is not common to most programs.
             Version control is missing. This file is probably created by an individual. This is not typical for most programs.
             Time indicates that the file appeared recently on this computer.
          References
             HKU\S-1-5-21-911542882-2029379874-2294310465-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\ALEXAN~1\AppData\Local\Temp\~nsu.tmp\Au_.exe
    
    
    Potential Unwanted Programs _________________________________________________
    
       HKLM\SOFTWARE\Classes\AppID\secman.DLL\ (Babylon)
       HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}\ (Babylon)
       HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ (Babylon)
       HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ (Babylon)
       HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1\ (Babylon)
       HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager\ (Babylon)
       HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\ (Babylon)
    
    
    
     
  3. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,180
    The StatBar false positive I had earlier is back again. This time with a different score.
     

    Attached Files:

  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Strange issue, HMP not uploading, timing out, while Windows Firewall disabled, see pic

    Did an uninstall, downloaded latest HMP free for Win7 x32, clean install, no luck
     

    Attached Files:

  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Should be solved now. There was a hiccup in the cloud.
     
  6. Paul 32

    Paul 32 Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    1
    Location:
    usa
    I have Hitman Pro 3.7 build 185. I can not get my usb drive to make a kickstart drive, I am using XP Pro as my opearting system. I have one of those moneypak viruses and can't get to any of the safe modes. I need help on how to create a bootable disc with hitman or the usb version. I believe I can do either if I can just create a bootable for the flash drive or optic drives.
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Have you followed the video instructions here:
    http://www.surfright.com/hitmanpro/kickstart#create
    What is exactly your problem creating the Kickstart flash drive?
     
  8. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,538
    There is also this video on using Hitman Pro's Kickstart to remove Ransomware:

    "HitmanPro.Kickstart Can Remove Ransomware Easily"

    -http://www.youtube.com/watch?v=RW3PG0YDy3Y
     
  9. opcode

    opcode Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    37
    Location:
    united states
    Does anyone know if Hitman Pro will still run under a system that's been booted into a PE? (Hiren's MiniXP for example)
     
  10. bembel

    bembel Registered Member

    Joined:
    Mar 13, 2012
    Posts:
    5
    Hmmm, since upgrading to Windows 8 Pro x64 I get occasional freezes when running Hitman Pro. :mad:
    In the change log for 181 it said "FIXED: On some systems a scan froze the computer.", but I'm using 185.
     
  11. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,180
    Another False Positive by IKARUS :D This is an old hotfix from Microsoft for XP
    here.

    Code:
    HitmanPro 3.7.0.185
    www.hitmanpro.com
    
       
       Scan date . . . . . . : 2013-01-01 16:15:24
       Scan mode . . . . . . : Normal
       Scan duration . . . . : 2m 19s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 1
       Traces  . . . . . . . : 2
    
       Objects scanned . . . : 388,940
       Files scanned . . . . : 5,496
       Remnants scanned  . . : 44,654 files / 338,790 keys
    
    Malware _____________________________________________________________________
    
       C:\WINDOWS\system32\DRIVERS\tcpip.sys
          Size . . . . . . . : 361,600 bytes
          Age  . . . . . . . : 3.8 days (2012-12-28 20:22:23)
          Entropy  . . . . . : 6.2
          SHA-256  . . . . . : AFE18DBEAFA68F87E57FB23E447148372516A5A1152B31787E2EC3E199C8B0D6
          Product  . . . . . : Microsoft® Windows® Operating System
          Publisher  . . . . : Microsoft Corporation
          Description  . . . : TCP/IP Protocol Driver
          Version  . . . . . : 5.1.2600.6009
          Copyright  . . . . : © Microsoft Corporation. All rights reserved.
          Service  . . . . . : Tcpip
        > Ikarus . . . . . . : Trojan-Downloader.Win32.Agenttiny!IK
          Fuzzy  . . . . . . : 109.0
          Startup
             HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\
    
    VIRUSTOTAL
    
    SHA256: 	afe18dbeafa68f87e57fb23e447148372516a5a1152b31787e2ec3e199c8b0d6
    SHA1: 	2754ca0874252664fef48bbb8866603bef2a7722
    MD5: 	51e41f16acd80b8b39c0ae703a213f09
    File size: 	353.1 KB ( 361600 bytes )
    File name: 	tcpip.sys
    File type: 	Win32 EXE
    Detection ratio: 	3 / 46
    Analysis date: 	2013-01-01 15:23:53 UTC ( 1 minute ago )
    
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Solved. Thanks! :thumb:
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Does the whole computer freeze? What other security products do you run?
     
    Last edited: Jan 2, 2013
  14. gobbledog

    gobbledog Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    40
    Location:
    Everywhere

    platform = Winxp sp3 Using HMP 370 . 185 HMP works just fine. As soon as i click the KICKSTART icon the entire computer crashes. I need to do a brute force reboot in order to bring the computer back to life. Any ideas Erik? Other security - Panda AV and Outpost 8.0 All this platform is 32 bit.
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Hmmm thats odd because there is only GUI stuff going on and some listening on USB events (for the GUI). I'll try to reproduce in the lab when I get back from vacation on Monday.
     
  16. gobbledog

    gobbledog Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    40
    Location:
    Everywhere
    Thanks Erik. I should mention the above refers to a laptop circa 2005. I am almost running the exact same software on a desktop circa late 2008 and kickstart works with no problem. Should also mention that I use MBAM pro on both boxes. It is strange. Oh well... when you get a chance. PS Happy New Year to all the HMP team!
     
  17. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,142
    Location:
    Germany
    Hi Erik

    Can you whitelisted the two Files please

    Properties
    Name NPSWF32_11_5_502_146.dll
    Location C:\Windows\system32\Macromed\Flash
    Size 13.9 MB
    Time 1.1 days ago (2013-01-08 14:55:31)
    Authenticode Valid
    Entropy 7.1
    RSA Key Size 2048
    SHA-256 1D5F4A33C384F778F8E10C77185FD27BEE257DF91BC48218E7AF4D99017E61CB

    Scoring (6.0)
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Program starts automatically without user intervention.
    Time indicates that the file appeared recently on this computer.
    Program is code signed with a valid Authenticode certificate.

    Startup
    HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer\

    References
    C:\Windows\system32\Macromed\Flash\flashplayer.xpt


    Properties
    Name KiesPDLR.exe
    Location C:\Program Files\Samsung\Kies\External\FirmwareUpdate
    Size 825 KB
    Time 17.2 days ago (2012-12-23 12:30:22)
    Authenticode Valid
    Entropy 7.8
    Product KiesPDLR
    Publisher Samsung
    Description KiesPDLR
    Version 1.0.0.1
    Copyright Copyright (c) 2012 Samsung Electronics Co.
    RSA Key Size 2048
    Desktop Default
    SHA-256 CDBE29B557A87EEECDDDF4A7D4871376F95A5700EB80573E07151C32DC538B90

    Scoring (21.0)
    The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    Uses the Windows Registry to run each time the user logs on.
    Program starts automatically without user intervention.
    The file is in use by one or more active processes.
    Time indicates that the file appeared recently on this computer.
    Program is code signed with a valid Authenticode certificate.
    The file appears to be part of an installation package or setup program. This is typical for most programs.

    Memory
    PID 3600

    Startup
    HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    HKU\S-1-5-21-911542882-2029379874-2294310465-1000\Software\Microsoft\Windows\CurrentVersion\Run\@

    Virustotal Results

    SHA256: 1d5f4a33c384f778f8e10c77185fd27bee257df91bc48218e7af4d99017e61cb
    SHA1: 916e301e52d2320942361bac40aecf9f0c364cc7
    MD5: 9ac863fd5976316c29d4cb5e4c9efd9c
    File size: 13.9 MB ( 14586888 bytes )
    File name: NPSWF32_11_5_502_146.dll
    File type: Win32 DLL
    Detection ratio: 0 / 46
    Analysis date: 2013-01-09 17:22:23 UTC ( 0 Minuten ago )

    SHA256: cdbe29b557a87eeecdddf4a7d4871376f95a5700eb80573e07151c32dc538b90
    SHA1: b696e7f5a4db51b99d120512c0c1e6250110b755
    MD5: e20433dac42f0351f237f87d8adc4e8a
    File size: 824.5 KB ( 844296 bytes )
    File name: KiesPDLR.exe
    File type: Win32 EXE
    Detection ratio: 0 / 45
    Analysis date: 2013-01-09 17:25:30 UTC ( 0 Minuten ago )
     

    Attached Files:

  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Done. Thanks :thumb:
     
  19. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,142
    Location:
    Germany
    Thank you very much for your Information

    Here is the Log File

    Code:
    HitmanPro 3.7.0.185
    www.hitmanpro.com
    
       Computer name . . . . : ALEXANDERROB-PC
       Windows . . . . . . . : 6.0.2.6002.X86/2
       User name . . . . . . : AlexanderRob-PC\Alexander Robrecht
       UAC . . . . . . . . . : Enabled
       License . . . . . . . : Free
    
       Scan date . . . . . . : 2013-01-09 18:06:17
       Scan mode . . . . . . : EWS
       Scan duration . . . . : 6m 37s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 0
       Traces  . . . . . . . : 17
    
       Objects scanned . . . : 3.835.256
       Files scanned . . . . : 52.034
       Remnants scanned  . . : 2.284.341 files / 1.498.881 keys
    
    Potential Unwanted Programs _________________________________________________
    
       HKLM\SOFTWARE\Classes\AppID\secman.DLL\ (Babylon)
       HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}\ (Babylon)
       HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ (Babylon)
       HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ (Babylon)
       HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1\ (Babylon)
       HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager\ (Babylon)
       HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\ (Babylon)
    
    Early Warning Scoring _______________________________________________________
    
       C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
          Size . . . . . . . : 844.296 bytes
          Age  . . . . . . . : 17.2 days (2012-12-23 12:30:22)
          Entropy  . . . . . : 7.8
          SHA-256  . . . . . : CDBE29B557A87EEECDDDF4A7D4871376F95A5700EB80573E07151C32DC538B90
          Product  . . . . . : KiesPDLR
          Publisher  . . . . : Samsung
          Description  . . . : KiesPDLR
          Version  . . . . . : 1.0.0.1
          Copyright  . . . . : Copyright (c) 2012 Samsung Electronics Co.
          RSA Key Size . . . : 2048
          Desktop  . . . . . : Default
          Authenticode . . . : Valid
          Running processes  : 3600
          Fuzzy  . . . . . . : 21.0
             The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
             Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
             Uses the Windows Registry to run each time the user logs on.
             Program starts automatically without user intervention.
             The file is in use by one or more active processes.
             Time indicates that the file appeared recently on this computer.
             Program is code signed with a valid Authenticode certificate.
             The file appears to be part of an installation package or setup program. This is typical for most programs.
          Startup
             HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
             HKU\S-1-5-21-911542882-2029379874-2294310465-1000\Software\Microsoft\Windows\CurrentVersion\Run\@
    
       C:\Windows\system32\Macromed\Flash\NPSWF32_11_5_502_146.dll
          Size . . . . . . . : 14.586.888 bytes
          Age  . . . . . . . : 1.1 days (2013-01-08 14:55:31)
          Entropy  . . . . . : 7.1
          SHA-256  . . . . . : 1D5F4A33C384F778F8E10C77185FD27BEE257DF91BC48218E7AF4D99017E61CB
          RSA Key Size . . . : 2048
          Authenticode . . . : Valid
          Fuzzy  . . . . . . : 6.0
             Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
             Authors name is missing in version info. This is not common to most programs.
             Version control is missing. This file is probably created by an individual. This is not typical for most programs.
             Program starts automatically without user intervention.
             Time indicates that the file appeared recently on this computer.
             Program is code signed with a valid Authenticode certificate.
          Startup
             HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer\
          References
             C:\Windows\system32\Macromed\Flash\flashplayer.xpt
    
    
    
    
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Why is this file being hidden?
    C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe

    Can you find that file in Windows Explorer?
     
  21. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,142
    Location:
    Germany
    Need you the File
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    No I need you to find the file using Windows Explorer because HitmanPro detects the file in NTFS (on disk) but the file does not exist in Windows (through Windows API).

    Can you make a screenshot, highlighting the file in Windows Explorer?
     
  23. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,142
    Location:
    Germany

    Hi

    Here is the screenshot for you Erik
     

    Attached Files:

  24. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,142
    Location:
    Germany
    Hi

    Is this the right One for you

    Any Infos about it
     
  25. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,726
    What's with all these detections? For example, I have a secman.dll, but it's part of Samsung Kies.

    I have the latest stable version on Windows 7 64-bit.

    Malwarebytes, SUPERAntiSpyware, Avast, Comodo Cleaning Essentials, Norton Power Eraser, Trend Micro HouseCall, and Windows Defender detected nothing of the sort.
     

    Attached Files:

    Last edited: Jan 13, 2013
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.