Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. cyberlost24

    cyberlost24 Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    145
    Anyone else getting this, re: post #5080... part of K-Lite Codec Pack...
    When will it be corrected?

    Thanks
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    If you post the hash of the file they can fix it faster; from the results in HMP, click More Info and it will show the hash and more.
     
  3. cyberlost24

    cyberlost24 Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    145
    Thanks for that...
    This is from the saved log file...

    C:\Program Files\K-Lite Codec Pack\Filters\vsfilter.dll
    Size . . . . . . . : 1,566,720 bytes
    Age . . . . . . . : 2.2 days (2013-02-07 08:49:56)
    Entropy . . . . . : 6.6
    SHA-256 . . . . . : BAEE0AEC53B49A981FD4505323D0ECB539168C2EF21DAC5EB8505C7C6E1DBA05
    Product . . . . . : VSFilter
    Publisher . . . . : xy-VSFilter Team
    Description . . . : VobSub & TextSub filter for DirectShow/VirtualDub/Avisynth
    Version . . . . . : 3,0,0,211
    Copyright . . . . : Copyright (C) 2001-2012 Yu Zhuohuang, Gabest et. al.
    > HitmanPro . . . . : Win32/Ransomware.Behavior
    Fuzzy . . . . . . : 15.0
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you post also the forensic cluster (i.e. more from the log file)?
     
  5. cyberlost24

    cyberlost24 Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    145
    Hi Erik,
    Here is what you are asking for..
    Forensic Cluster
    -3.6s C:\Program Files\K-Lite Codec Pack\unins000.dat
    -3.6s C:\Program Files\K-Lite Codec Pack\unins000.exe
    -3.6s C:\Program Files\K-Lite Codec Pack\Tools\
    -3.6s C:\Program Files\K-Lite Codec Pack\Tools\CodecTweakTool.exe
    -3.5s C:\Program Files\K-Lite Codec Pack\Info\
    -3.5s C:\Program Files\K-Lite Codec Pack\Tools\CodecTweakTool-0.bin
    -3.5s C:\Program Files\K-Lite Codec Pack\Tools\CodecTweakTool-1.bin
    -3.5s C:\RECYCLER\S-1-5-21-861567501-1326574676-1801674531-1004\Dc3.rtf
    -3.5s C:\Program Files\K-Lite Codec Pack\Info\faq.htm
    -3.5s C:\Program Files\K-Lite Codec Pack\Info\faq_64bit.htm
    -3.5s C:\Program Files\K-Lite Codec Pack\Info\faq_configuration.htm
    -3.5s C:\Program Files\K-Lite Codec Pack\Info\faq_display_issues.htm
    -3.4s C:\Program Files\K-Lite Codec Pack\Info\faq_dxva.htm
    -3.4s C:\Program Files\K-Lite Codec Pack\Info\faq_general.htm
    -3.4s C:\Program Files\K-Lite Codec Pack\Info\faq_installation.htm
    -3.4s C:\Program Files\K-Lite Codec Pack\Info\faq_miscellaneous.htm
    -3.4s C:\Program Files\K-Lite Codec Pack\Info\faq_mpc.htm
    -3.4s C:\Program Files\K-Lite Codec Pack\Info\faq_playback_issues.htm
    -3.4s C:\Program Files\K-Lite Codec Pack\Info\faq_subtitles.htm
    -3.4s C:\Program Files\K-Lite Codec Pack\Info\faq_thumbnails.htm
    -3.4s C:\Program Files\K-Lite Codec Pack\Info\faq.css
    -3.4s C:\Program Files\K-Lite Codec Pack\Info\faq_troubleshooting.htm
    -3.4s C:\Program Files\K-Lite Codec Pack\Info\faq_windows_issues.htm
    -3.4s C:\Program Files\K-Lite Codec Pack\Info\faq_wmp.htm
    -3.4s C:\Program Files\K-Lite Codec Pack\Icons\
    -3.4s C:\Program Files\K-Lite Codec Pack\Icons\config.ico
    -3.4s C:\Program Files\K-Lite Codec Pack\Icons\delete.ico
    -3.4s C:\Program Files\K-Lite Codec Pack\Media Player Classic\
    -3.4s C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe
    -3.4s C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.ini
    -3.0s C:\Program Files\K-Lite Codec Pack\Media Player Classic\D3DX9_43.dll
    -2.9s C:\Program Files\K-Lite Codec Pack\Media Player Classic\D3DCompiler_43.dll
    -2.8s C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpciconlib.dll
    -2.7s C:\Program Files\K-Lite Codec Pack\Media Player Classic\toolbar.bmp
    -2.3s C:\Program Files\K-Lite Codec Pack\Filters\
    -2.3s C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\
    -2.3s C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\ffmpeg.dll
    -2.1s C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\ffdshow.ax
    -1.9s C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\ff_libdts.dll
    -1.9s C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\ffdshow.ax.manifest
    -1.8s C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\ff_libfaad2.dll
    -1.8s C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\ff_libmad.dll
    -1.8s C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\ff_unrar.dll
    -1.7s C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\libmpeg2_ff.dll
    -1.7s C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\ff_wmv9.dll
    -1.7s C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\ff_samplerate.dll
    -1.5s C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\ff_kernelDeint.dll
    -1.5s C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\TomsMoComp_ff.dll
    -1.5s C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\FLT_ffdshow.dll
    -1.5s C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\openIE.js
    -1.5s C:\Program Files\K-Lite Codec Pack\Filters\LAV\
    -1.5s C:\Program Files\K-Lite Codec Pack\Filters\LAV\lavaudio.ax
    -1.5s C:\Program Files\K-Lite Codec Pack\Filters\LAV\lavvideo.ax
    -1.4s C:\Program Files\K-Lite Codec Pack\Filters\LAV\lavsplitter.ax
    -1.3s C:\Program Files\K-Lite Codec Pack\Filters\LAV\libbluray.dll
    -1.3s C:\Program Files\K-Lite Codec Pack\Filters\LAV\avcodec-lav-54.dll
    -0.9s C:\Program Files\K-Lite Codec Pack\Filters\LAV\avformat-lav-54.dll
    -0.8s C:\Program Files\K-Lite Codec Pack\Filters\LAV\avutil-lav-52.dll
    -0.8s C:\Program Files\K-Lite Codec Pack\Filters\LAV\swscale-lav-2.dll
    -0.8s C:\Program Files\K-Lite Codec Pack\Filters\LAV\avfilter-lav-3.dll
    -0.8s C:\Program Files\K-Lite Codec Pack\Filters\LAV\avresample-lav-1.dll
    -0.7s C:\Program Files\K-Lite Codec Pack\Filters\LAV\IntelQuickSyncDecoder.dll
    -0.7s C:\Program Files\K-Lite Codec Pack\Icaros\
    -0.7s C:\Program Files\K-Lite Codec Pack\Icaros\IcarosThumbnailProvider.dll
    -0.7s C:\Program Files\K-Lite Codec Pack\Icaros\avcodec-ics-54.dll
    -0.5s C:\Program Files\K-Lite Codec Pack\Icaros\avformat-ics-54.dll
    -0.4s C:\Program Files\K-Lite Codec Pack\Icaros\avutil-ics-52.dll
    -0.3s C:\Program Files\K-Lite Codec Pack\Icaros\swscale-ics-2.dll
    -0.3s C:\Program Files\K-Lite Codec Pack\Filters\Haali\
    -0.3s C:\Program Files\K-Lite Codec Pack\Filters\Haali\avi.dll
    -0.3s C:\Program Files\K-Lite Codec Pack\Filters\Haali\mkx.dll
    -0.2s C:\Program Files\K-Lite Codec Pack\Filters\Haali\mp4.dll
    -0.2s C:\Program Files\K-Lite Codec Pack\Filters\Haali\ts.dll
    -0.2s C:\Program Files\K-Lite Codec Pack\Filters\Haali\splitter.ax
    -0.1s C:\Program Files\K-Lite Codec Pack\Filters\Haali\mkzlib.dll
    -0.1s C:\Program Files\K-Lite Codec Pack\Filters\Haali\mkunicode.dll
    -0.1s C:\Program Files\K-Lite Codec Pack\Filters\Haali\avs.dll
    -0.0s C:\Program Files\K-Lite Codec Pack\Filters\Haali\avss.dll
    -0.0s C:\Program Files\K-Lite Codec Pack\Filters\Haali\dxr.dll
    0.0s C:\Program Files\K-Lite Codec Pack\Filters\vsfilter.dll
    0.1s C:\Program Files\K-Lite Codec Pack\Filters\madVR\
    0.1s C:\Program Files\K-Lite Codec Pack\Filters\madVR\madVR.ax
    0.3s C:\Program Files\K-Lite Codec Pack\Filters\madVR\madHcCtrl.exe
    0.4s C:\Program Files\K-Lite Codec Pack\Filters\madVR\madHcNet.dll
    0.5s C:\Program Files\K-Lite Codec Pack\Filters\madVR\mvrSettings.dll
    0.5s C:\Program Files\K-Lite Codec Pack\Filters\DCBass\
    0.5s C:\Program Files\K-Lite Codec Pack\Filters\DCBass\DCBassSourceMod.ax
    0.7s C:\Program Files\K-Lite Codec Pack\Filters\DCBass\bass.dll
    0.8s C:\Program Files\K-Lite Codec Pack\Filters\DCBass\bass_aac.dll
    0.8s C:\Program Files\K-Lite Codec Pack\Filters\DCBass\bass_ofr.dll
    0.8s C:\Program Files\K-Lite Codec Pack\Filters\DCBass\OptimFROG.dll
    0.8s C:\Program Files\K-Lite Codec Pack\Filters\DCBass\bass_tak.dll
    0.8s C:\Program Files\K-Lite Codec Pack\Filters\DCBass\tak_deco_lib.dll
    0.8s C:\Program Files\K-Lite Codec Pack\Filters\MpegVideo.dll
    0.9s C:\Program Files\K-Lite Codec Pack\Filters\GenDMOProp.dll
    0.9s C:\Program Files\K-Lite Codec Pack\Filters\vp7dec.ax
    1.0s C:\Program Files\K-Lite Codec Pack\Tools\VobSubStrip.exe
    1.0s C:\Program Files\K-Lite Codec Pack\Tools\mediainfo.exe
    1.1s C:\Program Files\K-Lite Codec Pack\Tools\mediainfo.dll
    1.3s C:\Program Files\K-Lite Codec Pack\Media Player Classic\mediainfo.dll
    1.4s C:\Program Files\K-Lite Codec Pack\Tools\GraphStudioNext.exe
    1.5s C:\Program Files\K-Lite Codec Pack\Tools\xmllite.dll
    1.5s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\
    1.9s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Media Player Classic.lnk
    2.2s C:\Documents and Settings\All Users\Desktop\Media Player Classic.lnk
    2.4s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Codec Tweak Tool.lnk
    2.6s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Configuration\
    2.6s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Configuration\DirectVobSub.lnk
    2.8s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Configuration\ffdshow audio decoder.lnk
    3.0s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Configuration\ffdshow video decoder.lnk
    3.2s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Configuration\Haali Media Splitter.lnk
    3.4s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Configuration\LAV Audio.lnk
    3.6s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Configuration\LAV Video.lnk
    3.8s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Configuration\LAV Splitter.lnk
    4.0s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Configuration\Reset to recommended settings.lnk
    4.2s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Tools\
    4.2s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Tools\GraphStudioNext.lnk
    4.4s C:\Documents and Settings\Arthur\SendTo\MediaInfo.lnk
    4.6s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Tools\MediaInfo.lnk
    4.8s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Tools\VobSubStrip.lnk
    5.0s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Help\
    5.0s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Help\Frequently Asked Questions.lnk
    5.2s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Uninstall\
    5.3s C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack\Uninstall\Uninstall K-Lite Codec Pack.lnk
     
  6. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    HMP scan is stalling. Attempts to upload two files to cloud, then does not complete scan. Scans with MBAM and EAM were negative.
     

  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    There was a hiccup in the cloud that has been addressed. Upload should be up to speed again.
     
  8. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Yes, back to normal today, thanks Erik.
     
  9. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi Erik

    I have some FPs for you, please check them.

    Properties
    Name iedkcs32.dll
    Location C:\Windows\System32
    Size 379 KB
    Time 0.9 days ago (2013-02-12 19:47:39)
    Entropy 6.0
    Product Windows® Internet Explorer
    Publisher Microsoft Corporation
    Description IEAK branding
    Version 18.00.6001.19400
    Copyright © Microsoft Corporation. All rights reserved.
    SHA-256 D7423B6D2FA0EB3489DD14DDC4507B0DD4878CFB87BDD265129F4F0152BAC8F2

    Scoring (6.0)
    Program starts automatically without user intervention.
    Time indicates that the file appeared recently on this computer.
    The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
    The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

    Startup
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}\

    Properties
    Name ie4uinit.exe
    Location C:\Windows\system32
    Size 170 KB
    Time 0.9 days ago (2013-02-12 19:47:40)
    Entropy 7.3
    Product Windows® Internet Explorer
    Publisher Microsoft Corporation
    Description IE Per-User Initialization Utility
    Version 8.00.6001.19400
    Copyright © Microsoft Corporation. All rights reserved.
    SHA-256 F2820E0F802C798840DAC9FE62608B9EA111B4DD910A47A66494923BA5CFC1B8

    Scoring (11.0)
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    Program starts automatically without user intervention.
    Time indicates that the file appeared recently on this computer.
    The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
    The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

    Startup
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\

    Properties
    Name ieframe.dll
    Location C:\Windows\System32
    Size 10.6 MB
    Time 0.9 days ago (2013-02-12 19:47:40)
    Entropy 6.4
    Product Windows® Internet Explorer
    Publisher Microsoft Corporation
    Description Internet Explorer
    Version 8.00.6001.19400
    Copyright © Microsoft Corporation. All rights reserved.
    SHA-256 3A1464E74ADDAB10A62FD9309958B46CAC4159BF145739A86AB5DAAC9A55CFE7

    Scoring (8.0)
    Program starts automatically without user intervention.
    Time indicates that the file appeared recently on this computer.
    The file is in use by one or more active processes.
    The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
    The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

    Startup
    HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
    HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
    HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

    References
    HKLM\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
    HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\

    Properties
    Name opr0VG5O.tmp
    Location C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0047
    Size 2.7 MB
    Time 15.2 days ago (2013-01-29 12:14:14)
    Needs Elevation Yes
    Entropy 8.0
    SHA-256 2E09F251C07B594314543BBAB6332144A7EB2683A495E5B5279F2DBCF07BAA4E

    Scoring (27.0)
    Program has no publisher information but prompts the user for permission elevation.
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    The file name extension of this program is not common.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Time indicates that the file appeared recently on this computer.

    SHA256: d7423b6d2fa0eb3489dd14ddc4507b0dd4878cfb87bdd265129f4f0152bac8f2
    SHA1: ea41b3aa82807a860ea62d1deaa6069aa461cc62
    MD5: 2234016039c84629b8de82d7a69a28b7
    Dateigröße: 378.5 KB ( 387584 bytes )
    Dateiname: iedkcs32.dll
    Datei-Typ: Win32 DLL
    Erkennungsrate: 0 / 45
    Analyse-Datum: 2013-02-13 17:08:24 UTC ( vor 0 Minuten )

    SHA256: f2820e0f802c798840dac9fe62608b9ea111b4dd910a47a66494923ba5cfc1b8
    SHA1: 3e25dd72c9ba26747dc17d89acc20eaeb89c1676
    MD5: 6829d9fec372ffb29d61e86da54420a6
    Dateigröße: 170.0 KB ( 174080 bytes )
    Dateiname: IE4UINIT.EXE
    Datei-Typ: Win32 EXE
    Erkennungsrate: 0 / 45
    Analyse-Datum: 2013-02-13 17:10:17 UTC ( vor 0 Minuten )

    SHA256: 3a1464e74addab10a62fd9309958b46cac4159bf145739a86ab5daac9a55cfe7
    SHA1: a19ff0594665365a28f3bab64c9486d1a9c52551
    MD5: db4683ff94bf6b87a082c59d36115ba4
    Dateigröße: 10.6 MB ( 11111424 bytes )
    Dateiname: IEFRAME.DLL
    Datei-Typ: Win32 DLL
    Erkennungsrate: 0 / 44
    Analyse-Datum: 2013-02-13 17:13:53 UTC ( vor 1 Minute )

    SHA256: 2e09f251c07b594314543bbab6332144a7eb2683a495e5b5279f2dbcf07baa4e
    SHA1: 1f22f136147c3edafd96f3dbc232eb9c566bdf36
    MD5: c6b2eb8392e5ceab0f95fd45e1656eed
    Dateigröße: 2.7 MB ( 2851784 bytes )
    Dateiname: opr0VG5O.tmp
    Datei-Typ: Win32 EXE
    Erkennungsrate: 2 / 45
    Analyse-Datum: 2013-02-13 17:17:21 UTC ( vor 0 Minuten )
     

  10. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi Erik

    And here is the Scan Log for you

    Code:
    HitmanPro 3.7.2.188
    www.hitmanpro.com
    
       Computer name . . . . : ALEXANDERROB-PC
       Windows . . . . . . . : 6.0.2.6002.X86/2
       User name . . . . . . : AlexanderRob-PC\Alexander Robrecht
       UAC . . . . . . . . . : Enabled
       License . . . . . . . : Free
    
       Scan date . . . . . . : 2013-02-13 17:52:53
       Scan mode . . . . . . : EWS
       Scan duration . . . . : 8m 12s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 0
       Traces  . . . . . . . : 15
    
       Objects scanned . . . : 3.888.170
       Files scanned . . . . : 56.063
       Remnants scanned  . . : 2.325.574 files / 1.506.533 keys
    
    Suspicious files ____________________________________________________________
    
       C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0047\opr0VG5O.tmp
          Size . . . . . . . : 2.851.784 bytes
          Age  . . . . . . . : 15.2 days (2013-01-29 12:14:14)
          Entropy  . . . . . : 8.0
          SHA-256  . . . . . : 2E09F251C07B594314543BBAB6332144A7EB2683A495E5B5279F2DBCF07BAA4E
          Needs elevation  . : Yes
          Fuzzy  . . . . . . : 27.0
             Program has no publisher information but prompts the user for permission elevation.
             Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
             The file name extension of this program is not common.
             Authors name is missing in version info. This is not common to most programs.
             Version control is missing. This file is probably created by an individual. This is not typical for most programs.
             Time indicates that the file appeared recently on this computer.
    
    
    Early Warning Scoring _______________________________________________________
    
       C:\Windows\system32\ie4uinit.exe
          Size . . . . . . . : 174.080 bytes
          Age  . . . . . . . : 0.9 days (2013-02-12 19:47:40)
          Entropy  . . . . . : 7.3
          SHA-256  . . . . . : F2820E0F802C798840DAC9FE62608B9EA111B4DD910A47A66494923BA5CFC1B8
          Product  . . . . . : Windows® Internet Explorer
          Publisher  . . . . : Microsoft Corporation
          Description  . . . : IE Per-User Initialization Utility
          Version  . . . . . : 8.00.6001.19400
          Copyright  . . . . : © Microsoft Corporation. All rights reserved.
          Fuzzy  . . . . . . : 11.0
             Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
             Program starts automatically without user intervention.
             Time indicates that the file appeared recently on this computer.
             The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
             The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
          Startup
             HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
             HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    
       C:\Windows\System32\iedkcs32.dll
          Size . . . . . . . : 387.584 bytes
          Age  . . . . . . . : 0.9 days (2013-02-12 19:47:39)
          Entropy  . . . . . : 6.0
          SHA-256  . . . . . : D7423B6D2FA0EB3489DD14DDC4507B0DD4878CFB87BDD265129F4F0152BAC8F2
          Product  . . . . . : Windows® Internet Explorer
          Publisher  . . . . : Microsoft Corporation
          Description  . . . : IEAK branding
          Version  . . . . . : 18.00.6001.19400
          Copyright  . . . . : © Microsoft Corporation. All rights reserved.
          Fuzzy  . . . . . . : 6.0
             Program starts automatically without user intervention.
             Time indicates that the file appeared recently on this computer.
             The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
             The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
          Startup
             HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}\
    
       C:\Windows\System32\ieframe.dll
          Size . . . . . . . : 11.111.424 bytes
          Age  . . . . . . . : 0.9 days (2013-02-12 19:47:40)
          Entropy  . . . . . : 6.4
          SHA-256  . . . . . : 3A1464E74ADDAB10A62FD9309958B46CAC4159BF145739A86AB5DAAC9A55CFE7
          Product  . . . . . : Windows® Internet Explorer
          Publisher  . . . . : Microsoft Corporation
          Description  . . . : Internet Explorer
          Version  . . . . . : 8.00.6001.19400
          Copyright  . . . . : © Microsoft Corporation. All rights reserved.
          Fuzzy  . . . . . . : 8.0
             Program starts automatically without user intervention.
             Time indicates that the file appeared recently on this computer.
             The file is in use by one or more active processes.
             The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
             The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
          Startup
             HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
             HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
             HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
          References
             HKLM\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
             HKU\S-1-5-21-911542882-2029379874-2294310465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
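    The Early Warning Scoring entries above are built from per-file properties: size, age, Shannon entropy on a 0 to 8 scale, SHA-256 and publisher information. The script below is an added example, not HitmanPro's code and not code from anyone in this thread. It computes the entropy and hash over constructed byte buffers and models two of the indicators from the log to show why a high entropy value alone is not a verdict: ie4uinit.exe scores 7.3 but carries a Microsoft publisher and WFP protection, while the Opera cache file scores 8.0 with no version information at all. The 7.0 threshold, the sample buffers and the triage rule are my assumptions.

```python
import hashlib
import math
import random
from collections import Counter
from typing import Optional

# Constructed sample buffers (not the files from the thread):
# PLAIN mimics a text-heavy, unpacked file; PACKED mimics a compressed or
# encrypted payload, built from a seeded PRNG so the result is reproducible.
PLAIN = b"This is an ordinary text block with low byte-level randomness. " * 64
_rng = random.Random(1234)
PACKED = bytes(_rng.getrandbits(8) for _ in range(4096))

# Assumed cut-off for the "encrypted, compressed or obfuscated" indicator.
# HitmanPro's real threshold is not published; the thread's logs fire it at
# 7.3 and not at 6.6, so 7.0 is a plausible guess, nothing more.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 when
    every byte value is equally frequent. This is the 0-8 scale in the log."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data: bytes) -> str:
    """Upper-case SHA-256 hex digest, the form the HitmanPro log prints."""
    return hashlib.sha256(data).hexdigest().upper()


def score_file(data: bytes, publisher: Optional[str] = None) -> dict:
    """Build a small HMP-style record and list which indicators fire.

    Only two of the log's indicators are modelled (entropy and missing
    publisher); the wording is paraphrased from the thread, the logic is mine.
    """
    ent = shannon_entropy(data)
    indicators = []
    if ent >= ENTROPY_THRESHOLD:
        indicators.append("Entropy indicates the program is encrypted, compressed or obfuscated.")
    if not publisher:
        indicators.append("Authors name is missing in version info.")
    return {
        "size": len(data),
        "entropy": round(ent, 1),
        "sha256": sha256_hex(data),
        "publisher": publisher,
        "indicators": indicators,
    }


def needs_review(record: dict) -> bool:
    """Assumed triage rule: a high-entropy file is worth a second look only
    when it also lacks publisher information. A signed Microsoft binary at
    7.3 (ie4uinit.exe above) falls through; an unsigned 8.0 cache file
    (opr0VG5O.tmp above) does not."""
    inds = record["indicators"]
    return any(i.startswith("Entropy") for i in inds) and any(i.startswith("Authors") for i in inds)


if __name__ == "__main__":
    for name, data, pub in (("plain.txt", PLAIN, "Example Corp"),
                            ("signed_packed.exe", PACKED, "Example Corp"),
                            ("unknown_packed.tmp", PACKED, None)):
        rec = score_file(data, pub)
        print(f"{name}: entropy {rec['entropy']}, indicators {len(rec['indicators'])}, "
              f"review={needs_review(rec)}")
```

    Run it as-is to see the three constructed cases side by side; to profile a real file, read it with `open(path, "rb").read()` and pass the bytes to `score_file` together with whatever publisher string your version-info reader returns.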
    
    
    
    
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you rescan now?
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I've found the cause of this false positive. Will be fixed in build 189. Thanks for reporting :thumb:
     
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Hi Erik, it seems the forensic cluster is not available in an EWS scan for files that aren't classified as malicious or suspicious but only have a high EWS score.
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Are you sure that there are additional files created around the same time as the file in question?
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Not sure, but it seems likely. I had a few new files listed by EWS after the last Windows update round (winsrv.dll and ieframe.dll twice: System32 and SysWOW64). Given that there were quite a few updates this time it would seem very likely that there would be more files created around the same time, but none of them show a Forensic Cluster under More Info.
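    The forensic cluster Erik and BoerenkoolMetWorst are discussing is the set of files created within a short window around the flagged file, listed with their offset from it. The script below is an added example, not HitmanPro's code and not code from anyone in this thread: it builds such a cluster from constructed (path, creation time) records, prints offsets in the same "-3.6s path" style the logs above use, and covers the case this exchange is about, a file with no neighbours in the window, where there is simply no cluster to display. The ±10 second window, the sample records and the "*" marker for the scored file are my assumptions.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed file-system records (path, creation time) that mimic a driver
# package being installed in one burst, plus two unrelated files. These are
# not the thread's real timestamps.
T0 = datetime(2013, 2, 15, 15, 52, 24)
TARGET = r"C:\Windows\system32\FsUsbExDisk.SYS"
RECORDS: List[Tuple[str, datetime]] = [
    (r"C:\Windows\system32\FsUsbExService.Exe", T0 - timedelta(milliseconds=40)),
    (r"C:\Windows\system32\FsUsbExDevice.Dll", T0 - timedelta(milliseconds=20)),
    (TARGET, T0),
    (r"C:\Windows\system32\FsUsbExDisk.Sy_", T0 + timedelta(milliseconds=300)),
    (r"C:\Users\demo\Downloads\setup.exe", T0 - timedelta(hours=2)),    # unrelated
    (r"C:\Users\demo\Desktop\notes.txt", T0 + timedelta(seconds=42)),   # outside window
]

# Assumed window: HitmanPro does not document how wide its cluster is; the
# largest cluster in this thread spans about -3.6s to +5.3s, so ±10s covers it.
WINDOW_SECONDS = 10.0


def forensic_cluster(records, target, window=WINDOW_SECONDS):
    """Return [(offset_seconds, path)] for every record created within
    ±window of the target's creation time, target included, sorted by time."""
    ctimes = dict(records)
    t_ref = ctimes[target]          # KeyError if the target was never recorded
    cluster = []
    for path, ctime in records:
        offset = (ctime - t_ref).total_seconds()
        if abs(offset) <= window:
            cluster.append((offset, path))
    cluster.sort(key=lambda item: (item[0], item[1]))
    return cluster


def has_neighbours(cluster):
    """False when the only member is the target itself: that is the situation
    BoerenkoolMetWorst describes, where More Info shows no cluster at all."""
    return len(cluster) > 1


def format_cluster(cluster, target):
    """Render in the log's style: signed offset with one decimal, so a file
    written a few milliseconds earlier prints as '-0.0s' just as HMP does.
    The scored file itself gets the '*' marker seen in the Properties view."""
    lines = []
    for offset, path in cluster:
        if path == target:
            lines.append(f"* {path}")
        else:
            lines.append(f"{offset:.1f}s {path}")
    return lines


if __name__ == "__main__":
    cl = forensic_cluster(RECORDS, TARGET)
    print("Forensic Cluster" if has_neighbours(cl) else "No cluster")
    print("\n".join(format_cluster(cl, TARGET)))
```

    Swapping RECORDS for a real directory walk (path plus `os.stat(path).st_ctime`) turns this into a quick way to check whether a flagged file really was written on its own, which is the question Erik asks in the previous post.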
     
  16. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi Erik

    It is okay now.

    Do you have a contact at TrendMicro for submitting files for me?

    Thank you very much
     
  17. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi Erik

    I have another FP for you

    SHA256: 941d6c5d91f6419198f1a53bf7d33aa2d9118ceac028b6ed8e5308751810b9b5
    SHA1: 8b3c61772bd4a8bed37fcb78d861486e85d11ec3
    MD5: ddee99dc54efa20bd5a442cd733c4462
    Dateigröße: 36.5 KB ( 37344 bytes )
    Dateiname: FsUsbExDisk.Sys
    Datei-Typ: Win32 EXE
    Erkennungsrate: 0 / 46
    Analyse-Datum: 2013-02-15 15:47:50 UTC ( vor 1 Minute )

    Properties
    Name FsUsbExDisk.SYS
    Location C:\Windows\system32
    Size 36.5 KB
    Time 0.0 days ago (2013-02-15 15:52:24)
    Entropy 6.2
    Service FsUsbExDisk
    SHA-256 941D6C5D91F6419198F1A53BF7D33AA2D9118CEAC028B6ED8E5308751810B9B5

    Scoring (13.0)
    Starts automatically as a service during system bootup.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Time indicates that the file appeared recently on this computer.
    The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
    The file is a device driver. Device drivers run as trusted (highly privileged) code.

    Startup
    HKLM\SYSTEM\CurrentControlSet\Services\FsUsbExDisk\

    Forensic Cluster
    -0.0s C:\Windows\system32\FsUsbExService.Exe
    -0.0s C:\Windows\system32\FsUsbExDevice.Dll
    0.0s C:\Windows\system32\FsUsbExDisk.Sy_
    * C:\Windows\system32\FsUsbExDisk.SYS
     

  18. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi Erik

    And here is the Scan Log for it

    Code:
    HitmanPro 3.7.2.188
    www.hitmanpro.com
    
       Computer name . . . . : ALEXANDERROB-PC
       Windows . . . . . . . : 6.0.2.6002.X86/2
       User name . . . . . . : AlexanderRob-PC\Alexander Robrecht
       UAC . . . . . . . . . : Enabled
       License . . . . . . . : Free
    
       Scan date . . . . . . : 2013-02-15 16:24:26
       Scan mode . . . . . . : EWS
       Scan duration . . . . : 8m 20s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 0
       Traces  . . . . . . . : 2
    
       Objects scanned . . . : 3.775.139
       Files scanned . . . . : 54.197
       Remnants scanned  . . : 2.213.989 files / 1.506.953 keys
    
    Early Warning Scoring _______________________________________________________
    
       C:\Windows\system32\FsUsbExDisk.SYS
          Size . . . . . . . : 37.344 bytes
          Age  . . . . . . . : 0.0 days (2013-02-15 15:52:24)
          Entropy  . . . . . : 6.2
          SHA-256  . . . . . : 941D6C5D91F6419198F1A53BF7D33AA2D9118CEAC028B6ED8E5308751810B9B5
          Service  . . . . . : FsUsbExDisk
          Fuzzy  . . . . . . : 13.0
             Starts automatically as a service during system bootup.
             Authors name is missing in version info. This is not common to most programs.
             Version control is missing. This file is probably created by an individual. This is not typical for most programs.
             Time indicates that the file appeared recently on this computer.
             The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
             The file is a device driver. Device drivers run as trusted (highly privileged) code.
          Startup
             HKLM\SYSTEM\CurrentControlSet\Services\FsUsbExDisk\
          Forensic Cluster
             -0.0s C:\Windows\system32\FsUsbExService.Exe
             -0.0s C:\Windows\system32\FsUsbExDevice.Dll
              0.0s C:\Windows\system32\FsUsbExDisk.Sy_
              0.0s C:\Windows\system32\FsUsbExDisk.SYS
    
    
    
    
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Mops is making HitmanPro better and better with all the FPs :) :thumb:
     
  20. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    After updating to Pidgin 2.10.7, HMP says I have a virus. I'm assuming it's another FP from IKARUS. 3/46 on VirusTotal.

    Code:
    Properties
    Name	exchndl.dll
    Location	C:\Toolbx\Pidgin
    Size	655 KB
    Time	0.6 days ago (2013-02-15 22:38:30)
    Entropy	6.5
    SHA-256	C28DE3AFFBDDFF44EC321DA6B3DD3689312F09B81532503BE591AC5C2B5D7AF2
    
    Detection Names
    Ikarus	Trojan.Win32.Spy!IK
    
    Scoring (108.0)
    One or more antivirus vendors have indicated that the file is malicious.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Time indicates that the file appeared recently on this computer.
    
    Al
     
  21. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi

    Oh yes, I make Hitman Pro better and better.

    For that we're there, or laughs.
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Every time you report an FP or bug it is good for us :) :thumb: and for that I give some credit.
     
  23. desert_by_night

    desert_by_night Registered Member

    Joined:
    Apr 27, 2012
    Posts:
    30
    Location:
    Portugal
    Hi Erik.
    I'm having a problem since Windows 7 and now Windows 8: the Bluescreen of Death. Today twice in a row.
    During the scan... the computer freezes and the Bluescreen appears.
     

  24. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi

    Yes, I make HitmanPro better and better.

    For that we are there, or laughs.
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    When I helped a relative with their PC, HMP gave a message about a hook on the disk driver, but it doesn't fit the screen:
    [Attached image: Untitled.png]

    Haha lol, I have never seen the Windows 8 Bluescreen before, it's kinda funny, but too simplistic for my taste.
     