Hitman Pro Support and Discussion Thread

I have a minimal windows installation (just office) and run early warning mode. Sometimes installer files (windows update) do increase scanning time because their are a lot of new arrivals (Windows update). Yesterday (after windows update) it took 35 secs, now 28 secs on an old dual core (E5200@3GHz) with sata-2 SSD (with 140MB/s write 180MB/s read speed)

 

Hi Erik and Hi Mark

Can you check the 4 Files and whitelisted

Properties
Name FntCache.dll
Location C:\Windows\system32
Size 780 KB
Time 0.1 days ago (2013-10-11 16:37:33)
Entropy 6.3
Product Microsoft® Windows® Operating System
Publisher Microsoft Corporation
Description Windows Font Cache Service
Version 7.0.6002.23200
Copyright © Microsoft Corporation. All rights reserved.
Service FontCache
SHA-256 747FAF9B7F8291B83EE44B91E5708395E749DC87BD42CC3BF2CD41209C298F4D

Scoring (11.0)
Starts automatically as a service during system bootup.
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is in use by one or more active processes.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

Startup
HKLM\SYSTEM\CurrentControlSet\Services\FontCache\

Properties
Name usbehci.sys
Location C:\Windows\system32\DRIVERS
Size 39.0 KB
Time 0.1 days ago (2013-10-11 16:37:14)
Entropy 6.2
Product Microsoft® Windows® Operating System
Publisher Microsoft Corporation
Description EHCI eUSB Miniport Driver
Version 6.0.6002.18465
Copyright © Microsoft Corporation. All rights reserved.
Service usbehci
SHA-256 0F1F79BA7C32ACAAE69184A56E67D6E18E2E2F07E0BE23F266401431169DAE14

Scoring (7.0)
Starts automatically as a service during system bootup.
Time indicates that the file appeared recently on this computer.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

Startup
HKLM\SYSTEM\CurrentControlSet\Services\usbehci\

Properties
Name usbhub.sys
Location C:\Windows\system32\DRIVERS
Size 193 KB
Time 0.1 days ago (2013-10-11 16:37:14)
Entropy 6.4
Product Microsoft® Windows® Operating System
Publisher Microsoft Corporation
Description Default Hub Driver for USB
Version 6.0.6002.18875
Copyright © Microsoft Corporation. All rights reserved.
Service usbhub
SHA-256 7B2C0E8703D0275A620160E479166EB7AA31B0F146507603535CEBF0BA4684A4

Scoring (7.0)
Starts automatically as a service during system bootup.
Time indicates that the file appeared recently on this computer.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

Startup
HKLM\SYSTEM\CurrentControlSet\Services\usbhub\

Properties
Name usbccgp.sys
Location C:\Windows\system32\DRIVERS
Size 71.5 KB
Time 0.1 days ago (2013-10-11 16:37:14)
Entropy 6.6
Product Microsoft® Windows® Operating System
Publisher Microsoft Corporation
Description USB Common Class Generic Parent Driver
Version 6.0.6002.18875
Copyright © Microsoft Corporation. All rights reserved.
Service usbccgp
SHA-256 7824AF6E2ADEA23F208526F3A62AD1BACDBBDB23E58EB5806890B0761529C50F

Scoring (7.0)
Starts automatically as a service during system bootup.
Time indicates that the file appeared recently on this computer.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

Startup
HKLM\SYSTEM\CurrentControlSet\Services\usbccgp\

 

Hi, erik/Mark:

what about 8.1 support?

 

Hi Erik and Hi Mark

Can you check the 2 Files and whitelisted

Properties
Name opr06DNK.tmp
Location C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0015
Size 3.3 MB
Time 0.1 days ago (2013-10-11 17:21:16)
Entropy 8.0
SHA-256 997C1446142F6296908179705982FCB1E307A0D83C8ABB746DCE604B54C17EB1

Scoring (22.0)
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
The file name extension of this program is not common.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
Program contains PE structure anomalies. This is not typical for most programs.

Forensic Cluster
* C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0015\opr06DNK.tmp
11.1s C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0015\opr06DO1.tmp

Properties
Name opr06DO1.tmp
Location C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0015
Size 3.7 MB
Time 0.1 days ago (2013-10-11 17:21:27)
Entropy 8.0
SHA-256 81AB495A62174068C46EB5E44D2352C59A40C53F4AF05C1FCDCCFF3CFCCEA078

Scoring (22.0)
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
The file name extension of this program is not common.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
Program contains PE structure anomalies. This is not typical for most programs.

Forensic Cluster
-11.1s C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0015\opr06DNK.tmp
* C:\Users\Alexander Robrecht\AppData\Local\Opera\Opera\cache\g_0015\opr06DO1.tmp

 

Good back up for my new WSA?

should i buy? it and Malware bytes found a bunch of old spy ware bits and cookies that WSA missed.

 

are they left overs?

 

If you can pay it, why not?
Its one of the best AM out there.

 

Thank you.

 

Always.

I say go for it. And you got first hand experience of how good it works.

 

HitmanPro 3.7.8 Build 206 BETA

Changelog

• FIXED: Kickstart now recognizes all 'SanDisk Cruzer' USB flash drives as removable drives; new SanDisk Cruzer USB-sticks have their fixed disk bit set instead of removable drive.
• FIXED: A problem related to outputting number of detected files and traces
• FIXED: Detection of Sophos SafeGuard MBR boot loader.
• IMPROVED: Forensics-based universal detection of the Sinowal/Torpig Trojan.

Download
http://www.surfright.nl/downloads/beta

Please let me know how this version runs your computer

 

lets see here 1.G Data and Ikarus still here checked 2.with kis checked 3.kis fps going up not checked 4.Ikarus fps going down checked 5. behavior blocker not checked needs more work.

 

Hi Erik,

HitmanPro 3.7.8 Build 206 BETA running great on Windows 8.1 64bit.
Got a warning from Avast 2014 RC3's hardenings mode.
After allowing HitmanPro to run I got 2 false positives about Avast.
See my screenshot.

 

Avast is a fake AV, I knew that all the time.

 

Fixed. Our remnants are stored in the cloud so this can be addresses instant. I wonder though why Avast choose to do something with Image Execution Options. Fake AV's usually piggy back on legit AV programs via this key; HitmanPro therefore is listing the entry. I will install myself to see that Avast 2014 writes in that key.

Thanks for reporting

 

Thanks for the great support on a rainy sunday here in The Netherlands.
Malwarebytes Anti-Malware had the same detection and also solved it for me:
https://forums.malwarebytes.org/index.php?showtopic=134539

 

Running fine on Win7 x64 & x86

Rainy indeed

 

Just finished a scan with the latest beta...

Code:

HitmanPro 3.7.8.206
www.hitmanpro.com

   Computer name . . . . :  xxxxxxxxxxxx
   Windows . . . . . . . : 5.1.3.2600.X86/4
   User name . . . . . . :  xxxxxxxxxxxx
   License . . . . . . . : Paid (778 days left)

   Scan date . . . . . . : 2013-10-14 07:42:13
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 8m 2s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 8

   Objects scanned . . . : 2,032,226
   Files scanned . . . . : 40,005
   Remnants scanned  . . : 1,417,335 files / 574,886 keys

Suspicious files ____________________________________________________________

   C:\Program Files\Sygate\SPF\smc.exe
      Size . . . . . . . : 2,532,576 bytes
      Age  . . . . . . . : 651.2 days (2012-01-02 01:49:56)
      Entropy  . . . . . : 6.3
      SHA-256  . . . . . : 2F8823D5339BCBE5F8C198FC0619E555462BBB298ECDFFB9889584D9276E9814
      Product  . . . . . : Sygate® Security Agent and Personal Firewall
      Publisher  . . . . : Sygate Technologies, Inc.
      Description  . . . : Sygate Agent Firewall
      Version  . . . . . : 5.5.00.2710
      Copyright  . . . . : Copyright ©  1999 - 2004 Sygate Technologies, Inc. All rights reserved.
      RSA Key Size . . . : 1024
      Service  . . . . . : SmcService
      Parent Name  . . . : C:\WINDOWS\system32\services.exe
      Authenticode . . . : Valid
      Running processes  : 1964
      Fuzzy  . . . . . . : 10.0
         This file's reboot survivability is vigorously protected. This is typical to malware.
         Uses the Windows Registry to run each time the user logs on.
         Program starts automatically without user intervention.
         The file is in use by one or more active processes.
         Starts automatically as a service during system bootup.
         Program is code signed with a valid Authenticode certificate.
         The file appears to be part of an installation package or setup program. This is typical for most programs.
      Startup
         HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmcService
         HKLM\SYSTEM\CurrentControlSet\Services\SmcService\
      References
         C:\Documents and Settings\All Users\Start Menu\Programs\Sygate Personal Firewall\Sygate Personal Firewall.lnk
         HKU\S-1-5-21-1417001333-2049760794-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Sygate\SPF\smc.exe
         HKU\S-1-5-21-1417001333-2049760794-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\PROGRA~1\Sygate\SPF\smc.exe

 

The new Beta runs fine so far,but i guess i have a False Postive

please can you white list it.Hope i do it right.

https://www.virustotal.com/de/file/adaff0b3ccf52c7625351e0e1863a9f77896de4657503145bcefc5c20aea9568/analysis/

With Hitman Pro 3.7.7. - Build 205 this Casual 3 Match Game seems to be
ok,MalwareBytes Pro and Bidefender Antivirus Plus 2014 says no Problem.

Code:

HitmanPro 3.7.8.206
www.hitmanpro.com

   Computer name . . . . : xxxxxxxxxxxxxxx
   Windows . . . . . . . : 6.1.1.7601.X86/4
   User name . . . . . . : xxxxxxxxxxxxxxxxx
   UAC . . . . . . . . . : Disabled
   License . . . . . . . : Paid (218 days left)

   Scan date . . . . . . : 2013-10-14 12:25:00
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 3m 29s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 1
   Traces  . . . . . . . : 2

   Objects scanned . . . : 1.042.500
   Files scanned . . . . : 15.389
   Remnants scanned  . . : 416.317 files / 610.794 keys

Malware _____________________________________________________________________

   C:\Program Files\Spooky Bonus deutsch\SpookyBonus.exe
      Size . . . . . . . : 2.555.904 bytes
      Age  . . . . . . . : 3.0 days (2013-10-11 11:39:07)
      Entropy  . . . . . : 7.9
      SHA-256  . . . . . : ADAFF0B3CCF52C7625351E0E1863A9F77896DE4657503145BCEFC5C20AEA9568
    > Ikarus . . . . . . : Trojan.Crypt!IK
      Fuzzy  . . . . . . : 117.0
      References
         C:\Users\Lucien Phoenix\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\SpookyBonus.exe.lnk

 

Whitelisted. Thanks

 

Fixed. Thanks!

 

Just updated to 207.

 

No issues with .207 (W7/64 Ult.)

 

Ran new build on windows 7 64 bit and vista 32 bit no problems.....

 

Everything good with XP Pro SP3 as well.

 

New build running fine on Windows 8 Pro x64.