Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    488
    Could they be false positives, as redwolfe_98 suggested?
     
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,346
    Location:
    the Netherlands
    A few weeks ago, July 1, HitmanPro detected the same item on my Windows Vista x86 system.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}\ (CouponBar)
    I let HMP delete the item.
    On my Windows 7 x64 system, HMP did not detect that item.
    Both my Windows Vista x86 and Windows 7 x64 system have SpywareBlaster installed and its protection enabled.

    How do you know that item is an ActiveX killbit?
    Assuming that it is an ActiveX killbit, and that it was set by SpywareBlaster, I disabled all SpywareBlaster's protections, and then re-enabled all SpywareBlaster's protections - assuming that that might restore a killbit that was deleted by HMP, and I did a HMP scan. The mentioned item was not detected.
    What does this say? Nothing for sure.
    Perhaps the item is not an ActiveX killbit,
    or it was not set by SpywareBlaster,
    or disabling and re-enabling SpywareBlaster's protections did not restore the killbit,
    or it was no longer detected by HMP for another reason?
    Perhaps another possibility could be that the item was an ActiveX killbit, but that it wasn't set by SpywareBlaster, but by Spybot Search & Destroy 1.6.2, that was on my Windows Vista x86 system many years ago, but was never on my Windows 7 x64 system.

    Any other ideas, anyone?
    I look forward to Erik's or Mark's reply regarding this matter.
     
  3. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,346
    Location:
    the Netherlands
    The AdwCleaner info says "It runs with Windows XP, Vista, 7, 8 versions 32 & 64 bits."
    The Junkware Removal Tool info on Bleeping Computer, FossHub and Giga.de says "Windows XP, Vista, 7, 8."
     
  4. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    because i am familiar with activex-killbits.. the location of the regkey is for activex-killbits and the "value" that it has is "400", which is the appropriate "value" for activex-killbits..

    that was why i posted the screenshot, so that "surfright" could see that it was indeed an activex-killbit, which shouldn't be being flagged by "hitmanpro", and which shouldn't be removed..
     
  5. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,346
    Location:
    the Netherlands
    Thanks very much.

    I could locate the registry entry, but I couldn't determine whether it was a legitimate entry or not.
    The thing is, there's a 2008 Spybot forum post Manual Removal Guide for CouponBar that instructs to delete the mentioned entry,
    HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
    Was that an incorrect instruction, or is it a non-legitimate registry entry? I cannot tell.

    Therefore, I'm still looking forward to Erik's or Mark's reply regarding this matter.
     
  6. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    Fixed this detection on Windows 10. No update of HitmanPro is required, solved it via our cloud.

    Note: HitmanPro did not detect MRT.exe as malware. The detection is on a registry key underneath "Image File Execution Options", which is usually only set by malware to disable security software, including MRT.exe. HitmanPro removes these registry entries so e.g. the Microsoft Malicious Software Removal Tool can still function normally, even in the presence of malware. The erroneous detection of the registry key only happened on Windows 10. Inadvertent removal of this particular registry entry did not cause any issues with MRT.exe, Windows or any other software.
     
  7. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    HitmanPro 3.7.9 build 244 BETA

    Now many adware and PUPs are moving towards the use of random folder and file names, we have begun employing HitmanPro's forensic capabilities to correlate and flag this crap. We have started attacking the MultiPlug adware, which typically looks like this (I am sure some of you have encountered something similar):

    C:\Program Files\Happpy2Save\A2G7EvGyAZwKqV.dat
    C:\Program Files\Happpy2Save\A2G7EvGyAZwKqV.dll
    C:\Program Files\Happpy2Save\A2G7EvGyAZwKqV.exe
    C:\Program Files\Happpy2Save\A2G7EvGyAZwKqV.tlb

    C:\Program Files\AUTToDEaLsApp\3Ako8eug2kMV0m.dat
    C:\Program Files\AUTToDEaLsApp\3Ako8eug2kMV0m.dll
    C:\Program Files\AUTToDEaLsApp\3Ako8eug2kMV0m.exe
    C:\Program Files\AUTToDEaLsApp\3Ako8eug2kMV0m.tlb

    C:\Program Files\DownSiave\dIIIj8iFr0QQS5.dat
    C:\Program Files\DownSiave\dIIIj8iFr0QQS5.dll
    C:\Program Files\DownSiave\dIIIj8iFr0QQS5.exe
    C:\Program Files\DownSiave\dIIIj8iFr0QQS5.tlb


    From our telemetry, we see that it takes weeks or months for the EXE and/or DLL to be recognized by antivirus software on victim machines. But the TLB and DAT files, as well as the INI files associated with this crap, were left to remain on the PC forever. Fortunately, the new beta of HitmanPro will now detect and remove this MutiPlug PUP based on how its e.g. laid out on the local disk (the detection is not based on binary contents or activity). This more forensics-based approach ensures immediate detection of MultiPlug:

    MultiPlug.PNG

    The beta is available from our Beta download page: http://www.surfright.nl/en/downloads/beta
     
    Last edited: Jul 27, 2015
  8. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,412
    Location:
    Germany
    Hi Erik and Hi Mark

    Can you check the 1 File and whitelisted the 1 File please. I use the FP function into the Programm to submit the File to you

    With best Regards
    Mops21
     

    Attached Files:

  9. schemer

    schemer Registered Member

    Joined:
    Dec 18, 2014
    Posts:
    8
    Had a Display Fusion update today and then HP hit on this:

    DFSSaver.scr
    HEUR:Trojan.Win32.Generic

    I think it may be a false positive
     
  10. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,511
    Erik, now that V3 of HMP.Alert has been released, would it be possible to take another look at this problem?

    XP drives still being flagged with bogus entries with the latest HMP version when running in Win8 32-bit.
     
  11. Just installed HMP on a PC of a relative. Just noticed something (akward), needed to set two firewall rules.

    When user chooses to install in folder (HMP does remember that), the update runs from temp folder (in stead of program files folder)
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Do you have a sha-256 of the files? Just double click the entry in the list.
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro only has port 80/443 outgoing connections. If you have a firewall that also filters outgoing traffic port 80/443 then you have to add two rules.

    The updater runs from the temp so that it can update the one in ProgramFiles. I think you do not need to create firewall rules for the updater in the temp as the updater does not do anything on the network.

    Hope this helps.
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I have no clue what this is. I am currently on vacation. When I am back I can have another look at it. Preferably with a remote session. Just send me a PM.
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I looked up the forensic cluster in our backend and the registry entry is actually created by CouponBar:

    Forensic-CouponBar2.png

    See this link on the CLSID:
    http://www.systemlookup.com/O16/350-cpbrkpie_cab.html

    Hope this helps.
     
    Last edited: Aug 2, 2015
  16. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,346
    Location:
    the Netherlands
    Thanks very much, Erik.

    I can't say anything about HMP's backend.
    If it is righ, that would be in line with the 2008 Spybot forum post instruction that I mentioned.

    However, the SystemLookup entry that you mention, that is about
    CLSID {9522B3FB-7A2B-4646-8AF6-36E7F593073C}
    which is
    HKEY_CLASSES_ROOT\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
    And that is not the same as
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}

    So I still think perhaps redwolfe_98 could be right, who said the deleted ActiveX Compatibility key was an ActiveX killbit, guarding against CouponBar, not created by CouponBar.

    I can't tell who is right or wrong.

    P.S.
    Enjoy your vacation, Erik.
     
  17. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The forensic timeline comes from multiple end users with CouponBar. It is therefore right in that the key for certain is created by CouponBar.
    If other tools also create the key, then the key gets removed by HitmanPro.
     
  18. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,132
    HMP (Kapersky engine) complains about uTorrent 3.4.3.40760 (Riskware). It did not do this with previous builds of uTorrent.

    Is the Ignore selection only for the current scan? HMP complains about it again the next scan.
     
  19. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,049
    Location:
    Baden Germany
    This is not a FP!
    uTorrent is no longer trustworthy, because it installs a cryptocurrency miner....
     
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,346
    Location:
    the Netherlands
    Thank you very much, Erik.

    If redwolfe_98 was right about
    HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
    being an ActiveX killbit,
    then I wonder why CouponBar puts its own killbit there.

    I'm looking forward to both Erik's and redwolfe_98's thoughts regarding this matter.
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Meh, I'd rather they actually detect what's malicious (the optional bundled stuff) instead of legit programs. I for one use it with settings.dat with Pimp my uTorrent.

    @Stupendous Man: I use SpywareBlaster and HMP didn't detect anything regarding that entry.
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    redwolfe_98 assumes that the key is only used as a kill-bit. This is not the case. As a matter of fact there are a whole bunch of flags you can put there to control the loading of the ActiveX object. The CouponBar installer writes one or a combination of these flags: https://msdn.microsoft.com/en-us/library/aa768234(v=vs.85).aspx
    Note: 0x400 is the kill-bit.

    Hope this helps.
     
    Last edited: Aug 3, 2015
  23. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,132
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    What is the hash of the file that is listed?
     
  25. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,346
    Location:
    the Netherlands
    I don't know what value that key had on my system.
    redwolfe_98 said it had the 0x400 value.
    See redwolfe_98's posts #6672 and #6679.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.