Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    717
    Location:
    Planet Earth
    Can you DM me the scan details? There must be a reason for raising it to suspicious.
    I don't think the exclude list works for this.

    re: hosts file I'll have a chat with the devs to see what we can do there.
     
  2. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    717
    Location:
    Planet Earth
    HitmanPro v3.8.44 build 340

    Changelog

    • Fixed: Detection and removal of cookies on latest Microsoft Edge Browser when process was in --no-startup-window
    • Fixed: Detection of suspicious files signed by Microsoft (happened after Windows Updates)
    • Fixed: Some FP's on "Backdoor.Behaviour" detections
    • Added: Option to exclude the hosts file from scanning (you can add "c:\windows\system32\drivers\etc\hosts" to the exclude list to ignore detection).
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,946
    Location:
    Outer space
    New build working fine here :)
     
  4. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,295
    +1.
     
  5. Dean Mitchener

    Dean Mitchener Registered Member

    Joined:
    May 29, 2025
    Posts:
    3
    Location:
    London
    Hi Folks,

    My HitmanPro.Alert gave an alert yesterday saying WipeGuard blocked an attack. On reading the logs it seemed it was HitmanPro itself that tried to change the MBR!! o_O I ignored it, thinking it must be a bug; however,

    Today I turned on my PC and didn't log on for most of the day. When I logged on about 20 minutes ago I was presented with another HitmanPro alert. This time it is saying a program attempted to change/modify the MBR. The logs say it is Windows Search Protocol Host:

    I put the details below of both alerts: the HitmanPro alert about itself first, and then the one that seems to be linked to Windows Update. Yes, the PC did do a Windows update on reboot, but my other two PCs have not, raising my suspicion that something might be amiss.

    Can anyone read this data below and give us an idea please? VirusTotal is saying that no virus vendors detected any issues.

    Code:
    Mitigation   WipeGuard
    Timestamp    2025-05-27T16:23:19
    
    Platform     10.0.19045/x64 v2019 06_9e
    PID          12112
    Feature      00FD2E70000001A6
    Application  C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Created      2025-05-20T21:49:53
    Description  HitmanPro.Alert 3.20.2
    
    Reason       Volume Boot Record (VBR)
    Volume         \Device\HarddiskVolume4
    BusType        Nvme
    LBA            81154
    Length         1
    PartitionType  0xEE
    
    0000  46 49 4C 45 30 00 03 00 D0 BD 03 14 01 00 00 00  FILE0...........
    0010  01 00 01 00 38 00 01 00 A0 01 00 00 00 04 00 00  ....8...........
    0020  00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00  ................
    0030  0A 01 00 00 00 00 00 00 10 00 00 00 60 00 00 00  ............`...
    0040  00 00 18 00 00 00 00 00 48 00 00 00 18 00 00 00  ........H.......
    0050  00 D6 94 0F B8 C9 DB 01 00 D6 94 0F B8 C9 DB 01  ................
    0060  00 D6 94 0F B8 C9 DB 01 00 D6 94 0F B8 C9 DB 01  ................
    0070  06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0080  00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00  ................
    0090  00 00 00 00 00 00 00 00 30 00 00 00 68 00 00 00  ........0...h...
    00A0  00 00 18 00 00 00 03 00 4A 00 00 00 18 00 01 00  ........J.......
    00B0  05 00 00 00 00 00 05 00 00 D6 94 0F B8 C9 DB 01  ................
    00C0  00 D6 94 0F B8 C9 DB 01 00 D6 94 0F B8 C9 DB 01  ................
    00D0  00 D6 94 0F B8 C9 DB 01 00 40 00 00 00 00 00 00  .........@......
    00E0  00 40 00 00 00 00 00 00 06 00 00 00 00 00 00 00  .@..............
    00F0  04 03 24 00 4D 00 46 00 54 00 00 00 00 00 00 00  ..$.M.F.T.......
    0100  80 00 00 00 50 00 00 00 01 00 40 00 00 00 06 00  ....P.....@.....
    0110  00 00 00 00 00 00 00 00 7F 77 01 00 00 00 00 00  .........w......
    0120  40 00 00 00 00 00 00 00 00 00 78 17 00 00 00 00  @.........x.....
    0130  00 00 78 17 00 00 00 00 00 00 78 17 00 00 00 00  ..x.......x.....
    0140  33 20 C8 00 00 00 0C 43 60 AF 00 6C E0 88 00 00  3 .....C`..l....
    0150  B0 00 00 00 48 00 00 00 01 00 40 00 00 00 05 00  ....H.....@.....
    0160  00 00 00 00 00 00 00 00 0C 00 00 00 00 00 00 00  ................
    0170  40 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00  @...............
    0180  08 C0 00 00 00 00 00 00 08 C0 00 00 00 00 00 00  ................
    0190  21 0D 39 0E 00 00 00 00 FF FF FF FF 00 00 00 00  !.9.............
    01A0  FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00  ................
    01B0  FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00  ................
    01C0  FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00  ................
    01D0  FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00  ................
    01E0  08 10 00 00 00 00 00 00 08 10 00 00 00 00 00 00  ................
    01F0  31 01 FF FF 0B 31 01 26 00 F4 00 00 00 00 0A 01  1....1.&........
    
    
    Process Trace
    1  C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [12112]
       "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /alert:3BF96626DA803477
    2  C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1548]
       "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /service
    3  C:\Windows\System32\services.exe [864]
    4  C:\Windows\System32\wininit.exe [792]
       wininit.exe
    
    Services
    1548  hmpalertsvc
    
    Dropped Files
    
    Thumbprints
    ba81acd07e265ce94018d3ab4ed3aa565bb3ca0bc1b7a9fccfa472be4f525990
    9ac2c2be6ea3bc8db53c11c3dda901486080ddc8577ecde9a5a4b26d5db9c6a6 (crth-process)
    
    -----------------------------------------------------------------------------
    Mitigation   WipeGuard
    Timestamp    2025-05-29T09:51:34
    
    Platform     10.0.19045/x64 v2019 06_9e
    PID          10204
    Feature      00FD2E70000001A6
    Application  C:\Windows\System32\SearchProtocolHost.exe
    Description  Microsoft Windows Search Protocol Host 7
    
    Reason       Volume Boot Record (VBR)
    Volume         \Device\HarddiskVolume4
    BusType        Nvme
    LBA            81154
    Length         1
    PartitionType  0xEE
    
    0000  46 49 4C 45 30 00 03 00 B0 B7 4B 3C 01 00 00 00  FILE0.....K<....
    0010  01 00 01 00 38 00 01 00 B0 01 00 00 00 04 00 00  ....8...........
    0020  00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00  ................
    0030  17 01 00 00 00 00 00 00 10 00 00 00 60 00 00 00  ............`...
    0040  00 00 18 00 00 00 00 00 48 00 00 00 18 00 00 00  ........H.......
    0050  00 D6 94 0F B8 C9 DB 01 00 D6 94 0F B8 C9 DB 01  ................
    0060  00 D6 94 0F B8 C9 DB 01 00 D6 94 0F B8 C9 DB 01  ................
    0070  06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0080  00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00  ................
    0090  00 00 00 00 00 00 00 00 30 00 00 00 68 00 00 00  ........0...h...
    00A0  00 00 18 00 00 00 03 00 4A 00 00 00 18 00 01 00  ........J.......
    00B0  05 00 00 00 00 00 05 00 00 D6 94 0F B8 C9 DB 01  ................
    00C0  00 D6 94 0F B8 C9 DB 01 00 D6 94 0F B8 C9 DB 01  ................
    00D0  00 D6 94 0F B8 C9 DB 01 00 40 00 00 00 00 00 00  .........@......
    00E0  00 40 00 00 00 00 00 00 06 00 00 00 00 00 00 00  .@..............
    00F0  04 03 24 00 4D 00 46 00 54 00 00 00 00 00 00 00  ..$.M.F.T.......
    0100  80 00 00 00 58 00 00 00 01 00 40 00 00 00 06 00  ....X.....@.....
    0110  00 00 00 00 00 00 00 00 3F 93 01 00 00 00 00 00  ........?.......
    0120  40 00 00 00 00 00 00 00 00 00 34 19 00 00 00 00  @.........4.....
    0130  00 00 34 19 00 00 00 00 00 00 34 19 00 00 00 00  ..4.......4.....
    0140  33 20 C8 00 00 00 0C 43 18 C8 00 6C E0 88 00 32  3 .....C...l...2
    0150  08 03 84 FC 52 00 00 00 B0 00 00 00 50 00 00 00  ....R.......P...
    0160  01 00 40 00 00 00 05 00 00 00 00 00 00 00 00 00  ..@.............
    0170  0D 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
    0180  00 E0 00 00 00 00 00 00 08 D0 00 00 00 00 00 00  ................
    0190  08 D0 00 00 00 00 00 00 21 0D 39 0E 41 01 35 6C  ........!.9.A.5l
    01A0  09 01 00 00 00 00 00 00 FF FF FF FF 00 00 00 00  ................
    01B0  FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00  ................
    01C0  FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00  ................
    01D0  FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00  ................
    01E0  08 10 00 00 00 00 00 00 08 10 00 00 00 00 00 00  ................
    01F0  31 01 FF FF 0B 31 01 26 00 F4 00 00 00 00 17 01  1....1.&........
    
    
    Loaded Modules (47)
    -----------------------------------------------------------------------------
    00007FF77E370000-00007FF77E3DB000 SearchProtocolHost.exe (Microsoft Corporation),
                                      Version: 7.0.19041.5794
    00007FFA4C470000-00007FFA4C668000 ntdll.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5794
    00007FFA4BA20000-00007FFA4BAE2000 KERNEL32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5794
    00007FFA49760000-00007FFA49899000 hmpalert.dll (Sophos B.V.),
                                      Version: 3.20.2.2019
    00007FFA4A100000-00007FFA4A3F6000 KERNELBASE.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5848
    00007FFA4C260000-00007FFA4C2FE000 msvcrt.dll (Microsoft Corporation),
                                      Version: 7.0.19041.3636
    00007FFA4B3B0000-00007FFA4B47D000 OLEAUT32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFA4A400000-00007FFA4A49D000 msvcp_win.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFA49CF0000-00007FFA49DF0000 ucrtbase.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFA4BAF0000-00007FFA4BE43000 combase.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5794
    00007FFA4C300000-00007FFA4C423000 RPCRT4.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5794
    00007FFA4B8C0000-00007FFA4B96F000 advapi32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5737
    00007FFA4B4E0000-00007FFA4B57F000 sechost.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5794
    00007FFA49F20000-00007FFA49F47000 bcrypt.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5438
    00007FFA4C0F0000-00007FFA4C19D000 SHCORE.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5794
    00007FFA2F030000-00007FFA2F35A000 TQUERY.DLL (Microsoft Corporation),
                                      Version: 7.0.19041.5848
    00007FFA47A70000-00007FFA48213000 windows.storage.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5848
    00007FFA491D0000-00007FFA491E5000 cryptdll.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFA49400000-00007FFA4942B000 Wldp.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5794
    00007FFA4B970000-00007FFA4B99F000 imm32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5737
    00007FFA4B080000-00007FFA4B21D000 USER32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5848
    00007FFA49B10000-00007FFA49B32000 win32u.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5794
    00007FFA4B750000-00007FFA4B77B000 GDI32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5737
    00007FFA49F50000-00007FFA4A06A000 gdi32full.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5848
    00007FFA47870000-00007FFA47882000 kernel.appcore.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3758
    00007FFA4A070000-00007FFA4A0F2000 bcryptPrimitives.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5438
    00007FFA4C1A0000-00007FFA4C249000 clbcatq.dll (Microsoft Corporation),
                                      Version: 2001.12.10941.16384
    00007FFA4B790000-00007FFA4B8BB000 ole32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5794
    00007FFA0F420000-00007FFA0F448000 mssprxy.dll (Microsoft Corporation),
                                      Version: 7.0.19041.5794
    00007FFA0F870000-00007FFA0F8AA000 mssph.dll (Microsoft Corporation),
                                      Version: 7.0.19041.5794
    00007FFA48730000-00007FFA48780000 AUTHZ.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5794
    00007FFA48C60000-00007FFA48C93000 ntmarta.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFA4B350000-00007FFA4B3A5000 shlwapi.dll (Microsoft Corporation),
                                      Version: 10.0.19041.4355
    00007FFA44830000-00007FFA44924000 propsys.dll (Microsoft Corporation),
                                      Version: 7.0.19041.5794
    00007FFA49B40000-00007FFA49B8E000 CFGMGR32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3996
    00007FFA49A40000-00007FFA49A65000 profapi.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5794
    00007FFA0F1C0000-00007FFA0F23D000 ntshrui.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5794
    00007FFA4A4A0000-00007FFA4AC0E000 SHELL32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5848
    00007FFA499F0000-00007FFA49A22000 SspiCli.dll (Microsoft Corporation),
                                      Version: 10.0.19041.4239
    00007FFA40A60000-00007FFA40A88000 srvcli.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFA31550000-00007FFA31562000 cscapi.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFA0F5A0000-00007FFA0F5C4000 edputil.dll (Microsoft Corporation),
                                      Version: 10.0.19041.4355
    00007FFA035F0000-00007FFA03654000 Windows.FileExplorer.Common.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5848
    00007FFA40A90000-00007FFA40D4F000 iertutil.dll (Microsoft Corporation),
                                      Version: 11.0.19041.5848
    00007FFA48E30000-00007FFA48E3C000 netutils.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFA124F0000-00007FFA12512000 cldapi.dll (Microsoft Corporation),
                                      Version: 10.0.19041.5678
    00007FFA2F8A0000-00007FFA2F8AB000 FLTLIB.DLL (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    
    Process Trace
    1  C:\Windows\System32\SearchProtocolHost.exe [10204]
       "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Micr
    2  C:\Windows\System32\SearchIndexer.exe [6816]
       C:\Windows\system32\SearchIndexer.exe /Embedding
    3  C:\Windows\System32\services.exe [860]
    4  C:\Windows\System32\wininit.exe [788]
       wininit.exe
    
    Services
    6816  WSearch
    
    Dropped Files
    1  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.10.gthr
         Dropped by \Device\HarddiskVolume3\Windows\System32\SearchIndexer.exe [6816]
    2  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.10.Crwl
         Dropped by \Device\HarddiskVolume3\Windows\System32\SearchIndexer.exe [6816]
    
    Thumbprints
    5420818930a80df7d229b249c6699b66d03249f2ebe27761960f5563f53eadeb
     
    Last edited by a moderator: May 29, 2025
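As an added, defender-side illustration (not code from the thread, from Sophos or from HitmanPro), the following Python script parses the first blocked sector that WipeGuard dumped above. It assumes the standard NTFS FILE-record layout with 512-byte update-sequence strides; its only input is the hex dump copied from the post. It shows that the "FILE0" data is an in-use MFT record whose $FILE_NAME is $MFT, that is, the master file table's own entry, and lists the record's attributes and data runs. Knowing what a flagged boot-area write actually contained is the first thing a responder wants before deciding whether it is bootkit activity or ordinary filesystem metadata maintenance.

```python
import struct

# Sector 0 of the write blocked in the first WipeGuard report above (copied
# from the post); the parser uses only the hex columns.
WIPEGUARD_DUMP = """
0000  46 49 4C 45 30 00 03 00 D0 BD 03 14 01 00 00 00  FILE0...........
0010  01 00 01 00 38 00 01 00 A0 01 00 00 00 04 00 00  ....8...........
0020  00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00  ................
0030  0A 01 00 00 00 00 00 00 10 00 00 00 60 00 00 00  ............`...
0040  00 00 18 00 00 00 00 00 48 00 00 00 18 00 00 00  ........H.......
0050  00 D6 94 0F B8 C9 DB 01 00 D6 94 0F B8 C9 DB 01  ................
0060  00 D6 94 0F B8 C9 DB 01 00 D6 94 0F B8 C9 DB 01  ................
0070  06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0080  00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00  ................
0090  00 00 00 00 00 00 00 00 30 00 00 00 68 00 00 00  ........0...h...
00A0  00 00 18 00 00 00 03 00 4A 00 00 00 18 00 01 00  ........J.......
00B0  05 00 00 00 00 00 05 00 00 D6 94 0F B8 C9 DB 01  ................
00C0  00 D6 94 0F B8 C9 DB 01 00 D6 94 0F B8 C9 DB 01  ................
00D0  00 D6 94 0F B8 C9 DB 01 00 40 00 00 00 00 00 00  .........@......
00E0  00 40 00 00 00 00 00 00 06 00 00 00 00 00 00 00  .@..............
00F0  04 03 24 00 4D 00 46 00 54 00 00 00 00 00 00 00  ..$.M.F.T.......
0100  80 00 00 00 50 00 00 00 01 00 40 00 00 00 06 00  ....P.....@.....
0110  00 00 00 00 00 00 00 00 7F 77 01 00 00 00 00 00  .........w......
0120  40 00 00 00 00 00 00 00 00 00 78 17 00 00 00 00  @.........x.....
0130  00 00 78 17 00 00 00 00 00 00 78 17 00 00 00 00  ..x.......x.....
0140  33 20 C8 00 00 00 0C 43 60 AF 00 6C E0 88 00 00  3 .....C`..l....
0150  B0 00 00 00 48 00 00 00 01 00 40 00 00 00 05 00  ....H.....@.....
0160  00 00 00 00 00 00 00 00 0C 00 00 00 00 00 00 00  ................
0170  40 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00  @...............
0180  08 C0 00 00 00 00 00 00 08 C0 00 00 00 00 00 00  ................
0190  21 0D 39 0E 00 00 00 00 FF FF FF FF 00 00 00 00  !.9.............
01A0  FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00  ................
01B0  FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00  ................
01C0  FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00  ................
01D0  FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00  ................
01E0  08 10 00 00 00 00 00 00 08 10 00 00 00 00 00 00  ................
01F0  31 01 FF FF 0B 31 01 26 00 F4 00 00 00 00 0A 01  1....1.&........
"""

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
              0x80: "$DATA", 0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP"}


def parse_hexdump(text):
    """Rebuild bytes from 'offset  16 hex bytes  ascii' lines."""
    out = bytearray()
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) >= 17:
            out += bytes.fromhex("".join(tok[1:17]))
    return bytes(out)


def apply_fixups(rec):
    """Undo update-sequence fixups: the last 2 bytes of each 512-byte stride hold
    the USN; the real bytes live in the update sequence array (USA)."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):                  # entry 0 is the USN itself
        end = i * 512 - 2
        if end + 2 > len(buf):                     # only sector 0 was logged
            break
        if buf[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch at 0x{end:X}: torn record")
        buf[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def decode_runlist(rec, off):
    """Data runs -> [(first_lcn, cluster_count)]; run offsets are signed deltas."""
    runs, lcn = [], 0
    while rec[off] != 0:
        len_bytes, off_bytes = rec[off] & 0xF, rec[off] >> 4
        count = int.from_bytes(rec[off + 1:off + 1 + len_bytes], "little")
        start = off + 1 + len_bytes
        if off_bytes:                              # no offset bytes = sparse run
            lcn += int.from_bytes(rec[start:start + off_bytes], "little", signed=True)
        runs.append((lcn, count))
        off = start + off_bytes
    return runs


def parse_file_record(rec):
    """Parse the FILE record header, then walk its attribute list."""
    if rec[:4] != b"FILE":
        raise ValueError("not an NTFS FILE record")
    rec = apply_fixups(rec)
    _seq, _links, attr_off, flags, used, alloc = struct.unpack_from("<HHHHII", rec, 16)
    info = {"in_use": bool(flags & 1), "directory": bool(flags & 2),
            "used_size": used, "allocated_size": alloc, "attributes": []}
    off = attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF:                    # end-of-attributes marker
            break
        if alen == 0:
            raise ValueError("zero-length attribute: corrupt record")
        attr = {"type": ATTR_NAMES.get(atype, hex(atype)), "non_resident": bool(rec[off + 8])}
        if attr["non_resident"]:
            last_vcn, run_off = struct.unpack_from("<QH", rec, off + 24)
            attr["clusters"] = last_vcn + 1
            attr["runs"] = decode_runlist(rec, off + run_off)
        elif atype == 0x30:                        # $FILE_NAME body: name length at +0x40
            body = off + struct.unpack_from("<H", rec, off + 20)[0]
            n = rec[body + 0x40]
            attr["file_name"] = rec[body + 0x42:body + 0x42 + 2 * n].decode("utf-16-le")
        info["attributes"].append(attr)
        off += alen
    return info
```

Call `parse_file_record(parse_hexdump(WIPEGUARD_DUMP))` to get a dictionary with the record flags, sizes, and the four attributes ($STANDARD_INFORMATION, $FILE_NAME "$MFT", a non-resident $DATA of 96128 clusters in two runs, and a 13-cluster $BITMAP). The fixup check is deliberate: if the update sequence number at the end of the sector did not match the USA, the record would be torn, which is itself a symptom of the kind of on-disk corruption that a disk repair would fix.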
  6. Dean Mitchener

    Dean Mitchener Registered Member

    Joined:
    May 29, 2025
    Posts:
    3
    Location:
    London
    @RonnyT

    Any chance you can take a look at my logs attached please?
    I'm a registered CISSP so a bit paranoid about this.

    Any help here would be much appreciated!

    Best regards

    Deano
     
  7. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    717
    Location:
    Planet Earth
    Hi Dean,

    Would you mind shooting a ticket to support@hitmanpro.com so we can take it from there?
    It looks like it misidentified the offending process; I would like to figure out where these "FILE0" / "@....." entries might be coming from.

    btw this post probably should have ended up here:
    https://www.wilderssecurity.com/threads/hitmanpro-alert-support-and-discussion-thread.324841/
     
  8. Dean Mitchener

    Dean Mitchener Registered Member

    Joined:
    May 29, 2025
    Posts:
    3
    Location:
    London
    Hi Ronny,

    Great, thanks, I will post on that other thread. I figured out what it is..... it was a corruption on the C drive of some sort. After a lot of WipeGuard messages, one popped up from Windows saying it needed to repair the C drive. Rebooted and it repaired some blocks, and then no more WipeGuard messages.
     