HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    It does proceed.
     
  2. guest

    guest Guest

  3. guest

    guest Guest

    in my case, it failed at the very beginning.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I've been working with Ronny, but the Credential Protection is a killer. Kills all imaging I've tested against, and also kills things like Raxco Instant Recovery. You might want to test Rollback, no telling what will happen with it. The problem is in Windows\system32\config and the file is SAM. It's the credential file.
     
  5. guest

    guest Guest

    I disabled it but no avail...
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks Pete for trying to solve this one. Hope they can find a work-around. Maybe it'll have to be hard-coded :eek:.
     
  7. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Thanks for v720. All that wasn't working with 718 is now working fine. Well, except for the Macrium Reflect thing and Credential Theft Protection but you know about that one.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That would be tough unless they change the approach. Version 720 has Macrium Reflect whitelisted so it runs fine, but nothing else will. Whitelisting is workable, consider this. You would have to whitelist every imaging program, every disk backup, every rollback program like Instant Recovery. Care to guess how many that would be? I haven't a clue.
     
  9. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    This is to inform other users of HitmanPro.Alert 3.7.0 build 720 BETA along with Macrium Reflect 7.1.2646 (UEFI) about a possible BSOD scenario when booting into the Recovery Environment using the Boot Menu Option. Note the following system environment that for me this occurs on:
    • Windows 10 Pro 64-bit Version 1709 (OS Build 16299.19) (UEFI)
    • Macrium Reflect Home 7.1.2646 64-bit (UEFI)
    • HitmanPro.Alert 3.7.0 build 720 BETA
    Any attempt to boot into the Recovery Environment using the Boot Menu Option would always result in a BSOD when the Recovery Environment starts to load. More details on this issue can be found in the thread SSD and IDE/AHCI? starting with post # 41.

    For those running a setup the same as or similar to mine, you may want to test booting into the Recovery Environment using the Boot Menu Option to see if you have any issues.

    @erikloman @markloman @RonnyT
    You can find copies of the support ticket with Macrium Support with a good bit of information available. I also have copies of all of the dump file that I was able to retrieve saved in 7z format if you need them.
    Edit to add: I have uploaded the above mentioned files and emailed you in reference to this post the download link along with the password.
     
    Last edited: Oct 24, 2017
  10. plat1098

    plat1098 Guest

    At times like this, I take pride to be lazy and neglectful of my image. As I'd declined the Macrium recovery option, the only recourse would have been to reinstall windows and start completely from scratch. :'(

    Very much appreciated, @puff-m-d. :)
     
  11. Sand

    Sand Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    26
    With the latest Zemana AntiMalware, I need to add "zam.exe" to the exclusions in the Mitigation Exploit section in order to allow ZamSvc to start; otherwise it will not start even if I use it on demand.

    With the latest CyberGhostVPN, I need to add "CG6Service" to the exclusions in the Mitigation Exploit section too; the service is set to always autostart and otherwise it will always be stopped and won't allow a VPN connection, saying to reinstall the service.
     
  12. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello @plat1098,

    You are most welcome ;) ...

    Of course this issue may or may not affect other users as it could be due to my specific setup here. I just wanted to let others know of the possible issue for them and let the Loman brothers know the issue that I was having.
     
  13. guest

    guest Guest

    Not only backup programs are affected. Simple utilities or other anti malware products which are scanning the registry are also affected (for example: Glary Utilities #549, Zemana AntiMalware #550, Hitman Pro #609,...)
     
  14. newyorkjet

    newyorkjet Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    63
    Location:
    UK
    I'm getting exactly the same BSOD as puff-m-d with Macrium Reflect and Alert Build 720 Beta.
     
  15. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello @newyorkjet,

    I hate to say this as I hoped the issue was limited to my system but I was afraid others probably would be affected also :'( ...
     
  16. newyorkjet

    newyorkjet Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    63
    Location:
    UK
    Had to revert to Beta 718. Macrium Reflect Recovery environment now works after a reboot.
     
  17. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    Same Here.
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I didn't know that. So MR will work with Credential Theft Protection enabled in 720?
    Same config except I have MR Home v6.3.1835. No BSOD issue. Looks like a MR v7 issue?
     
    Last edited: Oct 25, 2017
  19. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Hi puff-m-d,

    Thanks for sharing the dump, we have analyzed the crash and this issue will be fixed in the next release.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Test it and see if it works. Only problem is it doesn't solve a huge problem.
     
  21. newyorkjet

    newyorkjet Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    63
    Location:
    UK
    Further to my post 666, I forgot to check whether 718 would boot in recovery environment to USB. It didn't (BSOD) so I have gone back to 3.6.7. build 604 and everything now works.
     
  22. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello @RonnyT,
    You are most welcome ;) ...
    I am just glad that Macrium Support and myself could figure out the cause of issue quickly so I could supply you with enough information to isolate the issue...
     
  23. CaptainLeonidasHMPA

    CaptainLeonidasHMPA Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    42
    Location:
    The Netherlands
    Some improvements but not there (yet).

    Mitigation APCViolation

    Platform 10.0.16299/x64 v720 06_3f
    PID 12460
    Application C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
    Description Microsoft .NET Framework optimization service 4.7

    APC intercepted:
    00510080 55 PUSH EBP
    00510081 8bec MOV EBP, ESP
    00510083 8b4d08 MOV ECX, [EBP+0x8]
    00510086 83ec08 SUB ESP, 0x8
    00510089 85c9 TEST ECX, ECX
    0051008B 7439 JZ 0x5100c6
    0051008D 0fb711 MOVZX EDX, WORD [ECX]
    00510090 6685d2 TEST DX, DX
    00510093 7431 JZ 0x5100c6
    00510095 56 PUSH ESI
    00510096 8b7104 MOV ESI, [ECX+0x4]
    00510099 83fe18 CMP ESI, 0x18
    0051009C 7227 JB 0x5100c5
    0051009E 8b4108 MOV EAX, [ECX+0x8]
    005100A1 0b410c OR EAX, [ECX+0xc]
    005100A4 741f JZ 0x5100c5

    Process Trace
    1 C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe [12460]
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe" /StopEvent:1484
    2 C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe [8820]
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe" /RuntimeWide /StopEvent:920
    3 C:\Windows\System32\taskhostw.exe [11004]
    taskhostw.exe -RegisterDevice -Periodic
    4 C:\Windows\System32\svchost.exe [1672]
    c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule

    Thumbprint
    b68e94775e3a2b290eccf10af35454a41f6eb4a812c86cbc35bb7a88e67265b5

    and

    Mitigation APCViolation

    Platform 10.0.16299/x64 v720 06_3f
    PID 9344
    Application C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool\WindowsDeviceRecoveryTool.exe
    Description Windows Device Recovery Tool 3.12

    APC intercepted:
    01210080 55 PUSH EBP
    01210081 8bec MOV EBP, ESP
    01210083 8b4d08 MOV ECX, [EBP+0x8]
    01210086 83ec08 SUB ESP, 0x8
    01210089 85c9 TEST ECX, ECX
    0121008B 7439 JZ 0x12100c6
    0121008D 0fb711 MOVZX EDX, WORD [ECX]
    01210090 6685d2 TEST DX, DX
    01210093 7431 JZ 0x12100c6
    01210095 56 PUSH ESI
    01210096 8b7104 MOV ESI, [ECX+0x4]
    01210099 83fe18 CMP ESI, 0x18
    0121009C 7227 JB 0x12100c5
    0121009E 8b4108 MOV EAX, [ECX+0x8]
    012100A1 0b410c OR EAX, [ECX+0xc]
    012100A4 741f JZ 0x12100c5

    Process Trace
    1 C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool\WindowsDeviceRecoveryTool.exe [9344]
    2 C:\Windows\explorer.exe [12584]
    3 C:\Windows\System32\userinit.exe [6284]
    4 C:\Windows\System32\winlogon.exe [8392]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    5 C:\Windows\System32\smss.exe [13572]
    \SystemRoot\System32\smss.exe 00000120 00000080 C:\WINDOWS\System32\WinLogon.exe -SpecialSession

    Thumbprint
    1d904e3163b2645b8f5aa2bb1225d0a3b02bdf4d72ce039ebde062340a206c8d
     
  24. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Win 10 Pro x64 v1709 16299.19, HMP.A 3.7.0 build 720 beta.

    Repeatedly, while trying to retrieve update from developer's site via SUMo in Sandboxie'd Firefox:

    Mitigation ROP

    Platform 10.0.16299/x64 v720 06_45
    PID 24532

    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 56.0.2

    Callee Type LoadLibrary

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFAB0EB966D KernelBase.dll
    2 00007FFAB4768508 ntdll.dll
    3 00007FFAB4750F56 ntdll.dll __C_specific_handler +0x96
    4 00007FFAB4764C3D ntdll.dll __chkstk +0x11d
    5 00007FFAB46DD1B8 ntdll.dll
    6 00007FFAB4763B6E ntdll.dll KiUserExceptionDispatcher +0x2e

    7 00007FFA6453AA01 xul.dll
    cc INT 3

    8 00007FFA64C8CAAA xul.dll
    9 00007FFA64C75F62 xul.dll
    10 00007FFA649C7D1E xul.dll

    Code Injection
    0000025DACA84000-0000025DACA85000 4KB C:\Program Files\Mozilla Firefox\firefox.exe [21776]
    00007FFAB4760000-00007FFAB4761000 4KB
    00007FFAB4762000-00007FFAB4763000 4KB
    00007FFAB475F000-00007FFAB4760000 4KB
    1 C:\Program Files\Mozilla Firefox\firefox.exe [21776]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://www.kcsoftwares.com/sumo/view.php?uid=xxxxxxxxx&ProductName=WinScan2PDF&Company=Nenad Hrg (SoftwareOK.com)&prot=2&redirect&pro
    2 C:\Program Files\Mozilla Firefox\firefox.exe [26728]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://www.kcsoftwares.com/sumo/view.php?uid=xxxxxxxxx&ProductName=WinScan2PDF&Company=Nenad Hrg (SoftwareOK.com)&prot=2&redirect&pro"
    3 C:\Program Files\Sandboxie\SbieSvc.exe [4524]

    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [24532]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="21776.13.1203227378\867131458" -childID 2 -isForBrowser -intPrefs 5:50|6:-1|28:1000|33:20|34:10|43:128|44:10000|49:0|51:400|52:1|53:0|54:0|59:0|60:120|61:120|92:2|93:1|107:5000|118:0|12
    2 C:\Program Files\Mozilla Firefox\firefox.exe [21776]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://www.kcsoftwares.com/sumo/view.php?uid=xxxxxxxxx&ProductName=WinScan2PDF&Company=Nenad Hrg (SoftwareOK.com)&prot=2&redirect&pro
    3 C:\Program Files\Mozilla Firefox\firefox.exe [26728]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://www.kcsoftwares.com/sumo/view.php?uid=xxxxxxxxx&ProductName=WinScan2PDF&Company=Nenad Hrg (SoftwareOK.com)&prot=2&redirect&pro"
    4 C:\Program Files\Sandboxie\SbieSvc.exe [4524]

    Thumbprint
    65b08153b6f661f989e3612ad52cf5c1192ecd4df327f9082c26b98b91b224b3
     
    Last edited: Oct 27, 2017
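A small parser for the mitigation reports pasted in posts 23 and 25, added here as an example and not part of the thread or of HitmanPro.Alert itself; it assumes the report layout shown above (key/value header lines, a Process Trace whose entries end in [pid], a 64-hex Thumbprint) and embeds a constructed sample in that layout so it can be run offline when triaging such alerts.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the HitmanPro.Alert reports quoted in this thread
# (header values from the Firefox ROP report above; process trace shortened).
SAMPLE = r"""Mitigation ROP
Platform 10.0.16299/x64 v720 06_45
PID 24532
Application C:\Program Files\Mozilla Firefox\firefox.exe
Description Firefox 56.0.2
Callee Type LoadLibrary
Process Trace
1 C:\Program Files\Mozilla Firefox\firefox.exe [24532]
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -childID 2
2 C:\Program Files\Mozilla Firefox\firefox.exe [21776]
3 C:\Program Files\Sandboxie\SbieSvc.exe [4524]
Thumbprint
65b08153b6f661f989e3612ad52cf5c1192ecd4df327f9082c26b98b91b224b3"""

@dataclass
class Alert:
    fields: dict = field(default_factory=dict)   # Mitigation, Platform, PID, Application, ...
    trace: list = field(default_factory=list)    # (depth, exe path, pid); entry 1 is the alerting process
    thumbprint: str = ""

TRACE_RE = re.compile(r"^(\d+) (.+?) \[(\d+)\]$")

def parse_alert(text: str) -> Alert:
    # Split one report into header fields, the process ancestry chain and the thumbprint.
    alert, section = Alert(), "header"
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line == "Process Trace":
            section = "trace"
        elif line == "Thumbprint":
            section = "thumb"
        elif section == "trace":
            m = TRACE_RE.match(line)   # command-line continuation lines carry no [pid]
            if m:
                alert.trace.append((int(m[1]), m[2], int(m[3])))
        elif section == "thumb" and re.fullmatch(r"[0-9a-f]{64}", line):
            alert.thumbprint = line
        else:
            key, _, val = line.partition(" ")
            if key == "Callee":   # "Callee Type <name>" is a two-word key
                key, val = "Callee Type", val.partition(" ")[2]
            alert.fields[key] = val
    return alert

def chain(alert: Alert) -> str:
    # Render the ancestry child -> parent, the way it is read during triage.
    return " -> ".join(p.rsplit("\\", 1)[-1] for _, p, _ in alert.trace)
```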