HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. lyldz

    lyldz Registered Member

    Joined:
    Jun 4, 2016
    Posts:
    20
    Location:
    turkey
    I would like to ask an off-topic question. Is this KeyboardGuard available in Sophos Home?
     
  2. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    680
    Location:
    Planet Earth
    Yes/No only as part of Home Premium license.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,387
    Location:
    Among the gum trees
    I just got this on boot of my machine, even before the log in screen appeared:

    Code:
    Mitigation   HeapHeapProtect
    Timestamp    2023-11-24T18:48:24
    
    Platform     10.0.19045/x64 v971 06_5e
    PID          6912
    Service      XTU3SERVICE
    Feature      00FD2E70000001AE
    Application  C:\Windows\SysWOW64\XtuService.exe
    Created      2021-02-24T00:19:30
    Description  XtuService 7.3
    
    Callee Type  ProtectVirtualMemory
                 0x0000019A6E9F2000 (23004 bytes)
    
    Shellcode (HHP) (0x000059DC bytes : start at 0000019A6E9F2000)
    Target address info: XtuApplicationInterfaces.dll
    Owner of CALLER: (anonymous; allocated by 00007FFE04F9C0AA, clr.dll)
    
    OwnerModule
    Name         clr.dll
    Path         C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
    Thumbprint   11e3e707cf3877d15911a2bbc728858d0f18e53d18566ae5b42ad94d8cab8c56
    SHA-256      157ac3f5978f8561b9d3d0951e13501baeb8b0a7400d85b92878758ab2137b94
    SHA-1        dbd9928c7e19ec7842015482b56094602c4f5cff
    MD5          b53e50ccbb014395c303f0cda37ce44d
    
    Current process is signed
    OwnerModule is signed
    
    00007FFDA5831E86  ffd0                     CALL         RAX
    00007FFDA5831E88  488b5580                 MOV          RDX, [RBP-0x80]
    00007FFDA5831E8C  c6420c01                 MOV          BYTE [RDX+0xc], 0x1
    00007FFDA5831E90  833d7db6f45f00           CMP          DWORD [RIP+0x5ff4b67d], 0x0
    00007FFDA5831E97  7406                     JZ           0x7ffda5831e9f
    00007FFDA5831E99  ff1589d3f35f             CALL         QWORD [RIP+0x5ff3d389]
    00007FFDA5831E9F  894598                   MOV          [RBP-0x68], EAX
    00007FFDA5831EA2  837d9800                 CMP          DWORD [RBP-0x68], 0x0
    00007FFDA5831EA6  0f95c0                   SETNZ        AL
    00007FFDA5831EA9  0fb6c0                   MOVZX        EAX, AL
    00007FFDA5831EAC  89459c                   MOV          [RBP-0x64], EAX
    00007FFDA5831EAF  90                       NOP        
    00007FFDA5831EB0  90                       NOP        
    00007FFDA5831EB1  90                       NOP        
    00007FFDA5831EB2  90                       NOP        
    00007FFDA5831EB3  90                       NOP        
    
    ----- SNIP HERE -----
    AAApAQAQg6X9fwAAhh6Dpf1/AAAAEIOl/X8AAABwAwAASGPJSANN4ItV2Ehj0kgDykiJTcBpjXz///9oFjNxgfF6H5bfiY1s////6Z75//9Ii41I/v//ug8AAABIO1EIcgXoeVKrX0iNTJEQiwlIi5VA/v//uA8AAABIO0IIcgXoW1KrX0iNVIIQMwqJjQj///9Ii41I/v//uA8AAABIO0EIcgXoN1KrX0iNTIEQi5UI////iRFpjXz////M74KLgfGE54sYiY1s////6R35//+LTbjBwRuJTbxpjXz///+Rk0o5gfGub2R5iY1s////6fn4//9Ii41I/v//uggAAABIO1EIcgXo1FGrX0iNTJEQiwlIi5VA/v//uAgAAABIO0IIcgXotlGrX0iNVIIQAwqJjfj+//9Ii41I/v//uAgAAABIO0EIcgXoklGrX0iNTIEQi5X4/v//iRFpjXz///8jkfe0gfGgShZLiY1s////6Xj4//9Ii41I/v//ugIAAABIO1EIcgXoU1GrX0iNTJEQiwlIi5VA/v//uAIAAABIO0IIcgXoNVGrX0iNVIIQAwqJjeT+//9Ii41I/v//uAIAAABIO0EIcgXoEVGrX0iNTIEQi5Xk/v//iRFIi41I/v//ugMAAABIO1EIcgXo7VCrX0iNTJEQiwlIi5VA/v//uAMAAABIO0IIcgXoz1CrX0iNVIIQMwqJjeD+//9Ii41I/v//uAMAAABIO0EIcgXoq1CrX0iNTIEQi5Xg/v//iRFIi41I/v//ugQAAABIO1EIcgXoh1CrX0iNTJEQiwlIi5VA/v//uAQAAABIO0IIcgXoaVCrX0iNVIIQD68KiY3c/v//SIuNSP7//7gEAAAASDtBCHIF6ERQq19IjUyBEIuV3P7//4kRaY18////5lfqIYHxnW9oPImNbP///+kq9///M8mJTYBpjXz///9ElFyQgfFbBKkYiY1s////6Qr3//9IuTJtRgP+fwAAuhAAAADoqO17X0iJhRj+//9Ii40Y/v//SImNSP7//2mNfP///7d3kQmB8TaIceiJjWz////pxvb//8dFvDpNIUHHRbiqiZhGaY18////jRwkfIHxUF4DIYmNbP///+md9v//i02UiU2waY18////LvMXvYHxWI9xLYmNbP///+l89v//M8mJTYTHhWz////g3Wsa6Wj2///HRbBsTz6kaY18////Xa6NXIHxvIZoZYmNbP///+lG9v//i02YO02ccxbHhRD////nhPgFx4UM////54T4BesUx4UQ////GmYnWseFDP///xpmJ1qLjRD///+JjWz////pA/b//0iLjVD+//8z0jkJ6PVu1l8Pt8iJjaD+//+DvaD+//88D5TBD7bJiY3U/v//6wgzwImF1P7//4uN1P7//w+2yYlN9EiLjVj+///op/sUXkiJhcj+//9Ii43I/v//6LSjHV5IiYXA/v//SIuNwP7//0iJTehIi03ouDwAAABIY8CLDAFIY8lIA03oSIlN4MeFbP/////TrS3pZ/X//0iLjUj+//+4CwAAAEg7QQhyBehCTqtfSI1MgRCLCUiLhUD+//+6CwAAAEg7UAhyBegkTqtfSI1EkBADCImNrP7//0iLjUj+//+6CwAAAEg7UQhyBegATqtfSI1MkRCLhaz+//+JAUiLjUj+//+4DAAAAEg7QQhyBejcTatfSI1MgRCLCUiLhUD+//+6DAAAAEg7UAhyBei+TatfSI1EkBAzCImNqP7//0iLjUj+//+6DAAAAEg7UQhyBeiaTatfSI1MkRCLhaj+//+JAWmNfP///4TL5SKB8Tabew+JjWz////pgPT//0iLjUj+//8zwEg7QQhyBeheTatfSI1MgRCLCUiLhUD+//8z0kg7UAhyBehDTatfSI1EkBAzCImNaP7//0iLjUj+//8z0kg7UQhyBegiTatfSI1MkRCLhWj+//+JAWmNfP///3wI/fqB8dA5
0lSJjWz////pCPT//4tNvMHBFYlNsGmNfP///6YNR2+B8VfduTOJjWz////p5PP//0iLTaBIiY3w/v//uQQAAABIY8lIA02gSIlNoItNvEiLhfD+//8zCANNuItFtA+vRbADyIlNlItNuIlNvItNtIlNuMeFbP///7xQ4iDpk/P//0iLTehIiY2A/v//SIuNgP7//0iJjXj+//+DffQAdSVIi414/v//SImNcP7//0iLTcC4BAAAAEhjwIsMAYmNbP7//+sjSIuNeP7//0iJjXD+//9Ii03AuAwAAABIY8CLDAGJjWz+//+LjWz+//9IY8lIA41w/v//SIlN0MeFbP///4jzlj7pCfP//zPJiU2QaY18////dhoHBIHxqdSXHImNbP///+np8v//x0WIQAAAAGmNfP///6RdK1KB8UxGB7OJjWz////px/L//0iLjUD+//+LRZBIO0EIcgXopEurX0iNTIEQi0W4iQFpjXz////H1q97gfH/L/eEiY1s////6Y3y//+QSI1l+F9dw0iLjUj+//+4CQAAAEg7QQhyBehgS6tfSI1MgRCLCUiLhUD+//+6CQAAAEg7UAhyBehCS6tfSI1EkBAzCImNLP///0iLjUj+//+6CQAAAEg7UQhyBegeS6tfSI1MkRCLhSz///+JAUiLjUj+//+4CgAAAEg7QQhyBej6SqtfSI1MgRCLCUiLhUD+//+6CgAAAEg7UAhyBejcSqtfSI1EkBAPrwiJjSj///9Ii41I/v//ugoAAABIO1EIcgXot0qrX0iNTJEQi4Uo////iQFpjXz///+j+SfVgfGOG3YViY1s////6Z3x//+LTYD/wYlNgGmNfP///zg7+ieB8bP/NDKJjWz////pevH//8dFtKSlamRpjXz///9xTIjVgfEKkipkiY1s////6Vjx//9Ii03guAYAAABIY8APtwwBiU3caY18////uPoIaYHxAm1YAYmNbP///+kq8f//i02wiU24aY18////JlNhyYHxPKo9NYmNbP///+kJ8f//g32IQHUWx4VE////772DMseFQP///++9gzLrFMeFRP///7Y6MXPHhUD///+2OjFzaY18////efme9TONRP///4mNbP///+m+8P//SIuNUP7//zkJ6HJq1l+Jhdj+//+Dvdj+//8AD47I+v//aYV8////c5Dk+DVx87njiYVs////6YPw//+LRbTBwB2JRbiLRbDBwBmJRbRphXz////spwBRNYosRLeJhWz////pV/D//4N9qAB0FseFjP7//5zL+h7HhYj+//+cy/oe6xTHhYz+//8aZidax4WI/v//GmYnWouFjP7//4mFbP///+kW8P//gX2ofMkhHHUWx4Uk////fRmH6seFIP///30Zh+rrFMeFJP///yGQ4KHHhSD///8hkOChaYV8////RivyEjOFJP///4mFbP///+nI7///M8CJRaxphXz///8uYFjpNRRrTpeJhWz////pqe///0iLhUj+//+LVYSD4g+L0otICEg70XIF6H9Iq19IjUSQEIsASItV0DECSItF0EiJhTj///+4BAAAAEhjwEgDRdBIiUXQSIuFSP7//4tVhIPiD4vSi0gISDvRcgXoO0irX0iNRJAQiwBIi5U4////MwIFGSi7PYmFNP///0iLhUj+//+LVYSD4g+L0otICEg70XIF6ARIq19IjUSQEIuVNP///4kQx4Vs////NoJtPen27v//uCAAAABIY8BIA0XASIlFwItFrP/AiUWsx4Vs////bMW4VunP7v//SIuFSP7//7oNAAAASDtQCHIF6KpHq19IjUSQEIsASIuVQP7//7kNAAAASDtKCHIF6IxHq19IjVSKEA+vAomFBP///0iLhUj+//+5DQAAAEg7SAhyBehnR6tfSI1EiBCLlQT///+JEEiLhUj+//+6DgAAAEg7UAhyBehDR6tfSI1EkBCLAEiLlUD+//+5DgAAAEg7Sghy
BeglR6tfSI1UihADAomFAP///0iLhUj+//+5DgAAAEg7SAhyBegBR6tfSI1EiBCLlQD///+JEGmFfP///2VXUGg1qvR5PomFbP///+no7f//SItFwEiJhZj+//+4BAAAAEhjwEgDRcBIiUXASItFwEiJhZD+//+4BAAAAEhjwEgDRcBIiUXASIuFmP7//4sASIuVkP7//w+vAolFqMeFbP///2N1zXjpje3//5BIjWX4X13DAAAAAAAAAM8FAACOBgAAZA0AAP8DAADtCwAA4BIAANoMAABQBwAApRAAAKwBAAAWEAAAQw8AAIUSAADMAAAA8w4AAGMJAADxCQAA4A0AAGoKAABDCQAA2gEAAGUMAAAGCwAAhA0AAKYEAADQCQAA0QMAAC0FAACvDwAA9QcAAGMAAABbAgAAiQwAAOwAAAB0BwAANQMAAOkEAACeEQAA6g8AANAOAADPBgAApwkAACcKAACeAgAAFQ8AAHcRAABuBQAAkQUAAFcQAADoDQAAtgMAAIEEAACRAQAApg0AAO0CAAAFCgAAxBAAAGQPAAAPAQAABAYAABkJBAAJAUEAAnABUEAAAAAAAAAAAAAAAPgLi6X9fwAAVUFXQVZBVUFUV1ZTSIHsuAAAAEiNrCTwAAAATImVeP///zPbSIldoEiJTRCJVRhEiUUgTIlNKEiNjUD///9Ji9LoiidpX0iJRYBIi8xIiY1g////SIvNSImNcP///0iLTYBIjYVA////SIlBEEiLjXj////o1/t3X0UzyUSJTcSQTItNEEyJTbiQkESLTRhNY8lMiU2wkJBEi00gTWPJTIlNqJCQTItNKEyJTaCQkJBMi414////uSAAAABIY8lNiwwJTYsJTIlNkJBMi02gSItNuEiLVbBMi0WoRTPbSIuFeP///0iJhVD///9IjQUVAAAASImFaP///0iLRYDGQAwASItFkP/QSItVgMZCDAGDPX229F8AdAb/FYnT81+JRZiDfZgAD5XAD7bAiUWckJCQkJCQkJCQi0WciUWM6wCLRYwPtsBIi1WAxkIMAUiLVYBIi41I////SIlKEEiNZchbXl9BXEFdQV5BX13DAAAZEwoAEwEXAAwwC2AKcAnAB9AF4APwAVBAAAAAAAAAAAAAAAAAAAAAyAyLpf1/AABVV0iB7DgBAABIjawkQAEAAEiNveD+//+5RgAAADPA86uDPegm7/8AdAXoMRarX8dF9MAAAADHRdDnUkZCi0XQNQGN3QiJRcyLRcyJRdSLRcy5JwAAADPS9/GJlUj///+DvUj///8mdx6LlUj///+L0kiNDeAMAACLDJFIjQWf////SAPI/+GQ6cMMAABIi5U4////i03cSDtKCHIF6B5Dq19IjVSKEEiJlSD///+LVdhIi40g////MRFpVdRY8UKNgfIH4Ic3iVXQ6W7///+LVfTB4gKL0ki5yk9GA/5/AP4pAv+5RikDADPA86uDPegm7/8AdAXoMRarX8dF9MAp
    ----- END SNIP -----
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFE1CC5C976 KernelBase.dll           VirtualProtect +0x36
    
    2  00007FFDA5831E88 (anonymous; clr.dll)  
                        488b5580                 MOV          RDX, [RBP-0x80]
                        c6420c01                 MOV          BYTE [RDX+0xc], 0x1
                        833d7db6f45f00           CMP          DWORD [RIP+0x5ff4b67d], 0x0
                        7406                     JZ           0x7ffda5831e9f
                        ff1589d3f35f             CALL         QWORD [RIP+0x5ff3d389]
                        894598                   MOV          [RBP-0x68], EAX
                        837d9800                 CMP          DWORD [RBP-0x68], 0x0
                        0f95c0                   SETNZ        AL
                        0fb6c0                   MOVZX        EAX, AL
                        89459c                   MOV          [RBP-0x64], EAX
                        90                       NOP        
                        90                       NOP        
                        90                       NOP        
                        90                       NOP        
                        90                       NOP        
                        90                       NOP        
    
    3  00007FFDA5866AF0 (anonymous; clr.dll)  
    4  00007FFDA5865F1B (anonymous; clr.dll)  
    5  00007FFE04FF12C3 clr.dll                
    6  00007FFE04EB961B clr.dll                
    7  00007FFE04EB95AF clr.dll                
    8  00007FFE04EB9445 clr.dll                
    9  00007FFE04EB931C clr.dll                
    10 00007FFE04EBBA21 clr.dll                
    
    Loaded Modules (68)
    -----------------------------------------------------------------------------
    0000019A55510000-0000019A55526000 XtuService.exe (Intel(R) Corporation),
                                      version: 7.3.0.33
    00007FFE1F070000-00007FFE1F268000 ntdll.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1E9D0000-00007FFE1EA8D000 KERNEL32.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE05A60000-00007FFE05AC5000 MSCOREE.DLL (Microsoft Corporation),
                                      version: 10.0.19041.1 (WinBuild.160101.0800)
    00007FFE1CBF0000-00007FFE1CEE6000 KERNELBASE.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1C4B0000-00007FFE1C5F7000 hmpalert.dll (Sophos B.V.),
                                      version: 3.8.25.971
    00007FFE1EB80000-00007FFE1EC2F000 ADVAPI32.dll (Microsoft Corporation),
                                      version: 10.0.19041.3693 (WinBuild.160101.0800)
    00007FFE1D0D0000-00007FFE1D16E000 msvcrt.dll (Microsoft Corporation),
                                      version: 7.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1DA10000-00007FFE1DAAC000 sechost.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1EC60000-00007FFE1ED86000 RPCRT4.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE05850000-00007FFE058EB000 mscoreei.dll (Microsoft Corporation),
                                      version: 4.8.9093.0 built by: NET481REL1LAST_C
    00007FFE1EFB0000-00007FFE1F005000 SHLWAPI.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1A4E0000-00007FFE1A4F2000 kernel.appcore.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE17AF0000-00007FFE17AFA000 VERSION.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE04E60000-00007FFE05804000 clr.dll (Microsoft Corporation),
                                      version: 4.8.9181.0 built by: NET481REL1LAST_C
    00007FFE1DDD0000-00007FFE1DF6E000 USER32.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1CAC0000-00007FFE1CAE2000 win32u.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1EC30000-00007FFE1EC5C000 GDI32.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1C750000-00007FFE1C86A000 gdi32full.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1CA20000-00007FFE1CABD000 msvcp_win.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1CAF0000-00007FFE1CBF0000 ucrtbase.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE04E50000-00007FFE04E5C000 VCRUNTIME140_1_CLR0400.dll (Microsoft Corporation),
                                      version: 14.32.31326.0
    00007FFE04E30000-00007FFE04E4B000 VCRUNTIME140_CLR0400.dll (Microsoft Corporation),
                                      version: 14.32.31326.0
    00007FFE04D60000-00007FFE04E2D000 ucrtbase_clr0400.dll (Microsoft Corporation),
                                      version: 14.32.31326.0
    00007FFE1D8C0000-00007FFE1D8F0000 IMM32.DLL (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE03460000-00007FFE04A6F000 mscorlib.ni.dll (Microsoft Corporation),
                                      version: 4.8.9181.0 built by: NET481REL1LAST_C
    00007FFE1EDA0000-00007FFE1EECB000 ole32.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1E000000-00007FFE1E354000 combase.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1C990000-00007FFE1CA12000 bcryptPrimitives.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1BEC0000-00007FFE1BED8000 CRYPTSP.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1B600000-00007FFE1B634000 rsaenh.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1D0A0000-00007FFE1D0C7000 bcrypt.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1BEE0000-00007FFE1BEEC000 CRYPTBASE.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE03140000-00007FFE0326F000 clrjit.dll (Microsoft Corporation),
                                      version: 4.8.9181.0 built by: NET481REL1LAST_C
    00007FFE1BF70000-00007FFE1BF9D000 wldp.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE14490000-00007FFE144AF000 amsi.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1C640000-00007FFE1C66E000 USERENV.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1C680000-00007FFE1C6A5000 profapi.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE143E0000-00007FFE1448E000 symamsi.dll (Broadcom),
                                      version: 15.7.12.41
    00007FFE1C870000-00007FFE1C8D7000 WINTRUST.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1CF40000-00007FFE1D09D000 CRYPT32.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1D170000-00007FFE1D8B4000 SHELL32.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1E900000-00007FFE1E9CD000 OLEAUT32.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1C100000-00007FFE1C112000 MSASN1.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1F010000-00007FFE1F02D000 imagehlp.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1AE90000-00007FFE1AEB3000 gpapi.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE02520000-00007FFE0313C000 System.ni.dll (Microsoft Corporation),
                                      version: 4.8.9206.0 built by: NET481REL1LAST_B
    00007FFE02150000-00007FFE02196000 System.ServiceProcess.ni.dll (Microsoft Corporation),
                                      version: 4.8.9037.0 built by: NET481REL1
    00007FFDFAA50000-00007FFDFAA7D000 System.Configuration.Install.ni.dll (Microsoft Corporation),
                                      version: 4.8.9037.0 built by: NET481REL1
    00007FFE11560000-00007FFE11591000 cryptnet.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1B9C0000-00007FFE1B9FB000 IPHLPAPI.DLL (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE16AE0000-00007FFE16AEB000 WINNSI.DLL (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1EA90000-00007FFE1EA98000 NSI.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFDFA8E0000-00007FFDFAA46000 System.Management.ni.dll (Microsoft Corporation),
                                      version: 4.8.9037.0 built by: NET481REL1
    00007FFDFA800000-00007FFDFA82F000 wminet_utils.dll (Microsoft Corporation),
                                      version: 4.8.9037.0 built by: NET481REL1
    00007FFE1DB10000-00007FFE1DBB9000 clbcatq.dll (Microsoft Corporation),
                                      version: 2001.12.10941.16384 (WinBuild.160101.080
    00007FFE14530000-00007FFE14558000 wmiutils.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE14E50000-00007FFE14EE0000 wbemcomn.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE14F10000-00007FFE14F21000 wbemprox.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1E360000-00007FFE1E3CB000 WS2_32.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE14560000-00007FFE14574000 wbemsvc.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE14600000-00007FFE1470B000 fastprox.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE1A6E0000-00007FFE1AE7B000 windows.storage.dll (Microsoft Corporation),
                                      version: 10.0.19041.3693 (WinBuild.160101.0800)
    00007FFE1E840000-00007FFE1E8ED000 SHCORE.dll (Microsoft Corporation),
                                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFE016C0000-00007FFE02146000 System.Core.ni.dll (Microsoft Corporation),
                                      version: 4.8.9200.0 built by: NET481REL1LAST_C
    00007FFDFFE50000-00007FFE016BC000 System.ServiceModel.ni.dll (Microsoft Corporation),
                                      version: 4.8.9037.0 built by: NET481REL1
    00007FFDFFB80000-00007FFDFFCB3000 System.Configuration.ni.dll (Microsoft Corporation),
                                      version: 4.8.9037.0 built by: NET481REL1
    00007FFDFF270000-00007FFDFFB20000 System.Xml.ni.dll (Microsoft Corporation),
                                      version: 4.8.9037.0 built by: NET481REL1
    
    Process Trace
    1  C:\Windows\SysWOW64\XtuService.exe [6912]
    2  C:\Windows\System32\services.exe [752]
    3  C:\Windows\System32\wininit.exe [1000]
       wininit.exe
    4  C:\Windows\System32\smss.exe [572]
       \SystemRoot\System32\smss.exe 000000a8 00000084
    5  C:\Windows\System32\smss.exe [432]
       \SystemRoot\System32\smss.exe
    6   [4]
    
    Services
    6912  XTU3SERVICE
    
    Dropped Files
    1  C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.23.5.106\CmnClnt\ccSetMgr\506848A311EE71F5E33007B7A176387A.DAT.log
         Dropped by  [4]
    2  C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.23.5.106\Product\Backup.dat.log
         Dropped by  [4]
    3  C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.23.5.106\SRTSP\SrtspSet.dat.log
         Dropped by  [4]
    
    Thumbprints
    4c28fef8ba7bdf053228228d788b6b56d3810d7c444179937a330ca07200a7ad (code)
    11e3e707cf3877d15911a2bbc728858d0f18e53d18566ae5b42ad94d8cab8c56 (hhp-ownermodule)
    47eda548bb173b4a61d8e830851e0805266d272daa77eb53f4a572d0e776c528 (hhp-fhsh-ownmod)
    
     
  4. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,271
    Mitigation HeapHeapProtect. Same as Krusty on boot. Suppressed.
     

    Attached Files: 1.txt (21.1 KB)
    Last edited: Nov 25, 2023
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,056
    Location:
    The Netherlands
    I have checked it out, but I do have a few questions. About Cookie Guard, can you tell me how it protects against infostealers? I mean, does it simply protect the browser profile folder (with cookies and passwords) or does it also protect browser memory?

    And I had to disable the Local Privilege Mitigation and Unexpected system calls protections in order to make Sandboxie work. With that I mean, every time I run a sandboxed process, HMPA will alert me about it. Is there any type of way to fix this problem?
     
  6. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    680
    Location:
    Planet Earth
    Hi @Krusty @deugniet
    Does this reproduce over every reboot?
    Can you produce this after reboot by stopping and starting the xtu3service?
    And are you both running Norton?
     
  7. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,271
    @RonnyT

    Running Norton 360 v22.23.10.10 (Win10 22H2 build 19045.3693).

    Cannot reproduce on every reboot. As a matter of fact I unsuppressed the first mitigation a while ago and had no further alerts. After your post of today I suppressed the HeapHeapProtect again. Restarted the machine and unsuppressed and then restarted the machine again: a mitigation HeapHeapProtect.

    Have yet to check the stopping and starting of the xtu3service.
     

    Attached Files: 1.txt (21.3 KB)
  8. scip

    scip Registered Member

    Joined:
    Feb 13, 2020
    Posts:
    41
    Location:
    internet
    hello,

    emsisoft emergency kit flags Hitmanpro alert as

    29.11.2023 01:23:29
    Scanner-Fund: Malware "Gen:Variant.Jaik.199660 (B)" in "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" (SHA1: 4ce9be59f7ec5a5be982bd31cbe2c48a0e635f19)

    I guess that this is a false positive but want to share it.

    cheers
     
  9. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    680
    Location:
    Planet Earth
    Doesn't reproduce on this end; also no hit from their engine on VirusTotal.
    The SHA1 is our legit version, so deffo an FP on their end.

    @scip If you run a new scan now does it still report it?
     
  10. scip

    scip Registered Member

    Joined:
    Feb 13, 2020
    Posts:
    41
    Location:
    internet
    @RonnyT
    hello,

    Today after a rescan I have no alert with EEK and also with NPE.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,387
    Location:
    Among the gum trees
    Also running Norton on this machine.
     
  12. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    680
    Location:
    Planet Earth
    @Krusty @deugniet can you reproduce this in any way? I can't on this end.
    I'd like to know if it's every boot.
    And what happens if you stop the XTU3service after boot and restart the service? Does it alert then also?
     
  13. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,271
    Disabling XTU3service (via Services) and re-enabling it again triggers a mitigation. Tried it twice and twice a mitigation. Not on every (re)boot a mitigation.
     

    Attached Files: 1.txt (19.2 KB)
  14. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    680
    Location:
    Planet Earth
    Weird, did you tweak any settings? And was this installed deliberately or as part of an OEM package install?
     
  15. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,271
    Tweak XTU3service? Not that I know of. Can't tell you if it's installed deliberately or part of an OEM package install.
     
  16. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    680
    Location:
    Planet Earth
  17. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,271
    See date. It's not that new.

    2.JPG
     
  18. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,271
    Checked the SWsetup folder of this HP laptop: the year starts with 2017. So no OEM.
     
  19. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,271
    It's an older version of XtuService.exe.

    3.JPG
     

  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,387
    Location:
    Among the gum trees
    Hi @RonnyT ,

    My machine is an HP as well. I have never installed Intel Extreme tuning utility / XtuService.exe, so it either came with some third-party software, or from HP itself at some point.

    @deugniet , have you ever had Norton Utilities Premium or Ultimate installed? I have uninstalled it from my machines. I wonder if it may have been left behind, but then it should not be running. Maybe Norton 360 installs it?

    Something worth noting: I, and I think @deugniet, have made exclusions in Norton for HMP.A because of an issue I found some time ago. Whenever Norton received an update to SONAR my CPU would run high until I restarted my machine/s. With the exclusion in place that never happened.

    So, both running Norton on HP machines, and probably both with exclusions for HMP.A.
     
  21. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,271
    @Krusty

    Never Norton Utilities Premium or Ultimate installed.
     
  22. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,271
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,387
    Location:
    Among the gum trees
  24. Sir Percy

    Sir Percy Registered Member

    Joined:
    Apr 22, 2010
    Posts:
    294
    I have this infrequently (4 times after boot) and I am on a new HP as well. I have not tweaked anything yet & do not have Norton installed.

    So 4 times, but it does not happen on every boot.
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,387
    Location:
    Among the gum trees
    Ah, that is interesting. @RonnyT , looks like HP machines are the common factor here.
     