HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. osmandemi

    osmandemi Registered Member

    Joined:
    May 5, 2010
    Posts:
    115
Hello, CookieGuard is preventing me from updating the Internet Download Manager program. It closes the program.
    Code:
    Mitigation   CookieGuard
    Timestamp    2024-02-24T07:41:27
    
    Platform     10.0.22621/x64 v979 af_61
    PID          8724
    WoW          x86
    Feature      00FD2E70000000A6
    Application  C:\Program Files (x86)\Internet Download Manager\IDMan.exe
    Created      2023-12-06T19:59:48
    Description  Internet Download Manager (IDM) 6.42.3
    
    Attempt to read protected Edge data
    SHA-256      8eeddaa5d3b04ce46ee4dbe6b5b875ddb186af00260d63a148e8b366e28b40e4
    SHA-1        e2d6983d646ceb5a5d85ce2626dc7b99cb270f61
    MD5          18dec5a7201493e8ad02259edcc92cf6
    
    Process is marked as signed
    Certhash could be obtained
    CertHash: 74a673ff
    
    Loaded Modules (97)
    -----------------------------------------------------------------------------
    00090000-00658000 IDMan.exe (Tonec Inc.),
                      version: 6, 42, 3, 3
    77160000-77311000 ntdll.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    75B50000-75C40000 KERNEL32.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    739F0000-73B34000 hmpalert.dll (Sophos B.V.),
                      version: 3.8.26.979
    756E0000-75954000 KERNELBASE.dll (Microsoft Corporation),
                      version: 10.0.22621.3155 (WinBuild.160101.0800)
    76B40000-76CE8000 USER32.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    75FD0000-75FEA000 win32u.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    75B20000-75B43000 GDI32.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    75090000-75172000 gdi32full.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    76510000-76589000 msvcp_win.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    76CF0000-76E02000 ucrtbase.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    74FD0000-75081000 COMDLG32.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    75D40000-75FBD000 combase.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    75350000-7540A000 RPCRT4.dll (Microsoft Corporation),
                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    767D0000-76891000 shcore.dll (Microsoft Corporation),
                      version: 10.0.22621.2715 (WinBuild.160101.0800)
    75AD0000-75B1B000 SHLWAPI.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    75C70000-75D34000 msvcrt.dll (Microsoft Corporation),
                      version: 7.0.22621.2506 (WinBuild.160101.0800)
    74930000-74FC8000 SHELL32.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    766A0000-7671F000 ADVAPI32.dll (Microsoft Corporation),
                      version: 10.0.22621.3007 (WinBuild.160101.0800)
    755B0000-75635000 sechost.dll (Microsoft Corporation),
                      version: 10.0.22621.3007 (WinBuild.160101.0800)
    75FF0000-7600A000 bcrypt.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    72430000-72658000 COMCTL32.dll (Microsoft Corporation),
                      version: 6.10 (WinBuild.160101.0800)
    75C40000-75C65000 IMM32.DLL (Microsoft Corporation),
                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    03180000-0386C000 windows.storage.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    740D0000-74197000 wintypes.dll (Microsoft Corporation),
                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    76730000-767CC000 OLEAUT32.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    75440000-75590000 ole32.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    731E0000-7321D000 CFGMGR32.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    74040000-74053000 kernel.appcore.dll (Microsoft Corporation),
                      version: 10.0.22621.2715 (WinBuild.160101.0800)
    748C0000-74922000 bcryptPrimitives.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    76AC0000-76B3F000 uxtheme.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    76640000-76698000 wintrust.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    769B0000-76AB3000 CRYPT32.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    74060000-7406E000 MSASN1.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73F90000-73FA5000 CRYPTSP.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73F60000-73F90000 rsaenh.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    740A0000-740AB000 CRYPTBASE.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    75180000-7519B000 imagehlp.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    73F30000-73F51000 gpapi.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    769A0000-769A8000 version.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    73560000-7357C000 olepro32.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73530000-7355F000 oledlg.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    764B0000-7650F000 ws2_32.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    72860000-72CE8000 wininet.dll (Microsoft Corporation),
                      version: 11.00.22621.2506 (WinBuild.160101.0800)
    734B0000-7352C000 netshell.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73DF0000-73E14000 IPHLPAPI.DLL (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    73490000-734AE000 NetSetupApi.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73470000-7347A000 nlaapi.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    723E0000-72423000 Connect.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    76070000-764AD000 SETUPAPI.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    72270000-723DE000 gdiplus.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    74070000-74094000 USERENV.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    71790000-71889000 RASAPI32.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    72250000-72262000 rtutils.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    740B0000-740CD000 profapi.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    71FE0000-7200E000 RASMAN.DLL (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    733C0000-733E9000 ntmarta.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    768B0000-76912000 coml2.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    72080000-72096000 asycfilt.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    76590000-76612000 clbcatq.dll (Microsoft Corporation),
                      version: 2001.12.10941.16384 (WinBuild.160101.080
    77050000-7714E000 MSCTF.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    73250000-73317000 PROPSYS.dll (Microsoft Corporation),
                      version: 7.0.22621.2506 (WinBuild.160101.0800)
    755A0000-755A7000 NSI.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    73DD0000-73DE6000 dhcpcsvc6.DLL (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73DB0000-73DC7000 dhcpcsvc.DLL (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    716A0000-71783000 Windows.System.Launcher.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    71630000-71697000 msvcp110_win.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    71F90000-71FA3000 windows.staterepositorycore.dll (Microsoft Corporation),
                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    71590000-71625000 TextShaping.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    72240000-7224A000 idmnmcl.dll (Internet Download Manage),
                      version: 6, 41, 18, 1
    71540000-7158C000 dataexchange.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    71350000-7153C000 twinapi.appcore.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    711F0000-71350000 WindowsCodecs.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    710E0000-711BA000 MrmCoreR.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    76E10000-77048000 iertutil.dll (Microsoft Corporation),
                      version: 11.00.22621.3085 (WinBuild.160101.0800)
    710C0000-710D2000 napinsp.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    710A0000-710B6000 pnrpnsp.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    73CC0000-73D11000 mswsock.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73B60000-73C1D000 DNSAPI.dll (Microsoft Corporation),
                      version: 10.0.22621.3155 (WinBuild.160101.0800)
    720E0000-720EE000 winrnr.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    71080000-71091000 wshbth.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73FB0000-73FC8000 nlansp_c.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    711C0000-711E1000 mdnsNSP.dll (Apple Inc.),
                      version: 3,0,0,10
    70F80000-71079000 textinputframework.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    733F0000-7344D000 fwpuclnt.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    70EB0000-70F7E000 CoreMessaging.dll (Microsoft Corporation),
                      version: 10.0.22621.3007 (WinBuild.160101.0800)
    73B50000-73B58000 rasadhlp.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    70350000-705E1000 CoreUIComponents.dll (Microsoft Corporation),
                      version: 10.0.22621.2506
    70E50000-70EA3000 thumbcache.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    73220000-73244000 dwmapi.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    73C80000-73CA6000 SspiCli.dll (Microsoft Corporation),
                      version: 10.0.22621.3007 (WinBuild.160101.0800)
    73730000-7373A000 secur32.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    73330000-733B4000 schannel.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    73130000-73155000 ncrypt.dll (Microsoft Corporation),
                      version: 10.0.22621.3007 (WinBuild.160101.0800)
    73100000-73128000 NTASN1.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    73090000-730B0000 ncryptsslp.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    70DE0000-70E4C000 idmindex.dll (Tonec Inc.),
                      version: 6, 23, 21, 1
    
    Process Trace
    1  C:\Program Files (x86)\Internet Download Manager\IDMan.exe [8724]
    2  C:\Windows\explorer.exe [16116]
    
    Dropped Files
    1  C:\Users\Osman\AppData\Local\Temp\~DF025118B0797D576B.TMP
         Dropped by \Device\HarddiskVolume3\Program Files (x86)\Internet Download Manager\IDMan.exe [8724]
    2  C:\Users\Osman\AppData\Roaming\IDM\defextmap.dat
         Dropped by \Device\HarddiskVolume3\Program Files (x86)\Internet Download Manager\IDMan.exe [8724]
            Read by \Device\HarddiskVolume3\Program Files (x86)\Internet Download Manager\IDMan.exe [8724]
    3  C:\Users\Osman\AppData\Roaming\IDM\urlexclist.dat
         Dropped by \Device\HarddiskVolume3\Program Files (x86)\Internet Download Manager\IDMan.exe [8724]
            Read by \Device\HarddiskVolume3\Windows\explorer.exe [16116]
    4  C:\Users\Osman\AppData\Roaming\IDM\DwnlData\Osman\www_internetdownload_392\log_392.log
         Dropped by \Device\HarddiskVolume3\Program Files (x86)\Internet Download Manager\IDMan.exe [8724]
    1  C:\Users\Osman\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x00000000000002b9.db
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [16116]
    
    Thumbprints
    1ee47f92107742ed1c2f5f43298e16b52adb0ea58b2b376574d09bb6cb0bd307 (crt)
    fd4f33f55ae9a47e2eb35d9b0a42ef8f4ce0cbaff4ad1fa94bd7ad171ca9b97a (pfn)
    55e414b49792c9a0c6fe9cba1029193e24f1b1fe6428ac1c8d1c785db0a050b0 (fhsh)
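The report above is the plain-text form HMP.A uses for every mitigation event: a key/value header, a one-line reason ("Attempt to read protected Edge data"), the loaded-module list with vendor and version, and the parent-process trace. When triaging one of these, the first questions are which process was blocked, why, and which modules inside it are not Microsoft's own (the application's DLLs, the injected hmpalert.dll, and any third-party LSP/NSP or shell extension). The following PowerShell is an added example, not HitmanPro.Alert code; it parses a constructed, shortened copy of the posted report (same values, fewer modules) into an object and lists the non-Microsoft modules and the process chain. It runs on the PowerShell 2.0 that ships with Windows 7 as well as on current versions.

```powershell
# Added example (not HitmanPro.Alert code): parse an HMP.A mitigation report.
# $SampleReport is a constructed, shortened copy of the report posted above.
$SampleReport = @'
Mitigation   CookieGuard
Timestamp    2024-02-24T07:41:27

Platform     10.0.22621/x64 v979 af_61
PID          8724
WoW          x86
Application  C:\Program Files (x86)\Internet Download Manager\IDMan.exe
Description  Internet Download Manager (IDM) 6.42.3

Attempt to read protected Edge data
SHA-256      8eeddaa5d3b04ce46ee4dbe6b5b875ddb186af00260d63a148e8b366e28b40e4

Process is marked as signed
CertHash: 74a673ff

Loaded Modules (3)
-----------------------------------------------------------------------------
00090000-00658000 IDMan.exe (Tonec Inc.),
                  version: 6, 42, 3, 3
77160000-77311000 ntdll.dll (Microsoft Corporation),
                  version: 10.0.22621.3085 (WinBuild.160101.0800)
739F0000-73B34000 hmpalert.dll (Sophos B.V.),
                  version: 3.8.26.979

Process Trace
1  C:\Program Files (x86)\Internet Download Manager\IDMan.exe [8724]
2  C:\Windows\explorer.exe [16116]
'@

function ConvertFrom-HmpaReport {
    param([Parameter(Mandatory=$true)][string]$Text)

    $report  = @{ Fields = @{}; Reason = $null; Notes = @(); Modules = @(); ProcessTrace = @() }
    $section = 'header'
    $pending = $null   # module line waiting for its "version:" continuation line

    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^-+$') { continue }

        # Section headers as they appear in the report
        if ($line -match '^Loaded Modules \(\d+\)$')        { $section = 'modules'; continue }
        if ($line -eq 'Process Trace')                      { $section = 'trace';   continue }
        if ($line -match '^(Dropped Files|Thumbprints)$')   { $section = 'other';   continue }

        switch ($section) {
            'header' {
                # "Key   Value" pairs are separated by two or more spaces; the
                # first line without a key is the reason, later ones are notes.
                if ($line -match '^(\S+)\s{2,}(.+)$') {
                    $report.Fields[$matches[1]] = $matches[2]
                } elseif ($report.Reason -eq $null) {
                    $report.Reason = $line
                } else {
                    $report.Notes += $line
                }
            }
            'modules' {
                if ($line -match '^([0-9A-F]{8})-([0-9A-F]{8})\s+(\S+)\s+\((.*)\),?$') {
                    $pending = New-Object PSObject -Property @{
                        Base    = [Convert]::ToInt64($matches[1], 16)
                        End     = [Convert]::ToInt64($matches[2], 16)
                        Name    = $matches[3]
                        Vendor  = $matches[4]
                        Version = $null
                    }
                    $report.Modules += $pending
                } elseif ($line -match '^version:\s*(.+)$' -and $pending) {
                    $pending.Version = $matches[1]   # same object as in the array
                    $pending = $null
                }
            }
            'trace' {
                if ($line -match '^\d+\s+(.+?)\s+\[(\d+)\]$') {
                    $report.ProcessTrace += New-Object PSObject -Property @{
                        Image = $matches[1]; Pid = [int]$matches[2]
                    }
                }
            }
        }
    }
    New-Object PSObject -Property $report
}

function Get-ThirdPartyModules {
    # Everything not published by Microsoft: the app's own DLLs, the HMP.A
    # mitigation DLL, and any other vendor's code living in the process.
    param([Parameter(Mandatory=$true)]$Report)
    $Report.Modules | Where-Object { $_.Vendor -ne 'Microsoft Corporation' }
}

$r = ConvertFrom-HmpaReport -Text $SampleReport
"{0} blocked PID {1} ({2}): {3}" -f $r.Fields['Mitigation'], $r.Fields['PID'], $r.Fields['Description'], $r.Reason
Get-ThirdPartyModules -Report $r | Format-Table Name, Vendor, Version -AutoSize
$r.ProcessTrace | Format-Table Pid, Image -AutoSize
```

Run against the full report from the post, the same parser returns the complete module list (Tonec, Sophos and Apple entries among the Microsoft ones) and the explorer.exe parent; the hash fields come out under their own keys (`SHA-256`, `SHA-1`, `MD5`) for a VirusTotal lookup. Sections it does not model (Dropped Files, Thumbprints) are skipped rather than guessed at.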
     
  2. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Last night suddenly we started having trouble streaming a show on our TV PC. I closed Firefox and reopened it, but FF could not load the home page or any other Web page. However, the network icon in the system tray appeared normal (no yellow triangle), and the network troubleshooter didn't report any problems.

    Looking around, I noticed that the HMP.A icon in the notification area had a small "x" in the corner, like this:

    HMPA-x.png

    Clicking on that icon didn't bring up the GUI for the program, nor could I kill its process in Task Manager (of course) in order to relaunch, so I ended up rebooting the PC, and then everything was fine again and we resumed the streamed show.

    I've seen this "x" on the icon once before, a couple of months ago. That time, I remember being able to open the GUI and noticing that there was no information displayed for any of the categories in the advanced interface.

    *** HMP.A version 3.8.26, build 979 on a Windows 7 Home Premium PC. More than two years to go on our current subscription. ***

    Any idea what might cause this "x" to appear, and what can be done to fix it other than rebooting? The wife would be a lot happier if we didn't need to reboot the system to take care of this.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW Ronny, did you see Erik Loman boasting about the FudModule rootkit trying to disable HMPA? :D

And I have another question about CryptoGuard: does it make use of a backup folder in order to restore encrypted files? I noticed that AppCheck is using such a technique.

    https://twitter.com/erikloman/status/1762847300542497181
     
    Last edited: Mar 3, 2024
  4. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    "Bumping" the above post. To prevent the issue from recurring, we have since uninstalled HMP.A, but if possible I'd rather track down the problem and solve it so that we can keep using HMP.A.
     
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
Yes, the red cross means the communication with the service has gone; it seems like the service process crashed in the background.
You might want to set the postmortem debugger to catch a memory dump next time that happens.

Can you download this Sysinternals tool: http://live.sysinternals.com/procdump.exe
Create a folder c:\dumps, place procdump.exe in there, open an administrative command box and execute the command below:
c:\dumps\procdump -ma -i c:\dumps\

Then reproduce the issue; this should record a memory dump of the crashing process.
Once you have that dump, please send it to us via https://www.wetransfer.com and give us a hint in this ticket.

If you want, you can reset your Just-in-Time debugger with:
procdump -u
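What `procdump -i` actually does is register procdump as the post-mortem (JIT) debugger in the registry, under AeDebug, with Auto set so that no "do you want to debug?" prompt is shown; a crashing background service has no desktop to show that prompt on, so if the registration is incomplete nothing gets written and the folder stays empty. The script below is an added example, not HitmanPro.Alert's or Sysinternals' code. It verifies the registration in both the native and the Wow6432Node AeDebug keys, lists dumps newer than a given time so you can tell the right one apart, and, as a fallback that does not depend on the JIT route, enables Windows Error Reporting LocalDumps for a named image. It assumes the C:\dumps folder from the instructions; the image name of the crashing process is not given in this thread and has to come from your own machine (Task Manager's Services tab), so it is a mandatory parameter rather than a guess.

```powershell
# Added example, not HitmanPro.Alert or Sysinternals code. Run from an
# elevated PowerShell prompt; works on PowerShell 2.0 (Windows 7) and later.

$DumpDir = 'C:\dumps'   # the folder used in the instructions above

function Get-JitDebuggerStatus {
    # procdump -i writes "Debugger" and "Auto" under AeDebug. On 64-bit
    # Windows the Wow6432Node copy is what 32-bit processes use, so both
    # keys must point at procdump or a 32-bit crasher produces no dump.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $p        = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $debugger = [string]$p.Debugger
        $auto     = [string]$p.Auto
        New-Object PSObject -Property @{
            Key        = $key
            Debugger   = $debugger
            Auto       = $auto
            # Auto = 1 suppresses the interactive prompt; without it a service
            # crash never launches the debugger and no .dmp is written.
            IsProcdump = ($debugger -match 'procdump') -and ($auto -eq '1')
        }
    }
}

function Get-NewDumps {
    # Dumps written after $Since, oldest first, so the dump belonging to
    # this crash is not confused with older ones in the same folder.
    param([datetime]$Since)
    Get-ChildItem -Path $DumpDir -Filter *.dmp -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $Since } |
        Sort-Object LastWriteTime
}

function Enable-WerLocalDump {
    param(
        # Image name of the crashing process as shown in Task Manager.
        # Assumption: you read this from your own system; the thread does
        # not state the HMP.A service image name.
        [Parameter(Mandatory=$true)][string]$ExeName,
        [string]$Folder = $DumpDir
    )
    # Windows Error Reporting writes its own dump for this image, independent
    # of the AeDebug/JIT route. DumpType 2 = full dump (like procdump -ma).
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\$ExeName"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name DumpFolder -Value $Folder -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpType   -Value 2       -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpCount  -Value 5       -PropertyType DWord        -Force | Out-Null
    Get-ItemProperty -Path $key | Select-Object DumpFolder, DumpType, DumpCount
}

if (-not (Test-Path $DumpDir)) { New-Item -ItemType Directory -Path $DumpDir | Out-Null }
Get-JitDebuggerStatus | Format-List Key, Debugger, Auto, IsProcdump

# Follow-up calls, as needed:
# Enable-WerLocalDump -ExeName '<image name from Task Manager>'
# Get-NewDumps -Since (Get-Date).AddHours(-1)
```

If `IsProcdump` is False for either key, re-run `procdump -ma -i c:\dumps\` from an elevated 64-bit prompt; if it is True on both and a crash still leaves the folder empty, the LocalDumps route gives a second chance at a dump without rebooting. `procdump -u` removes only the AeDebug registration; the LocalDumps key has to be deleted by hand when you are done.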
     
  6. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    :)

And yes, it does make a backup of attacked files/streams, hence we can roll back (most of) the files after the attack is triggered.
     
  7. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Thank you, @RonnyT.

    I've reinstalled HMP.A on that PC and have put procdump.exe on it. I will wait until it happens on its own and then send you the requested report.

    EDIT: I figured out the following. [[Question: the part about resetting the Just in Time debugger -- I would be doing that after reporting a crash, correct?]]
     
    Last edited: Mar 17, 2024
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    But how does this work exactly? I never really understood it, because if HMPA only makes a backup when it believes the system is attacked, then you risk not being able to rollback all files, like you said yourself.

I also don't have a clue how it works in AppCheck Anti-Ransomware; in the newest versions it even warns that if you disable the backup function, it might not be able to fully protect against ransomware. Then why give an option to disable it, know what I mean?
     
  9. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    That's correct
     
  10. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Thanks @RonnyT. :thumb:

    BTW, I'm relieved to report that the issue hasn't recurred yet...
     
  11. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.26 Build 983

    Changelog (compared to 979)
    • Added UI - EventLog - Clear event data dialog, use right mouse click on "Last events"
    • Added UI - EventLog - Show only Suppressed events
    • Added UI - EventLog - Copy details to clipboard button
    • Added Several code preparations for upcoming changes/additions
    • Fixed Exclusions - UWP exclusions browser for Windows 11
    • Fixed BSOD - CryptoGuard5
    • Improved HeapHeapProtect
    • Improved SoftwareRadar - No longer removes UWP Exclusions at startup
    • Improved PrivGuard - Now also prints the current and expected userSID's
    • Improved Kernel32Trap
    • Improved SyscallX64
    https://dl.surfright.nl/hmpalert3b983.exe
    Auto-update will also be enabled from 979 -> 983
    Note for testers this is the exact same version as 983 RC1 on the beta board.
    HMPA983CleanEvents.jpg HMPA983Filtered.jpg HMPA983CopyToClipboard.jpg
     
    Last edited: Apr 5, 2024
  12. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    OK, the issue has recurred. Launched Firefox, and can't open any new Web pages. The "x" is back in the corner of the HMP.A shield.

    I followed the instructions given above, but nothing happened: no dump file was created!

What is known in the Home Theater online forums as "WAF" (Wife Approval Factor) has dropped to near zero, as she was looking forward to watching one of her favorite series. Rebooting was out of the question, as Windows Media Center was recording my favorite baseball team at the same time.
     
  13. Higgsie

    Higgsie Registered Member

    Joined:
    Jun 22, 2008
    Posts:
    3
Not sure if anyone else has this problem - when a HitmanPro scan is initiated by HitmanPro.Alert, I cannot click on any of the links in the resultant scan to open up the VirusTotal report.

----------------------------------------------------------------
Issue Sent to Support:
When the HitmanPro scan has finished and I click on the VirusTotal link, no webpage opens; on previous builds a VirusTotal page would open and I could see the scan results.
I've looked at the settings and cannot see any configuration I can make; the only option is to include my personal VirusTotal API key.

Please can you advise on how this issue can be resolved?
----------------------------------------------------------------
The engineer came back with the following:
Looks like something's broken there, I'll pass that on to the devs so they can fix this in an upcoming release.

Hopefully a fix is deployed soon as, like most people on this forum, I like to validate results.
     