HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,171
    Location:
    Canada
    I believe there is a box in CCleaner you can uncheck so they don't get deleted.
     
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,061
    Location:
    UK
    There is: System > Memory Dumps.

    https://www.piriform.com/docs/ccleaner/ccleaner-rules/windows-tab/system-files
     
  3. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    For SurfRight, for what it is worth: I found a conflict when running IE 6 in Sandboxie build 4.18. When I tried to run IE 6 in Sandboxie, HMPA would flag it and kill it, every time, the instant I tried to run it.

    HMPA didn't flag IE 6 when it was run outside of Sandboxie.

    It is not a problem for me, since I usually don't run IE 6 in Sandboxie.

    I only use IE 6 to install Windows updates at the Microsoft Update website (and I wouldn't have IE 6 running in Sandboxie while installing Windows updates).

    Here is one of the logs from HMPA, from when IE 6 was killed by HMPA:

    Mitigation ROP

    Platform 5.1.2600/x86 0f_02
    PID 1744
    Application C:\Program Files\Internet Explorer\iexplore.exe
    Description Internet Explorer 6

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 7C81045B kernel32.dll SetEnvironmentVariableW +0x1cd
    2 7C810560 kernel32.dll CreateRemoteThread +0x64
    3 7C812F3C kernel32.dll GetDiskFreeSpaceExW +0x1c1
    4 7C9293F2 ntdll.dll RtlFormatMessage
    5 7C929457 ntdll.dll RtlFormatMessage
    6 7C92949A ntdll.dll RtlFormatMessage
    7 7C927FA5 ntdll.dll RtlQueueWorkItem
    8 7C928171 ntdll.dll RtlQueueWorkItem
    9 7C90E457 ntdll.dll KiUserApcDispatcher +0x7
    10 0800003B (unknown)

    Process Trace
    1 C:\Program Files\Internet Explorer\iexplore.exe [1744]
    2 C:\WINDOWS\explorer.exe [1516]
    3 C:\WINDOWS\system32\userinit.exe [1452]
    ----------------------------------------------
     
  4. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    While I am here, I will mention that HMPA killed Firefox 38.0.5 twice on me. Both times, it was when I clicked a link to download a file, and it didn't repeat when I went back and tried to download the files the second time.

    One time was when I clicked the link here in the forum for downloading HMPA b190 (I already had HMPA b190 installed; I was just checking to make sure the link still worked).

    The second time happened today when I tried to download AdwCleaner at toolslib.net:

    https://toolslib.net/downloads/viewdownload/1-adwcleaner/

    When it happened the first time, I just figured that HMPA was sensitive, which I figured was good, and I didn't worry about it.

    In case you are wondering: yes, I was running Firefox in Sandboxie. (I am starting to wonder if there isn't an issue with running HMPA along with Sandboxie.)

    Also, I have downloaded many files without getting any HMPA alerts. I just happened to get HMPA alerts the two times that I mention here, when I was trying to download a file.

    Here are the HMPA logs from the two times that HMPA killed Firefox:

    Mitigation ROP

    Platform 5.1.2600/x86 0f_02
    PID 1688
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 38.0.1

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 7C81045B kernel32.dll SetEnvironmentVariableW +0x1cd
    2 7C810560 kernel32.dll CreateRemoteThread +0x64
    3 7C812F3C kernel32.dll GetDiskFreeSpaceExW +0x1c1
    4 7C9293F2 ntdll.dll RtlFormatMessage
    5 7C929457 ntdll.dll RtlFormatMessage
    6 7C92949A ntdll.dll RtlFormatMessage
    7 7C927FA5 ntdll.dll RtlQueueWorkItem
    8 7C928171 ntdll.dll RtlQueueWorkItem
    9 7C90E457 ntdll.dll KiUserApcDispatcher +0x7

    10 0800003B fastprox.dll
    00f0 ADD AL, DH
    0000 ADD [EAX], AL
    000e ADD [ESI], CL
    1f POP DS
    ba0e00b409 MOV EDX, 0x9b4000e
    cd21 INT 0x21


    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [1688]
    2 C:\WINDOWS\explorer.exe [1536]
    3 C:\WINDOWS\system32\userinit.exe [1448]
    ------------------------------------------------
    ------------------------------------------------

    Mitigation ROP

    Platform 5.1.2600/x86 0f_02
    PID 2328
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 38.0.5

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 7C81045B kernel32.dll SetEnvironmentVariableW +0x1cd
    2 7C810560 kernel32.dll CreateRemoteThread +0x64
    3 7C812F3C kernel32.dll GetDiskFreeSpaceExW +0x1c1
    4 7C9293F2 ntdll.dll RtlFormatMessage
    5 7C929457 ntdll.dll RtlFormatMessage
    6 7C92949A ntdll.dll RtlFormatMessage
    7 7C927FA5 ntdll.dll RtlQueueWorkItem
    8 7C928171 ntdll.dll RtlQueueWorkItem
    9 7C90E457 ntdll.dll KiUserApcDispatcher +0x7

    10 0800003B fastprox.dll ??0CWmiObjectFactory@@QAE@ABV0@@Z +0x18
    58 POP EAX
    13fd ADC EDI, EBP
    07 POP ES
    8365fc00 AND DWORD [EBP-0x4], 0x0
    83c710 ADD EDI, 0x10
    57 PUSH EDI
    8d4e10 LEA ECX, [ESI+0x10]
    c7061c2ffd07 MOV DWORD [ESI], 0x7fd2f1c
    e88effffff CALL 0x7ffffe3
    834dfcff OR DWORD [EBP-0x4], -0x1
    8b4df4 MOV ECX, [EBP-0xc]
    5f POP EDI
    8bc6 MOV EAX, ESI
    5e POP ESI
    64890d00000000 MOV [FS:0x0], ECX
    c9 LEAVE


    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [2328]
    2 C:\WINDOWS\explorer.exe [1516]
    3 C:\WINDOWS\system32\userinit.exe [1452]
    ----------------------------------------------
     
    Last edited: Jun 7, 2015
  5. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Sorry to bother you, but if you run IE6 then this means that you're running Windows XP SP2 or lower. Supporting every old browser is impossible.
     
  6. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    After reading your post, I did a scan with ESET's Online Scanner and I didn't have any problems with it. I use the version that you install on your computer, not the one that runs in IE.
     
  7. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    I hate IE 8. That is why I don't have it installed, and I might avoid having some problems, too, by not having it installed.
     
  8. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    I have indeed installed (the portable version of) CCleaner on that PC, but not in the Start Menu.

    I'm pretty sure my family member has not run it.
     
  9. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Have a look at these settings pertaining to memory dumps. Note that small dumps and kernel dumps default to different folders, and of course it can be turned off. Also make sure there's a check in the "write an event in the system log" box, and if you uncheck "automatically restart" you get a chance to view the blue screen (I advise folks to pull out their digital cameras and take a picture so they can show me the error codes).
     


  10. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    Does anybody know when the latest build of HMPA (190?) can be downloaded via the internal updater?
     
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,863
    Location:
    the Netherlands
    Since May 29, that information has not been changed yet.
    I can imagine that SurfRight could be working on a next bugfix build, and automatic updating is put on hold till such a next build proves to be fine.
    But if you like, you can manually update to build 190, by downloading and installing that version.
     
  12. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    This is also my guess. OK, let's just wait for the next bugfix build then.
     
  13. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Thanks, but I'm not sure what you mean by "the version that you install on your computer," as opposed to "the one that runs in IE." When you go to that page for the first time and want to run the online scanner, once you click on the blue "Run ESET Online Scanner" button you get something installed on your computer AND the program runs in your browser, isn't that right? In any case, I don't see an option to do one vs. the other, there's only the one choice for the online scanner. (I've never done the free 30-day trial as I have another AV on my machine.)

    Here's the screenshot of HMP.A in action against the ESET Online Scanner:

    [attached screenshot: HMPA vs ESET.jpg]
     
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Mitigation DEP
    PID 7124
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 43
    ___________________________________
    Update: never mind figured out what prompted DEP
     
    Last edited: Jun 9, 2015
  15. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    If you go to the ESET Online Scanner webpage with the Firefox browser, when you click the button to run the online scanner, a window pops up that allows you to download and install the online scanner on your computer and run it from there.

    If you are using Internet Explorer when you go to ESET's Online Scanner webpage, an ActiveX control is installed and the online scanner runs within Internet Explorer.

    Since ActiveX controls are not used with the Firefox browser, that is why, when you try to run the online scanner while using the Firefox browser, it allows you to install the online scanner on your computer and run it from there.

    Apparently you use Internet Explorer. That explains why you had an issue with running ESET's Online Scanner when I didn't: you were running it within Internet Explorer and I wasn't.
     
    Last edited: Jun 8, 2015
  16. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    My advice would be to go ahead and install HMPA b190.
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Noticed as others reported. Firefox:
    [attached screenshot: encrypting no keys 2.png]
    Noticed this with F2 / F3 = dimmer / brighter:
    [attached screenshot: Encrypting F2 F3.png]
     
    Last edited: Jun 9, 2015
  18. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Yes, that's right -- I was using IE8 when that happened. Thanks for the explanation, hopefully this will give the developers some useful clues. (Devs: note that this issue was not happening before last week.)

    When I get the chance to, I'll go to the ESET Online Scanner page via Firefox and see how that works on my PC. With any luck, it will work just as it did for you.
     
  19. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Did not have time to check this during my visit.

    However, I also asked to take a picture, so I actually have some info. Just a few hex codes. Is that useful?
     
  20. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    For SurfRight: I had another "issue" with HMPA today, some ROP alerts when I was trying to attach a screenshot to a post in the dslreport.com forum.

    This time, the alerts were repeating, every time that I tried to attach a screenshot to a post.

    I tried running Firefox outside of Sandboxie and I didn't get the HMPA alerts in that case. So, again, maybe the issue is with using HMPA along with Sandboxie?

    Here are the HMPA alert logs:

    Mitigation ROP

    Platform 5.1.2600/x86 0f_02
    PID 2548
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 38.0.5

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 7C81045B kernel32.dll SetEnvironmentVariableW +0x1cd
    2 7C810560 kernel32.dll CreateRemoteThread +0x64
    3 7C812F3C kernel32.dll GetDiskFreeSpaceExW +0x1c1
    4 7C9293F2 ntdll.dll RtlFormatMessage
    5 7C929457 ntdll.dll RtlFormatMessage
    6 7C92949A ntdll.dll RtlFormatMessage
    7 7C927FA5 ntdll.dll RtlQueueWorkItem
    8 7C928171 ntdll.dll RtlQueueWorkItem
    9 7C90E457 ntdll.dll KiUserApcDispatcher +0x7

    10 0800003B (anonymous)
    085800 OR [EAX+0x0], BL
    0008 ADD [EAX], CL
    0100 ADD [EAX], EAX
    0000 ADD [EAX], AL
    0000 ADD [EAX], AL
    0000 ADD [EAX], AL
    0000 ADD [EAX], AL
    0000 ADD [EAX], AL
    0000 ADD [EAX], AL
    0000 ADD [EAX], AL
    0b00 OR EAX, [EAX]
    06 PUSH ES
    0064010a ADD [ECX+EAX+0xa], AH
    005f00 ADD [EDI+0x0], BL
    49 DEC ECX
    005700 ADD [EDI+0x0], DL


    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [2548]
    2 C:\WINDOWS\explorer.exe [1552]
    3 C:\WINDOWS\system32\userinit.exe [1440]
    -------------------------------

    Mitigation ROP

    Platform 5.1.2600/x86 0f_02
    PID 3116
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 38.0.5

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 7C81045B kernel32.dll SetEnvironmentVariableW +0x1cd
    2 7C810560 kernel32.dll CreateRemoteThread +0x64
    3 7C812F3C kernel32.dll GetDiskFreeSpaceExW +0x1c1
    4 7C9293F2 ntdll.dll RtlFormatMessage
    5 7C929457 ntdll.dll RtlFormatMessage
    6 7C92949A ntdll.dll RtlFormatMessage
    7 7C927FA5 ntdll.dll RtlQueueWorkItem
    8 7C928171 ntdll.dll RtlQueueWorkItem
    9 7C90E457 ntdll.dll KiUserApcDispatcher +0x7

    10 0800003B (anonymous)
    085800 OR [EAX+0x0], BL
    0008 ADD [EAX], CL
    0100 ADD [EAX], EAX
    0000 ADD [EAX], AL
    0000 ADD [EAX], AL
    0000 ADD [EAX], AL
    0000 ADD [EAX], AL
    0000 ADD [EAX], AL
    0000 ADD [EAX], AL
    0000 ADD [EAX], AL
    0b00 OR EAX, [EAX]
    06 PUSH ES
    004c010a ADD [ECX+EAX+0xa], CL
    005f00 ADD [EDI+0x0], BL
    49 DEC ECX
    005700 ADD [EDI+0x0], DL


    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [3116]
    2 C:\WINDOWS\explorer.exe [1552]
    3 C:\WINDOWS\system32\userinit.exe [1440]
    --------------------------------------------------
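The five ROP reports redwolfe_98 posted (IE 6 in post 3, Firefox in posts 4 and 20) share the same kernel32/ntdll frames, including CreateRemoteThread +0x64 and KiUserApcDispatcher +0x7, and all end at 0800003B, an address HMPA attributes to no module in three of them ("(unknown)", "(anonymous)") and to fastprox.dll in the other two; the poster saw them only with the browser running under Sandboxie. The script below is an added example, not SurfRight's code, that parses reports in this layout, reduces each stack to a module!symbol signature with offsets dropped, and groups reports by that last address so a repeat of one conflict can be told apart from a new alert. Its sample input is constructed from the posted reports and cut to four frames; reading the Location column as the nearest exported symbol plus an offset is an assumption about how HMPA labels frames.

```python
"""Group HitmanPro.Alert mitigation reports by the address of their last frame.
Added example, not SurfRight's code; the report layout is the one in the posts above."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

UNBACKED = {"(unknown)", "(anonymous)"}     # HMPA found no module at that address
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8})\s+(\S+)(?:\s+(.*\S))?$")
PROC_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")
HEADER_RE = re.compile(r"^(PID|Application|Description)\s+(.*)$")

# Constructed sample: two reports modelled on the posted ones, cut to four frames each.
SAMPLE = r"""
Mitigation ROP
PID 1744
Application C:\Program Files\Internet Explorer\iexplore.exe
Description Internet Explorer 6
Stack Trace
-- -------- ------------------------ ----------------------------------------
1 7C81045B kernel32.dll SetEnvironmentVariableW +0x1cd
2 7C810560 kernel32.dll CreateRemoteThread +0x64
9 7C90E457 ntdll.dll KiUserApcDispatcher +0x7
10 0800003B (unknown)
Process Trace
1 C:\Program Files\Internet Explorer\iexplore.exe [1744]
2 C:\WINDOWS\explorer.exe [1516]
----------------------------------------------
Mitigation ROP
PID 2328
Application C:\Program Files\Mozilla Firefox\firefox.exe
Description Firefox 38.0.5
Stack Trace
1 7C81045B kernel32.dll SetEnvironmentVariableW +0x1cd
2 7C810560 kernel32.dll CreateRemoteThread +0x64
9 7C90E457 ntdll.dll KiUserApcDispatcher +0x7
10 0800003B fastprox.dll ??0CWmiObjectFactory@@QAE@ABV0@@Z +0x18
58 POP EAX
Process Trace
1 C:\Program Files\Mozilla Firefox\firefox.exe [2328]
2 C:\WINDOWS\explorer.exe [1516]
----------------------------------------------
"""

@dataclass
class Frame:
    address: int
    module: str
    location: str        # "Symbol +0xoff" as printed, "" when HMPA printed none

@dataclass
class Alert:
    mitigation: str
    pid: int = 0
    application: str = ""
    description: str = ""
    frames: list = field(default_factory=list)
    process_trace: list = field(default_factory=list)   # (image path, pid), child first

def parse_alerts(text):
    alerts, cur, section = [], None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("Mitigation "):
            cur, section = Alert(mitigation=line.split(None, 1)[1]), None
            alerts.append(cur)
        elif cur is None or not line:
            continue
        elif line in ("Stack Trace", "Process Trace"):
            section = line
        elif re.fullmatch(r"-{5,}", line):                  # dashed rule ends a report
            cur = section = None
        elif section is None and (m := HEADER_RE.match(line)):
            key, value = m.groups()
            setattr(cur, key.lower(), int(value) if key == "PID" else value)
        elif section == "Stack Trace" and (m := FRAME_RE.match(line)):
            _, addr, module, loc = m.groups()               # disassembly lines never match
            cur.frames.append(Frame(int(addr, 16), module, loc or ""))
        elif section == "Process Trace" and (m := PROC_RE.match(line)):
            cur.process_trace.append((m.group(2), int(m.group(3))))
    return alerts

def is_unbacked(frame):
    return frame.module in UNBACKED

def signature(alert):
    """module!symbol per frame with offsets dropped; addresses are omitted because
    this XP/x86 platform has no ASLR, so they would only repeat the symbol."""
    return tuple("<unbacked>" if is_unbacked(f) else f"{f.module}!{f.location.split(' +')[0] or '?'}"
                 for f in alert.frames)

def last_frame_address(alert):
    return f"{alert.frames[-1].address:08X}" if alert.frames else ""

def group_by_last_frame(alerts):
    groups = defaultdict(list)
    for a in alerts:
        groups[last_frame_address(a)].append(a)
    return dict(groups)

if __name__ == "__main__":
    for addr, group in group_by_last_frame(parse_alerts(SAMPLE)).items():
        print(addr, [(a.description, is_unbacked(a.frames[-1])) for a in group])
```

Run as-is it prints one line per distinct last-frame address; paste the full text of an alert history in place of the sample to see which reports are repeats of the same conflict and which start from a different address.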
     
  21. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    AppCrash of hmpalert build 189 (W7 64-bit).

    Log Name: Application
    Source: Application Error
    Date: 8-6-2015 16:21:51
    Event ID: 1000
    Task Category: (100)
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: ****
    Description:
    Faulting application name: hmpalert.exe, version: 3.0.42.189, time stamp: 0x5567184e
    Faulting module name: hmpalert.exe, version: 3.0.42.189, time stamp: 0x5567184e
    Exception code: 0x40000015
    Fault offset: 0x001ee483
    Faulting process id: 0x328
    Faulting application start time: 0x01d0a1ae789155b0
    Faulting application path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Faulting module path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe

    Log Name: Application
    Source: Windows Error Reporting
    Date: 8-6-2015 16:21:56
    Event ID: 1001
    Task Category: None
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: ****
    Description:
    Fault bucket , type 0
    Event Name: APPCRASH
    Response: Not available
    Cab Id: 0

    Problem signature:
    P1: hmpalert.exe
    P2: 3.0.42.189
    P3: 5567184e
    P4: hmpalert.exe
    P5: 3.0.42.189
    P6: 5567184e
    P7: 40000015
    P8: 001ee483
    P9:
    P10:

    Log Name: Application
    Source: Windows Error Reporting
    Date: 8-6-2015 16:22:08
    Event ID: 1001
    Task Category: None
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: ****
    Description:
    Fault bucket 1300926249, type 17
    Event Name: APPCRASH
    Response: Not available
    Cab Id: 0

    Problem signature:
    P1: hmpalert.exe
    P2: 3.0.42.189
    P3: 5567184e
    P4: hmpalert.exe
    P5: 3.0.42.189
    P6: 5567184e
    P7: 40000015
    P8: 001ee483
    P9:
    P10:

    Erik, sent you the dmp via mail.
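The Event 1000 record above carries everything Windows Error Reporting folds into the P1..P8 problem signature of the two Event 1001 records that follow it: image and module name and version, their PE link timestamps, the exception code and the fault offset. Two details are worth decoding: 0x40000015 is STATUS_FATAL_APP_EXIT, an informational-severity status raised on a deliberate fatal exit (such as the C runtime's abort()) rather than on an access violation, and 0x5567184e is the image's link time, 2015-05-28 13:29:50 UTC, which dates the build. The script below is an added example, not part of the post or of HitmanPro.Alert: it parses both record types in the English Event Viewer wording, derives the same signature from each so the three records collapse into one bucket, and decodes the two timestamps. Its sample is constructed from the posted records; the exception-code table holds only a few common NTSTATUS values.

```python
"""Triage Windows Application-log APPCRASH records like the ones posted above.
Added example, not part of the post or of HitmanPro.Alert."""
import re
from datetime import datetime, timedelta, timezone

NTSTATUS = {                                   # a few common APPCRASH exception codes
    0x40000015: "STATUS_FATAL_APP_EXIT",       # deliberate fatal exit (e.g. abort()), not a fault
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}
SEVERITY = ("success", "informational", "warning", "error")   # NTSTATUS bits 31:30
APP_RE = re.compile(r"Faulting application name: (\S+), version: (\S+), time stamp: 0x([0-9a-fA-F]+)")
MOD_RE = re.compile(r"Faulting module name: (\S+), version: (\S+), time stamp: 0x([0-9a-fA-F]+)")
EXC_RE = re.compile(r"Exception code: 0x([0-9a-fA-F]+)")
OFF_RE = re.compile(r"Fault offset: 0x([0-9a-fA-F]+)")
START_RE = re.compile(r"Faulting application start time: 0x([0-9a-fA-F]+)")
P_RE = re.compile(r"^P(\d+):\s*(.*)$", re.M)

# Constructed sample: the three posted records, in English Event Viewer wording.
SAMPLE = r"""
Log Name: Application
Source: Application Error
Faulting application name: hmpalert.exe, version: 3.0.42.189, time stamp: 0x5567184e
Faulting module name: hmpalert.exe, version: 3.0.42.189, time stamp: 0x5567184e
Exception code: 0x40000015
Fault offset: 0x001ee483
Faulting application start time: 0x01d0a1ae789155b0
Faulting application path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
Faulting module path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
Log Name: Application
Source: Windows Error Reporting
Fault bucket , type 0
Event Name: APPCRASH
Problem signature:
P1: hmpalert.exe
P2: 3.0.42.189
P3: 5567184e
P4: hmpalert.exe
P5: 3.0.42.189
P6: 5567184e
P7: 40000015
P8: 001ee483
Log Name: Application
Source: Windows Error Reporting
Fault bucket 1300926249, type 17
Event Name: APPCRASH
Problem signature:
P1: hmpalert.exe
P2: 3.0.42.189
P3: 5567184e
P4: hmpalert.exe
P5: 3.0.42.189
P6: 5567184e
P7: 40000015
P8: 001ee483
"""

def describe_exception(code):
    return f"0x{code:08X} {NTSTATUS.get(code, 'unknown')} ({SEVERITY[code >> 30]})"

def pe_timestamp(ts):                # IMAGE_FILE_HEADER.TimeDateStamp: seconds since 1970 UTC
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def filetime(ft):                    # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def signature_1000(rec):
    """WER's P1..P8 derived from an Application Error record (hex fields as ints)."""
    a, m = APP_RE.search(rec), MOD_RE.search(rec)
    return (a[1], a[2], int(a[3], 16), m[1], m[2], int(m[3], 16),
            int(EXC_RE.search(rec)[1], 16), int(OFF_RE.search(rec)[1], 16))

def signature_1001(rec):
    p = dict(P_RE.findall(rec))
    return (p["1"], p["2"], int(p["3"], 16), p["4"], p["5"], int(p["6"], 16),
            int(p["7"], 16), int(p["8"], 16))

def parse_records(text):
    """(event_id, signature, start_time or None) per record; other sources are skipped."""
    out = []
    for rec in re.split(r"(?m)^Log Name:", text)[1:]:
        source = re.search(r"Source:\s*(.+)", rec)[1].strip()
        if source == "Application Error":
            start = START_RE.search(rec)
            out.append((1000, signature_1000(rec), filetime(int(start[1], 16)) if start else None))
        elif source == "Windows Error Reporting" and "Event Name: APPCRASH" in rec:
            out.append((1001, signature_1001(rec), None))
    return out

def buckets(text):
    """Signature -> event ids; one crash normally yields one 1000 and one or more 1001."""
    b = {}
    for event_id, sig, _ in parse_records(text):
        b.setdefault(sig, []).append(event_id)
    return b

if __name__ == "__main__":
    for (app, ver, ts, mod, _, _, code, off), ids in buckets(SAMPLE).items():
        print(f"{app} {ver} linked {pe_timestamp(ts):%Y-%m-%d}: {mod}+0x{off:x} "
              f"{describe_exception(code)} events={ids}")
```

The signature deliberately matches WER's own fields, so a bucket computed from an Event 1000 record can be compared with the P1..P8 values of a WER report or of a colleague's log without needing the dump; the fault offset is relative to the module's load base and only becomes a function name once symbols for that exact build (same link timestamp) are available.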
     
  22. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    No problems with Firefox 38.0.6 (W7 64-bit/build 189).
     
  23. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    No problems with Flash 18.0.0.160 (W7 64-bit/build 190).
     
  24. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    How are you getting this encryption notifier?

    Mine doesn't display on my machines
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    I get it just by scrolling in FF. I don't get any encryption while typing though.
     