HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
Somebody with W8.1 Dutch asked me for help, because he could not download anymore.
    Even the automatic update of HitmanPro 3.7.9.241 to HitmanPro 3.7.9.242 did not work.
    His antivirus program was PC Veilig from the Dutch provider KPN.
    After some looking around I found that his HitmanPro Alert was out-of-date.
    So I tried to download HitmanPro Alert 3.0.48.196, but the download did not start.
    After that, I decided to remove the out-of-date HitmanPro Alert.
    After the requested reboot, I started HitmanPro and the automatic update of HitmanPro 3.7.9.241 to HitmanPro 3.7.9.242 was done.
    I tried to download HitmanPro Alert 3.0.48.196 again and that worked.
    I installed the just downloaded HitmanPro Alert and it started without problems.
    I started other downloads, but all of them again did not work anymore.
    I removed the now up-to-date HitmanPro Alert again and after reboot all downloads worked again.

    So I think there is a bug in HitmanPro Alert or in PC Veilig.
    Erik, can you simulate this bug and/or find a solution?
     
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,140
    Location:
    the Netherlands
    If I am not mistaken, KPN PC Veilig is F-Secure.
    F-Secure's DeepGuard had or has issues with EMET 5.x. Because of that, one would need to set F-Secure's DeepGuard to "compatibility mode".
    Could there be any chance that the same issue applies to F-Secure (and thus KPN PC Veilig) and HitmanPro.Alert, and that setting DeepGuard to "compatibility mode" would resolve the issue?
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,436
    Location:
    .
Curious, is "failed to install new version" from the Admin user account (default Admin user account)?
     
  4. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    105
    Location:
    Netherlands
    That is correct.
     
  5. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    76
    Location:
    Long Beach, WA
    Why do I still see most computers with version 187 or 190 that do not auto update? Is auto update broken?
     
  6. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    354
    Location:
    Canada
Not this time - SUA. But I believe the first time it happened I was in an Admin account. Why, have there been issues with updates in a SUA?
     
  7. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,140
    Location:
    the Netherlands
    July 5, Erik wrote,
    Perhaps ESET still didn't fix that FP,
    and HMPA's auto-update mechanism is (still) disabled?
     
  8. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    76
    Location:
    Long Beach, WA
I installed Windows 10 Home 64 bit Build 10240. After I let HMPA 196 do a scan I get two Trojan.FakeAV on mrt.exe.
    These are false positives,
    like in this picture I copied from the HMP forum. Mine was the En_US version though.

    http://i.imgur.com/bCeBoT2.jpg
     
  9. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,140
    Location:
    the Netherlands
    So that is the same issue that Andra reported in the HMP thread (although this time with the HMP scan started from HMPA). That means it's not only Andra getting those HMP false positives.
     
  10. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    552
    Location:
    Hengelo
    Actually, this detection is caused by one of HitmanPro's many heuristics. On systems infected with particular malware, the malware sets a Debugger entry in the Windows Registry, specifically for all security programs that a user could download and run to get rid of the infection.
    MRT.exe is Microsoft's Malicious Software Removal Tool. The MRT.exe tool is automatically updated and started every month when you get Windows Updates. When the Debugger registry value is set and when MRT.exe is executed, the Debugger entry will cause Windows to start a *different* program instead of MRT.exe. In case of malware, the Debugger entry will launch the malware instead of the security software, which is a clever way to get the malware started.

    But in this case there is no Debugger entry in the Windows Registry. We will update HitmanPro to fix this detection, although no harm is caused when the registry entry is removed by HitmanPro - MRT.exe will still work without limitations.
     
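As an added illustration of the heuristic markloman describes (not code from the HitmanPro team), the following Python parses a constructed `.reg` export of the Image File Execution Options key, which is where a Windows "Debugger" redirect for an executable name lives, and reports any security tool whose launch would be diverted to another program. The sample export, the path `C:\Users\Public\svchost.exe` and the watch list of tool names are constructed for the example.

```python
import re

# Constructed sample .reg export (not from a real machine). MRT.exe and
# HitmanPro.exe carry a Debugger redirect; notepad.exe has an unrelated value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe]
"Debugger"="C:\\Users\\Public\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChaining"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe]
"Debugger"="C:\\Users\\Public\\svchost.exe"
"""

IFEO = "\\Image File Execution Options\\"          # subkeys below this are image names
KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\Subkey]
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')         # "Name"="string value"


def parse_debuggers(reg_text):
    """Return {image_name_lowercase: debugger_path} for every IFEO subkey
    that carries a Debugger string value. Other keys and values are ignored."""
    found = {}
    current = None                                 # image name of the key being read
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.find(IFEO)
            current = path[idx + len(IFEO):] if idx != -1 else None
            continue
        val = VAL_RE.match(line)
        if val and current and val.group(1).lower() == "debugger":
            # .reg exports double every backslash inside string values
            found[current.lower()] = val.group(2).replace("\\\\", "\\")
    return found


def hijacked_tools(reg_text, watchlist=("mrt.exe", "hitmanpro.exe", "mbam.exe")):
    """Security tools (constructed watch list) whose start is redirected
    through a Debugger value: the pattern the HitmanPro heuristic looks for."""
    return {name: dbg for name, dbg in parse_debuggers(reg_text).items()
            if name in watchlist}
```

A Debugger value on a security tool's image name is what the heuristic keys on; a legitimately empty key, as in the Windows 10 case above, yields nothing here.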
  11. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    552
    Location:
    Hengelo
HitmanPro.Alert 3 build 187 should update to build 196 - all versions are automatically updated. Maybe the update notification is not shown on these machines, but after a reboot build 196 should be installed. Could you check?
     
  12. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    552
    Location:
    Hengelo
    We'll look into it! Thanks for reporting!
     
  13. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    76
    Location:
    Long Beach, WA
I upgraded Win 8.1 64 bit to Windows 10 build 10240 and HMPA 196 was still there and working. I put in the DVD and ran setup from the desktop. I selected keep programs and settings. HMPA and MBAM were fine after. I did have to re-enter process exclusions in Windows Defender for MBAM.
     
  14. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,288
    Location:
    USA, MICHIGAN
Mine hasn't auto-updated either, I'm still on 3.0.42 188, any idea? o_O
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Try right clicking on the tray icon and choose "check for update".
     
  16. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,288
    Location:
    USA, MICHIGAN
I've been doing that and it shows "no update", it's unclickable.
     
  17. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    I performed the scan from HMP.A (which is why I'd posted it here).

    I'm not sure that there is anything bad to clean up on my system. If anything, it looks like maybe something that was not bad (a FP?) got deleted, leading to the decreased Outlook functionality. No other scanner that I've tried finds these problems (Norton 360 resident, ESET Online Scanner, MRT, MSERT, Windows Defender, MBAM).
     
  18. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    FYI your post was moved to the HitmanPro thread together with PallMall's reply.
    Please continue here: https://www.wilderssecurity.com/thr...iscussion-thread.236732/page-267#post-2509625
     
  19. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    OK thanks, we'll stay on the HitmanPro thread.
     
  20. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    552
    Location:
    Hengelo
    Fixed this detection for Windows 10. No update required, fix was applied via our cloud.
    Thanks for reporting!
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,008
    Location:
    USA
    Have you considered simply downloading the latest installer and updating manually?
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Clear Internet Explorer cache. Then see if it updates.
     
  23. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,288
    Location:
    USA, MICHIGAN
    K I'll try that when I get home.
     
  24. craiga_uk

    craiga_uk Registered Member

    Joined:
    Jul 28, 2015
    Posts:
    5
    Hi Erik,

    I have a couple of strange issues occurring on a new site that I've deployed HitmanPro at.
    They all involve Microsoft Office 2013.

    Issue 1)
    On at least 2 machines (I've not been able to test further) the users can no longer open up spreadsheets from e-mail. They double click the attachment and receive the following message when Excel opens:
    Microsoft Excel cannot open or save any more documents because there is not enough available memory or disk space.

    • To make more memory available, close workbooks or programs you no longer need.

    • To free disk space, delete files you no longer need from the disk you are saving to.
    If I remove HMP Alert the issue goes away. I've temporarily fixed it by disabling Protected View in Excel 2013 for files from Outlook.

    Issue 2)
    At least 3 people while I was on-site had false positives while opening up current good files (word documents and excel spreadsheets) from the server. Pressing close on the HitmanPro Alert 'gray' warning screen and re-opening the document (maybe a couple of times) seems to work, but it's not ideal. I've linked to one of the files causing a problem, if that helps you identify the issue. I'm happy to find/send logs if there is somewhere to look?
    The constant so far seems to be that these are older .doc/.xls files (2003 or older format).
    Link to a file that fails on site:
    http://www.1-fix.com/files/AS256TH 72mm 45m.doc

    I'll see if I can remote on to the machine and grab a screenshot of the error.

The computers are all running Windows 8 or 8.1 64-bit, with Office 2013 retail 32-bit installed. The anti-virus engine in place is 'Managed Antivirus', which is part of our RMM package from LogicNow. The engine they use is currently ThreatTrack VIPRE. The machines are domain joined.
     
    Last edited by a moderator: Jul 28, 2015
  25. craiga_uk

    craiga_uk Registered Member

    Joined:
    Jul 28, 2015
    Posts:
    5
    Hi again,

    I've opened one of the Word documents from Issue 2 on the remote computer, and have the following error:
    Code:
    Mitigation   ROP
    
    Platform     6.2.9200/x64 06_3a
    PID          2532
    Application  C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE
    Description  Microsoft Word 15
    
    Branch Trace                      Opcode  To                             
    -------------------------------- -------- --------------------------------
    SLOpen +0x153                         RET _MsoFCreateITFCHwnd@20         
    0x6A455B30 sppc.dll                       0x6C06E6F5 MSO.DLL             
    
    SLDepositStoreToken                   RET SLOpen +0x152                  
    0x6A461324 sppc.dll                       0x6A455B2F sppc.dll            
    
    SLpGetLicenseAcquisitionInfo        * RET SLOpen +0x143                  
    0x6A458581 sppc.dll                       0x6A455B20 sppc.dll            
                8b4df8                   MOV          ECX, [EBP-0x8]
                8bc7                     MOV          EAX, EDI
                5f                       POP          EDI
                5e                       POP          ESI
                33cd                     XOR          ECX, EBP
                5b                       POP          EBX
                e8edb70000               CALL         0x6a46131c
                c9                       LEAVE      
                c20400                   RET          0x4
                                     (AEC85E138CD5F873)
    
    
    0x6A452890 sppc.dll                 * RET SLOpen +0x132                  
                                              0x6A455B0F sppc.dll            
                e82b270000               CALL         0x6a45823f
                80a302208a0000           AND          BYTE [EBX+0x8a2002], 0x0
                306920                   XOR          [ECX+0x20], CH
                01908b4df88b             ADD          [EAX-0x7407b275], EDX
    
    
    SLDepositStoreToken                   RET SLOpen +0x121                  
    0x6A461494 sppc.dll                       0x6A455AFE sppc.dll            
    
    0x6A452CC5 sppc.dll                   RET SLDepositStoreToken            
                                              0x6A461492 sppc.dll            
    
    SLDepositStoreToken                   RET 0x6A452CC4 sppc.dll            
    0x6A461324 sppc.dll                                                      
    
    EtwEventEnabled +0x49                 RET 0x6A452C9B sppc.dll            
    0x7792B62D ntdll.dll                                                     
    
    RtlFreeHeap +0x8f                     RET SLDepositStoreToken            
    0x77961D99 ntdll.dll                      0x6A46148B sppc.dll            
    
    RtlAddAccessAllowedAce                RET RtlFreeHeap +0x7b              
    0x7797182F ntdll.dll                      0x77961D85 ntdll.dll           
    
    GetProcessHeap +0x9                   RET SLDepositStoreToken            
    0x7588C24B KernelBase.dll                 0x6A461484 sppc.dll            
    
    0x6A452CC5 sppc.dll                   RET SLOpen +0x116                  
                                              0x6A455AF3 sppc.dll            
    
    SLDepositStoreToken                   RET 0x6A452CC4 sppc.dll            
    0x6A461324 sppc.dll                                                      
    
    EtwEventEnabled +0x49                 RET 0x6A452C9B sppc.dll            
    0x7792B62D ntdll.dll                                                     
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  6C012799 MSO.DLL                
                8bd8                     MOV          EBX, EAX
                85db                     TEST         EBX, EBX
                0f8474f37e00             JZ           0x6c801b17
                8b450c                   MOV          EAX, [EBP+0xc]
                8918                     MOV          [EAX], EBX
                a10080726d               MOV          EAX, [0x6d728000]
                85c0                     TEST         EAX, EAX
                0f85a7f37e00             JNZ          0x6c801b5c
                8bc3                     MOV          EAX, EBX
                5f                       POP          EDI
                5e                       POP          ESI
                5b                       POP          EBX
                c9                       LEAVE      
                c20800                   RET          0x8
    
    2  6C0126C1 MSO.DLL                
    3  6C06E744 MSO.DLL                  _MsoFCreateITFCHwnd@20
    4  6C06E593 MSO.DLL                  _MsoFCreateITFCHwnd@20
    5  03662058 (anonymous; wwlib.dll) 
    6  036662FE (anonymous; wwlib.dll) 
    7  6C06CCE9 MSO.DLL                  _MsoFSetComponentManager@4
    8  6C236A5E MSO.DLL                  _MsoFGetTbShowKbdShortcuts@0
    9  03669634 (anonymous; wwlib.dll) 
    10 6C25C8D1 MSO.DLL                  _MsoHrSetupHTMLImport@8
    
     