HitmanPro.ALERT Support and Discussion Thread

On at the sime time as me

I'm running XP/SP2 32 Bit FAT32 with NO updates & FFv3.6.14

Well i disabled everything & let it do whatever it wanted to try & do. I have a number of services disabled & things like wscript etc, if that makes Any difference ?

No flyout occurred !

 

You can verify infection by running a scan with GMER (only check Sections and click on Scan):

See that Tinba infects every process, also Firefox.

But if you don't see a flyout then Alert is not triggering on the browser. Can you create a folder called C:\Log\ . Then reinstall HitmanPro.Alert en start the Firefox browser. Can you send me the log that is created in that folder?

 

@ erikloman

Hi, i've only recently returned home since this mornings post. I ran the nasty again, but this time didn't see winver.exe running in Process Explorer ? Visted HSBC bank with Cookies /Scripting enabled & typed in fake data on the login page.

Ran GMER, please att. LOG with personel data REMOVED. View attachment gmer.log

Uninstalled & then Reinstalled HPA & created Log folder.

HPA C:\Log\ also Att. View attachment mitb.log

Just to let you know, i always see the Flyout on launching FF, but no alerts afterwards. I launch FF before i run the nasty, if that makes Any difference ?

TIA

 

If I read the log correctly you're running Zemana and Prevx SOL at the same time as HMP.A If so, that's the MITB equivalent of running three realtime AVs. Have you tried uninstalling (rather than just disabling) Zemana and Prevx SOL?

 

I've sent you a PM with a more recent build for you to see if the problems disappear.

 

Zemana and Prevx SOL Spyshelter are great against Key Loggers, Screen Grabbers, Clipboard Stealers and MITM attacks but they both do not do MITB.

EDIT: Prevx SOL does have MITB detection.

 

That's not correct Erik. They both have anti-ssl components which monitor for hooking of the relevant browser components by the likes of Zeus, Spyeye, Carberp et al.

 

https://www.wilderssecurity.com/showpost.php?p=1832451&postcount=3

 

I stand corrected. Prevx SOL does have MITB detection . It is an excellent product.

I meant to say Zemana and Spyshelter as we have been testing these recently. I will adjust the original post so that search engines will pickup the correction.

One note though, while confirming Prevx SOL does have MITB detection, I found out that it does not seem to detect the ZeroAcesss (aka Sirefef) MITB attack. ZeroAccess uses a neat DLL substitution trick (ie. no API hooks) that works on both 32 and 64-bit. HitmanPro.Alert Beta 2 does not detect this either but Beta 3 does (some of you already have this version). I will release it to the public this week.

 

Hi, actually it's not the same, although i know what you mean, as i noted that niether /PrevxWebroot or HMP have stated Any incompatabilities between them, so far anyway !

Good & not good !

My earlier test with the Tinba nasty, highlighted an "issue" with Beta 2 HitmanPro.Alert Beta 3 TEST V Now installed, which i'll be retesting it with various things shortly

 

@ erikloman

Very high CPU usage with this V !



It pulses between 0.01 to 45 every half a second or so, averaging about 30 !

 

Its a test build.

 

Yeah i know, but still

 

I know Must address it before release

 

I have every confidence that you will

 

Where can I find the log? I recently had something that popped up and said that my browser was compromised. I did a scan and found nothing. I wanted to upload it to the development.

 

You can copy/past the Details in an email.
But you can also create a folder called C:\Log\ . there a log file will be created.

 

Zemana's SSL logger protection module and Spyshelters AntiNetworkSpy module should both be able to block MitB attacks afaik, perhaps they need to update their modules to block the latest techniques? Did you test WSA Identity Shield as well? Prevx SOL is not being developed anymore.

 

Same symptoms in Beta2 on XP/SP3 - multiple /flyout processes and flyout still disappears after briefly showing itself.

Al

 

View attachment 233301

Just registered to post the log with lots of
OpenProcess xxxx failed with error 5

Running Win 7 x64

Need more info let me know.

 

@ erikloman

Are you planning to build in termination protection ? =

 

Yes

 

@ erikloman

Good

 

Thanks. I will have a look at it.

 

HitmanPro.Alert Beta 3a Released

Changelog

• Added support for 64-bit browsers (like Waterfox, Opera 12, etc.).
  Support for 64-bit Windows was already in previous beta's.
• Added detection of DLL substitution.
  ZeroAccess/Sirefef malware uses this technique to advertise its own malicious DLL as mswsock.dll so that other components bind up to the malicious DLL. This technique doesn't use API hooks.
• Improved CPU load of scanner.
• Added preliminary Dutch strings. More complete translations will be present in the next release.
• Added colors to the details: red marks possible malicious entries that triggered the alert.
• Changed the color of the Flyout to green.
• Fixed a problem in the updater.
• Several other improvements related to the GUI.
• Solved a false positive (Beta3a)

There is a bug in Beta 2 which prevents it from automatically updating to Beta 3
So please uninstall existing Beta versions before installing Beta 3.

32-bit: http://dl.surfright.nl/beta/hmpalert.exe
64-bit: http://dl.surfright.nl/beta/hmpalert_x64.exe

Please let me know how this version runs. Any problems like lingering hmpalert.exe processes or excessive CPU load > 3% .