HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,240
    Location:
    the Netherlands
    It was the way you put your post at Erik, together with the emoticon you used, that made it seem rather disgruntled. That is why I replied the way I did.
    Sometimes it may be better not to use an emoticon. Even plain text alone can be misinterpreted sometimes, and certain emoticons can make it worse.
     
  2. Alkajak

    Alkajak Registered Member

    Joined:
    Mar 6, 2016
    Posts:
    125
    Lmfao, really? Should I over-analyze my use of internet abbreviations too? I'm not trying to be a dick, but I tagged Erik (not you, so I don't even know why I'm having this discussion to begin with) because that's how one communicates with another in a forum post. My use of an emoticon was really none of your concern.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    When you post it becomes public and fair game.
     
  4. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,240
    Location:
    the Netherlands
    Well, see it as you like, but if you post on a forum, even if you tag someone specific, others may feel the need to respond, for various reasons. Even (or in particular) regarding differences over etiquette. But as this is very off-topic, I will end my contribution to this debate.
     
  5. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    853
    Location:
    USA
    All good here with HMPA 3.6.3 Build 586, Win 10 Pro x64 v1607, and Avira Pro 15.0.24.146 :)

    I did notice the earlier comments about C:\Windows\CryptoGuard not being accessible for file deletion until the CryptoGuard protection is disabled. I have been using the CCleaner Custom Files and Folders cleanup to address the old files in this location, and can confirm that CCleaner no longer sees any CryptoGuard files. I have 6 files in this folder currently. Not a problem for me, just wanted to mention this point.

    To test this, I disabled CryptoGuard, re-ran CCleaner, and it picked up the old files. Re-started CryptoGuard, and all is well.
     
  6. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    All working on Windows 10 Pro x64, Insider Preview, Build 15031 (Redstone 2). Thanks guys :thumb:
     
  7. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    HitmanPro.Alert 3.6.3 Build 586 RC2
    W7-x64 Professional:
    Installed HitmanPro.Alert 3.6.3 build 586 RC2 over build 582 RC1, running it now for a few days, no issues whatsoever.
     
  8. mrhex1

    mrhex1 Registered Member

    Joined:
    Jul 2, 2016
    Posts:
    19
    Location:
    Timbuktu
    I can report that I got almost exactly the same IAF trigger with HMPA thrice. I haven't been able to get it to trigger every time though. HMPA has triggered about three times now for this though. Perhaps I may roll back to build 582 since I don't use OpenOffice or any of its variants.
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    Probable false positive:

    Code:
    Log Name:      Application
    Source:        HitmanPro.Alert
    Date:          14/02/2017 8:19:42 PM
    Event ID:      911
    Task Category: Mitigation
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Krusty-PC
    Description:
    Mitigation   ROP
    
    Platform     10.0.14393/x64 v586 06_37*
    PID          6212
    Application  C:\Program Files\Cyberfox\Cyberfox.exe
    Description  Cyberfox 51.0.3
    
    Callee Type  LoadLibrary
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFF7899CD7F KernelBase.dll           LoadLibraryExW +0x16f
    2  00007FFF789C606A KernelBase.dll           UnhandledExceptionFilter +0x21a
    3  00007FFF7C3BED1B ntdll.dll               
    4  00007FFF7C3A6BD6 ntdll.dll                __C_specific_handler +0x96
    5  00007FFF7C3BAB9D ntdll.dll                __chkstk +0x11d
    6  00007FFF7C359913 ntdll.dll               
    7  00007FFF7C3B9CBA ntdll.dll                KiUserExceptionDispatcher +0x3a
    
    8  0000015FE63D55BC xul.dll                 
                        cc                       INT 3       
    
    9  00007FFF53BBE7E9 nss3.dll               
    10 00007FFF53BAF462 nss3.dll               
    
    Process Trace
    1  C:\Program Files\Cyberfox\Cyberfox.exe [6212]
    2  C:\Windows\explorer.exe [1112]
    3  C:\Windows\System32\userinit.exe [304]
    4  C:\Windows\System32\winlogon.exe [720]
    winlogon.exe
    
    Thumbprint
    8d23be7a68fa86e40edf551a88db3e554ee00622a0d81efb127a7b750af00175
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-02-14T09:19:42.050226100Z" />
        <EventRecordID>33282</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Krusty-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Program Files\Cyberfox\Cyberfox.exe</Data>
        <Data>ROP</Data>
        <Data>Mitigation   ROP
    
    Platform     10.0.14393/x64 v586 06_37*
    PID          6212
    Application  C:\Program Files\Cyberfox\Cyberfox.exe
    Description  Cyberfox 51.0.3
    
    Callee Type  LoadLibrary
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFF7899CD7F KernelBase.dll           LoadLibraryExW +0x16f
    2  00007FFF789C606A KernelBase.dll           UnhandledExceptionFilter +0x21a
    3  00007FFF7C3BED1B ntdll.dll               
    4  00007FFF7C3A6BD6 ntdll.dll                __C_specific_handler +0x96
    5  00007FFF7C3BAB9D ntdll.dll                __chkstk +0x11d
    6  00007FFF7C359913 ntdll.dll               
    7  00007FFF7C3B9CBA ntdll.dll                KiUserExceptionDispatcher +0x3a
    
    8  0000015FE63D55BC xul.dll                 
                        cc                       INT 3       
    
    9  00007FFF53BBE7E9 nss3.dll               
    10 00007FFF53BAF462 nss3.dll               
    
    Process Trace
    1  C:\Program Files\Cyberfox\Cyberfox.exe [6212]
    2  C:\Windows\explorer.exe [1112]
    3  C:\Windows\System32\userinit.exe [304]
    4  C:\Windows\System32\winlogon.exe [720]
    winlogon.exe
    
    Thumbprint
    8d23be7a68fa86e40edf551a88db3e554ee00622a0d81efb127a7b750af00175</Data>
      </EventData>
    </Event>
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Browser is crashing. In some cases this triggers an exploit mitigation as well.
     
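    The crash-handler pattern Erik describes can be checked mechanically. The following is an added example, not code from HitmanPro.Alert or from anyone in this thread: a Python script that parses the Event ID 911 description Krusty posted (frame list abbreviated) and flags a ROP alert whose callee is reached through Windows exception dispatch (KiUserExceptionDispatcher to UnhandledExceptionFilter to LoadLibraryExW) as a probable crash path rather than an attacker-built chain. The field and frame layout it expects is taken from the log above.

```python
import re

# Excerpt of the Event ID 911 description posted in this thread, abbreviated
# to the frames that matter for triage (constructed test input for this script).
SAMPLE_EVENT = """\
Mitigation   ROP

Platform     10.0.14393/x64 v586 06_37*
PID          6212
Application  C:\\Program Files\\Cyberfox\\Cyberfox.exe
Description  Cyberfox 51.0.3

Callee Type  LoadLibrary

Stack Trace
#  Address          Module                   Location
-- ---------------- ------------------------ ----------------------------------------
1  00007FFF7899CD7F KernelBase.dll           LoadLibraryExW +0x16f
2  00007FFF789C606A KernelBase.dll           UnhandledExceptionFilter +0x21a
4  00007FFF7C3A6BD6 ntdll.dll                __C_specific_handler +0x96
7  00007FFF7C3B9CBA ntdll.dll                KiUserExceptionDispatcher +0x3a

8  0000015FE63D55BC xul.dll
                    cc                       INT 3

Process Trace
1  C:\\Program Files\\Cyberfox\\Cyberfox.exe [6212]
"""

FIELD_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description|Callee Type)\s{2,}(.+?)\s*$")
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{16})\s+(\S+)(?:\s+(\S.*?))?\s*$")
# Frames that belong to Windows' own exception dispatch, not to attacker-controlled code.
EXCEPTION_PATH = {"KiUserExceptionDispatcher", "__C_specific_handler", "UnhandledExceptionFilter"}

def parse_event(text):
    """Split an HMPA mitigation description into header fields and stack frames."""
    fields, frames, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if line in ("Stack Trace", "Process Trace"):
            section = line
            continue
        m = FIELD_RE.match(line)
        if m and section is None:
            fields[m.group(1)] = m.group(2)
        elif section == "Stack Trace" and (m := FRAME_RE.match(line)):
            # group(4) is None when HMPA printed no symbol for the frame
            frames.append({"n": int(m.group(1)), "addr": int(m.group(2), 16),
                           "module": m.group(3), "symbol": (m.group(4) or "").split(" ")[0]})
    return {"fields": fields, "frames": frames}

def triage(event):
    """'crash-path' if the flagged callee sits on top of the exception dispatch
    chain (a crashing process reaching LoadLibrary from its unhandled-exception
    filter), otherwise 'review'. Returns (verdict, notes)."""
    frames, notes = event["frames"], []
    on_path = [f["symbol"] for f in frames if f["symbol"] in EXCEPTION_PATH]
    if on_path:
        notes.append("exception dispatch frames present: " + ", ".join(on_path))
    if len(frames) > 1 and frames[0]["symbol"].startswith("LoadLibrary") \
            and frames[1]["symbol"] == "UnhandledExceptionFilter":
        notes.append("callee invoked directly by UnhandledExceptionFilter")
    unresolved = [f["n"] for f in frames if not f["symbol"]]
    if unresolved:
        notes.append("frames without symbols: " + ", ".join(map(str, unresolved)))
    return ("crash-path" if on_path else "review"), notes
```

A "crash-path" verdict only says the alert is consistent with Erik's explanation; the unresolved xul.dll frame sitting on an INT 3 is still worth a look in the browser's own crash reporter.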
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We will whitelist this shortly (per cloud).
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The component steals a pointer from another component.

    We will whitelist this particular component.
     
  13. Libraman

    Libraman Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    91
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    36,655
    Correct. Build 586 can now be downloaded from their website.
     
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,240
    Location:
    the Netherlands
    Hmm.. I see. So the previous RC2 is now the release version.

    Hmm.. I really wonder whether that is a smart thing to do, as the CryptoGuard and LibreOffice x86 on Win x64 issue is not fixed in HMPA 3.6.3.586 -- note that Erik was still working on that!

    I think it is not wise to offer this build as release version, for the reasons that I mentioned before.

    Perhaps this was a calculated decision, as most users won't do the thing that I do that triggers the CryptoGuard issue that I reported.
    Nevertheless, I think it would have been better to fix that issue before releasing HMPA 3.6.3.586.
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    Thanks. I realise now that VoodooShield also blocked Cyberfox's Plugin Container after I closed CF too, so maybe that is what happened and why CF crashed.
     
  17. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    647
    Location:
    Far East
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    36,655
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    36,655
    I'm sure they will fix it with one of the next beta-versions.

    And as you yourself said, the average user isn't doing such things so the issue isn't triggered for them.
    This might be a reason why they have released it now instead of delaying it any further. :doubt:
     
  21. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,240
    Location:
    the Netherlands
    Yes, I suppose so.
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    I just found that keystrokes are scrambled in IE 11 on this machine. Disabling Keystroke Encryption solves it but enabling it scrambles keystrokes again.

    Edit: Never mind. After a restart the keystrokes are no longer scrambled. Maybe related to an earlier false positive detection by Avast again this morning.
     
    Last edited: Feb 14, 2017
  23. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    954
    @erikloman

    Sent you a mail with a couple of hmpalert-dmps.
     
  24. Aura

    Aura Registered Member

    Joined:
    Mar 19, 2015
    Posts:
    107
    Location:
    Québec, Canada
  25. MtrXUser

    MtrXUser Registered Member

    Joined:
    Feb 15, 2017
    Posts:
    5
    Location:
    Solar System
    Hello everyone,
    I have HitmanPro installed on my PC [trial version].
    As I started the Edge browser, it came up with the alert:
    Intruder detected! Do not enter personal data or bank online.

    Intruder
    Code:
    PID          13236
    Application  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe
    Description  Microsoft Edge Content Process 11
    
    Detour Report
    #  Address             Owner                    Disassembly
    -- ------------------  ------------------------ ------------------------
    EncryptMessage *
     1 0x00007FFA70DB5880  SspiCli.dll              JMP 0x7ffa712d1568
     2 0x00007FFA712D1568  (anonymous)            
    
    FilterConnectCommunicationPort
     1 0x00007FFA70FF20A0  fltlib.dll               JMP 0x7ffa712d0180
     2 0x00007FFA712D0180  (anonymous)            
    
    FilterSendMessage
     1 0x00007FFA70FF22D0  fltlib.dll               JMP 0x7ffa712d01b8
     2 0x00007FFA712D01B8  (anonymous)            
    
    NtUserBlockInput
     1 0x00007FFA718D7870  win32u.dll               JMP 0x7ffa712d0d88
     2 0x00007FFA712D0D88  (anonymous)            
    
    NtUserClipCursor
     1 0x00007FFA718D7A50  win32u.dll               JMP 0x7ffa712d0f10
     2 0x00007FFA712D0F10  (anonymous)            
    
    NtUserGetKeyboardState
     1 0x00007FFA718D1F70  win32u.dll               JMP 0x7ffa712d0c00
     2 0x00007FFA712D0C00  (anonymous)            
    
    NtUserMoveWindow
     1 0x00007FFA718D1C30  win32u.dll               JMP 0x7ffa712d0d18
     2 0x00007FFA712D0D18  (anonymous)            
    
    NtUserRegisterHotKey
     1 0x00007FFA718D9090  win32u.dll               JMP 0x7ffa712d0df8
     2 0x00007FFA712D0DF8  (anonymous)            
    
    NtUserRegisterRawInputDevices
     1 0x00007FFA718D9110  win32u.dll               JMP 0x7ffa712d0ca8
     2 0x00007FFA712D0CA8  (anonymous)            
    
    NtUserSendInput
     1 0x00007FFA718D20B0  win32u.dll               JMP 0x7ffa712d0bc8
     2 0x00007FFA712D0BC8  (anonymous)            
    
    BitBlt
     1 0x00007FFA73502E80  GDI32.dll                JMP 0x7ffa712d0458
     2 0x00007FFA712D0458  (anonymous)            
    
    CreateDCA
     1 0x00007FFA735038A0  GDI32.dll                JMP 0x7ffa712d0260
     2 0x00007FFA712D0260  (anonymous)            
    
    CreateDCW
     1 0x00007FFA73504190  GDI32.dll                JMP 0x7ffa712d0298
     2 0x00007FFA712D0298  (anonymous)            
    
    DeleteDC
     1 0x00007FFA73502080  GDI32.dll                JMP 0x7ffa712d0378
     2 0x00007FFA712D0378  (anonymous)            
    
    GdiAlphaBlend
     1 0x00007FFA73505450  GDI32.dll                JMP 0x7ffa712d0340
     2 0x00007FFA712D0340  (anonymous)            
    
    GdiTransparentBlt
     1 0x00007FFA735054E0  GDI32.dll                JMP 0x7ffa712d0308
     2 0x00007FFA712D0308  (anonymous)            
    
    GetPixel
     1 0x00007FFA73504660  GDI32.dll                JMP 0x7ffa712d02d0
     2 0x00007FFA712D02D0  (anonymous)            
    
    MaskBlt
     1 0x00007FFA7350BE50  GDI32.dll                JMP 0x7ffa712d0490
     2 0x00007FFA712D0490  (anonymous)            
    
    PlgBlt
     1 0x00007FFA735056C0  GDI32.dll                JMP 0x7ffa712d04c8
     2 0x00007FFA712D04C8  (anonymous)            
    
    StretchBlt
     1 0x00007FFA73503010  GDI32.dll                JMP 0x7ffa712d0500
     2 0x00007FFA712D0500  (anonymous)            
    
    EnableWindow
     1 0x00007FFA737CA310  USER32.dll               JMP 0x7ffa712d0ea0
     2 0x00007FFA712D0EA0  (anonymous)            
    
    EndTask
     1 0x00007FFA73803370  USER32.dll               JMP 0x7ffa712d0228
     2 0x00007FFA712D0228  (anonymous)            
    
    ExitWindowsEx
     1 0x00007FFA737CB460  USER32.dll               JMP 0x7ffa712d0ed8
     2 0x00007FFA712D0ED8  (anonymous)            
    
    GetAsyncKeyState
     1 0x00007FFA737C4530  USER32.dll               JMP 0x7ffa712d0c70
     2 0x00007FFA712D0C70  (anonymous)            
    
    GetClipboardData
     1 0x00007FFA737D00D0  USER32.dll               JMP 0x7ffa712d0dc0
     2 0x00007FFA712D0DC0  (anonymous)            
    
    GetKeyState
     1 0x00007FFA737C4650  USER32.dll               JMP 0x7ffa712d0c38
     2 0x00007FFA712D0C38  (anonymous)            
    
    GetMessageA
     1 0x00007FFA737BE8B0  USER32.dll               JMP 0x7ffa557d0d4e
     2 0x00007FFA557D0D4E  (unknown)              
    
    GetMessageW
     1 0x00007FFA737C4840  USER32.dll               JMP 0x7ffa557d0d0e
     2 0x00007FFA557D0D0E  (unknown)              
    
    IsDialogMessage
     1 0x00007FFA738061F0  USER32.dll               JMP 0x7ffa712d06c0
     2 0x00007FFA712D06C0  (anonymous)            
    
    IsDialogMessageW
     1 0x00007FFA737B41F0  USER32.dll               JMP 0x7ffa712d06f8
     2 0x00007FFA712D06F8  (anonymous)            
    
    keybd_event
     1 0x00007FFA73837700  USER32.dll               JMP 0x7ffa712d0538
     2 0x00007FFA712D0538  (anonymous)            
    
    mouse_event
     1 0x00007FFA737CB030  USER32.dll               JMP 0x7ffa712d0570
     2 0x00007FFA712D0570  (anonymous)            
    
    PeekMessageA
     1 0x00007FFA737BE300  USER32.dll               JMP 0x7ffa557d0cce
     2 0x00007FFA557D0CCE  (unknown)              
    
    PeekMessageW
     1 0x00007FFA737BE430  USER32.dll               JMP 0x7ffa557d0c8e
     2 0x00007FFA557D0C8E  (unknown)              
    
    PostMessageA
     1 0x00007FFA737C8C20  USER32.dll               JMP 0x7ffa712d08b8
     2 0x00007FFA712D08B8  (anonymous)            
    
    PostMessageW
     1 0x00007FFA737BAFA0  USER32.dll               JMP 0x7ffa712d08f0
     2 0x00007FFA712D08F0  (anonymous)            
    
    PostThreadMessageA
     1 0x00007FFA737C8BA0  USER32.dll               JMP 0x7ffa712d0928
     2 0x00007FFA712D0928  (anonymous)            
    
    PostThreadMessageW
     1 0x00007FFA737C6760  USER32.dll               JMP 0x7ffa712d0960
     2 0x00007FFA712D0960  (anonymous)            
    
    SendDlgItemMessageA
     1 0x00007FFA73837F80  USER32.dll               JMP 0x7ffa712d0b58
     2 0x00007FFA712D0B58  (anonymous)            
    
    SendDlgItemMessageW
     1 0x00007FFA737A1A90  USER32.dll               JMP 0x7ffa712d0b90
     2 0x00007FFA712D0B90  (anonymous)            
    
    SendMessageA
     1 0x00007FFA737B8390  USER32.dll               JMP 0x7ffa712d0998
     2 0x00007FFA712D0998  (anonymous)            
    
    SendMessageCallbackA
     1 0x00007FFA738329D0  USER32.dll               JMP 0x7ffa712d0a78
     2 0x00007FFA712D0A78  (anonymous)            
    
    SendMessageCallbackW
     1 0x00007FFA737C6BB0  USER32.dll               JMP 0x7ffa712d0ab0
     2 0x00007FFA712D0AB0  (anonymous)            
    
    SendMessageTimeoutA
     1 0x00007FFA737CF2B0  USER32.dll               JMP 0x7ffa712d0a08
     2 0x00007FFA712D0A08  (anonymous)            
    
    SendMessageTimeoutW
     1 0x00007FFA737BF5D0  USER32.dll               JMP 0x7ffa712d0a40
     2 0x00007FFA712D0A40  (anonymous)            
    
    SendMessageW
     1 0x00007FFA737B0EF0  USER32.dll               JMP 0x7ffa712d09d0
     2 0x00007FFA712D09D0  (anonymous)            
    
    SendNotifyMessageA
     1 0x00007FFA737CF270  USER32.dll               JMP 0x7ffa712d0ae8
     2 0x00007FFA712D0AE8  (anonymous)            
    
    SendNotifyMessageW
     1 0x00007FFA737B9530  USER32.dll               JMP 0x7ffa712d0b20
     2 0x00007FFA712D0B20  (anonymous)            
    
    SetClipboardViewer
     1 0x00007FFA737D0480  USER32.dll               JMP 0x7ffa712d0d50
     2 0x00007FFA712D0D50  (anonymous)            
    
    SetParent
     1 0x00007FFA737CB740  USER32.dll               JMP 0x7ffa712d0ce0
     2 0x00007FFA712D0CE0  (anonymous)            
    
    SetSystemCursor
     1 0x00007FFA73836E50  USER32.dll               JMP 0x7ffa712d0f80
     2 0x00007FFA712D0F80  (anonymous)            
    
    SetWindowLongA
     1 0x00007FFA737CC0C0  USER32.dll               JMP 0x7ffa712d07d8
     2 0x00007FFA712D07D8  (anonymous)            
    
    SetWindowLongPtrA
     1 0x00007FFA737B97F0  USER32.dll               JMP 0x7ffa712d0848
     2 0x00007FFA712D0848  (anonymous)            
    
    SetWindowLongPtrW
     1 0x00007FFA737B7DB0  USER32.dll               JMP 0x7ffa712d0880
     2 0x00007FFA712D0880  (anonymous)            
    
    SetWindowLongW
     1 0x00007FFA737B1310  USER32.dll               JMP 0x7ffa712d0810
     2 0x00007FFA712D0810  (anonymous)            
    
    SetWindowsHookExA
     1 0x00007FFA737A2730  USER32.dll               JMP 0x7ffa712d0730
     2 0x00007FFA712D0730  (anonymous)            
    
    SetWindowsHookExW
     1 0x00007FFA737C7490  USER32.dll               JMP 0x7ffa712d0768
     2 0x00007FFA712D0768  (anonymous)            
    
    SetWinEventHook
     1 0x00007FFA737C7D70  USER32.dll               JMP 0x7ffa712d07a0
     2 0x00007FFA712D07A0  (anonymous)            
    
    SwitchDesktop
     1 0x00007FFA737CC210  USER32.dll               JMP 0x7ffa712d0f48
     2 0x00007FFA712D0F48  (anonymous)            
    
    SystemParametersInfoA
     1 0x00007FFA737C3700  USER32.dll               JMP 0x7ffa712d0e30
     2 0x00007FFA712D0E30  (anonymous)            
    
    SystemParametersInfoW
     1 0x00007FFA737BEB50  USER32.dll               JMP 0x7ffa712d0e68
     2 0x00007FFA712D0E68  (anonymous)            
    
    TranslateMessage
     1 0x00007FFA737B5330  USER32.dll               JMP 0x7ffa712d0688
     2 0x00007FFA712D0688  (anonymous)            
    
    
    Thumbprint
    b5e7d128298cf8bfd915a73fe742b51904afd7f1ea3bae69a26fa9905e71f976
    I scanned in normal and safe mode with HitmanPro; ESET Online Scanner, Malwarebytes Anti-Malware, Avira, ZoneAlarm antivirus scanner, Bitdefender, SUPERAntiSpyware, Spybot Search and Destroy, Comodo virus scanner, herdProtect, Trend Micro HouseCall scanner, Reason Core Security, Security Task Manager, Emsisoft Emergency Kit scanner, Kaspersky TDSSKiller rootkit scanner. But found nothing!
    What should I do now?
     
    Last edited by a moderator: Feb 15, 2017