HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    73
    Location:
    Long Beach, WA
    Build 737 did this on two computers

    Code:
    Intruder
    
    PID          14756
    Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description  Google Chrome 64
    
    Detour Report
    #  Address             Owner                    Disassembly
    -- ------------------  ------------------------ ------------------------
    HttpOpenRequestA *
     1 0x00007FFE21FA9500  WININET.dll              JMP QWORD [RIP+0x237afa]
     2 0x00007FFE221D000E  (anonymous)            
    
    HttpOpenRequestW *
     1 0x00007FFE21E81580  WININET.dll              JMP QWORD [RIP+0x33fa7a]
     2 0x00007FFE221B000E  (anonymous)            
    
    HttpSendRequestA
     1 0x00007FFE21EFD3D0  WININET.dll              JMP QWORD [RIP+0x3a3c2a]
     2 0x00007FFE2229000E  (anonymous)            
    
    HttpSendRequestExA *
     1 0x00007FFE21E67AF0  WININET.dll              JMP QWORD [RIP+0x47950a]
     2 0x00007FFE222D000E  (anonymous)            
    
    HttpSendRequestExW *
     1 0x00007FFE21F00620  WININET.dll              JMP QWORD [RIP+0x3c09da]
     2 0x00007FFE222B000E  (anonymous)            
    
    HttpSendRequestW
     1 0x00007FFE21E91D10  WININET.dll              JMP QWORD [RIP+0x3ef2ea]
     2 0x00007FFE2227000E  (anonymous)            
    
    InternetOpenUrlA *
     1 0x00007FFE21F84570  WININET.dll              JMP QWORD [RIP+0x29ca8a]
     2 0x00007FFE2221000E  (anonymous)            
    
    InternetOpenUrlW *
     1 0x00007FFE21F85090  WININET.dll              JMP QWORD [RIP+0x27bf6a]
     2 0x00007FFE221F000E  (anonymous)            
    
    InternetReadFile *
     1 0x00007FFE21E90390  WININET.dll              JMP QWORD [RIP+0x3b0c6a]
     2 0x00007FFE2223000E  (anonymous)            
    
    InternetReadFileExW *
     1 0x00007FFE21EF16A0  WININET.dll              JMP QWORD [RIP+0x36f95a]
     2 0x00007FFE2225000E  (anonymous)            
    
    URLDownloadToCacheFileA
     1 0x00007FFE2AEE5DB0  urlmon.dll               JMP QWORD [RIP+0x15b24a]
     2 0x00007FFE2B03000E  (anonymous)            
    
    URLDownloadToCacheFileW
     1 0x00007FFE2AE5CBC0  urlmon.dll               JMP QWORD [RIP+0x1c443a]
     2 0x00007FFE2B01000E  (anonymous)            
    
    URLDownloadToFileA
     1 0x00007FFE2AEE5F30  urlmon.dll               JMP QWORD [RIP+0x11b0ca]
     2 0x00007FFE2AFF000E  (anonymous)            
    
    URLDownloadToFileW
     1 0x00007FFE2AE5CD20  urlmon.dll               JMP QWORD [RIP+0x1842da]
     2 0x00007FFE2AFD000E  (anonymous)            
    
    URLOpenBlockingStreamA
     1 0x00007FFE2AEE6080  urlmon.dll               JMP QWORD [RIP+0x1daf7a]
     2 0x00007FFE2B0B000E  (anonymous)            
    
    URLOpenBlockingStreamW
     1 0x00007FFE2AEE6160  urlmon.dll               JMP QWORD [RIP+0x1bae9a]
     2 0x00007FFE2B09000E  (anonymous)            
    
    URLOpenStreamA
     1 0x00007FFE2AEE6420  urlmon.dll               JMP QWORD [RIP+0x19abda]
     2 0x00007FFE2B07000E  (anonymous)            
    
    URLOpenStreamW
     1 0x00007FFE2AEE64F0  urlmon.dll               JMP QWORD [RIP+0x17ab0a]
     2 0x00007FFE2B05000E  (anonymous)            
    
    CreateProcessA
     1 0x00007FFE39E5D810  KernelBase.dll           JMP QWORD [RIP+0x3837ea]
     2 0x00007FFE3A1D000E  (anonymous)            
    
    CreateProcessInternalA
     1 0x00007FFE39E5DC20  KernelBase.dll           JMP QWORD [RIP+0x3433da]
     2 0x00007FFE3A19000E  (anonymous)            
    
    CreateProcessInternalW
     1 0x00007FFE39E5EBF0  KernelBase.dll           JMP 0x7ffe3a14000e
     2 0x00007FFE3A14000E  (anonymous)            
    
    CreateProcessW
     1 0x00007FFE39E5D790  KernelBase.dll           JMP QWORD [RIP+0x36386a]
     2 0x00007FFE3A1B000E  (anonymous)            
    
    HeapCreate
     1 0x00007FFE39EBDFB0  KernelBase.dll           JMP QWORD [RIP+0x3e304a]
     2 0x00007FFE3A29000E  (anonymous)            
    
    VirtualAlloc
     1 0x00007FFE39EAE040  KernelBase.dll           JMP QWORD [RIP+0x352fba]
     2 0x00007FFE3A1F000E  (anonymous)            
    
    VirtualAllocEx
     1 0x00007FFE39EBE1D0  KernelBase.dll           JMP QWORD [RIP+0x382e2a]
     2 0x00007FFE3A23000E  (anonymous)            
    
    VirtualProtect
     1 0x00007FFE39EB4090  KernelBase.dll           JMP QWORD [RIP+0x36cf6a]
     2 0x00007FFE3A21000E  (anonymous)            
    
    VirtualProtectEx
     1 0x00007FFE39EC18E0  KernelBase.dll           JMP QWORD [RIP+0x39f71a]
     2 0x00007FFE3A25000E  (anonymous)            
    
    WriteProcessMemory
     1 0x00007FFE39ECA0B0  KernelBase.dll           JMP QWORD [RIP+0x3b6f4a]
     2 0x00007FFE3A27000E  (anonymous)            
    
    GetMessageA
     1 0x00007FFE3B2906E0  USER32.dll               JMP 0x7ffe26fd0d18
     2 0x00007FFE26FD0D18  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CCC8C0  hmpalert.dll            
    
    GetMessageW
     1 0x00007FFE3B293F50  USER32.dll               JMP 0x7ffe26fd0cd4
     2 0x00007FFE26FD0CD4  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CCC980  hmpalert.dll            
    
    PeekMessageA
     1 0x00007FFE3B290040  USER32.dll               JMP 0x7ffe26fd0c98
     2 0x00007FFE26FD0C98  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CCC720  hmpalert.dll            
    
    PeekMessageW
     1 0x00007FFE3B290170  USER32.dll               JMP 0x7ffe26fd0c58
     2 0x00007FFE26FD0C58  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CCC7F0  hmpalert.dll            
    
    WSAStartup
     1 0x00007FFE3B552220  WS2_32.dll               JMP QWORD [RIP+0x171edda]
     2 0x00007FFE3CC6000E  (anonymous)            
    
    CopyFileA
     1 0x00007FFE3B61A140  kernel32.dll             JMP QWORD [RIP+0x1536eba]
     2 0x00007FFE3CB4000E  (anonymous)            
    
    CopyFileW
     1 0x00007FFE3B5E2BF0  kernel32.dll             JMP QWORD [RIP+0x154e40a]
     2 0x00007FFE3CB2000E  (anonymous)            
    
    MoveFileA
     1 0x00007FFE3B61B590  kernel32.dll             JMP QWORD [RIP+0x14f5a6a]
     2 0x00007FFE3CB0000E  (anonymous)            
    
    MoveFileW
     1 0x00007FFE3B5CFB00  kernel32.dll             JMP QWORD [RIP+0x15114fa]
     2 0x00007FFE3CAD000E  (anonymous)            
    
    SetProcessDEPPolicy
     1 0x00007FFE3B5DFFC0  kernel32.dll             JMP QWORD [RIP+0x16b103a]
     2 0x00007FFE3CC8000E  (anonymous)            
    
    WinExec
     1 0x00007FFE3B61E660  kernel32.dll             JMP QWORD [RIP+0x155299a]
     2 0x00007FFE3CB6000E  (anonymous)            
    
    ShellExecuteExW
     1 0x00007FFE3B6D1800  SHELL32.dll              JMP QWORD [RIP+0x157f7fa]
     2 0x00007FFE3CC4000E  (anonymous)            
    
    ShellExecuteW
     1 0x00007FFE3B77D930  SHELL32.dll              JMP QWORD [RIP+0x14b36ca]
     2 0x00007FFE3CB8000E  (anonymous)            
    
    KiUserApcDispatcher
     1 0x00007FFE3CD63A20  ntdll.dll                JMP 0x7ffe26fd0d56
     2 0x00007FFE26FD0D56  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38D3F890  hmpalert.dll            
    
    LdrLoadDll
     1 0x00007FFE3CCD5AF0  ntdll.dll                JMP 0x7ffe26fd0e15
     2 0x00007FFE26FD0E15  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CA7A10  hmpalert.dll            
    
    LdrResolveDelayLoadedAPI
     1 0x00007FFE3CCE1CC0  ntdll.dll                JMP QWORD [RIP+0x1ef33a]
     2 0x00007FFE3CEC000E  (anonymous)            
    
    NtAllocateVirtualMemory
     1 0x00007FFE3CD60170  ntdll.dll                JMP 0x7ffe3cee000e
     2 0x00007FFE3CEE000E  (anonymous)            
    
    NtFreeVirtualMemory
     1 0x00007FFE3CD60230  ntdll.dll                JMP 0x7ffe26fd0f16
     2 0x00007FFE26FD0F16  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CA5830  hmpalert.dll            
    
    NtMapViewOfSection
     1 0x00007FFE3CD60370  ntdll.dll                JMP 0x7ffe26fd0e96
     2 0x00007FFE26FD0E96  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CA6CD0  hmpalert.dll            
    
    NtProtectVirtualMemory
     1 0x00007FFE3CD60870  ntdll.dll                JMP 0x7ffe3cf0000e
     2 0x00007FFE3CF0000E  (anonymous)            
    
    NtQueueApcThread
     1 0x00007FFE3CD60710  ntdll.dll                JMP 0x7ffe26fd0d96
     2 0x00007FFE26FD0D96  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CA77D0  hmpalert.dll            
    
    NtUnmapViewOfSection
     1 0x00007FFE3CD603B0  ntdll.dll                JMP 0x7ffe26fd0e56
     2 0x00007FFE26FD0E56  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CA7480  hmpalert.dll            
    
    NtWaitForDebugEvent
     1 0x00007FFE3CD63740  ntdll.dll                JMP 0x7ffe26fd0fd6
     2 0x00007FFE26FD0FD6  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CCF990  hmpalert.dll            
    
    RtlInstallFunctionTableCallback
     1 0x00007FFE3CD34250  ntdll.dll                JMP 0x7ffe26fd0f98
     2 0x00007FFE26FD0F98  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CA9E50  hmpalert.dll            
    
    
    Backwards compatible thumbprint:
    668ef8bf2e78f88ea90c1b4e87d501bfbd26e1893d3e8b06926ef2abef51fb0f
    
    Thumbprint
    b579a32c03a09580153481505a8e476aec4658b4809cc549f336715d570ca4e7
     
    Last edited by a moderator: Mar 10, 2018
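The "Detour Report" above lists, for each hooked export, the chain of jumps from the export's entry point to wherever control finally lands. As an added example (this is not HitmanPro.Alert's code, and the process image below is a constructed stand-in, not a live process), the following C shows how such a chain is derived: decode the two x64 JMP encodings that appear in the report (`E9 rel32` and `FF 25 disp32`, i.e. `JMP QWORD [RIP+disp32]`), follow them through memory, and label each hop with its owning module or `(anonymous)`. The addresses and module names are copied from the GetMessageA entry purely as labels; the bytes at those addresses are fabricated here so the chain resolves offline.

```c
/* Added example, not HitmanPro.Alert code: derive a detour chain like the
 * GetMessageA entry in the report by decoding x64 JMPs and following them.
 * The process image, bytes and owner names below are constructed stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One mapped region of the simulated process.  owner "" means private memory
 * that belongs to no module; it is printed as "(anonymous)" like the report. */
typedef struct {
    uint64_t base;
    uint8_t *bytes;
    size_t size;
    const char *owner;
} region_t;

static const region_t *find_region(const region_t *map, size_t n, uint64_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= map[i].base && addr - map[i].base < map[i].size) return &map[i];
    return NULL;
}

const char *owner_of(const region_t *map, size_t n, uint64_t addr) {
    const region_t *r = find_region(map, n, addr);
    return (r && r->owner[0]) ? r->owner : "(anonymous)";
}

/* Decode a JMP at addr and return its control-flow target:
 *   E9 rel32      direct JMP,             target = addr + 5 + rel32
 *   FF 25 disp32  JMP QWORD [RIP+disp32], target = *(uint64_t *)(addr + 6 + disp32)
 * Any other opcode is treated as "not detoured" and 0 is returned. */
int decode_jmp(const region_t *map, size_t n, uint64_t addr, uint64_t *target) {
    const region_t *r = find_region(map, n, addr);
    if (!r) return 0;
    size_t off = addr - r->base, left = r->size - off;
    const uint8_t *p = r->bytes + off;
    int32_t imm;
    if (left >= 5 && p[0] == 0xE9) {
        memcpy(&imm, p + 1, 4);
        *target = addr + 5 + (int64_t)imm;
        return 1;
    }
    if (left >= 6 && p[0] == 0xFF && p[1] == 0x25) {
        memcpy(&imm, p + 2, 4);
        uint64_t slot = addr + 6 + (int64_t)imm;          /* RIP-relative pointer slot */
        const region_t *s = find_region(map, n, slot);
        if (!s || slot - s->base + 8 > s->size) return 0;
        memcpy(target, s->bytes + (slot - s->base), 8);   /* little-endian host assumed */
        return 1;
    }
    return 0;
}

/* Follow JMPs from an export's entry point.  hops[0] is the export itself;
 * walking stops at the first non-JMP byte or after max_hops (loop guard). */
int walk_detours(const region_t *map, size_t n, uint64_t entry, uint64_t *hops, int max_hops) {
    int count = 0;
    for (uint64_t cur = entry; count < max_hops; ) {
        hops[count++] = cur;
        if (!decode_jmp(map, n, cur, &cur)) break;
    }
    return count;
}

/* --- constructed process image; the addresses are used only as labels --- */
static uint8_t user32[0x1000], page[0x1000], hmpa[0x1000];
static region_t image[] = {
    { 0x00007FFE3B290000ULL, user32, sizeof user32, "USER32.dll" },
    { 0x00007FFE26FD0000ULL, page,   sizeof page,   "" },
    { 0x00007FFE38CCC000ULL, hmpa,   sizeof hmpa,   "hmpalert.dll" },
};

static void put_jmp_rel32(region_t *r, uint64_t at, uint64_t target) {
    uint8_t *p = r->bytes + (at - r->base);
    int32_t rel = (int32_t)(int64_t)(target - (at + 5));
    p[0] = 0xE9; memcpy(p + 1, &rel, 4);
}
/* FF 25 00 00 00 00 followed by the 8-byte pointer: the "JMP QWORD [RIP+0x0]" form */
static void put_jmp_rip0(region_t *r, uint64_t at, uint64_t target) {
    uint8_t *p = r->bytes + (at - r->base);
    p[0] = 0xFF; p[1] = 0x25; memset(p + 2, 0, 4); memcpy(p + 6, &target, 8);
}

const region_t *demo_image(size_t *n) {
    put_jmp_rel32(&image[0], 0x00007FFE3B2906E0ULL, 0x00007FFE26FD0D18ULL); /* GetMessageA */
    put_jmp_rip0 (&image[1], 0x00007FFE26FD0D18ULL, 0x00007FFE38CCC8C0ULL); /* trampoline */
    hmpa[0x8C0] = 0x48;   /* fabricated first byte of the final handler: not a JMP */
    *n = sizeof image / sizeof image[0];
    return image;
}

int main(void) {
    size_t n; const region_t *map = demo_image(&n);
    uint64_t hops[8];
    int count = walk_detours(map, n, 0x00007FFE3B2906E0ULL, hops, 8);
    puts("GetMessageA");
    for (int i = 0; i < count; i++)
        printf(" %d 0x%016llX  %s\n", i + 1, (unsigned long long)hops[i], owner_of(map, n, hops[i]));
    return 0;
}
```

The two-hop entries in the report (WININET.dll straight to an `(anonymous)` page) are the `FF 25` case with a non-zero displacement: the pointer slot lives some distance from the hooked export, and the value stored there is what the second row shows. A real scanner reads the bytes with ReadProcessMemory and resolves owners from the loaded-module list instead of this fixed table; the decoding and chain-walking are the same.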
  2. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    73
    Location:
    Long Beach, WA
    Build 737
    Code:
    Intruder
    
    PID          15132
    Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description  Google Chrome 64
    
    Code Injection
    0000025C026AC000-0000025C026AD000  4KB  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [14756]
    00007FFE3CD60000-00007FFE3CD61000  4KB
    00007FFE3CD62000-00007FFE3CD63000  4KB
    
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [14756]
    2 C:\Windows\explorer.exe [7436]
    3 C:\Windows\System32\userinit.exe [6460]
    4 C:\Windows\System32\winlogon.exe [832]
    winlogon.exe
    
    Thumbprint
    b579a32c03a09580153481505a8e476aec4658b4809cc549f336715d570ca4e7
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,950
    Been doing some testing against malware, and this latest version of HMPA is definitely much better on catching stuff. Well done.
     
  4. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,078
    I'm still getting BSODs shutting down when in shadow mode (Shadow Defender) on Win7 32-bit. Not going to bother testing on XP which has the same problem. Do BSODs count as being fixable? :thumbd:

    For me on Win7/XP 32-bit, HMPA has been broken on all versions released after v604, which I am rolling back to now. :rolleyes: The problem has been acknowledged, but no ETA in sight based on so many broken releases.:( Dump attached if anyone at Surfright is interested.
     

    Last edited: Mar 11, 2018
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,063
    Location:
    Outer space
    New build, so far so good on 2 machines: Win7x64 and Win10x64 FCU.

    Do older versions of Windows also take advantage of this or is it limited to w10?
     
  6. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,078
    What is this all about? I don't want an update for HMPA. I need to stay at v604
    Is the AutoUpdate=0 registry setting no longer valid?

    Edit: I may have forgotten to shutdown/restart after installing 604 offline and applying the registry update. Seems HMPA only looks at those settings on boot. I will retry and see.
     

    Attached Files: HMPA.png (537.9 KB)
    Last edited: Mar 12, 2018
  7. Damnatus

    Damnatus Registered Member

    Joined:
    Dec 29, 2015
    Posts:
    16
    bump
     
  8. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    73
    Location:
    Long Beach, WA
    Update... this error could be related to HMPA licensing somehow. I had this same error on three computers whose license had just expired. As soon as I updated the program to build 737, this error happened every time Chrome was opened. After I activated a new license, the error was gone. By the way, HMPA does nothing to indicate an expired license; my customers rarely notice the expiration. There should be a notification, and the tray icon should change to indicate an expired license, don't you think?

     
    Last edited: Mar 11, 2018
  9. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    625
    Location:
    USA
    Just curious because I am running Glasswire too. What would be the reason for protecting a firewall application? In general is this advisable, and in a more general context the question might be what should we not protect with HMPA?
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    5,964
    Location:
    Among the gum trees
    I'm sure I read somewhere in this thread @erikloman posted not to add security programs, but in 590+ pages please don't ask me to find it.
     
  11. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    625
    Location:
    USA
    I believe you are correct. My assumption is that the priority would be for browsers, email, office programs, and media players. Things that are internet facing and open files that may contain payloads received externally. I would also assume that most every other exploit should be covered by the risk reduction and anti-malware modules.
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,065
    Location:
    Under a bushel ...
    +1. I have Glasswire, but didn't add it.
    Indeed, I have excluded all my security programs ...
     
  13. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    120
    Location:
    Canada
    I use Glasswire for the Usage and Alerts features. I use Comodo for my firewall. I chose to protect Glasswire because it is Internet facing and assumed that was a good practice for any program that is Internet facing (other than my Comodo security suite).

    Perhaps, I am wrong. I think your second question is a valid one.
     
  14. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    625
    Location:
    USA
    I guess that I am thinking that since Glasswire doesn't actually open files, and uses the Windows Filtering Platform for accessing network traffic, there wouldn't be any risks involved in that activity.

    But I could be wrong about that.
     
  15. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    494
    Location:
    Hengelo
    HitmanPro.Alert 3.7.6 Build 738 Released

    Changelog (compared to build 737)
    • Improved Credential Theft Protection mitigation (LSASS shielding) so it no longer alerts on non-committed memory, which caused false positive alerts
    • Added /qspectre compile flag on main hmpalert.exe binary
    Download
    https://dl.surfright.nl/hmpalert3.exe

    Users running build 737 are automatically updated to build 738. Other users will start receiving build 738 in a few days.
    Let us know how this version runs on your machine, thanks! :thumb:
     
    Last edited: Mar 13, 2018
  16. newyorkjet

    newyorkjet Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    60
    Location:
    UK
    Rebooted after on-screen notification of upgrade awaiting reboot. Flawless upgrade from 737 to 738. Everything working well so far
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,065
    Location:
    Under a bushel ...
    +1
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,950
    Ditto on 738 here also.
     
  19. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,706
    Location:
    DC Metro Area
    738 showing "Anti-Malware Offline"

    AM is "Enabled" but GUI indicates AM is not functioning.
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    6,566
    It can take some time until it recognizes a connection to the cloud.
     
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,706
    Location:
    DC Metro Area
    Thanks @mood :)

    That was it -- took over an hour to connect but all is OK now.
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    6,566
    Ok, good to hear :thumb:
     
  23. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    288
    Location:
    Netherlands
    +1
     
  24. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    120
    Location:
    Canada
    Things are working fine for me as well.

    This was actually the first time the client automatically updated before I had a chance to manually apply the update.
     
  25. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,087
    Location:
    USA
    Anyone using this latest version with XP?
     