HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    HitmanPro detected this.
    Is this good or bad?

    Code:
    Properties
    Name	iexplore.exe
    Location	C:\Program Files (x86)\Internet Explorer
    Size	731 KB
    Time	-3816.0 days ago (2012-06-12 20:21:25)
    Authenticode	Valid
    Entropy	6.6
    Product	Windows® Internet Explorer
    Publisher	Microsoft Corporation
    Description	Internet Explorer
    Version	9.00.8112.16446
    Copyright	© Microsoft Corporation. All rights reserved.
    RSA Key Size	2048
    SHA-256	BE7A6B1D8C731A1DC4A5185E22901943EBA552246BA41AA30646B76EAAE3AE43
    
    Scoring (6.0)
    Program is impersonating a common Windows system file. This is typical for malware.
    Time indicates that the file appeared recently on this computer.
    Program starts automatically without user intervention.
    The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
    Program is code signed with a valid Authenticode certificate.
    
    Startup
    HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\
    HKLM\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\
    
    References
    C:\Users\Ad\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    C:\Users\Ad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
    C:\Users\Ad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    C:\Users\Stan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    C:\Users\Stan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
    C:\Users\Stan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    HKU\S-1-5-21-264504616-1712485042-3538728262-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files (x86)\Internet Explorer\iexplore.exe
    HKU\S-1-5-21-264504616-1712485042-3538728262-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files (x86)\Internet Explorer\iexplore.exe
    
     
  2. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    Just a heads up: the fly-out appears when opening Adobe Dreamweaver.
     
  3. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    698
    Location:
    Europe
    Yesterday, I was infected by Metropolitan Police Ukash Virus.

    I ran HMP to detect this infection and I was completely shocked that HMP Pro didn't detect anything. I can tell you that the Metropolitan Police Ukash Virus is a very common infection, spread all over the world. :eek: :eek:

    If you type "Ukash virus" into Google, you will get 'About 371,000 results'.

    I doubt that HMP scanning detection is really reliable.
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Do you have a hash of that file in question?

    Offtopic: you are posting in the wrong thread. This thread is about HitmanPro.Alert.
     
  5. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    698
    Location:
    Europe
    Last night, I cleaned my laptop of this infection. So I no longer have the infected file to check its hash. Anyway, the infection was in the registry.

    Sorry if I posted here, Erikloman.
     
  6. mrtnptrs

    mrtnptrs Registered Member

    Joined:
    May 17, 2012
    Posts:
    25
    Location:
    The Netherlands
    When will you release the next beta?
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    There will be a release candidate at the end of next week. A lot has changed internally. Hope you'll like it.
     
  8. mrtnptrs

    mrtnptrs Registered Member

    Joined:
    May 17, 2012
    Posts:
    25
    Location:
    The Netherlands
    But where is the beta of the past week? Or do you skip that beta?

    Which changes can we expect in the RC?
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Not many visual changes. Most of the changes are internal. There will now be only one hmpalert.exe, plus an hmpalert.sys and an hmpalert.dll. CPU usage should be lower than in Beta 3b.
     
  10. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    565
    I get this sort of warning with Comodo Dragon and IE:
    ntdll.dll
    NlsAnsiCodePage CBDA7159

    It's the only red text in the HPA list.
     
  11. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    cnet2_revosetup_exe.exe
    HitmanPro says this is a malware infection. Google says it's the CNET downloader.
     
  12. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,398
    Location:
    Surrey, England.
  13. Barthez

    Barthez Registered Member

    Joined:
    Apr 28, 2010
    Posts:
    112
    Location:
    Poland
    It's a download wrapper.
    The people at Emsisoft created a knowledge base article about those; you can read it here: http://www.emsisoft.com/en/kb/articles/tec120224/
     
  14. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    Re: HitmanPro.Alert Support and Discussion Thread

    Thanks guys. Seems I managed to "not accept" the Babylon thing. Just got the Revo Uninstaller I wanted.

    Avira says nothing about this file being a possible threat.
     
  15. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    Coming soon?
     
  16. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,974
    Location:
    Parallel Universe
    I want to use HitmanPro.Alert. Where do I download it from? Also, will it work if my Firefox is sandboxed by Sandboxie?
     
  17. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,271
    Location:
    USA
  18. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,974
    Location:
    Parallel Universe
  19. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
    Yes :thumb:
     
  20. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,974
    Location:
    Parallel Universe
    Great. Thanks. :D
     
  21. mrtnptrs

    mrtnptrs Registered Member

    Joined:
    May 17, 2012
    Posts:
    25
    Location:
    The Netherlands
    And where's the RC Erik? :)
     
  22. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,850
    I think I will use this once it's out of beta, but will it prevent the browser from being compromised, or only alert you that it has been compromised?
     
  23. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,850
    Decided to give it a spin again. As soon as I launched Chrome, I got an alert:


    USER32.dll
    SetWinEventHook 002401F8
    SetWindowsHookExA 00240600
    SetWindowsHookExW 00240804
    UnhookWinEvent 002403FC
    UnhookWindowsHookEx 00240A08

    ntdll.dll
    LdrLoadDll 001801F8
    LdrUnloadDll 001803FC
    NtAllocateVirtualMemory 00180600
    NtCreateSection 00180E10
    NtFreeVirtualMemory 00180804
    NtProtectVirtualMemory 00180A08
    NtTerminateProcess 00180C0C
    ZwAllocateVirtualMemory 00180600
    ZwCreateSection 00180E10
    ZwFreeVirtualMemory 00180804
    ZwProtectVirtualMemory 00180A08
    ZwTerminateProcess 00180C0C

    Legitimate or not?

    EDIT: Removed again. ntdll.dll was 0/43 on VT. I reinstalled Chrome and it still gave an alert. :thumbd:
     
    Last edited: Aug 13, 2012
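One way to read an alert like the one above, as an added example that is neither HitmanPro's nor the poster's code: it parses the module/function/address lines, groups names that share a hook address (ntdll's Nt* and Zw* exports are the same user-mode stub, so each pair is really one hook, leaving 7 distinct ntdll targets rather than 12), and checks whether the targets sit at a fixed spacing, which they do here (0x204 apart in both modules). Treating that uniform spacing as the sign of a single hooking component's stub table is an assumption of this example, not something the thread states.

```python
# Added example (not HitmanPro's code). SAMPLE_ALERT is the listing quoted above; reading a uniform stride as one stub table is an assumption.
import re
from collections import defaultdict

SAMPLE_ALERT = """USER32.dll
SetWinEventHook 002401F8
SetWindowsHookExA 00240600
SetWindowsHookExW 00240804
UnhookWinEvent 002403FC
UnhookWindowsHookEx 00240A08

ntdll.dll
LdrLoadDll 001801F8
LdrUnloadDll 001803FC
NtAllocateVirtualMemory 00180600
NtCreateSection 00180E10
NtFreeVirtualMemory 00180804
NtProtectVirtualMemory 00180A08
NtTerminateProcess 00180C0C
ZwAllocateVirtualMemory 00180600
ZwCreateSection 00180E10
ZwFreeVirtualMemory 00180804
ZwProtectVirtualMemory 00180A08
ZwTerminateProcess 00180C0C
"""

HOOK_LINE = re.compile(r"^(\w+)\s+([0-9A-Fa-f]{8})$")  # "<export> <hex address>"

def parse_alert(text):
    """Return {module: {function: address}} from the alert's text."""
    hooks, module = defaultdict(dict), None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower().endswith(".dll"):          # module header line
            module = line
        elif module and (m := HOOK_LINE.match(line)):
            hooks[module][m.group(1)] = int(m.group(2), 16)
    return dict(hooks)

def distinct_targets(hooks, module):
    """Names grouped by hook address; Nt*/Zw* pairs collapse to one entry."""
    by_addr = defaultdict(list)
    for func, addr in hooks[module].items():
        by_addr[addr].append(func)
    return {a: sorted(f) for a, f in sorted(by_addr.items())}

def common_stride(hooks, module):
    """Gap between consecutive distinct targets, or None if it is not uniform."""
    addrs = sorted(set(hooks[module].values()))
    gaps = {b - a for a, b in zip(addrs, addrs[1:])}
    return gaps.pop() if len(gaps) == 1 else None
```

Grouping by address is the quick way to see how many hooks an alert really reports before deciding whether the list matches the security tools you know are installed.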
  24. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,875
    This FP needs to be whitelisted. ;)

    ScreenShot_HMP_CrystalHomeSecurity_detection_01.jpg
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    It is still Beta. We are aware of some incompatibilities which will be fixed in the next release. Hope you will give the next build another run.
     