HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    On at the sime time as me :)

    I'm running XP/SP2 32 Bit FAT32 with NO updates & FFv3.6.14

    Well i disabled everything & let it do whatever it wanted to try & do. I have a number of services disabled & things like wscript etc, if that makes Any difference ?

    No flyout occurred !
     
  2. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    You can verify infection by running a scan with GMER (only check Sections and click on Scan):
    GMER.png
    See that Tinba infects every process, also Firefox.

    But if you don't see a flyout then Alert is not triggering on the browser. Can you create a folder called C:\Log\ . Then reinstall HitmanPro.Alert en start the Firefox browser. Can you send me the log that is created in that folder?
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ erikloman

    Hi, i've only recently returned home since this mornings post. I ran the nasty again, but this time didn't see winver.exe running in Process Explorer ? Visted HSBC bank with Cookies /Scripting enabled & typed in fake data on the login page.

    Ran GMER, please att. LOG with personel data REMOVED. View attachment gmer.log

    Uninstalled & then Reinstalled HPA & created Log folder.

    HPA C:\Log\ also Att. View attachment mitb.log

    Just to let you know, i always see the Flyout on launching FF, but no alerts afterwards. I launch FF before i run the nasty, if that makes Any difference ?

    TIA
     
  4. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    If I read the log correctly you're running Zemana and Prevx SOL at the same time as HMP.Ao_O If so, that's the MITB equivalent of running three realtime AVs. Have you tried uninstalling (rather than just disabling) Zemana and Prevx SOL?
     
  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I've sent you a PM with a more recent build for you to see if the problems disappear.
     
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Zemana and Prevx SOL Spyshelter are great against Key Loggers, Screen Grabbers, Clipboard Stealers and MITM attacks but they both do not do MITB.

    EDIT: Prevx SOL does have MITB detection.
     
    Last edited: Jun 12, 2012
  7. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    That's not correct Erik. They both have anti-ssl components which monitor for hooking of the relevant browser components by the likes of Zeus, Spyeye, Carberp et al.
     
  8. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I stand corrected. Prevx SOL does have MITB detection :oops: . It is an excellent product.

    I meant to say Zemana and Spyshelter as we have been testing these recently. I will adjust the original post so that search engines will pickup the correction.

    One note though, while confirming Prevx SOL does have MITB detection, I found out that it does not seem to detect the ZeroAcesss (aka Sirefef) MITB attack. ZeroAccess uses a neat DLL substitution trick (ie. no API hooks) that works on both 32 and 64-bit. HitmanPro.Alert Beta 2 does not detect this either but Beta 3 does (some of you already have this version). I will release it to the public this week.
     
    Last edited: Jun 12, 2012
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Hi, actually it's not the same, although i know what you mean, as i noted that niether /PrevxWebroot or HMP have stated Any incompatabilities between them, so far anyway !

    Good & not good !

    :thumb:

    My earlier test with the Tinba nasty, highlighted an "issue" with Beta 2 HitmanPro.Alert Beta 3 TEST V Now installed, which i'll be retesting it with various things shortly ;)
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ erikloman

    Very high CPU usage with this V !

    cpu.gif

    It pulses between 0.01 to 45 every half a second or so, averaging about 30 !
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Its a test build.
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Yeah i know, but still :p
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I know :) Must address it before release ;)
     
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I have every confidence that you will :)
     
  16. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Where can I find the log? I recently had something that popped up and said that my browser was compromised. I did a scan and found nothing. I wanted to upload it to the development.
     
  17. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    You can copy/past the Details in an email.
    But you can also create a folder called C:\Log\ . there a log file will be created.
     
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,910
    Location:
    Outer space
    Zemana's SSL logger protection module and Spyshelters AntiNetworkSpy module should both be able to block MitB attacks afaik, perhaps they need to update their modules to block the latest techniques? Did you test WSA Identity Shield as well? Prevx SOL is not being developed anymore.
     
    Last edited: Jun 13, 2012
  19. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,781
    Same symptoms in Beta2 on XP/SP3 - multiple /flyout processes and flyout still disappears after briefly showing itself.

    Al
     
  20. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    View attachment 233301

    Just registered to post the log with lots of
    OpenProcess xxxx failed with error 5

    Running Win 7 x64

    Need more info let me know.
     
    Last edited: Jun 17, 2012
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ erikloman

    Are you planning to build in termination protection ? = :thumb:
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes ;)
     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ erikloman

    Good :thumb:
     
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Thanks. I will have a look at it.
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert Beta 3a Released

    Changelog
    • Added support for 64-bit browsers (like Waterfox, Opera 12, etc.).
      Support for 64-bit Windows was already in previous beta's.
    • Added detection of DLL substitution.
      ZeroAccess/Sirefef malware uses this technique to advertise its own malicious DLL as mswsock.dll so that other components bind up to the malicious DLL. This technique doesn't use API hooks.
    • Improved CPU load of scanner.
    • Added preliminary Dutch strings. More complete translations will be present in the next release.
    • Added colors to the details: red marks possible malicious entries that triggered the alert.
    • Changed the color of the Flyout to green.
    • Fixed a problem in the updater.
    • Several other improvements related to the GUI.
    • Solved a false positive (Beta3a)

    There is a bug in Beta 2 which prevents it from automatically updating to Beta 3 :oops:
    So please uninstall existing Beta versions before installing Beta 3.

    32-bit: http://dl.surfright.nl/beta/hmpalert.exe
    64-bit: http://dl.surfright.nl/beta/hmpalert_x64.exe

    Please let me know how this version runs. Any problems like lingering hmpalert.exe processes or excessive CPU load > 3% .
     
    Last edited: Jun 15, 2012
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.