LabTech Plugin: Hitman Helper
Posted on December 19, 2014
I’ve created a plugin to help with malware detection and removal without interrupting the user. Upon installing the script, the needed SQL tables and permissions should get set, so only the DLL is included. The plugin allows you to:
– Run a free HMP scan (no licensing needed)
– View the current and past results
– Delete files/registry entries that are found
– Whitelist items so that other techs know not to delete those items
– Run a TDSSKiller rootkit check
Download and install using our plugin installer!
Version 1.3 changes
– Fixed a permission issue that prevented some users from using the plugin.
– Cleaned up record loading so the tab loads more quickly.
Version 1.2 changes
– Corrected an issue that prevented systems from getting scanned because the wrong 32-bit/64-bit version of HMP was downloaded.
– Corrected an issue where TDSSKiller scans sometimes didn’t complete properly.
Download of http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe fails.
I get the following error when trying to see the results from a Hitman scan on a machine:
There was an error loading that result.
There is an unclosed literal string. Line 1, position 65536.
Contents of logfile:
Morten, can you copy the results of %windir%\ltsvc\packages\hitmanpro\%computername%.xml to pastebin.com or a similar site? I’d like to see what is failing. Odds are the log file is just too large to be read, but I’m not sure. I’d like to do some testing and find a fix for it.
Also, I just re-tested the TDSSKiller scan and it’s working fine here. I tested on multiple machines on separate networks. Is there some firewall or something in place that would prevent downloading this file?
Thanks!
This is awesome however I can’t see the results 🙁
Patrick,
Are you running the scan from the Hitman Helper tab? Are you getting any kind of error? After the scan runs, do you see the date in the drop down list in the top-left?
Thanks,
Tim
Yes, I do see the date, just no data =( Everything looks like it runs. I can copy the log here:
No license C:\ProgramData\HitmanPro\HitmanPro.lic
No license C:\ProgramData\HitmanPro\HitmanPro.lic
No license C:\ProgramData\HitmanPro\HitmanPro.lic
No license C:\ProgramData\HitmanPro\HitmanPro.lic
No license C:\ProgramData\HitmanPro\HitmanPro.lic
No license C:\ProgramData\HitmanPro\HitmanPro.lic
No license C:\ProgramData\HitmanPro\HitmanPro.lic
\\.\C: MaximumTransferLength: 128KB
Driver started
DriveAccessUseScsiPassThrough
C: -> SRB
### $MFT consists of 1 fragment(s)
C: = \Device\HarddiskVolume1
D: = \Device\CdRom0
C: = SRB
DriverObject: FFFFE001CFADC060
DriverName : \Driver\storahci
DriverPath : \SystemRoot\System32\drivers\storahci.sys
StartIo : 0000000000000000 +0
IRP_MJ_SCSI : FFFFF8017B32C3C0 \SystemRoot\System32\drivers\storport.sys+9152
\\.\C: MaximumTransferLength: 128KB
C: -> FsdHigh
### $MFT consists of 1 fragment(s)
Waiting for enumerating threads…
SecurityCenterThread started…
EnumFiles=busy:9776 EnumProcesses=busy:6040 EnumRegistry=busy:1712
@@@ crypserv.exe
ServicesEnumerator completed (0.099 sec)
\\.\C: MaximumTransferLength: 128KB
C: -> SRB
### $MFT consists of 1 fragment(s)
\\.\C: MaximumTransferLength: 128KB
C: -> FsdLow
### $MFT consists of 1 fragment(s)
\\.\C: MaximumTransferLength: 128KB
C: -> SRB
### $MFT consists of 1 fragment(s)
MBR @ 0 = a26dd554
\\.\C: MaximumTransferLength: 128KB
C: -> SRB
### $MFT consists of 1 fragment(s)
\\.\C: MaximumTransferLength: 128KB
C: -> FsdLow
### $MFT consists of 1 fragment(s)
Webroot SecureAnywhere = 1
Windows Defender = 1
Webroot SecureAnywhere = 1
Windows Defender = 1
@@@ \\LTSERVER\LtShare\LTNoc\LtNoc.exe
@@@ \\LTSERVER\LtShare\LTNoc\cam1 (Aston).exe
ProcessEnumerator completed (1.637 sec)
NetworkEnumerator completed (0.010 sec)
WindowEnumerator completed (0.000 sec)
EnumerateProcessesThread 6040 ends
AutoStartEnumerator completed (1.790 sec)
PolicyEnumerator completed (0.000 sec)
DirectoryIndex 97111 is corrupt (index overflow I)
UninstallEnumerator completed (0.377 sec)
EnumerateRegistryThread 1712 ends
DirectoryIndex 160299 is corrupt (index overflow I)
DirectoryIndex 214263 is corrupt (index overflow I)
DirectoryIndex 214719 is corrupt (index overflow I)
DirectoryIndex 192009 is corrupt (index overflow I)
DirectoryIndex 364392 is corrupt (index overflow I)
DirectoryIndex 77461 is corrupt (index overflow I)
DirectoryIndex 77459 is corrupt (index overflow I)
FilesEnumerator completed (3.431 sec)
FileClassifier running…
InternetCacheEnumerator completed (0.011 sec)
EnumerateFilesThread 9776 ends
Enumerating threads completed > start FuzzyClassifier
File=busy Auth=idle Fuzzy=idle Hash=busy Cloud=idle
AuthenticodeClassifier started
FuzzyClassifier started
File=busy Auth=idle Fuzzy=busy Hash=busy Cloud=idle
Lookup: stellarinfo.com.multi.surbl.org
Lookup: mozilla.org.multi.surbl.org
Lookup: videolan.org.multi.surbl.org
Lookup: intuit.com.multi.surbl.org
Lookup: quickbooks.com.multi.surbl.org
File=busy Auth=idle Fuzzy=busy Hash=busy Cloud=idle
File=busy Auth=idle Fuzzy=busy Hash=idle Cloud=idle
File=busy Auth=idle Fuzzy=busy Hash=idle Cloud=idle
File=busy Auth=idle Fuzzy=idle Hash=busy Cloud=idle
File=busy Auth=busy Fuzzy=idle Hash=busy Cloud=idle
Lookup: sourceforge.net.multi.surbl.org
Lookup: org.uk.multi.surbl.org
Lookup: notepad-plus-plus.org.multi.surbl.org
Lookup: infognition.com.multi.surbl.org
File=busy Auth=idle Fuzzy=idle Hash=busy Cloud=idle
> 1221ms : C:\Users\Eric\AppData\Local\LogMeIn Rescue\update\LMIRTechConsole.exe
File=busy Auth=idle Fuzzy=idle Hash=busy Cloud=idle
File=busy Auth=idle Fuzzy=idle Hash=busy Cloud=idle
File=busy Auth=busy Fuzzy=idle Hash=busy Cloud=idle
File too large upload
C:\Users\evan\Downloads\tc70147900j.exe
File=busy Auth=busy Fuzzy=idle Hash=busy Cloud=idle
File too large upload
C:\Users\Patrick\Downloads\nmap-7.12-setup.exe
File=busy Auth=idle Fuzzy=idle Hash=busy Cloud=idle
File=busy Auth=idle Fuzzy=idle Hash=busy Cloud=idle
File=busy Auth=idle Fuzzy=idle Hash=busy Cloud=idle
Reparse points: 183
Waiting for lookup thread to finish…
Lookup: cacetech.com.multi.surbl.org
Lookup: winpcap.org.multi.surbl.org
File=idle Auth=idle Fuzzy=idle Hash=idle Cloud=idle
FileClassifier finished (12164 processed out of 12073 files)
AuthenticodeClassifier finished
FuzzyClassifier finished
HashClassifier finished
CloudClassifier finished
No license C:\ProgramData\HitmanPro\HitmanPro.lic
No license C:\ProgramData\HitmanPro\HitmanPro.lic
PipeServer stopped (1).
No license C:\ProgramData\HitmanPro\HitmanPro.lic
Patrick,
The only results shown will be those of threats that Hitman Pro has found. I can’t see the entire log file, so I can’t tell, but are any of the items found in that log file actual malware?
Thanks!
Tim
From what I can tell, just cookies, no actual viruses. So does it only display if actual viruses were found, like a trojan, or does it display spyware or adware as well?
Patrick,
It will ignore cookies and PUPs. Everything else will show up.
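Two points come up in this thread: a results file that the plugin cannot parse ("unclosed literal string" at position 65536, which Tim suspects is the file being too large to read in full) and the rule that cookies and PUPs are hidden from the tab. The following is an added example, not the plugin's own code, showing both checks over a constructed result document; the Scan/Item schema, the attribute names and the sample paths are assumptions, not HitmanPro's real format.

```python
import xml.etree.ElementTree as ET

BOUNDARY = 65536             # the position reported by the plugin's parse error (64 KiB)
IGNORED = {"cookie", "pup"}  # the only categories the results tab leaves out


def load_results(xml_text):
    """Parse a scan result document and return (items, error).

    Schema assumed here: <Scan> containing <Item type="..." path="..."/>.
    On a parse failure the message notes when the text length is an exact
    multiple of 64 KiB, which is what a result file cut off by a fixed-size
    read buffer or a capped text column looks like (assumed cause)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        line, col = exc.position
        hint = ""
        if len(xml_text) % BOUNDARY == 0:
            hint = " (length is a multiple of 64 KiB: likely truncated on read)"
        return [], "malformed XML at line %d, position %d%s" % (line, col, hint)
    items = [dict(el.attrib) for el in root.iter("Item")]
    return items, None


def visible_items(items):
    """Drop cookies and PUPs; everything else is shown, as the thread states."""
    return [i for i in items if i.get("type", "").lower() not in IGNORED]


# Constructed sample: a well-formed result with four findings.
SAMPLE_XML = """<Scan>
<Item type="trojan" path="C:\\Users\\demo\\Downloads\\sample.exe"/>
<Item type="cookie" path="C:\\Users\\demo\\AppData\\Roaming\\cookie.txt"/>
<Item type="pup" path="C:\\Program Files\\Toolbar\\tb.exe"/>
<Item type="adware" path="C:\\Users\\demo\\AppData\\Local\\ad.dll"/>
</Scan>"""

# Constructed sample: a large result cut off exactly at the 64 KiB boundary.
_big = "<Scan>" + ('<Item type="cookie" path="C:\\c.txt"/>\n' * 3000) + "</Scan>"
TRUNCATED_XML = _big[:BOUNDARY]

if __name__ == "__main__":
    items, err = load_results(SAMPLE_XML)
    print(err or [i["path"] for i in visible_items(items)])
    print(load_results(TRUNCATED_XML)[1])
```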
Awesome thanks for the quick responses