HitmanPro

From aldeid
Jump to: navigation, search

Description

HitmanPro is a malware detection application developped by Surfright. HitmanPro is described as a second opinion scanner, designed to rescue your computer from malware (viruses, trojans, rootkits, etc.) that have infected your computer despite all the security measures you have taken (such as anti virus software, firewalls, etc.).

Three excellent characteristics you may appreciate:

  • it does not need to be installed (can be run as a standalone executable);
  • it supports the command line (CLI);
  • it is fast.

Download

Both 32bit and 64bit architectures are supported. To download the 32bit version, follow this link: http://get.hitmanpro.com/

Usage

GUI

Hitman-01.png Hitman-02.png

Hitman-03.png Hitman-04.png

CLI

Syntax

Usage: hitmanpro.exe [options] <file or folder>

Options

/scan
Immediately initiates a scan of the computer and the program will be visible to the user. The EULA is automatically accepted.
/quiet
Implies /scan but immediately initiates a silent scan of the computer. HitmanPro will be visible only in the system tray and a notification balloon is displayed, notifying the user his computer is scanned for malware. :When infections are found, the program will pop up for interaction with the user. The EULA is automatically accepted.
/scanonly
Immediately initiates a silent scan of the computer. HitmanPro will be visible only in the system tray. Does not show a notification balloon. Program will not be installed on the local computer (implies /noinstall). The EULA is automatically accepted.
/quick
This scan is faster than the regular scan and will only scan load point locations and in memory objects. You typically use the quick scan when you just want to check whether malware is active on the computer.
/log=<file or folder>
This will instruct HitmanPro to scan a system silently and export the results to an xml log file to the specified log file folder (typically a network location). No dialogs are displayed to the user.
Examples:
  • HitmanPro36.exe /scanonly /log="Z:\%USERNAME%.xml"
  • HitmanPro36.exe /scanonly /log="Z:\%COMPUTERNAME%.xml"
  • HitmanPro36.exe /scanonly /log="\\Server\Share\Logs\"
When specifying a folder as logfile it must end with a \
When logging to a folder, the file name is constructed using the computer name and a date/time stamp, example: WORKSTATION14_20100428114347.xml
/ews
Initiate a scan of the computer with Early Warning Scoring enabled. The results xml will now also contain files that are highly suspicious but are yet unknown to Hotman's Scan Cloud.
/noupload
HitmanPro only uploads unknown but suspicious files to the Scan Cloud for virus scanning by Hitman's Malware Analysis systems and their AV partners. If you do not wish to upload any files to the Scan Cloud (because of privacy issues or government policies) you can specify this command-line option.
Note: The /noupload option will cripple the detection of unique, zero-day or early-life malware.
/noupdate
Disable automatic update of the HitmanPro program.
/noinstall
Disable copying of the HitmanPro program to the local computer. Disables creation of shortcuts on the local computer.
/nostartboot
Disables the installation of the scan at startup component on the local computer.
/nostartmenushortcut
Disables the creation of the Start menu folder and shortcuts.
/nodesktopshortcut
Disables the creation of the shortcut to the HitmanPro program on the desktop.
/noremnants
Overrides and skips the scanning and detection of remnant malware objects. Remnants are files and registry objects that once belonged to a malware infection, but this malware is no longer active on the system.
/nocookies
Overrides and skips the scanning and detection of tracking cookies.
/lic=<product key>
Automatically activate HitmanPro for the user with the supplied product key.
/clean
Automatically quarantine verified malicious files. Implies /scan and /noupdate. If /lic= is not specified it will automatically activate a trial or an embedded license (when allowed and applicable).
/fb
Starts HitmanPro in Force Breach mode, which will terminate all non-essential processes – including malware that stops other programs from starting).
/renew
Reactivate the existing license to update e.g. the license duration after your Enterprise or Incident license has been extended.
/sr=<file>
For experts only! Replaces the first 2 bytes of a file on the disk with SR. This will render a PE file useless.
Example: HitmanPro36.exe /sr=C:\Windows\driver\malw.sys
Note: This is a raw write and should only be used on malware files.

Example

Given following architecture (botth machines are running Windows XP SP3):

  _____________           _____________
 /             \         /             \
| 192.168.56.2  | <---> | 192.168.56.3  |
 \_____________/         \_____________/
 infected machine             psexec

The following command is used from 192.168.56.3 to remotely scan the suspected machine with HitmanPro:

C:\PSTools>PsExec.exe \\192.168.56.2 -u unknown -c hitmanpro.exe /scanonly /log="c:\%COMPUTERNAME%.xml"

After a short while, the scan is finished and following file is generated on the infected machine:

- <Log computer="UNKNOWN-C39FEA7" windows="5.1.3.2600.X86/1" scan="Normal" version="3.7.6.201" date="2013-07-02T10:49:24" timeSpentInSecs="23" filesProcessed="5877">
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Application Data\Mozilla\Firefox\Profiles\xh6ie9cg.default\cookies.sqlite:atdmt.com" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Application Data\Mozilla\Firefox\Profiles\xh6ie9cg.default\cookies.sqlite:c1.atdmt.com" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Application Data\Mozilla\Firefox\Profiles\xh6ie9cg.default\cookies.sqlite:oracle.112.2o7.net" /> 
  </Item>
- <Item type="Malware" malwareName="Trojan" score="103.0" status="None">
- <Scanners>
  <Scanner id="Ikarus" name="Trojan-PWS.Win32.Zbot!IK" /> 
  </Scanners>
  <File path="C:\Documents and Settings\unknown\Bureau\1fa8159447d1629e2e703a9136403100-opomu.exe" hash="FC40BCDC2B5CE4B84C93CF01048F0715910AD25470D8F2799E3B85FB1A2BF264" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Cookies\[email protected][2].txt" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Cookies\[email protected][1].txt" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Cookies\[email protected][1].txt" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Cookies\[email protected][2].txt" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Cookies\[email protected][1].txt" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Cookies\[email protected][2].txt" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Cookies\[email protected][1].txt" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Cookies\[email protected][1].txt" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ad.yieldmanager.com" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:atdmt.com" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:c1.atdmt.com" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:doubleclick.net" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:invitemedia.com" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:microsoftsto.112.2o7.net" /> 
  </Item>
- <Item type="Cookie" score="0.0" status="None">
  <File path="C:\Documents and Settings\unknown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:oracle.112.2o7.net" /> 
  </Item>
  </Log>

Comments

blog comments powered by Disqus