
Hitman Pro Paid Ver.. Find/Issue



#1 4B11TMR

Posted 28 June 2016 - 06:57 AM

Hey guys, just had a question. Woke up this morning and started the computer up. Hitman Pro was doing a scan [love this program] and it found a file, WAX175B.Tmp, labeled as a Remnant, so I chose to remove it. It wanted a reboot, so I did. Upon reboot it loaded like the computer was brand new, with no apps, no saved programs or anything, just like a fresh new computer would look. This would be the 2nd time this has done it to me. The first time it caught a file called StateRepository-machine.srd-shm, also labeled as a Remnant. Both times it loaded like a new computer, so after both reloads I just did a reboot and the computer went back to normal as if nothing happened. Did a Google search and it comes up with nothing, odd to me.

 

 

This is the note from Hitman Pro.

 

WAX175B.Tmp - 

 

HitmanPro 3.7.14.265
www.hitmanpro.com
 
   Computer name . . . . : 4B11-PC
   Windows . . . . . . . : 10.0.0.10586.X64/8
   User name . . . . . . : 4B11-PC\4B11
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Paid (190 days left)
 
   Scan date . . . . . . : 2016-06-26 05:33:27
   Scan mode . . . . . . : Quick
   Scan duration . . . . : 3m 45s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : Yes
 
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 2
 
   Objects scanned . . . : 4,590
   Files scanned . . . . : 4,590
   Remnants scanned  . . : 0 files / 0 keys
 
Suspicious files ____________________________________________________________
 
   C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WAX175B.tmp -> PendingDelete
      Size . . . . . . . : 1,798,144 bytes
      Age  . . . . . . . : -0.0 days (2016-06-26 05:33:24)
      Entropy  . . . . . : 3.0
      SHA-256  . . . . . : 6DA45CF39FC4CAC9EC913F1B3B8DFD94EE40C45736DA0A44D83266192F447611
      Fuzzy  . . . . . . : 22.0
         Time indicates that the file appeared recently on this computer.
         The file name extension of this program is not common.
         Program is running but currently exposes no human-computer interface (GUI).
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         The file is in use by one or more active processes.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
 
Hope this helps, I try and take every precaution but you know how that goes sometimes 



 


#2 boopme


Posted 28 June 2016 - 12:45 PM

When you see the file again leave it and get a second opinion, submit it to one of the following online services that analyze suspicious files:

In the "File to Scan" (Upload or Submit) box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 radicalenzyme


Posted 28 June 2016 - 07:23 PM

I got something similar: Hitman found "WAX6E79.tmp" (also in the same folder as you) on startup. Anyone know what these wax.tmp files are? I have the free version of Hitman Pro so I could not delete from there, and it appears to have disappeared; it's no longer in the folder, and scanning with Avast and MBAM came up with nothing. I'm very surprised, since I just did a clean W10 install on this PC and use the host only for Steam and a few secure websites like YT and Twitter; everything else I do on a VM running Ubuntu. Considering all this, and that I have not installed anything new the last couple of days, I am just confused and was wondering if anyone knows anything.

 

Please help


Edited by radicalenzyme, 28 June 2016 - 07:29 PM.


#4 4B11TMR


Posted 28 June 2016 - 08:05 PM

When you see the file again leave it and get a second opinion, submit it to one of the following online services that analyze suspicious files:

In the "File to Scan" (Upload or Submit) box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.

 

Awesome, thanks, I'll do that.



#5 4B11TMR


Posted 28 June 2016 - 09:00 PM

I got something similar: Hitman found "WAX6E79.tmp" (also in the same folder as you) on startup. Anyone know what these wax.tmp files are? I have the free version of Hitman Pro so I could not delete from there, and it appears to have disappeared; it's no longer in the folder, and scanning with Avast and MBAM came up with nothing. I'm very surprised, since I just did a clean W10 install on this PC and use the host only for Steam and a few secure websites like YT and Twitter; everything else I do on a VM running Ubuntu. Considering all this, and that I have not installed anything new the last couple of days, I am just confused and was wondering if anyone knows anything.

 

Please help

Try what Boo said, see if you can find out what these files mean and give an update. I removed mine so I have no way to find out as well.



#6 4B11TMR


Posted 30 June 2016 - 07:08 AM

Found another file and did the scans and everything came back as OK. Should be safe to delete?
I do have the Anti-RansomWare Beta version installed, but I have had this installed for some time now, so why all of a sudden would it find it suspicious?
 
 
 
 
Name farflt.sys
Location C:\WINDOWS\system32\drivers
Size 58.4 KB
Time 68.0 days ago (2016-04-23 06:43:46)
Entropy 5.9
Product Anti-RansomWare SDK
Publisher Malwarebytes
Description Anti-RansomWare SDK
Version 3.0.0.164
Copyright © Malwarebytes. All rights reserved.
Service farflt
LanguageID 1033
SHA-256 4C13625635A08FA0DCB7447A27E943F2F6D89CDFC621C8132A6F36B4A581DB6A
 
Scoring (45.0)
The file is hidden from Windows API. This is typical for malware.
The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
Starts automatically as a service during system bootup.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
 
Startup
HKLM\SYSTEM\CurrentControlSet\Services\farflt\
 
 
HitmanPro 3.7.14.265
www.hitmanpro.com
 
   Computer name . . . . : 4B11-PC
   Windows . . . . . . . : 10.0.0.10586.X64/8
   User name . . . . . . : 4B11-PC\4B11
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Paid (186 days left)
 
   Scan date . . . . . . : 2016-06-30 05:36:35
   Scan mode . . . . . . : Quick
   Scan duration . . . . : 8m 4s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 2
 
   Objects scanned . . . : 4,732
   Files scanned . . . . : 4,732
   Remnants scanned  . . : 0 files / 0 keys
 
Suspicious files ____________________________________________________________
 
   C:\WINDOWS\system32\drivers\farflt.sys
      Size . . . . . . . : 59,776 bytes
      Age  . . . . . . . : 68.0 days (2016-04-23 06:43:46)
      Entropy  . . . . . : 5.9
      SHA-256  . . . . . : 4C13625635A08FA0DCB7447A27E943F2F6D89CDFC621C8132A6F36B4A581DB6A
      Product  . . . . . : Anti-RansomWare SDK
      Publisher  . . . . : Malwarebytes
      Description  . . . : Anti-RansomWare SDK
      Version  . . . . . : 3.0.0.164
      Copyright  . . . . : © Malwarebytes. All rights reserved.
      Service  . . . . . : farflt
      LanguageID . . . . : 1033
      Fuzzy  . . . . . . : 45.0
         The file is hidden from Windows API. This is typical for malware.
         The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
         Starts automatically as a service during system bootup.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
      Startup
         HKLM\SYSTEM\CurrentControlSet\Services\farflt\
 
 
 


#7 boopme


Posted 01 July 2016 - 09:38 AM

Not sure why HitMan has not updated their database but the files are safe.

#8 4B11TMR


Posted 01 July 2016 - 05:13 PM

Not sure why HitMan has not updated their database but the files are safe.

That's what I was thinking, got another one today.

 

Getting a little upset now TBTH

 

They all show safe with no issues 

 

 

HitmanPro 3.7.14.265
www.hitmanpro.com
 
   Computer name . . . . : 4B11-PC
   Windows . . . . . . . : 10.0.0.10586.X64/8
   User name . . . . . . : 4B11-PC\4B11
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Paid (185 days left)
 
   Scan date . . . . . . : 2016-07-01 15:51:38
   Scan mode . . . . . . : Quick
   Scan duration . . . . : 4m 22s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 2
 
   Objects scanned . . . : 4,676
   Files scanned . . . . : 4,676
   Remnants scanned  . . : 0 files / 0 keys
 
Suspicious files ____________________________________________________________
 
   C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
      Size . . . . . . . : 217,328 bytes
      Age  . . . . . . . : 315.9 days (2015-08-20 17:30:41)
      Entropy  . . . . . : 6.6
      SHA-256  . . . . . : 8DD7FEA79A96FD68A88C80770DBF0DF35A61BCA3CBB0FDD2257C7C0B47829F6D
      Product  . . . . . : Swissarmy SDK
      Publisher  . . . . : Malwarebytes
      Description  . . . : Swissarmy SDK
      Version  . . . . . : 4.1.0.51
      Copyright  . . . . : © Malwarebytes. All rights reserved.
      Service  . . . . . : MBAMSwissArmy
      LanguageID . . . . : 1033
      Fuzzy  . . . . . . : 47.0
         The file is hidden from Windows API. This is typical for malware.
         The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
         Starts automatically as a service during system bootup.
         Program starts automatically without user intervention.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
      Startup
         HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\

Edited by 4B11TMR, 01 July 2016 - 05:17 PM.
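
An added example (not part of any post, and not HitmanPro's own tooling): a small Python parser for the log layout pasted in this thread. It pulls each flagged file's SHA-256, Fuzzy score and reported Publisher, so the "second opinion" can be a lookup by hash when the file is in use, pending deletion or already removed. The function names and the rule that section headers end in underscores are assumptions; the Publisher value is only what the log reports and is not a signature check.

```python
import re

# Two entries abridged from the logs posted in this thread (posts #8 and #1).
SAMPLE_LOG = r"""
Suspicious files ____________________________________________________________

   C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
      SHA-256  . . . . . : 8DD7FEA79A96FD68A88C80770DBF0DF35A61BCA3CBB0FDD2257C7C0B47829F6D
      Publisher  . . . . : Malwarebytes
      Fuzzy  . . . . . . : 47.0
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
      Startup
         HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\

   C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WAX175B.tmp -> PendingDelete
      SHA-256  . . . . . : 6DA45CF39FC4CAC9EC913F1B3B8DFD94EE40C45736DA0A44D83266192F447611
      Fuzzy  . . . . . . : 22.0
         Time indicates that the file appeared recently on this computer.
"""

FIELD = re.compile(r"^\s+([A-Za-z0-9-]+)\s+(?:\. ?)+: (.*)$")   # "Name . . . : value"
PATH = re.compile(r"^\s*([A-Za-z]:\\.+?)(?: -> (\w+))?\s*$")    # "C:\... [-> Action]"

def parse_suspicious(log_text):
    """Return one dict per file listed under the 'Suspicious files' header."""
    entries, cur, in_section, in_startup = [], None, False, False
    for line in log_text.replace("\xa0", " ").splitlines():  # forum copies carry NBSPs
        if line.rstrip().endswith("____"):        # assumption: headers end in underscores
            in_section, cur = line.startswith("Suspicious files"), None
        elif in_section and (m := PATH.match(line)):
            cur = {"path": m[1], "action": m[2], "fields": {}, "reasons": [], "startup": []}
            entries.append(cur)
            in_startup = False
        elif cur is None or not line.strip():
            continue
        elif (f := FIELD.match(line)):
            cur["fields"][f[1]] = f[2].strip()
        elif line.strip() == "Startup":
            in_startup = True
        else:                                     # heuristic note or startup location
            cur["startup" if in_startup else "reasons"].append(line.strip())
    return entries

def lookup_rows(entries):
    """(file name, SHA-256, fuzzy score, publisher or None) for a search by hash."""
    return [(e["path"].rsplit("\\", 1)[-1], e["fields"].get("SHA-256"),
             float(e["fields"].get("Fuzzy", 0)), e["fields"].get("Publisher"))
            for e in entries]
```

Calling `lookup_rows(parse_suspicious(SAMPLE_LOG))` gives one row per flagged file; a row with no Publisher, such as the temp file, is one to look up before deciding to delete.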




