In the 1st part of our workshop “HitmanPro.Kickstart” we have created a bootable USB flash-drive, which we will use to scan and clean a PC in this part of the workshop.
It´s important that the BIOS supports booting from USB devices, you will probably have to go to your BIOS settings and change the boot order, so that USB devices are checked before the CD-ROM and harddrives in your PC. Otherwise the PC will not boot from the attached USB flash-drive but from its internal harddisk.
The PC is booting from the USB flash-drive, showing HitmanPros boot options. You can choose to bypass the Master Boot Record, using HitmanPros boot code or to process the regular boot sequence, which can be necessary if you have any alternative Boot-Loader like GRUB installed on your PC. Thereafter Windows boots up as normal and you have the opportunity to enter the Windows Start menu, in case you need to start Windows in safe mode (with network support as HitmanPro requires access to its cloud-based database).
On one of our PC´s it was necessary to leave the BIOS settings untouched, so that the hard-drive would be the first in the boot sequence. Then we had to hit F12 at bootup-time to get to a Boot-Menu, where we could choose the USB flash-drive for just this startup, otherwise the PC just would boot to a black screen. Watch the screen at the startup time for brief messages, play with the settings until the machine will start.
The computer will now boot until it asks for your user login credentials, or just up to the desktop if your system is configured to logon automatically, and HitmanPro will start after a short break. In case that Malware is already started at this time, HitmanPro will try to end all processes of unwanted software. It´s possible, that your screen is now flickering, in that case leave Hitman alone and wait until the screen turns to normal again.
To find the different options of HitmanPro, you´ll just have to click on “settings” and you can change the settings, language, scan behavior or you can get a license for your copy of HitmanPro. HitmanPro also offers a 30 day free license to cleanup an infected PC without having to buy HitmanPro.
Within the settings you can also activate the EWS (early warning score). Unlike the standard Scan, which sends suspicious files into the “Scan cloud” to get them scanned with various anti virus products, the EWS can be performed without network connection and uses a scoring which is based on the behavior of the file it evaluates. This is also a very effective way to detect zero-day malware / ransomware, because the EWS is not dependent on signatures. In the case that new ransomware is not yet discovered via signatures by the scanners in the Surfrights scan cloud, EWS can still be a good way to detect the ransomware by the score and the informations it provides about suspicious files. So the interested user can evalute the threat potential of a suspicious, unknown file by analyzing it with HitmanPros EWS.
So back to the start screen in HitmanPro, let´s start a scan by hitting [next] on the main screen. HitmanPro will show you a blue window with an overview on the files it analyzes. It will show you the usual progress bar and a list of files – mostly cookies – that it has classified for your further evaluation. To get more information on a specific file, you can just click on it and you´ll be given an explanation about Hitmans outfindings on it.
If HitmanPro finds a threat, the blue windows will change to red, notifying you, that something possibly harmful has been found. You can evaluate it by yourself, with a click on the file in the list and you´ll be given an explanation about the file and its dependencies in windows.
The analysis shows you the name and location of the file and its dependencies, when it was first recognized as malware by HitmanPro and its associated scan cloud. You can see the names it is known for in other AV-Products and you will get a scoring for the malware. The higher the score, the greater the potentional threat that comes from the malware.
In our example the file “Offene Rechnung 13 Jan 2013.com” was found to be dangerous and HitmanPro tells us, that the file is detected as a Trojan by G-Data and Ikarus. It also shows some details on the files propertys itself. If the malware was new for HitmanPro, the file is uploaded to the “Scan cloud” and scanned by 5 different Anti-Virus products. The outcome of the analysis is stored into the Scan cloud, so that the results are directly accessible by other users. This ensures, that unknown files are analyzed by the first finding, classified by threat potential and the results are accessible in the Scan Cloud for every HitmanPro-user.
After finishing the scan, you can choose what to do with the listed files. You can individually choose to delete them, keep them in quarantine or ignore them. “delete” is the preselected option . If you find some wanted elements in this list, like cookies you want to keep, then you should choose to ignore them in the dropdown menu.
To proceed, just click on next and HitmanPro will perform the chosen actions and will give you an overview on what actions have been performed. You have also the possibility to save a log-file here for your records.
Just klick on “next” again and you will see a final statistic on what has been done so far. After closing the program, windows will need to reboot, to perform cleanups of remants of the found malware, which HitmanPro cannot access during windows runtime, so that the system is clean from malware by reaching the Windows logon screen.
A new scan with HitmanPro should now show a clean system, you can see the blue window color here, showing that everything is fine.
Hopefully the PC is now malwarefree. It is always a good idea to perform a scan a few windows starts after a system-cleanup, just to ensure that no malicious code, which would eventually be able to reload some code parts from the internet, was overseen. It cannot hurt eihter, to double check your scan results by other tools like Malwarebytes Antimalware or ESET´s Onlinescanner.