HPAware

From seemingly out of nowhere an application called HPAware.exe (I have an
HP) keeps trying to establish a connection over my Cable ISP. When I do a
search on the net for what this is (Whatsrunning, for instance), I'm told
that it's from HP-A company, whoever they are. I keep deleting the file and
it keeps returning. I think it's an illegitimate process. Has anyone any
advice regarding this?



Re: HPAware

Steve Zygote wrote:


First google hit may help:
http://forums.techguy.org/security/568056-hpaware.html

--
   -bts
   -Motorcycles defy gravity; cars just suck

Re: HPAware


| From seemingly out of nowhere an application called HPAware.exe (I have an
| HP) keeps trying to establish a connection over my Cable ISP. When I do a
| search on the net for what this is (Whatsrunning, for instance), I'm told
| that it's from HP-A company, whoever they are. I keep deleting the file and
| it keeps returning. I think it's an illegitimate process. Has anyone any
| advice regarding this?
|

This is a new infector with few vendors detecting it.  I submitted a sample to
the various vendors last night.

This is what I got when I sent it to Virus Total before I sent out my submission
distribution.

Complete scanning result of "HPAware.exe", processed in VirusTotal at 05/02/2007
01:21:35 (CET).

[ file data ]
* name: HPAware.exe
* size: 223252
* md5.: 958b3a4d9dbb7a636e26adfb235afb39
* sha1: b8dcc1bf4fa3718465fddd58c378160edfce9408

[ scan result ]
AhnLab-V3 2007.4.30.1/20070430 found nothing
AntiVir 7.4.0.15/20070501 found nothing
Authentium 4.93.8/20070430 found nothing
Avast 4.7.997.0/20070501 found nothing
AVG 7.5.0.467/20070501 found nothing
BitDefender 7.2/20070502 found nothing
CAT-QuickHeal 9.00/20070430 found [(Suspicious) - DNAScan]
ClamAV devel-20070416/20070501 found nothing
DrWeb 4.33/20070501 found nothing
eSafe 7.0.15.0/20070501 found nothing
eTrust-Vet 30.7.3609/20070501 found nothing
Ewido 4.0/20070501 found nothing
F-Prot 4.3.2.48/20070430 found nothing
F-Secure 6.70.13030.0/20070501 found nothing
FileAdvisor 1/20070502 found nothing
Fortinet 2.85.0.0/20070501 found nothing
Ikarus T3.1.1.5/20070501 found [Trojan-Spy.Win32.Banker.to]
Kaspersky 4.0.2.24/20070502 found nothing
McAfee 5021/20070501 found nothing
Microsoft 1.2405/20070501 found nothing
NOD32v2 2233/20070501 found nothing
Norman 5.80.02/20070501 found [W32/Malware.RJY]
Panda 9.0.0.4/20070501 found [Trj/Downloader.MRO]
Prevx1 V2/20070502 found nothing
Sophos 4.17.0/20070501 found nothing
Sunbelt 2.2.907.0/20070501 found [VIPRE.Suspicious]
Symantec 10/20070502 found nothing
TheHacker 6.1.6.095/20070415 found nothing
VBA32 3.11.4/20070430 found nothing
VirusBuster 4.3.7:9/20070501 found nothing
Webwasher-Gateway 6.0.1/20070501 found nothing

[ notes ]
packers: PETITE
packers: Petite
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that
are deemed suspicious through heuristics.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: HPAware


Updated Info:

Complete scanning result of "HPAware.exe", processed in VirusTotal at 05/03/2007
00:14:46 (CET).

[ file data ]
* name: HPAware.exe
* size: 223252
* md5.: 958b3a4d9dbb7a636e26adfb235afb39
* sha1: b8dcc1bf4fa3718465fddd58c378160edfce9408

[ scan result ]
AhnLab-V3 2007.5.3.0/20070502 found nothing
AntiVir 7.4.0.15/20070502 found [TR/Dldr.Delf.bjv]
Authentium 4.93.8/20070502 found nothing
Avast 4.7.997.0/20070501 found nothing
AVG 7.5.0.467/20070502 found nothing
BitDefender 7.2/20070502 found nothing
CAT-QuickHeal 9.00/20070430 found [(Suspicious) - DNAScan]
ClamAV devel-20070416/20070502 found nothing
DrWeb 4.33/20070502 found nothing
eSafe 7.0.15.0/20070502 found [Win32.Delf.bjv]
eTrust-Vet 30.7.3611/20070502 found nothing
Ewido 4.0/20070502 found [Downloader.Delf.bjv]
F-Prot 4.3.2.48/20070502 found nothing
F-Secure 6.70.13030.0/20070502 found [Trojan-Downloader.Win32.Delf.bjv]
FileAdvisor 1/20070503 found nothing
Fortinet 2.85.0.0/20070502 found nothing
Ikarus T3.1.1.7/20070502 found [Trojan-Spy.Win32.Banker.to]
Kaspersky 4.0.2.24/20070502 found [Trojan-Downloader.Win32.Delf.bjv]
McAfee 5022/20070502 found nothing
Microsoft 1.2405/20070502 found nothing
NOD32v2 2235/20070502 found nothing
Norman 5.80.02/20070502 found [W32/Malware.RJY]
Panda 9.0.0.4/20070502 found [Trj/Downloader.MRO]
Sophos 4.17.0/20070501 found nothing
Sunbelt 2.2.907.0/20070501 found [VIPRE.Suspicious]
Symantec 10/20070502 found nothing
TheHacker 6.1.6.104/20070415 found nothing
VBA32 3.11.4/20070502 found nothing
VirusBuster 4.3.7:9/20070502 found nothing
Webwasher-Gateway 6.0.1/20070502 found [Trojan.Dldr.Delf.bjv]

[ notes ]
packers: PETITE
packers: Petite
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that
are deemed suspicious through heuristics.


The consensus is: Downloader.Delf.bjv

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
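As an added example (not code from the thread or from any of its posters), here is a small parser for the VirusTotal listing format Dave pasted in his two posts: it pulls the file data, counts how many engines flagged the file, and looks for the family name the vendor labels agree on, which is how a "consensus" like the one above is reached. The sample input is a subset of the second listing; the list of generic tokens (Trojan, Downloader, Win32 and so on) is my own assumption about which label parts are class names rather than family names.

```python
import re
from collections import Counter

# Constructed input: a subset of the second VirusTotal listing posted above
# (3 May 2007), kept in the same line format so the parser runs offline.
SAMPLE_LISTING = """\
[ file data ]
* name: HPAware.exe
* size: 223252
* md5.: 958b3a4d9dbb7a636e26adfb235afb39
* sha1: b8dcc1bf4fa3718465fddd58c378160edfce9408

[ scan result ]
AhnLab-V3 2007.5.3.0/20070502 found nothing
AntiVir 7.4.0.15/20070502 found [TR/Dldr.Delf.bjv]
CAT-QuickHeal 9.00/20070430 found [(Suspicious) - DNAScan]
eSafe 7.0.15.0/20070502 found [Win32.Delf.bjv]
Ewido 4.0/20070502 found [Downloader.Delf.bjv]
F-Secure 6.70.13030.0/20070502 found [Trojan-Downloader.Win32.Delf.bjv]
Ikarus T3.1.1.7/20070502 found [Trojan-Spy.Win32.Banker.to]
Kaspersky 4.0.2.24/20070502 found [Trojan-Downloader.Win32.Delf.bjv]
McAfee 5022/20070502 found nothing
Norman 5.80.02/20070502 found [W32/Malware.RJY]
Panda 9.0.0.4/20070502 found [Trj/Downloader.MRO]
Sunbelt 2.2.907.0/20070501 found [VIPRE.Suspicious]
Symantec 10/20070502 found nothing
Webwasher-Gateway 6.0.1/20070502 found [Trojan.Dldr.Delf.bjv]

[ notes ]
packers: PETITE
"""

# "<engine> <version>/<yyyymmdd> found nothing" or "... found [<label>]"
RESULT_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)/(?P<sigdate>\d{8})\s+found\s+"
    r"(?:nothing|\[(?P<label>.+)\])\s*$"
)
# "* md5.: <hex>", "* name: <file>" etc. in the [ file data ] section
FILE_RE = re.compile(r"^\*\s*(?P<key>\w+)\.?:\s*(?P<value>\S+)\s*$")

# Assumed list of tokens that name a class of threat rather than a family;
# they are ignored when looking for the family name the vendors agree on.
GENERIC_TOKENS = {
    "tr", "trj", "trojan", "dldr", "downloader", "win32", "w32", "spy",
    "malware", "suspicious", "generic", "vipre", "dnascan",
}


def parse_listing(text):
    """Return ({file data key: value}, [(engine, sigdate, label-or-None), ...])."""
    file_data, results, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.strip("[] ").lower()
            continue
        if section == "file data":
            m = FILE_RE.match(line)
            if m:
                file_data[m["key"]] = m["value"]
        elif section == "scan result":
            m = RESULT_RE.match(line)
            if m:
                results.append((m["engine"], m["sigdate"], m["label"]))
    return file_data, results


def detection_summary(results):
    """(number of engines that flagged the file, number of engines queried)."""
    return sum(1 for _, _, label in results if label), len(results)


def family_consensus(results):
    """Most frequent non-generic name token across the vendor labels, or None."""
    counts = Counter()
    for _, _, label in results:
        if not label:
            continue
        for tok in re.split(r"[^a-z0-9]+", label.lower()):
            if tok and tok not in GENERIC_TOKENS:
                counts[tok] += 1
    return counts.most_common(1)[0][0] if counts else None


def engines_agreeing(results, family):
    """Engines whose label contains the family token (case-insensitive)."""
    return [engine for engine, _, label in results
            if label and family.lower() in label.lower()]


if __name__ == "__main__":
    info, res = parse_listing(SAMPLE_LISTING)
    hits, total = detection_summary(res)
    fam = family_consensus(res)
    print(f"{info['name']} md5={info['md5']}: {hits}/{total} engines flagged it")
    print(f"consensus family: {fam}; agreed by {engines_agreeing(res, fam)}")
```

On the sample above the detection count is 11 of 14 and the consensus token is "delf", backed by six engines; a file that only trips one heuristic engine (the "(Suspicious) - DNAScan" or "VIPRE.Suspicious" kind) would show a count of 1 and no family, which is the difference between a packed but possibly legitimate file and the situation in this thread.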



Re: HPAware

Sorry for top posting...but do you really want to read your output again,
Dave?

Where is it coming from? I have all sorts of protection yet it keeps popping
up. I keep deleting it and denying it access to the net. But when it does
appear, it wants to call home.





Re: HPAware


| Sorry for top posting...but do you really want to read your output again,
| Dave?
|
| Where is it coming from? I have all sorts of protection yet it keeps popping
| up. I keep deleting it and denying it access to the net. But when it does
| appear, it wants to call home.

Top Posting or Bottom Posting... all I care about is content :-)

As the name infers, it is a Downloading Trojan.

If it keeps on "popping up" after you remove it, it must have a peer utility
that replaces it and its entry if it is not loaded.


Changes

HKLM\SOFTWARE\updater
  "version" = 75
  "Id" = C79D060B8A2540D4B3329BF7819E6883
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "HP Update Assistant" = C:\WINDOWS\System32\HPAware.exe

Where this came from I don't know.  As of yet, that hasn't been identified.

Since Panda recognizes this I suggest Panda ActiveScan:
http://www.activescan.com/

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: HPAware

Thanks for turning me on to Virus Total. I was unaware that that service was
available.




Re: HPAware


| Thanks for turning me on to Virus Total. I was unaware that that service was
| available.
|

YW.  It is a very handy tool!
In the coming months expect to see the list of vendors grow.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: HPAware

On Wed, 02 May 2007 23:57:24 +0000, Steve Zygote wrote:

That's why you use a PROPER Usenet client and SNIP what you don't need to
form a proper reply - so you can read the reply without having to scroll.

--
Want to know what PCBUTTS1 is really about?
*** WARNING - this link contains foul/pornographic content of an
abusive nature created by PCBUTTS1 and still hosted on his public
website ***
http://www.pcbutts1.com/downloads/leythos.htm
http://www.pcbutts1.com/downloads/bughunter.htm

Re: HPAware


Please define PROPER.



Re: HPAware


Proper = RFC compliant, text only newsreader. e.g. NOT Outlook Express

Re: HPAware


Ok. I'm trying Thunderbird. Is THAT RFC compliant? And what is RFC?



Re: HPAware



|
| Ok. I'm trying Thunderbird. Is THAT RFC compliant? And what is RFC?
|

It is a US Gov't. acronym for Request For Comment.

In the early days of the Internet (ARPANet) all suggested modifications were
made through an RFC and they were numbered.

http://www.faqs.org/rfcs/

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: HPAware


BTW:  See if you have the following DLL:  HPI2.dll

Make sure you search for Hidden & System files.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: HPAware

David H. Lipman wrote:

What is the significance of my having that DLL? I'm searching for it
while I reply....

Re: HPAware


| David H. Lipman wrote:
| What is the significance of my having that DLL? I'm searching for it
| while I reply....

It may be the peer of the infection.
Loaded as a BHO such as...

O2 - BHO: (no name) - - C:\WINDOWS\system32\HPI2.dll


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
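An added example, not from the thread, that turns Dave's two findings above (the "HP Update Assistant" Run value plus the HKLM\SOFTWARE\updater key, and a BHO loading HPI2.dll) into a repeatable check. It parses a regedit .reg export rather than the live registry, so it runs on any machine; the export text is constructed to reproduce the listed entries, {PLACEHOLDER-CLSID} stands in for the BHO's CLSID because the thread gives none, and it is a general assumption here (not something the thread states) that a BHO's DLL path is registered under the CLSID's InprocServer32 subkey. The hash check uses the MD5/SHA1 VirusTotal reported for the sample.

```python
import hashlib
import re
from collections import namedtuple

Finding = namedtuple("Finding", "reason key name data")

# Indicators quoted in this thread: the sample's hashes from VirusTotal, the
# Run value name and extra key Dave listed, and the binaries he named.
KNOWN_MD5 = "958b3a4d9dbb7a636e26adfb235afb39"
KNOWN_SHA1 = "b8dcc1bf4fa3718465fddd58c378160edfce9408"
SUSPECT_BINARIES = {"hpaware.exe", "hpi2.dll"}
SUSPECT_RUN_NAMES = {"hp update assistant"}
SUSPECT_KEYS = {r"hkey_local_machine\software\updater"}
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$")

# Constructed regedit export reproducing the entries above.  {PLACEHOLDER-CLSID}
# stands in for the BHO's CLSID, which the thread does not give; the
# InprocServer32 subkey is where a BHO's DLL path is normally registered.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\updater]
"version"=dword:0000004b
"Id"="C79D060B8A2540D4B3329BF7819E6883"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Update Assistant"="C:\\WINDOWS\\System32\\HPAware.exe"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"

[HKEY_CLASSES_ROOT\CLSID\{PLACEHOLDER-CLSID}\InprocServer32]
@="C:\\WINDOWS\\system32\\HPI2.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg_export(text):
    """Parse a .reg export into {key: {value name: data}} (string and dword values decoded)."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        if key is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            # .reg files escape backslashes and quotes inside string data
            data = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif value.lower().startswith("dword:"):
            data = int(value[6:], 16)
        else:
            data = value  # other types (hex:, expand strings) kept raw
        tree[key][name] = data
    return tree


def _basename(data):
    return str(data).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(tree):
    """Return the registry entries that match the thread's indicators."""
    findings = []
    for key, values in tree.items():
        k = key.lower()
        if k in SUSPECT_KEYS:
            findings.append(Finding("suspect key present", key, None, None))
        for name, data in values.items():
            binary = _basename(data) if isinstance(data, str) else ""
            if RUN_KEY_RE.search(k) and (name.lower() in SUSPECT_RUN_NAMES
                                         or binary in SUSPECT_BINARIES):
                findings.append(Finding("autostart entry", key, name, data))
            elif k.endswith("\\inprocserver32") and binary in SUSPECT_BINARIES:
                findings.append(Finding("COM/BHO server", key, name, data))
    return findings


def matches_known_sample(blob):
    """True if the bytes hash to the MD5 or SHA1 VirusTotal reported for HPAware.exe."""
    return (hashlib.md5(blob).hexdigest() == KNOWN_MD5
            or hashlib.sha1(blob).hexdigest() == KNOWN_SHA1)


if __name__ == "__main__":
    for f in scan(parse_reg_export(SAMPLE_REG)):
        print(f"{f.reason}: {f.key} {f.name or ''} -> {'' if f.data is None else f.data}")
```

To run it against a real machine, export the keys of interest with `reg export` (for instance the Run key and HKLM\SOFTWARE\updater) and feed the file's text to parse_reg_export; the point of keying on both the value name and the executable's basename is that the peer utility Dave describes can re-create the entry under either a new name or a new path, and a check on only one of them would miss the re-creation.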



Re: HPAware



I don't have it on my system.



Re: HPAware



| I don't have it on my system.
|

OK.  How about:  MLRQP.exe ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: HPAware

Nope. Don't have that file on my system either. I use F-Secure, the complete
package. It's licensed to my ISP and a "free" download when one has a
subscription. They rebrand it to their own.



Re: HPAware

On Thu, 03 May 2007 12:45:23 +0000, Steve Zygote wrote:


One that snips signature lines, one that properly places the cursor at
the bottom of the message, one that warns you when you're about to violate
posting norms (long sigs, line width, posting to more than x groups)...


--
Want to know what PCBUTTS1 is really about?
*** WARNING - this link contains foul/pornographic content of an
abusive nature created by PCBUTTS1 and still hosted on his public
website ***
http://www.pcbutts1.com/downloads/leythos.htm
http://www.pcbutts1.com/downloads/bughunter.htm
