HPAware

Steve Zygote

From seemingly out of nowhere an application called HPAware.exe (I have an
HP) keeps trying to establish a connection over my Cable ISP. When I do a
search on the net for what this is (Whatsrunning, for instance), I'm told
that it's from HP-A company, whoever they are. I keep deleting the file and
it keeps returning. I think it's an illegitimate process. Has anyone any
advice regarding this?
 
Steve said:
From seemingly out of nowhere an application called HPAware.exe (I
have an HP) keeps trying to establish a connection over my Cable ISP.
When I do a search on the net for what this is (Whatsrunning, for
instance), I'm told that it's from HP-A company, whoever they are. I
keep deleting the file and it keeps returning. I think it's an
illegitimate process. Has anyone any advice regarding this?

First google hit may help:
http://forums.techguy.org/security/568056-hpaware.html
 
From: "Steve Zygote" <[email protected]>

| From seemingly out of nowhere an application called HPAware.exe (I have an
| HP) keeps trying to establish a connection over my Cable ISP. When I do a
| search on the net for what this is (Whatsrunning, for instance), I'm told
| that it's from HP-A company, whoever they are. I keep deleting the file and
| it keeps returning. I think it's an illegitimate process. Has anyone any
| advice regarding this?
|

This is a new infector with few vendors detecting it. I submitted a sample to the various
vendors last night.

This is what I got when I sent it to Virus Total before I sent out my submission
distribution.

Complete scanning result of "HPAware.exe", processed in VirusTotal at 05/02/2007 01:21:35
(CET).

[ file data ]
* name: HPAware.exe
* size: 223252
* md5.: 958b3a4d9dbb7a636e26adfb235afb39
* sha1: b8dcc1bf4fa3718465fddd58c378160edfce9408

[ scan result ]
AhnLab-V3 2007.4.30.1/20070430 found nothing
AntiVir 7.4.0.15/20070501 found nothing
Authentium 4.93.8/20070430 found nothing
Avast 4.7.997.0/20070501 found nothing
AVG 7.5.0.467/20070501 found nothing
BitDefender 7.2/20070502 found nothing
CAT-QuickHeal 9.00/20070430 found [(Suspicious) - DNAScan]
ClamAV devel-20070416/20070501 found nothing
DrWeb 4.33/20070501 found nothing
eSafe 7.0.15.0/20070501 found nothing
eTrust-Vet 30.7.3609/20070501 found nothing
Ewido 4.0/20070501 found nothing
F-Prot 4.3.2.48/20070430 found nothing
F-Secure 6.70.13030.0/20070501 found nothing
FileAdvisor 1/20070502 found nothing
Fortinet 2.85.0.0/20070501 found nothing
Ikarus T3.1.1.5/20070501 found [Trojan-Spy.Win32.Banker.to]
Kaspersky 4.0.2.24/20070502 found nothing
McAfee 5021/20070501 found nothing
Microsoft 1.2405/20070501 found nothing
NOD32v2 2233/20070501 found nothing
Norman 5.80.02/20070501 found [W32/Malware.RJY]
Panda 9.0.0.4/20070501 found [Trj/Downloader.MRO]
Prevx1 V2/20070502 found nothing
Sophos 4.17.0/20070501 found nothing
Sunbelt 2.2.907.0/20070501 found [VIPRE.Suspicious]
Symantec 10/20070502 found nothing
TheHacker 6.1.6.095/20070415 found nothing
VBA32 3.11.4/20070430 found nothing
VirusBuster 4.3.7:9/20070501 found nothing
Webwasher-Gateway 6.0.1/20070501 found nothing

[ notes ]
packers: PETITE
packers: Petite
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed
suspicious through heuristics.
 
From: "David H. Lipman" <[email protected]>

Updated Info:

Complete scanning result of "HPAware.exe", processed in VirusTotal at 05/03/2007 00:14:46
(CET).

[ file data ]
* name: HPAware.exe
* size: 223252
* md5.: 958b3a4d9dbb7a636e26adfb235afb39
* sha1: b8dcc1bf4fa3718465fddd58c378160edfce9408

[ scan result ]
AhnLab-V3 2007.5.3.0/20070502 found nothing
AntiVir 7.4.0.15/20070502 found [TR/Dldr.Delf.bjv]
Authentium 4.93.8/20070502 found nothing
Avast 4.7.997.0/20070501 found nothing
AVG 7.5.0.467/20070502 found nothing
BitDefender 7.2/20070502 found nothing
CAT-QuickHeal 9.00/20070430 found [(Suspicious) - DNAScan]
ClamAV devel-20070416/20070502 found nothing
DrWeb 4.33/20070502 found nothing
eSafe 7.0.15.0/20070502 found [Win32.Delf.bjv]
eTrust-Vet 30.7.3611/20070502 found nothing
Ewido 4.0/20070502 found [Downloader.Delf.bjv]
F-Prot 4.3.2.48/20070502 found nothing
F-Secure 6.70.13030.0/20070502 found [Trojan-Downloader.Win32.Delf.bjv]
FileAdvisor 1/20070503 found nothing
Fortinet 2.85.0.0/20070502 found nothing
Ikarus T3.1.1.7/20070502 found [Trojan-Spy.Win32.Banker.to]
Kaspersky 4.0.2.24/20070502 found [Trojan-Downloader.Win32.Delf.bjv]
McAfee 5022/20070502 found nothing
Microsoft 1.2405/20070502 found nothing
NOD32v2 2235/20070502 found nothing
Norman 5.80.02/20070502 found [W32/Malware.RJY]
Panda 9.0.0.4/20070502 found [Trj/Downloader.MRO]
Sophos 4.17.0/20070501 found nothing
Sunbelt 2.2.907.0/20070501 found [VIPRE.Suspicious]
Symantec 10/20070502 found nothing
TheHacker 6.1.6.104/20070415 found nothing
VBA32 3.11.4/20070502 found nothing
VirusBuster 4.3.7:9/20070502 found nothing
Webwasher-Gateway 6.0.1/20070502 found [Trojan.Dldr.Delf.bjv]

[ notes ]
packers: PETITE
packers: Petite
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed
suspicious through heuristics.


The consensus is: Downloader.Delf.bjv
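As an added illustration (not part of the thread), here is how a VirusTotal text report of the kind posted above can be reduced to the two things Dave is reading off it: how many vendors flag the file, and which family name they agree on once category prefixes such as Trojan, Downloader or Win32 are stripped from each vendor's label. The report text is the [ scan result ] block of the second run, copied as posted; the list of "generic" tokens is my own assumption about which name parts carry no family information, and a consensus is only declared when at least two vendors agree.

```python
import re
from collections import Counter

# [ scan result ] block from the 05/03/2007 VirusTotal rescan posted above,
# copied verbatim so the parser runs offline.
VT_REPORT = """\
AhnLab-V3 2007.5.3.0/20070502 found nothing
AntiVir 7.4.0.15/20070502 found [TR/Dldr.Delf.bjv]
Authentium 4.93.8/20070502 found nothing
Avast 4.7.997.0/20070501 found nothing
AVG 7.5.0.467/20070502 found nothing
BitDefender 7.2/20070502 found nothing
CAT-QuickHeal 9.00/20070430 found [(Suspicious) - DNAScan]
ClamAV devel-20070416/20070502 found nothing
DrWeb 4.33/20070502 found nothing
eSafe 7.0.15.0/20070502 found [Win32.Delf.bjv]
eTrust-Vet 30.7.3611/20070502 found nothing
Ewido 4.0/20070502 found [Downloader.Delf.bjv]
F-Prot 4.3.2.48/20070502 found nothing
F-Secure 6.70.13030.0/20070502 found [Trojan-Downloader.Win32.Delf.bjv]
FileAdvisor 1/20070503 found nothing
Fortinet 2.85.0.0/20070502 found nothing
Ikarus T3.1.1.7/20070502 found [Trojan-Spy.Win32.Banker.to]
Kaspersky 4.0.2.24/20070502 found [Trojan-Downloader.Win32.Delf.bjv]
McAfee 5022/20070502 found nothing
Microsoft 1.2405/20070502 found nothing
NOD32v2 2235/20070502 found nothing
Norman 5.80.02/20070502 found [W32/Malware.RJY]
Panda 9.0.0.4/20070502 found [Trj/Downloader.MRO]
Sophos 4.17.0/20070501 found nothing
Sunbelt 2.2.907.0/20070501 found [VIPRE.Suspicious]
Symantec 10/20070502 found nothing
TheHacker 6.1.6.104/20070415 found nothing
VBA32 3.11.4/20070502 found nothing
VirusBuster 4.3.7:9/20070502 found nothing
Webwasher-Gateway 6.0.1/20070502 found [Trojan.Dldr.Delf.bjv]
"""

# One report line: "<vendor> <engine/signature date> found nothing|[label]"
LINE_RE = re.compile(r"^(?P<vendor>\S+) (?P<version>\S+) found (?:nothing|\[(?P<label>.+)\])$")

# Assumed category/heuristic tokens that say nothing about the family, so that
# "TR/Dldr.Delf.bjv", "Win32.Delf.bjv" and "Trojan.Dldr.Delf.bjv" all reduce to "Delf.bjv".
GENERIC = {"trojan", "tr", "trj", "downloader", "dldr", "spy", "win32", "w32",
           "malware", "suspicious", "vipre", "dnascan", "generic", "heur"}


def parse_report(text):
    """Return [(vendor, label or None)]; an unparseable line is an error, not a miss."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        results.append((m["vendor"], m["label"]))
    return results


def family(label):
    """Strip generic tokens from a vendor label; None if only heuristics remain."""
    tokens = [t for t in re.split(r"[^A-Za-z0-9]+", label) if t]
    specific = [t for t in tokens if t.lower() not in GENERIC]
    return ".".join(specific) or None


def summarize(text, min_agree=2):
    results = parse_report(text)
    detections = [(v, l) for v, l in results if l]
    families = Counter()
    for _, label in detections:
        fam = family(label)
        if fam:  # purely heuristic verdicts count as detections but not as a family vote
            families[fam] += 1
    consensus = None
    if families:
        top, votes = families.most_common(1)[0]
        if votes >= min_agree:
            consensus = top
    return {"vendors": len(results), "detections": len(detections),
            "families": dict(families), "consensus": consensus}


if __name__ == "__main__":
    s = summarize(VT_REPORT)
    print(f"{s['detections']}/{s['vendors']} vendors flag the file; consensus: {s['consensus']}")
    print(s["families"])
```

Run against the first report instead, the three named verdicts (Banker.to, RJY, MRO) each have a single vote, so `consensus` comes back `None`, which is the honest answer a day before the signatures caught up.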
 
Sorry for top posting...but do you really want to read your output again,
Dave?

Where is it coming from? I have all sorts of protection yet it keeps popping
up. I keep deleting it and denying it access to the net. But when it does
appear, it wants to call home.
 
From: "Steve Zygote" <[email protected]>

| Sorry for top posting...but do you really want to read your output again,
| Dave?
|
| Where is it coming from? I have all sorts of protection yet it keeps popping
| up. I keep deleting it and denying it access to the net. But when it does
| appear, it wants to call home.

Top Posting or Bottom Posting... all I care about is content :-)

As the name implies, it is a Downloading Trojan.

If it keeps on "popping up" after you remove it, it must have a peer utility that replaces
it and its entry if it is not loaded.


Changes

HKLM\SOFTWARE\updater
"version" = 75
"Id" = C79D060B8A2540D4B3329BF7819E6883
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"HP Update Assistant" = C:\WINDOWS\System32\HPAware.exe

Where this came from I don't know. As of yet, that hasn't been identified.

Since Panda recognizes this I suggest Panda ActiveScan:
http://www.activescan.com/
 
Thanks for turning me on to Virus Total. I was unaware that that service was
available.
 
From: "Steve Zygote" <[email protected]>

| Thanks for turning me on to Virus Total. I was unaware that that service was
| available.
|

YW. It is a very handy tool!
In the coming months expect to see the list of vendors grow.
 
Sorry for top posting...but do you really want to read your output
again, Dave?

That's why you use a PROPER Usenet client and SNIP what you don't need to
form a proper reply - so you can read the reply without having to scroll.

--
Want to know what PCBUTTS1 is really about?
*** WARNING - these links contain foul/pornographic content of an
abusive nature created by PCBUTTS1 and still hosted on his public
website ***
http://www.pcbutts1.com/downloads/leythos.htm
http://www.pcbutts1.com/downloads/bughunter.htm
 
Leythos said:
That's why you use a PROPER Usenet client and SNIP what you don't need to
form a proper reply - so you can read the reply without having to scroll.

Please define PROPER.
 
Default User said:
Proper = RFC compliant, text only newsreader. e.g. NOT Outlook Express

Ok. I'm trying Thunderbird. Is THAT RFC compliant? And what is RFC?
 
From: "Steve Zygote" <[email protected]>


|
| Ok. I'm trying Thunderbird. Is THAT RFC compliant? And what is RFC?
|

It is a US Gov't acronym for Request For Comment.

In the early days of the Internet (ARPANet) all suggested modifications were made through
an RFC, and they were numbered.

http://www.faqs.org/rfcs/
 
From: "KPax Thwogswallow" <[email protected]>

| What is the significance of my having that DLL? I'm searching for it
| while I reply....

It may be the peer of the infection.
Loaded as a BHO such as...

O2 - BHO: (no name) - {E6280729-9251-41D7-BC1C-572C9548C962} - C:\WINDOWS\system32\HPI2.dll
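Added example, not written by anyone in the thread: a small offline triage over HijackThis-style O4 (Run key) and O2 (BHO) lines, using the indicators Dave has posted so far (the "HP Update Assistant" Run value and its HPAware.exe path, the HKLM\SOFTWARE\updater key, the HPI2.dll BHO with its CLSID, and the VirusTotal MD5/SHA1). The log is constructed: two lines are built from those indicators, the two benign entries are invented for contrast. It produces one removal pass that stops every flagged image before deleting anything, which is what Dave's peer-utility observation implies, and it treats a file-name or value-name match as a reason to look while leaving confirmation to the hashes.

```python
import hashlib
import re

# Indicators taken from the thread (hashes from the VirusTotal report).
IOC = {
    "md5": {"958b3a4d9dbb7a636e26adfb235afb39"},
    "sha1": {"b8dcc1bf4fa3718465fddd58c378160edfce9408"},
    "files": {"hpaware.exe", "hpi2.dll"},
    "run_values": {"hp update assistant"},
    "clsids": {"{e6280729-9251-41d7-bc1c-572c9548c962}"},
    "reg_keys": [r"HKLM\SOFTWARE\updater"],
}

# Constructed HijackThis-style log: lines 2 and 4 come from the thread's
# indicators; the "Example" entries (and their CLSID) are made up as benign noise.
SAMPLE_LOG = r"""
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {E6280729-9251-41D7-BC1C-572C9548C962} - C:\WINDOWS\system32\HPI2.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKLM\..\Run: [HP Update Assistant] C:\WINDOWS\System32\HPAware.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")


def basename(cmd):
    """Lower-cased image file name out of a command line or path."""
    m = re.search(r'([^\\/"]+\.(?:exe|dll))', cmd, re.I)
    return m.group(1).lower() if m else cmd.strip().lower()


def parse_entries(log):
    entries = []
    for line in log.strip().splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "bho", "name": m["name"], "clsid": m["clsid"].lower(),
                            "image": m["path"], "file": basename(m["path"])})
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "run", "key": m["key"], "value": m["value"],
                            "image": m["cmd"], "file": basename(m["cmd"])})
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return entries


def flag(entries, ioc=IOC):
    """Entries matching any indicator, each with the reasons it was flagged."""
    hits = []
    for e in entries:
        reasons = []
        if e["file"] in ioc["files"]:
            reasons.append("file name")
        if e["kind"] == "run" and e["value"].lower() in ioc["run_values"]:
            reasons.append("Run value name")
        if e["kind"] == "bho" and e["clsid"] in ioc["clsids"]:
            reasons.append("BHO CLSID")
        if reasons:
            hits.append({**e, "reasons": reasons})
    return hits


def removal_plan(hits, ioc=IOC):
    """Single pass: stop every flagged image first so neither peer can restore
    the other, then pull the autostart entries, the files and the marker key."""
    images = sorted({h["file"] for h in hits})
    steps = [f"stop process: {f}" for f in images if f.endswith(".exe")]
    if any(h["kind"] == "bho" for h in hits):
        steps.append("stop Internet Explorer (unloads in-process BHO DLLs)")
    for h in hits:
        if h["kind"] == "run":
            steps.append(f"delete Run value: {h['key']} [{h['value']}]")
        else:
            steps.append(f"unregister BHO: {h['clsid']}")
    steps += [f"delete file: {h['image']}" for h in hits]
    steps += [f"delete key: {k}" for k in ioc["reg_keys"]]
    return steps


def hash_matches(data, ioc=IOC):
    """A name match only justifies a look; the posted hashes confirm the sample."""
    return (hashlib.md5(data).hexdigest() in ioc["md5"]
            or hashlib.sha1(data).hexdigest() in ioc["sha1"])


if __name__ == "__main__":
    hits = flag(parse_entries(SAMPLE_LOG))
    for h in hits:
        print(f"{h['kind']:3} {h['image']}  <- {', '.join(h['reasons'])}")
    print("\n".join(removal_plan(hits)))
```

Deleting HPAware.exe on its own, as Steve has been doing, is exactly the step this plan refuses to take in isolation: with the peer still running, the file and its Run entry are put straight back.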
 
David H. Lipman said:
From: "KPax Thwogswallow" <[email protected]>


| What is the significance of my having that DLL? I'm searching for it
| while I reply....

It may be the peer of the infection.
Loaded as a BHO such as...

O2 - BHO: (no name) - {E6280729-9251-41D7-BC1C-572C9548C962} -
C:\WINDOWS\system32\HPI2.dll


I don't have it on my system.
 
From: "Steve Zygote" <[email protected]>

| From seemingly out of nowhere an application called HPAware.exe (I
| have an HP) keeps trying to establish a connection over my Cable ISP.
| When I do a search on the net for what this is (Whatsrunning, for
| instance), I'm told that it's from HP-A company, whoever they are. I
| keep deleting the file and it keeps returning. I think it's an
| illegitimate process. Has anyone any advice regarding this?
|

This is a new infector with few vendors detecting it. I submitted a
sample to the various vendors last night.

Hi Dave, for what it's worth, BugHunter now offers detection and removal.
It has several optional files it can download in order to keep coming back,
per se. If the process remains resident, it will regenerate its host
file.



--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 
David H. Lipman said:
From: "Steve Zygote" <[email protected]>


| I don't have it on my system.
|

OK. How about MLRQP.exe?

Nope. Don't have that file on my system either. I use F-Secure, the complete
package. It's licensed to my ISP and a "free" download when one has a
subscription. They rebrand it to their own.
 