I wanted to start a thread on this topic as I'm not sure anybody else has seen a connection with this issue. Yesterday I was able to successfully remove a virus from my father-in-law's computer that we have been after for some time. The problem began a couple of months ago when Spywareguard kept notifying us that something was attempting to change the Internet Explorer home page. It was being changed from www.google.com to http://qus10.hpwis.com.
I disallowed the change and thought the problem was solved. A couple of days ago my father-in-law called me and stated he was having major problems with his computer (running XP home with SP2). It had been slowed to a crawl and we could barely get the dial-up networking box to appear so as to get on the Internet. He had been running Avast antivirus, and I noticed his Avast icon was not in the system tray. I opened Windows Explorer and checked the program files, only to find that the program files for his security software (antivirus and other anti-spyware) had been either erased or altered. The Avast.exe program had been changed to Avast.E_E. I knew we were dealing with some type of viral application killer. I ran some scans from some antispyware I had on CD, and Microsoft Antispyware advised something had hijacked the hosts file. However, this virus locked up MS Antispyware before it could remove the thing. I then ran some other scans, but nothing seemed to be able to find this thing.
I then ran HijackThis and it showed the hijacker under the R0 and R1 sections as: http://qus10.hpwis.com.
And so I copied down the info and that evening proceeded to go online from my own computer to see if I could find out how to get rid of whatever this was. I entered the URL in Google and looked at approximately 50 posted HijackThis logs where people had this listed as a hijacker. The common denominator among them all was that, WITHOUT EXCEPTION, every person who had this little "friend" also had HP software or hardware of some kind. Also, the "hp" part in the hijack address made me a little suspicious. Anyway, to make a long story somewhat shorter, yesterday I ran a stand-alone version of McAfee in DOS (after booting into Safe Mode), and it hunted the virus down and killed it. McAfee identified the virus as a "KillApp." That was true, as it had "killed" most of the security software by eating away at their program files. The file itself was called "Terminator.exe" and was in the following path:
After the McAfee antivirus killed it, I booted back into normal mode, and it was night and day. Also, having Zone Alarm firewall installed, we had noticed previously that several of the HP applications were attempting to "call out" after we got online. And so, I don't exactly know what's going on, but there is definitely some connection between this qus10.hpwis.com hijacker and the HP software. Whether this virus is something that downloaded while the HP software was attempting to obtain updates or came through some other channel is unknown. At this point, since I have not seen anyone else notice the common denominator with all of these HijackThis logs and the prevalence of HP software involved in this problem, I wanted to give others some food for thought. Also, maybe this is something that really needs to be looked into by some people with much more technical skill than I possess. At any rate, I set Zone Alarm to block all communications by the HP programs. Personally, I do not see the need for them to be sending information back to the "mother ship" anyway. If a person needs an update, etc., they can always go to the company website and get what they need. I really don't like any of my applications doing things behind my back. In another forum I was reading that the hijacker might have something to do with the Backweb Light that is included with HP software (which we disabled some time back). Again, WHY does it need to "phone home?" Any replies or thoughts on this would be welcome.