
Virus Problem Connected With Hp Software?


14 replies to this topic

#1 KDNeese (Members, 8 posts)

Posted 16 December 2005 - 01:04 PM

I wanted to start a thread on this topic as I'm not sure anybody else has seen a connection with this issue. Yesterday I was able to successfully remove a virus from my father-in-law's computer that we have been after for some time. The problem began a couple of months ago when Spywareguard kept notifying us that something was attempting to change the Internet Explorer home page. It was being changed from www.google.com to http://qus10.hpwis.com. I disallowed the change and thought the problem was solved. A couple of days ago my father-in-law called me and stated he was having major problems with his computer (running XP Home with SP2). It had been slowed to a crawl and we could barely get the dial-up networking box to appear so as to get on the Internet. He had been running Avast antivirus, and I noticed his Avast icon was not in the system tray. I opened Windows Explorer and checked the program files, only to find that the program files for his security software (antivirus and other anti-spyware) had been either erased or altered. The Avast.exe program had been changed to Avast.E_E. I knew we were dealing with some type of viral application killer. I ran some scans from some antispyware I had on CD, and Microsoft Antispyware advised something had hijacked the hosts file. However, this virus locked up MS Antispyware before it could remove the thing. I then ran some other scans, but nothing seemed to be able to find this thing.

I then ran HijackThis and it showed the hijacker under the R0 and R1 sections as: http://qus10.hpwis.com and http://srch-qus10.hpwis.com. And so I copied down the info and that evening proceeded to go online from my own computer to see if I could find out how to get rid of whatever this was. I entered the URL in Google and looked at approximately 50 posted HijackThis logs where people had this listed as a hijacker. The common denominator among them all was that, WITHOUT EXCEPTION, every person who had this little "friend" also had HP software or hardware of some kind. Also, the "hp" part in the hijack address made me a little suspicious. Anyway, to make a long story somewhat shorter, yesterday I ran a stand-alone version of McAfee in DOS (after booting into Safe Mode), and it hunted the virus down and killed it. McAfee identified the virus as a "KillApp." That was true, as it had "killed" most of the security software by eating away at their program files. The file itself was called "Terminator.exe" and was in the following path:
C:\hp\bin\terminator.exe.

After the McAfee antivirus killed it, I booted back into normal mode, and it was night and day. Also, having Zone Alarm firewall installed, we had noticed previously that several of the HP applications were attempting to "call out" after we got online. And so, I don't exactly know what's going on, but there is definitely some connection between this qus10.hpwis.com hijacker and the HP software. Whether this virus is something that downloaded while the HP software was attempting to obtain updates or came through some other channel is unknown. At this point, since I have not seen anyone else notice the common denominator with all of these HijackThis logs and the prevalence of HP software involved in this problem, I wanted to give others some food for thought. Also, maybe this is something that really needs to be looked into by some people with much more technical skill than I possess. At any rate, I set Zone Alarm to block all communications by the HP programs. Personally, I do not see the need for them to be sending information back to the "mother ship" anyway. If a person needs an update, etc., they can always go to the company website and get what they need. I really don't like any of my applications doing things behind my back. In another forum I was reading that the hijacker might have something to do with the Backweb Light that is included with HP software (which we disabled some time back). Again, WHY does it need to "phone home?" Any replies or thoughts on this would be welcome.
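As an added example (not code from the thread, from HijackThis or from HP), this is the kind of check a defender could run over a saved HijackThis log to pull out the R0/R1 home-page/search-page entries and hosts-file entries the post above describes and flag any that point somewhere the owner did not choose. The sample log lines are constructed from the domains quoted in the thread; the 192.0.2.10 hosts entry is an invented illustration of a hosts-file hijack.

```python
"""Triage HijackThis-style log lines against a short domain allow-list.

Added example, not code from the thread or from HijackThis itself: it
reads the R0/R1 (IE start/search page) and O1 (hosts file) lines that
HijackThis prints and flags every entry pointing somewhere the owner
did not pick, which is how the hpwis.com redirect above showed up.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# HijackThis line shapes: "R0 - HKCU\...\Main,Start Page = http://..."
# and "O1 - Hosts: <ip> <name>".
IE_PAGE = re.compile(r"^(R[01]) - (HK\w+\\[^=]+?) = (\S+)")
HOSTS_ENTRY = re.compile(r"^(O1) - Hosts: (\S+)\s+(\S+)")

# Domains the owner actually chose; the thread says the home page was Google.
ALLOWED_DOMAINS = {"google.com"}

# Constructed sample: the R0/R1 targets are the ones quoted in the posts,
# the 192.0.2.10 hosts entry is a made-up example of a hosts-file hijack.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us10.hpwis.com
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.0.2.10 www.google.com
"""


def registrable(host):
    """Collapse sub-domains so qus10.hpwis.com, srch-qus10.hpwis.com and
    us10.hpwis.com all report as hpwis.com (naive last-two-labels rule)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(lines):
    """Return (section, key_or_name, target) for every suspicious line.

    For R0/R1 the target is the registrable domain the page points at;
    for O1 it is the address a host name is being rerouted to.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        m = IE_PAGE.match(line)
        if m:
            section, key, url = m.groups()
            domain = registrable(urlparse(url).hostname or url)
            if domain not in ALLOWED_DOMAINS:
                findings.append((section, key, domain))
            continue
        m = HOSTS_ENTRY.match(line)
        if m:
            section, ip, name = m.groups()
            # A hosts entry should only ever map a name to the local machine;
            # anything else silently reroutes that name for every program.
            if not ip.startswith("127.") and ip != "::1":
                findings.append((section, name, ip))
    return findings


def redirect_domains(findings):
    """Count where the IE entries point; across the many posted logs the
    thread mentions, this 'common denominator' came out as hpwis.com."""
    return Counter(target for section, _, target in findings
                   if section in ("R0", "R1"))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for section, where, target in hits:
        print("%s  %-70s -> %s" % (section, where, target))
    print("redirect targets:", dict(redirect_domains(hits)))
```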


#2 Grinler (Lawrence Abrams; Admin, 43,542 posts; Location: USA)

Posted 16 December 2005 - 02:28 PM

This is a known issue with HP and Compaq computers. For example, in Compaq Presarios you may see:

http://desktop.presario.net/scripts/redire...=consumer&i=enu

I don't think this is a virus per se, but rather part of their update software or other software that gets installed. Whenever I see these in logs I always fix them. Why do they hijack your IE to those pages? So they can track who is using what. Those links connect to an HP server, log the instance of your opening IE, and then redirect you to Yahoo.

For the search pages, they use their own branded Yahoo search. Why? They probably get paid by Yahoo or some other type of kickback.

The calling back is probably a program checking for updates. Many hardware vendors include these annoying, worthless programs that waste bandwidth and slow down your computer.


Btw...here is the hpwis.com domain record:

Registrant:
Hewlett-Packard Company
(DOM-309202)
3000 Hanover St.
Palo Alto
CA
94304
US

Domain Name: hpwis.com

Registrar Name: Markmonitor.com
Registrar Whois: whois.markmonitor.com
Registrar Homepage: http://www.markmonitor.com

Administrative Contact:
Domain Registration Manager
(NIC-1477322)
Hewlett-Packard Company
1000 Circle Blvd MS 413G
Corvallis
OR
97330
US
Hostmaster@hp.com
+1.5417152100
Fax- +1.5417156789
Technical Contact, Zone Contact:
HP Hostmaster
(NIC-1457890)
Hewlett-Packard Company
3404 East Harmony Rd. MS 20
Fort Collins
CO
80528
US
hostmaster@hp.com
+1.8005247638
Fax- +1.9708983793

Created on..............: 2000-Oct-23.
Expires on..............: 2006-Oct-23.
Record last updated on..: 2005-Jul-25 21:53:34.

Domain servers in listed order:

AM1.HP.COM
AM3.HP.COM



#3 KDNeese (Topic Starter; Members, 8 posts)

Posted 16 December 2005 - 04:29 PM

Grinler,

Any idea how the virus is associated with the HP files? In one scan, Microsoft Antispyware stated that this little guy had hijacked the hosts file. We thought we had deleted it at that particular time, but apparently it had other friends that took over where it left off. Also, as I brought out in my post, there was definitely a virus present that was destroying the security software program files - and which was found to be in the hp/bin/ files. I went down the line in Windows Explorer looking at the program files for the security software I had placed on the computer, and many of them were simply eaten away. It appeared that only certain applications were susceptible (such as Avast, and several others), but the Ewido files were still intact. Also, I opened Ad-Aware and tried to update the definitions. It got to 5% and then the virus froze Ad-Aware. It didn't seem to be able to affect Spybot or Winpatrol. All of those files were still intact and we were able to do scans. It didn't destroy the MS Antispyware files, but would lock it up every time we tried to run it. For some reason it also did away with the Opera browser I had installed on his system and deleted the desktop icon. Knowing how much more secure Opera is than Internet Explorer, I can understand why it would do that. I actually was able to delete the redirections with HijackThis, but the virus still remained.

Also it seemed to especially wreak havoc with the dial-up networking, as it was taking forever to open and you could hear the hard drive rattling as it was attempting to open. After deleting the virus, I ran the LSP fix program from CEXX.org. Then, I clicked on the dial-up networking connections I had established and it was instantaneous. I'm not saying that the virus was caused by the HP software, but their little program that hijacked the home page was as bad or worse than any other hijacker I've found. Plus, the simple fact that it attempted to alter and hijack the hosts file (with HostMan hosts manager installed and updated) makes me very suspicious. Also, since I know my father-in-law does not visit any malicious sites, I still wonder if the virus somehow sneaked into the system during one of the HP software's "behind the back" sessions? I'm not enough of a technical person to know how all of this works. All I can do is look at the evidence and try to deduce some sort of conclusion from that. Also, I don't really see the need for updates for printers. I've never had to update my printer, scanner or anything. To me, all these programs are doing is sending personal information and statistics back to HP, which, as far as I'm concerned, is not any different than a tracking cookie or other spyware that also tracks a person's habits or information. That's the nice thing about having a two-way firewall, I guess - it rats on those apps that are always going behind your back. The bottom line is that, when we deleted the virus, the browser redirector also went away. So, I'm not unconvinced they are not connected in some way.

Also, your comment concerning Compaq computers was interesting, as that is exactly what he has. Some of the HP software he loaded on there himself after purchasing an HP printer. But I know there was a lot of HP malarkey pre-loaded on there when he bought the thing.

Also, do you think it is possible the virus could have sneaked its way through some kind of back-door hole or flaw during one of the communications the HP software had? Apparently, because he didn't know any better, my father-in-law was allowing all of these programs to communicate through the firewall, so I'm thinking that might have opened the door (with Zone Alarm's permission) for anything to just waltz on in and plant itself on the computer. I'm just trying to figure out how this happened so he doesn't make the same mistake again. He's an older gentleman who really doesn't know anything about computers and the Internet and really shouldn't be on the Internet at all with all the malware out there today. But, until I can convince him to get rid of his computer, I want to try to at least make him as safe as possible. Any more thoughts on the info I've added?

#4 Grinler (Lawrence Abrams; Admin, 43,542 posts; Location: USA)

Posted 16 December 2005 - 04:36 PM

All good questions and anything I say would be entirely assumptions or guesses. Do you still have this file? If you did I can take a look at it and see if I can determine what it does.

#5 KDNeese (Topic Starter; Members, 8 posts)

Posted 21 December 2005 - 06:25 PM

I don't have the file anymore, as it was deleted when I ran the McAfee scan. However, I have a sneaking suspicion that if it is somehow connected with the HP software, there may be more problems. However, since we have Zone Alarm configured to block all of the HP software from calling out, I don't think there's a chance of downloading the program again. I notice, however, that since we got rid of the malware, the printer has been doing some strange things, such as attempting to print from the IMAP server rather than the downloaded email in Opera (which is only a POP3 account). I have never dealt with IMAP email accounts and so my knowledge is very limited as to why the printer has been trying to do this. It has never done it before. However, it could also be due to my father-in-law's unfamiliarity with the Opera browser. He's stuck with it, though, as I deleted his Internet Explorer icon from the desktop in an attempt to keep him somewhat safe. As long as he uses I.E. I always end up removing about 300 malware items from his computer (since Ad-Aware, Spybot, Ewido and MS Antispyware all seem to target different items). Anyway, if for some unknown reason this little friend of ours comes back (or something similar), I would be more than glad to send you whatever files you wish to examine. As far as I know, his computer is still running fine and it appears his security software program files are still intact.

Another tidbit of note - and I know this is only conjecture - but it still seems strange to me that this HP program was trying its best to avoid capture and kept fighting the antispyware when we tried to change the homepage back to his original desired setting. We also have Spywareguard installed, and for awhile it kept popping up incessantly alerting us that the home-page was being changed to that qus10.hpwis.com page. I ran HijackThis and it showed ONE entry with that hpwis mess. Later, after running a couple of antispyware programs, I ran HijackThis again and there were THREE entries under R01: qus10.hpwis.com, us10.hpwis.com, and another that I can't remember, but was similar and still had the hpwis.com server listed. I deleted all three of these entries with HijackThis (and this was BEFORE I had run McAfee and gotten rid of the file), and did not see them any more when I ran another HijackThis log later on. Also, after we got rid of the malicious file and all that good stuff I ran one more HijackThis log just for good measure, and all of the stuff it showed in the log were legitimate entries. I haven't been over to check his computer for over a week, but am going over there for Christmas dinner, so will check on it while I'm there. Also, if I find any discrepancies I will try to get those to you so you can look at them and see what you make of it. Thanks again.

#6 im_no_good_with_computers (Members, 213 posts)

Posted 21 December 2005 - 10:30 PM

Hey, I have a Compaq PC and in the hp folder it has the terminator thing. Should I delete it?
Oh, and under the description of the file it says "a ruthless killer of windows".
Hmm, I'm scared now.

Edited by im_no_good_with_computers, 21 December 2005 - 10:31 PM.


#7 KDNeese (Topic Starter; Members, 8 posts)

Posted 21 December 2005 - 11:37 PM

im_no_good_with_computers:

I wouldn't want to tell you to go ahead and delete it, as I did some research on the program and found in some cases it is a permanent file. One thing I would like to know, however - looking at the file in Windows Explorer, can you tell what date it was installed? In other words, was it installed the same date as the rest of the files under that particular folder, or does it show it as being installed at a later date? Also, do you run a firewall to where you can ascertain when a certain application attempts or actually does contact HP or another server? As far as the file itself, I ran several different antiviruses and none of them detected it. Avast free was installed on the computer (which the virus destroyed), and I ran a stand-alone version of NOD32 (the full version of which I run on my computer), McAfee Stinger, Avast Cleaner and Microsoft Malicious Malware Remover. None of them found it. It was only after I ran the McAfee stand-alone scanner (from the Edskes Mirror Site), which runs in DOS mode, that it was detected - it tagged the file as a "KillApp" and deleted it. Also, which folder is it under? Is it under the c:\hp\bin\ folder? It does seem rather strange that the description itself tags itself as a "Killer of Windows." I know on my father-in-law's computer it ate right through the program files of several antispyware programs. It didn't affect Ewido, since Ewido runs at the kernel level and can actually repair its own files. It also didn't seem to affect the Microsoft Antispyware, Ad-Aware or Spybot Search & Destroy files, although it locked them all up as they were scanning. Grinler was asking me if I could send him the file so he could test it. Since the file was deleted, I don't have it any more. That being the case, he would probably be very interested in taking a look at the file you have on your computer.
Also, if you have software support with your HP products, I personally would email them and ask them what the heck that program was doing on my computer! I don't know whether it was the program itself or if somehow a virus attached itself to the file during a download - but I do know that after McAfee deleted the file, the problems stopped. You might want to do some more research on the file before you delete it. If it turns out that you need to delete it, I would download the McAfee scanner from the following site: http://home.hccnet.nl/h.edskes/mirror.htm It was the only one of the antiviruses that detected and deleted it. I'm generally not a big McAfee fan, but in this case I have to give them their due.

Another curiosity question: Along with this file, have you had any instances of browser redirection? Also, have you run any HijackThis or other scans to see if it shows unwanted BHOs or browser hijacks? I would be interested to see if you have the same symptoms as my father-in-law's computer. The ironic thing is that I loaded the Opera browser on his computer, and the hijacker apparently could only operate with Internet Explorer, so even though it had hijacked the IE browser, it was having no effect on his web surfing. Anyway, I look forward to hearing what similarities there are between his problems and what you are experiencing.

#8 KDNeese (Topic Starter; Members, 8 posts)

Posted 21 December 2005 - 11:47 PM

Correction on my last post. I said in the first line that in some cases the terminator.exe was a "permanent file." Don't know why I typed that. I meant to say that in some cases it was a "legitimate" file. Also, I forgot to mention that at the Edskes mirror site you can download a stand-alone version of NOD 32 (although it's not usually as current) as well as the McAfee scanner. I personally like to have several stand-alone scanners to catch what other antiviruses might not. Also, be aware that with the McAfee stand-alone scanner you cannot set any preferences, so if it finds something it thinks is nasty, it will delete it. Case in point is that when it deleted the terminator.exe program, it also deleted a legitimate DLL file that pertained to another program. At least with the NOD32 scanner you can set the same preferences as the regular version.

#9 Grinler (Lawrence Abrams; Admin, 43,542 posts; Location: USA)

Posted 22 December 2005 - 12:56 AM

If you can submit the terminator file to http://www.bleepingcomputer.com/submit-malware.php that would be great.

#10 im_no_good_with_computers (Members, 213 posts)

Posted 22 December 2005 - 03:35 PM

OK, lemme see here. Yes, it was in my hp/bin folder. It does seem to be made around the same time as all the other programs, in the years between 1998-2001 or 02. I run the free Sygate firewall and it doesn't seem to show any suspicious program trying to get access. And I just recently, maybe a few weeks ago, removed a couple of things in a HJT log, but none of which had to do with that file. Although, I did have a lot of those http://qus10.hpwis.com
things but I experienced no redirections. But who knows, I never use IE, I only use Mozilla. I guess the terminator.exe file is dormant just waiting to be awakened, idk. Oh, and I'll try to submit it to you Grinler, but as you can tell by my name I'm not very smart :thumbsup:

#11 im_no_good_with_computers (Members, 213 posts)

Posted 22 December 2005 - 03:37 PM

OK, I sent the file.

#12 KDNeese (Topic Starter; Members, 8 posts)

Posted 23 December 2005 - 05:10 PM

im_no_good_with_computers said: "i did have a lot of those http://qus10.hpwis.com
things but i experienced no redirections. but who knows i never use ie i only use mozilla."

That is probably why you weren't redirected. The hijack only seems to work with Internet Explorer. Actually, it seems that all the crapola floating around the Internet seems to affect I.E. Guess that's why I quit using it a long time ago and use Opera, since it seems to be the least vulnerable browser around. I had also installed Opera on my father-in-law's computer, so the little hijacker was basically wasting its time. The only way we first observed the problem was because SpywareGuard kept coming up with a notification showing the qus10.hpwis.com redirection. It was after we attempted to remove the little fella with Microsoft Antispyware that the problems began and the computer began going haywire. I removed the entries with HijackThis and it took care of the redirection problem, but we had to go after the virus (or whatever it was) in order to get the computer back to normal. Also, I'm not familiar with Sygate (I tried it out but uninstalled it after it failed the stealth test at its own website) but use Kerio, so I'm not sure how permissions work in Sygate, but if these apps have permission to call out I don't know whether they would show up in the logs. Like I said, that is an assumption since I don't know how Sygate operates. With my father-in-law's computer nothing was attempting to make contact with the computer - it was the other way around - the Backweblite and other .EXE programs were attempting to connect every time he went online. Also, the fact that the terminator.exe program seems to be intentionally installed when the HP software was installed makes me really suspicious as to what is going on...

#13 im_no_good_with_computers (Members, 213 posts)

Posted 23 December 2005 - 06:46 PM

Ya, I got rid of backweb/compaq connections as soon as I got my hands on this computer. Let's just wait and see what Grinler says about the terminator file I sent him.

#14 Grinler (Lawrence Abrams; Admin, 43,542 posts; Location: USA)

Posted 25 December 2005 - 11:04 PM

I just tested that file. That file simply terminates processes or windows that are currently open. I do not think this is the file that is hijacking the IE.

#15 dan o'd (Members, 1 post)

Posted 17 January 2006 - 11:55 PM

After reloading an HP for the nth time, I got to poking around and came across the Terminator program in C:\hp\bin. I was concerned about this and did some checking, which led me to this site. As I didn't find a definitive answer here, I continued looking.
I found the answer in another forum and would like to share that answer with you. Long story, short, the Terminator kills processes as part of the reinstallation of software. For a complete explanation, see the creator's comments at:
http://www.artima.com/forums/flat.jsp?foru...t=15&msRange=15
Scroll down a bit and look for the posts by Matt Gerans.
His advice about being careful in the choice of names for programs could apply to other things as well.
Hope this helps you all.
dan o'd


//Mod edit to clean up reference link

Edited by KoanYorel, 18 January 2006 - 12:33 AM.
