C:\WINDOWS\SYSTEM32\HPZinw12.exe suddenly started showing up in NIS History as constantly trying to access the Internet on Windows XP systems. I’m almost certain that this file is part of my network printer software but it is not the update component. The properties show the file as being developed by Hewlett Packard and I have and have had no other HP equipment connected to any of the equipment that I presently have. Both of my Windows XP systems have had this file and my Vista system has a file C:\WINDOWS\SYSTEM32\HPZinw12.dll.
In addition to the constant attempts to connect to the Internet by this executable file, my Windows XP desktop system displays a message when I shut it down. It says, "The application failed to initialize because the window station is shutting down". There is an OK button, in the message box, centered and below the message. The message box also has a darker colored title strip across the top that says, "HPZinw12.exe - DLL Initialization Failed". This message sometimes only appears once but sometimes it will appear several times before the system completely shuts down. Also, sometimes, there is a short beeping noise, on the desktop system, before the system completely shuts down. The same file suddenly started trying to access the Internet on the netbook but I was not getting the message or the beeping noise on the netbook.
This may not even be related but I thought I would mention it, just in case it is. For several days, last month, someone tried IP address spoofing attacks persistently on my network. They occurred about twice a day, every day, for about a week. The spoofing attacks consistently used the same IP addresses in each of the attempts and they were only a couple of numbers off in the last octet from hitting an actual address on my network.
I have the following networked equipment:
- Older Dell Windows XP Home SP 3 desktop system with an older AIO printer directly connected and not shared
- 64-bit Windows Vista Home Premium SP 2 laptop system
- Windows XP Home SP 3 netbook system
- HP Deskjet network printer, shared
Maybe I’m just being paranoid, maybe not, but something that suddenly starts needing Internet access that hasn’t before is suspicious to me. Something that needs excessive Internet access is even more suspicious to me. If I understand correctly there are some rootkits that affect system32 files. Then, it’s my understanding that rootkits can trick Windows and your security software into thinking that everything is okay even when it’s infected. So, I’m not sure whether I have some sort of malware or if my printer software has somehow malfunctioned but I would greatly appreciate some help in figuring this out.
This started around the last of November, about 2 or 3 days after the "out of band" Windows Updates on the first of my Windows XP systems. Then, about 2 or 3 days after it started happening on the first of my systems, it started happening on my second Windows XP system. I could be wrong but if this had something to do with the Windows Updates, I would have expected it to occur sooner. My maintenance records show that there were no printer updates before or around the time this happened and I don’t remember any.
I have run full scans with NIS 2010 multiple times, on different days, with updates. I’ve scanned in regular mode and safe mode. I have also scanned with the free versions of MBAM and SAS and also with Ad-Aware, which was installed on my netbook, with the real-time protection disabled. I downloaded and ran a full scan with the November Malicious Software Removal Tool. I scanned with the Microsoft Live OneCare online on-demand scanner. None of these applications found anything, except that NIS and the adware scanners found a few tracking cookies at first. After that, I tried restoring the netbook back to a restore point before this started happening but the restore failed. Then, I tried uninstalling the printer on the netbook. The file remained and continued accessing the Internet, despite the fact that the printer had been uninstalled. That really scared me. At that point, I backed up my netbook system and restored it to the "out of box" experience, since I use it frequently and have no substitute for the size and mobility of it. The netbook system seems to be fixed but I haven’t installed the printer back on it yet.
I have no external optical drive for my netbook and I was unable to run the Norton Bootable Recovery Tool on the netbook before I restored it. Also, the DVD/CD-ROM drive died on my older Windows XP desktop system a couple of years ago and I haven’t replaced it. The BIOS of the desktop system will not permit me to boot from the working optical drive, a CD-RW drive, which also prevents me from running the Norton Bootable Recovery Tool on the desktop system.
I went ahead and ran Windows Update on the Windows XP desktop system on December 8th and Malicious Software Removal Tool ran with it and it didn’t notify me of it finding anything.
So, I’ve been using my Vista laptop and my Windows XP netbook and I have booted the Windows XP desktop system once every week or two to update and scan. I have been hoping that with the new updates and detections being added in NIS, MBAM, and SAS that if it were malware, it would eventually be found but so far, no such luck. Still not finding anything with the malware scanners, I finally decided to run GMER.
During my first attempt at scanning with GMER, I disabled NIS Auto-Protect and ran GMER as an administrator from my limited user account. I left everything checked and it appeared to be finding some things, then it blue screened on me. The BSOD message said the problem seemed to be with kwloapob.sys. So, that’s why it blue screened on me, but I don’t know what that is or if it has any meaning; I wrote it down just in case.
During my second attempt at scanning with GMER, I did the same except I unselected everything but files and registry and while the scan completed without incident, it found nothing.
During my third attempt at scanning with GMER, I selected system, services, files, and registry; the scan completed without incident and this time it found some things. However, some of those things appear to be related to Norton. I am not skilled enough to know, but they may actually all be related to Norton. It’s my understanding that security applications hook into your system similar to what a rootkit would, so I don’t know if that’s what it found. I have attached the latest GMER log.
If it’s malware, I will restore it from the restore partition but I want to confirm that it is malware, before I do that. Also, if it is malware, I would like to know what it is so I can learn more about it. If the system is infected, learning more about the infection could possibly prevent it from happening again, which is why I haven’t just gone ahead and restored it and destroyed any possible evidence of it on the remaining affected system.
I want to start using the desktop system again, so I really need to get this resolved.
I would greatly appreciate assistance with this.
Thanks!