Root kit, malfunctioning printer driver, or something else?

C:\WINDOWS\SYSTEM32\HPZinw12.exe suddenly started showing up in NIS History as constantly trying to access the Internet on Windows XP systems. I’m almost certain that this file is part of my network printer software but it is not the update component. The properties show the file as being developed by Hewlett Packard and I have and have had no other HP equipment connected to any of the equipment that I presently have. Both of my Windows XP systems have had this file and my Vista system has a file C:\WINDOWS\SYSTEM32\HPZinw12.dll.

In addition to the constant attempts to connect to the Internet by this executable file, my Windows XP desktop system displays a message when I shut it down. It says, "The application failed to initialize because the window station is shutting down". There is an OK button, in the message box, centered and below the message. The message box also has a darker colored title strip across the top that says, "HPZinw12.exe - DLL Initialization Failed". This message sometimes only appears once but sometimes it will appear several times before the system completely shuts down. Also, sometimes, there is a short beeping noise, on the desktop system, before the system completely shuts down. The same file suddenly started trying to access the Internet on the netbook but I was not getting the message or the beeping noise on the netbook.

This may not even be related but I thought I would mention it, just in case it is. For several days, last month, someone tried IP address spoofing attacks persistently on my network. They occurred about twice a day, every day, for about a week. The spoofing attacks consistently used the same IP addresses in each of the attempts and they were only a couple of numbers off in the last octet from hitting an actual address on my network.

I have the following networked equipment:

  • Older Dell Windows XP Home SP 3 desktop system with an older AIO printer directly connected and not shared
  • 64-bit Windows Vista Home Premium SP 2 laptop system
  • Windows XP Home SP 3 netbook system
  • HP Deskjet network printer, shared

Maybe I’m just being paranoid, maybe not, but something that suddenly starts needing Internet access that hasn’t before is suspicious to me. Something that needs excessive Internet access is even more suspicious to me. If I understand correctly, there are some root kits that affect system32 files. Then, it’s my understanding that root kits can trick Windows and your security software into thinking that everything is okay even when it’s infected. So, I’m not sure whether I have some sort of malware or if my printer software has somehow malfunctioned, but I would greatly appreciate some help in figuring this out.

This started around the last of November, about 2 or 3 days after the "out of band" Windows Updates on the first of my Windows XP systems. Then, about 2 or 3 days after it started happening on the first of my systems, it started happening on my second Windows XP system. I could be wrong but if this had something to do with the Windows Updates, I would have expected it to occur sooner. My maintenance records show that there were no printer updates before or around the time this happened and I don’t remember any.

I have run full scans with NIS 2010 multiple times, on different days, with updates. I’ve scanned in regular mode and safe mode. I have also scanned with the free versions of MBAM and SAS and also with Ad-Aware, which was installed on my netbook, with the real-time protection disabled. I downloaded and ran a full scan with the November Malicious Software Removal Tool. I scanned with the Microsoft Live OneCare online on-demand scanner. None of these applications have found anything, except that NIS and the adware scanners found a few tracking cookies, at first. After that, I tried restoring the netbook back to a restore point before this started happening, but restore failed. Then, I tried uninstalling the printer on the netbook. The file remained and continued accessing the Internet, despite the fact that the printer had been uninstalled. That really scared me. At that point, I backed up my netbook system and restored it to the "out of box" experience, since I use it frequently and have no substitute for the size and mobility of it. The netbook system seems to be fixed but I haven’t installed the printer back on it yet.

I have no external optical drive for my netbook and I was unable to run the Norton Bootable Recovery Tool, on the netbook, before I restored it. Also, the DVD/CD ROM drive died on my older Windows XP desktop system a couple of years ago and I haven’t replaced it. The BIOS of the desktop system will not permit me to boot from the working optical drive, which is a CD RW drive, which also prevents me from running the Norton Bootable Recovery Tool on the desktop system.

I went ahead and ran Windows Update on the Windows XP desktop system on December 8th and Malicious Software Removal Tool ran with it and it didn’t notify me of it finding anything.

So, I’ve been using my Vista laptop and my Windows XP netbook and I have booted the Windows XP desktop system once every week or two to update and scan. I have been hoping that with the new updates and detections being added in NIS, MBAM, and SAS that if it were malware, it would eventually be found but so far, no such luck. Still not finding anything with the malware scanners, I finally decided to run GMER.

During my first attempt at scanning with GMER, I disabled NIS auto protect and ran GMER as an administrator from my limited user account. I left everything checked and it appeared to be finding some things, then it blue screened on me. The BSOD message said the problem seemed to be with kwloapob.sys. So, that’s why it blue screened on me but I don’t know what that is or if it has any meaning but I wrote it down just in case.

During my second attempt at scanning with GMER, I did the same except I unselected everything but files and registry and while the scan completed without incident, it found nothing.

During my third attempt at scanning with GMER, I selected system, services, files, and registry and the scan completed without incident and this time it found some things. However, some of those things appear to be related to Norton. I am not skilled enough to know but they may actually all be related to Norton. It’s my understanding that security applications hook into your system similar to what a root kit would, so I don’t know if that’s what it found. I have attached the latest GMER log.

If it’s malware, I will restore it from the restore partition but I want to confirm that it is malware, before I do that. Also, if it is malware, I would like to know what it is so I can learn more about it. If the system is infected, learning more about the infection could possibly prevent it from happening again, which is why I haven’t just gone ahead and restored it and destroyed any possible evidence of it on the remaining affected system.

I want to start using the desktop system again, so I really need to get this resolved.

I would greatly appreciate assistance with this.

Thanks!

Hi l_w:

The .sys file that you saw in GMER is GMER, so no need to worry about that one. If you had a rootkit on your system for over a month, you would be buried in lesser malware, like trojans, fake AVs, redirects, etc. While the rootkit can remain hidden lately from most scans, their activities are not.

From some Google searches, it would appear that the particular file of interest is a network driver.

"HPZinw12.exe (IEEE-1284.4-1999 Network Driver (Windows)) is an executable from the software HP Dot4Net Windows version 7.0.0 by HP."

You should be able to go into your program rules, locate the .exe and specifically block it from accessing the net.

During my third attempt at scanning with GMER, I selected system, services, files, and registry and the scan completed without incident and this time it found some things. However, some of those things appear to be related to Norton. I am not skilled enough to know but they may actually all be related to Norton. It’s my understanding that security applications hook into your system similar to what a root kit would, so I don’t know if that’s what it found. I have attached the latest GMER log.

For people who don't know how to read GMER: of course it should find Norton/Symantec, some CD/DVD burning software, backup products, etc.

Quads 

Message Edited by Quads on 01-07-2010 06:54 PM

Thanks for your replies and advice, Delphinium and Quads!

It not having any buddies along with it is what had me puzzled and doubting it was one of the recent root kits that I’ve read about, but you never know if there is something different or older, which only someone that deals with malware every day would know. If I’m not mistaken, the older root kits didn’t invite their buddies to join them, but sometimes bad coding gave them away, if they made the systems unstable. I was almost certain that some of the hooks shown by GMER were legitimate but I wasn’t sure if they all were. When in doubt, it’s best to get advice from more knowledgeable people. There are some very knowledgeable gurus on this forum, including you, Delphinium and Quads. :-)

I was pretty sure the file itself was part of my printer driver but I didn’t know if it had somehow been altered or replaced by something malicious. I can force it to stop accessing the Internet. However, not knowing exactly what part that particular file plays in the network printer’s function, doing that could also stop communication between the computers and the printer server and result in the printer not working.

I will have to install the printer software back on the netbook again, since I restored that system back to "out of box". Since you (Delphinium and Quads) don’t think it’s a root kit or anything malicious that I should be concerned about, I will install the printer software back on the netbook and see if the file starts accessing the Internet, on the netbook, again. It’s always possible that the driver was somehow corrupted by something non-malicious, such as some sort of software update. If the file doesn’t start connecting again after I install the software back onto the netbook, I’ll uninstall and reinstall the printer on the desktop system. Otherwise, I’ll go with Delphinium’s advice and try forcing the file to not connect to the Internet.

It’s always possible that HP is using that file to spy on its customers, which is very common with software, today. From what I understand, antimalware software doesn’t usually detect that sort of thing, since you have permitted it and it’s required for something legitimate, from a well known company. It always makes me a little uneasy when I have to disable my security software to install something, which this printer requires. But, what else are you going to do to get the printer working?

l_w:

It is apparently connected to a product updating utility for the printer.  This is a similar nuisance to Corel, and Adobe updating all the time.  They wanted more access to the net than I had.  I blocked them, and check for updates periodically myself.  Once you set it to blocked in the firewall, it is quite easy to go back into the rules and allow it again if you find that you need it.

Just for info, the older rootkits downloaded just as much malware, they were just much easier to find than these later ones.

It is good to be wary of anything that has access to the net.

delphinium wrote:

Hi l_w:

 . . . While the rootkit can remain hidden lately from most scans, their activities are not . . .

I'm surprised that rootkits can remain hidden. How likely is it that NIS 2010 would not even detect a rootkit? I'm not talking about removal, just detection.

car825 wrote:

delphinium wrote:

Hi l_w:

 . . . While the rootkit can remain hidden lately from most scans, their activities are not . . .

I'm surprised that rootkits can remain hidden. How likely is it that NIS 2010 would not even detect a rootkit? I'm not talking about removal, just detection.

I'm not surprised by that comment, as most people would say that: "I'm surprised that rootkits can remain hidden."
1. Not all rootkits are the same, just as not all trojans, viruses, adware, etc. are the same.
2. There would be no point in creating malware that is easily found by all PC users and removed.
3. Norton detects rootkits, like "Tidserv", "Hacktool.Rootkit", "Packed Generic 200" and so on.

Quads

Message Edited by Quads on 01-08-2010 12:07 PM

I think I got the printer and installed it sometime around June ‘09. HPZinw12.exe didn’t start connecting to the Internet like this until November, which is why I think the file has been changed or affected by something but I don’t know what.

I went in there, booted the Windows XP desktop system. I ran update for the printer and the file that is connecting and showing up in NIS History as the update component for the printer is HPWUCli.exe. The update file is not connecting excessively; it’s only connecting when it’s updating.

After that, I turned the printer on and let it get an IP address. After that, I blocked HPZinw12.exe in NIS firewall, under program access. Then, I tried to print something, to see what happened. When HPZinw12.exe is blocked, the computer won’t print and I get a message something to the effect that my computer thinks the printer has been turned off or disconnected. If I go back into NIS firewall and set the file back to auto, the printer prints, again. NIS firewall, under program access, does say HPZinw12.exe is a Windows IEEE network driver.

UH OH! When HPZinw12.exe is set to block, in program access, in NIS firewall, it is still filling my NIS History log with preparing to access the Internet. I rebooted the system just to see if it changed anything. I went back in to make sure it was still set to block, in program access and it was. Then, I looked at NIS History and it was still showing up in NIS History, as preparing to access the Internet excessively, despite being blocked.

It’s sort of like this driver/file has a mind of its own and shows up in my NIS History log no matter what. As I said earlier, uninstalling the printer software from the netbook didn’t eliminate the file or stop it from trying to access the Internet, either. But, I haven’t tried deleting the file or installing the printer software again to see if it would overwrite it.

[Attachment: NISFirewallProgramControl.JPG]

[edit: re-arranged pictures to correct page formatting]

Message Edited by Tim on 01-08-2010 03:41 PM
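The question running through the thread is whether the desktop's HPZinw12.exe is still the vendor's binary or has been altered, and reinstalling only answers that indirectly. The following script is an added example, not code from the thread or from HP or Norton: it compares the suspect file with a known-good copy (for instance from the freshly reinstalled netbook) by SHA-256 hash, Authenticode signature and version resource. It assumes PowerShell 2.0 or later is installed and that the clean copy has been placed at the assumed path in `$Reference`.

```powershell
# Added example, not from the thread: compare the suspect HPZinw12.exe with a
# known-good copy and inspect both. Assumes PowerShell 2.0 or later and that a
# clean copy (e.g. from the freshly reinstalled netbook) has been copied to
# the assumed path in $Reference; adjust both paths for your own machines.
$Suspect   = 'C:\WINDOWS\SYSTEM32\HPZinw12.exe'
$Reference = 'D:\known-good\HPZinw12.exe'   # assumed location of the clean copy

function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $hash = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

function Get-FileReport {
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    $item = Get-Item $Path
    New-Object PSObject -Property @{
        Path      = $Path
        Sha256    = Get-Sha256Hex $Path
        SigStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' })
        Company   = $info.CompanyName      # the "Hewlett Packard" shown in Properties
        Version   = $info.FileVersion
        Size      = $item.Length
        Modified  = $item.LastWriteTime    # compare with the late-November onset
    }
}

$a = Get-FileReport $Suspect
$b = Get-FileReport $Reference
$a, $b | Format-List Path, Sha256, SigStatus, Signer, Company, Version, Size, Modified

# Reading the result: identical hashes mean the desktop copy was not altered,
# so the traffic is the driver's normal behaviour (a question for HP, not for
# the AV); differing hashes with the same valid signer point to a version
# difference; a suspect copy that is unsigned or HashMismatch while the
# reference copy is Valid is the case to treat as tampered.
if ($a.Sha256 -eq $b.Sha256) {
    'Suspect file is byte-for-byte identical to the reference copy.'
} elseif ($a.SigStatus -ne 'Valid' -and $b.SigStatus -eq 'Valid') {
    'Suspect file differs and its signature is not valid: treat as tampered until shown otherwise.'
} else {
    'Files differ; compare Version and Signer above before drawing a conclusion.'
}
```

One caveat: if a kernel rootkit were intercepting file reads, a hash taken on the running system could itself be misled, which is why the GMER scan already used in the thread and an offline boot-disc scan remain the complementary checks.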

l_w -

Have you contacted HP about this? They may know what it is and be able to tell you whether it should be disabled or not.

Yeah.  It looks like I will be going to HP with this because I installed the printer back on my netbook and reinstalled it on my desktop and it’s still doing it even if I block it in the firewall.  It could become a security problem but I really don’t think it’s a malware problem.