Spyware, Viruses, & Security forum

General discussion

Nov.1st Avira Update: False Pos. for HP?

I had a look at Avira Forum but no mention of this.
Scanned today (Nov.2nd) using Nov.1 updated def file.
Heuristics for "scan" at Medium ("Guard" set for High).

Traditionally (8 months w/ Avira) their scan shows NO Objects & 3 "warnings" about files unable to open, always the same 3 incl. sys page file.
Tonight got 10 findings of adware gen. all in HP files & sys.restore files.
Note: There has been NO Contact by this machine to HP Home for 2 years & no new HP files added. Further, Full daily scans w MBAM & SAS & 2 T /week full scans w/ Avira have never flagged these files. First Flag after Nov.1st defs added. False positives?? Here's report. Sandy Confused

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '53' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\hp\drivers\printers\deskjet\hpzglu08.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b69aaa0.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\hp\drivers\printers\deskjet\hpzglu09.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4a054751.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\hp\drivers\printers\deskjet\util\common\hpfpdi09.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b55aab3.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\hp\tmp\src\psptr\hpzglu09.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b69aab4.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hpzglu09.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b69acf9.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\Swsetup\MSWorks\REDIST\IE6\TEMPFILE.CAB
[0] Archive type: CAB (Microsoft)
--> msoe.hlp
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP397\A0066923.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b1fb1a1.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP397\A0066924.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4a777f72.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP397\A0066925.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b1fb1a3.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP397\A0066926.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4a777f74.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP397\A0066927.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b1fb1a5.qua' ( QUARANTINE )
[NOTE] The file was deleted!


End of the scan: Monday, November 02, 2009 23:39
Used time: 46:39 Minute(s)

The scan has been done completely.

4966 Scanned directories
349830 Files were scanned
10 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
10 files were deleted
0 Viruses and unwanted programs were repaired
10 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
349819 Files not concerned
10636 Archives were scanned
3 Warnings
11 Notes
37776 Objects were scanned with rootkit scan
0 Hidden objects were found

Machine behaving normally (no printers attached since new). What do you think? Thanks in advance. Grin

C:\hp\drivers\printers\deskjet\hpzglu09.exe

In reply to: Nov.1st Avira Update: False Pos. for HP?

What is hpzglu09.exe?
hpzglu09.exe is an executable from the software HP DeskJet version 2.245.0 by HP. hpzglu09.exe version 2.245.0 has a file size of 270,336 bytes, and is most commonly found under the directory "photosmart 7760" with a creation date of January 14, 2006. This is not a known spyware, adware, or trojan executable. The HP DeskJet software contains drivers for Hewlett-Packard DeskJet printers.

http://processlist.com/info/hpzglu09.html


I found a thread at Avira Antivir:

"Yes, I also think that it's a false positive."

False Positive

Friday, October 30th 2009, 1:57pm

http://forum.avira.com/wbb/index.php?page=Thread&threadID=100775

Thanks So Much, Lady M! I Thought

In reply to: C:\hp\drivers\printers\deskjet\hpzglu09.exe

it must be. When I entered the item in their search at the forum 3 different ways & all came back w/ no finding. Amazing that you could find! Thanks again. Guess I'll re-install from Quarantine later tonight.
Great help as always! LoveGrin Sandy

(NT) You Are Very Welcome, Sandy :)

In reply to: Thanks So Much, Lady M! I Thought

As Of Nov. 4TH Def. Update 6.185...

In reply to: Nov.1st Avira Update: False Pos. for HP?

false positives from HP drivers still not corrected! After restoring them all yesterday, updated & rescanned today & refound & quarantined
them all again! Sigh!

Also discovered, I can't add them to "ignore list", as option not offered unless I use Expert Interactive mode for scan which requires I spend the scanning hour sitting, watching & waiting for pop-up of detection due to "allow stopping of scan" & then can use "add to ignore list button".

Is there a better way? At this point, I just don't want to scan at all knowing the result in advance! Sigh! ConfusedSad

Did you have a look under....

In reply to: As Of Nov. 4TH Def. Update 6.185...

"Help":

Configuration :: Guard :: Scan
Exceptions
With these options you can configure exception objects for the Guard (on-access scan). The relevant objects are then not included in the on-access scan. The Guard can ignore file accesses to these objects during the on-access scan via the list of processes to be omitted. This is useful, for example, with databases or back-up solutions.

and

Configuration :: Scanner :: Scan
Exceptions
File objects to be omitted for the Scanner

The list in this window contains files and paths that should not be included by the Scanner in the scan for viruses or unwanted programs.

Please enter as few exceptions as possible here and really only files that, for whatever reason, should not be included in a normal scan. We recommend that you always scan these files for viruses or unwanted programs before they are included in this list!

Thanks, Lady M! Have Attempted To Do

In reply to: Did you have a look under....

in BOTH exception groups (Scanner & Guard) now but tried using \* to cover all beyond. Example I entered like this:
c:\hp\drivers\printers\deskjet\*
to try to cover several down that same path. Should this use w/ wild card * work ok? Confused

I know little to nothing of path writing but hope that
all other FP findings containing the above path plus \ beyond (various) will be excluded as a group. Thanks again for your help! Sandy Grin

Sandy, why don't you........

In reply to: Thanks, Lady M! Have Attempted To Do

Virus

In reply to: Sandy, why don't you........

I have also been getting scan results like this :

[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen

Any ideas ?

Adware.gen

In reply to: Virus

Adware.gen

In reply to: Adware.gen

Thanks !! Yes it did !!

(NT) You Are Very Welcome :)

In reply to: Adware.gen

I Will Do That To Spur Them

In reply to: Sandy, why don't you........

on. I have 1/2 registered & will pick up mail author. after leaving here
and post and submit copies of some of the HP files for analysis. In my case they get removed to quarantine but I suspect HP (manuf) re-installs them at next boot if I don't. Let you know of any progress. Thanks! Sandy Wink

(NT) Okiedokie :)

In reply to: I Will Do That To Spur Them

Lady M: Thanks, Have Finished

In reply to: Sandy, why don't you........

registration and posted FP suspicion & have submitted the 3 HP files for further analysis waiting to hear back. Listed as under investigation.
Thanks again! Sandy LoveWink

Heard Back From SAS Labs...

In reply to: Lady M: Thanks, Have Finished

in a 2 day turn around (pretty good) and the results were:
2 files (of 3) "Clean" "no malicious content".
1 file "False Positive" no malicious content.

Not sure the difference but either way works for me!! Just F.Y.I.
Thanks again! Sandy WinkGrin

That Is Great News :)

In reply to: Heard Back From SAS Labs...

Thanks for letting us know Happy

I don't think they will be restored at boot.

In reply to: Nov.1st Avira Update: False Pos. for HP?

Operational drivers are in the windows-folders, so my guess is these are just install or setup files.

Rename them to something not scanned. My preference: change "exe" in "noexe" or in "exe.not". You might get a warning about changing extensions or filetypes, but that's OK.
If you still can print immediately after the rename, and also after a reboot, it's OK. If not, rename them back.

It's a poor man's way of excluding (unused!) files from a scan if for some reason it can't be done via the official way.

Kees

Thanks Mucho For The Tip, Kees!

In reply to: I don't think they will be restored at boot.

Useful thing to know. I don't actually have a printer attached to this
(current old printer uses large connector- NOT USB- which laptop doesn't
accept--gotta fix my desktop!). Yes they're HP setup files for Desk-jet printers rather than MS but they were also native to XP Pro & included in that OS. Still, if they're still in the next scan, I'll use your tip. Thanks again! Sandy Grin
