Solved

How to find out which process is using file HPB025.DLL?

Posted on 2007-08-01
Last Modified: 2013-11-22
Hi,
McAfee reports a virus in the file C:\windows\system32\HPB025.DLL (on Windows XP Pro). It cannot remove or delete it. So I also tried to rename this file in normal mode and in safe mode; it fails because the file is in use by another process.
The timestamp on the file is April 2, 2007.
Log entry from McAfee:
8/1/2007      10:13:01 AM      Move failed (Clean failed)       DOMAIN\user      IEXPLORE.EXE      C:\WINDOWS\system32\HPB025.dll      Downloader.gen.a (Trojan)
Q#1. Is this file a known virus? If yes, how dangerous is it?
Q#2. How do I find out which process is using this file when Windows says it is in use by another process?
Q#3. If it is a virus, how do I remove it?
Thanks.
Question by: richtree

22 Comments
 
Accepted Solution by gjutras (ID: 19612046):
Go to microsoft.com, search for the Sysinternals Suite and get Process Explorer (or the whole suite).

It's the Processes tab of Task Manager on steroids.

Use the menu to turn on the lower pane view. Use the menu again and set the lower pane view to DLL mode.

Then you can select iexplore.exe (also check explorer.exe) and find the DLL and break the handle on it (right-click on the DLL). You need to find all the handles to it and break them all; once they are all open, McAfee should be able to get rid of it.
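The accepted answer above does the lookup in the Process Explorer GUI. As an added example that is not part of the thread, the same question (which processes have the DLL mapped, and which hold a file handle to it) can be answered from the shell. It assumes Windows PowerShell 3.0 or later run elevated, that Sysinternals handle.exe is on PATH, and uses the DLL name from the thread; the sample output line in the comment is the tool's format reproduced here, not output from the asker's machine.

```powershell
# Added example (not from the thread): answers Q#2 from the shell instead of the
# Process Explorer GUI. Assumes Windows PowerShell 3.0+ run elevated and that
# Sysinternals handle.exe (https://learn.microsoft.com/sysinternals/downloads/handle)
# is on PATH. The DLL name is the one from the thread; change it as needed.

function Get-DllLoaders {
    # Processes that have $DllName mapped as an image (Process Explorer's "DLL" rows).
    param([Parameter(Mandatory)][string]$DllName)
    foreach ($p in Get-Process) {
        try {
            $hit = @($p.Modules | Where-Object { $_.ModuleName -ieq $DllName })
            if ($hit.Count -gt 0) {
                [pscustomobject]@{ Process = $p.ProcessName; Id = $p.Id; Kind = 'MappedImage'; Handle = ''; Path = $hit[0].FileName }
            }
        } catch {
            # Protected processes, or a process of the other bitness, refuse module enumeration.
            Write-Verbose ("module list unavailable for {0} ({1}): {2}" -f $p.ProcessName, $p.Id, $_.Exception.Message)
        }
    }
}

function Get-DllHandles {
    # Processes that hold an explicit handle to the file (Process Explorer's "Handle" rows).
    # handle.exe prints one line per match in this shape (constructed illustration):
    #   winlogon.exe       pid: 648    type: File          1C4: C:\WINDOWS\system32\HPB025.dll
    param([Parameter(Mandatory)][string]$DllName)
    $pattern = '^(?<proc>.+?)\s+pid:\s+(?<pid>\d+)\s+type:\s+(?<type>\S+)\s+(?<h>[0-9A-Fa-f]+):\s+(?<path>.+)$'
    foreach ($line in (& handle.exe -accepteula -a $DllName 2>$null)) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Process = $Matches.proc; Id = [int]$Matches.pid; Kind = "Handle/$($Matches.type)"; Handle = $Matches.h; Path = $Matches.path.Trim() }
        }
    }
}

function Close-DllHandle {
    # Forcibly closes one handle. The owning process is not told, so anything that still
    # uses that handle may misbehave; never do this in winlogon.exe, csrss.exe or lsass.exe.
    param([Parameter(Mandatory)][int]$ProcessId, [Parameter(Mandatory)][string]$Handle)
    & handle.exe -accepteula -c $Handle -p $ProcessId -y
}

# Usage: enumerate first, then close only handles held by processes you can afford to lose.
$target  = 'HPB025.dll'
$loaders = @(Get-DllLoaders -DllName $target)
$handles = @(Get-DllHandles -DllName $target)
$loaders + $handles | Format-Table -AutoSize
$handles | Where-Object { $_.Process -ieq 'iexplore.exe' } |
    ForEach-Object { Close-DllHandle -ProcessId $_.Id -Handle $_.Handle }
```

Two things worth knowing before reaching for Close-DllHandle: a row reported as a mapped image is not a handle at all, so no handle close can unload it; the DLL stays mapped until the process exits or the hook that loads it is removed and the machine rebooted. And closing a handle only helps when an explicit open (the "Handle" rows) is what blocks the rename or delete.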

Assisted Solution by abuckheit (ID: 19612059):

Sysinternals: Filemon
Process Explorer

Or this is great:
http://www.nirsoft.net/utils/opened_files_view.html

Author Comment by richtree (ID: 19612377):
Normally, Sysinternals File Monitor cannot find the process using hpb025.dll.
When I run the 'dir hpb025.dll' command, File Monitor shows the cmd.exe process requesting 'QUERY INFORMATION'.
When I run the 'ren hpb025.dll hpb025.dll.bak' command, the rename fails with the same error message. File Monitor shows cmd.exe requesting 'OPEN' C:\WINDOWS\system32\HPB025.dll, Result: SHARING VIOLATION, Other: Options: Open Access: 00110080.
Any ideas/advice on the above situation?
Thanks.
 
Assisted Solution by gjutras (ID: 19612503):
Use Sysinternals Process Explorer. You can do a Find and find all the exe's running the DLL. Then, one by one, you can click on them, find the DLL in the lower pane, make sure the view is in handle mode, and then right-clicking on the handles will allow you to close the handle to the DLL.

Author Comment by richtree (ID: 19612616):
Thanks. I will check it out later and post here.

Author Comment by richtree (ID: 19612664):
By the way, is HPB025.dll a known virus?

Expert Comment by gjutras (ID: 19616100):
It's not widely known, as Google returns no hits at all.

Author Comment by richtree (ID: 19617070):
OK, here is what I found:
When I boot into XP safe mode and normal mode, it reports the same 3 processes using the file at the moment:
Winlogon.exe, type=Handle, DLL or Handler=C:\windows\system32\HPB025.dll
winlogon.exe, type=DLL, DLL or Handler=HPB025.dll
explorer.exe, type=DLL, DLL or Handler=HPB025.dll
Note:
1. I am still unable to rename/remove the file.
2. I am not using Explorer at the moment.
3. There is no description, company name or version information for the file.
4. When I close the winlogon.exe process, Windows crashes and reboots.
Any advice on how to continue?

Assisted Solution by gjutras (ID: 19617155):
You must remove the handle from each of the 3; then you can delete the file. You can't close winlogon. It's not permitted, and you saw the behavior.
FYI, the desktop runs an instance of explorer, and that's why you see it; if you kill it, your taskbar goes away.
Once you've deleted it, go to the registry key hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify, look through each of the keys there, find the folder that calls that DLL and delete it. If you want to be able to get it back for safety, do a file export on the folder first.
If you delete this entry before you get rid of the file, the file will re-create the entry on you (damn ad/spyware).
Then go get Lavasoft's Ad-Aware Personal Edition (free) and Spybot Search & Destroy (free), run both of them and update both, then scan for problems and remove all your problems.

Author Comment by richtree (ID: 19617242):
When I right-click the 'winlogon.exe' process, all menu items are greyed out;
when I right-click 'hpb025.dll', I see only the 'Properties' and 'Search Online' menu items.
Can you show me how to 'remove the handle to each of the 3' processes?
Thanks.

Assisted Solution by gjutras (ID: 19617306):
Change the lower pane mode to handle mode; then when you right-click on hpb025.dll you get the Close Handle option.

Author Comment by richtree (ID: 19617458):
In XP safe mode:
I switched to handle mode and found 13 threads for explorer.exe:
Thread, explorer.exe(1704):1732
Thread, explorer.exe(1704):1740
......
When I right-click and choose Close Handle, it fails, saying 'The handle is invalid'.
Same result with the winlogon.exe process.
Now what?
Is it possible to boot the PC from CD into 'DOS' mode and remove the file? If yes, how?
Thanks a lot.

Assisted Solution by gjutras (ID: 19617618):
You need to do a Find and find hpb025.dll while in handle mode; then you should be able to get at its handles and close them.
Other than that, if Spybot and Ad-Aware can't get rid of it, then the best thing is a tool called ERD Commander, which allows you to boot to a CD-based OS that can write to the file system and has a regedit tool. It's no longer sold (Microsoft bought the company and stopped making it), so you'll have to find a copy to download somewhere.

Assisted Solution by gjutras (ID: 19618546):
You only want to close the handles to hpb025.dll, not the exe's running it or all the threads of the exe's running it.

Author Comment by richtree (ID: 19618674):
I search for hpb025.dll in DLL mode, note down the process number, then switch to handle mode, locate the handle by the process number, right-click it and choose 'Close Handle'. Is that right? If not, please write down the exact steps for me; I am new to Process Explorer.
Thanks.

Author Comment by richtree (ID: 19618786):
Now I found NTFSBoot from bootdisk.com and used it to boot up my PC. When I try to delete the file, I run into the following situation:
In the current directory, the 'dir' command sees the file HPB025.dll (which is a virus file). I type 'del HPB025.dll'; it prompts for confirmation and I enter 'y'; it returns 'File not found'. The 'dir' command sees that file again. Maybe I did it wrong.
Has anyone ever used NTFSBoot? Please let me know how to delete the file (in NTFSBoot).

Assisted Solution by gjutras (ID: 19618838):
Try reading this and then see if you can use it to clean your file.

http://www.codinghorror.com/blog/archives/000888.html

Assisted Solution by Jeff Brown (ID: 19619531):
That DLL is for an HP printer or printer monitor.
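Whether a file named like a vendor component really is one cannot be settled from the name; the asker's observation that the file carries no description, company name or version information is exactly the kind of evidence that decides it. As an added example that is not part of the thread, the script below gathers that evidence for one file. It assumes Windows PowerShell 4.0 or later (for Get-FileHash), uses the path from the thread, and the vendor pattern and verdict wording are this example's own.

```powershell
# Added example (not from the thread): collects the facts that decide whether a DLL
# named like a vendor file actually is one. Assumes Windows PowerShell 4.0+;
# the path is the one from the thread, the vendor pattern is an assumption.

function Get-DllProvenance {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        Created         = $item.CreationTime
        LastWritten     = $item.LastWriteTime
        CompanyName     = $item.VersionInfo.CompanyName      # empty for the file in the thread
        Description     = $item.VersionInfo.FileDescription
        FileVersion     = $item.VersionInfo.FileVersion
        SignatureStatus = [string]$sig.Status                # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Test-VendorFile {
    # Heuristic verdict. A hash lookup against the vendor's driver package or a
    # multi-engine scanner is the final word; the file name never is.
    param([Parameter(Mandatory)]$Provenance, [string]$VendorPattern = 'Hewlett-Packard|HP Inc')
    $companyOk = [bool]($Provenance.CompanyName -match $VendorPattern)
    $signedOk  = ($Provenance.SignatureStatus -eq 'Valid') -and [bool]($Provenance.Signer -match $VendorPattern)
    $verdict = if ($companyOk -and $signedOk) { 'consistent with a vendor file' }
               elseif (-not $companyOk -and -not $signedOk) { 'no evidence it is a vendor file; treat the name as a disguise' }
               else { 'inconclusive; compare the SHA256 against a known-good copy' }
    [pscustomobject]@{ CompanyMatches = $companyOk; VendorSigned = $signedOk; Verdict = $verdict }
}

# Usage
$info = Get-DllProvenance -Path "$env:SystemRoot\system32\HPB025.dll"
$info | Format-List
Test-VendorFile -Provenance $info
```

One caveat when reading the signature field: many genuine driver files of that era are signed through a catalog (.cat) file rather than embedded Authenticode, so Get-AuthenticodeSignature reports NotSigned for them too. A NotSigned result therefore only removes a reason to trust the file; the missing company name and description, plus the SHA256 compared against a known copy of the driver package, carry the weight.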

Author Comment by richtree (ID: 19619881):
I did have some HP printer drivers installed on this PC, but that was a long time ago. McAfee never complained about that file, so I am not sure whether HPB025.dll is a 'true' HP printer file.
I used the 'deltree' command to delete HPB025.dll, and McAfee does not complain any more.
When I searched the registry, I found two entries related to HPB025.dll:
HKEY-LM\software\classes\CLSID\{...}
HKEY-LM\software\Microsoft\Windows NT\currentversion\winlogon\notify\HPB025
Q#4. Does it still look like a virus?
Q#5. Can any virus make use of registry folders such as the above 'Microsoft...'?

Assisted Solution by Jeff Brown (ID: 19620008):
Anything that goes into the winlogon\notify section is suspect, because that's where a lot of malware reinfectors live. And any software can put things in any part of the registry it wants.

Assisted Solution by gjutras (ID: 19620023):
Any program can hook itself into the Winlogon Notify system (it's a favorite method of current ad/spyware); then it's really hard to get them out, as you're finding out. If it really were an HP file, I'd think that a Google search would find it. I suspect that it's just using the name hp..... to make it look like it's an HP file.
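The registry procedure from gjutras's earlier answer (find the Notify subkey that names the DLL, export it, delete it only after the file is gone) and the point made in the last two replies (anything under Winlogon\Notify deserves scrutiny) both come down to the same audit. As an added example that is not part of the thread, the script below performs it, and also locates the CLSID registration richtree found. It assumes an elevated Windows PowerShell 3.0 or later; the subkey and DLL names are from the thread, and the backup directory is an assumption.

```powershell
# Added example (not from the thread): audits Winlogon Notify registrations, backs an
# entry up before removing it, and finds COM classes served by the DLL. Assumes an
# elevated Windows PowerShell 3.0+; names come from the thread, $BackupDir is assumed.
# Winlogon notification packages exist only on Windows XP/2003; later Windows ignores
# this key, so a hit there is a leftover rather than an active hook.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyDlls {
    # One row per registered package, with its DLL resolved and checked on disk.
    foreach ($sub in Get-ChildItem -Path $NotifyKey -ErrorAction SilentlyContinue) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
        $resolved = $null
        if ($dll) {
            # A bare name is loaded from system32, like any DLL winlogon pulls in by name.
            $resolved = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path "$env:SystemRoot\system32" $dll }
        }
        $exists = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
        [pscustomobject]@{
            Subkey  = $sub.PSChildName
            DllName = $dll
            OnDisk  = $exists
            Company = if ($exists) { (Get-Item -LiteralPath $resolved).VersionInfo.CompanyName } else { $null }
        }
    }
}

function Backup-RegistryKey {
    # reg.exe wants the native key form (HKLM\...), not the PowerShell drive form.
    param([Parameter(Mandatory)][string]$KeyPath, [Parameter(Mandatory)][string]$OutFile)
    $native = $KeyPath -replace '^HKLM:\\', 'HKLM\'
    if (Test-Path -LiteralPath $OutFile) { Remove-Item -LiteralPath $OutFile }
    & reg.exe export $native $OutFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $native" }
}

function Remove-WinlogonNotifyEntry {
    # Export first, then delete. Do this only after the DLL file itself is gone (the thread
    # notes the package re-creates its key while it is still running), then reboot.
    param([Parameter(Mandatory)][string]$Subkey, [string]$BackupDir = $env:TEMP)
    $key = Join-Path $NotifyKey $Subkey
    Backup-RegistryKey -KeyPath $key -OutFile (Join-Path $BackupDir "WinlogonNotify_$Subkey.reg")
    Remove-Item -Path $key -Recurse
}

function Find-ClsidReferences {
    # COM classes whose in-process server is the DLL: the second registry hit richtree reports.
    param([Parameter(Mandatory)][string]$DllName)
    $needle = [regex]::Escape($DllName)
    foreach ($clsid in Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
        $srv = Get-ItemProperty -Path "$($clsid.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)' -match $needle) {
            [pscustomobject]@{ Clsid = $clsid.PSChildName; InprocServer32 = $srv.'(default)' }
        }
    }
}

# Usage
Get-WinlogonNotifyDlls | Format-Table -AutoSize
Find-ClsidReferences -DllName 'HPB025.dll'
# Remove-WinlogonNotifyEntry -Subkey 'HPB025'   # after the file is deleted; reboot afterwards
```

Reading the audit: a Notify package whose DLL has no company name, or whose DLL is missing from disk entirely, is the row to investigate; the legitimate XP packages (for example the ones shipped with Windows itself) all resolve to files in system32 that carry Microsoft version information. Because winlogon.exe loads every registered package at boot, the order in the thread matters: delete the file first, remove the key second, reboot third.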

Author Comment by richtree (ID: 19620082):
Thank you all for your creative advice.