Adware.HPDefender

Short bio

Adware.HPDefender is Malwarebytes’ generic detection name for a family of adware targeting Windows systems.

Type and source of infection

Adware.HPDefender is spread by bundlers. Its main focus is browser hijacking, using many different methods, including manipulating your browser(s) to change your startpage or searchscopes so that the affected browser visits their site or one of their choice.

Adware.HPDefender replaces many browser shortcuts and shows advertisements.

Protection

Malwarebytes blocks Adware.HPDefender using real-time protection.

block Adware.HPDefender

Malwarebytes blocks Adware.HPDefender

Remediation

Malwarebytes can detect and remove Adware.HPDefender without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  3. Then click Finish.
  4. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  5. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  6. When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  7. Restart your computer when prompted to do so.

Malwarebytes removal log

An example Malwarebytes removal log for a member of this family called QIPApp:

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/1/17
Scan Time: 9:11 AM
Log File: mbamQIPApp.txt
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.122
Update Package Version: 1.0.2064
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 333477
Threats Detected: 11
Threats Quarantined: 11
Time Elapsed: 1 min, 56 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
Adware.HPDefender, C:\USERS\{username}\APPDATA\ROAMING\QIPAPP\QIPAPP.EXE, Quarantined, [21], [403763],1.0.2064

Module: 1
Adware.HPDefender, C:\USERS\{username}\APPDATA\ROAMING\QIPAPP\QIPAPP.EXE, Quarantined, [21], [403763],1.0.2064

Registry Key: 2
PUP.Optional.ICLoader, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\QIPApp, Delete-on-Reboot, [652], [403803],1.0.2064
Adware.QIPApp, HKCU\SOFTWARE\QIPApp, Delete-on-Reboot, [9346], [390812],1.0.2064

Registry Value: 1
Adware.HPDefender, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|QIPApp, Delete-on-Reboot, [21], [403763],1.0.2064

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
Adware.HPDefender, C:\Users\{username}\AppData\Roaming\QIPApp\QIPApp, Delete-on-Reboot, [21], [396014],1.0.2064
Adware.HPDefender, C:\USERS\{username}\APPDATA\ROAMING\QIPAPP, Delete-on-Reboot, [21], [396014],1.0.2064

File: 4
Adware.HPDefender, C:\USERS\{username}\APPDATA\ROAMING\QIPAPP\QIPAPP.EXE, Delete-on-Reboot, [21], [403763],1.0.2064
PUP.Optional.ICLoader, C:\USERS\{username}\DESKTOP\4617463.EXE, Delete-on-Reboot, [652], [403803],1.0.2064
PUP.Optional.ICLoader, C:\USERS\{username}\APPDATA\ROAMING\QIPAPP\UNINSTALLER.EXE, Delete-on-Reboot, [652], [403803],1.0.2064
Adware.HPDefender, C:\Users\{username}\AppData\Roaming\QIPApp\QIPApp\qipApp8.exe, Delete-on-Reboot, [21], [396014],1.0.2064

Physical Sector: 0
(No malicious items detected)


(end)

Removal guides for other examples:

Related blog content

File-in-the-middle hijackers
Adware the series, part 1 (browser extensions)