Avast WEBforum

Other => Viruses and worms => Topic started by: willcook on August 25, 2010, 11:04:08 PM

Title: HP\BIN\EndProcess.exe
Post by: willcook on August 25, 2010, 11:04:08 PM
I could not find the answer to this question in my search of the forums:

I got a virus detected warning for EndProcess.exe when I ran a scan.  However, I cannot remove to chest or repair.  Is this because the file is actually not a virus, or is it a particularly difficult problem to fix.

Thanks.
Title: Re: HP\BIN\EndProcess.exe
Post by: Pondus on August 25, 2010, 11:15:41 PM
the file can be in use, have you tried avast boot scan?
http://sites.google.com/site/spg20scottsweb/home/avast-5-boot-time-scan

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
always update so you have latest database before you scan
click the remove selected button to quarantine anything found
you may post the scan log here if anything is found
Title: Re: HP\BIN\EndProcess.exe
Post by: Pondus on August 25, 2010, 11:18:59 PM
Prevx file info
http://www.prevx.com/filenames/764538377451594578-X1/ENDPROCESS.EXE.html
Title: Re: HP\BIN\EndProcess.exe
Post by: bcress on September 13, 2010, 06:14:04 PM
Quote from: willcook on August 25, 2010, 11:04:08 PM
I could not find the answer to this question in my search of the forums:

I got a virus detected warning for EndProcess.exe when I ran a scan.  However, I cannot remove to chest or repair.  Is this because the file is actually not a virus, or is it a particularly difficult problem to fix.

Thanks.

I ran a boot-time scan (selecting the option to "Move all to chest"), immediately after updating Avast and the virus definition file.  Upon booting up, I had a message in the lower right-hand corner of my screen.  It read as follows:

Windows Vista (TM)
Build 6002
This copy of Windows is not genuine

However, my copy of Windows is surely genuine, purchased new from Best Buy.  I checked the Avast Virus Chest to see what files were moved.  On this boot-time scan, the only file moved to the chest was C:\HP\BIN\EndProcess.exe (last changed 9/16/1999).  It was categorized by Avast as Win32:KillApp-W [PUP].  This file appears legit...why would Avast categorize it as a Potentially Unwanted Program?

With little working knowledge regarding viruses and anti-virus software, I am going to restore this file and reboot my computer per the following thread to see if the problem is remediated:  http://forum.avast.com/index.php?topic=51790.msg521118#msg521118

Any additional information or an official statement from Avast regarding this issue?

Edit:  Also of note...I have run the boot-time scan before without Avast moving EndProcess.exe to the Virus Chest.  Could this imply that the file has been modified despite indicating that it was last changed on 9/16/1999?  And yes, my Windows time and calendar are current.

Edit 2:  Just decided to shutdown and boot up normally rather than restore EndProcess.exe.  Sure enough, the "not genuine" message was no longer in the bottom right-hand corner of my screen.  I am not going to restore the file unless I hear otherwise, but I would still like some information regarding the file.  Thanks!
Title: Re: HP\BIN\EndProcess.exe
Post by: mkis on September 13, 2010, 07:58:06 PM
Are or were you also running Avira as a resident or even on demand scanner?
Mostly the KillApp detection is found by Avira where it is identified as APPL/KillApp.A and is considered a false positive unless rated as Fraudulent Software (an Avira categorisation - I dont use Avira so dont know much about the category).

That said, avast do have the categorisation Win32:KillApp-W [PUP], so we could have a similar type detection here from avast. Once detections have been made and definitions set, there is likelihood of overlap amongst different brand databases so regardless avira or avast, we are probably looking at much the same thing and possibly enough to upset Windows license or validation data. Mostly (I mean, lots and lots) with Avira, many users have even bought new licenses on account of the mixup. I'm unsure of the extent of the problem with avast. Perhaps they are following the Avira lead.

The best start point for sorting any license/validation error is to run the SFC /SCANNOW command
If you dont know how to do this --go to Start -> Run, then type 'sfc /scannow' (without the quotations) in the box provided and press OK.
Post the results here.


The HP file EndProcess.exe apparently refers to an application they need in the setup process and is detected by Avira because in the hands of an inexperienced user it may pose a problem. This would also tie in with the avast detection.
Title: Re: HP\BIN\EndProcess.exe
Post by: Chaul on September 15, 2010, 08:28:11 PM
Avast found this EndProcess.exe on my HP laptop a week ago too and I let it move the file to the chest. Avast did detect it as Killapp-something. Considering how much useless apps most laptops contain, I didn't think too much about it and just let the EndProcess stay in the chest. This was on Windows 7 32b.
Title: Re: HP\BIN\EndProcess.exe
Post by: DavidR on September 15, 2010, 09:18:49 PM
Based on the location alone, HP\BIN\EndProcess.exe isn't this jusy one of the tools that HP use if you happen to do a a restoration to factory settings. If so then it isn't an issue, what is, is that you and others have chosen to scan for pups and not appreciated a) what a PUP is and b) the type of things that could be classed as a potentially unwanted program.

Quote from: bcress
It was categorized by Avast as Win32:KillApp-W [PUP].  This file appears legit...why would Avast categorize it as a Potentially Unwanted Program?

Since the EndProcess.exe file can be used to end/kill processes, it is a tool which can be used for good or evil purposes, an AV can't determine intent. If someone else installed this without your knowledge (not HP) then it would be unwanted, but having been installed by HP it is a tool which you may require if you do an HP restore, etc.

So if it is in the c:\HP\Bin location you want to keep it, so need to exclude it from on-demand scans, either that or stop doing custom scans searching for PUPs.
Title: Re: HP\BIN\EndProcess.exe
Post by: vander1 on April 22, 2011, 06:10:28 PM
I have just recently brought a hp laptop have avast antivirus have done boot scan and found end process.exe is infected with win32 killapp-w [PUP] no need to panic i have found it either comes in with hp games as i installed a game in hp games called crazy cart 2 avast found files it found harmfull i let it in and uninstalled from where it went to did a recovery
and found this virus later on 1 of 2 sinarios it either came in with the hp game or it was pre loaded when i brought hp system to fix all u have to do is put to chest as i have system runs fine no errors hope this helps
Title: Re: HP\BIN\EndProcess.exe
Post by: DavidR on April 22, 2011, 06:20:53 PM
It normally comes with the HP recovery data, in c:\HP\bin, or something like that, what was the location ?

It isn't a virus, as the suffix [PUP] Potentially Unwanted Program implies. This is a tool used to kill applications (killapp) and is a tool that can be used for good or evil and your AV is not making that determination.

What I find strange is that it is being detected at all as scanning for PUPs isn't enabled by default. So it looks like you have been tweaking avast or its scan settings without knowing the possible effect.
Title: Re: HP\BIN\EndProcess.exe
Post by: Navvy on December 17, 2011, 01:44:42 AM
I've just installed Avast, then did a boot-time scan. It detected EndProcess.exe in C:\hp\bin infected with Win32:KillApp-W[PUP].

Avast is using default settings, as this computer did not previously have avast on it.

The boot-time scan also found the same infection in one of the System Restore points.

Seems surprising that this is still a problem after so long.

Should I report it as a false positive?
Title: Re: HP\BIN\EndProcess.exe
Post by: Pondus on December 17, 2011, 01:49:25 AM
PUP is not false positive as it is not virus
http://searchsecurity.techtarget.com/definition/PUP

it is just telling you that you have a program that can be used for good or bad, depending on what it can do and who installed it
Title: Re: HP\BIN\EndProcess.exe
Post by: Navvy on December 17, 2011, 02:05:39 AM
OK, I've added it as an exclusion instead. If it normally never gets run, then it won't matter if it one day gets infected with something else.
Title: Re: HP\BIN\EndProcess.exe
Post by: punar on February 06, 2012, 10:15:48 AM
According to the site Pondus linked to, "PUPs include spyware, adware, and dialers, and are often downloaded in conjunction with a program that the user wants.".
EndProcess is neither a spyware, adware or dialer, and was not downloaded by the user, but came pre-installed with the os. So it's not a PUP and, as long as it's still the original file from HP, it's therefore a false positive.
Title: Re: HP\BIN\EndProcess.exe
Post by: AU4U on February 06, 2012, 12:57:06 PM
Quote from: willcook on August 25, 2010, 11:04:08 PM
I could not find the answer to this question in my search of the forums:

I got a virus detected warning for EndProcess.exe when I ran a scan.  However, I cannot remove to chest or repair.  Is this because the file is actually not a virus, or is it a particularly difficult problem to fix.

Thanks.

Dude, I have an HP HDX 18-1374CA with the HAD same issue.
This is a false positive, the "Endprocess" part is being detected as part of malware.
This file is needed for your HP OEM programs.

Do as I did,
Exclude the file from Quick and Full System scans.
From 'SETTINGS>EXCLUSIONS> add the file here as well,
ALSO, add your Back Up Location here as well, this will stop it from being detected every timr you do a "Full Scan".



Title: Re: HP\BIN\EndProcess.exe
Post by: DavidR on February 06, 2012, 03:06:52 PM
It isn't a false positive as it is classed as a PUP (when you search for PUPs expect strange/unusual results), based on what it does (Ends Processes), so can be used for good or evil is why it is flagged as a PUP. An anti-virus program can't determine intent, that is something that only the user can determine.

The user has to know enough about their system, the files on it and what they do to determine if it is A) legit, B) something that they installed or C) would be installed by the manufactures, etc.

These are some of the very reasons why scanning for PUPs isn't enabled by default as most users don't know what a PUP is and even if they did may be unable to make the determination if it is legit or not.

Not included in this general definition by many PUP definitions are tools which can be used for good or evil, some have been legitimately installed for a specific good purpose, but could have been unknowing installed for a malicious purpose. In which case it would be considered unwanted.

Not all antivirus programs scan for PUPs and some will have a different definition on what falls under the heading PUP, avast has it turned of by default (an exception being the boot-time scan). So if you get this you have been tweaking the avast settings without knowing what the impact might be.

####
So for me the question based on the above is should there be an exclusion made or should the user be scanning for PUPs when the default setting is not to.
Title: Re: HP\BIN\EndProcess.exe
Post by: AU4U on February 07, 2012, 12:00:47 PM
OOPS, my bad,,,,, :P
Its a PUP, not a FP...........
You still need this for OEM programs,
Soooo,,,,
Don't forget to exclude it in the 2 locations and in your B/U file as well.
Title: Re: HP\BIN\EndProcess.exe
Post by: DavidR on February 07, 2012, 02:12:56 PM
As I said why exclude, decide if they want to scan for PUPs against the default settings.

Or they may be likely to get detections/decisions like this in the future that user has to know what they might be.
Title: Re: HP\BIN\EndProcess.exe
Post by: lakrsrool on July 12, 2012, 06:17:18 PM
Quote from: DavidR on April 22, 2011, 06:20:53 PM
It normally comes with the HP recovery data, in c:\HP\bin, or something like that, what was the location ?

It isn't a virus, as the suffix [PUP] Potentially Unwanted Program implies. This is a tool used to kill applications (killapp) and is a tool that can be used for good or evil and your AV is not making that determination.

What I find strange is that it is being detected at all as scanning for PUPs isn't enabled by default. So it looks like you have been tweaking avast or its scan settings without knowing the possible effect.

I have not "tweaked" Avast for ANY settings but still the full scan DID apparently scan for PUPS.

How can a user change this setting which appears to be the "default" even though you do not believe it to be this?
Title: Re: HP\BIN\EndProcess.exe
Post by: DavidR on July 12, 2012, 06:23:32 PM
The default action is NOT to scan for PUPs, so someone has changed this setting.

Full System Scan > Settings > Sensitivity PUP and suspicious files section 'Scan for potentially unwanted programs (PUPs).
Title: Re: HP\BIN\EndProcess.exe
Post by: true indian on July 12, 2012, 06:25:29 PM
I remember this was picked up when i installed avast for first time and ran a quick scan but it didnt cause any issues with windows activation etc... :)
Title: Re: HP\BIN\EndProcess.exe
Post by: lakrsrool on July 12, 2012, 06:54:02 PM
Quote from: DavidR on July 12, 2012, 06:23:32 PM
The default action is NOT to scan for PUPs, so someone has changed this setting.

Full System Scan > Settings > Sensitivity PUP and suspicious files section 'Scan for potentially unwanted programs (PUPs).

I am the ONLY USER and I know for a fact that I have never changed ANY settings on Avast.  Under the circumstances it would HAVE TO BE THE DEFAULT SETTING in my case. I don't even know HOW to make this change actually.

Can you tell me how I can change it back?

I do not know where to find "Full System Scan" in your path that you posted above.

Thanks.
Title: Re: HP\BIN\EndProcess.exe
Post by: lakrsrool on July 12, 2012, 07:06:01 PM
Quote from: lakrsrool on July 12, 2012, 06:54:02 PM
Quote from: DavidR on July 12, 2012, 06:23:32 PM
The default action is NOT to scan for PUPs, so someone has changed this setting.

Full System Scan > Settings > Sensitivity PUP and suspicious files section 'Scan for potentially unwanted programs (PUPs).

I am the ONLY USER and I know for a fact that I have never changed ANY settings on Avast.  Under the circumstances it would HAVE TO BE THE DEFAULT SETTING in my case. I don't even know HOW to make this change actually.

Can you tell me how I can change it back?

I do not know where to find "Full System Scan" in your path that you posted above.

Thanks.

OK I found where.

And the PUP option is UNCHECKED.

So you are correct that is the "default setting"

But Avast still found that the "EndProcess.exe" PUP when I did a "full scan".

So apparently when you've been suggesting people are changing this setting because this PUP is found it is not the "setting" that has been changed but Avast is looking for and finding this PUP ANYWAY even though the "Scan for PUPS" is NOT CHECKED!!!!

It would appear to be an issue with Avast.
Title: Re: HP\BIN\EndProcess.exe
Post by: DavidR on July 12, 2012, 07:40:13 PM
Please stop posting in multiple topic, I can't keep up with the same questions and I have no idea why your Full System Scan is detecting PUPs when scan for PUPs isn't checked. But I can't see your settings of your scan as I'm sure there are other options which may still scan this (e.g. Scan All files).

I certainly haven't seen this where others with their settings on defaults get PUP detections.
Title: Re: HP\BIN\EndProcess.exe
Post by: lakrsrool on July 12, 2012, 08:13:52 PM
Quote from: DavidR on July 12, 2012, 07:40:13 PM
Please stop posting in multiple topic, I can't keep up with the same questions and I have no idea why your Full System Scan is detecting PUPs when scan for PUPs isn't checked. But I can't see your settings of your scan as I'm sure there are other options which may still scan this (e.g. Scan All files).

I certainly haven't seen this where others with their settings on defaults get PUP detections.

Sorry, I thought I was only posting  it two threads, one on how to restore the PUP from the chest as well as whether or not the PUP was a problem and the other thread on why the PUP was scanned in the first place.

You have posted that the Full System Scan > Settings > Sensitivity PUP and suspicious files section 'Scan for potentially unwanted programs (PUPs) needs to be UNCHECKED.

Here are my Sensitivity Settings (PUP is unchecked) attached I  will post the Scan Parameters setting which does NOT have "Scan All Files" checked either on my next post since both together are to large according to the board.

The main point is I've NEVER changed ANY DEFAULT settings yet Avast DID Scan for PUP's which I think you are saying should NOT happen if I've NEVER changed ANY settings.
Title: Re: HP\BIN\EndProcess.exe
Post by: lakrsrool on July 12, 2012, 08:16:47 PM
Here is the Scan Parameters setting which does NOT have "Scan All Files" checked.

So both the Sensitivity and the Parameters settings would not account for Avast scanning for PUPS.

The main point is I've NEVER changed ANY DEFAULT settings yet Avast DID Scan for PUP's which I think you are saying should NOT happen if I've NEVER changed ANY settings.
Title: Re: HP\BIN\EndProcess.exe
Post by: DavidR on July 12, 2012, 09:00:42 PM
I can't see why it would detect it, as I said if the scan for PUPs is off and if Scan All files is also off. I can see no logical reason why it would scan it and even if it did scan it I would think it wouldn't be using the PUP signatures.

I certainly haven't seen and instance of this in the forums, nor have I experienced it.
Title: Re: HP\BIN\EndProcess.exe
Post by: lakrsrool on July 13, 2012, 04:17:12 AM
Quote from: DavidR on July 12, 2012, 09:00:42 PM
I can't see why it would detect it, as I said if the scan for PUPs is off and if Scan All files is also off. I can see no logical reason why it would scan it and even if it did scan it I would think it wouldn't be using the PUP signatures.

I certainly haven't seen and instance of this in the forums, nor have I experienced it.

I've posted my settings for scanning PUPs and Scan All files and we can see they are both UNCHECKED. Which btw, is what we would expect since I've NEVER changed any scanning settings for Avast at ANY TIME and "unchecked" is the DEFAULT setting.

Here is the contents of my Virus Chest and as we can see it contains the PUP application "EndProcess.exe".

So I guess we can now say we HAVE seen an "instance of this" at this time.

And I guess since there is no explanation I'd have to conclude Avast DOES scan for PUPs even with the settings set to NOT scan for PUPs apparently.

Thanks for all the help David, I can deal with the scanning conundrum by "excluding" the program as you had suggested. 

That said, it is bewildering however that this is occurring in the first place however.  And of course your assumption in the past that people have changed the scanning "default" settings that produced this phenomena is apparently not the answer in at least some and probably most cases.
Title: Re: HP\BIN\EndProcess.exe
Post by: lakrsrool on July 13, 2012, 07:23:08 AM
^ David,

I hope you've read my post above for context.  After I posted that I thought of something.  Going over exactly what happened: I did a FULL SYSTEM SCAN which found the first item listed in the Virus Chest (arg178012.exe).  After the "FULL SCAN" I was recommended by Avast to do a "boot scan" (called something like that), so I said "OK" to that and Avast did a scan on boot-up which found a number of problems one of which apparently was the second item in the Virus Chest "EndProcess.exe".  (I'm not sure why more things didn't show up in the Virus Chest because there were a lot of problems found on the "boot-up scan").  I had been asked what to do on one of the items found and I requested it be moved to the Virus Chest.  After that I was asked again but it did not seem to do anything so I said to "delete" items instead.  One way or the other I ended up with the "EndProcess.exe" in my Virus Chest along with the other item found on the regular "Full System Scan" earlier.

So I was wondering if the "boot-up scan" that Avast does might actually check PUPs even though this type of scan is UNCHECKED.   Possibly for THIS specific type of scan IS UNIQUE (boot-up scan) thus the settings are ignored and ALL Files are scanned even if this option is NOT CHECKED.

Is this possible?
Title: Re: HP\BIN\EndProcess.exe
Post by: Pondus on July 13, 2012, 07:31:43 AM
i was just about to ask about that yesterday   sure it was a full scan and not a bootscan....anyway that explains it..... in Boot Scan PUP is default ON.


Quote
  (I'm not sure why more things didn't show up in the Virus Chest because there were a lot of problems found on the "boot-up scan")
what things......scan errors...if so they are not detections so have nothing to do in the chest
Title: Re: HP\BIN\EndProcess.exe
Post by: lakrsrool on July 13, 2012, 08:26:58 AM
So then you are saying that on "boot scans" the PUP setting is ignored even if unchecked and PUPs are always scanned for?

I don't recall what all the stuff that was listed was but there were a whole bunch of messages during the "boot scan" that appeared to me to be problems with my computer in some way or another.  If this is recorded anywhere I'll be happy to produce it.

I recall that I was asked what to do and I replied with "move to chest" but then I was later asked again and requested the same thing be done but for some reason I concluded that this was not the correct response so I replied with "delete".  There was way to much information for me to recall because it was numerous message lines that displayed during the entire scan and I don't recall why I changed my reply either.

All I can know for sure is my Virus Chest ended up with what you see there in my attachments.

I have attached to Scan Logs.

I am unable to attach the specific "boot scan" because of size constraints so I'll post this on my next post.


Title: Re: HP\BIN\EndProcess.exe
Post by: lakrsrool on July 13, 2012, 08:30:24 AM
^ Follow-up to attach the specific "boot scan" results:


I selected the "boot scan" on the Scan Log (see on prior page) and attached the "view scan" for the "boot scan log" which I presume is showing all that was found on the "boot scan".  Just the top item listed (EndProcess.exe) was put in the Virus Chest.  The other three items listed I would presume have been "deleted" I guess.  I'm not sure why all are listed as "deleted" since the "EndProcess.exe" was in the Virus Chest however.  It's all confusing to me, it seems to me I had a lot more messages displayed than just this number of problems.

This is the first time I've ever done a "boot scan" and I think it is probably the first time I've done ANY scan on this one year old computer actually.

I have to assume that these 3 items other than "EndProcess.exe" (which should be left alone) are some form of "maleware" of some kind and thus SHOULD BE DELETED?  I have to trust that Avast will get things right at least the vast majority of times and won't be taking out stuff that I need.  I'm also assuming that the "arg178012.exe" found on the "regular scan" (see previous page) was something that should be removed as well.

Thanks for the help.
Title: Re: HP\BIN\EndProcess.exe
Post by: DavidR on July 13, 2012, 11:45:52 AM
Quote from: lakrsrool on July 13, 2012, 08:26:58 AM
So then you are saying that on "boot scans" the PUP setting is ignored even if unchecked and PUPs are always scanned for?
<snip>

The boot-time scan has its own settings (PUPs and Archive files are scanned by default) when you schedule it you can change the settings.

So if you were doing a boot-time scan, the confusion arises on your calling it a Full scan, when there is a Full System Scan as a pre-defined scan for normal windows mode and as you have seen that has PUPs disabled by default. This setting doesn't apply to boot-time scans.