What is Win32/Hopee

Win32/Hopee.W is a trojan downloader that communicates with a remote web server in order to send information about the compromised system and to download additional malware.

Win32/Hopee Modifies Firewall Settings / Evades Firewall

Win32/Hopee disables the Windows Firewall so that the files it downloads and executes are not blocked. It does this by setting the following registry value:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = dword:00000000

Hopee also adds its own executable to the firewall's Authorized Applications list so that the exception survives if the firewall is turned back on. The last field of the value is the display name shown in the firewall's exceptions list, so the entry masquerades as the legitimate "DHCP Client":

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\<trojan executable> = "<trojan executable>:*:Enabled:DHCP Client"

Additionally, it terminates the third-party firewall Outpost Firewall Pro if it is running.

Win32/Hopee Downloads and Executes Arbitrary Files

At the time of publication, Win32/Hopee.W downloads and executes the following malware from IP address 78.109.16.218:

scan.exe – CA detects this file as Win32/FakeAlert.GY
robo1.exe – CA detects this file as Win32/Sipay.M

Win32/Hopee also Steals Sensitive Information

Win32/Hopee.W connects to the locations below:

78.109.16.218
zs0.info
v9j.info

and sends the following information about the infected system:

  • Windows operating system version
  • Infection ID
  • IP address
  • Port opened by the trojan
  • Trojan version

Win32/Hopee Replaces Legitimate Files

Win32/Hopee.W overwrites the executables of randomly chosen active services with a copy of the dropped file "<random letters>.syz". The service name and its registered path are left unchanged, so only the file contents differ from the original. CA Anti-Virus solutions detect this file as Win32/Hopee!generic.

For example, Hopee may replace the executable of the Telnet service, which is registered under the registry key below:
HKLM\System\CurrentControlSet\Services\TlntSvr
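The following read-only triage script is an added example (it is not from the original page or from CA) that checks a host for the indicators described in the firewall, downloader and service-replacement sections above. It assumes Windows PowerShell 5.1 or later, an elevated session, and that catalog-signed system files report a Valid Authenticode status (true on Windows 8 and newer; on older hosts, use "sfc /verifyonly" for the service-file check). The function name Find-HopeeIndicators and the helper Test-Signed are this example's own names.

```powershell
# Win32/Hopee triage (added example; not from the original page or from CA).
# Read-only: reports indicators, changes nothing. Run elevated, PS 5.1+.

$FwProfile = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$C2Hosts   = @('78.109.16.218', 'zs0.info', 'v9j.info')   # C2 locations listed on the page
$PsNoise   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-Signed {
    param([string]$Path)
    # Expand %SystemRoot%-style paths and strip quotes before checking.
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $p)) { return $false }   # missing file counts as suspect
    return (Get-AuthenticodeSignature -LiteralPath $p).Status -eq 'Valid'
}

function Find-HopeeIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Firewall switched off in the XP-era policy key Hopee edits.
    $fw = Get-ItemProperty -Path $FwProfile -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($fw -and $fw.EnableFirewall -eq 0) {
        $findings.Add("Firewall disabled: $FwProfile\EnableFirewall = 0")
    }

    # 2. Authorized Applications. Each value is named after the executable path
    #    and holds "<path>:<scope>:Enabled:<display name>". The real DHCP Client
    #    runs inside svchost and needs no exception of its own, so that label on
    #    a stand-alone binary is suspect, as is any unsigned or missing binary.
    $listKey = Join-Path $FwProfile 'AuthorizedApplications\List'
    if (Test-Path $listKey) {
        foreach ($v in (Get-ItemProperty -Path $listKey).PSObject.Properties) {
            if ($PsNoise -contains $v.Name) { continue }
            $m = [regex]::Match([string]$v.Value, '^(.+?):([^:]+):(Enabled|Disabled):(.*)$')
            $label = if ($m.Success) { $m.Groups[4].Value } else { '?' }
            if ($label -eq 'DHCP Client' -or -not (Test-Signed $v.Name)) {
                $findings.Add("Suspicious firewall exception: $($v.Name) [label: $label]")
            }
        }
    }

    # 3. Services whose executable no longer passes signature validation. Hopee
    #    keeps the service name and path and only replaces the file, so the
    #    registry looks normal and the signature is what gives it away.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = [regex]::Match($svc.PathName, '^\s*"?(.+?\.exe)', 'IgnoreCase')
        if ($exe.Success -and -not (Test-Signed $exe.Groups[1].Value)) {
            $findings.Add("Unsigned service binary: $($svc.Name) -> $($exe.Groups[1].Value)")
        }
    }

    # 4. C2 evidence: cached DNS answers or live TCP connections to the hosts
    #    listed on the page (Get-DnsClientCache / Get-NetTCPConnection need Win8+).
    $dns = Get-DnsClientCache -ErrorAction SilentlyContinue
    foreach ($h in $C2Hosts) {
        if ($dns | Where-Object { $_.Entry -eq $h -or $_.Data -eq $h }) {
            $findings.Add("C2 host in DNS cache: $h")
        }
    }
    $conn = Get-NetTCPConnection -RemoteAddress '78.109.16.218' -ErrorAction SilentlyContinue
    foreach ($c in $conn) {
        $findings.Add("Live connection to C2: local port $($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort) (PID $($c.OwningProcess))")
    }
    return $findings
}

$result = @(Find-HopeeIndicators)
if ($result.Count -gt 0) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Win32/Hopee indicators found.' }
```

Expect some noise from the service check on hosts with unsigned third-party services; the point is the combination of an unsigned binary at an otherwise legitimate service path with the firewall and C2 findings. Hash any flagged service executable before touching it, since it is the best artefact for confirming the infection.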

Technical Details of Win32/Hopee

  • Full name / aliases: Win32/Hopee, Win32.Hopee, Backdoor.Win32.Dreamy.ac (Kaspersky)
  • Date Appeared:
  • Characteristic: Trojan Downloader
  • URL:

Do I need to remove Win32/Hopee

You can search your computer manually, but this is not recommended unless you are comfortable working with processes, files and the registry. To save time and effort, we recommend downloading a free scanner.


How to Uninstall Win32/Hopee

The most reliable way to remove Win32/Hopee is to install a reputable anti-malware program and scan your system for any Win32/Hopee infections.

Automatic removal of Win32/Hopee is generally more complete than manual removal, which can easily go wrong. If you are not sure of all the files and registry entries used by this trojan, we do not recommend attempting manual removal of Win32/Hopee.

Instructions to get rid of Win32/Hopee

If you still want to remove the Win32/Hopee infection from your system manually, proceed as follows.

Step 1: Kill the Win32/Hopee processes:

cssrss.exe (note the extra "s"; do not confuse it with the legitimate Windows process csrss.exe)

Step 2: Remove Win32/Hopee files, folders and all associated Win32/Hopee DLL files:

%System%\cssrss.exe
%System%\<random letters>.syz

Step 3: Remove the Win32/Hopee registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = dword:00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\<trojan executable> = "<trojan executable>:*:Enabled:DHCP Client"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMDM PMSP Service = "%System%\cssrss.exe"
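The script below is an added example (not from the original page or from CA) that carries out the three manual steps above in one elevated PowerShell session and then reverses the firewall changes described earlier. It assumes the file and value names the page lists (cssrss.exe, the .syz copy in the System folder, the "WMDM PMSP Service" Run value), Windows Vista or later for "netsh advfirewall", and that "sfc /scannow" is available to restore service executables Hopee overwrote. The variable names and the decision to remove any Authorized Applications entry labelled "DHCP Client" are this example's own choices.

```powershell
# Win32/Hopee manual removal (added example; not from the original page or from CA).
# Run elevated. Take an image or at least hash the artefacts first: deleting the
# dropper destroys evidence, and this does NOT remove the extra malware Hopee
# downloaded (scan.exe, robo1.exe), so follow up with a full anti-malware scan.

$System    = [Environment]::GetFolderPath('System')   # usually C:\Windows\System32
$FwProfile = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue  = 'WMDM PMSP Service'                       # persistence value name from the page
$PsNoise   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Step 1: stop the dropped process. "cssrss" imitates the genuine csrss.exe;
# Get-Process matches the name exactly, so the real one is never touched.
Get-Process -Name 'cssrss' -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 2: hash, then delete, the dropper and the "<random letters>.syz" copy.
$Dropped  = @(Join-Path $System 'cssrss.exe')
$Dropped += @(Get-ChildItem -LiteralPath $System -Filter '*.syz' -File -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty FullName)
foreach ($f in $Dropped) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Write-Host "Removing $f (SHA256 $hash)"
        Remove-Item -LiteralPath $f -Force
    }
}

# Step 3a: remove the Run-key persistence.
Remove-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue

# Step 3b: remove the firewall exception. Drop the entry named after the dropper
# and any other entry labelled "DHCP Client" (the real DHCP Client runs inside
# svchost and never registers an exception of its own).
$listKey = Join-Path $FwProfile 'AuthorizedApplications\List'
if (Test-Path $listKey) {
    foreach ($v in (Get-ItemProperty -Path $listKey).PSObject.Properties) {
        if ($PsNoise -contains $v.Name) { continue }
        if ($v.Name -like '*\cssrss.exe' -or [string]$v.Value -like '*:Enabled:DHCP Client') {
            Write-Host "Removing firewall exception $($v.Name)"
            Remove-ItemProperty -Path $listKey -Name $v.Name
        }
    }
}

# Step 4: turn the firewall back on. The legacy value is the one Hopee cleared;
# netsh advfirewall covers the Vista+ profile model (on XP use: netsh firewall set opmode enable).
if (Test-Path $FwProfile) {
    Set-ItemProperty -Path $FwProfile -Name EnableFirewall -Value 1 -Type DWord
}
& netsh.exe advfirewall set allprofiles state on | Out-Null

# Step 5: restore any service executable Hopee overwrote with its .syz copy
# (e.g. tlntsvr.exe for TlntSvr). sfc verifies protected system files and
# replaces modified ones from the component store.
& sfc.exe /scannow
```

Reboot after sfc finishes and re-run a triage check; if the service executable sfc restored is immediately modified again, the dropper is still running from a location this script did not cover.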
