
DyFuCa Removal [RESOLVED]



#1 H8sDyFuca (Member, 17 posts)
Hi. I have recently been infected with spyware. My homepage got changed, and some junk got added to my favorites folder/desktop. I found a wp.exe and wp.bmp in My Computer. My wallpaper was changed to a blue error screen; right-clicking the desktop, I noticed that the Desktop tab was missing, just the Screen Saver and Settings tabs were there. I ran Ad-Aware and Spybot Search and Destroy, which got rid of it, but I couldn't get my old desktop back. I opened regedit and edited the wallpaper/currentwallpaper/originalwallpaper values to the correct jpg, instead of the wp.bmp from the spyware, but it didn't work.

I found out it was DyFuCa. I was told this is one of the worst, so if I could get any help removing it, I would appreciate it.


I booted in safe mode and deleted the Popuper.exe, but am still having problems.


--------- here is the HijackThis.log ---------
Logfile of HijackThis v1.99.1
Scan saved at 3:37:42 AM, on 4/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\helper.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Evil Acid\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {57339764-FBAE-4CE5-9520-CCE07EE3212F} - C:\WINDOWS\system32\ahbi.dll (file missing)
O2 - BHO: VCS3IESupport Class - {B9D6B3C2-09AD-464A-8162-8C55114C808A} - C:\Program Files\AV VCS 3.0\Vcs3RT.dll (file missing)
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - Startup: trillian.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {353D8C7F-F439-4F58-9A2D-3AD392E5B5EC} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {353D8C7F-F439-4F58-9A2D-3AD392E5B5EC} - (no file) (HKCU)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097433477093



#2 H8sDyFuca (Topic Starter, Member, 17 posts)
Popup.exe is gone. I took out some suspicious stuff with HJT. I think I got rid of the popups and the dialers. I still can't change my desktop wallpaper. I'm guessing the virus changed something in the registry... Right-clicking the desktop and going into Properties, I still only have the Screen Saver and Settings tabs; the others are missing.

(EDIT) Still getting error icons on the toolbar saying I'm infected with a virus, asking me to click on it (which brings up popups).
Just removed F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

regedit - Current User - Control Panel - Desktop shows the correct .jpg as my wallpaper, but it's still black.

New HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:36:41 PM, on 4/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msole32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Evil Acid\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: trillian.lnk = ?
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

Removed F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe


Lines I deleted in HJT:
C:\WINDOWS\system32\ahbi.dll (file missing)
C:\Program Files\AV VCS 3.0\Vcs3RT.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {353D8C7F-F439-4F58-9A2D-3AD392E5B5EC} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {353D8C7F-F439-4F58-9A2D-3AD392E5B5EC} - (no file) (HKCU)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097433477093

Edited by H8sDyFuca, 15 April 2005 - 11:50 PM.


#3 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Ad-Aware - Download, install, and update. After installing Ad-Aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run a scan. Manually run "Ad-Aware SE Personal" and from the main screen click on "Check for Updates Now". Don't run it yet.

Launch Notepad, and copy/paste the box below into a new notepad file. Change the "save as" type to "All Files". Save it as Unreg.bat on your Desktop.

regsvr32 /u C:\WINDOWS\system32\ahbi.dll

Locate Unreg.bat on your Desktop and double-click on it.

Then, Press CTRL ALT DELETE and click on the Processes tab. End the following process:

msole32.exe

Make sure you are disconnected from the Internet and that all programs and windows are closed. Place a check next to the following item and click FIX CHECKED:

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

Close HiJack This.

Click on this link to be sure you're able to VIEW HIDDEN FILES <- make sure you know how to do this!

Reboot into Safe mode by restarting your computer and continually tapping the F8 key until a menu appears, highlight safe mode and hit enter.

Delete the following files (in bold) - go into Windows Explorer to find them, they won't show up on search:

C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\msmsgs.exe
C:\WINDOWS\system32\ahbi.dll
C:\wp.exe

While in safe mode, run Ad-Aware - but configure it for a full system scan first by following the instructions below:

In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
5) Scan my IE Favorites for banned URLs
6) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom left side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects.

Reboot into normal mode.

Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

Post a new HiJackThis log and let me know if you're still having problems.

Edited by bananafanafo, 16 April 2005 - 12:20 AM.

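As an added example (not from this thread, and not part of HijackThis itself): a small Python triage script that applies the same reading Michelle applied to the first log above, flagging a Shell= value with processes other than explorer.exe, a BHO whose DLL is missing or unnamed, an autorun executable sitting at the root of a drive, and an O9 entry with no file. The sample entries are copied from post #1; the triage rules and the regular expressions are my own assumptions, not HijackThis's.

```python
import re

# Sample input: HijackThis v1.99.1 entries copied from the first log posted in this
# thread (post #1). The triage rules below are my own assumptions, not HijackThis's.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {57339764-FBAE-4CE5-9520-CCE07EE3212F} - C:\WINDOWS\system32\ahbi.dll (file missing)
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O9 - Extra button: Microsoft AntiSpyware helper - {353D8C7F-F439-4F58-9A2D-3AD392E5B5EC} - (no file) (HKCU)
"""

# F2: the Winlogon Shell value; a clean XP box lists explorer.exe and nothing else.
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shells>.*)$")
# O2: Browser Helper Object name, CLSID and DLL path.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O4: Run/RunOnce autostart entries with their value name and command line.
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O9: extra IE toolbar buttons / Tools menu items and their target.
IE_EXTRA_RE = re.compile(r"^O9 - .* - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")
# An executable sitting directly in the root of a drive (c:\wp.exe in the log).
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.(exe|com|bat|scr|pif)$", re.I)


def triage(log_text):
    """Return (section, reason, line) tuples for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SHELL_RE.match(line)
        if m:
            shells = [s.strip().lower() for s in m.group("shells").split(",") if s.strip()]
            extra = [s for s in shells if s != "explorer.exe"]
            if extra:
                findings.append(("F2", "extra shell process(es): " + ", ".join(extra), line))
            continue
        m = BHO_RE.match(line)
        if m:
            reasons = []
            if "(file missing)" in m.group("path").lower():
                reasons.append("DLL missing")
            if m.group("name").lower() == "(no name)":
                reasons.append("unnamed BHO")
            if reasons:
                findings.append(("O2", "; ".join(reasons), line))
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip().strip('"')
            if ROOT_EXE_RE.match(cmd):
                findings.append(("O4", "autorun executable at drive root", line))
            continue
        m = IE_EXTRA_RE.match(line)
        if m and "(no file)" in m.group("target").lower():
            findings.append(("O9", "IE button/menu item whose target file is gone", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```

Run against the sample it reports exactly the four entries Michelle had the poster fix or delete; the Acrobat BHO and the point32.exe autorun pass through untouched.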

#4 H8sDyFuca (Topic Starter, Member, 17 posts)
Thanks for the reply. Everything went smoothly. MSN Messenger loaded on startup; it didn't before.

Here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:51:03 PM, on 4/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Evil Acid\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: trillian.lnk = ?
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab


Any ideas on how to fix the wallpaper issue?

Edited by H8sDyFuca, 16 April 2005 - 12:56 AM.


#5 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Have you already tried right-clicking to see if the tabs are still grayed-out?

Please run this online virus scan:
ActiveScan

Copy the results from ActiveScan and paste them here.

#6 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
I also need you to reboot into Safe Mode and delete the following file (it was on your first log, but not on the latest logs), but it may still be there:

C:\WINDOWS\system32\helper.exe

These files are associated with the Trojan and need to be deleted:

C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\System32\intmonp.exe (if this file is still there then popupers.exe is still there because they monitor each other and popupers will regenerate if deleted)

So we may have to get out the big guns (a program called Killbox) to kill those files at the same time.

What you have is a fairly new Trojan Dropper.

Edited by bananafanafo, 16 April 2005 - 01:56 AM.


#7 H8sDyFuca (Topic Starter, Member, 17 posts)
Pic of desktop properties:
http://img98.echo.cx...image=dt7cz.jpg

ActiveScan log:

Incident Status Location

Adware:Adware/SearchRelevancy No disinfected Windows Registry
Adware:Adware/IGuard No disinfected C:\WINDOWS\system32\wldr.dll
Adware:Adware/SearchExe No disinfected C:\Documents and Settings\Evil Acid\Local Settings\Temp\temp.frA206
Adware:Adware/SearchExe No disinfected C:\Documents and Settings\Evil Acid\Local Settings\Temp\temp.frD0D9
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\Evil Acid\Local Settings\Temp\Temporary Internet Files\Content.IE5\0527K1UN\actalert[1].exe
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Evil Acid\Local Settings\Temp\Temporary Internet Files\Content.IE5\85UNG1AJ\iraq.padbig[1].htm
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Evil Acid\Local Settings\Temp\Temporary Internet Files\Content.IE5\85UNG1AJ\yorkshire.relaxi[1].htm
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Evil Acid\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTI3W5EV\bridge-c282[1].cab[DeskAdX.dll]
Spyware:Spyware/Zhopa No disinfected C:\RECYCLER\S-1-5-21-1177238915-515967899-725345543-1003\Dc235.exe
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\DeskAdX.dll
Virus:Trj/Agent.OP Disinfected C:\WINDOWS\system32\helper.exe
Virus:Trj/Downloader.BXP Disinfected C:\WINDOWS\system32\wldr.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmltok.dll

Quoting Michelle:
    I also need you to reboot into Safe Mode and delete the following file (it was on your first log, but not on the latest logs), but it may still be there:

    C:\WINDOWS\system32\helper.exe
    C:\wp.bmp

    What you have is a fairly new Trojan Dropper.

Yes, I deleted the wp.bmp and wp.exe first thing. The wp.bmp was the blue screen error pic for my wallpaper (it is now all black).

I will reboot in safe mode and see if helper.exe is still there.

Edited by H8sDyFuca, 16 April 2005 - 01:57 AM.


#8 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
I edited my post so you have more files to look for and delete if found.

#9 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Download, install, and run CleanUp! Then follow the instructions below:

Please read these instructions carefully

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\WINDOWS\system32\wldr.dll
C:\Documents and Settings\Evil Acid\Local Settings\Temp\temp.frA206
C:\Documents and Settings\Evil Acid\Local Settings\Temp\temp.frD0D9
C:\RECYCLER\S-1-5-21-1177238915-515967899-725345543-1003\Dc235.exe
C:\WINDOWS\Downloaded Program Files\DeskAdX.dll
C:\WINDOWS\system32\xmlparse.dll
C:\WINDOWS\system32\xmltok.dll
C:\Windows\System32\intmonp.exe
C:\Windows\System32\popuper.exe
C:\Windows\sites.ini


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts.

Post a new HiJackThis log.

Edited by bananafanafo, 16 April 2005 - 10:20 AM.


#10 H8sDyFuca (Topic Starter, Member, 17 posts)
C:\Windows\sites.ini
C:\Windows\System32\intmonp.exe

Both deleted.



#11 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
You'll have to still try to delete those with killbox since popupers and intmonp.exe monitor each other. We'll just get them all with killbox, don't worry about manually deleting them. Just follow the instructions in my previous post. I'll see what other files may be on your computer from these trojans.

#12 H8sDyFuca (Topic Starter, Member, 17 posts)
Finished the killbox instructions. Everything went smoothly. Thanks again for taking the time to help me. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 1:15:08 AM, on 4/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Evil Acid\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: trillian.lnk = ?
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Edited by H8sDyFuca, 16 April 2005 - 02:15 AM.


#13 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
You're welcome :tazz:

Ok, I need you to find this folder:
C:\Program Files\Virtual Maid

It should have some BMP images and a dll file in it. Either way, delete the whole folder.

Then I need you to look for this folder:
C:\Windows\System32\LogFiles

This is where the Trojans were dropped. They are supposed to delete themselves after execution, but we're going to look anyway because I'm curious to see if they actually do (or any similar names):

T54111925.so
H53131712.so
A54102200.so
S53252000.so
A04111925.so
M54111925.so
P54111925.so

Delete this whole folder:
C:\Windows\System32\LogFiles

Did your computer restart after you ran Killbox? Follow the same instructions above for Killbox and put these 2 file paths in (I used the wrong file path for popupers, so we have to delete them both again). Your computer is supposed to restart automatically after putting them all in and clicking Yes on both prompts. If it doesn't restart automatically, you need to restart it after setting these file paths to be deleted on reboot:

C:\Windows\System32\intmonp.exe
C:\Windows\popuper.exe

Edited by bananafanafo, 16 April 2005 - 10:19 AM.


#14 H8sDyFuca (Topic Starter, Member, 17 posts)
I had previously deleted Virtual Maid through Control Panel - Add/Remove Programs, so it wasn't there.

C:\Windows\System32\LogFiles had 1 file:
A04111925.so

Deleted the folder.

Using Killbox with
C:\Windows\System32\intmonp.exe
C:\Windows\popupers.exe

I get http://img189.echo.c...33/kbpop9ob.jpg saying they are already deleted (which sounds like a good thing).

Quoting Michelle:
    Did your computer restart after you ran Killbox?

Yes, I clicked Yes on the "would you like to reboot now?" prompt after the last entry.

Edited by H8sDyFuca, 16 April 2005 - 02:49 AM.


#15 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Go ahead and restart your computer, because I know one of the files wasn't deleted previously because I gave you the wrong file path. After you restart they should both be gone.





