Arrrgh - what is this and how do I get rid of it?
Thread Starter
Recently I have been trying to save energy (and stresses on my PC) by leaving my PC in hibernate mode. However, it has suddenly come to life, beeped, flashed "E-Mail" on the screen in green, and tried (without success) to open Internet Explorer and access something like Redirect.Pavilliondownload.com.
Argh! I am running anti virus checks again, but I do not think it is that. It keeps doing this again and again. Even powered up it seems to do it now and then. It really is annoying.
Any suggestions?
Join Date: Jan 2012 | Location: . | Posts: 2,173
You realise you've just given us your ID on AARSE? top two hits on Groogle are both yours...
Sounds like an attempt at a browser hijack - or maybe even a trojan
Usual attempt at curing these -
Clear out all temp/temp internet files
Use Autoruns to weed out any unwanted startup programs
Hunt through the program files / program data folders and the user profiles (ALL of them) looking for "wrong" stuff
Scan with Hitman Pro and Kaspersky's TDSSKiller
Then scan with Combofix
Then finally scan with Spybot S&D AND Malwarebytes
Do them all - they're not alternatives
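As an added example (not from the thread, and not part of Autoruns or any other tool named above), the following PowerShell script does a first pass over the same autostart locations Autoruns would show: the Run/RunOnce registry keys, every profile's Startup folder, and scheduled tasks. It flags entries that reference the redirect host or the process names quoted later in the thread, and separately flags any task that is allowed to wake the machine and launches a browser or URL, since a wake-capable task is one plausible explanation for a PC that "comes to life" out of hibernate. The pattern list is an assumption built from the thread; Get-ScheduledTask assumes Windows 8 / Server 2012 or later (older systems need schtasks.exe instead). Run it from an elevated prompt.

```powershell
# Added example (not the thread's or any tool's own code): triage common Windows
# autostart locations for entries tied to the redirect described in the thread.
# $patterns is an assumption: the redirect host plus the three names RKill stopped.
$patterns = @('paviliondownload', 'hpsysdrv', 'hphmon05', 'wanmpsvc')

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-Suspicious([string]$text) {
    foreach ($p in $patterns) { if ($text -match $p) { return $true } }
    return $false
}

$findings = @()

# 1. Registry Run/RunOnce values (skip the PSPath/PSDrive metadata properties)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }
        if (Test-Suspicious "$($prop.Name) $($prop.Value)") {
            $findings += [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

# 2. Startup folders: every user profile (the thread says check ALL of them) plus the common one
$startupDirs = @(Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })
$startupDirs += Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'
foreach ($dir in $startupDirs) {
    foreach ($file in (Get-ChildItem $dir -File -ErrorAction SilentlyContinue)) {
        if (Test-Suspicious $file.Name) {
            $findings += [pscustomobject]@{ Source = $dir; Name = $file.Name; Command = $file.FullName }
        }
    }
}

# 3. Scheduled tasks: flag pattern hits, and any wake-capable task that opens a browser/URL
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    $wakes = ($task.Settings.WakeToRun -eq $true)
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ((Test-Suspicious $cmd) -or ($wakes -and ($cmd -match 'iexplore|https?://'))) {
            $findings += [pscustomobject]@{ Source = "Task: $($task.TaskPath)"; Name = $task.TaskName; Command = $cmd }
        }
    }
}

if ($findings.Count -eq 0) { 'No matching autostart entries found.' } else { $findings | Format-Table -AutoSize }
```

Anything this lists is a lead, not a verdict: a hit on an HP or AOL name only tells you where the entry lives, so note the command line and path before removing anything, and compare against what Autoruns and the scanners report.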
Cool Mod
Join Date: Apr 1998 | Location: 18nm N of LGW | Posts: 6,185
Just one. Go to System Restore and choose a few days before when this didn't happen and let it restore to that day. Has always worked for me. It is quite refreshing when everything works again just as before.
Join Date: Jan 2012 | Location: . | Posts: 2,173
Doh - just did a bit more checking
Is your machine an HP or Compaq?
It looks like it's not an "infection" but an "official" browser hijack installed by HP in an attempt to route you to their homepage...
Try running this tool on it and blacklist it - http://www.browseerprotect.org
Thread Starter
Just put Browser Protect on, but guess what, it beeped and once again tried to load:
http://redirect.paviliondownload.com...p://www.hp.com
Arrrgh!
Edit: I've downloaded and run RKill, it found three processes to terminate:
* C:\windows\system\hpsysdrv.exe (PID: 1988) [WD-HEUR]
* C:\WINDOWS\System32\hphmon05.exe (PID: 2012) [WD-HEUR]
* C:\WINDOWS\wanmpsvc.exe (PID: 3168) [WD-HEUR]
3 proccesses terminated!
Also downloaded Malwarebytes. See if this works.
Last edited by WE Branch Fanatic; 14th Sep 2012 at 22:33.
Join Date: Jan 2012 | Location: . | Posts: 2,173
"Heur" are trojan definitions
However the first two items detected are the same names as genuine HP files
However you don't need them -
I suggest you go through ALL the scans in my first post
RKILL doesn't actually delete malware - it just removes it from memory on that session. It would still be a very good idea to use Combofix and Hitman Pro (at least) before running Malwarebytes on it
Hippopotomonstrosesquipidelian title | Join Date: Oct 2006 | Location: is everything | Posts: 1,826
Go into your HP software and set it to stop checking for updates (if it has such a setting). If you've got broadband through AOL, you don't want to stop the miniport service.
Thread Starter
Last night I opened and ran RKill from the site, without downloading it. Within the last 30 minutes I have downloaded it to my desktop, and ran it again. The same three processes were found.
Do I need to make sure RKill runs every time I boot up (and if so, how?), or will that be enough to kill the Trojans?
Think I'll try Combofix too.... actually no, the ww.bleepingcomputer.com website cautions not to do so unless advised properly.
Doesn't Malwarebytes take a long time to run?
Last edited by WE Branch Fanatic; 15th Sep 2012 at 17:01.
Join Date: Jan 2012 | Location: . | Posts: 2,173
Rkill is only used to temporarily stop processes running while you use other tools to clean the machine
It's not intended as a fix in its own right. It simply stabilises the machine while you run other tools
As to Combofix. I'm advising you to run it. Run it in safe mode, after first running Hitman Pro and TDSSKiller. Then run the other programs as I advised earlier
I do this kind of thing every day - it's how I earn my crust
Hitman Pro Home - SurfRight
Combofix ComboFix Download
TDSSKiller How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?
Spybot S&D Spybot - Search & Destroy from Safer Networking
Malwarebytes Malwarebytes : Free anti-malware download
Probably none of them are Trojans - heuristics are rather error prone as they're looking at program behaviour and characteristics, not a specific program signature.
As Milo says the first two are probably HP related and the third is probably an AOL program.
From Bleeping Computer:
hphmon05.exe: HP Printer monitor that detects when flash cards are inserted into the printer and automatically starts HP Photosmart.
hpsysdrv.exe: This item keeps track of how many times the system has been recovered and the times of the first and last recoveries done on the system. Leaving unchecked will sometimes prevent the Keyboard Manager program from detecting that the computer is an HP. Since this program/driver was only made to run on HP, if it can't tell that it is an HP it will not run. If unchecked, it can prevent the running of the Application Recovery CDs, the use of the multimedia keys, and the HP Instant Support. Also seen that without it running, the Riptide Sound card that was installed on some older HP computers stops working
WanMPSvc.exe: An AOL component, the Wan miniport (ATW) service. If you delete this and logon, AOL reports a problem with your internet connection, and reinstalling AOL doesn’t help
I'd suggest uploading the three files in question to a service such as Virus Total that scans with multiple virus scanners: https://www.virustotal.com/
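Before uploading anything, it is worth recording what the three files actually are. The following is an added example (not from the thread or from Bleeping Computer) in PowerShell: it takes the three paths RKill reported, computes each file's SHA-256, and checks its Authenticode signature against the publisher the thread attributes it to (HP for the first two, AOL for the third; those expected publisher strings are assumptions). It then prints VirusTotal search links for the hashes, which lets you check the scanner verdicts without uploading the binaries themselves; the search URL form is assumed to be VirusTotal's current one. Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (not the thread's own procedure): identify the files RKill stopped
# by hash and code signature before deciding whether they are vendor software.
# Paths are the ones quoted in the thread; ExpectedPublisher values are assumptions.
$flagged = @(
    @{ Path = 'C:\windows\system\hpsysdrv.exe';   ExpectedPublisher = 'Hewlett-Packard' },
    @{ Path = 'C:\WINDOWS\System32\hphmon05.exe'; ExpectedPublisher = 'Hewlett-Packard' },
    @{ Path = 'C:\WINDOWS\wanmpsvc.exe';          ExpectedPublisher = 'America Online' }
)

function Get-FileVerdict($entry) {
    $path = $entry.Path
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Path = $path; Present = $false; SHA256 = $null
                                  Signature = 'n/a'; Signer = $null; Verdict = 'file not found at quoted path' }
    }
    $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # A valid signature from the expected vendor is strong evidence the file is the
    # genuine OEM/ISP component; anything else needs a second look.
    $verdict = switch ($sig.Status) {
        'Valid' {
            if ($signer -match [regex]::Escape($entry.ExpectedPublisher)) { 'signed by expected publisher' }
            else { 'valid signature but unexpected publisher - investigate' }
        }
        'NotSigned' { 'unsigned - compare the hash on VirusTotal before trusting or deleting' }
        default     { "signature problem ($($sig.Status)) - treat as suspicious" }
    }
    [pscustomobject]@{ Path = $path; Present = $true; SHA256 = $hash
                       Signature = $sig.Status; Signer = $signer; Verdict = $verdict }
}

$results = foreach ($f in $flagged) { Get-FileVerdict $f }
$results | Format-List

# Hash lookups avoid uploading the binary itself (URL form is an assumption)
foreach ($r in ($results | Where-Object Present)) {
    "https://www.virustotal.com/gui/search/$($r.SHA256)"
}
```

A file that is present, signed by the expected vendor and already known to VirusTotal is almost certainly the legitimate HP or AOL component the thread describes; a file at a vendor-style name that is unsigned or signed by someone else is the case worth sending to the multi-scanner upload.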
Join Date: Jan 2012 | Location: . | Posts: 2,173
That's an important point
Rkill may be picking those three up because they are non-standard TSR programs which could potentially interfere with other security scans - not because they are malware in their own right.
They may well not be related to the HP redirect issue at all.
le Pingoiun's suggestion is good, however I'd still also go through with the scans and see what happens - they can't cause any problems.
When I get a chance later I'll try to find just what files the HP redirect uses.
Thread Starter
I thought I had got rid of it last year when the computer got a new hard drive, but in the last week it seems to have come back.
It just goes crazy now and does strange things like going to random websites, opening e-mails, and so on....
Arrrgh!
Last edited by WE Branch Fanatic; 30th Aug 2015 at 10:40.