PPRuNe Forums

PPRuNe Forums (https://www.pprune.org/)
-   Computer/Internet Issues & Troubleshooting (https://www.pprune.org/computer-internet-issues-troubleshooting-46/)
-   -   Arrrgh - what is this and how do I get rid of it? (https://www.pprune.org/computer-internet-issues-troubleshooting/493462-arrrgh-what-how-do-i-get-rid.html)

WE Branch Fanatic 20th August 2012 20:01

Arrrgh - what is this and how do I get rid of it?
 
Recently I have been trying to save energy (and stresses on my PC) by leaving my PC in hibernate mode. However, it has suddenly come to life, beeped, flashed "E-Mail" on the screen in green, and tried (without success) to open Internet Explorer and access something like Redirect.Pavilliondownload.com.

Argh! I am running anti virus checks again, but I do not think it is that. It keeps doing this again and again. Even powered up it seems to do it now and then. It really is annoying.

Any suggestions?

Milo Minderbinder 20th August 2012 20:13

You realise you've just given us your ID on AARSE? top two hits on Groogle are both yours...

Sounds like an attempt at a browser hijack - or maybe even a trojan

Usual attempt at curing these -
Clear out all temp/temp internet files
Use Autoruns to weed out any unwanted startup programs
Hunt through the program files / program data folders and the user profiles (ALL of them) looking for "wrong" stuff
Scan with Hitman Pro and Kaspersky's TDSSKiller
Then scan with Combofix
Then finally scan with Spybot S&D AND Malwarebytes

Do them all - they're not alternatives

PPRuNe Pop 20th August 2012 20:14

Just one. Go to System Restore and choose a few days before when this didn't happen and let it restore to that day. Has always worked for me. It is quite refreshing when everything works again just as before.

Milo Minderbinder 20th August 2012 20:23

doh - just did a bit more checking

Is your machine an HP or Compaq?
it looks like it's not an "infection" but an "official" browser hijack installed by HP in an attempt to route you to their homepage...

try running this tool on it and blacklist it - http://www.browseerprotect.org

WE Branch Fanatic 14th September 2012 21:55

Just put Browser Protect on, but guess what, it beeped and once again tried to load:

http://redirect.paviliondownload.com...p://www.hp.com

Arrrgh!

Edit: I've downloaded and run RKill, it found three processes to terminate:

* C:\windows\system\hpsysdrv.exe (PID: 1988) [WD-HEUR]
* C:\WINDOWS\System32\hphmon05.exe (PID: 2012) [WD-HEUR]
* C:\WINDOWS\wanmpsvc.exe (PID: 3168) [WD-HEUR]

3 proccesses terminated!

Also downloaded Malwarebytes. See if this works.

Milo Minderbinder 14th September 2012 22:38

"Heur" are trojan definitions
However the first two items detected are the same names as genuine HP files
However you don't need them -

I suggest you go through ALL the scans in my first post
RKILL doesn't actually delete malware - it just removes it from memory on that session. It would still be a very good idea to use Combofix and Hitman Pro (at least) before running Malwarebytes on it

Bushfiva 15th September 2012 00:38

Go into your HP software and set it to stop checking for updates (if it has such a setting). If you've got broadband through AOL, you don't want to stop the miniport service.

WE Branch Fanatic 15th September 2012 13:55

Last night I opened and ran RKill from the site, without downloading it. Within the last 30 minutes I have downloaded it to my desktop, and ran it again. The same three processes were found.

Do I need to make sure RKill runs every time I boot up (and if so, how?), or will that be enough to kill the Trojans?

Think I'll try Combofix too.... actually no, the ww.bleepingcomputer.com website cautions not to do so unless advised properly.

Doesn't Malwarebytes take a long time to run?

Milo Minderbinder 15th September 2012 16:40

Rkill is only used to temporarily stop processes running while you use other tools to clean the machine
It's not intended as a fix in its own right. It simply stabilises the machine while you run other tools

As to Combofix. I'm advising you to run it. Run it in safe mode, after first running Hitman Pro and TDSSKiller. Then run the other programs as I advised earlier
I do this kind of thing every day - it's how I earn my crust

Hitman Pro: Home - SurfRight
Combofix: ComboFix Download
TDSSKiller: How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?
Spybot S&D: Spybot - Search & Destroy from Safer Networking
Malwarebytes: Malwarebytes : Free anti-malware download

le Pingouin 15th September 2012 16:50

Probably none of them are Trojans - heuristics are rather error prone as they're looking at program behaviour and characteristics, not a specific program signature.

As Milo says the first two are probably HP related and the third is probably an AOL program.

From Bleeping Computer:

hphmon05.exe: Hp Printer monitor that detects when flash cards are inserted into the printer and automatically starts HP Photosmart.

hpsysdrv.exe: This item keeps track of how many times the system has been recovered and the times of the first and last recoveries done on the system. Leaving unchecked will sometimes prevent the Keyboard Manager program from detecting that the computer is an HP. Since this program/driver was only made to run on HP, if it can't tell that it is an HP it will not run. If unchecked, it can prevent the running of the Application Recovery CDs, the use of the multimedia keys, and the HP Instant Support. Also seen that without it running, the Riptide Sound card that was installed on some older HP computers stops working

WanMPSvc.exe: An AOL component, the Wan miniport (ATW) service. If you delete this and logon, AOL reports a problem with your internet connection, and reinstalling AOL doesn’t help


I'd suggest uploading the three files in question to a service such as Virus Total that scans with multiple virus scanners: https://www.virustotal.com/
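
As an added example (not posted by anyone in this thread), the following PowerShell script does the two checks the replies above describe in one pass: Milo's step of weeding through the startup entries, and le Pingouin's suggestion of getting the suspect files checked against multiple scanners. It lists the Run/RunOnce registry keys and startup folders, adds the three files RKill named earlier in the thread, and for each file prints its SHA-256 hash and Authenticode signer, so the hash can be searched on VirusTotal without uploading the file. It assumes Windows PowerShell 4.0 or later (for Get-FileHash); the function and variable names are this example's own.

```powershell
# Added example: inventory autorun entries and hash them for a VirusTotal hash lookup.
# Assumes Windows PowerShell 4.0+ (Get-FileHash, Get-AuthenticodeSignature, Get-ChildItem -File).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# The three files RKill reported earlier in the thread; checked explicitly as well.
$threadFiles = @(
    'C:\Windows\system\hpsysdrv.exe',
    'C:\Windows\System32\hphmon05.exe',
    'C:\Windows\wanmpsvc.exe'
)

function Get-ExePathFromCommand {
    param([string]$Command)
    # Accepts either "C:\path\app.exe" /flag or C:\path\app.exe /flag and returns the .exe path.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $null
}

function Get-AutorunReport {
    $targets = New-Object System.Collections.Generic.List[object]

    # 1. Registry Run / RunOnce entries for the machine and the current user.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider properties
            $exe = Get-ExePathFromCommand -Command ([string]$p.Value)
            $targets.Add([pscustomobject]@{ Source = "$key\$($p.Name)"; Path = $exe })
        }
    }

    # 2. Per-user and all-users Startup folders.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        if (Test-Path $dir) {
            Get-ChildItem -Path $dir -File | ForEach-Object {
                $targets.Add([pscustomobject]@{ Source = 'StartupFolder'; Path = $_.FullName })
            }
        }
    }

    # 3. Files named in the thread.
    foreach ($f in $threadFiles) {
        $targets.Add([pscustomobject]@{ Source = 'NamedInThread'; Path = $f })
    }

    # Hash and check the signature of every target that exists on disk.
    foreach ($t in $targets) {
        if (-not $t.Path -or -not (Test-Path -LiteralPath $t.Path)) {
            [pscustomobject]@{ Source = $t.Source; Path = $t.Path; SHA256 = $null; Signer = $null; Status = 'missing' }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $t.Path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $t.Path
        [pscustomobject]@{
            Source = $t.Source
            Path   = $t.Path
            SHA256 = $hash
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Status = $sig.Status   # 'Valid' for a trusted signature, 'NotSigned' for an unsigned file
        }
    }
}

Get-AutorunReport | Sort-Object Status | Format-Table -AutoSize
```

Paste each SHA256 value into the VirusTotal search box; a hit returns the multi-engine verdict for that exact file with nothing uploaded. An HP or AOL file carrying a valid signature from its vendor is most likely the legitimate component described in the quotes above, while an unsigned or 'missing' entry in a Run key is where to look first. A hash with no VirusTotal record only means that exact file has not been seen before, not that it is clean.
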

Milo Minderbinder 15th September 2012 16:57

That's an important point
Rkill may be picking those three up because they are non-standard TSR programs which could potentially interfere with other security scans - not because they are malware in their own right.
They may well not be related to the HP redirect issue at all.

le Pingouin's suggestion is good, however I'd still also go through with the scans and see what happens - they can't cause any problems.

When I get a chance later I'll try to find just what files the HP redirect uses.

le Pingouin 15th September 2012 17:30

This page might be of use re the HP redirect - relates to the shortcut keys on a HP multimedia keyboard:
HP Multimedia Keyboard Drivers - AmazingTechs.com

WE Branch Fanatic 30th August 2015 10:27

I thought I had got rid of it last year when the computer got a new hard drive, but in the last week it seems to have come back.

It just goes crazy now and does strange things like going to random websites, opening e-mails, and so on....

Arrrgh!
