TechSpot

Browser redirects & hpqthb08.exe causing problems

By wisconsindad
Dec 15, 2009
  1. Hi everyone. This is my first time posting here, and after reading through others' threads, I've tried to ensure I'm following all the instructions.

    A couple of days ago, my wife (who spends the most time on our PC) started complaining that she could not open HP Photosmart Premier, the program she uses to manage and edit our family digital photos. When I checked task manager processes, I found hpqthb08.exe running, but locked in at 25% of CPU usage. Each time I tried to open Photosmart Premier, another instance of hpqthb08.exe would show up, chewing up another 25 percent of the CPU memory. I ended those processes, and tried uninstalling all HP-related software from Add/Remove programs, then reinstalling Photosmart Premier, but the same problem remains.

    I ran several scans of Avast & MBAM and found a handful of trojans infecting the computer. All viruses were successfully quarantined or moved to the virus chest.

    So I Googled hpqthb08.exe file for more information, but when I clicked on any of the results, my browser was redirected to a website advertising antivirus software and popping up fake warnings that my computer was infected.

    I repeated the scans and found more trojans. Once they were isolated or removed, I tried opening Photosmart again - same problem. I tried Googling certain processes and got more redirects. To be clear, NOT every search result ends in a redirect. Only some. And for some strange reason, it only seems to be when I'm Googling .exe files. If I Google "Green Bay Packers," for instance, the links work fine.

    I was about to beat my head bloody, when I found this forum. I have followed the 8 Steps to the letter, and posted the logs from MBAM, SAS, and HJT. Both MBAM and SAS came up clean on the most recent scans, so I also included some of the earlier MBAM scans that found viruses.

    Please let me know if you see anything that will help!
     
  2. wisconsindad

    wisconsindad TS Rookie Topic Starter

    More on the Google redirect

    I tested my own example of searching "Green Bay Packers," to be sure it was accurate. The first click on a search result worked fine. The next result I clicked redirected me temporarily to "lightcooking.com" and then immediately to "luckyresults.com" a few seconds later.

    Back to the results list, a click on a link and it works fine. But the next try on another result and I'm redirected to "alibaba.com".

    It appears I'm being redirected when I click on every other Google search result.

    Hope that information is useful.
     
  3. wisconsindad

    wisconsindad TS Rookie Topic Starter

    Hi everyone. I realize it's a very, very busy time - so I'm trying to be patient. I just wondered if you know how long it might take to get a response. Sorry to bother.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry, we're behind. This is a very busy forum.

    Mention to your wife that the Coupon Bar isn't a good place to visit! Full of adware.

    Please reopen HijackThis to 'do system scan only.' Check each of the following if present: Optional removals are in green:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll See Optional 1
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    See Optional 1

    Optional 1: Foistware: AskBar
    You have the Ask Toolbar installed, I would recommend you uninstall it - decide after taking a look at this article:
    http://www.benedelman.org/spyware/ask-toolbars/

    (If you choose to remove it, uninstall it and delete this folder: C:\Program Files\AskBar)

    Close all Windows except HJT. Click on "Fix Checked."

    Download SDFix HERE and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Rescan with HijackThis. Leave the following in your next reply:
    SDFix Report
    Eset log
    HJT log

    Thanking you in advance for your patience.
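The reply above works by reading a HijackThis log line by line, picking out the R0, O2 and O3 entries and deciding which ones are search hijacks or foistware. The script below is an added example written for this page (it is not HijackThis code, nor anything the helper posted): it parses HJT-style lines into fields, flags the two Ask Toolbar CLSIDs quoted in the reply, flags empty Internet Explorer search overrides, flags HP Digital Imaging startup items, and reports when no antivirus service (O23 line) appears in the log, which is the check the helper applies later in the thread. The five R0/O2/O3 lines are copied from the reply; the O4 line, the O23 line, the AV vendor keyword list and the severity labels are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log. The R0/O2/O3 lines are the ones quoted in the reply
# above; the O4 line is a made-up HP Digital Imaging startup entry (assumption).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [hpqthb08] C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe -s
"""

# Same log with a constructed O23 antivirus service line added (assumption).
SAMPLE_LOG_WITH_AV = SAMPLE_LOG + (
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe" + "\n"
)

# CLSIDs taken from the O2/O3 lines in the reply; treated here as a watch-list.
FOISTWARE_CLSIDS = {
    "{201f27d4-3704-41d6-89c1-aa35e39143ed}": "Ask Toolbar BHO",
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}": "Ask Toolbar",
}
# Vendor keywords used to recognise an antivirus service in O23 lines (assumption).
AV_SERVICE_HINTS = ("avast", "avira", "antivir", "eset", "nod32", "symantec", "mcafee", "kaspersky")

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")


@dataclass
class HjtEntry:
    kind: str          # R0, O2, O3, O4, O23, ...
    raw: str
    name: str = ""     # registry key, BHO/toolbar/service name, or Run value name
    clsid: str = ""    # lower-cased {GUID} for O2/O3 entries
    path: str = ""     # DLL/EXE path or Run command line
    value: str = ""    # right-hand side of an R0/R1 "key = value" line


@dataclass
class Finding:
    severity: str
    entry: Optional[str]   # the raw log line, or None for log-wide findings
    reason: str


def parse_line(line: str) -> Optional[HjtEntry]:
    """Split one HJT log line into its fields; returns None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    e = HjtEntry(kind=kind, raw=line.strip())
    if kind.startswith("R"):
        # R0 - HKLM\...\Search,SearchAssistant = <value>
        key, _, value = body.partition("=")
        e.name, e.value = key.strip(), value.strip()
    elif kind in ("O2", "O3"):
        # O2 - BHO: <name> - {CLSID} - <path>
        rest = body.partition(": ")[2]
        parts = [p.strip() for p in rest.split(" - ")]
        e.name = parts[0] if parts else ""
        c = CLSID_RE.search(rest)
        e.clsid = c.group(0).lower() if c else ""
        e.path = parts[-1] if len(parts) >= 3 else ""
    elif kind == "O4":
        # O4 - HKLM\..\Run: [<name>] <command line>
        m4 = re.match(r".*: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", body)
        if m4:
            e.name, e.path = m4.group("name"), m4.group("cmd")
    elif kind == "O23":
        # O23 - Service: <name> - <company> - <path>
        parts = [p.strip() for p in body.partition(": ")[2].split(" - ")]
        e.name = parts[0] if parts else ""
        e.path = parts[-1] if len(parts) >= 2 else ""
    return e


def audit(log_text: str) -> List[Finding]:
    """Apply the review rules from the thread to a whole HJT log."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings: List[Finding] = []
    for e in entries:
        if e.kind == "R0" and e.value == "":
            findings.append(Finding("low", e.raw, "empty IE search override; harmless but fix it"))
        if e.kind in ("O2", "O3") and e.clsid in FOISTWARE_CLSIDS:
            findings.append(Finding("medium", e.raw, f"known foistware: {FOISTWARE_CLSIDS[e.clsid]}"))
        if e.kind == "O4" and "digital imaging" in e.path.lower():
            findings.append(Finding("info", e.raw, "HP Digital Imaging startup item; not needed at boot"))
    has_av = any(
        e.kind == "O23" and any(h in (e.name + " " + e.path).lower() for h in AV_SERVICE_HINTS)
        for e in entries
    )
    if not has_av:
        findings.append(Finding("high", None, "no antivirus service (O23) in log; no AV was running at scan time"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}" + (f"\n    {f.entry}" if f.entry else ""))
```

Run stand-alone it prints six findings for the constructed log (two empty search overrides, the two Ask Toolbar entries, the HP startup item, and the missing-antivirus warning); with the O23 line present the last warning goes away. The watch-list approach is deliberately narrow: a CLSID that is not on the list is not declared clean, it is simply not flagged, which is why the helper still reads every line herself.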
     
  5. wisconsindad

    wisconsindad TS Rookie Topic Starter

    Thanks, Bobbye.

    While performing the tasks you recommended, I ran into a big problem.

    I ran the HJT scan and removed the items you suggested (both black and green). I also uninstalled the Ask Toolbar.

    But when I tried to reboot in safe mode, I got the blue screen of death, with the following STOP message: 0x0000007e (0xc0000005, 0x80537009, 0xf789e508, 0xf789e204)

    It took me several hard reboots to finally get back into normal mode. So I tried rebooting into safe mode again, and got the same BSOD and STOP message.

    Any ideas? Can I run SDFix in normal mode instead?
     
  6. wisconsindad

    wisconsindad TS Rookie Topic Starter

    I'm still getting the BSOD when I try to restart in safe mode, and it takes about 4-5 hard reboot attempts to successfully get back into normal mode.

    Since I know you guys are extremely busy, I decided to run new scans of everything just to see where I am. I realized that I've been running an outdated version of MBAM. After the update, MBAM found several new infections. SAS came up clean, other than tracking cookies. I ran a fresh HJT scan as well, for good measure.

    I've attached the new MBAM, SAS and HJT logs here.

    I really appreciate what you guys do. I'm crossing my fingers you can help me clean up this mess soon! Thx
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    One problem is that you did not check the line in Mbam to remove the entries it finds, so it shows No Action Taken.

    Please update Mbam and scan again, after doing this:
    Make sure that everything is checked, and click Remove Selected.

    After that, please run Combofix- it looks like it's up again:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    There has been a problem with Combofix, so if you get message that it's not available, let me know.

    When finished, do online scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Include the following in next reply:
    Combofix report
    Eset log
    new scan with HijackThis

    Please make a note to remind me to tell you how to reset the Cookies.
     
  8. wisconsindad

    wisconsindad TS Rookie Topic Starter

    Combofix down

    Tried the link to download Combo-fix, but I got the page saying it's down instead.
    Should I just sit tight and wait for it to come back up?

    p.s. I had already removed the items found by Mbam, I just mistakenly posted the wrong log.
     
  9. wisconsindad

    wisconsindad TS Rookie Topic Starter

    I found the ComboFix beta that was released on Wednesday on BleepingComputer's Facebook page. It worked.

    Eset found 2 infected files, but I'm assuming you'll tell me what to do about them, as Eset did not take any action on those files.

    The logs you requested are attached.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't see any antivirus program running. I totally missed this in the first HJT log! You mentioned Avast in your post but where is it?

    MEMSWEEP2: Added by the Sophos Anti-Rootkit security program, a Trojan remover. It does not have antivirus protection.

    Handle that first.

    Then remove the pirated program:
    ADOBE.CREATIVE.SUITE.4.MASTER.COLLECTON.DD.MULTILANGUAGE-ISO
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]


    hpqthb08.exe is a process which improves the startup time of HP Image Zone. HP throws all the Digital Imaging processes on Startup; none of them need to be there! So take them all off!

    Regarding the Eset scan: it found C:\Qoobox\Quarantine. Qoobox is where Combofix sends the quarantined files. It's off the system and will be removed when I have you uninstall Combofix.

    P2P Warning:
    I notice that you have BitTorrent which is a P2P program. P2P (person to person) programs are also called 'file sharing' programs. In earlier computer days, these programs did not have much threat. But as they progressed, so did the dangers of using them. For that reason, we do not permit discussion of this type of program, nor do we support it. The exception is to suggest you uninstall (c:\Program Files\DNA\btdna.exe) P2P programs for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    Let me know what you're going to do about the Adobe program so we can go on- or not.
     
  11. wisconsindad

    wisconsindad TS Rookie Topic Starter

    I could not figure out how to disable Avast, so I uninstalled it for the purposes of this cleanup process.

    Regarding "MEMSWEEP2," you said "Handle that first." What exactly should I do with it?

    For the Adobe program, I assume you mean to uninstall it through add/remove? If so, that's my next step.

    And finally, I don't know how to uninstall BitTorrent, since it doesn't show up in add/remove programs. (I didn't even know it was on the machine). Can you advise?

    Thanks. For what it's worth, the Google redirects seem to have stopped. I sincerely want to finish the job here, so I'll do whatever you instruct me to.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The first 3 cleaning programs do not require you to disable the security. When you get to Combofix or Eset, yes, instructions are to disable it. But you are always told to enable it as soon as you are finished with the program. Please reinstall and update it now.

    Regarding MEMSWEEP, I just left that with the comment that it did not have an AV program, in case you thought it did. You don't need to do anything with it.

    We should finish completely to make sure all the malware is gone. Sometimes the main problem, aka the Google redirect, resolves, but there can be other malware entries.

    You should uninstall the Adobe CS4 program either with its own uninstaller or in Add/Remove Programs.

    I went back to reread all the posts and noticed this:
    An .exe file is what 'executes' a program. If you want to go to the Green Bay Packers site, an .exe file attachment isn't going to work because the site doesn't get 'executed' like a program does.

    For instance: hpqthb08.exe will bring up many sites because hpqthb08 must be 'executed' to work. But if you entered hewlettepackard.exe, you're not going to find it because hewlettepackard isn't a program that needs to be executed.

    BitTorrent shows starting up on 2009-05-16 17:38. So you need to take it off of startup. Do a search on the computer for it- look first in All Programs.

    I'll take you at your word on uninstalling the Adobe CS4 program. You can have HijackThis remove the entries I left, then uninstall in Add/Remove, followed by deleting the program folder in Windows Explorer> C/Programs

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Run the Eset scan once more and if it's clean, I'll have you remove the cleaning tools and set new restore point.

    A tip for users on the system: stay away from the Coupon Sites!
     
  13. wisconsindad

    wisconsindad TS Rookie Topic Starter

    Adobe CS4 is gone. Combofix is uninstalled. Eset scan was clean.
    I attached new HJT and Eset logs.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You still don't have an antivirus program. Without that, what we have done was a waste of time!
     
  15. wisconsindad

    wisconsindad TS Rookie Topic Starter

    Actually, I do have an antivirus program now. Sorry, but the HJT log attached to the last email was prepared right before I installed Avira. I also enabled the Windows Firewall.

    There's a new HJT log which should verify this, for what it's worth.

    Is there anything more I need to do?
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I just had another member with this same program pirated. And he was full of malware.

    Part of my job is to tell members when they have either too many antivirus programs or none. If I don't see an antivirus entry in the HJT log, that means that at the time the scan was done, there was no AV running. That is not safe.

    Is the printer working yet?
    Has the search problem been resolved?
    What problems remain since you have run the scans?
     
  17. wisconsindad

    wisconsindad TS Rookie Topic Starter

    I understand why you mentioned the missing AV software. But I have it running now. Not sure what the point is in telling me again.

    My printer never stopped working. It was the Photosmart picture management software - and yes, it is working again (thank you!). Also (as I mentioned earlier), the Google redirects have also stopped.

    Everything seems to be in great working order. I don't know how to thank you enough.

    You mentioned a couple of posts ago that if the Eset scan was clean, you'd have me remove the cleaning tools and set a new restore point. I'm sure I can figure out how to do that on my own, but I didn't want to act without your direction.

    So let me know if you have specific instructions for doing this.

    Just in case you need it, I've attached the latest HJT log for good measure.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You really don't need to know this, but I go back and read all the replies in a thread. Sometimes I repeat what I've said for emphasis. And occasionally I miss something.

    To remove the cleaning tools and set new clean restore point:
    Remove all of the tools we used and the files and folders they created
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    If I can help you in the future, please let me know.
     
Topic Status:
Not open for further replies.
