I recently downloaded a packaged application, accidentally installing a dozen unwanted programs. They are literally causing pop ups to randomly happen and it seems that over half of the unwanted programs are actually downloading and installing their own software packages without even asking me. These are eating up my CPU, making my computer games unplayable and the extensive ad windows that are popping up everywhere really annoying me.
It got to the point that I was furious and ready to heave the computer out the window, so I opened up the task manager and began to look for suspicious programs. I found a dozen or so with wierd names like "GrubbWorm" and many others that I did not recognize. I know for the most part what is supposed to be running in the background (I spend a lot of time at the task manager because some of my larger games like Crusader Kings 2 and Stellaris freeze pretty regularly and the only way to quit after they freeze is to end them via the task manager).
I right clicked on each suspicious looking file and followed it to its folder. These were found in the C:\ProgramData folder:
Originally I thought hpdlos, hpdlo, timal, and timals might be okay. The problem was that when I opened timal, I found Hottrax.exe and HotBam.exe as well as ff.HP and ff.NT. I recognized the last two because my computer is infected with the SafeFinder browser hijacker and the url in the address bar points to various folders in ProgramData, though all the files end in the extension .HP or .NT. I opened them both in Notepad++ and not surprisingly the HTML there redirected the user to the SafeFinder sites. I backed out. After further inspection in the following folders:
ProgramData\Zoobams, ProgramData\timals, ProgramData\hpdlos
I found a copy of ff.HP and ff.NT in all of them! I knew that these were cons and deleted them all as well as terminating their processes in Task Manager and deleting their executables (no uninstall executables in their folders).
In C\58535902506c3e70b2 (suspicious folder name) I found MPSigStub.exe (suspicious file name) and tried to delete it. I have administrator access and tried to delete MPSigStub.exe. It denied my request, saying:
"You need permission to perform this action. You require permission from the computers' administrator to make changes to this file."
I am the fricking Administrator!
I continued on, looking at more malicious program files:
C:\Program Files\isomer\teicher.exe and its accompanying DLL's
C:\Program Files\coyne\pepi.exe (on Task manager it is displayed as "nine")
C:\Program Files\alys\grubb.exe (labelled as "corrector" in the Task Manager)
C:\Program Files\Windows\groin.exe (labelled as "sextuplets" in Task Manager)
I also got a program by the name of (MPC Driver Updater) that was obviously a con (I opened it and it had a cheezy blue background and well over half of the English was misspelled or misformated.
Furthermore an "Ads Tool Bar" was forcefully installed on my PC at C:\Program Files\Windows\adstoolbar.exe
I decided to run Windows Defender (up to date) and be done with it, but when I tried to click Windows Defender, I got a pop up message saying "Windows Defender has been turned off by group policy. To activate it please contact your system administrator. I googled the message and found that whatever is screwing with my PC (and mind) also changed the system registry to disable all antivirus, antimalware, adware detectors, etc. I found a tutorial on how to fix this and followed it. ‘!Problem solved’.
I run Windows Defender and it detects absolutely nothing! I search for free antimalware tools (free because I am a broke teenager as I said before) and decide to run both Malwarebytes and ADWCleaner to fix everything. I successfully run ADWCleaner which detects and removes roughly half of the crud. I try to run Malwarebytes next, hoping it will get rid of the other ****, but as it starts, the window abruptly closes, I get a brief message saying "No, no, no!", and the downloaded Malwarebytes executable is erased from its folder in C:\Program Files(x86)\Malwarebytes.
I went through and delete all of the malware but timal (I was not entirely sure it was malware). Everything worked well except a popup installer kept showing up telling me that it was installing more software. I turned the wifi off to stop this, and it froze the download (thankfully). I could not find the popup on task manager (it just wasn't there, I had three windows open but only 2 were showing up). I decided to delete timal.exe and did. The intrusive window closed and I thought I had won. I opened up one of my games and noticed the sound was not working. At all, despite my volume being raised up full blast and my sound settings set on high. I exited the game and tried to play an mp3 on an external drive - it failed and the following message popped up;
"Can't play. Make sure your computers' sound and video cards are working and have the latest drivers, then try again. [Error code] 0xc00d11d1 (0x8007007e)."
I am on the verge of refreshing my PC. Do you think this might help, assuming I accidentally deleted something important to the audio or video? Or should I do a factory reset? Do I need internet to do a factory reset? Is this definitely software and not a hardware problem? I have all of my most important information, games, movies, images, and documents backed up to an external SD Card that I usually use with my Kindle Fire. Should simply refreshing my PC work, or do I need to factory reset it?
Note, I am using an older version of Windows (8.1) on a HP Pavillion 10 TS Notebook because the updates require internet connection combined with a lot of time, and I am a broke teenager living in the middle of nowhere unable to get internet for longer than 1-2 an hours (an unusually long trip to Wendys), so I have neglected updating the computer except for a couple of times since I got it in 2014 on Christmas.
I am asking here to see if anybody has an idea as to what I could try. I am open to command line utilities if they can help as well, but am willing to do a factory reset if I need to.
I asked on the Microsoft forums but so far I have only gotten around 4 views and no support, and I only have a very narrow window to do anything before I lose internet connection for the weekend (I am ordering a burger at Wendys every hour to extend my stay as long as possible and will not be able to come back to town until next Monday).
Yes, I do realize that manually editing like that is not reccomended unless you know completely what you are doing, but you have (well, you don't have to, but I hope you will) to realize I was operating off of the "You hackers have no f****** right to mess with MY computer!" emotion and I wasn't, and probably still am not, thinking clearly.
Thanks in advance!
User contributions licensed under CC BY-SA 3.0