
I recently downloaded a packaged application, accidentally installing a dozen unwanted programs. They are literally causing pop ups to randomly happen and it seems that over half of the unwanted programs are actually downloading and installing their own software packages without even asking me. These are eating up my CPU, making my computer games unplayable and the extensive ad windows that are popping up everywhere really annoying me.

It got to the point that I was furious and ready to heave the computer out the window, so I opened up the task manager and began to look for suspicious programs. I found a dozen or so with weird names like "GrubbWorm" and many others that I did not recognize. I know for the most part what is supposed to be running in the background (I spend a lot of time at the task manager because some of my larger games like Crusader Kings 2 and Stellaris freeze pretty regularly and the only way to quit after they freeze is to end them via the task manager).

I right clicked on each suspicious looking file and followed it to its folder. These were found in the C:\ProgramData folder:

timal
timals
Zoobam
Zoobams
install_clap
hpdlo
hpdlos
gnikn

Originally I thought hpdlos, hpdlo, timal, and timals might be okay. The problem was that when I opened timal, I found Hottrax.exe and HotBam.exe as well as ff.HP and ff.NT. I recognized the last two because my computer is infected with the SafeFinder browser hijacker and the url in the address bar points to various folders in ProgramData, though all the files end in the extension .HP or .NT. I opened them both in Notepad++ and not surprisingly the HTML there redirected the user to the SafeFinder sites. I backed out. After further inspection in the following folders:

ProgramData\Zoobams, ProgramData\timals, ProgramData\hpdlos

I found a copy of ff.HP and ff.NT in all of them! I knew that these were cons and deleted them all as well as terminating their processes in Task Manager and deleting their executables (no uninstall executables in their folders).

In C\58535902506c3e70b2 (suspicious folder name) I found MPSigStub.exe (suspicious file name) and tried to delete it. I have administrator access and tried to delete MPSigStub.exe. It denied my request, saying:

"You need permission to perform this action. You require permission from the computer's administrator to make changes to this file."

I am the fricking Administrator!

I continued on, looking at more malicious program files:

C:\a\winonit

C:\Program Files\isomer\teicher.exe and its accompanying DLL's

C:\Program Files\coyne\pepi.exe (on Task manager it is displayed as "nine")

C:\Program Files\isomer\neurosurgeon.exe

C:\Program Files\7ba6c700c05858a9f4cacf6d\mrt.exe

C:\Program Files\7ba6c700c05858a9f4cacf6d\mrtstub.exe

C:\Program Files\gnikn\Mathflex.exe

C:\Program Files\gnikn\gnikn.exe

C:\Program Files\alys\grubb.exe (labelled as "corrector" in the Task Manager)

C:\Program Files\Windows\groin.exe (labelled as "sextuplets" in Task Manager)

I also got a program by the name of (MPC Driver Updater) that was obviously a con (I opened it and it had a cheesy blue background and well over half of the English was misspelled or misformatted).

Furthermore an "Ads Tool Bar" was forcefully installed on my PC at C:\Program Files\Windows\adstoolbar.exe

I decided to run Windows Defender (up to date) and be done with it, but when I tried to click Windows Defender, I got a pop up message saying "Windows Defender has been turned off by group policy. To activate it please contact your system administrator." I googled the message and found that whatever is screwing with my PC (and mind) also changed the system registry to disable all antivirus, antimalware, adware detectors, etc. I found a tutorial on how to fix this and followed it. Problem solved!

I run Windows Defender and it detects absolutely nothing! I search for free antimalware tools (free because I am a broke teenager as I said before) and decide to run both Malwarebytes and ADWCleaner to fix everything. I successfully run ADWCleaner which detects and removes roughly half of the crud. I try to run Malwarebytes next, hoping it will get rid of the other ****, but as it starts, the window abruptly closes, I get a brief message saying "No, no, no!", and the downloaded Malwarebytes executable is erased from its folder in C:\Program Files(x86)\Malwarebytes.

I went through and deleted all of the malware but timal (I was not entirely sure it was malware). Everything worked well except a popup installer kept showing up telling me that it was installing more software. I turned the wifi off to stop this, and it froze the download (thankfully). I could not find the popup on task manager (it just wasn't there; I had three windows open but only 2 were showing up). I decided to delete timal.exe and did. The intrusive window closed and I thought I had won. I opened up one of my games and noticed the sound was not working. At all, despite my volume being raised up full blast and my sound settings set on high. I exited the game and tried to play an mp3 on an external drive. It failed and the following message popped up:

"Can't play. Make sure your computer's sound and video cards are working and have the latest drivers, then try again. [Error code] 0xc00d11d1 (0x8007007e)."

I am on the verge of refreshing my PC. Do you think this might help, assuming I accidentally deleted something important to the audio or video? Or should I do a factory reset? Do I need internet to do a factory reset? Is this definitely software and not a hardware problem? I have all of my most important information, games, movies, images, and documents backed up to an external SD Card that I usually use with my Kindle Fire. Should simply refreshing my PC work, or do I need to factory reset it?

Note, I am using an older version of Windows (8.1) on an HP Pavilion 10 TS Notebook because the updates require an internet connection combined with a lot of time, and I am a broke teenager living in the middle of nowhere unable to get internet for longer than 1-2 hours (an unusually long trip to Wendys), so I have neglected updating the computer except for a couple of times since I got it in 2014 on Christmas.

I am asking here to see if anybody has an idea as to what I could try. I am open to command line utilities if they can help as well, but am willing to do a factory reset if I need to.

I asked on the Microsoft forums but so far I have only gotten around 4 views and no support, and I only have a very narrow window to do anything before I lose internet connection for the weekend (I am ordering a burger at Wendys every hour to extend my stay as long as possible and will not be able to come back to town until next Monday).

Yes, I do realize that manually editing like that is not recommended unless you know completely what you are doing, but you have (well, you don't have to, but I hope you will) to realize I was operating off of the "You hackers have no f****** right to mess with MY computer!" emotion and I wasn't, and probably still am not, thinking clearly.

Thanks in advance!

Vomit IT - Chunky Mess Style
Jax
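A read-only check for the symptom the poster describes (Windows Defender reporting itself "turned off by group policy"), added here as an example and not part of the original post or the poster's own steps. It reads the Defender policy registry values that produce that message and the state of the Defender service; it assumes an elevated PowerShell prompt on Windows 8.1 and changes nothing.

```powershell
# Added example: report whether Windows Defender has been switched off through the
# policy registry values (the usual cause of the "turned off by group policy" message)
# and whether its service is running. Read-only; run from an elevated PowerShell prompt.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$rtpKey    = Join-Path $policyKey 'Real-Time Protection'

function Get-PolicyValue {
    # Returns the named DWORD from the key, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Policy values that disable Defender when set to 1. Neither exists on a default install.
$checks = @(
    @{ Path = $policyKey; Name = 'DisableAntiSpyware';        Meaning = 'Defender disabled entirely' },
    @{ Path = $rtpKey;    Name = 'DisableRealtimeMonitoring'; Meaning = 'real-time protection disabled' }
)

foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    if ($null -eq $value) {
        Write-Output ("OK      {0}\{1} not set" -f $c.Path, $c.Name)
    } elseif ($value -eq 1) {
        Write-Output ("WARNING {0}\{1} = 1 ({2})" -f $c.Path, $c.Name, $c.Meaning)
    } else {
        Write-Output ("OK      {0}\{1} = {2}" -f $c.Path, $c.Name, $value)
    }
}

# WinDefend is the Windows Defender service name on Windows 8.1; it should be Running.
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'WARNING Windows Defender service (WinDefend) not found'
} else {
    Write-Output ("Service WinDefend: {0}" -f $svc.Status)
}
```

A WARNING line means the policy value is still set (or the service is stopped) and Defender will keep refusing to start until it is cleared; an OK on every line but a stopped service points at something other than policy.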
  • The only sure solution is to burn and reinstall - especially when you are infected with so much cr@p. – DavidPostill Jun 30 '16 at 17:20
  • What a long post to state you have a virus! – Dave Jun 30 '16 at 17:32
  • Refreshing it might not help. Download (or get a copy) of Windows from Microsoft and nuke this machine completely. – Mokubai Jun 30 '16 at 17:37
  • You'd be surprised how many people will accept 5 dollars to allow you to use their internet for the day via wifi. (people are struggling).. I strongly don't recommend eating burgers as it can be very unhealthy and costly if you consume too many within a 24 hour period. But definitely will need to reinstall. – NotAdmin Dave Jun 30 '16 at 17:41
  • @DavidPostill Should the included, built-in recovery partition (D:\recovery) be enough to reset the computer? Never had to reset one before b/c I have never forgotten to use the custom install option before this ;) – Jax Jun 30 '16 at 17:49
  • @GuitarShoeDave The best thing at Wendys IMO, and I almost never eat out anyway, so I should be good. Should I alternate between fries and burgers :-)? – Jax Jun 30 '16 at 17:54
  • @Mokubai The computer has a built in recovery partition drive. I don't have the product keys that Microsoft would almost assuredly request (I lost them sometime last year). I can't "nuke the computer" as in completely wipe it of everything, and a complete factory reset is the best I can hope for (not to mention I don't have a disk drive in my laptop to boot Windows from even if I did get a copy, and I cannot get one today). – Jax Jun 30 '16 at 18:00
  • @DJMethaneMan Get a tool from the Internet to make sure you have your product key (such as Jellybean Key Finder) and then use the [Windows 8 download from Microsoft](https://www.microsoft.com/en-gb/software-download/windows8) to create a bootable USB from a known clean machine. If your machine is as badly infected as you say it is then I wouldn't trust the infection to have left your recovery partition alone. – Mokubai Jun 30 '16 at 18:06
  • @Mokubai The problem is, I guess, that this laptop is the only machine I have aside from my Android-based phone and Kindle Fire. I am not sure I could install Windows to my PC from an Amazon Kindle Fire, and I have no friends who will let me use their computers (they are afraid it will infect their computers too). Could I boot Windows from a 16 gig SD card? – Jax Jun 30 '16 at 18:23
  • "I don't have the product keys" - Unless the machine came with Windows 7, you don't need the product key, just download the version of Windows you were installing and it will automatically detect your license key stored in the firmware on the device. Just boot to a Linux environment stored on a flash device or an optical disk, download Windows, and then burn the .ISO to the optical disk or create a bootable flash device. – Ramhound Jun 30 '16 at 20:24
  • @Ramhound Do you know of a step-by-step tutorial on how to do that? I do not store anything truly important on my PC (even my financial information consists of a single debit card that NEVER has more than $20 on it at a time, so I will almost certainly try to do an automatic factory reset, but if it doesn't work it is always nice to know how to do it manually) aside from school work and my steam account information. – Jax Jun 30 '16 at 20:47
  • A tutorial to explain what exactly? What I describe has been documented by hundreds of websites. – Ramhound Jun 30 '16 at 20:54
  • @Ramhound The entire process of removing Windows 8.1 and reinstalling it... Doing that is way outside of my comfort zone with computers, and I feel I should be taking (extra careful) baby steps lest I make a poor assumption or skip over something important and obvious to someone with more experience, but not to me, and ruin it completely, considering that there is little to no chance that I will have access to another PC before I graduate High School in two years. – Jax Jun 30 '16 at 21:18
  • You boot to the Windows installation disk, you format the hdd, you install Windows. It's not complicated, I literally can't explain in detail how to do what I described, because it's that easy – Ramhound Jun 30 '16 at 21:41

0 Answers