Every so often my PC starts getting slow. In the task manager there are dozens of processes that I don’t recognize. It’s a real pain to clean these out. But, …, I guess this is just basic maintenance that needs to be done. Here are my notes for today. I doubt this makes good reading, unless you land here via a search engine and want to see how I got rid of something.
The first lesson here is that removing crap is best done in the Administrator account, and not just in an ID with administrator privileges. Some utilities (sc for example) test for user ID and not just privileges. If you use Windows Vista, 7, or 8, this account is “hidden”. Sigh. If you’ve ever wondered what the option “run as Administrator” is, now you need it.
On the site windowsvc.com, I found this helpful way to remove crap installed as a service. In this case, I wanted to remove BrsHelper:
Open a command prompt by right clicking its icon and selecting “run as Administrator”. Copy the lines in red respectively to stop, disable auto-start, and to delete the service entirely. For example,
sc stop “BrsHelper”
sc config “BrsHelper” start=disabled
sc delete “BrsHelper”
I note on the web that others get “Access Denied” with sc even when running it as Administrator. I didn’t have that problem, but beware. This seems like a nice utility. It does have a side effect of staying in memory after using it. I had to kill its process tree from the task manager when I was done with it.
The Administrator account isn’ t just hidden, it isn’t enabled at all. To enable it, run the command prompt as Administrator as above, then type:
net user administrator /active:yes
Now the Administrator account is active, and you’ll see it when you want to log in or just change user accounts. BEWARE, initially it has no password. Be sure to set a good one if you want to leave it active. To disable it, repeat the above command with “no” instead of “yes”.
I was trying to remove the crapware YTdownloader, and ran into the above Administrator problem. There is an interesting utility autoruns.exe which lists all of the programs that are set to auto run. You must run this program as Administrator, but you can tune the autoruns without messing directly with the registry. You can also submit whatever you find to VirusTotal. My local McAfee claims there is a trojan inside YTdownloader.exe. There are other reports that it is malware. My early attempts to remove it got trapped by McAfee which claimed that the program was moved to a quarantine area. But going to McAfee’s interface for its quarantined files showed no sign of YTdownloader. I could find it using the file explorer, and there was a directory of the same name, which I could delete but only as Administrator. This didn’t get rid of a companion program BrsHelper, which I killed as above.
Incidentally, YTdownloader is sometimes called YouTube downloader. Beware of being tricked into installing YTdownloader by trying to download videos! I don’t understand the relationship here.
I also got rid of a couple Dell programs with bad reputations: dkab1err.exe (the character after the “b” is the digit one.) and DKADGmon.exe. They must have gotten installed when I used a Dell printer at one of my consulting client’s sites. With Administrator active, I had no trouble deleting them. I did have to deal with an extra prompt to continue however. Just click it and move on.www-searching.com
The program biomonitor.exe was always running. The utility autoruns.exe didn’t list it. Apparently it is part of HP’s SimplePass fingerprinting tool. To delete it, kill the process tree for biomonitor from the task manager, and then uninstall HP SimplePass from the control panel.
I came across a program WindowexeAllkiller.exe. While it looked interesting, it required the .Net framework, thus I didn’t try it. CNET warns that while safe, an inexperienced user can get into trouble. The author recommends checkpointing Windows before using it. The apparent goodness of this tool is that you can eliminate several bad programs at once. I suppose this is why it is such a dangerous tool. Some feedback on this tool would be welcome.
As I was thinking I was done, I noticed an unexpected tab in Chrome for www-searching.com. (Note the hyphen.) I don’t know how it got there. As I was on a roll looking for strangeness, I quickly found that this program was a search engine of sorts that was designed to track you and steal your personal information. The only damage it did to me was to install a shortcut to its site on my task bar. Of course I deleted the task bar item and the tab in Chrome, and then I did all the due diligence to get rid of potential infection elsewhere. I searched the registry, checked for Chrome add-ons and for a hijacked home page, checked the Chrome history and was very surprised to find nothing, checked the scheduled tasks, searched the file system, and looked for ads by it. I couldn’t find anything else. Malwarebytes was reputed to find and remove it, but a complete scan found nothing. Maybe I was lucky that I didn’t try out this bogus search engine!
I noticed on the web that www-searching.com was also similar to ohtgnoenriga.com (Gads, what language is that?) as well as search.conduit.com “Conduit Search”. I also looked for ohtgnoenriga and conduit.com on my system, and fortunately found nothing.
Finally, I deactivated my Administrator account as above.