Hundreds of hidden Chrome now IE processes after installing software


  1. Posts : 39,956
    Win 7 32, Win 7 64 Pro, Win 8.1 64 Pro, Win 10 64 Education Edition, Win 11 Pro
       #31

    tacos team said:
    Thanks again Borg. I went into Revo Autorun Manager and hit confirm on delete and there were no other options - I think they only appear for programs that have been installed normally. Anyhow, on restart it has stopped it from loading although the exe is still there. I ran superantispyware and it just detected 1500+ tracking cookies, maybe I should monitor these a bit more carefully in the future!

    I may well do a system restore, or even a clean install. I am wondering whether I should nuke the hard drive first, and run command line based AV scanners as well to detect hidden files etc?
    I think a system restore to a point 2 or 3 points past the infection time would be a good idea and would definitely be easier than trying to hunt down all the bits & pieces that this infection has spread all over. I say 2 or 3 points past because some malware can embed itself in the 1st restore point, so when you try to roll back it's still present on the OS.

    Just to cover all the bases, d/l & run TDSSKiller to confirm there are no rootkits on your system. Do this before you do a restore, being that if one is present, a restore won't delete it.

    TDSSKiller Download

    Note
    When running TDSSKiller, launch the program, click on the blue text "Change Parameters" & check the box marked "Detect TDLFS File system." Click OK & then run the scan.


    You could try a restore 1st & then if the trouble persists, then consider the option of a clean install.

    Starting over is a PIA, but it's the best option to ensure that you start with a clean system. It's usually a good idea to wipe the drive since some malware, particularly rootkits can survive a clean install.

    Here is a list of disk erasers you can opt to use. Once you wipe the HDD you shouldn't have anything left on the drive to need a scan on.

    Five hard disk cleaning and erasing tools - TechRepublic


  2. Posts : 16,325
    W10Prox64
       #32

    tacos team said:
    I looked in the strings for anything like keylogger, capture, but couldn't see anything obvious. If it can do the others presumably it could do that too though. It seems it probably disguises its activities as crash reporting, see the registry entries listed at the bottom of this bleeping computer removal guide (for the older non hidden exe with gui)

    How to remove Inetstat or Interstart (Removal Guide)

    I have malwarebytes, adwcleaner, hitmanpro, superantispyware but none detected it. I just ran RKill again and it did detect it using heuristics:

    AppData\Roaming\Interstatnogui\interstatnogui.exe (PID: 7436) [UP-HEUR]

    I am now pretty sure it is a clone of the older Weatherman trojan as there is still a lot of weather related crap, same filenames, same creator name in the strings. I had a look to see if there was a virus submission form on eset, I couldn't see anything obvious, presume I would have to download and install it? It seems a tad frustrating there isn't more I can do to alert more AV vendors about this bar posting on each forum individually.
    Yeah ESET would have to be installed, and run, for it to be submitted. I am not positive, but pretty sure that the major AVs share info on new threats. Trouble is, this is a PUP, not virus, so AVs don't really go there. You'll notice that BleepingComputer's cleaning instructions have no AV in sight.
    tacos team said:
    Thanks again Borg. I went into Revo Autorun Manager and hit confirm on delete and there were no other options - I think they only appear for programs that have been installed normally. Anyhow, on restart it has stopped it from loading although the exe is still there. I ran superantispyware and it just detected 1500+ tracking cookies, maybe I should monitor these a bit more carefully in the future!

    I may well do a system restore, or even a clean install. I am wondering whether I should nuke the hard drive first, and run command line based AV scanners as well to detect hidden files etc?
    I would try the system restore first. Actually, I would have tried that a long time ago.
    I could be wrong, but I thought you could clean a drive easily using diskpart - even hidden partitions from infections will be nuked that way. I recently did that on a few sticks that were infected with worms and hidden partitions.


    Borg 386 said:
    I think a system restore to a point 2 or 3 points past the infection time would be a good idea and would definitely be easier than trying to hunt down all the bits & pieces that this infection has spread all over. I say 2 or 3 points past because some malware can embed itself in the 1st restore point, so when you try to roll back it's still present on the OS.

    Just to cover all the bases, d/l & run TDSSKiller to confirm there are no rootkits on your system. Do this before you do a restore, being that if one is present, a restore won't delete it.

    TDSSKiller Download

    Note
    When running TDSSKiller, launch the program, click on the blue text "Change Parameters" & check the box marked "Detect TDLFS File system." Click OK & then run the scan.


    You could try a restore 1st & then if the trouble persists, then consider the option of a clean install.
    Agreed. TDSSKiller and then system restore.
    Matter of fact, I would first go into Ccleaner and delete restore points that *could* be infected, and 2 or 3 more before that time. That way you're sure you don't use one you didn't mean to.
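An added check, not from any of the posters in this thread: a PowerShell snippet that does by hand what RKill's heuristic did above, listing processes whose executable runs from a user-writable profile folder (the thread's PUP ran from AppData\Roaming) and the Run/RunOnce autostart entries that point into such folders. The registry keys and folder lookups are standard Windows locations; nothing is deleted, the output is only for review.

```powershell
# Added example (not from the thread): list running processes whose image lives
# under a user-writable profile path such as AppData\Roaming, then list Run/RunOnce
# autostart entries that point there. The PUP in this thread ran from
# AppData\Roaming\Interstatnogui\interstatnogui.exe and was missed by several scanners.

$suspectRoots = @(
    [Environment]::GetFolderPath('ApplicationData')        # %APPDATA% (Roaming)
    [Environment]::GetFolderPath('LocalApplicationData')   # %LOCALAPPDATA%
    [IO.Path]::GetTempPath()                               # per-user Temp
)

function Test-SuspectPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    foreach ($root in $suspectRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Processes executing from a profile directory (own-user processes need no admin rights)
Write-Host '== Processes running from user-writable locations =='
Get-Process | Where-Object { Test-SuspectPath $_.Path } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# 2. Run/RunOnce autostart entries whose command points into those same locations
Write-Host '== Autostart entries pointing at user-writable locations =='
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # skip PowerShell's own metadata members
        $command = [string]$prop.Value
        # keep just the executable: a quoted path, or the first token ending in .exe
        $exe = ($command -replace '^"([^"]+)".*$', '$1') -replace '^(\S+?\.exe).*$', '$1'
        $expanded = [Environment]::ExpandEnvironmentVariables($exe)
        if (Test-SuspectPath $expanded) {
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $command }
        }
    }
}
```

Run it in an elevated PowerShell to see other users' and system processes too; anything legitimate that installs per-user (some browsers, updaters) will also show up, so treat hits as leads to verify, not verdicts.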


  3. Posts : 32
    Windows 10 64 bit Home
    Thread Starter
       #33

    Borg 386 said:
    I think a system restore to a point 2 or 3 points past the infection time would be a good idea and would definitely be easier than trying to hunt down all the bits & pieces that this infection has spread all over. I say 2 or 3 points past because some malware can embed itself in the 1st restore point, so when you try to roll back it's still present on the OS.

    Just to cover all the bases, d/l & run TDSSKiller to confirm there are no rootkits on your system. Do this before you do a restore, being that if one is present, a restore won't delete it.

    TDSSKiller Download

    Note
    When running TDSSKiller, launch the program, click on the blue text "Change Parameters" & check the box marked "Detect TDLFS File system." Click OK & then run the scan.


    You could try a restore 1st & then if the trouble persists, then consider the option of a clean install.

    Starting over is a PIA, but it's the best option to ensure that you start with a clean system. It's usually a good idea to wipe the drive since some malware, particularly rootkits can survive a clean install.

    Here is a list of disk erasers you can opt to use. Once you wipe the HDD you shouldn't have anything left on the drive to need a scan on.

    Five hard disk cleaning and erasing tools - TechRepublic
    Thanks again Borg. I ran TDSSKiller and nothing found. I did notice it's Kaspersky though which I have installed and since Kaspersky is not detecting this malware, it may not find anything related to it? There was also the mystery of a connection to Kaspersky servers from one of these background internet explorer processes possibly from this malware which made me somewhat suspicious. I asked Kaspersky about it and there was no response.

    I haven't decided whether to restore or clean install yet. Part of me wants to clean install as I did an upgrade install to Windows 10 and part of the hardware was not detected correctly.


  4. Posts : 32
    Windows 10 64 bit Home
    Thread Starter
       #34

    simrick said:
    Yeah ESET would have to be installed, and run, for it to be submitted. I am not positive, but pretty sure that the major AVs share info on new threats. Trouble is, this is a PUP, not virus, so AVs don't really go there. You'll notice that BleepingComputer's cleaning instructions have no AV in sight.
    I am not sure it is just a PUP though. If you look at the earlier Weatherman malware that was almost certainly made by the same person it is detected by multiple AV providers as a Trojan. I think the programmer just got better at disguising it.

    https://www.virustotal.com/en/analis...f88d/analysis/

    Malware scan of gpupd55f74af50.exe (WeatherMan) 27e51183a0b4284d492b1a5ecb611b703f98e10c - Reason Core Security Labs

    Also softwebbar from the same programmer installs a backdoor IRC channel, but that is still not detected by many AV vendors

    Malware scan of softwebbar.exe (UserMon) c881585af321a20d92a1d4e9d5043faf00de474d - Reason Core Security Labs

    https://www.virustotal.com/en/file/7...e082/analysis/

    simrick said:
    I would try the system restore first. Actually, I would have tried that a long time ago.
    I could be wrong, but I thought you could clean a drive easily using diskpart - even hidden partitions from infections will be nuked that way. I recently did that on a few sticks that were infected with worms and hidden partitions.

    Agreed. TDSSKiller and then system restore.
    Matter of fact, I would first go into Ccleaner and delete restore points that *could* be infected, and 2 or 3 more before that time. That way you're sure you don't use one you didn't mean to.
    But what's stopping a trojan writer from just infecting all restore points? It doesn't sound like just going back to 3 steps before you can really be sure of being free of it. One thing I am not sure about with a clean install is I have a 'system reserved' virtual drive with bootmgr, boot and recycle bin hidden folders on, would a disk cleaner just remove and detect that also? So after doing that I could just put in a DVD with Windows 10 iso on it and boot into this?


  5. Posts : 16,325
    W10Prox64
       #35

    tacos team said:
    I am not sure it is just a PUP though. If you look at the earlier Weatherman malware that was almost certainly made by the same person it is detected by multiple AV providers as a Trojan. I think the programmer just got better at disguising it.

    https://www.virustotal.com/en/analis...f88d/analysis/

    Malware scan of gpupd55f74af50.exe (WeatherMan) 27e51183a0b4284d492b1a5ecb611b703f98e10c - Reason Core Security Labs

    Also softwebbar from the same programmer installs a backdoor IRC channel, but that is still not detected by many AV vendors

    Malware scan of softwebbar.exe (UserMon) c881585af321a20d92a1d4e9d5043faf00de474d - Reason Core Security Labs

    https://www.virustotal.com/en/file/7...e082/analysis/


    But what's stopping a trojan writer from just infecting all restore points? It doesn't sound like just going back to 3 steps before you can really be sure of being free of it. One thing I am not sure about with a clean install is I have a 'system reserved' virtual drive with bootmgr, boot and recycle bin hidden folders on, would a disk cleaner just remove and detect that also? So after doing that I could just put in a DVD with Windows 10 iso on it and boot into this?
    Trojans download stuff. They bring in the infections.
    Use diskpart, or put the W10 ISO in and do a custom install and delete all partitions so you're clean installing to a completely unallocated drive.
    Then, make regular images with something like Macrium Reflect Free, and you won't have to go through this again.


  6. Posts : 32
    Windows 10 64 bit Home
    Thread Starter
       #36

    simrick said:
    Trojans download stuff. They bring in the infections.
    Use diskpart, or put the W10 ISO in and do a custom install and delete all partitions so you're clean installing to a completely unallocated drive.
    Thanks for the tip. Sorry if a dumb question but how will Windows 10 then know I have a valid license, do I need to backup the serial number somewhere or can I use my original Windows 7 key?
    simrick said:
    Then, make regular images with something like Macrium Reflect Free, and you won't have to go through this again.
    Yeah, point taken.

    Just a little extra point on the original software I installed, Stereo_Mix_Plus_Setup.exe (from REMOVETHIShttp://stereomixplus.com ), it seems to originate in China with a company named Shining Morning Inc. which has past form on installing adware at the very least with its 'magic camera' software

    https://www.virustotal.com/en/file/c...1aad/analysis/

    https://www.virustotal.com/en/file/4...5c74/analysis/

    ESET AV Remover - List of removable applications and instructions to run the tool - ESET Knowledgebase


  7. Posts : 16,325
    W10Prox64
       #37

    tacos team said:
    Thanks for the tip. Sorry if a dumb question but how will Windows 10 then know I have a valid license, do I need to backup the serial number somewhere or can I use my original Windows 7 key?
    Once a system has had W10 installed and activated, its activation resides on the MS servers, and you can reinstall/clean install as often as you like/need. Just don't go changing the motherboard.... If you'd like to see your keys:
    Showkey - Windows 10 Forums
    But don't enter one when reinstalling.
    tacos team said:
    Yeah, point taken.
    :)
    Macrium Reflect - Backup Restore - Windows 10 Forums

    tacos team said:
    Just a little extra point on the original software I installed, Stereo_Mix_Plus_Setup.exe (from REMOVETHIShttp://stereomixplus.com ), it seems to originate in China with a company named Shining Morning Inc. which has past form on installing adware at the very least with its 'magic camera' software

    https://www.virustotal.com/en/file/c...1aad/analysis/

    https://www.virustotal.com/en/file/4...5c74/analysis/

    ESET AV Remover - List of removable applications and instructions to run the tool - ESET Knowledgebase
    Yeah, have to be so careful downloading stuff these days....


  8. Posts : 32
    Windows 10 64 bit Home
    Thread Starter
       #38

    Simrick, Borg, thanks for your replies, am having some issues with reinstalling and formatting, would appreciate if you could check my pm, cheers.


  9. Posts : 16,325
    W10Prox64
       #39

    Hi.
    I will put your message here, in case it helps others in the future:

    Hey guys
    Finally got round to backing everything up and reinstalling, but have encountered a pretty major stumbling block. On using the Windows 10 install disk, I got into the installation process, up to where I wanted to install windows, I have various partitions showing up of both my drives - my 128GB Samsung Pro SSD and 3TB WD HDD - the SSD has three partitions:

    Partition 1: System Reserved 100MB

    Partition 2: Primary 118GB

    Partition 3: OEM (Reserved) 450MB

    The HDD has two partitions:

    Partition 1 128MB

    Partition 2 2794GB

    I selected the primary partition of the SSD and selected format, but now when trying to install it shows error 0x80300024 - I found this thread on sevenforums suggesting it doesn't like other large hard drives connected - could this still be the same issue in Windows 10 and Microsoft haven't bothered to fix it, or could it be another issue? Do I also need to format the system reserved and OEM partitions on the SSD? Would really appreciate advice on this, cheers.

    Error (0x80300024) Solved - Page 6 - Windows 7 Help Forums
    Correct, you must not have any other hard drives connected during install. The "custom install" option should be used, then delete all partitions on the SSD, and install to a completely unallocated drive, as shown in the tutorial.


    [Screenshot attachment: unallocated drive space]


  10. Posts : 32
    Windows 10 64 bit Home
    Thread Starter
       #40

    Thanks for your reply and the tutorial link :). I think the 450MB partition currently on the SSD must be the UEFI partition. I presume it's best to use UEFI? I have seen a suggestion that if I just change the boot order in BIOS so the SSD is disk 0, you might not need to remove the other drive?

