Hundreds of hidden Chrome now IE processes after installing software


  1. Posts : 39,789
    Win 7 32, Win 7 64 Pro, Win 8.1 64 Pro, Win 10 64 Education Edition, Win 11 Pro
       #21

    It would be good to follow the 1st guide you posted the link to. I notice they advise you to use RKill. A word about using this, the program terminates known malware/virus processes running in the background. This is needed due to the fact that some malware cannot be removed while it is running.

    Once you have run RKill, do not reboot your OS. This will only enable the malware to run again upon start up. Instead, once you run RKill, immediately start scanning with the recommended software. It might be a good idea not to be connected to the net while doing the scans since this nuisance has a habit of trying to connect to home.


  2. Posts : 32
    Windows 10 64 bit Home
    Thread Starter
       #22

    Hey Borg :) thanks for your comments. I actually did this but RKill did not detect it. I did then do another Malwarebytes and AdwCleaner scan, but nothing was found. It seems like it really is out in the wild with only a few vendors detecting it so far. Is there an easy way, or do I basically have to post at all these vendors' different forums or virus submission forms to get this info out there to other providers?

    I also tried Revo but it would not even find the program.

    OK, I tell a lie, it is listed in autorun manager, under HKCU Run, although I have it suspended in process explorer. Presumably if I right click and click remove selected, it will remove the prog and the registry entry?


  3. Posts : 39,789
    Win 7 32, Win 7 64 Pro, Win 8.1 64 Pro, Win 10 64 Education Edition, Win 11 Pro
       #23

    RKill doesn't remove anything, it only attempts to stop malicious processes from running. After it does that, the other scanners can remove anything malicious. Most times when a malware process is running, it can't be removed. Once stopped with RKill, it is usually detected & can be removed.

    If you found the offending reg key & you are sure it's linked to that malware, go ahead & back up your registry & then remove it. Removing the reg key may cripple the malware but the program is still in your files somewhere. If you can find the location & remove that as well then that might solve the problem.

    How to Backup and Restore the Windows Registry

    Meanwhile, if you want to let the malware scanners try again after running RKill, then go ahead.


  4. Posts : 32
    Windows 10 64 bit Home
    Thread Starter
       #24

    Hi Borg, sorry if I wasn't clear: I meant Revo found it in its Autorun Manager function. Weirdly, it does not show up at all in msconfig? If I select it in Revo, the Remove button goes active; I presume if I click it, it will remove both the registry key and the program?


  5. Posts : 39,789
    Win 7 32, Win 7 64 Pro, Win 8.1 64 Pro, Win 10 64 Education Edition, Win 11 Pro
       #25

    Oh, OK, if Revo found it then go ahead & use that to remove it. Choose the advanced setting & it will also show the reg keys linked to the program that you are removing & give you the chance to select & remove those also.

    Please read this guide 1st & make sure to remove only the bolded reg keys. Removing anything else will possibly hose the OS completely. Revo makes a restore point if it has not been disabled in settings, but making one before running Revo would be a good idea.

    http://www.revouninstaller.com/manua...are%20Help.pdf


  6. Posts : 32
    Windows 10 64 bit Home
    Thread Starter
       #26

    Hi, I went to delete it and I can't see an advanced option, it just asks OK to delete this item? Meanwhile I have been looking at process explorer (with the process suspended), and I found some info in the strings that seems to:

    1. confirm links to other malware processes inetstat.exe interstat.exe speedtray.exe isup.exe UserMon.exe

    What is speedtray.exe?

    2. confirms link to REMOVETHIShttp://interstat.eu

    3. suggests it has screenshot video and emailing ability.

    4. The programmer of the adware / trojans seems to be named Ozrenko (Yugoslavian name), which links it to an older, more widely detected trojan, Weatherman (exes inter_weather_v320 interstat gpupd55f74af50 inter_weather2)

    Malware scan of gpupd55f74af50.exe (WeatherMan) 27e51183a0b4284d492b1a5ecb611b703f98e10c - Reason Core Security Labs

    https://www.virustotal.com/en/file/6...fb9a/analysis/

    https://www.virustotal.com/en/analis...f88d/analysis/

    also User Monitor UserMon.exe aka softwebbar.exe sftwbbr_v333.exe

    https://www.virustotal.com/en/file/7...e082/analysis/

    Malware scan of softwebbar.exe (UserMon) c881585af321a20d92a1d4e9d5043faf00de474d - Reason Core Security Labs


    NetworkMonitor NetworkMonitor.exe

    https://virustotal.com/it/file/a3476...1a72/analysis/

    BandwidthMon BandwidthMon.exe aka bandwidthstat.exe speedmon.exe inter_bandwidth_v339.exe

    https://www.virustotal.com/en/analis...f9a8/analysis/

    Code:
    HTTPRequest
    POST
    HTTP/1.0
    GET
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    Accept - Encoding: gzip, deflate
    Interstat
    reinstall_started
    reinstall_started
    Interstat\Interstat.exe
    Interstat
    gInterstat\Interstat.exe
    \InetStat\inetstat.exe
    .exe
    \SpeedTray\speedtray.exe
    .\isup.exe
    DisplayIcon
    DisplayName
    Publisher
    DisplayVersion
    NoModify
    UninstallString
    NoRepair
    isup.exe
    mention of screenshots
    Code:
    true;
    window.ises.isAlexaToolbarInstalled = 
    false;
    URL set
    :Javascript called
    Internet Explorer deleted, owner delete
    Internet Explorer deleted,for closing tabs
    Failed to fetchIID_IDispatchEx
    event:
    event:
    event:
    savesshot.php
    Failed to getElementById
    Failed to take screenshot on IE:
    noc
    /uninstall
    Unsupported OS
    taskkill /f /im 
    Are you sure you want to uninstall 
    tempRun123.lnk
    %TEMP%\
    Failed to delete shortcut lnk
    event.html?n=
    .exe
    Code:
    >>> Performing actions with error report: '%s'
    Error opening file %s.
    Copying file %s.
    Couldn't get file size of %s
    CrashSender%d.exe
    Error creating file %s.
    Start video recording.
    Local\CrashRptEvent_%s_2
    Error opening event.
    Looking for files using search template: %s
    Error initializing video recorder.
    Could not find any files matching the search template.
    Video recording completed.
    [encoding_video]
    Desktop video recording disabled; skipping.
    Encoding recorded video, please wait...
    Error encoding video.
    DescVideo
    DetailDlg
    Finished encoding video.
    Error opening file for writing.
    Error saving XML document to file: 
    HKEY_LOCAL_MACHINE\
    HKEY_CURRENT_USER\
    Restarting the application...
    Application restarted OK.
    Error restarting the application!
    \*.txt
    Unspecified error.
    Error reading crash info: %s
    RTLReading
    Settings
    DescScreenshot
    Code:
    AppVersion
    Sending error report over HTTP...
    Preparing HTTP request data...
    OperatingSystem
    crashrptver
    OSIs64Bit
    appname
    GeoLocation
    appversion
    crashguid
    SystemTimeUTC
    0x%I64x
    emailfrom
    emailsubject
    ExceptionAddress
    [taking_screenshot]
    description
    Taking desktop screenshot
    Desktop screenshot generation disabled; skipping.
    ExceptionModule
    Code:
    SOFTWARE\Clients\Mail
    Error detecting E-mail client
    Detected E-mail client 
    mapi32.dll
    Error loading mapi32.dll
    Not found required function entries in mapi32.dll
    MAPILogon has failed with code %X.
    Error allocating memory
    Error allocating memory
    MAPISendMail has failed with code %X.
    EDISPLAY
    %s\screenshot%d.png
    %s\screenshot%d.jpg
    %s\screenshot%d.bmp
    Start sending email
    Error querying DNS record.
    Finished OK.
    Critical error detected.
    Error sending email.
    Code:
    buffer error
    incompatible version
    RSDS
    J8UP
    C:\Users\Ozrenko\Documents\Work\Interstat2\crashrpt\bin\CrashSender.pdb


  7. Posts : 16,325
    W10Prox64
       #27

    Wow. I've been reading this thread and I have to say this is really interesting. Video, desktop screenshots and email? Wonder if it also has a keylogger?
    I just wonder if it wouldn't help to install the 30-day trial of ESET NOD32 and have this crap identified/uploaded to them?
    Also, do you have MBAE Free on the system? That helps protect against zero-day browser exploits. I know this is after the fact...


  8. Posts : 39,789
    Win 7 32, Win 7 64 Pro, Win 8.1 64 Pro, Win 10 64 Education Edition, Win 11 Pro
       #28

    Once you select the program to delete, you will be given 3 options as to method of removal. Seen on page 7 of the PDF.

    Advanced - includes the Moderate mode and performs a deep and thorough scan to find all of the application's leftover information in the Registry and on the hard drive. This is the slowest mode.
    On page 8 of the PDF you will see the illustration of what will be presented when reg keys are presented for removal.

    You may want to look at this & run the malware removal after you have run RKill as well as being disconnected from the net while doing it.

    Remove adware (Virus Removal Guide)

    Is there any chance you can do a system restore 2 or 3 points before the infection occurred? This might solve the problem in one easy step.

    There's another malware scanner that hasn't been suggested/used yet, SuperAntiSpyware. They make a portable version which you can run from a USB or without installation. You can find it here. As with the others, run RKill 1st & then run the malware scanner.

    SUPERAntiSpyware - SUPERAntiSpyware Portable Scanner
    Last edited by Borg 386; 23 Sep 2016 at 06:40.


  9. Posts : 32
    Windows 10 64 bit Home
    Thread Starter
       #29

    simrick said:
    Wow. I've been reading this thread and I have to say this is really interesting. Video, desktop screenshots and email? Wonder if it also has a keylogger?
    I just wonder if it wouldn't help to install the 30-day trial of ESET NOD32 and have this crap identified/uploaded to them?
    Also, do you have MBAE Free on the system? That helps protect against zero-day browser exploits. I know this is after the fact...

    I looked in the strings for anything like keylogger, capture, but couldn't see anything obvious. If it can do the others presumably it could do that too though. It seems it probably disguises its activities as crash reporting, see the registry entries listed at the bottom of this bleeping computer removal guide (for the older non hidden exe with gui)

    How to remove Inetstat or Interstart (Removal Guide)

    I have Malwarebytes, AdwCleaner, HitmanPro, SUPERAntiSpyware, but none detected it. I just ran RKill again and it did detect it using heuristics:

    AppData\Roaming\Interstatnogui\interstatnogui.exe (PID: 7436) [UP-HEUR]

    I am now pretty sure it is a clone of the older Weatherman trojan as there is still a lot of weather related crap, same filenames, same creator name in the strings. I had a look to see if there was a virus submission form on ESET, I couldn't see anything obvious, presume I would have to download and install it? It seems a tad frustrating there isn't more I can do to alert more AV vendors about this bar posting on each forum individually.


  10. Posts : 32
    Windows 10 64 bit Home
    Thread Starter
       #30

    Borg 386 said:
    Once you select the program to delete, you will be given 3 options as to method of removal. Seen on page 7 of the PDF.

    On page 8 of the PDF you will see the illustration of what will be presented when reg keys are presented for removal.

    You may want to look at this & run the malware removal after you have run RKill as well as being disconnected from the net while doing it.

    Remove adware (Virus Removal Guide)

    Is there any chance you can do a system restore 2 or 3 points before the infection occurred? This might solve the problem in one easy step.

    There's another malware scanner that hasn't been suggested/used yet, SuperAntiSpyware. They make a portable version which you can run from a USB or without installation. You can find it here. As with the others, run RKill 1st & then run the malware scanner.

    SUPERAntiSpyware - SUPERAntiSpyware Portable Scanner

    Thanks again Borg. I went into Revo Autorun Manager and hit confirm on delete and there were no other options - I think they only appear for programs that have been installed normally. Anyhow, on restart it has stopped it loading although the exe is still there. I ran superantispyware and it just detected 1500+ tracking cookies, maybe I should monitor these a bit more carefully in the future!

    I may well do a system restore, or even a clean install. I am wondering whether I should nuke the hard drive first, and run command line based AV scanners as well to detect hidden files etc?