Page 4 of 5
  1.    23 Sep 2016 #31
    Join Date : Oct 2014
    In a house with a crazy cat trying to kill me
    Posts : 16,132
    Win 7 32, Win 7 64 Pro, Win 8.1 64 Pro, Win 10 64 Education Edition

    Quote Originally Posted by tacos team View Post
    Thanks again Borg. I went into Revo Autorun Manager and hit confirm on delete and there were no other options - I think they only appear for programs that have been installed normally. Anyhow, on restart it has stopped it loading although the exe is still there. I ran superantispyware and it just detected 1500+ tracking cookies, maybe I should monitor these a bit more carefully in the future!

    I may well do a system restore, or even a clean install. I am wondering whether I should nuke the hard drive first, and run command line based AV scanners as well to detect hidden files etc?
I think a system restore to a point 2 or 3 points past the infection time would be a good idea and would definitely be easier than trying to hunt down all the bits & pieces that this infection has spread all over. I say 2 or 3 points past because some malware can embed itself in the 1st restore point, so when you try to roll back it's still present on the OS.

    Just to cover all the bases, d/l & run TDSSKiller to confirm there are no rootkits on your system. Do this before you do a restore, being that if one is present, a restore won't delete it.

    TDSSKiller Download

Note: When running TDSSKiller, launch the program, click on the blue text "Change Parameters" & check the box marked "Detect TDLFS File system." Click OK & then run the scan.


    You could try a restore 1st & then if the trouble persists, then consider the option of a clean install.

Starting over is a PIA, but it's the best option to ensure that you start with a clean system. It's usually a good idea to wipe the drive, since some malware, particularly rootkits, can survive a clean install.

    Here is a list of disk erasers you can opt to use. Once you wipe the HDD you shouldn't have anything left on the drive to need a scan on.

    Five hard disk cleaning and erasing tools - TechRepublic
  2.    23 Sep 2016 #32
    Join Date : Apr 2015
    Posts : 12,582
    W10Prox64

    Quote Originally Posted by tacos team View Post
    I looked in the strings for anything like keylogger, capture, but couldn't see anything obvious. If it can do the others presumably it could do that too though. It seems it probably disguises its activities as crash reporting, see the registry entries listed at the bottom of this bleeping computer removal guide (for the older non hidden exe with gui)

    How to remove Inetstat or Interstart (Removal Guide)

    I have malwarebytes, adwcleaner, hitmanpro, superantispyware but none detected it. I just ran RKill again and it did detect it using heuristics

    AppData\Roaming\Interstatnogui\interstatnogui.exe (PID: 7436) [UP-HEUR]

I am now pretty sure it is a clone of the older Weatherman trojan, as there is still a lot of weather-related crap, same filenames, same creator name in the strings. I had a look to see if there was a virus submission form on ESET; I couldn't see anything obvious, so I presume I would have to download and install it? It seems a tad frustrating there isn't more I can do to alert more AV vendors about this bar posting on each forum individually.
    Yeah ESET would have to be installed, and run, for it to be submitted. I am not positive, but pretty sure that the major AVs share info on new threats. Trouble is, this is a PUP, not virus, so AVs don't really go there. You'll notice that BleepingComputer's cleaning instructions have no AV in sight.
    Quote Originally Posted by tacos team View Post
    Thanks again Borg. I went into Revo Autorun Manager and hit confirm on delete and there were no other options - I think they only appear for programs that have been installed normally. Anyhow, on restart it has stopped it loading although the exe is still there. I ran superantispyware and it just detected 1500+ tracking cookies, maybe I should monitor these a bit more carefully in the future!

    I may well do a system restore, or even a clean install. I am wondering whether I should nuke the hard drive first, and run command line based AV scanners as well to detect hidden files etc?
    I would try the system restore first. Actually, I would have tried that a long time ago.
    I could be wrong, but I thought you could clean a drive easily using diskpart - even hidden partitions from infections will be nuked that way. I recently did that on a few sticks that were infected with worms and hidden partitions.


    Quote Originally Posted by Borg 386 View Post
I think a system restore to a point 2 or 3 points past the infection time would be a good idea and would definitely be easier than trying to hunt down all the bits & pieces that this infection has spread all over. I say 2 or 3 points past because some malware can embed itself in the 1st restore point, so when you try to roll back it's still present on the OS.

    Just to cover all the bases, d/l & run TDSSKiller to confirm there are no rootkits on your system. Do this before you do a restore, being that if one is present, a restore won't delete it.

    TDSSKiller Download

Note: When running TDSSKiller, launch the program, click on the blue text "Change Parameters" & check the box marked "Detect TDLFS File system." Click OK & then run the scan.


    You could try a restore 1st & then if the trouble persists, then consider the option of a clean install.
    Agreed. TDSSKiller and then system restore.
Matter of fact, I would first go into CCleaner and delete restore points that *could* be infected, and 2 or 3 more before that time. That way you're sure you don't use one you didn't mean to.
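Added example, not part of anyone's post above: the exe was still on disk after its autorun entry was deleted, and RKill only caught it by heuristics from its path under AppData\Roaming. The script below is the check I would run before trusting an "it's gone" verdict. It walks the user and machine Run/RunOnce keys, both Startup folders, scheduled task actions and running processes, flags anything that lives under %APPDATA%, and prints the SHA-1/SHA-256 and Authenticode status of each flagged file so the hashes can be compared against VirusTotal or Reason Core entries. The two SHA-1 values in the known-bad list are the ones quoted later in this thread for the WeatherMan and softwebbar samples; everything else (variable names, the 10-line helper) is mine. Read-only, Windows PowerShell 5.1, elevated.

```powershell
# Added example (not from the thread): enumerate common autostart locations
# and running processes, flag anything launched from %APPDATA%, and hash the
# flagged binaries for comparison with published SHA-1/SHA-256 values.
# Read-only; nothing is deleted. Run elevated in Windows PowerShell 5.1.

$suspectRoot = $env:APPDATA.TrimEnd('\') + '\'   # e.g. C:\Users\<you>\AppData\Roaming\

# SHA-1 values quoted in this thread (WeatherMan / softwebbar); extend as needed
$knownBadSha1 = @(
    '27E51183A0B4284D492B1A5ECB611B703F98E10C',
    'C881585AF321A20D92A1D4E9D5043FAF00DE474D'
)

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Source, [string]$Name, [string]$Command) {
    # Pull the executable path out of a command line such as "C:\x\y.exe" /flag
    $exe = if ($Command -match '^\s*"([^"]+\.exe)"') { $Matches[1] }
           elseif ($Command -match '^\s*(\S+\.exe)')  { $Matches[1] }
           else { $Command }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Path = $exe })
}

# 1. Registry Run / RunOnce keys
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip provider metadata
        Add-Finding -Source $key -Name $p.Name -Command ([string]$p.Value)
    }
}

# 2. Startup folders (per-user and all-users)
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding -Source $dir -Name $_.Name -Command $_.FullName
    }
}

# 3. Scheduled task actions (a favourite home for "crash reporting" lookalikes)
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute) { Add-Finding -Source "Task $($task.TaskPath)" -Name $task.TaskName -Command $a.Execute }
    }
}

# 4. Running processes whose image lives under the profile
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
    Add-Finding -Source "PID $($_.Id)" -Name $_.ProcessName -Command $_.Path
}

# Flag anything under %APPDATA% and hash it
$flagged = $findings | Where-Object { $_.Path -like "$suspectRoot*" } | Sort-Object Path -Unique
foreach ($f in $flagged) {
    if (Test-Path -LiteralPath $f.Path) {
        $sha1   = (Get-FileHash -LiteralPath $f.Path -Algorithm SHA1).Hash
        $sha256 = (Get-FileHash -LiteralPath $f.Path -Algorithm SHA256).Hash
        $sig    = (Get-AuthenticodeSignature -LiteralPath $f.Path).Status
        $known  = if ($knownBadSha1 -contains $sha1) { 'KNOWN BAD' } else { 'unknown' }
        "{0}`n  {1} ({2})`n  SHA1   {3} [{4}]`n  SHA256 {5}`n  Signature: {6}" -f
            $f.Path, $f.Source, $f.Name, $sha1, $known, $sha256, $sig
    } else {
        "{0}`n  {1} ({2})`n  file missing on disk (dangling autostart entry)" -f $f.Path, $f.Source, $f.Name
    }
}
```

A hit in the known-bad list settles it; an "unknown" hash with Signature NotSigned, in a folder nobody remembers installing, is what you paste into a VirusTotal search. The script deliberately does not cover services, WMI subscriptions or browser extensions, so a clean result here is a reason to run a rootkit scanner, not a reason to stop.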
  3.    24 Sep 2016 #33
    Join Date : Sep 2016
    Posts : 24
    Windows 10 64 bit Home
    Thread Starter

    Quote Originally Posted by Borg 386 View Post
I think a system restore to a point 2 or 3 points past the infection time would be a good idea and would definitely be easier than trying to hunt down all the bits & pieces that this infection has spread all over. I say 2 or 3 points past because some malware can embed itself in the 1st restore point, so when you try to roll back it's still present on the OS.

    Just to cover all the bases, d/l & run TDSSKiller to confirm there are no rootkits on your system. Do this before you do a restore, being that if one is present, a restore won't delete it.

    TDSSKiller Download

Note: When running TDSSKiller, launch the program, click on the blue text "Change Parameters" & check the box marked "Detect TDLFS File system." Click OK & then run the scan.


    You could try a restore 1st & then if the trouble persists, then consider the option of a clean install.

Starting over is a PIA, but it's the best option to ensure that you start with a clean system. It's usually a good idea to wipe the drive, since some malware, particularly rootkits, can survive a clean install.

    Here is a list of disk erasers you can opt to use. Once you wipe the HDD you shouldn't have anything left on the drive to need a scan on.

    Five hard disk cleaning and erasing tools - TechRepublic
Thanks again Borg. I ran TDSSKiller and nothing was found. I did notice it's Kaspersky though, which I have installed, and since Kaspersky is not detecting this malware, it may not find anything related to it? There was also the mystery of a connection to Kaspersky servers from one of these background Internet Explorer processes, possibly from this malware, which made me somewhat suspicious. I asked Kaspersky about it and there was no response.

    I haven't decided whether to restore or clean install yet. Part of me wants to clean install as I did an upgrade install to Windows 10 and part of the hardware was not detected correctly.
  4.    24 Sep 2016 #34
    Join Date : Sep 2016
    Posts : 24
    Windows 10 64 bit Home
    Thread Starter

    Quote Originally Posted by simrick View Post
    Yeah ESET would have to be installed, and run, for it to be submitted. I am not positive, but pretty sure that the major AVs share info on new threats. Trouble is, this is a PUP, not virus, so AVs don't really go there. You'll notice that BleepingComputer's cleaning instructions have no AV in sight.
    I am not sure it is just a PUP though. If you look at the earlier Weatherman malware that was almost certainly made by the same person it is detected by multiple AV providers as a Trojan. I think the programmer just got better at disguising it.

    https://www.virustotal.com/en/analis...f88d/analysis/

    Malware scan of gpupd55f74af50.exe (WeatherMan) 27e51183a0b4284d492b1a5ecb611b703f98e10c - Reason Core Security Labs

    Also softwebbar from the same programmer installs a backdoor IRC channel, but that is still not detected by many AV vendors

    Malware scan of softwebbar.exe (UserMon) c881585af321a20d92a1d4e9d5043faf00de474d - Reason Core Security Labs

    https://www.virustotal.com/en/file/7...e082/analysis/

    Quote Originally Posted by simrick View Post
    I would try the system restore first. Actually, I would have tried that a long time ago.
    I could be wrong, but I thought you could clean a drive easily using diskpart - even hidden partitions from infections will be nuked that way. I recently did that on a few sticks that were infected with worms and hidden partitions.

    Agreed. TDSSKiller and then system restore.
Matter of fact, I would first go into CCleaner and delete restore points that *could* be infected, and 2 or 3 more before that time. That way you're sure you don't use one you didn't mean to.
    But what's stopping a trojan writer from just infecting all restore points? It doesn't sound like just going back to 3 steps before you can really be sure of being free of it. One thing I am not sure about with a clean install is I have a 'system reserved' virtual drive with bootmgr, boot and recycle bin hidden folders on, would a disk cleaner just remove and detect that also? So after doing that I could just put in a DVD with Windows 10 iso on it and boot into this?
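Added example, not from either poster: simrick suggests deleting the restore points that could be infected before restoring, and the question above is whether an earlier point can be trusted at all. What System Restore calls a restore point is backed by a Volume Shadow Copy, and the shadow copy is where the file data actually lives, so the honest way to do the clean-up is by shadow copy creation date rather than by CCleaner's list. The script lists both views, then deletes every shadow copy created on or after a cut-off date. The cut-off date and the -Delete switch are assumptions of this script; without -Delete it only reports. Windows PowerShell 5.1, elevated (System Restore must be enabled on the volume, or the first cmdlet simply returns nothing).

```powershell
# Added example (not from the thread): list restore points and the shadow
# copies behind them, then delete shadow copies created on or after a
# suspected infection date so a later restore cannot land on a snapshot
# that already contains the malware. Dry run unless -Delete is given.
param(
    [datetime]$InfectionDate = (Get-Date '2016-09-10'),   # assumed; set to when the installer was run
    [switch]$Delete
)

# Restore points as System Restore presents them (CreationTime is DMTF-formatted)
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } |
    Sort-Object Created | Format-Table -AutoSize

# The shadow copies that hold the actual file data
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, VolumeName, InstallDate |
    Sort-Object InstallDate

$tainted = @($shadows | Where-Object { $_.InstallDate -ge $InfectionDate })
$clean   = @($shadows | Where-Object { $_.InstallDate -lt $InfectionDate })

"Shadow copies created before   {0:yyyy-MM-dd}: {1}" -f $InfectionDate, $clean.Count
"Shadow copies created on/after {0:yyyy-MM-dd}: {1}" -f $InfectionDate, $tainted.Count

foreach ($s in $tainted) {
    if ($Delete) {
        # vssadmin deletes by shadow ID; /Quiet suppresses the confirmation prompt
        & vssadmin.exe delete shadows "/Shadow=$($s.ID)" /Quiet | Out-Null
        "deleted       $($s.ID)  $($s.InstallDate)"
    } else {
        "would delete  $($s.ID)  $($s.InstallDate)  (re-run with -Delete)"
    }
}

# What is left is the set a restore can still pick from
@(Get-CimInstance -ClassName Win32_ShadowCopy).Count
```

The caveat a practitioner wants here: a snapshot made before the infection only proves the snapshot is older than the infection, not that it is clean, and nothing prevents code running as administrator from deleting or creating restore points itself. That is the real answer to "what's stopping a trojan writer from infecting all restore points": nothing, which is why the clean-install branch of this thread exists.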
  5.    24 Sep 2016 #35
    Join Date : Apr 2015
    Posts : 12,582
    W10Prox64

    Quote Originally Posted by tacos team View Post
    I am not sure it is just a PUP though. If you look at the earlier Weatherman malware that was almost certainly made by the same person it is detected by multiple AV providers as a Trojan. I think the programmer just got better at disguising it.

    https://www.virustotal.com/en/analis...f88d/analysis/

    Malware scan of gpupd55f74af50.exe (WeatherMan) 27e51183a0b4284d492b1a5ecb611b703f98e10c - Reason Core Security Labs

    Also softwebbar from the same programmer installs a backdoor IRC channel, but that is still not detected by many AV vendors

    Malware scan of softwebbar.exe (UserMon) c881585af321a20d92a1d4e9d5043faf00de474d - Reason Core Security Labs

    https://www.virustotal.com/en/file/7...e082/analysis/


    But what's stopping a trojan writer from just infecting all restore points? It doesn't sound like just going back to 3 steps before you can really be sure of being free of it. One thing I am not sure about with a clean install is I have a 'system reserved' virtual drive with bootmgr, boot and recycle bin hidden folders on, would a disk cleaner just remove and detect that also? So after doing that I could just put in a DVD with Windows 10 iso on it and boot into this?
    Trojans download stuff. They bring in the infections.
    Use diskpart, or put the W10 ISO in and do a custom install and delete all partitions so you're clean installing to a completely unallocated drive.
    Then, make regular images with something like Macrium Reflect Free, and you won't have to go through this again.
  6.    24 Sep 2016 #36
    Join Date : Sep 2016
    Posts : 24
    Windows 10 64 bit Home
    Thread Starter

    Quote Originally Posted by simrick View Post
    Trojans download stuff. They bring in the infections.
    Use diskpart, or put the W10 ISO in and do a custom install and delete all partitions so you're clean installing to a completely unallocated drive.
    Thanks for the tip. Sorry if a dumb question but how will Windows 10 then know I have a valid license, do I need to backup the serial number somewhere or can I use my original Windows 7 key?
    Quote Originally Posted by simrick View Post
    Then, make regular images with something like Macrium Reflect Free, and you won't have to go through this again.
Yeah, point taken.

    Just a little extra point on the original software I installed, Stereo_Mix_Plus_Setup.exe (from REMOVETHIShttp://stereomixplus.com ), it seems to originate in China with a company named Shining Morning Inc. which has past form on installing adware at the very least with its 'magic camera' software

    https://www.virustotal.com/en/file/c...1aad/analysis/

    https://www.virustotal.com/en/file/4...5c74/analysis/

ESET AV Remover - List of removable applications and instructions to run the tool - ESET Knowledgebase
  7.    24 Sep 2016 #37
    Join Date : Apr 2015
    Posts : 12,582
    W10Prox64

    Quote Originally Posted by tacos team View Post
    Thanks for the tip. Sorry if a dumb question but how will Windows 10 then know I have a valid license, do I need to backup the serial number somewhere or can I use my original Windows 7 key?
Once a system has had W10 installed and activated, its activation resides on the MS servers, and you can reinstall/clean install as often as you like/need. Just don't go changing the motherboard.... If you'd like to see your keys:
    Showkey - Windows 10 Forums
    But don't enter one when reinstalling.
    Quote Originally Posted by tacos team View Post
Yeah, point taken.

    Macrium Reflect - Backup Restore - Windows 10 Forums

    Quote Originally Posted by tacos team View Post
    Just a little extra point on the original software I installed, Stereo_Mix_Plus_Setup.exe (from REMOVETHIShttp://stereomixplus.com ), it seems to originate in China with a company named Shining Morning Inc. which has past form on installing adware at the very least with its 'magic camera' software

    https://www.virustotal.com/en/file/c...1aad/analysis/

    https://www.virustotal.com/en/file/4...5c74/analysis/

ESET AV Remover - List of removable applications and instructions to run the tool - ESET Knowledgebase
    Yeah, have to be so careful downloading stuff these days....
  8.    26 Sep 2016 #38
    Join Date : Sep 2016
    Posts : 24
    Windows 10 64 bit Home
    Thread Starter

    Simrick, Borg, thanks for your replies, am having some issues with reinstalling and formatting, would appreciate if you could check my pm, cheers.
  9.    26 Sep 2016 #39
    Join Date : Apr 2015
    Posts : 12,582
    W10Prox64

    Hi.
    I will put your message here, in case it helps others in the future:

    Hey guys
    Finally got round to backing everything up and reinstalling , but have encountered a pretty major stumbling block. On using the Windows 10 install disk, I got into the installation process, up to where I wanted to install windows, I have various partitions showing up of both my drives - my 128GB Samsung Pro SSD and 3TB WD HDD - the SSD has three partitions:

    Partition 1: System Reserved 100MB

    Partition 2: Primary 118GB

    Partition 3: OEM (Reserved) 450MB

    The HDD has two partitions:

    Partition 1 128MB

    Partition 2 2794GB

    I selected the primary partition of the SSD and selected format, but now when trying to install it shows error 0x80300024 - I found this thread on sevenforums suggesting it doesn't like other large hard drives connected - could this still be the same issue in Windows 10 and Microsoft haven't bothered to fix it, or could it be another issue? Do I also need to format the system reserved and OEM partitions on the SSD?? Would really appreciate advice on this, cheers.

    Error (0x80300024) Solved - Page 6 - Windows 7 Help Forums
    Correct, you must not have any other hard drives connected during install. The "custom install" option should be used, then delete all partitions on the SSD, and install to a completely unallocated drive, as shown in the tutorial.


    [Image: unallocated-drive-space.PNG]
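Added example, not from simrick or the thread starter: two posts above recommend diskpart or the "delete all partitions" route so Setup installs to a completely unallocated drive, and the post just above shows why it matters which disk you pick (a 128 GB Samsung SSD with three partitions next to a 3 TB data drive). The script below identifies the target by model and size, refuses to run against the disk Windows is booted from, and writes a diskpart script for review; it only runs diskpart when given -Execute. The model pattern, the size, and the -Secure/-Execute switches are assumptions of this script, not diskpart options. It is meant for a second machine, a Windows To Go stick, or any full Windows session where the target is not the running OS disk; from the installer itself you get the same result by pressing Shift+F10 and typing the diskpart lines it prints.

```powershell
# Added example (not from the thread): wipe the target disk to an unallocated
# state before a clean install. Dry run unless -Execute is given.
param(
    [string]$TargetModelLike = 'Samsung*',   # assumed; matched against Get-Disk FriendlyName
    [int]$TargetSizeGB       = 128,          # assumed; nominal size of the SSD
    [switch]$Secure,                         # "clean all" (zero every sector) instead of "clean"
    [switch]$Execute
)

# 1. Show every attached disk so the choice can be sanity-checked by eye
Get-Disk | Select-Object Number, FriendlyName,
    @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB) } },
    PartitionStyle, IsBoot, IsSystem, BusType | Format-Table -AutoSize

# 2. Select the target by model and size (10% tolerance); insist on exactly one match
$target = @(Get-Disk | Where-Object {
    $_.FriendlyName -like $TargetModelLike -and
    [math]::Abs($_.Size / 1GB - $TargetSizeGB) -le ($TargetSizeGB * 0.1)
})
if ($target.Count -ne 1) { throw "Expected exactly one matching disk, found $($target.Count). Aborting." }
$target = $target[0]
if ($target.IsBoot -or $target.IsSystem) {
    throw "Disk $($target.Number) is the running system disk; do this from install media (Shift+F10, then diskpart) or another OS."
}

# 3. Build the diskpart script. "clean" removes every partition, including the
#    100 MB System Reserved and the 450 MB OEM/recovery partition; "clean all"
#    additionally overwrites every sector with zeros, which is what a disk
#    eraser does and what survives-a-format malware is wiped by.
$cleanCmd = if ($Secure) { 'clean all' } else { 'clean' }
$script = @"
select disk $($target.Number)
$cleanCmd
exit
"@
$scriptPath = Join-Path $env:TEMP 'wipe-target.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII

"diskpart script written to ${scriptPath}:`n$script"

if ($Execute) {
    # diskpart /s runs the script non-interactively; requires an elevated prompt
    & diskpart.exe /s $scriptPath
    # After "clean" the disk reports PartitionStyle RAW: nothing left for Setup to inherit
    Get-Disk -Number $target.Number | Select-Object Number, PartitionStyle,
        @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB) } }
} else {
    "Dry run. Re-run with -Execute to wipe disk $($target.Number)."
}
```

No "convert gpt" is issued on purpose: on a disk with no partition style, Setup initialises it to GPT or MBR to match how the media was booted (UEFI or legacy), so booting the DVD the way you want the install to end up is the only decision left. Unplugging the 3 TB drive during the install, as advised above, also removes the only way this script's disk selection could go wrong.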
  10.    26 Sep 2016 #40
    Join Date : Sep 2016
    Posts : 24
    Windows 10 64 bit Home
    Thread Starter

    Thanks for your reply and the tutorial link. I think the 450MB partition currently on the SSD must be the UEFI partition. I presume it's best to use UEFI? I have seen suggestion that if I just change the boot order in BIOS so the SSD is disk 0, you might not need to remove the other drive?

 