Windows 10: Hundreds of hidden Chrome now IE processes after installing software

Discussion in 'AntiVirus, Firewalls and System Security' started by tacos team, Sep 14, 2016.

  1. Borg 386 Win User

    I have used Process Hacker briefly & I am not familiar with its full array of functions. However I do know from experience that Process Explorer is capable of many, many functions. There is a guide here:

    SysInternals Pro: Understanding Process Explorer

    Also, you may wish to have a look at this tool.

    TCPView for Windows

     
    Borg 386, Sep 15, 2016
    #16

  2. OK, I neglected to run AdwCleaner, have now done so and am pretty shocked to see a huge number of files and registry keys from the Lavasoft Web Companion including LavasoftTcpService flagged by AdwCleaner; I thought Lavasoft were meant to be the good guys. All now deleted and cleaned after a reboot. I did disable IE's internet connection so I may re-enable it and see what happens. On a side note I just tried updating iTunes and it failed, maybe due to IE not having net access?
     
    tacos team, Sep 15, 2016
    #17
  3. Borg 386 Win User
    Lavasoft was good at one point until they started adding PUPs & other additions. I ran their software about 8 years back & it was a good choice at the time. As of late, not so much.

    You may have to reset your browsers to get rid of all the additions the software probably added.

    As I mentioned earlier, if you could roll back to 2 or 3 points past where all the problems started, that would be the easiest option. You may still have to reset your browsers though. I have no experience with iTunes so I cannot say if disabling IE is the cause of it. If iTunes relies on an IE connection to function, then that is likely the cause.

    Another tool you could run to make sure nothing is left over is JRT. Run as admin & read the documentation. Please note on this tool, you do not have a choice as to what it removes; it is a one-click, removes-all tool.

    Junkware Removal Tool Download
     
    Borg 386, Sep 15, 2016
    #18
  4. Borg, thanks for your reply. I had a look on the Lavasoft forums and it seems there are plenty of people unhappy with the behaviour of their Web Companion, including the inability to remove it using normal methods, the fact it removes remembered tabs in Firefox etc. How ironic that a company people once trusted to fight adware looks like it's become a purveyor of it. I am still unsure if it was linked to the Internet Explorer background process as I haven't unblocked it yet. I did try and update iTunes again and that worked, so it wasn't a related issue.
     
    tacos team, Sep 16, 2016
    #19
  5. Borg 386 Win User
    Good to hear it's working again.

    That's happening to a lot of companies. They need to generate money, so they go to allowing certain ads/programs. The legitimate ones will give you the option to opt out of any PUPs, some will try to sneak them in. It is no longer safe to just use the regular install when putting a new program on your PC. It's a good idea to go to custom install (if they give you that option) and there you usually find several surprise PUPs that would have installed with the standard install.

    Sign of the times unfortunately.

    Have a look at this article & what happens when you d/l from a file hosting site. Not all do this, but a high majority of them try to sneak something in.

    Here's What Happens When You Install the Top 10 Download.com Apps

    If you haven't uninstalled Lavasoft yet, there is an uninstaller that does a good job of removing everything associated with a program, even the registry keys. It's Revo Uninstaller; read the documentation well since removing the wrong reg keys can hose your system. The advanced option would be a good choice for removing everything. Make sure to only remove the bolded reg keys. I've put a link to a tutorial here also. It's for the pro version but it applies to the free version as well.

    Download Revo Uninstaller Freeware - Free and Full Download - Uninstall software, remove programs, solve uninstall problems


    Revo Uninstaller Pro Online User's Manual

    Another thing you might consider: d/l CCleaner & let it scan your system for orphan files & then do a reg scan. It gives you the option to back up the reg keys about to be deleted; put them in an easily accessible place in case removing one breaks something. It may clean out the leftovers & restore your browser.

    CCleaner - Free Download - Piriform

    If your browser isn't connecting, you may wish to consider resetting your browser.
     
    Borg 386, Sep 16, 2016
    #20
  6. Thanks Borg for your further comments. I took the risk of enabling Internet Explorer again today but it required permission to access from Kaspersky and unfortunately it seems I am still infected: I blocked an encrypted connection that was being made to vast.ssp.optimatic.com and then checked Network Monitor, which showed hundreds of connections being made, so I immediately blocked all connections and then checked Process Explorer. The second highest CPU usage was interstatnogui.exe which looked like it was attempting to relaunch connections. Doing a search it appears interstat aka inetstat is a known adware program, and checking the install date of the exe it coincided precisely with when I installed the Stereo Mix Plus. It is surprising that neither Malwarebytes, AdwCleaner, or Kaspersky with PUP detection spotted this.

    How to remove Inetstat or Interstart (Removal Guide)

    https://www.virustotal.com/en-gb/url...7d02/analysis/
     
    tacos team, Sep 21, 2016
    #21
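The symptom described in the post above (one hidden browser process holding hundreds of outbound connections, with a second process relaunching them) can be confirmed from plain `netstat -ano` and `tasklist` output rather than eyeballing Network Monitor. The following triage helper is an added example for this thread, not code either poster ran; the two text samples are constructed to mimic the tools' output and use documentation IP ranges, not addresses from the thread.

```python
"""Triage helper: find processes holding an unusual number of outbound TCP
connections by joining `netstat -ano` output with `tasklist /fo csv /nh` output.
Example code added to this thread, not something either poster ran."""
import csv
import io
import re
from collections import Counter

# Constructed sample of `netstat -ano` output (not captured from a real machine).
# PID 4120 holds far more connections than anything else, which is the
# behaviour described in the thread.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     4120
  TCP    192.168.1.20:49713     203.0.113.10:443       ESTABLISHED     4120
  TCP    192.168.1.20:49714     203.0.113.11:443       ESTABLISHED     4120
  TCP    192.168.1.20:49715     203.0.113.11:443       SYN_SENT        4120
  TCP    192.168.1.20:49716     203.0.113.12:443       ESTABLISHED     4120
  TCP    192.168.1.20:49717     203.0.113.12:443       ESTABLISHED     4120
  TCP    192.168.1.20:49720     198.51.100.7:443       ESTABLISHED     2876
  TCP    192.168.1.20:49721     203.0.113.10:80        ESTABLISHED     5540
  UDP    0.0.0.0:5353           *:*                                    2876
"""

# Constructed sample of `tasklist /fo csv /nh` output (process names taken from the thread).
SAMPLE_TASKLIST = '''"svchost.exe","904","Services","0","9,876 K"
"iexplore.exe","4120","Console","1","45,120 K"
"chrome.exe","2876","Console","1","150,200 K"
"interstatnogui.exe","5540","Console","1","3,100 K"
'''

# UDP rows have no State column, so the state group is optional.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples from `netstat -ano` text."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def _remote_hosts(rows, pid):
    """Distinct remote hosts a PID has non-listening TCP connections to."""
    return {r[2].rsplit(":", 1)[0] for r in rows
            if r[4] == pid and r[0] == "TCP" and r[3] != "LISTENING"}


def flag_noisy_processes(netstat_text, tasklist_text, threshold=5):
    """Return [(image, pid, connection_count, sorted remote hosts)] for PIDs with
    at least `threshold` non-listening TCP connections, busiest first."""
    rows = parse_netstat(netstat_text)
    names = parse_tasklist(tasklist_text)
    counts = Counter(r[4] for r in rows if r[0] == "TCP" and r[3] != "LISTENING")
    flagged = [(names.get(pid, "<unknown>"), pid, n, sorted(_remote_hosts(rows, pid)))
               for pid, n in counts.items() if n >= threshold]
    flagged.sort(key=lambda f: f[2], reverse=True)
    return flagged


def processes_sharing_hosts(netstat_text, tasklist_text, pid):
    """Other PIDs talking to any remote host that `pid` talks to. Useful when a
    second process (like the relauncher the poster saw) is suspected of working
    together with the noisy one."""
    rows = parse_netstat(netstat_text)
    names = parse_tasklist(tasklist_text)
    target = _remote_hosts(rows, pid)
    return {p: names.get(p, "<unknown>") for p in {r[4] for r in rows}
            if p != pid and _remote_hosts(rows, p) & target}


if __name__ == "__main__":
    for image, pid, n, hosts in flag_noisy_processes(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{image} (PID {pid}): {n} outbound TCP connections to {', '.join(hosts)}")
        for p, name in processes_sharing_hosts(SAMPLE_NETSTAT, SAMPLE_TASKLIST, pid).items():
            print(f"  shares a remote host with {name} (PID {p})")
```

On a live machine, save `netstat -ano` and `tasklist /fo csv /nh` to files first and feed their contents in; having the captures on disk also gives you something to submit to a vendor later. The threshold is deliberately low for the constructed sample; on a real desktop a browser easily holds dozens of connections, so compare against what the same process normally does rather than a fixed number.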
  7. Found this discussion below on FreeFixer; it seems someone noticed the exact same behaviour with Chrome then Internet Explorer launching a large number of connections in the background.

    What is interstatnogui.exe?

    A number of companies including Dr Web, Sophos, Google and Fortinet recognise the URL connected to it as a malware site, four recognise the original filename UserMon.exe as Malware/PUP, but only one this filename in particular. Is there any way apart from contacting all these companies separately to alert AV makers to this?
     
    tacos team, Sep 21, 2016
    #22
  8. Borg 386 Win User
    It would be good to follow the 1st guide you posted the link to. I notice they advise you to use RKill. A word about using this, the program terminates known malware/virus processes running in the background. This is needed due to the fact that some malware cannot be removed while it is running.

    Once you have run RKill, do not reboot your OS. This will only enable the malware to run again upon start up. Instead, once you run RKill, immediately start scanning with the recommended software. It might be a good idea not to be connected to the net while doing the scans since this nuisance has a habit of trying to connect to home.
     
    Borg 386, Sep 22, 2016
    #23
  9. Hey Borg, thanks for your comments, I actually did this but RKill did not detect it. I did then do another Malwarebytes and AdwCleaner scan, but nothing was found. It seems like it really is out in the wild with only a few vendors detecting it so far. Is there an easy way, or do I basically have to post at all these vendors' different forums or virus submission forms to get this info out there to other providers?

    I also tried Revo but it would not even find the program.

    OK, I tell a lie, it is listed in autorun manager, under HKCU Run, although I have it suspended in process explorer. Presumably if I right click and click remove selected, it will remove the prog and the registry entry?
     
    tacos team, Sep 22, 2016
    #24
  10. Borg 386 Win User
    RKill doesn't remove anything, it only attempts to stop malicious processes from running. After it does that, the other scanners can remove anything malicious. Most times when a malware process is running, it can't be removed. Once stopped with RKill, it is usually detected & can be removed.

    If you found the offending reg key & you are sure it's linked to that malware, go ahead & back up your registry & then remove it. Removing the reg key may cripple the malware but the program is still in your files somewhere. If you can find the location & remove that as well then that might solve the problem.

    How to Backup and Restore the Windows Registry

    Meanwhile, if you want to let the malware scanners try again after running RKill, then go ahead.
     
    Borg 386, Sep 22, 2016
    #25
  11. Hi Borg, sorry if I wasn't clear, I meant Revo found it in its Autorun Manager function. Weirdly it does not show up at all in msconfig. If I select it in Revo the Remove button goes active; I presume if I click it, it will remove both the registry key and program?
     
    tacos team, Sep 22, 2016
    #26
  12. Borg 386 Win User
    Oh, OK, if Revo found it then go ahead & use that to remove it. Choose the advanced setting & it will also show the reg keys linked to the program that you are removing & give you the chance to select & remove those also.

    Please read this guide 1st & make sure to remove only the bolded reg keys. Removing anything else will possibly hose the OS completely. Revo makes a restore point if it has not been disabled in settings, but making one before running Revo would be a good idea.

    http://www.revouninstaller.com/manua...are%20Help.pdf
     
    Borg 386, Sep 22, 2016
    #27
  13. Hi, I went to delete it and I can't see an advanced option; it just asks OK to delete this item? Meanwhile I have been looking at Process Explorer (with the process suspended), and I found some info in the strings that seems to:

    1. confirm links to other malware processes inetstat.exe interstat.exe speedtray.exe isup.exe UserMon.exe

    What is speedtray.exe?

    2. confirms link to REMOVETHIShttp://interstat.eu

    3. suggests it has screenshot video and emailing ability.

    4. The programmer of the adware / trojans seems to be named Ozrenko (a Yugoslavian name), which links it to an older, more widely detected trojan, Weatherman (exes inter_weather_v320 interstat gpupd55f74af50 inter_weather2)

    Malware scan of gpupd55f74af50.exe (WeatherMan) 27e51183a0b4284d492b1a5ecb611b703f98e10c - Reason Core Security Labs

    https://www.virustotal.com/en/file/6...fb9a/analysis/

    https://www.virustotal.com/en/analis...f88d/analysis/

    also User Monitor UserMon.exe aka softwebbar.exe sftwbbr_v333.exe

    https://www.virustotal.com/en/file/7...e082/analysis/

    Malware scan of softwebbar.exe (UserMon) c881585af321a20d92a1d4e9d5043faf00de474d - Reason Core Security Labs


    NetworkMonitor NetworkMonitor.exe

    https://virustotal.com/it/file/a3476...1a72/analysis/

    BandwidthMon BandwidthMon.exe aka bandwidthstat.exe speedmon.exe inter_bandwidth_v339.exe

    https://www.virustotal.com/en/analis...f9a8/analysis/

    Code:
    HTTPRequest POST HTTP/1.0 GET Accept: */* Content-Type: application/x-www-form-urlencoded Accept - Encoding: gzip, deflate Interstat reinstall_started reinstall_started Interstat\Interstat.exe Interstat gInterstat\Interstat.exe \InetStat\inetstat.exe .exe \SpeedTray\speedtray.exe .\isup.exe DisplayIcon DisplayName Publisher DisplayVersion NoModify UninstallString NoRepair isup.exe

    Mention of screenshots:

    Code:
    true; window.ises.isAlexaToolbarInstalled = false; URL set :Javascript called Internet Explorer deleted, owner delete Internet Explorer deleted,for closing tabs Failed to fetchIID_IDispatchEx event: event: event: savesshot.php Failed to getElementById Failed to take screenshot on IE: noc /uninstall Unsupported OS taskkill /f /im Are you sure you want to uninstall tempRun123.lnk %TEMP%\ Failed to delete shortcut lnk event.html?n= .exe

    Code:
    >>> Performing actions with error report: '%s' Error opening file %s. Copying file %s. Couldn't get file size of %s CrashSender%d.exe Error creating file %s. Start video recording. Local\CrashRptEvent_%s_2 Error opening event. Looking for files using search template: %s Error initializing video recorder. Could not find any files matching the search template. Video recording completed. [encoding_video] Desktop video recording disabled; skipping. Encoding recorded video, please wait... Error encoding video. DescVideo DetailDlg Finished encoding video. Error opening file for writing. Error saving XML document to file: HKEY_LOCAL_MACHINE\ HKEY_CURRENT_USER\ Restarting the application... Application restarted OK. Error restarting the application! \*.txt Unspecified error. Error reading crash info: %s RTLReading Settings DescScreenshot

    Code:
    AppVersion Sending error report over HTTP... Preparing HTTP request data... OperatingSystem crashrptver OSIs64Bit appname GeoLocation appversion crashguid SystemTimeUTC 0x%I64x emailfrom emailsubject ExceptionAddress [taking_screenshot] description Taking desktop screenshot Desktop screenshot generation disabled; skipping. ExceptionModule

    Code:
    SOFTWARE\Clients\Mail Error detecting E-mail client Detected E-mail client mapi32.dll Error loading mapi32.dll Not found required function entries in mapi32.dll MAPILogon has failed with code %X. Error allocating memory Error allocating memory MAPISendMail has failed with code %X. EDISPLAY %s\screenshot%d.png %s\screenshot%d.jpg %s\screenshot%d.bmp Start sending email Error querying DNS record. Finished OK. Critical error detected. Error sending email.

    Code:
    buffer error incompatible version RSDS J8UP C:\Users\Ozrenko\Documents\Work\Interstat2\crashrpt\bin\CrashSender.pdb
     
    tacos team, Sep 22, 2016
    #28
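The string dump in the post above is exactly the kind of evidence a defender turns into indicators: file names of the family, markers for screen capture and e-mail sending, persistence hints, and the PDB path that names the developer's account. The script below is an added example for this thread, not code from the poster; its sample strings are a constructed subset of the dump above (not a fresh extraction), and the rule list is my own reading of that dump, so treat the category names and the verdict labels as assumptions rather than any vendor's classification.

```python
"""Indicator triage over strings pulled from a suspicious binary (for instance
the Strings tab of Process Explorer or the `strings` tool). Example code added
to this thread, not code from the poster; SAMPLE_STRINGS is constructed from
the dump posted above and the rules are an assumed, hand-written set."""
import re
from collections import defaultdict

# Constructed sample: a subset of the strings posted in the thread plus two
# ordinary strings (GetProcAddress, kernel32.dll) that must not match anything.
SAMPLE_STRINGS = [
    "HTTPRequest", "POST", "HTTP/1.0",
    "Content-Type: application/x-www-form-urlencoded",
    "Interstat\\Interstat.exe", "\\InetStat\\inetstat.exe",
    "\\SpeedTray\\speedtray.exe", ".\\isup.exe", "reinstall_started",
    "UninstallString", "DisplayName",
    "savesshot.php", "Failed to take screenshot on IE:",
    "Taking desktop screenshot", "Start video recording.",
    "Desktop video recording disabled; skipping.",
    "taskkill /f /im", "tempRun123.lnk", "%TEMP%\\",
    "HKEY_LOCAL_MACHINE\\", "HKEY_CURRENT_USER\\",
    "MAPISendMail has failed with code %X.", "Start sending email",
    "%s\\screenshot%d.png",
    "C:\\Users\\Ozrenko\\Documents\\Work\\Interstat2\\crashrpt\\bin\\CrashSender.pdb",
    "GetProcAddress", "kernel32.dll",
]

# (category, regex, meaning). The family file names come from the thread; the
# capability rules are generic and would fire on any sample with those strings.
RULES = [
    ("family_file",
     re.compile(r"(?i)\b(interstat(?:nogui)?|inetstat|speedtray|isup|usermon|"
                r"softwebbar|bandwidthmon|networkmonitor)\.exe\b"),
     "file name of this adware family"),
    ("capture", re.compile(r"(?i)screenshot|video recording|savesshot"),
     "screen or video capture"),
    ("exfil", re.compile(r"(?i)MAPISendMail|sending email|HTTPRequest|x-www-form-urlencoded"),
     "data leaves the host by mail or HTTP"),
    ("persistence", re.compile(r"(?i)HKEY_(LOCAL_MACHINE|CURRENT_USER)\\|\.lnk\b|reinstall"),
     "registry or startup persistence"),
    ("tamper", re.compile(r"(?i)taskkill\s+/f"), "force-kills other processes"),
]

# Compiler-embedded PDB path; the account name in it is a pivot for finding
# other samples by the same developer.
PDB_USER = re.compile(r"(?i)^[a-z]:\\users\\([^\\]+)\\.*\.pdb$")


def classify_strings(strings):
    """Return {category: sorted matching strings}. Strings that match no rule are
    dropped so the noise of a real dump does not swamp the report."""
    hits = defaultdict(set)
    for s in strings:
        for category, rx, _ in RULES:
            if rx.search(s):
                hits[category].add(s)
    return {c: sorted(v) for c, v in hits.items()}


def pdb_info(strings):
    """Return (pdb_path, user_name) from the first PDB path found, else (None, None)."""
    for s in strings:
        m = PDB_USER.match(s)
        if m:
            return s, m.group(1)
    return None, None


def triage_verdict(strings):
    """Label a sample from the categories it trips. A family file name alone marks
    it as the known adware; capture plus exfil marks an unknown sample as
    spyware-capable; any other hit is merely suspicious."""
    cats = set(classify_strings(strings))
    if "family_file" in cats:
        label = "known adware family"
    elif {"capture", "exfil"} <= cats:
        label = "spyware-capable unknown"
    elif cats:
        label = "suspicious"
    else:
        label = "no indicators"
    return label, len(cats)


if __name__ == "__main__":
    report = classify_strings(SAMPLE_STRINGS)
    for category, rx, meaning in RULES:
        if category in report:
            print(f"[{category}] {meaning}: {len(report[category])} string(s)")
    path, user = pdb_info(SAMPLE_STRINGS)
    print(f"PDB path: {path} (developer account: {user})")
    print("verdict:", triage_verdict(SAMPLE_STRINGS))
```

To run it on a real sample, replace `SAMPLE_STRINGS` with the lines from a saved Strings tab or `strings` output. Because `classify_strings` only reports rule hits, the output is short enough to paste into a vendor's sample-submission form alongside the file hash.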
  14. simrick Win User
    Wow. I've been reading this thread and I have to say this is really interesting. Video, desktop screenshots and email? Wonder if it also has a keylogger?
    I just wonder if it wouldn't help to install the 30-day trial of ESET NOD32 and have this crap identified/uploaded to them?
    Also, do you have MBAE Free on the system? That helps protect against zero-day browser exploits. I know this is after the fact...
     
    simrick, Sep 22, 2016
    #29
  15. Borg 386 Win User
    Once you select the program to delete, you will be given 3 options as to method of removal. Seen on page 7 of the PDF.

    On page 8 of the PDF you will see the illustration of what will be presented when reg keys are presented for removal.

    You may want to look at this & run the malware removal after you have run RKill as well as being disconnected from the net while doing it.

    Remove adware (Virus Removal Guide)

    Is there any chance you can do a system restore 2 or 3 points before the infection occurred? This might solve the problem in one easy step.

    There's another malware scanner that hasn't been suggested/used yet, SuperAntiSpyware. They make a portable version which you can run from a USB or without installation. You can find it here. As with the others, run RKill 1st & then run the malware scanner.

    SUPERAntiSpyware - SUPERAntiSpyware Portable Scanner
     
    Borg 386, Sep 22, 2016
    #30