Windows 10: Hundreds of hidden Chrome now IE processes after installing software

Discuss and support Hundreds of hidden Chrome now IE processes after installing software in AntiVirus, Firewalls and System Security to solve the problem; Wow. I've been reading this thread and I have to say this is really interesting. Video, desktop screenshots and email? Wonder if it also has a... Discussion in 'AntiVirus, Firewalls and System Security' started by tacos team, Sep 14, 2016.

  1. I looked in the strings for anything like keylogger or capture, but couldn't see anything obvious. If it can do the others, presumably it could do that too, though. It seems it probably disguises its activities as crash reporting; see the registry entries listed at the bottom of this BleepingComputer removal guide (for the older, non-hidden exe with a GUI):

    How to remove Inetstat or Interstart (Removal Guide)

    I have Malwarebytes, AdwCleaner, HitmanPro and SUPERAntiSpyware, but none of them detected it. I just ran RKill again and it did detect it using heuristics:

    AppData\Roaming\Interstatnogui\interstatnogui.exe (PID: 7436) [UP-HEUR]

    I am now pretty sure it is a clone of the older Weatherman trojan, as there is still a lot of weather-related crap, the same filenames and the same creator name in the strings. I had a look to see if there was a virus submission form on ESET's site; I couldn't see anything obvious, so I presume I would have to download and install it? It seems a tad frustrating that there isn't more I can do to alert more AV vendors about this, bar posting on each forum individually.
     
    tacos team, Sep 22, 2016
    #31
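The triage the post above describes (an unknown executable running from AppData\Roaming that the installed scanners miss, with only RKill's heuristics flagging it) can be done in a repeatable way from an elevated PowerShell prompt. The script below is an added example and is not code from the thread or from any tool named in it. It lists every running process whose image lives under a user-writable profile root, shows what launched it, whether the binary carries a valid Authenticode signature, its SHA-256 (which can be looked up on VirusTotal by hash, without uploading the file), and which autorun locations reference the same file name. Only stock Windows 10 / PowerShell 5.1 cmdlets are used; the choice of roots to treat as suspicious and the 'unreadable' placeholders are my own.

```powershell
# Added example (not from the thread): triage of processes launched from
# user-writable profile paths, with persistence cross-reference and hashes.
# Run from an elevated PowerShell 5.1 prompt on Windows 10.

function Get-ProfileLaunchedProcess {
    # Roots a standard user can write to, so anything the user ran can drop a
    # binary there. Legitimate updaters live here too (Chrome, Teams, ...), so
    # this is a shortlist to inspect, not a verdict.
    $roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, $env:ProgramData) |
        ForEach-Object { [regex]::Escape($_) }
    $rootPattern = '^(?:' + ($roots -join '|') + ')\\'

    # Autorun locations that relaunch such a binary at logon: Run/RunOnce keys
    # (user, machine, 32-bit view), scheduled task actions, Startup folders.
    $autoruns = [System.Collections.Generic.List[object]]::new()
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $autoruns.Add([pscustomobject]@{ Source = $key; Command = [string]$prop.Value })
        }
    }
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                $autoruns.Add([pscustomobject]@{
                    Source  = "Task $($task.TaskPath)$($task.TaskName)"
                    Command = "$($action.Execute) $($action.Arguments)"
                })
            }
        }
    }
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        foreach ($file in (Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue)) {
            $autoruns.Add([pscustomobject]@{ Source = "Startup folder $dir"; Command = $file.FullName })
        }
    }

    # Every running process whose image sits under one of the roots, with its
    # parent, signature state, SHA-256 and any autorun entry naming the same file.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.ExecutablePath -and $_.ExecutablePath -match $rootPattern } |
        ForEach-Object {
            $proc = $_
            $path = $proc.ExecutablePath
            $name = [IO.Path]::GetFileName($path)
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $hash = Get-FileHash -Algorithm SHA256 -Path $path -ErrorAction SilentlyContinue
            $parent = Get-Process -Id $proc.ParentProcessId -ErrorAction SilentlyContinue
            $parentName = if ($parent) { $parent.Name } else { '<exited>' }
            $sigText    = if ($sig)    { $sig.Status }  else { 'unreadable' }
            $hashText   = if ($hash)   { $hash.Hash }   else { 'unreadable' }
            $persist = @($autoruns | Where-Object { $_.Command -like "*$name*" } |
                         ForEach-Object { $_.Source })
            [pscustomobject]@{
                PID         = $proc.ProcessId
                ParentPID   = $proc.ParentProcessId
                Parent      = $parentName
                Path        = $path
                Signature   = $sigText
                SHA256      = $hashText
                Persistence = ($persist -join '; ')
                CommandLine = $proc.CommandLine
            }
        }
}

Get-ProfileLaunchedProcess | Format-List
```

An unsigned binary in AppData\Roaming whose parent has already exited and which is referenced from a Run key is exactly the profile of the process in the post; the SHA256 column is what to paste into VirusTotal's search box. The Persistence column is what to clear (Revo Autorun Manager or the registry key itself) before the binary is deleted, otherwise the next logon brings it back.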

  2. Thanks again Borg. I went into Revo Autorun Manager and hit confirm on delete, and there were no other options; I think they only appear for programs that have been installed normally. Anyhow, on restart it has stopped it loading, although the exe is still there. I ran SUPERAntiSpyware and it just detected 1500+ tracking cookies; maybe I should monitor these a bit more carefully in the future!

    I may well do a system restore, or even a clean install. I am wondering whether I should nuke the hard drive first, and run command-line-based AV scanners as well to detect hidden files, etc.?
     
    tacos team, Sep 22, 2016
    #32
  3. Borg 386 Win User
    I think a system restore to a point 2 or 3 points past the infection time would be a good idea and would definitely be easier than trying to hunt down all the bits & pieces that this infection has spread all over. I say 2 or 3 points past because some malware can embed itself in the 1st restore point, so when you try to roll back it's still present on the OS.

    Just to cover all the bases, d/l & run TDSSKiller to confirm there are no rootkits on your system. Do this before you do a restore, since if one is present, a restore won't delete it.

    TDSSKiller Download


    Note: when running TDSSKiller, launch the program, click on the blue text "Change Parameters" & check the box marked "Detect TDLFS file system." Click OK & then run the scan.

    You could try a restore 1st & then if the trouble persists, then consider the option of a clean install.

    Starting over is a PIA, but it's the best option to ensure that you start with a clean system. It's usually a good idea to wipe the drive, since some malware, particularly rootkits, can survive a clean install.

    Here is a list of disk erasers you can opt to use. Once you wipe the HDD you shouldn't have anything left on the drive to need a scan on.

    Five hard disk cleaning and erasing tools - TechRepublic
     
    Borg 386, Sep 22, 2016
    #33
  4. simrick Win User

    Yeah, ESET would have to be installed, and run, for it to be submitted. I am not positive, but pretty sure that the major AVs share info on new threats. Trouble is, this is a PUP, not a virus, so AVs don't really go there. You'll notice that BleepingComputer's cleaning instructions have no AV in sight.
    I would try the system restore first. Actually, I would have tried that a long time ago.
    I could be wrong, but I thought you could clean a drive easily using diskpart - even hidden partitions from infections will be nuked that way. I recently did that on a few sticks that were infected with worms and hidden partitions.


    You could try a restore 1st & then if the trouble persists, then consider the option of a clean install. Agreed. TDSSKiller and then system restore.
    Matter of fact, I would first go into CCleaner and delete restore points that *could* be infected, and 2 or 3 more before that time. That way you're sure you don't use one you didn't mean to.
     
    simrick, Sep 22, 2016
    #34
  5.  
    tacos team, Sep 23, 2016
    #35
  6. I am not sure it is just a PUP, though. If you look at the earlier Weatherman malware, which was almost certainly made by the same person, it is detected by multiple AV providers as a Trojan. I think the programmer just got better at disguising it.

    https://www.virustotal.com/en/analis...f88d/analysis/

    Malware scan of gpupd55f74af50.exe (WeatherMan) 27e51183a0b4284d492b1a5ecb611b703f98e10c - Reason Core Security Labs

    Also, softwebbar from the same programmer installs a backdoor IRC channel, but that is still not detected by many AV vendors:

    Malware scan of softwebbar.exe (UserMon) c881585af321a20d92a1d4e9d5043faf00de474d - Reason Core Security Labs

    https://www.virustotal.com/en/file/7...e082/analysis/

    But what's stopping a trojan writer from just infecting all restore points? It doesn't sound like you can really be sure of being free of it just by going back 3 steps. One thing I am not sure about with a clean install is that I have a 'System Reserved' virtual drive with bootmgr, boot and Recycle Bin hidden folders on it; would a disk cleaner detect and remove that also? So after doing that I could just put in a DVD with the Windows 10 ISO on it and boot into this?
     
    tacos team, Sep 23, 2016
    #36
  7. simrick Win User
    Trojans download stuff. They bring in the infections.
    Use diskpart, or put the W10 ISO in and do a custom install and delete all partitions so you're clean installing to a completely unallocated drive.
    Then, make regular images with something like Macrium Reflect Free, and you won't have to go through this again.
     
    simrick, Sep 23, 2016
    #37
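Posts #33 to #37 settle on a sequence: check which restore points pre-date the infection, then (if restoring is not trusted) wipe the whole disk, hidden System Reserved partition included, and clean-install from the Windows 10 media. The script below is an added example, not code from the thread, that covers the two scriptable pieces of that from an elevated PowerShell 5.1 prompt: listing restore points with real timestamps so the infection date can be compared against them, and driving diskpart against a disk chosen by serial number (a placeholder here; take the real value from the Get-Disk listing it prints) with a refusal to touch the disk the running OS is on.

```powershell
# Added example (not from the thread). Elevated PowerShell 5.1 on Windows 10.
#  (a) Show-RestorePoints: restore points with sortable creation times.
#  (b) Invoke-FullDiskWipe: diskpart 'clean all' on a disk picked by serial
#      number, dry-run by default, refusing the boot/system disk.

function Show-RestorePoints {
    # CreationTime comes back as a CIM datetime string (yyyyMMddHHmmss.ffffff+zzz);
    # convert it so the list can be sorted and compared with the install date.
    Get-ComputerRestorePoint | ForEach-Object {
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Type        = $_.RestorePointType
            Description = $_.Description
        }
    } | Sort-Object Created
}

function Invoke-FullDiskWipe {
    param(
        [Parameter(Mandatory)][string]$SerialNumber,   # from Get-Disk, not a disk number
        [switch]$Execute                               # without it: report only
    )
    # Select by serial rather than by disk number: numbers change with cabling
    # and boot order (see the 'disk 0' question later in the thread), serials don't.
    $disk = Get-Disk | Where-Object { "$($_.SerialNumber)".Trim() -eq $SerialNumber }
    if (-not $disk) { throw "No disk with serial '$SerialNumber' was found." }
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $($disk.Number) holds the running OS. Boot the install media, press Shift+F10 and run the same diskpart lines there."
    }

    # 'clean' only drops the partition table; 'clean all' zero-fills every sector,
    # so hidden/OEM partitions, old boot code and anything else on the drive are
    # gone rather than merely unlisted. Setup creates fresh partitions afterwards.
    $lines = @("select disk $($disk.Number)", "clean all")
    $scriptPath = Join-Path $env:TEMP 'wipe-disk.txt'
    Set-Content -Path $scriptPath -Value $lines -Encoding ASCII

    $sizeGB = [math]::Round($disk.Size / 1GB)
    Write-Host "Target: disk $($disk.Number) $($disk.FriendlyName) ($sizeGB GB, serial $SerialNumber)"
    if (-not $Execute) {
        Write-Host "Dry run. diskpart script written to $scriptPath; re-run with -Execute to wipe."
        return
    }
    diskpart.exe /s $scriptPath
}

Show-RestorePoints | Format-Table -AutoSize
Get-Disk | Select-Object Number, FriendlyName, SerialNumber, IsBoot, IsSystem, Size | Format-Table -AutoSize
# Invoke-FullDiskWipe -SerialNumber 'PLACEHOLDER_SERIAL'            # dry run
# Invoke-FullDiskWipe -SerialNumber 'PLACEHOLDER_SERIAL' -Execute   # destroys the disk
```

Two caveats a practitioner would add: the restore-point listing is only as trustworthy as the OS it runs on, which is the reason the thread ends up at a wipe anyway; and 'clean all' is a full-drive write, which on an SSD is slow and wears the cells, so the drive vendor's secure-erase tool is the usual alternative there. Either way, once the target is the OS disk the same two diskpart lines are typed at the Shift+F10 command prompt of the install media, where Get-Disk is not available but diskpart is.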
  8. Thanks for the tip. Sorry if this is a dumb question, but how will Windows 10 then know I have a valid license? Do I need to back up the serial number somewhere, or can I use my original Windows 7 key?
    Yeah, point taken.

    Just a little extra point on the original software I installed, Stereo_Mix_Plus_Setup.exe (from REMOVETHIShttp://stereomixplus.com ): it seems to originate in China with a company named Shining Morning Inc., which has past form on installing adware at the very least, with its 'Magic Camera' software:

    https://www.virustotal.com/en/file/c...1aad/analysis/

    https://www.virustotal.com/en/file/4...5c74/analysis/

    ESET AV Remover - List of removable applications and instructions to run the tool (ESET Knowledgebase)
     
    tacos team, Sep 23, 2016
    #38
  9. simrick Win User
    Once a system has had W10 installed and activated, its activation resides on the MS servers, and you can reinstall/clean install as often as you like/need. Just don't go changing the motherboard. If you'd like to see your keys:
    Showkey - Windows 10 Forums
    But don't enter one when reinstalling.
    Macrium Reflect - Backup Restore - Windows 10 Forums

    Yeah, have to be so careful downloading stuff these days....
     
    simrick, Sep 23, 2016
    #39
  10. Simrick, Borg, thanks for your replies, am having some issues with reinstalling and formatting, would appreciate if you could check my pm, cheers.
     
    tacos team, Sep 25, 2016
    #40
  11. simrick Win User
    Hi.
    I will put your message here, in case it helps others in the future:

     
    simrick, Sep 25, 2016
    #41
  12. Thanks for your reply and the tutorial link. I think the 450MB partition currently on the SSD must be the UEFI partition. I presume it's best to use UEFI? I have seen a suggestion that if I just change the boot order in the BIOS so the SSD is disk 0, you might not need to remove the other drive?
     
    tacos team, Sep 26, 2016
    #42
  13. simrick Win User

    UEFI is best. Please remove the other drive, unless you want Windows to mess up the boot info across the two!
     
    simrick, Sep 26, 2016
    #43
  14. Thanks, did this, and all went smoothly. Had a bunch of updates to install immediately, up to the Anniversary Update; also spent a while disabling Cortana with a registry fix & removing a ton of Windows programs I didn't need, using PowerShell. I also turned off all of the background app refresh in Privacy, but it seems the few I have left as live tiles re-enabled themselves.

    How to Uninstall Windows 10’s Built-in Apps (and How to Reinstall Them)

     
    tacos team, Sep 28, 2016
    #44
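The post-rebuild clean-up the post above describes (built-in apps removed with PowerShell, Cortana switched off in the registry, background app access turned off) is worth doing as a script so it is repeatable and can be dry-run before it changes anything. The block below is an added example, not code from the thread or from the linked how-to. The app name patterns are my own list; the two registry values are the registry form of the corresponding Group Policy settings (AllowCortana, and LetAppsRunInBackground where 2 means "force deny"), which, unlike the Settings toggles the poster used, are not something an app or live tile can switch back. Run elevated.

```powershell
# Added example (not from the thread). Elevated PowerShell 5.1 on Windows 10.
# Dry-run by default: call the functions with -Execute to apply.

# Packages to drop, matched against Get-AppxPackage Name. Wildcards are
# deliberate: names vary between builds (e.g. Microsoft.ZuneMusic/ZuneVideo).
$removePatterns = @(
    'Microsoft.BingNews', 'Microsoft.BingWeather', 'Microsoft.BingFinance', 'Microsoft.BingSports',
    'Microsoft.Zune*', 'Microsoft.Xbox*', 'Microsoft.MicrosoftSolitaireCollection',
    'Microsoft.3DBuilder', 'Microsoft.Getstarted', 'Microsoft.SkypeApp', 'Microsoft.People',
    'Microsoft.Messaging', 'Microsoft.OneConnect', 'Microsoft.WindowsFeedbackHub'
)

function Remove-UnwantedAppx {
    param([switch]$Execute)
    $installed   = Get-AppxPackage
    $provisioned = Get-AppxProvisionedPackage -Online
    foreach ($pattern in $removePatterns) {
        # Installed copy for the current profile ...
        foreach ($pkg in ($installed | Where-Object { $_.Name -like $pattern })) {
            if ($Execute) { Remove-AppxPackage -Package $pkg.PackageFullName -ErrorAction SilentlyContinue }
            else          { "would remove installed:   $($pkg.PackageFullName)" }
        }
        # ... and the provisioned image copy, so new profiles do not get it back.
        foreach ($prov in ($provisioned | Where-Object { $_.DisplayName -like $pattern })) {
            if ($Execute) { Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName | Out-Null }
            else          { "would remove provisioned: $($prov.PackageName)" }
        }
    }
}

function Set-PrivacyPolicies {
    param([switch]$Execute)
    # Machine-wide policy values; policy overrides the per-user Settings toggles
    # and is not changed when an app asks for its permission back.
    $policies = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'; Name = 'AllowCortana';            Value = 0 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy';     Name = 'LetAppsRunInBackground'; Value = 2 }  # 2 = force deny
    )
    foreach ($p in $policies) {
        if (-not $Execute) { "would set $($p.Path)\$($p.Name) = $($p.Value)"; continue }
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        Set-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -Type DWord
    }
}

Remove-UnwantedAppx     # dry run: lists what would be removed
Set-PrivacyPolicies     # dry run: lists what would be set
# Remove-UnwantedAppx -Execute; Set-PrivacyPolicies -Execute
```

Removing the provisioned copy as well as the installed one is the step that the Settings-based approach misses: a new user profile (or a feature update that re-provisions) otherwise brings the apps back, and the AllowCortana policy value is the one the poster's "registry fix" is setting.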
  15. simrick Win User
    Great news! If you're satisfied, please mark the thread as solved. Cheers!
     
    simrick, Sep 28, 2016
    #45