New variants of Weatherman trojan discovered

tacosteam

Given ESET has helped me out in the past with virus removal tools, I thought I'd post here first :). 10 days ago I installed software from vttp://stereomixplus.com (replace v with h) to allow streaming my own internal PC audio online. After a few minutes I started noticing multiple background Chrome processes making 200+ connections to different IPs. Initially hoping it was just an infection confined to Chrome, I uninstalled it, but then noticed exactly the same thing with background Internet Explorer processes in Kaspersky Network Monitor, so I blocked all connections and did numerous scans with various anti-adware and malware scanners. With AdwCleaner I discovered numerous leftovers from Lavasoft Web Companion, so I initially put it down to this. However, after a few days I unblocked Internet Explorer in Kaspersky but required permission for connections; I was then alerted when an encrypted connection was attempted to vast.ssp.optimatic.com, so I blocked that and then checked Kaspersky Network Monitor.

Again, there were 200+ connections to different IPs in a background Internet Explorer process, so I blocked all net access and blocked Internet Explorer again in Kaspersky settings. However, I then looked at Process Explorer, and I could see the second-highest CPU usage was by interstatnogui.exe, located at C:\Users\YOURUSERNAME\AppData\Roaming\Interstatnogui, and it turns out this file was installed when I installed Stereo_Mix_Plus_Setup.exe.

Looking at the strings of the exe in Process Explorer (attached as txt), I found quite a bit of data that links it to other malware, including the Weatherman trojan: the programmer has put in his user account name Ozrenko, the use of the Interstat theme, weather data in the strings, and links to vttp://interstat.eu (replace v with h), classified as a malicious site by numerous providers:

 

https://www.virustotal.com/en/url/826307362cf601012c703e9510275310a2876fd55505b6618656d8732f0c7d02/analysis/

I summed most of this up, with VirusTotal and Reason Core links, on tenforums in this post:

hxxp://www.tenforums.com/antivirus-firewalls-system-security/63767-hundreds-hidden-chrome-now-ie-processes-after-installing-software-3.html#post820218

All the exes I think are variants:

inetstat.exe, interstat.exe, speedtray.exe, isup.exe, UserMon.exe

inter_weather_v320.exe, interstat.exe, gpupd55f74af50.exe, inter_weather2.exe

softwebbar.exe, sftwbbr_v333.exe

NetworkMonitor.exe

BandwidthMon.exe, bandwidthstat.exe, speedmon.exe, inter_bandwidth_v339.exe

Attachment: interstatnogui.exe - Copy.txt

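A small detection script, added here as an example and not part of the original post or of any tool named in it, that automates what the post describes checking by hand in Kaspersky Network Monitor and Process Explorer: it parses `netstat -ano` output, counts distinct remote IPs per owning PID, and flags any process that fans out to hundreds of remotes or runs from a user's AppData\Roaming folder. The process table and netstat rows are constructed sample data (made-up PIDs, paths and TEST-NET addresses), not captures from the infected machine.

```python
import re
from collections import defaultdict
# One `netstat -ano` TCP row: local address, remote ip:port, state, owning PID.
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+\S+\s+(?P<rip>[\d.]+):\d+\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$")

def parse_netstat(text):
    """Map PID -> set of distinct remote IPv4 addresses (loopback excluded)."""
    remotes = defaultdict(set)
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        # Only live outbound connections count; TIME_WAIT rows are skipped.
        if not m or m["state"] not in ("ESTABLISHED", "SYN_SENT"):
            continue
        if m["rip"].startswith("127."):
            continue
        remotes[int(m["pid"])].add(m["rip"])
    return dict(remotes)

def find_suspicious(remotes, processes, threshold=100):
    """Return [(pid, path, reasons)] for processes that fan out to >= threshold
    distinct remote IPs or run out of a user's AppData\\Roaming folder."""
    hits = []
    for pid, path in processes.items():
        reasons = []
        n = len(remotes.get(pid, ()))
        if n >= threshold:
            reasons.append(f"{n} distinct remote IPs")
        if re.search(r"\\AppData\\Roaming\\", path, re.IGNORECASE):
            reasons.append("runs from AppData\\Roaming")
        if reasons:
            hits.append((pid, path, reasons))
    return hits

# Constructed sample data: made-up PIDs and paths, TEST-NET remote addresses.
SAMPLE_PROCESSES = {
    4412: r"C:\Users\user\AppData\Roaming\Interstatnogui\interstatnogui.exe",
    1200: r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    900: r"C:\Windows\System32\svchost.exe",
}
SAMPLE_NETSTAT = "\n".join(
    [f"  TCP    10.0.0.5:{49000 + i}    203.0.113.{i}:443    ESTABLISHED    4412"
     for i in range(250)]
    + [f"  TCP    10.0.0.5:{51000 + i}    198.51.100.{i}:443    ESTABLISHED    1200"
       for i in range(5)]
    + ["  TCP    127.0.0.1:49700    127.0.0.1:49701    ESTABLISHED    900",
       "  TCP    10.0.0.5:52000    198.51.100.9:80    TIME_WAIT    1200"])
for pid, path, reasons in find_suspicious(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES):
    print(pid, path, "; ".join(reasons))
```

On a live Windows host, feed it the output of `netstat -ano` and a PID-to-image-path table from Process Explorer or `tasklist`; the threshold is deliberately well below the 200+ connections seen in the post.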

Just a quick note to say I posted about this on FreeFixer, and someone observed the exact same behaviour: hundreds of background connections in Chrome, which they uninstalled, only to be followed by the same thing in a background Internet Explorer process.

hxxp://www.freefixer.com/library/file/interstatnogui.exe-206720/#comment11230

Roger Karlsson, the owner of FreeFixer, tested Stereo_Mix_Plus_Setup.exe in a virtual machine, but in his case a different adware was offered, so it looks like what is installed might vary depending on location or your system. The Stereo Mix Plus software seems to originate in China with a company named Shining Morning Inc., which has past form, at the very least, of installing adware with its Magic Camera software.

https://www.virustotal.com/en/file/c346ca58021c94b9411e132d9d19b65cc60dc870bacdf117cd65a78fd9ea1aad/analysis/

https://www.virustotal.com/en/file/4b5263f6121fff63c1d19b336714b8c9b0fdc012d8e908b08b8f8b9807d95c74/analysis/


A new version of Weatherman I just found, compiled in April, version 1.0.3.40, compared to the older version number 1.0.3.18 used by the previous Weatherman and variants:

interstatnogui ( inetstat.exe interstat.exe speedtray.exe isup.exe UserMon.exe )

BandwidthMon ( BandwidthMon.exe aka bandwidthstat.exe speedmon.exe inter_bandwidth_v339.exe )

User Monitor ( UserMon.exe aka softwebbar.exe sftwbbr_v333.exe )

https://www.virustotal.com/en/file/1d44605d58be5df7fe72a3412b486186d56d485365babf26f06efcfdd84efcf5/analysis/


A variant of its Network Monitor incarnation, with varying version numbers, now detected by 15 providers (not yet ESET) as a Trojan:

1.3.4.2
1.3.4.3
1.4.3.2

Confirmed links to Interstat from variant filenames in the strings: interstat.exe, inetstat.exe, bandwidthstat.exe.

https://www.virustotal.com/en/file/6d357e1f8f2a27accedf350f63718326299c8f14d567cc1f75f4054aab859379/analysis/
