Hi, I went to delete it and I can't see an advanced option; it just asks "OK to delete this item?". Meanwhile I have been looking at Process Explorer (with the process suspended), and I found some info in the strings that seems to:
1. confirm links to other malware processes: inetstat.exe, interstat.exe, speedtray.exe, isup.exe, UserMon.exe
What is speedtray.exe?
2. confirm a link to REMOVETHIShttp://interstat.eu
3. suggest it has screenshot, video and emailing ability.
4. The programmer of the adware/trojans seems to be named Ozrenko (a Yugoslavian name), which links it to an older, more widely detected trojan, Weatherman (exes inter_weather_v320, interstat, gpupd55f74af50, inter_weather2).
Malware scan of gpupd55f74af50.exe (WeatherMan) 27e51183a0b4284d492b1a5ecb611b703f98e10c - Reason Core Security Labs
https://www.virustotal.com/en/file/6...fb9a/analysis/
https://www.virustotal.com/en/analis...f88d/analysis/
also User Monitor (UserMon.exe, aka softwebbar.exe, sftwbbr_v333.exe)
https://www.virustotal.com/en/file/7...e082/analysis/
Malware scan of softwebbar.exe (UserMon) c881585af321a20d92a1d4e9d5043faf00de474d - Reason Core Security Labs
NetworkMonitor (NetworkMonitor.exe)
https://virustotal.com/it/file/a3476...1a72/analysis/
BandwidthMon (BandwidthMon.exe, aka bandwidthstat.exe, speedmon.exe, inter_bandwidth_v339.exe)
https://www.virustotal.com/en/analis...f9a8/analysis/
Code:
HTTPRequest
POST
HTTP/1.0
GET
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept - Encoding: gzip, deflate
Interstat
reinstall_started
reinstall_started
Interstat\Interstat.exe
Interstat
gInterstat\Interstat.exe
\InetStat\inetstat.exe
.exe
\SpeedTray\speedtray.exe
.\isup.exe
DisplayIcon
DisplayName
Publisher
DisplayVersion
NoModify
UninstallString
NoRepair
isup.exe
mention of screenshots
Code:
true;
window.ises.isAlexaToolbarInstalled =
false;
URL set
:Javascript called
Internet Explorer deleted, owner delete
Internet Explorer deleted,for closing tabs
Failed to fetchIID_IDispatchEx
event:
event:
event:
savesshot.php
Failed to getElementById
Failed to take screenshot on IE:
noc
/uninstall
Unsupported OS
taskkill /f /im
Are you sure you want to uninstall
tempRun123.lnk
%TEMP%\
Failed to delete shortcut lnk
event.html?n=
.exe
Code:
>>> Performing actions with error report: '%s'
Error opening file %s.
Copying file %s.
Couldn't get file size of %s
CrashSender%d.exe
Error creating file %s.
Start video recording.
Local\CrashRptEvent_%s_2
Error opening event.
Looking for files using search template: %s
Error initializing video recorder.
Could not find any files matching the search template.
Video recording completed.
[encoding_video]
Desktop video recording disabled; skipping.
Encoding recorded video, please wait...
Error encoding video.
DescVideo
DetailDlg
Finished encoding video.
Error opening file for writing.
Error saving XML document to file:
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
Restarting the application...
Application restarted OK.
Error restarting the application!
\*.txt
Unspecified error.
Error reading crash info: %s
RTLReading
Settings
DescScreenshot
Code:
AppVersion
Sending error report over HTTP...
Preparing HTTP request data...
OperatingSystem
crashrptver
OSIs64Bit
appname
GeoLocation
appversion
crashguid
SystemTimeUTC
0x%I64x
emailfrom
emailsubject
ExceptionAddress
[taking_screenshot]
description
Taking desktop screenshot
Desktop screenshot generation disabled; skipping.
ExceptionModule
Code:
SOFTWARE\Clients\Mail
Error detecting E-mail client
Detected E-mail client
mapi32.dll
Error loading mapi32.dll
Not found required function entries in mapi32.dll
MAPILogon has failed with code %X.
Error allocating memory
Error allocating memory
MAPISendMail has failed with code %X.
EDISPLAY
%s\screenshot%d.png
%s\screenshot%d.jpg
%s\screenshot%d.bmp
Start sending email
Error querying DNS record.
Finished OK.
Critical error detected.
Error sending email.
Code:
buffer error
incompatible version
RSDS
J8UP
C:\Users\Ozrenko\Documents\Work\Interstat2\crashrpt\bin\CrashSender.pdb