interstatnogui.exe is part of UserMon and developed by Global surveys according to the interstatnogui.exe version information.
interstatnogui.exe's description is "Internet usage".
interstatnogui.exe is usually located in the 'c:\users\%USERNAME%\appdata\roaming\interstatnogui\' folder.
None of the anti-virus scanners at VirusTotal reports anything malicious about interstatnogui.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
The following is the available information on interstatnogui.exe:
Property | Value |
---|---|
Product name | UserMon |
Company name | Global surveys |
File description | Internet usage |
Internal name | User monitor |
Original filename | UserMon.exe |
Legal copyright | Copyright (C) 2015 |
Product version | 1.0.3.18 |
File version | 1.0.3.18 |
[Screenshot: the file properties as displayed by Windows Explorer, showing the same values as the table above.]
interstatnogui.exe is not signed.
None of the 57 anti-virus programs at VirusTotal detected the interstatnogui.exe file.
Property | Value |
---|---|
MD5 | e631969505d845c43c61a383def6de81 |
SHA256 | 45203abce638147888f50b6494595d0db0e402d0c648eb26394bc2745ae81dc3 |
These are some of the error messages that can appear related to interstatnogui.exe:
interstatnogui.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
interstatnogui.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
Internet usage has stopped working.
End Program - interstatnogui.exe. This program is not responding.
interstatnogui.exe is not a valid Win32 application.
interstatnogui.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
The poll result listed below shows what users chose to do with the file. 99% have voted for removal. Based on votes from 256 users.
NOTE: Please do not use this poll as the only source of input to determine what you will do with the file.
If you feel that you need more information to determine if you should keep this file or remove it, please read this guide.
Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and lets you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.
If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
I have interstatnogui on my computer and I cannot remove it??
Is there any way to remove it for free???
# 20 Feb 2016, 9:36
edsf2001: Revo UnInstaller worked fine on removing the file & the 8 registry entries without problem.
# 24 Mar 2016, 17:58
I have deleted the interstatnogui.exe with everything I can, including your software, and it keeps coming back.
# 1 Apr 2016, 18:04
For the past four days I've noticed that Chrome had some open processes running in the background, using a lot of memory and tremendously slowing down other tasks, so much that I uninstalled Chrome (not my main browser anyway). But then Internet Explorer started doing it instead. After looking up where data that Chrome was interacting with was being sent, I found to check the startup items with msconfig. I found this {interstatnogui.exe} and obviously I never knowingly installed it, so I disabled it, ended its process in Task Manager, then deleted the file. Now Chrome isn't running in the background anymore.
Malwarebytes Anti-Malware doesn't detect this as a virus but given its nature to hide in the background, suck up my memory and use network/data, it is definitely a virus.
# 21 Jul 2016, 6:34
I have observed exactly the same behaviour as described by Edtion. Chrome was running in the background, making 200+ connections to different IPs, so I uninstalled it, and then Internet Explorer started doing the exact same thing.
I had installed audio software Stereo_Mix_Plus_Setup.exe from REMOVETHIShttp://stereomixplus.com to allow streaming my own internal PC audio online. It's possible I left a box ticked to install something extra, but I can't remember for sure. What it was clear it installed was Lavasoft Web Companion, which I initially assumed to be the culprit, as even after uninstalling, a scan with AdwCleaner revealed a large number of registry entries and files left over. I then ran a full Kaspersky and Malwarebytes scan and nothing was found.
After a few days, assuming everything was now OK, I unblocked Internet Explorer in Kaspersky, but set it so it had to request access. A short while after, I got a warning that an encrypted connection to vast.ssp.optimatic.com was being attempted, so I blocked that and then checked Kaspersky Network Monitor. Again, there were 200+ connections to different IPs in a background Internet Explorer process, so I blocked all net access, and blocked Internet Explorer again in Kaspersky settings. However, I then looked at Process Explorer, and I could see the 2nd highest CPU usage was by interstatnogui.exe located at C:\Users\YOURUSERNAME\AppData\Roaming\Interstatnogui, and it turns out this file was installed as I installed the Stereo_Mix_Plus_Setup.exe.
It appears to be a variant of inetstat, a bogus programme claiming to measure download speed.
http://www.bleepingcomputer.com/virus-removal/remove-inetstat
The original filename in its file properties is UMon.exe version 1.0.3.18
It is connected to the website REMOVETHISinterstat.eu which is marked as a malware or malicious site by at least 10 providers
https://www.virustotal.com/en/url/e9193ed1ca0445eabd32eb7857209dfb77402949fff2598a21d7de298be9142c/analysis/
https://www.virustotal.com/en/url/2f3dab06e6cd32f1d90e1265f2d3bc08efcd004cbfd3b227aff87a5fb473ac52/analysis/
https://www.virustotal.com/en/url/17734cc45766bbf2937986e2d4cc7d939a5e24cac188ce4e1f12727701d9031e/analysis/1474571993/
The file, as UMon.exe is only detected by 4 providers so far
https://www.virustotal.com/en/analisis//file/73a084673e3cc0abec2b21c79fe42f51d2f8e603c8ad50492229c1f34843e082/analysis/
I just reanalysed interstatnogui.exe and it is now being detected by one provider (previously was zero)
https://www.virustotal.com/en/file/671384ef9121c768009c7077eff5a77ac986b93678dd11902335f37b4c09b71a/analysis/1474575150/
# 22 Sep 2016, 13:18
Hi Roger! I actually made a typo there, the original exe was UserMon.exe not UMon.exe. I assume you could run it in a virtual machine or sandbox, I think it requires itself to be run as administrator (possibly for nefarious reasons) so I wouldn't recommend running in standard mode! It gave an option to untick, I presume you should leave that, although I suspect it makes no difference to the interstat malware. The software itself is also only a trial, which is what made me uninstall as there was no warning of that on its webpage. There is free software that does the same thing here which I used instead REMOVETHIShttp://vb-audio.pagesperso-orange.fr/Cable/index.htm .
I have also been posting about this on tenforums, my latest post is below, in which I post extracts from the strings which reveal quite a lot of information on the malware, and link it to many other processes and a more widely detected malware named Weatherman both seemingly created by someone named Ozrenko (a Yugoslavian name). That is assessed as much more dangerous by some av providers than simple adware, possibly installing backdoor irc channels. The crash reporting seems a possible cover for data theft, perhaps a tactic to trick avs into thinking it's benign?
http://www.tenforums.com/antivirus-firewalls-system-security/63767-hundreds-hidden-chrome-now-ie-processes-after-installing-software-3.html#post820218
inetstat.exe interstat.exe speedtray.exe isup.exe UserMon.exe
inter_weather_v320.exe interstat.exe gpupd55f74af50.exe inter_weather2.exe
https://www.reasoncoresecurity.com/gpupd55f74af50.exe-27e51183a0b4284d492b1a5ecb611b703f98e10c.aspx
https://www.virustotal.com/en/file/602e35a185867eaa9b63a5892079c1d43a082ca7e9c56e0d047f065f6190fb9a/analysis/
https://www.virustotal.com/en/analisis//file/c6949956bc2b1bb33b75c61a4616378caed878d6369045c3392ef8948f13f88d/analysis/
softwebbar.exe sftwbbr_v333.exe
https://www.virustotal.com/en/file/73a084673e3cc0abec2b21c79fe42f51d2f8e603c8ad50492229c1f34843e082/analysis/
https://www.reasoncoresecurity.com/softwebbar.exe-c881585af321a20d92a1d4e9d5043faf00de474d.aspx
NetworkMonitor.exe
https://virustotal.com/it/file/a3476ebeaf08ea454868f4d2a07f48748335075c1078bc9702e9eaf71a971a72/analysis/
BandwidthMon BandwidthMon.exe aka bandwidthstat.exe speedmon.exe inter_bandwidth_v339.exe
https://www.virustotal.com/en/analisis//file/5d02cb181ea36f22ed15f70f63ed88b2f88ac460cc32ff9fa003c13ea094f9a8/analysis/
See also
http://www.bleepingcomputer.com/virus-removal/remove-inetstat
note registry entries at bottom of page with crash reporting etc.
https://malwaretips.com/blogs/remove-inetstat-ads/
# 23 Sep 2016, 4:41
Hi Roger, when you say it bundled it, was it offered as a tickable box option or did it just install regardless? That's the thing about my install, I think Lavasoft Web Companion was the declared option but interstat came unannounced. Might be worth downloading Web Companion to see if it comes as part of that?
I could email the interstatnogui file if you like, and my download of Stereo Mix Plus in case it's different. I note the software seems to originate in China with a company named Shining Morning Inc. which has past form on installing adware at the very least with its 'magic camera' software
https://www.virustotal.com/en/file/c346ca58021c94b9411e132d9d19b65cc60dc870bacdf117cd65a78fd9ea1aad/analysis/
https://www.virustotal.com/en/file/4b5263f6121fff63c1d19b336714b8c9b0fdc012d8e908b08b8f8b9807d95c74/analysis/
# 27 Sep 2016, 3:39
Thanks for your reply Roger. Did you try and set interstatnogui as a startup object and try and observe its behaviour? Annoyingly I deleted the exact registry key it used with Revo Uninstaller Autorun Manager.
# 29 Sep 2016, 3:57
A newer version of Weatherman I just discovered, compiled in April, version 1.0.3.40, compared to older version number 1.0.3.18 had by previous Weatherman and variants
interstatnogui
BandwidthMon (BandwidthMon.exe aka bandwidthstat.exe speedmon.exe inter_bandwidth_v339.exe)
User Monitor (UserMon.exe aka softwebbar.exe sftwbbr_v333.exe)
https://www.virustotal.com/en/file/1d44605d58be5df7fe72a3412b486186d56d485365babf26f06efcfdd84efcf5/analysis/
# 29 Sep 2016, 17:06
Another variant Network Monitor with varying version numbers, now detected by 15 providers as a Trojan
1.3.4.2
1.3.4.3
1.4.3.2
confirmed links to interstat from variant filenames in strings interstat.exe inetstat.exe bandwidthstat.exe
https://www.virustotal.com/en/file/6d357e1f8f2a27accedf350f63718326299c8f14d567cc1f75f4054aab859379/analysis/
# 29 Sep 2016, 17:42