wenapee

Tencent / Qvod / soso search (+ seems to be getting reinfected with possible trojans)


PC problems started after installing the Qvod player (around 4 August). I will add a full description in the second post.

OTL scan is not producing the Extras log anymore, but a few days ago I scanned with OTL and attached the "Extras" log from that scan here.


(Attachments: Latest HitmanPro scan found a trojan, but it seems to be a false positive; I can't confirm)

(Attachments: MBAM, some of the previously identified infections)

(Attachments: Emsisoft, scan from yesterday which identified new infections)

(Attachments: SUPERAntiSpyware: again new infections, can't confirm FP or not, but the C:\I386\WEXTRACT.EXE C:\WINDOWS\$NTSERVICEPACKUNINSTALL$\WEXTRACT.EXE seem to be an FP, because it was finding these entries long before the PC problem started, so I think these are FP.)

Description of the problem:

I wanted to install the Qvod player. It's a Chinese video player and I installed it from their site here http://www.qvod.com/ which sent me to this http://www.kuaibo.com/ site to download the player.

The download file is small but the installation is much bigger (meaning the file downloads the installation files). Anyway, after I installed the player my PC began to show some huge problems (possibly after restarting the PC):

A: PC became very slow

B: Search engine was modified and no matter what I try it will not be deleted (modified to the so-called "soso search engine from TENCENT")

I uninstalled the Qvod player and a program with Chinese characters in Add/Remove Programs. After that nothing had improved, so I had to run some other spyware removers.

Spybot Search and Destroy: identified some registry entries and TENCENT folders.

Emsisoft Anti-Malware: identified a lot of registry entries from the Qvod player and some leftover files from the uninstallation.

Malwarebytes: identified trojans in 6 different places, all related to this TENCENT (2 files and 4 registry settings). I stopped the scan and removed the threats to run a full scan, which found some more threats. But not all.

SUPERAntiSpyware found more related to this infection, as the VirusTotal report already indicated (https://www.virustot...sis/1344228995/). But not all.

Until now my PC is still infected, because my browser is still trying to have the soso search engine from TENCENT as the main search engine, without any possible way to remove it at this point.

With a lot of searching I found that the registry entries that make soso search the primary search engine are the following:

IE - HKU\S-1-5-21-2138796484-1341467354-2207242880-1011\..\SearchScopes,DefaultScope = {1FF7973D-AB0A-496d-82C1-4EADBBA11E7B}

IE - HKU\S-1-5-21-2138796484-1341467354-2207242880-1011\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC

IE - HKU\S-1-5-21-2138796484-1341467354-2207242880-1011\..\SearchScopes\{1FF7973D-AB0A-496d-82C1-4EADBBA11E7B}: "URL" = http://www.soso.com/...}&unc=y400372_4

I don't know if there are underlying files that control this or cause this, and I am no PC expert, so I would not know how to solve this.

If you perform a Google search for the following: 1FF7973D-AB0A-496d-82C1-4EADBBA11E7B you will see that it is related to the Qvod player and Tencent.

A few days ago I installed HitmanPro and it found more infections, but after HitmanPro removed them the PC seems to be running more normally. Except in IE, where the Tencent / soso search still tries to be the main search engine and there is no possible way to delete it.

http://imageshack.us/f/502/soso.jpg/

http://imageshack.us...entstartup.jpg/ (there is a Tencent startup entry which I deactivated; when I activate it, the following becomes visible in the IE8 browser extensions:

http://imageshack.us...91/tencent.jpg/ )

Yesterday I wanted to request help at the Emsisoft forum. I scanned with the EEK and it found the following (to my surprise, because previously it did not find anything more related to this Tencent infection):

scan gestart: 15-8-2012 13:08:51

Value: hkey_current_user\software\microsoft\internet explorer\urlsearchhooks --> {db8b2393-7a6c-4c76-88ce-6b1f6ff6ffe9} Ontdekt: Trace.Registry.tencent addressbar!E1

Value: hkey_current_user\software\tencent\tbh --> enabletbh Ontdekt: Trace.Registry.tencent addressbar!E1

Value: hkey_current_user\software\tencent\tbh --> enabletip Ontdekt: Trace.Registry.tencent addressbar!E1

Value: hkey_current_user\software\tencent\tbh --> showhistory Ontdekt: Trace.Registry.tencent addressbar!E1

Value: hkey_current_user\software\tencent\tbh --> showhotkeys Ontdekt: Trace.Registry.tencent addressbar!E1

Gescand 877575

Gevonden 5

Scan geëindigd: 15-8-2012 16:05:02

Scantijd: 2:56:11

As instructed I did not remove them, but the following day the scan did not find them, so I might have removed them by accident. But I have scanned the PC before with Emsisoft and it did not find the above, which makes me think that there is some kind of trojan downloader active which causes re-infection of the PC.

In fact, after the Qvod installation the other scanners mentioned above found many infections. I add some of the logs below.

Thank you for your time.


Please download ComboFix from one of the following links, and follow the instructions below to run it. Save it as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


The first download link stops at 22%; the second download link worked, but:

http://imageshack.us...21/errordd.jpg/

I am getting the above error message. Should I select Ignore to try and run the scan?

Does disabling antivirus include disabling the COMODO firewall?

EDIT: It does not seem to be possible to scan due to the above error. Should I try to scan in Safe Mode?


The first link is working now and the program from the first link seems to be a working version. It seems the second link is a bugged ComboFix; it's slightly bigger and not signed.


COMODO's firewall includes a HIPS called Defense+, and would need to be disabled in order to run ComboFix without interference.

I'll take a look at the file from the second link, and see why it isn't working.

Edit: It looks like the InfoSpyware link isn't working properly. I'll have to get in contact with sUBs, and see if he is aware of this.


ComboFix logs attached.

I deactivated the firewall, and I don't have Defense+ activated by default.

I expected you to ask for the non-working file. I put it in the Recycle Bin without deleting it, but after the ComboFix scan the Recycle Bin is empty (does ComboFix empty the Recycle Bin?).

ComboFix was unable to install the Recovery Console. Is it possible to try and install it manually?

(After the ComboFix scan IE was no longer the main browser / some internet settings seem to have changed, because logging in to this site gave me warnings about secure connections / the AVG tray icon disappeared. It will probably be fixed after a restart.)

Thank you for your time.


Redownloaded the second link; it's still not working. It's too big to attach here, so I uploaded it to sendspace here: http://www.sendspace.com/file/0whx92

Don't worry about that second link. I've contacted sUBs (the maker of ComboFix) to let him know it isn't working right.

As for your log, it looks like ComboFix took care of everything on its own. I did see evidence of what looked like a rootkit in the files that ComboFix deleted, so let's make sure that there are no further rootkit components on your system.

Please get me a log from TDSSKiller by following the instructions below:

  1. Download TDSSKiller from this link and save it on your desktop.
  2. Run the TDSSKiller download that you saved.
  3. Click on Change parameters as it shows in the following screenshot:
  4. Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK:
  5. Click the Start scan button as in the following screenshot:
  6. You will see the following as the scan runs:
  7. If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!), note that you can click on the selection action to open a list and change it if it is not set to Skip automatically, and then click Continue at the bottom when everything is set to Skip:
  8. Click on Report in the upper-right corner, as in the following screenshot:
  9. You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report.
  10. Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report.
  11. Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list.
  12. Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot:
  13. Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot. Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.


OK, that log looks good to me (unsigned drivers are common even in legitimate software), so let's move on to a virus scan just to make sure that we are not missing anything. Please run an online virus scan through ESET by following the steps below:

  1. Turn off your anti-virus software.
  2. Click on this link.
  3. Click on the ESET Online Scanner button.
  4. Put a check in the box that says YES, I accept the Terms of Use.
  5. Click the 'Start' button just to the right of the checkbox.
  6. Uncheck the box that says Remove found threats (this is very important).
  7. Click on Advanced settings.
  8. Put a check in the box that says Scan for potentially unsafe applications.
  9. Verify that Scan for potentially unwanted applications is also checked.
  10. Verify that Enable Anti-Stealth technology is also checked.
  11. Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
  12. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
  13. Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
  14. Close the ESET online scan.

I will take a look at the log, and let you know if anything needs removed.


The scan will take a while; I will attach the logs in some hours. I don't expect it to find anything at this point, since I scanned with it previously. From the ComboFix logs I saw it failed to remove some files. Is it important to remove them at a later point?

Also, do you think it is advisable to still try to install the Recovery Console (maybe manually), since ComboFix was not able to install it?

thank you in advance


The Tencent traces that Emsisoft found 2 days ago and somehow could not find yesterday (as mentioned before): it found them today again. I did not remove any; waiting for further instructions.


Let's get a fresh OTL log, and see if these show up. Here are the instructions:

  1. Click this link to save OTL onto your desktop (please make sure to click 'Save' instead of 'Run').
  2. Double click on the OTL icon on your desktop to run it. Make sure all other windows are closed and to let it run uninterrupted.
  3. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan will take a few minutes.
  4. When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. The first one (OTL.txt) will be automatically saved on your desktop next to OTL, and the second one will need to be saved manually.
  5. Please make sure that both OTL.txt and Extras.txt are saved on your desktop, and then attach both of them to a reply so that we can take a look at them.


I talked to one of our developers, and he's fairly certain that the detections are being displayed improperly due to a bug in the EAM scan engine that may also be preventing it from removing the infection. The infection is also not showing up in the OTL log, and is not really a dangerous infection (more along the lines of a nuisance or a minor spyware). Chances are it is in another profile on the computer, and that's why OTL isn't showing it.

The bug should be fixed when version 7 of Emsisoft Anti-Malware is released. For now, since the OTL log isn't showing the infection, I wouldn't worry about it.


Yes, I tried to remove them now and these entries keep coming back.

How about the soso search, is there any way to remove it? I just reset IE and it is still there, wanting to make itself the main search engine in my IE, with no way to remove it.

And from the ComboFix logs I saw it failed to remove some files. Is it still important to remove them?

Thank you in advance


Yes, the soso.com search is easy to remove.

I have written a cleanup script for OTL (if you need to, you may download OTL from this link).

  1. Please download the following OTL_Script file, and save it on your desktop. After saving it, open it, run OTL, and copy and paste the contents of the OTL_Script file into the Custom Scans/Fixes box at the bottom of the OTL window:
  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
  4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.


OTL logs attached.

(I was running SUPERAntiSpyware and it found some of the same entries as Emsisoft. I will try to remove them; log attached.)


Well, SystemLookup says that it is malicious, so let's see if we can verify that they have been deleted. Here's another OTL_Script:

  1. Please download the following OTL_Script file, and save it on your desktop. After saving it, open it, run OTL, and copy and paste the contents of the OTL_Script file into the Custom Scans/Fixes box at the bottom of the OTL window:
  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
  4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.


I was re-running SUPERAntiSpyware to remove the previously found entries (I did not remove them the first time, because I first wanted to perform your instructions to remove that soso search). But it did not find the entries anymore. I guess it has the same kind of error as Emsisoft is having handling these entries. Or do these infections only get activated after performing some IE actions on the PC?

I will run the OTL scan now.


The infections in question are persistent, unless something else is physically removing and recreating them. Technically, they are just registry entries that define addons for Internet Explorer, so if the files do not exist then there is no danger from the registry entries. They would just be useless leftovers, and not capable of causing any harm.


OTL log attached.

So if these entries are being recreated and removed, is it possible that it is caused by some kind of serious infection with possibly other affected, unidentified files / registry entries?


OK, first about the soso search: it was removed from IE only in my user profile. I ran the fix in one other user profile to remove it there as well. To remove it in the other user profiles, should I run the fix in each individual user profile?

Second: it appears that I found out why these Tencent registry entries appear. It was bothering me that the COMODO program KillSwitch was not working. I tried to identify when these infections appeared by going through some of the things I did that might activate / create these registry entries.

So when I try to run KillSwitch these registry entries get created. While starting, KillSwitch gets closed by itself, so to me it appears that a malicious program / files is blocking KillSwitch from working.

When I restart the PC these registry entries are gone again. And when I try to start KillSwitch they appear again, and as mentioned I am unable to completely start KillSwitch (except in Safe Mode, which I tried about a week ago).


So if these entries are being recreated and removed, is it possible that it is caused by some kind of serious infection with possibly other affected, unidentified files / registry entries?

I don't see anything in your logs that would suggest that there is a serious infection.

OK, first about the soso search: it was removed from IE only in my user profile. I ran the fix in one other user profile to remove it there as well. To remove it in the other user profiles, should I run the fix in each individual user profile?

That's because the registry entries are profile-specific, and OTL does not scan multiple profiles at once. Assuming the entries are exactly the same for each profile, then the fix should be able to remove it from each profile if you run it in each profile separately.

Second: it appears that I found out why these Tencent registry entries appear. It was bothering me that the COMODO program KillSwitch was not working. I tried to identify when these infections appeared by going through some of the things I did that might activate / create these registry entries.

So when I try to run KillSwitch these registry entries get created. While starting, KillSwitch gets closed by itself, so to me it appears that a malicious program / files is blocking KillSwitch from working.

When I restart the PC these registry entries are gone again. And when I try to start KillSwitch they appear again, and as mentioned I am unable to completely start KillSwitch (except in Safe Mode, which I tried about a week ago).

Please run OTL again while Windows is running in Safe Mode, and attach the log to a reply. I want to see if it looks different when Windows is running in Safe Mode.
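The two points made in this thread (the soso.com SearchScopes entries are per-profile under HKEY_USERS, and a URLSearchHook registry entry is only dangerous if the DLL behind its CLSID still exists) can be checked in one read-only pass. The script below is an added example, not a tool from the thread or from Emsisoft; it assumes an elevated PowerShell session, that the hives of the profiles to check are loaded (the user is logged on), and that the list of legitimate search hosts is adjusted to the environment.

```powershell
# Added example (not from the thread): audit Internet Explorer search scopes and
# URLSearchHooks in every loaded user hive under HKEY_USERS, so entries that live
# in another profile are not missed. Read-only: it reports and removes nothing.
# ASSUMPTIONS: run from an elevated PowerShell; hives of logged-off users are not
# loaded under HKU, so log those users on first. The expected-host list is an
# assumption and should be adjusted for the environment.
$ExpectedSearchHosts = @('www.bing.com', 'www.google.com')

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-UrlHost {
    param([string]$Url)
    if (-not $Url) { return $null }
    try { return ([uri]$Url).Host } catch { return $null }
}

# Resolve a CLSID (the form URLSearchHooks and browser extensions are registered
# in) to the DLL it points at: the user's Classes first, then the machine-wide one.
function Resolve-ClsidDll {
    param([string]$Clsid, [string]$HiveRoot)
    $keys = @("$HiveRoot\Software\Classes\CLSID\$Clsid\InprocServer32",
              "HKLM:\Software\Classes\CLSID\$Clsid\InprocServer32")
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
    }
    return $null
}

function New-Finding {
    param($Profile, $Kind, $Id, $Detail, $Note)
    New-Object PSObject -Property @{
        Profile = $Profile; Kind = $Kind; Id = $Id; Detail = $Detail; Note = $Note
    }
}

$findings = @()
# Only real user SIDs (S-1-5-21-...), skipping the companion *_Classes hives.
$userHives = Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' }

foreach ($hive in $userHives) {
    $root = "HKU:\$($hive.PSChildName)"

    # 1. Search scopes: which provider is the default, and does its host look right?
    $scopesKey = "$root\Software\Microsoft\Internet Explorer\SearchScopes"
    if (Test-Path $scopesKey) {
        $defaultScope = (Get-ItemProperty -Path $scopesKey -ErrorAction SilentlyContinue).DefaultScope
        foreach ($scope in Get-ChildItem $scopesKey) {
            $url     = (Get-ItemProperty -Path $scope.PSPath -ErrorAction SilentlyContinue).URL
            $urlHost = Get-UrlHost $url
            $note = if ($ExpectedSearchHosts -contains $urlHost) { 'expected host' } else { 'UNEXPECTED host' }
            if ($scope.PSChildName -eq $defaultScope) { $note = "DEFAULT scope, $note" }
            $findings += New-Finding $hive.PSChildName 'SearchScope' $scope.PSChildName $url $note
        }
    }

    # 2. URLSearchHooks: each value name is a CLSID. A hook whose DLL no longer
    #    exists is a dead leftover; one whose DLL exists is live and worth a look.
    $hooksKey = "$root\Software\Microsoft\Internet Explorer\URLSearchHooks"
    if (Test-Path $hooksKey) {
        $hookValues = (Get-ItemProperty -Path $hooksKey).PSObject.Properties |
            Where-Object { $_.Name -like '{*}' }
        foreach ($hook in $hookValues) {
            $dll = Resolve-ClsidDll -Clsid $hook.Name -HiveRoot $root
            if (-not $dll)          { $note = 'no InprocServer32 registered (dead leftover)' }
            elseif (Test-Path $dll) { $note = 'DLL present (LIVE hook, check its publisher)' }
            else                    { $note = 'DLL missing (dead leftover)' }
            $findings += New-Finding $hive.PSChildName 'URLSearchHook' $hook.Name $dll $note
        }
    }
}

$findings | Sort-Object Profile, Kind |
    Select-Object Profile, Kind, Id, Detail, Note | Format-Table -AutoSize -Wrap
```

A profile that is not logged on does not appear under HKEY_USERS at all, which is the same reason a single-profile OTL run does not see the other profiles' entries.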


(Note: as you stated not to change any settings of OTL, that means I ran it at default without the LOP and Purity checks which were required to get a topic started.)

(Since I uninstalled some unnecessary programs and removed some unnecessary files to try and free some HD space, I re-ran OTL in normal mode as well.)

Attached files in order:

1: OTL run in Safe Mode

2: new OTL run in normal mode (confirmed malicious registry entries not present)

3: OTL run after trying to run KillSwitch (malicious registry entries got created, confirmed)


According to System Lookup, those Tencent registry entries are created by "TencentAddressBar aka TCent adware - bundled with the Tencent QQ instant messaging client". It is not beyond the realm of possibility that COMODO might bundle toolbars with their products (I know they have in the past bundled them with their installers), however I don't think that they would bundle this particular toolbar.

Where did you obtain this particular copy of COMODO's KillSwitch?


From their website http://www.comodo.com/business-security/network-protection/cleaning_essentials.php

You can try it on your PC or a secondary PC and see if those registry entries get created on your PC.

But I only downloaded and tried it out after the infection, which I described in my first post: along with the Qvod player, Tencent malware and trojans got installed as well.


I am not seeing those entries created when running KillSwitch. The KillSwitch EXE appears to be about 7MB in size, so you can upload it to VirusTotal for analysis. Please do that, and then post the link for me so that I can take a look at it.


https://www.virustotal.com/file/450c4c7050f0fe60066b190c0301981529848dd8f02ad61c1ef5ae53e7ecf23d/analysis/1345578941/

I don't think it's the KillSwitch program itself. I redownloaded and/or renamed it and nothing worked. Is it possible that with the currently used tools no malicious software can be identified?

(Earlier today I broke my Recycle Bin, because I was trying to fix it after I accidentally deleted a folder from another user profile using FileASSASSIN through the Explorer window instead of the program itself. While trying to fix it I tried to log into the Administrator account in Safe Mode, but it's not possible to log into it because the PC gets stuck on loading user data. I assume the profile is broken as well. I assume the Recycle Bin can be fixed by creating a new user profile, moving all needed files and removing the old user account.

But let's assume the worst case: if no serious infection can be found, that does not mean there is none, especially since there appears to be something related to this Tencent malware that is blocking it from working. Then there was ComboFix; you said it found something that appeared to be a rootkit and fixed it itself, and in fact after that IE was running much faster, although it could also be the changed settings to IE that ComboFix made.

If nothing can be found with these tools while there seems to be an infection, would you recommend reformatting the PC, also since the Recycle Bin is broken and the Administrator account is not working either, and: quote from Elise:

"BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:" )


The SHA256 hash looks correct to me, so I don't think the file has been modified.

Let's assume for a moment that there is some sort of rootkit that is not being detected (and I have my doubts that this is the case). Please download GMER from this link. Note that the file will have a random name, so make note of the file's name and save it to the root of your C: drive.

  1. Disconnect from the Internet and close all running programs.
  2. Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  3. Click on this link to see a list of programs that should be disabled while running GMER (please try to avoid the advertisements on that page).
  4. Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  5. Allow the driver to load if asked.
  6. You may be prompted to scan immediately if it detects rootkit activity.
  7. If you are prompted to scan your system click "No", save the log and post back the results.
  8. If not prompted, click the "Rootkit/Malware" tab.
  9. On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  10. Select all drives that are connected to your system to be scanned.
  11. Click the Scan button to begin. (Please be patient as it can take some time to complete)
  12. When the scan is finished, click Save to save the scan results to your Desktop.
  13. Save the file as Results.log and please attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply (you may need to ZIP the log by right-clicking on it, going to Send to, and clicking on Compressed (zipped) folder before you can attach it).
  14. Exit the program and re-enable all active protection when done.


GMER does not appear to be showing anything malicious or strange.

I do not think there is an infection. I have a feeling that the behavior you are experiencing is most likely due to your security software. You can test this by disabling them one at a time to see if that resolves the issues you are experiencing.


That would explain why it only works in Safe Mode. I tried disabling AVG or the COMODO firewall but it still did not work; there might be other background processes from other installed security software such as Emsisoft and SUPERAntiSpyware, even though I disabled all active protection from these. But it does not explain why these malicious entries from Tencent reappear, so the PC might very well still be infected, or leftovers from the Tencent infection still interfere with KillSwitch working properly.

Just in case, I will try to reformat and reinstall the PC.

Thank you very much for the help provided.


Elise mentioned that SUPERAntiSpyware has been known to recreate some registry entries after they have been deleted, so it might be possible that one of your security softwares could be automatically restoring the entries after they are deleted. I know that Spybot Search & Destroy's TeaTimer used to do that as well.


Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude, Elise, or GT500 to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.