Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Thousands of Compromised WordPress Sites Redirect to Tech Support Scams

Featured Deal: Get 96% off a Xamarin Cross Platform Development Bundle Deal

Infected with tencentdl Malware

Started by Centuck , Feb 03 2016 12:36 AM

Please log in to reply

24 replies to this topic

#1 Centuck

Members
68 posts
OFFLINE

Local time:09:12 AM

Posted 03 February 2016 - 12:36 AM

Hi There,

I am currently infected with tencentdl Malware. I have tried running Malwarebytes and it has removed files/keys in the hundreds but it doesn't seem to stop the spread of this thing. I am in need of some more expert help. I believe Malwarebytes got rid of some of it, but there still seems to be a bunch of Asian stuff popping up and it's very tough to do anything in an internet browser right now (thank god for Ad-block)

Computer: Windows 8.1

I will wait for a reply and thanks in advance for the help!

Regards,

Centuck

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 Aura

Bleepin' Special Ops

Malware Response Team
19,670 posts
ONLINE

Gender:Male
Local time:12:12 PM

Posted 03 February 2016 - 10:06 AM

Hi Centuck

My name is Aura and I'll be assisting you with your issue. Follow the instructions below please.

MiniToolBox

Download MiniToolBox and move the file to your Desktop;
Right-click on MiniToolBox.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
Check the following options:
- Flush DNS;
- Report IE Proxy Settings;
- Reset IE Proxy Settings;
- Report FF Proxy Settings;
- Reset FF Proxy Settings;
- List content of Hosts;
- List IP Configuration;
- List Winsock Entries;
- List Last 10 Event Viewer Errors;
- List Installed Programs;
- List Devices - Only Problems;
- List Users, Partitions and Memory size;
Once this is done, click on Go and wait for the scan to complete;
Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

Since you already ran Malwarebytes, I would like to see your previous Scan log. Open Malwarebytes and go under the History tab. From there, click on Application logs in the left pane.

Click on the most recent (usually at the top) Scan log to open it. From there, click on the Export button and select the first option, Copy to Clipboard

Paste the content of your clipboard in your next reply.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.

#3 Centuck

Topic Starter

Members
68 posts
OFFLINE

Local time:09:12 AM

Posted 03 February 2016 - 06:35 PM

Thank you for the quick reply. I ran Malwarebytes 3 times and it found stuff all 3 times. 1st time I didn't have scan for rootkits enabled.

Here are the logs you requested:

MiniToolBox by Farbar Version: 03-02-2016 01

Ran by Centuck (administrator) on 03-02-2016 at 17:19:41

Running from "C:\Users\Centuck\Desktop"

Microsoft Windows 8.1 (X64)

Model: GT70 Manufacturer: Micro-Star International Co., Ltd.

Boot Mode: Normal

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.

No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= Hosts content: =================================

127.0.0.1 down.baidu2016.com

127.0.0.1 123.sogou.com

127.0.0.1 www.czzsyzgm.com

127.0.0.1 www.czzsyzxl.com

========================= IP Configuration: ================================

Killer e2200 Gigabit Ethernet Controller (NDIS 6.30) = Ethernet (Connected)

Intel® Centrino® Wireless-N 2230 = Wi-Fi (Media disconnected)

Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)

# ----------------------------------

# IPv4 Configuration

# ----------------------------------

pushd interface ipv4

reset

set global icmpredirects=enabled taskoffload=disabled

set interface interface="Ethernet-WFP Native MAC Layer LightWeight Filter-0000" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled

set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled

set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled

set interface interface="Bluetooth Network Connection" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled

set interface interface="Local Area Connection* 12" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled

set interface interface="ethernet_3" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled

popd

# End of IPv4 configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : Travis-LT

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : Home

Wireless LAN adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter

Physical Address. . . . . . . . . : 60-36-DD-5F-13-07

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)

Physical Address. . . . . . . . . : 60-36-DD-5F-13-0A

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wi-Fi:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . : Home

Description . . . . . . . . . . . : Intel® Centrino® Wireless-N 2230

Physical Address. . . . . . . . . : 60-36-DD-5F-13-06

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : Home

Description . . . . . . . . . . . : Killer e2200 Gigabit Ethernet Controller (NDIS 6.30)

Physical Address. . . . . . . . . : 8C-89-A5-08-08-3C

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Link-local IPv6 Address . . . . . : fe80::21c5:80e1:92e3:c9a9%2(Preferred)

IPv4 Address. . . . . . . . . . . : 172.16.1.71(Preferred)

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Lease Obtained. . . . . . . . . . : February 3, 2016 5:12:00 PM

Lease Expires . . . . . . . . . . : February 4, 2016 5:12:00 PM

Default Gateway . . . . . . . . . : 172.16.1.254

DHCP Server . . . . . . . . . . . : 172.16.1.254

DHCPv6 IAID . . . . . . . . . . . : 478972325

DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-72-B3-14-8C-89-A5-08-08-3C

DNS Servers . . . . . . . . . . . : 172.16.1.254

142.165.21.5

NetBIOS over Tcpip. . . . . . . . : Enabled

DNS request timed out.

timeout was 2 seconds.

Server: UnKnown

Address: 172.16.1.254

Name: google.com

Addresses: 2607:f8b0:400f:803::200e

207.47.131.230

207.47.131.238

207.47.131.231

207.47.131.216

207.47.131.224

207.47.131.210

207.47.131.237

207.47.131.244

207.47.131.217

207.47.131.223

207.47.131.251

207.47.131.245

Pinging google.com [207.47.131.237] with 32 bytes of data:

Reply from 207.47.131.237: bytes=32 time=1ms TTL=59

Ping statistics for 207.47.131.237:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 1ms, Average = 1ms

DNS request timed out.

timeout was 2 seconds.

Server: UnKnown

Address: 172.16.1.254

Name: yahoo.com

Addresses: 2001:4998:c:a06::2:4008

2001:4998:44:204::a7

2001:4998:58:c02::a9

206.190.36.45

98.138.253.109

98.139.183.24

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:

Reply from 206.190.36.45: bytes=32 time=32ms TTL=53

Reply from 206.190.36.45: bytes=32 time=30ms TTL=53

Ping statistics for 206.190.36.45:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 30ms, Maximum = 32ms, Average = 31ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================

Interface List

9...60 36 dd 5f 13 07 ......Microsoft Wi-Fi Direct Virtual Adapter

6...60 36 dd 5f 13 0a ......Bluetooth Device (Personal Area Network)

4...60 36 dd 5f 13 06 ......Intel® Centrino® Wireless-N 2230

2...8c 89 a5 08 08 3c ......Killer e2200 Gigabit Ethernet Controller (NDIS 6.30)

1...........................Software Loopback Interface 1

===========================================================================

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 172.16.1.254 172.16.1.71 20

127.0.0.0 255.0.0.0 On-link 127.0.0.1 306

127.0.0.1 255.255.255.255 On-link 127.0.0.1 306

127.255.255.255 255.255.255.255 On-link 127.0.0.1 306

172.16.1.0 255.255.255.0 On-link 172.16.1.71 276

172.16.1.71 255.255.255.255 On-link 172.16.1.71 276

172.16.1.255 255.255.255.255 On-link 172.16.1.71 276

224.0.0.0 240.0.0.0 On-link 127.0.0.1 306

224.0.0.0 240.0.0.0 On-link 172.16.1.71 276

255.255.255.255 255.255.255.255 On-link 127.0.0.1 306

255.255.255.255 255.255.255.255 On-link 172.16.1.71 276

===========================================================================

Persistent Routes:

None

IPv6 Route Table

===========================================================================

Active Routes:

If Metric Network Destination Gateway

1 306 ::1/128 On-link

2 276 fe80::/64 On-link

2 276 fe80::21c5:80e1:92e3:c9a9/128

On-link

1 306 ff00::/8 On-link

2 276 ff00::/8 On-link

===========================================================================

Persistent Routes:

None

========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [55296] (Microsoft Corporation)

Catalog5 02 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70144] (Microsoft Corporation)

Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70144] (Microsoft Corporation)

Catalog5 04 C:\WINDOWS\SysWOW64\NLAapi.dll [65536] (Microsoft Corporation)

Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)

Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [23040] (Microsoft Corporation)

Catalog5 07 C:\WINDOWS\SysWOW64\wshbth.dll [50688] (Microsoft Corporation)

Catalog9 01 C:\WINDOWS\SysWOW64\BfLLR.dll [196096] (Bigfoot Networks, Inc.)

Catalog9 02 C:\WINDOWS\SysWOW64\BfLLR.dll [196096] (Bigfoot Networks, Inc.)

Catalog9 03 C:\WINDOWS\SysWOW64\BfLLR.dll [196096] (Bigfoot Networks, Inc.)

Catalog9 04 C:\WINDOWS\SysWOW64\BfLLR.dll [196096] (Bigfoot Networks, Inc.)

Catalog9 05 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)

Catalog9 06 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)

Catalog9 07 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)

Catalog9 08 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)

Catalog9 09 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)

Catalog9 10 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)

Catalog9 11 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)

Catalog9 12 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)

Catalog9 13 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)

Catalog9 14 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)

Catalog9 15 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)

Catalog9 16 C:\WINDOWS\SysWOW64\BfLLR.dll [196096] (Bigfoot Networks, Inc.)

x64-Catalog5 01 C:\Windows\System32\napinsp.dll [69120] (Microsoft Corporation)

x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [88576] (Microsoft Corporation)

x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [88576] (Microsoft Corporation)

x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [86016] (Microsoft Corporation)

x64-Catalog5 05 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)

x64-Catalog5 06 C:\Windows\System32\winrnr.dll [30720] (Microsoft Corporation)

x64-Catalog5 07 C:\Windows\System32\wshbth.dll [63488] (Microsoft Corporation)

x64-Catalog9 01 C:\Windows\System32\BfLLR.dll [216064] (Bigfoot Networks, Inc.)

x64-Catalog9 02 C:\Windows\System32\BfLLR.dll [216064] (Bigfoot Networks, Inc.)

x64-Catalog9 03 C:\Windows\System32\BfLLR.dll [216064] (Bigfoot Networks, Inc.)

x64-Catalog9 04 C:\Windows\System32\BfLLR.dll [216064] (Bigfoot Networks, Inc.)

x64-Catalog9 05 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)

x64-Catalog9 06 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)

x64-Catalog9 07 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)

x64-Catalog9 08 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)

x64-Catalog9 09 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)

x64-Catalog9 10 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)

x64-Catalog9 11 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)

x64-Catalog9 12 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)

x64-Catalog9 13 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)

x64-Catalog9 14 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)

x64-Catalog9 15 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)

x64-Catalog9 16 C:\Windows\System32\BfLLR.dll [216064] (Bigfoot Networks, Inc.)

========================= Event log errors: ===============================

Application errors:

==================

Error: (02/03/2016 05:14:09 PM) (Source: Application Error) (User: )

Description: Faulting application name: KLM.exe, version: 1.0.1112.1901, time stamp: 0x4eeed613

Faulting module name: KERNELBASE.dll, version: 6.3.9600.18007, time stamp: 0x55c4bcfc

Exception code: 0xe0434352

Fault offset: 0x00015b68

Faulting process id: 0xf74

Faulting application start time: 0xKLM.exe0

Faulting application path: KLM.exe1

Faulting module path: KLM.exe2

Report Id: KLM.exe3

Faulting package full name: KLM.exe4

Faulting package-relative application ID: KLM.exe5

Error: (02/03/2016 05:14:08 PM) (Source: .NET Runtime) (User: )

Description: Application: KLM.exe

Framework Version: v4.0.30319

Description: The process was terminated due to an unhandled exception.

Exception Info: System.Management.ManagementException

Stack:

at System.Management.ManagementException.ThrowWithExtendedInfo(System.Management.ManagementStatus)

at System.Management.ManagementEventWatcher.Start()

at KLM.MainWindow.<.ctor>b__0()

at System.Threading.ThreadHelper.ThreadStart_Context(System.Object)

at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)

at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)

at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)

at System.Threading.ThreadHelper.ThreadStart()

Error: (02/02/2016 11:50:37 PM) (Source: Application Error) (User: )

Description: Faulting application name: KLM.exe, version: 1.0.1112.1901, time stamp: 0x4eeed613

Faulting module name: KERNELBASE.dll, version: 6.3.9600.18007, time stamp: 0x55c4bcfc

Exception code: 0xe0434352

Fault offset: 0x00015b68

Faulting process id: 0x176c

Faulting application start time: 0xKLM.exe0

Faulting application path: KLM.exe1

Faulting module path: KLM.exe2

Report Id: KLM.exe3

Faulting package full name: KLM.exe4

Faulting package-relative application ID: KLM.exe5

Error: (02/02/2016 11:50:32 PM) (Source: .NET Runtime) (User: )

Description: Application: KLM.exe

Framework Version: v4.0.30319

Description: The process was terminated due to an unhandled exception.

Exception Info: System.Management.ManagementException

Stack:

at System.Management.ManagementException.ThrowWithExtendedInfo(System.Management.ManagementStatus)

at System.Management.ManagementEventWatcher.Start()

at KLM.MainWindow.<.ctor>b__0()

at System.Threading.ThreadHelper.ThreadStart_Context(System.Object)

at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)

at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)

at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)

at System.Threading.ThreadHelper.ThreadStart()

Error: (02/02/2016 11:41:33 PM) (Source: Microsoft-Windows-CAPI2) (User: )

Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:

AddWin32ServiceFiles: Unable to back up image of service Kujgak since QueryServiceConfig API failed

System Error:

The system cannot find the file specified.

Error: (02/02/2016 11:41:33 PM) (Source: Microsoft-Windows-CAPI2) (User: )

Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:

AddLegacyDriverFiles: Unable to back up image of binary BDICx64.

System Error:

The system cannot find the file specified.

Error: (02/02/2016 11:19:41 PM) (Source: Application Error) (User: )

Description: Faulting application name: BDALeakfixer.exe, version: 4.0.0.8029, time stamp: 0x554c696c

Faulting module name: ntdll.dll, version: 6.3.9600.18007, time stamp: 0x55c4bc8e

Exception code: 0xc0000008

Fault offset: 0x0003c7dc

Faulting process id: 0x144c

Faulting application start time: 0xBDALeakfixer.exe0

Faulting application path: BDALeakfixer.exe1

Faulting module path: BDALeakfixer.exe2

Report Id: BDALeakfixer.exe3

Faulting package full name: BDALeakfixer.exe4

Faulting package-relative application ID: BDALeakfixer.exe5

Error: (02/02/2016 11:18:22 PM) (Source: Application Error) (User: )

Description: Faulting application name: BaiduHips.exe, version: 1.2.0.892, time stamp: 0x5530d674

Faulting module name: ntdll.dll, version: 6.3.9600.18007, time stamp: 0x55c4bc8e

Exception code: 0xc0000008

Fault offset: 0x0007d315

Faulting process id: 0x1a08

Faulting application start time: 0xBaiduHips.exe0

Faulting application path: BaiduHips.exe1

Faulting module path: BaiduHips.exe2

Report Id: BaiduHips.exe3

Faulting package full name: BaiduHips.exe4

Faulting package-relative application ID: BaiduHips.exe5

Error: (02/02/2016 11:17:09 PM) (Source: SideBySide) (User: )

Description: Activation context generation failed for "Microsoft.VC80.ATL,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.4053"1".

Dependent Assembly Microsoft.VC80.ATL,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.4053" could not be found.

Please use sxstrace.exe for detailed diagnosis.

Error: (02/02/2016 11:17:09 PM) (Source: SideBySide) (User: )

Description: Activation context generation failed for "Microsoft.VC80.ATL,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.4053"1".

Dependent Assembly Microsoft.VC80.ATL,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.4053" could not be found.

Please use sxstrace.exe for detailed diagnosis.

System errors:

=============

Error: (02/03/2016 05:14:27 PM) (Source: Service Control Manager) (User: )

Description: The NVIDIA Update Service Daemon service failed to start due to the following error:

%%1069

Error: (02/03/2016 05:14:27 PM) (Source: Service Control Manager) (User: )

Description: The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:

%%2

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (02/03/2016 05:11:58 PM) (Source: Service Control Manager) (User: )

Description: The UAC File Virtualization service failed to start due to the following error:

%%1275

Error: (02/03/2016 05:11:54 PM) (Source: BTHUSB) (User: )

Description: The local adapter does not support an important Low Energy controller state. The minimum required supported state mask is 0x1f7fffff, got 0x1f3fffff. Low Energy functionality will be disabled.