
tencent rootkit, need libraries


6 replies to this topic

#1 peterius

  • Members
  • 3 posts

Posted 22 July 2017 - 07:24 AM

Hi,

I stupidly installed Tencent (腾讯) QQ to talk to Chinese people. Tencent is a big company in China, like Facebook in America, and everyone uses QQ. It rootkitted me and I should have realized it, but I didn't for a while. But the other day I happened to see some kernel code and it didn't look right. So...

Anyway, I'm hoping I can just do a restore from the laptop's system partition or whatever, but I was kind of curious about what this stuff does. I assume that it collects everything I say or do and sends it to Tencent and from there to the Chinese government, but I'm still curious.

So I wrote a little program with some library loader code I wrote a while back, and I wanted to try and catch some of the hidden processes running with it. This seems like a simple trick, and I might end up finding an easier way of doing it but...

The thing is, I think Tencent is hiding a bunch of libraries that the kernel uses and that they have their own library loader to ensure that their libraries are loaded.

I'm hoping that someone can send me a big zip file full of the libraries I'm missing, 32-bit stuff for Windows 10, preferably 10.0.15063, though the api-ms-win-core-api-query-l1-1-0.dll I have is 6.2.9200.16384, so maybe the version doesn't matter so much as long as it's the 32-bit syswow libraries from an x64 machine. Or tell me where I can get this stuff.

Thanks

Edited by peterius, 22 July 2017 - 07:26 AM.



#2 dc3

    Bleeping Treehugger

  • Members
  • 30,689 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 22 July 2017 - 11:08 AM

Please download Malwarebytes Antirootkit, follow the prompts to install it.

In the introduction page you will be asked to agree on the license agreement, by clicking Next you will be agreeing to the terms of the license.

You will be prompted to update the database, click on Update, then Next.

To start the scan click on Scan.

When the scan has completed it will display either Scan Finished: No malware found, or Malware Found.  Click on Next to continue. 

Be sure that each check box has a check in it, and make sure there is a check mark in the Create Restore point box. Click on Cleanup. Please click on Yes to restart the computer.

Please run AdwCleaner

Please download AdwCleaner and install it.

When AdwCleaner opens click/tap on Scan to start the scan.

Once the search is complete a list of the pending items will be displayed. If you see any which you do not want removed, remove the check mark next to it.

If no malicious programs are found you will receive a message stating that nothing malicious was found.

Click on Clean to remove the selected items. If you have any questions about any items in the list please copy and paste the list in your topic so we can review it.

You will receive a message telling you that all programs will be closed so that the infections can be removed. Click on OK. The computer will be restarted to complete the cleaning process.

When the cleaning process is complete a log of what was removed will be presented. Please copy and paste this log in your topic.

Edited by dc3, 22 July 2017 - 11:14 AM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.


#3 britechguy

    Been there, done that, got the T-shirt

  • Moderator
  • 8,643 posts
  • Gender:Male
  • Location:Staunton, VA

Posted 22 July 2017 - 11:16 AM

As an aside, and since I know this user is running Windows 10 since I moved this post from that forum to this one, if he or she is using Windows Defender and is on Version 1703 or later (it may have hit in Version 1607, but that's not what this machine has on it so I can't check) there is an option for Windows Defender to do an offline scan for rootkits at the next restart.

It can be triggered from the Windows Defender Dialog, Virus & Threat Protection Pane, Advanced Scan link. If you choose to do this you will be presented with a radio button for the offline scan and warned that the machine will restart to perform it and it generally takes around 15 minutes.

Just another tool for the toolbox.


Brian AKA Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134

    . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it. The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus, November 10, 2017, in Washington Post article, Bannon is right: It's no coincidence The Post broke the Moore story

#4 peterius
  • Topic Starter

  • Members
  • 3 posts

Posted 22 July 2017 - 01:52 PM

Thanks guys. But actually I was hoping to see what the thing is doing. Is it a keylogger, what's it tracking, is it a backdoor, etc. Why does it keep these processes running in the background... but in order to do that I kind of need clean system libraries and all the api-ms-core ext-ms-core libraries that it has hidden. So is there any way I can get those somewhere? Anyone with a Windows 10 64-bit computer that can send me a zip of their wow64 directory? Or wherever the 32-bit api-ms-core, etc., libraries are?
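A defender-side check for the situation described in this thread, added here as an example and not posted by anyone in it: rather than accepting copies of api-ms-win-core-*.dll from a stranger's zip, verify the copies already on the machine against their Microsoft Authenticode/catalog signature and against Windows Resource Protection. It assumes Windows 10 x64 (32-bit libraries live in SysWOW64, 64-bit ones in System32), PowerShell 5.x and an elevated prompt.

```powershell
# Added example (not from this thread): inventory the ApiSet stub DLLs
# (api-ms-win-*.dll / ext-ms-win-*.dll) under SysWOW64 and System32 and flag
# any whose Authenticode/catalog signature is not valid or not Microsoft's.
# Assumes Windows 10 x64, PowerShell 5.x, run from an elevated prompt.
$dirs = @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32")

$report = foreach ($dir in $dirs) {
    Get-ChildItem -Path $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^(api|ext)-ms-win-' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $_.VersionInfo.FileVersion
                Status  = $sig.Status          # Valid / NotSigned / HashMismatch / ...
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Anything that is not Valid, or is Valid but not signed by Microsoft, is worth
# a closer look before trusting it (or replacing it from another machine).
$suspect = $report | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
}

"Checked $($report.Count) ApiSet stub DLLs; $($suspect.Count) flagged."
$suspect | Format-Table Status, Version, Signer, Path -AutoSize

# Cross-check with Windows Resource Protection, which compares protected system
# files against the component store; details land in $env:windir\Logs\CBS\CBS.log.
sfc /verifyonly
```

A NotSigned result on a system DLL can also mean the catalog lookup failed rather than that the file was replaced, so treat the flagged list as a starting point and let the sfc result settle it.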



#5 dc3

    Bleeping Treehugger

  • Members
  • 30,689 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 22 July 2017 - 01:56 PM

From everything that I found this is adware which was installed when you installed the Tencent software. Please follow my instructions.



#6 dc3

    Bleeping Treehugger

  • Members
  • 30,689 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 22 July 2017 - 01:59 PM

If you are not comfortable with my suggestions I would suggest that you do the following.

You need to start a topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum. You will need to do the following prior to starting your topic.

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

   * If you cannot complete a step, then skip it and continue with the next.
   * In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done this, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so this topic can be closed.



#7 peterius
  • Topic Starter

  • Members
  • 3 posts

Posted 23 July 2017 - 11:11 AM

Okay, I guess this isn't really the right forum. Like I said I was looking for these libraries so that I could see what the thing was doing.
