Author Topic: Qvodplayer automatically opened ports on my router  (Read 13320 times)

bbos

  • Guest
Qvodplayer automatically opened ports on my router
« on: February 16, 2013, 11:14:17 PM »
Hi all,

I'm perplexed by this situation.

I went into my router settings to forward a port. I found a number of ports open that I did not authorize, supposedly opened by a program called Qvodplayer.

I have searched and found no such program installed, nor did avast pick up any threats in that regard.

I have deleted the ports, but should I be worried that I am still vulnerable to threats?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: Qvodplayer automatically opened ports on my router
« Reply #1 on: February 16, 2013, 11:22:18 PM »
Quote
Found a number of ports open that I did not authorize, supposedly opened by a program called Qvodplayer.
curious.....how did you find that out?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: Qvodplayer automatically opened ports on my router
« Reply #2 on: February 16, 2013, 11:22:52 PM »
Did you visit a site that silently downloaded this backdoor? Read: http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20120719000042&cid=1502
Wait for a qualified removal expert to look into the issue,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

bbos

  • Guest
Re: Qvodplayer automatically opened ports on my router
« Reply #3 on: February 16, 2013, 11:36:41 PM »
Quote
curious.....how did you find that out?

I went into my router settings, to port forward, and found these unauthorized ports forwarded.

Quote
Did you visit a site that silently downloaded this backdoor? Read: http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20120719000042&cid=1502
Wait for a qualified removal expert to look into the issue,

polonus

I think this is most likely the case; however, I did not find any suspicious programs in the "auto start up" in my msconfig, nor did I find any in my task manager. Usually backdoors present themselves as unusual .exe in the task manager and in start up.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: Qvodplayer automatically opened ports on my router
« Reply #4 on: February 16, 2013, 11:44:02 PM »
Quote
supposedly opened by a program called Qvodplayer.
yes you already said that.......but how do you know it was Qvodplayer?

bbos

  • Guest
Re: Qvodplayer automatically opened ports on my router
« Reply #5 on: February 16, 2013, 11:45:40 PM »
My worst fear has been realized and now I must prepare for a reformat.

But a reformat does not solve my problem because I can't prevent my family members (my teenage son) from visiting these malicious sites, often enticed by materials of a pornographic nature, and accidentally downloading more malware.

It also appears that avast alone wasn't enough to prevent this infection. 

what other solutions are available?

bbos

  • Guest
Re: Qvodplayer automatically opened ports on my router
« Reply #6 on: February 16, 2013, 11:46:45 PM »
Quote
supposedly opened by a program called Qvodplayer.
yes you already said that.......but how do you know it was Qvodplayer?

My router displayed qvodplayer with the associated ports.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: Qvodplayer automatically opened ports on my router
« Reply #7 on: February 16, 2013, 11:52:04 PM »
Quote
But a reformat does not solve my problem because I can't prevent my family members (my teenage son) from visiting these malicious sites, often enticed by materials of a pornographic nature, and accidentally downloading more malware.

what other solutions are available?
OpenDNS......will block the sites



Quote
My worst fear has been realized and now I must prepare for a reformat.
Before you do, I recommend letting one of the malware experts here have a look inside.

follow the guide and attach the logs   http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

when done the removal expert will be notified


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: Qvodplayer automatically opened ports on my router
« Reply #8 on: February 16, 2013, 11:55:27 PM »
This backdoored free Chinese QvodPlayer uses TCP and UDP to communicate, by default via dynamic ports, and it also supports the BT protocol.
You did not see anything in Task Manager because all was going on inside your browser. Ports like 8032/8080/8031 are all available...
Tragedy is that Chinese phishers now use QvodPlayer to spread fake codecs (did you see IRC communication server port 6668 being used
ircu.’ircu’ need not be used that way, but port 668 may be used by a trojan or virus - port 6667 is used by a variety of trojans...
Read: http://blog.webroot.com/2010/06/28/chinese-phishers-get-on-the-fake-codec-bandwagon/ (linked article author = ghaldeman)

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: Qvodplayer automatically opened ports on my router
« Reply #9 on: February 17, 2013, 12:08:21 AM »
Hi bbos,

This is the trojan dropper reported: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDropper%3AWin32%2FLisiu.A
(this trojan dropper link analysis by Wei Li)...
Some report: 
Quote
  IE home page was set to wXw.hao123.com and can't reset or change to the page I prefer, anyone can help?
Quote taken from: http://forums.hardwarezone.com.sg/windows-7-294/qvod-player-not-displaying-anything-windows-7-a-2630682.html
As an alternative you could ask your family members to use the Baidu player, an equivalent for Wang Xing's QVOD-player,
mainly used to watch pr0n from illegal Chinese sites,

pol
« Last Edit: February 17, 2013, 12:23:43 AM by polonus »

bbos

  • Guest
Re: Qvodplayer automatically opened ports on my router
« Reply #10 on: February 17, 2013, 12:23:51 AM »
Quote
This backdoored free Chinese QvodPlayer uses TCP and UDP to communicate, by default via dynamic ports, and it also supports the BT protocol.
You did not see anything in Task Manager because all was going on inside your browser. Ports like 8032/8080/8031 are all available...
Tragedy is that Chinese phishers now use QvodPlayer to spread fake codecs (did you see IRC communication server port 6668 being used
ircu.’ircu’ need not be used that way, but port 668 may be used by a trojan or virus - port 6667 is used by a variety of trojans...
Read: http://blog.webroot.com/2010/06/28/chinese-phishers-get-on-the-fake-codec-bandwagon/ (linked article author = ghaldeman)

polonus
Yea, I did recall those port numbers in my router port forward.

Quote
Before you do, I recommend letting one of the malware experts here have a look inside.

follow the guide and attach the logs   http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

when done the removal expert will be notified

I will do that as soon as I have the time, thx.

Quote
Hi bbos,

Some report: 
Quote
  IE home page was set to wXw.hao123.com and can't reset or change to the page I prefer, anyone can help?
Quote taken from: http://forums.hardwarezone.com.sg/windows-7-294/qvod-player-not-displaying-anything-windows-7-a-2630682.html
As an alternative you could ask your family members to use the Baidu player, an equivalent for Wang Xing's QVOD-player,
mainly used to watch pr0n from illegal Chinese sites,

pol

There was no homepage change nor any trace of this backdoor other than the ports. It was a very stealthy operation; I would not have discovered it had I not viewed my router settings.
« Last Edit: February 17, 2013, 12:25:43 AM by bbos »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: Qvodplayer automatically opened ports on my router
« Reply #11 on: February 17, 2013, 12:38:42 AM »
Hi bbos,

Did you check this info mentioned: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDropper%3AWin32%2FLisiu.A
Furthermore you have to wait for a removal expert to come to assist you. I have alerted him to the issue. Thank you for reporting all this here,

polonus

daihung

  • Guest
Re: Qvodplayer automatically opened ports on my router
« Reply #12 on: March 01, 2013, 07:10:08 PM »
Hi all,

I found this page from Google. I have the same exact issue. Last week, for the first time, I went into my Verizon router to set up port forwarding entries and saw a long list (maybe over 100) of qvodplayer entries. I immediately deleted them all. I should have done a screen capture first, I guess. I also use Avast as my only anti-virus. Now I'm a little concerned. I remember it took me some time to delete all the qvodplayer entries, so there must have been a lot. Was my computer being hacked into? How can I tell? If I check my router log, would it show? If so, what should I look for?

I removed the qvodplayer on my computer (my wife uses it to watch Asian drama online.)  She also uses the qvodplayer on our Android tablet. 

I also need advice on how to prevent this from happening again.  Thanks so much.
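
One way to review a forwarding table like the ones described in this thread, as an added example that is not part of any post here: it drops the forwards the owner created on purpose and groups the rest by the LAN address they point to, which shows which machine on the network to examine. The CSV layout, labels and addresses are constructed for the example (real routers export differently, if at all); the highlighted port numbers are the ones named earlier in the thread.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a router forwarding table copied into CSV. The column
# names and every row are made up for this example.
SAMPLE_TABLE = """description,protocol,external_port,internal_ip,internal_port
ssh-home,TCP,2222,192.168.1.10,22
qvodplayer,TCP,8031,192.168.1.34,8031
qvodplayer,UDP,8031,192.168.1.34,8031
QvodPlayer,TCP,8032,192.168.1.34,8032
qvodplayer,UDP,51822,192.168.1.34,51822
qvodplayer,TCP,40110,192.168.1.57,40110
"""

# Labels of forwards the owner set up deliberately (hypothetical).
APPROVED_LABELS = {"ssh-home"}
# Port numbers mentioned in this thread, highlighted when they appear.
THREAD_PORTS = {8031, 8032, 8080, 6667, 6668}


def audit_forwards(table_text, approved=APPROVED_LABELS):
    """Group forwards the owner did not create by the LAN host they point to."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(table_text)):
        label = row["description"].strip().lower()
        if label in approved:
            continue
        port = int(row["external_port"])
        findings[row["internal_ip"]].append({
            "label": label, "protocol": row["protocol"].upper(),
            "external_port": port, "named_in_thread": port in THREAD_PORTS,
        })
    return dict(findings)


def report(findings):
    """One summary line per LAN host, busiest host first."""
    lines = []
    for host, entries in sorted(findings.items(), key=lambda kv: -len(kv[1])):
        ports = sorted({e["external_port"] for e in entries})
        labels = sorted({e["label"] for e in entries})
        lines.append(f"{host}: {len(entries)} unapproved forwards, "
                     f"labels={labels}, ports={ports}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit_forwards(SAMPLE_TABLE))))
```

Saving the table (or a screen capture) before deleting entries keeps the internal addresses, which is the detail needed to find the machine that still has the program installed.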


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: Qvodplayer automatically opened ports on my router
« Reply #13 on: March 02, 2013, 06:01:22 PM »
Hi daihung,

Use this list to block: https://adblock-chinalist.googlecode.com/svn/trunk/adblock.txt

polonus