Skip to content

Add Tobii & Queencreek #96

Open
Open
Add Tobii & Queencreek#96
@eabase

Description

@eabase
eabase
opened on Dec 13, 2025

Problem statement

There are 2 other very disturbing apps getting installed on some Windows Intel and nVidia based PC's.

They are called Tobii and QueenCreek (QC).

  • Tobii is an integrated eye/face tracking software that uploads an AI hashed fingerprint of your face. It's nearly impossible to remove, and re-installs itself on any windows update, unless technically blocked.

  • QueenCreek on the other hand, seem to be behaving as a government spyware, that uploads just about everything found on your computer, except the files themselves.

Scripts and many useful comments to remove/block Tobii can be found here:
https://gist.github.com/jcary741/19cc74c93a499f8c23ad7dd5a04faf86

Tobii Summary:

Get the IP's used for the above API:

# Resolve-DnsName "api.statistics.ice.tobii.com"

Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
api.statistics.ice.tobii.com                   A      60    Answer     18.154.63.45
api.statistics.ice.tobii.com                   A      60    Answer     18.154.63.48
api.statistics.ice.tobii.com                   A      60    Answer     18.154.63.19
api.statistics.ice.tobii.com                   A      60    Answer     18.154.63.39

Important

It seem that the cloudfront.net servers are dynamically rotating the IP addresses, making it nearly impossible to block based on raw IP address alone.

Some other useful powershell commands fore reference:

Resolve-DnsName "statistics.ice.tobii.com"
Resolve-DnsName "ice.tobii.com"
Resolve-DnsName "tobii.com"

# dig api.statistics.ice.tobii.com
# nslookup api.statistics.ice.tobii.com

# Create a FW rule:
# Be careful as you may block unrelated IP's if you use `/24`. 
New-NetFirewallRule -DisplayName "Block Tobii Malware API IP addresses" -Direction Outbound -LocalPort Any -Protocol TCP -Action Block -RemoteAddress  18.66.122.1/24

Check out:
https://www.robtex.com/dns-lookup/tobii.com
and consider checking the similar domains.

QueenCreek Summary:

Warning

Another very nasty Intel malware was hogging up my CPU and uploading just about every possible Network setting, including info on every single SW and app installed and a full record of what programs have been running on the CPU. The malware is called QUEENCREEK and is supposed to help you tune your processor... Instead uploading just about everything else about your computer, your network, your connected devices, apart your files themselves!

Upload folders can be found here:

  • C:\WINDOWS\system32\config\systemprofile\AppData\Local\Intel\SUR\QUEENCREEK\

Program folder here:

  • C:\Program Files\Intel\SUR\QUEENCREEK\x64\

Registry Keys here:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ESRV_SVC_QUEENCREEK\

Service is called ESRV_SVC_QUEENCREEK.

# Stop Service
sc.exe stop ESRV_SVC_QUEENCREEK

# Delete Service
sc.exe delete ESRV_SVC_QUEENCREEK

# Disable scheduled task:
schtasks.exe /change /tn USER_ESRV_SVC_QUEENCREEK /disable

Use firewall to block port 49350.

Important

This one is very tricky, hiding in plain sight! 👺
However, if you leave your PC without using anything, you will suddenly find your CPU fans and CPU usage go up massively as all the collection scripts are being run and then uploaded to their spy DB servers. As soon as you touch anything, mouse or key button, it immediately drops back to normal. If you're lucky to find any associated process, you'll only see yet another svchost.exe and nothing else obvious.

List of Contacting IPs

Click to expand 
20.69.140.28
20.69.140.28
20.69.140.28
20.99.133.109
20.99.133.109
20.99.133.109
23.32.75.16
23.38.194.13
23.38.194.17
23.46.228.41
23.46.228.49
23.53.122.202
23.53.122.207
23.53.122.208
23.53.122.210
23.53.122.211
23.53.122.212
23.53.122.213
23.53.122.214
23.53.122.216
23.53.122.219
23.55.140.42
23.55.140.42
23.55.140.42
23.55.219.177
23.59.183.74
23.192.230.10
23.196.145.221
23.196.145.221
23.196.193.245
23.196.193.245
23.196.193.245
23.215.176.43
23.215.176.48
23.215.176.56
23.215.176.58
23.215.176.64
23.215.176.65
23.215.176.66
23.215.176.74
23.215.176.75
23.216.147.6
23.216.147.13
23.216.147.22
23.216.147.23
23.216.147.26
23.216.147.32
23.216.147.34
23.216.147.35
23.216.147.35
23.216.147.38
23.216.147.41
52.111.227.11
52.123.130.14
52.123.131.14
52.123.250.133
52.123.250.134
52.123.250.155
52.123.250.159
52.123.250.160
52.123.250.161
52.123.250.162
52.123.250.175
92.38.145.145
104.71.214.69
104.98.118.136
104.98.118.136
104.98.118.137
104.98.118.137
104.98.118.144
104.98.118.144
104.98.118.145
104.98.118.146
104.98.118.146
104.98.118.147
104.98.118.152
104.98.118.152
104.98.118.154
104.98.118.154
104.98.118.155
104.98.118.155
104.98.118.160
104.98.118.161
104.98.118.163
104.98.118.168
104.98.118.171
104.98.118.176
104.98.118.177
104.98.118.178
104.98.118.179
104.98.118.179
142.251.184.94
151.101.22.172
151.101.22.172
184.27.218.92
184.27.218.92
184.27.218.92
199.232.210.172
199.232.214.172
217.20.54.34

a83f:8110:0:0:2000::
a83f:8110:2e00:6900:6e00:6600::
a83f:8110:3f8:ffff:f022:f369:3f8:ffff
a83f:8110:1414:14ff:1414:14ff:1414:14ff
a83f:8110:1414:14ff:1414:14ff:1414:14ff
a83f:8110:3671:a3ff:3671:a3ff:3671:a3ff
a83f:8110:3671:a3ff:3671:a3ff:3671:a3ff
a83f:8110:4646:4646:4646:4646:4646:4646
a83f:8110::1b00:100:2800:0
a83f:8110::4d88:21:0:0
a83f:8110::100:0:1800:0

Proposed solution

Help create scripts to blocking these.
(Sorry I don't have the skills/experience to do this for privacy.sexy.

Alternatives considered

None

Additional information

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions