X
Tap here to go to the mobile version of the site.

Fóram Tacaíochta

Dúnadh an snáithe seo agus cuireadh sa chartlann é. Cuir ceist nua má tá cabhair uait.

Firefox hijacked by hao123

Postáilte

Everytime i open firefox which defaulted to google.com, it prompted http://www.hao123.com/?tn=98005892_hao_pg instead, I've use malware tools and other solution provided on internet but none of that work, please assist

Everytime i open firefox which defaulted to google.com, it prompted http://www.hao123.com/?tn=98005892_hao_pg instead, I've use malware tools and other solution provided on internet but none of that work, please assist

Réiteach roghnaithe

Scan with Latest TDSSKiller. But it returns 0 threat. I ve tried a lot of malware/adware detect tools, non of them really fixed the hijacking. Then I manually scaned machine with SysInternal's Autorun(thanks's jscher2000's reminder), and deleted a lot of unwanted entries. One of them named "QVOD Shenzhen" in preload dll tab looks suspicious. It is in user\appdata folder. Can't delete that dll directly, so I renamed it to another name, then deleted the dll entry from AutoRun, and rebooted to F8 safe mode to delete the dll. [Note: if not delete the entry, the dll will be loaded in safe mode. hence prevent from deleting the dll. That explains why homepage was hijacked in windows safe mode]

rebooted to normal mode, both IE and Firefox's home pages are back to blank. that means the clean up works !


So the temp solution is to 1. try to reset home page through regular way. 2. if 1 failes, try to create a BAT file to point to firefox 3. if 2 works, then it is a shortcut hijacking 4. run TDSSKiller to see any infestation 5. if TDSSkill returns 0 threat, try to locate "qvod" dll in Appdata folder 6. run AutoRun to find any "qvod" related entries and delete 7. reboot to F8 safe mode to delete the dll.

[Note: uninstall qvod won't solve the hao-123 page hijacking]

Read this answer in context 6

Tuilleadh mionsonraí faoin chóras

Breiseáin Shuiteáilte

  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Shockwave Flash 14.0 r0
  • QvodInsert
  • YunWebDetect
  • Google Update
  • QvodShareModule
  • Adobe PDF Plug-In For Firefox and Netscape 10.1.10
  • NPWLPG
  • GEPlugin
  • 5.1.20513.0
  • RealJukebox Netscape Plugin
  • RealNetworks(tm) RealPlayer Chrome Background Extension Plug-In
  • RealPlayer(tm) HTML5VideoShim Plug-In
  • RealPlayer(tm) LiveConnect-Enabled Plug-In
  • RealPlayer Download Plugin
  • Next Generation Java Plug-in 1.6.0_32 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • Office Authorization plug-in for NPAPI browsers

Feidhmchlár

  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0

Tuilleadh Eolais

jscher2000
  • Top 10 Contributor
8957 réiteach 73390 freagra

Is this site listed as your home page in the Options dialog? If it is, can you successfully change it or does Firefox not allow you to change it?

If Firefox will not allow you to change it, check the Windows Control Panel, Uninstall a Program, for something named SearchProtect and remove it.

If Firefox will allow you to change it, do you get the correct home page when you use either of these:

  • Click the home icon on the toolbar
  • Open a new window (Ctrl+n)

If you get the wrong page, it's probably an add-on. More on that in a second message.

If you get the right page, that's good. If it changes back after the next time you exit and restart Firefox, check this article: How to fix preferences that won't save (especially the part about a user.js file).


If the home page setting was correct and the home icon works fine, but the desktop icon still gives you the bad page, check to make sure your icon wasn't modified. Right-click the shortcut, choose Properties, and the Shortcut tab. The "Target" should be the following, no more, no less (for 64-bit Windows):

"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
Is this site listed as your home page in the Options dialog? If it is, can you successfully change it or does Firefox not allow you to change it? * [[Startup, home page and download settings]] If Firefox will not allow you to change it, check the Windows Control Panel, Uninstall a Program, for something named SearchProtect and remove it. If Firefox will allow you to change it, do you get the correct home page when you use either of these: * Click the home icon on the toolbar * Open a new window (Ctrl+n) If you get the wrong page, it's probably an add-on. More on that in a second message. If you get the right page, that's good. If it changes back after the next time you exit and restart Firefox, check this article: [[How to fix preferences that won't save]] (especially the part about a user.js file). ---- If the home page setting was correct and the home icon works fine, but the desktop icon still gives you the bad page, check to make sure your icon wasn't modified. Right-click the shortcut, choose Properties, and the Shortcut tab. The "Target" should be the following, no more, no less (for 64-bit Windows): "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
jscher2000
  • Top 10 Contributor
8957 réiteach 73390 freagra

Bad extensions often are installed externally to Firefox. I suggest starting here:

Open the Windows Control Panel, Uninstall a Program. Click the "Installed on" column heading to group the infections, I mean, additions, by date. This can help in smoking out undisclosed bundle items that snuck in with some software you agreed to install. Take out as much trash as possible here.

Then, in Firefox, open the Add-ons page using either:

  • Ctrl+Shift+a
  • "3-bar" menu button (or Tools menu) > Add-ons

In the left column, click Extensions. Then, if in doubt, disable (or Remove, if possible) unrecognized and unwanted extensions.

Often a link will appear above at least one disabled extension to restart Firefox. You can complete your work on the tab and click one of the links as the last step.

Finally, you can "mop up" remaining issues with the scanning/cleaning tools listed in our support article: Troubleshoot Firefox issues caused by malware.

Are you able to get control of your home page?

Bad extensions often are installed externally to Firefox. I suggest starting here: Open the Windows '''Control Panel''', Uninstall a Program. Click the "Installed on" column heading to group the infections, I mean, additions, by date. This can help in smoking out undisclosed bundle items that snuck in with some software you agreed to install. Take out as much trash as possible here. Then, in Firefox, open the '''Add-ons page''' using either: * Ctrl+Shift+a * "3-bar" menu button (or Tools menu) > Add-ons In the left column, click Extensions. Then, if in doubt, disable (or Remove, if possible) unrecognized and unwanted extensions. Often a link will appear above at least one disabled extension to restart Firefox. You can complete your work on the tab and click one of the links as the last step. Finally, you can "mop up" remaining issues with the scanning/cleaning tools listed in our support article: [[Troubleshoot Firefox issues caused by malware]]. Are you able to get control of your home page?
cor-el
  • Top 10 Contributor
  • Moderator
17860 réiteach 161609 freagra
http://malwaretips.com/blogs/remove-hao123-virus/
hao123infested 1 réiteach 4 freagra

Freagra Cabhrach

After removing all add-ons and extensions in firefox, seting the history to "no remember history" and homepage to "blank". hao123 is still hijacking homepage.

After reseting Firefox in "help" menu, Firefox auto starts with clean homepage. But is hijacked again after normal exit of Firefox.

Reinstall Firefox doesn't help.

Enter Windows safe mode (without network). still seeing hao123 in the startup address. of cause, it can't display wihout network. But address bar's hao123 url, indicates that the homepage is hijacked. Looking at the Firefox -General tab, the homepage textbox is blank and " history" is "never remember".

IE also gets infested too. but Google chrome remains untouched.

All malware adware detectors don't find this virus. No "hao123-client", "search protected", "conduit" or "qvod" is found on machine. Regist Table, hardware virtual drivers, services are manually scaned and reviewed. Which indicated "hao123" has improved its hijack methods.

Hao123 hijack is different this time. I guess hao123 hijacks home page via modifying "last closing session URL" and "start with last session " function in Firefox. Just guessing.

I need some hints to remove this bad bug.

Thanks in advance

After removing all add-ons and extensions in firefox, seting the history to "no remember history" and homepage to "blank". hao123 is still hijacking homepage. After reseting Firefox in "help" menu, Firefox auto starts with clean homepage. But is hijacked again after normal exit of Firefox. '''Reinstall '''Firefox doesn't help. Enter Windows '''safe mode '''(without network). still seeing hao123 in the startup address. of cause, it can't display wihout network. But address bar's hao123 url, indicates that the homepage is hijacked. Looking at the Firefox -General tab, the homepage textbox is blank and " history" is "never remember". IE also gets infested too. but Google chrome remains untouched. All '''malware adware detectors '''don't find this virus. No "hao123-client", "search protected", "conduit" or "qvod" is found on machine. Regist Table, hardware virtual drivers, services are manually scaned and reviewed. Which indicated "hao123" has improved its hijack methods. Hao123 hijack is different this time. I guess hao123 hijacks home page via modifying "last closing session URL" and "start with last session " function in Firefox. Just guessing. I need some hints to remove this bad bug. Thanks in advance
jscher2000
  • Top 10 Contributor
8957 réiteach 73390 freagra

Hi hao123infested, could you test:

Click Home icon or Press Alt+Home or Ctrl+n Keyboard Shortcuts

This should load the home page set in Options. Do you get the correct home page or the unwanted home page?

(A) Correct

Your Firefox shortcut may be hijacked. right-click it and check its Properties to make sure the unwanted URL is not included in the Target (this is set on the Shortcut tab).

(B) Unwanted

You may have a self-hiding extension or hijacked connection setting.

(1) Self-hiding extensions are visible in Firefox's Safe Mode. That's a standard diagnostic tool to deactivate extensions and some advanced features of Firefox. More info: Troubleshoot Firefox issues using Safe Mode.

You can restart Firefox in Safe Mode using either:

  • "3-bar" menu button > "?" button > Restart with Add-ons Disabled
  • Help menu > Restart with Add-ons Disabled

Not all add-ons are disabled: Flash and other plugins still run

After Firefox shuts down, a small dialog should appear. Click "Start in Safe Mode" (not Reset).

Anything new on the Add-ons page? Either:

  • Ctrl+Shift+a
  • "3-bar" menu button (or Tools menu) > Add-ons

In the left column, click Extensions. Anything unexpected or suspicious on the list?

(2) You can check your connection setting here:

"3-bar" menu button (or Tools menu) > Options > Advanced > Network mini-tab > "Settings" button

The default is "Use system proxy settings" but you also can try "No proxy" to see whether that helps.

Hi hao123infested, could you test: '''Click Home icon or Press Alt+Home or Ctrl+n Keyboard Shortcuts''' This should load the home page set in Options. Do you get the correct home page or the unwanted home page? (A) Correct Your Firefox shortcut may be hijacked. right-click it and check its Properties to make sure the unwanted URL is not included in the Target (this is set on the Shortcut tab). (B) Unwanted You may have a self-hiding extension or hijacked connection setting. (1) Self-hiding extensions are visible in Firefox's Safe Mode. That's a standard diagnostic tool to deactivate extensions and some advanced features of Firefox. More info: [[Troubleshoot Firefox issues using Safe Mode]]. You can restart Firefox in Safe Mode using either: * "3-bar" menu button > "?" button > Restart with Add-ons Disabled * Help menu > Restart with Add-ons Disabled Not all add-ons are disabled: Flash and other plugins still run After Firefox shuts down, a small dialog should appear. Click "Start in Safe Mode" (''not'' Reset). Anything new on the Add-ons page? Either: * Ctrl+Shift+a * "3-bar" menu button (or Tools menu) > Add-ons In the left column, click Extensions. Anything unexpected or suspicious on the list? (2) You can check your connection setting here: "3-bar" menu button (or Tools menu) > Options > Advanced > Network mini-tab > "Settings" button The default is "Use system proxy settings" but you also can try "No proxy" to see whether that helps.
hao123infested 1 réiteach 4 freagra

ALT-Home or homepage icon still points to "blank" page, which is my home page. So the answer is partially 'A'. Firefox icon is clean. Even start Firefox from windows start menu's "search application and file" box. Hao123 is still haunting.

I guess hao123 hijacks last session and history record in a stealth way. but some how sessionstore.js is clean.

ALT-Home or homepage icon still points to "blank" page, which is my home page. So the answer is partially 'A'. Firefox icon is clean. Even start Firefox from windows start menu's "search application and file" box. Hao123 is still haunting. I guess hao123 hijacks last session and history record in a stealth way. but some how sessionstore.js is clean.

Athraithe ag hao123infested ar

jscher2000
  • Top 10 Contributor
8957 réiteach 73390 freagra

It's hard to think of where it's coming from if it's not in the usual places.

Are there specific factors leading you to believe it is somehow related to restoring your previous session? For example, is Restore Previous Session grayed out on the History menu? What if, after you exit Firefox, you rename sessionstore.js to sessionstore.old to prevent it from being used. Does that make any difference?

Is the problem limited to Firefox or does it occur in Internet Explorer as well (after making sure the Target is clean in its shortcut)?

It's hard to think of where it's coming from if it's not in the usual places. Are there specific factors leading you to believe it is somehow related to restoring your previous session? For example, is Restore Previous Session grayed out on the History menu? What if, after you exit Firefox, you rename sessionstore.js to sessionstore.old to prevent it from being used. Does that make any difference? Is the problem limited to Firefox or does it occur in Internet Explorer as well (after making sure the Target is clean in its shortcut)?
hao123infested 1 réiteach 4 freagra

Here is what I found: It is a combination of 1)shortcut hijacking, 2)unwanted backdoor, and 3)virus.


1. hao123 hijack Firefox short cut. a) if I create a short cut from "c:\program files\Mozilla firefox\firefox.exe" , the newly created short cut is hijacked right away/ infested. b) if I uninstall firefox and reinstall it, the shortcut created by installation package is hijacked too. c) if I mouse double click on executable "c:\program files\Mozilla firefox\firefox.exe", the firefox window starts with hao123. Note: in a) and b) shortcut property is clean.

But , if I create a BAT file with command [start \d "c:\program files\mozilla firefox\" firefox.exe]. Then run the BAT file, hao123 is not display as homepage.

2. infestation involved backdoor to BAIDU.com First. I block hao123 from network router, so infested firefox won't open the hao123 page, and instead with network not available page. Then use SysInternal -- TCPViewer tool to trace infested firefox. It shows that BAT file started firefox doesn't make http connections to sites at start up.(Firefox has blank home page). But hao123 infested firefox makes http requests to a list of Unknown IPs. 61.135.185.* 220.181.23.* 123.125.112.* 119.75.208.*

whois service indicates these unknown IPs belongs to Baidu.com, which owns hao123.com. These IPs doesn't related to baidu's internet search services, which use 180.76.*.* network. I assume Unknown IPs associates with hao123.com only. So I block these unknown IPs in firewall an network router.

3. virus

A folder name "QvodPlayer" is re-created in C drive after is deleted. And a function is hooking on shortcut creation api. still trying to trace down what application is behind it. Given that I don't have "hao123-client", "search protected", "conduit" or "qvod" installed,  the folder and hooker are signs of virus

Temporal solution is that: 1. block hao123.com and the list of unknown IPs in firewall or Network router 2. create a BAT file with command [start \d "c:\program files\mozilla firefox\" firefox.exe] to start firefox.


Thanks jscher2000's suggestion. It is shortcut hijacking, but it is an improved version of shortcut hijacking : with backdoor and virus.

Here is what I found: It is a combination of 1)shortcut hijacking, 2)unwanted backdoor, and 3)virus. '''1. hao123 hijack Firefox short cut. ''' a) if I create a short cut from "c:\program files\Mozilla firefox\firefox.exe" , the newly created short cut is hijacked right away/ infested. b) if I uninstall firefox and reinstall it, the shortcut created by installation package is hijacked too. c) if I mouse double click on executable "c:\program files\Mozilla firefox\firefox.exe", the firefox window starts with hao123. Note: in a) and b) shortcut property is clean. But , if I create a '''BAT''' file with command ['''start \d "c:\program files\mozilla firefox\" firefox.exe''']. Then run the BAT file, hao123 is not display as homepage. '''2. infestation involved backdoor to BAIDU.com''' First. I block hao123 from network router, so infested firefox won't open the hao123 page, and instead with network not available page. Then use SysInternal -- TCPViewer tool to trace infested firefox. It shows that BAT file started firefox doesn't make http connections to sites at start up.(Firefox has blank home page). But hao123 infested firefox makes http requests to a list of Unknown IPs. 61.135.185.* 220.181.23.* 123.125.112.* 119.75.208.* whois service indicates these unknown IPs belongs to '''Baidu.com''', '''which owns hao123.com'''. These IPs doesn't related to baidu's internet search services, which use 180.76.*.* network. I assume Unknown IPs associates with hao123.com only. So I block these unknown IPs in firewall an network router. '''3. virus''' A folder name "QvodPlayer" is re-created in C drive after is deleted. And a function is hooking on shortcut creation api. still trying to trace down what application is behind it. Given that I don't have "hao123-client", "search protected", "conduit" or "qvod" installed, the folder and hooker are signs of virus '''Temporal solution is that:''' 1. block hao123.com and the list of unknown IPs in firewall or Network router 2. create a BAT file with command [start \d "c:\program files\mozilla firefox\" firefox.exe] to start firefox. Thanks jscher2000's suggestion. It is shortcut hijacking, but it is an improved version of shortcut hijacking : with backdoor and virus.

Athraithe ag hao123infested ar

jscher2000
  • Top 10 Contributor
8957 réiteach 73390 freagra

A rootkit is a possibility; that will frustrate clean-up efforts. TDSSKiller and some others rootkit-specific cleaners are suggested in that case.

Microsoft's Autoruns tool can help by collating data from the registry, startup folders, and other areas to show what runs at startup. http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

A rootkit is a possibility; that will frustrate clean-up efforts. TDSSKiller and some others rootkit-specific cleaners are suggested in that case. Microsoft's Autoruns tool can help by collating data from the registry, startup folders, and other areas to show what runs at startup. http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
cor-el
  • Top 10 Contributor
  • Moderator
17860 réiteach 161609 freagra

Do a malware check with several malware scanning programs on the Windows computer. Please scan with all programs because each program detects different malware. All these programs have free versions.

Make sure that you update each program to get the latest version of their databases before doing a scan.

You can also do a check for a rootkit infection with TDSSKiller.

See also:

Do a malware check with several malware scanning programs on the Windows computer. Please scan with all programs because each program detects different malware. All these programs have free versions. Make sure that you update each program to get the latest version of their databases before doing a scan. *Malwarebytes' Anti-Malware:<br>http://www.malwarebytes.org/mbam.php *AdwCleaner:<br>http://www.bleepingcomputer.com/download/adwcleaner/<br>http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml *SuperAntispyware:<br>http://www.superantispyware.com/ *Microsoft Safety Scanner:<br>http://www.microsoft.com/security/scanner/en-us/default.aspx *Windows Defender:<br>http://windows.microsoft.com/en-us/windows/using-defender *Spybot Search & Destroy:<br>http://www.safer-networking.org/en/index.html *Kasperky Free Security Scan:<br>http://www.kaspersky.com/security-scan You can also do a check for a rootkit infection with TDSSKiller. *Anti-rootkit utility TDSSKiller:<br>http://support.kaspersky.com/5350?el=88446 See also: *"Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked
hao123infested 1 réiteach 4 freagra

Réiteach Roghnaithe

Scan with Latest TDSSKiller. But it returns 0 threat. I ve tried a lot of malware/adware detect tools, non of them really fixed the hijacking. Then I manually scaned machine with SysInternal's Autorun(thanks's jscher2000's reminder), and deleted a lot of unwanted entries. One of them named "QVOD Shenzhen" in preload dll tab looks suspicious. It is in user\appdata folder. Can't delete that dll directly, so I renamed it to another name, then deleted the dll entry from AutoRun, and rebooted to F8 safe mode to delete the dll. [Note: if not delete the entry, the dll will be loaded in safe mode. hence prevent from deleting the dll. That explains why homepage was hijacked in windows safe mode]

rebooted to normal mode, both IE and Firefox's home pages are back to blank. that means the clean up works !


So the temp solution is to 1. try to reset home page through regular way. 2. if 1 failes, try to create a BAT file to point to firefox 3. if 2 works, then it is a shortcut hijacking 4. run TDSSKiller to see any infestation 5. if TDSSkill returns 0 threat, try to locate "qvod" dll in Appdata folder 6. run AutoRun to find any "qvod" related entries and delete 7. reboot to F8 safe mode to delete the dll.

[Note: uninstall qvod won't solve the hao-123 page hijacking]

'''Scan with Latest TDSSKiller. But it returns 0 threat.''' I ve tried a lot of malware/adware detect tools, non of them really fixed the hijacking. Then I manually scaned machine with SysInternal's Autorun(thanks's jscher2000's reminder), and deleted a lot of unwanted entries. One of them named "QVOD Shenzhen" in preload dll tab looks suspicious. It is in user\appdata folder. Can't delete that dll directly, so I renamed it to another name, then deleted the dll entry from AutoRun, and rebooted to F8 safe mode to delete the dll. [Note: if not delete the entry, the dll will be loaded in safe mode. hence prevent from deleting the dll. That explains why homepage was hijacked in windows safe mode] rebooted to normal mode, both IE and Firefox's home pages are back to blank. that means the clean up works ! So the temp solution is to 1. try to reset home page through regular way. 2. if 1 failes, try to create a BAT file to point to firefox 3. if 2 works, then it is a shortcut hijacking 4. run TDSSKiller to see any infestation 5. if TDSSkill returns 0 threat, try to locate "qvod" dll in Appdata folder 6. run AutoRun to find any "qvod" related entries and delete 7. reboot to F8 safe mode to delete the dll. [Note: uninstall qvod won't solve the hao-123 page hijacking]
jnls 0 réiteach 1 freagra

Yes mine was completely shortcut hijacking, but google chrome didnt get infected (Impressive)!

I try all above but in the end things turn okay when i run the AutoRun & find the qvod shenzen, happen to be in my browser helper objects, i guess this how it "hijack" my browsers. Then I delete all this Qvod entries.

Yes uninstall qvod won't solve the page hijack.

Thank you so much @hao123infested!!

Yes mine was completely shortcut hijacking, but google chrome didnt get infected (Impressive)! I try all above but in the end things turn okay when i run the AutoRun & find the qvod shenzen, happen to be in my browser helper objects, i guess this how it "hijack" my browsers. Then I delete all this Qvod entries. Yes uninstall qvod won't solve the page hijack. Thank you so much @hao123infested!!
PCFixHelp 0 réiteach 7 freagra

Hello, there is video guide how to remove hao123 <Youtube link removed> May be it will be helpful

Hello, there is video guide how to remove hao123 <Youtube link removed> May be it will be helpful

Athraithe ag James ar

Moses
  • Moderator
459 réiteach 3608 freagra

PCFixHelp:

This is a solved and now closed thread. Please do not advertise programs here.

PCFixHelp: This is a solved and now closed thread. Please do not advertise programs here.