This thread was closed and archived. Please ask a new question if you need help.

Firefox hijacked by hao123

Every time I open Firefox, which defaulted to google.com, it prompted http://www.hao123.com/?tn=98005892_hao_pg instead. I've used malware tools and other solutions provided on the internet, but none of that works. Please assist.


Additional system details

Installed plug-ins

  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Shockwave Flash 14.0 r0
  • QvodInsert
  • YunWebDetect
  • Google Update
  • QvodShareModule
  • Adobe PDF Plug-In For Firefox and Netscape 10.1.10
  • NPWLPG
  • GEPlugin
  • 5.1.20513.0
  • RealJukebox Netscape Plugin
  • RealNetworks(tm) RealPlayer Chrome Background Extension Plug-In
  • RealPlayer(tm) HTML5VideoShim Plug-In
  • RealPlayer(tm) LiveConnect-Enabled Plug-In
  • RealPlayer Download Plugin
  • Next Generation Java Plug-in 1.6.0_32 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • Office Authorization plug-in for NPAPI browsers

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0


jscher2000
  • Top 10 Contributor
8793 solutions 71928 answers

Is this site listed as your home page in the Options dialog? If it is, can you successfully change it or does Firefox not allow you to change it?

  • Startup, home page and download settings

If Firefox will not allow you to change it, check the Windows Control Panel, Uninstall a Program, for something named SearchProtect and remove it.

If Firefox will allow you to change it, do you get the correct home page when you use either of these:

  • Click the home icon on the toolbar
  • Open a new window (Ctrl+n)

If you get the wrong page, it's probably an add-on. More on that in a second message.

If you get the right page, that's good. If it changes back after the next time you exit and restart Firefox, check this article: How to fix preferences that won't save (especially the part about a user.js file).


If the home page setting was correct and the home icon works fine, but the desktop icon still gives you the bad page, check to make sure your icon wasn't modified. Right-click the shortcut, choose Properties, and the Shortcut tab. The "Target" should be the following, no more, no less (for 64-bit Windows):

"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
jscher2000
  • Top 10 Contributor
8793 solutions 71928 answers

Bad extensions often are installed externally to Firefox. I suggest starting here:

Open the Windows Control Panel, Uninstall a Program. Click the "Installed on" column heading to group the infections, I mean, additions, by date. This can help in smoking out undisclosed bundle items that snuck in with some software you agreed to install. Take out as much trash as possible here.

Then, in Firefox, open the Add-ons page using either:

  • Ctrl+Shift+a
  • "3-bar" menu button (or Tools menu) > Add-ons

In the left column, click Extensions. Then, if in doubt, disable (or Remove, if possible) unrecognized and unwanted extensions.

Often a link will appear above at least one disabled extension to restart Firefox. You can complete your work on the tab and click one of the links as the last step.

Finally, you can "mop up" remaining issues with the scanning/cleaning tools listed in our support article: Troubleshoot Firefox issues caused by malware.

Are you able to get control of your home page?

cor-el
  • Top 10 Contributor
  • Moderator
17578 solutions 159013 answers

http://malwaretips.com/blogs/remove-hao123-virus/

hao123infested 1 solution 4 answers

Helpful reply

After removing all add-ons and extensions in Firefox, and setting the history to "no remember history" and the homepage to "blank", hao123 is still hijacking the homepage.

After resetting Firefox in the "Help" menu, Firefox auto-starts with a clean homepage, but it is hijacked again after a normal exit of Firefox.

Reinstalling Firefox doesn't help.

Entering Windows safe mode (without network), I still see hao123 in the startup address. Of course, it can't display without a network, but the hao123 URL in the address bar indicates that the homepage is hijacked. Looking at the Firefox General tab, the homepage textbox is blank and "history" is "never remember".

IE gets infested too, but Google Chrome remains untouched.

None of the malware/adware detectors find this virus. No "hao123-client", "search protected", "conduit" or "qvod" is found on the machine. The registry, hardware virtual drivers, and services were manually scanned and reviewed, which indicates "hao123" has improved its hijack methods.

The hao123 hijack is different this time. I guess hao123 hijacks the home page by modifying the "last closing session URL" and "start with last session" functions in Firefox. Just guessing.

I need some hints to remove this bad bug.

Thanks in advance

jscher2000
  • Top 10 Contributor
8793 solutions 71928 answers

Hi hao123infested, could you test:

Click Home icon or Press Alt+Home or Ctrl+n Keyboard Shortcuts

This should load the home page set in Options. Do you get the correct home page or the unwanted home page?

(A) Correct

Your Firefox shortcut may be hijacked. Right-click it and check its Properties to make sure the unwanted URL is not included in the Target (this is set on the Shortcut tab).

(B) Unwanted

You may have a self-hiding extension or hijacked connection setting.

(1) Self-hiding extensions are visible in Firefox's Safe Mode. That's a standard diagnostic tool to deactivate extensions and some advanced features of Firefox. More info: Troubleshoot Firefox issues using Safe Mode.

You can restart Firefox in Safe Mode using either:

  • "3-bar" menu button > "?" button > Restart with Add-ons Disabled
  • Help menu > Restart with Add-ons Disabled

Not all add-ons are disabled: Flash and other plugins still run.

After Firefox shuts down, a small dialog should appear. Click "Start in Safe Mode" (not Reset).

Anything new on the Add-ons page? Either:

  • Ctrl+Shift+a
  • "3-bar" menu button (or Tools menu) > Add-ons

In the left column, click Extensions. Anything unexpected or suspicious on the list?

(2) You can check your connection setting here:

"3-bar" menu button (or Tools menu) > Options > Advanced > Network mini-tab > "Settings" button

The default is "Use system proxy settings" but you also can try "No proxy" to see whether that helps.

hao123infested 1 solution 4 answers

ALT-Home or the homepage icon still points to the "blank" page, which is my home page. So the answer is partially 'A'. The Firefox icon is clean. Even when starting Firefox from the Windows start menu's "search application and file" box, hao123 is still haunting.

I guess hao123 hijacks the last session and history record in a stealthy way, but somehow sessionstore.js is clean.

Modified by hao123infested

jscher2000
  • Top 10 Contributor
8793 solutions 71928 answers

It's hard to think of where it's coming from if it's not in the usual places.

Are there specific factors leading you to believe it is somehow related to restoring your previous session? For example, is Restore Previous Session grayed out on the History menu? What if, after you exit Firefox, you rename sessionstore.js to sessionstore.old to prevent it from being used. Does that make any difference?

Is the problem limited to Firefox or does it occur in Internet Explorer as well (after making sure the Target is clean in its shortcut)?

hao123infested 1 solution 4 answers

Here is what I found: it is a combination of 1) shortcut hijacking, 2) an unwanted backdoor, and 3) a virus.

1. hao123 hijacks the Firefox shortcut.

a) If I create a shortcut from "c:\program files\Mozilla firefox\firefox.exe", the newly created shortcut is hijacked right away / infested.
b) If I uninstall Firefox and reinstall it, the shortcut created by the installation package is hijacked too.
c) If I double-click on the executable "c:\program files\Mozilla firefox\firefox.exe", the Firefox window starts with hao123.

Note: in a) and b) the shortcut property is clean.

But if I create a BAT file with the command [start /d "c:\program files\mozilla firefox\" firefox.exe] and then run the BAT file, hao123 is not displayed as the homepage.

2. The infestation involved a backdoor to BAIDU.com

First, I blocked hao123 at the network router, so the infested Firefox won't open the hao123 page and instead shows the network-not-available page. Then I used the SysInternal TCPViewer tool to trace the infested Firefox. It shows that Firefox started from the BAT file doesn't make HTTP connections to sites at startup (Firefox has a blank home page). But the hao123-infested Firefox makes HTTP requests to a list of unknown IPs: 61.135.185.*, 220.181.23.*, 123.125.112.*, 119.75.208.*

The whois service indicates these unknown IPs belong to Baidu.com, which owns hao123.com. These IPs aren't related to Baidu's internet search services, which use the 180.76.*.* network. I assume the unknown IPs are associated with hao123.com only. So I blocked these unknown IPs in the firewall and network router.

3. Virus

A folder named "QvodPlayer" is re-created on the C drive after it is deleted, and a function is hooking the shortcut creation API. I am still trying to trace down what application is behind it. Given that I don't have "hao123-client", "search protected", "conduit" or "qvod" installed, the folder and hooker are signs of a virus.

The temporary solution is:

1. Block hao123.com and the list of unknown IPs in the firewall or network router.
2. Create a BAT file with the command [start /d "c:\program files\mozilla firefox\" firefox.exe] to start Firefox.

Thanks for jscher2000's suggestion. It is shortcut hijacking, but it is an improved version of shortcut hijacking: with a backdoor and a virus.

Modified by hao123infested

jscher2000
  • Top 10 Contributor
8793 solutions 71928 answers

A rootkit is a possibility; that will frustrate clean-up efforts. TDSSKiller and some other rootkit-specific cleaners are suggested in that case.

Microsoft's Autoruns tool can help by collating data from the registry, startup folders, and other areas to show what runs at startup. http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

cor-el
  • Top 10 Contributor
  • Moderator
17578 solutions 159013 answers

Do a malware check with several malware scanning programs on the Windows computer. Please scan with all programs because each program detects different malware. All these programs have free versions.

Make sure that you update each program to get the latest version of their databases before doing a scan.

  • Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php
  • AdwCleaner: http://www.bleepingcomputer.com/download/adwcleaner/ and http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml
  • SuperAntispyware: http://www.superantispyware.com/
  • Microsoft Safety Scanner: http://www.microsoft.com/security/scanner/en-us/default.aspx
  • Windows Defender: http://windows.microsoft.com/en-us/windows/using-defender
  • Spybot Search & Destroy: http://www.safer-networking.org/en/index.html
  • Kaspersky Free Security Scan: http://www.kaspersky.com/security-scan

You can also do a check for a rootkit infection with TDSSKiller.

  • Anti-rootkit utility TDSSKiller: http://support.kaspersky.com/5350?el=88446

See also:

  • "Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked

hao123infested 1 solution 4 answers

Chosen solution

I scanned with the latest TDSSKiller, but it returned 0 threats. I've tried a lot of malware/adware detection tools; none of them really fixed the hijacking. Then I manually scanned the machine with SysInternal's Autorun (thanks for jscher2000's reminder) and deleted a lot of unwanted entries. One of them, named "QVOD Shenzhen" in the preload dll tab, looks suspicious. It is in the user\appdata folder. I couldn't delete that dll directly, so I renamed it to another name, then deleted the dll entry from AutoRun, and rebooted to F8 safe mode to delete the dll. [Note: if the entry is not deleted, the dll will be loaded in safe mode, hence preventing the dll from being deleted. That explains why the homepage was hijacked in Windows safe mode.]

Rebooted to normal mode; both IE's and Firefox's home pages are back to blank. That means the cleanup works!

So the temp solution is to:

1. Try to reset the home page the regular way.
2. If 1 fails, try to create a BAT file to point to Firefox.
3. If 2 works, then it is a shortcut hijacking.
4. Run TDSSKiller to see any infestation.
5. If TDSSKiller returns 0 threats, try to locate the "qvod" dll in the Appdata folder.
6. Run AutoRun to find any "qvod"-related entries and delete them.
7. Reboot to F8 safe mode to delete the dll.

[Note: uninstalling qvod won't solve the hao-123 page hijacking]

jnls 0 solutions 1 answer

Yes, mine was completely shortcut hijacking, but Google Chrome didn't get infected (impressive)!

I tried all of the above, but in the end things turned okay when I ran AutoRun and found the qvod shenzen, which happened to be in my browser helper objects; I guess this is how it "hijacks" my browsers. Then I deleted all these Qvod entries.

Yes, uninstalling qvod won't solve the page hijack.

Thank you so much @hao123infested!!
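
A read-only PowerShell audit of the three places this thread ended up checking, added here as an example and not posted by anyone in the thread: browser shortcut Targets (jscher2000's check), preloaded DLLs (the accepted solution), and Browser Helper Objects (jnls's reply). It assumes that the "preload dll" entry corresponds to the AppInit_DLLs registry value; the function names and the profile-path heuristic are illustrative.

```powershell
# Read-only audit: reports, never deletes. Run in 64-bit PowerShell as administrator.

function Test-ProfilePath([string]$Path) {
    # Heuristic (assumption): a DLL that loads into every process or into the
    # browser should not live under a user profile or a temp folder.
    return $Path -match '\\(Users|Documents and Settings)\\|\\AppData\\|\\Temp\\'
}

function Get-BrowserShortcutArgs {
    # Shortcut check: Target should be the browser executable, no more, no less.
    $shell = New-Object -ComObject WScript.Shell
    $dirs = @("$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop",
              "$env:APPDATA\Microsoft\Windows\Start Menu",
              "$env:ProgramData\Microsoft\Windows\Start Menu",
              "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch") |
            Where-Object { Test-Path $_ }
    Get-ChildItem -Path $dirs -Recurse -Filter *.lnk -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if ($lnk.TargetPath -match '\\(firefox|iexplore|chrome)\.exe$' -and $lnk.Arguments) {
                New-Object PSObject -Property @{
                    Check = 'Shortcut arguments'; Item = $_.FullName
                    Value = $lnk.Arguments
                    Suspicious = [bool]($lnk.Arguments -match 'https?://|www\.') }
            }
        }
}

function Get-AppInitDlls {
    # Assumption: this is the value behind the "preload dll" entry in the thread.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($key in $keys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $p -or -not $p.AppInit_DLLs) { continue }
        # The value is a list of DLL paths separated by spaces or commas.
        foreach ($dll in ($p.AppInit_DLLs -split '[,\s]+' | Where-Object { $_ })) {
            New-Object PSObject -Property @{
                Check = "AppInit_DLLs (LoadAppInit_DLLs=$($p.LoadAppInit_DLLs))"
                Item = $key; Value = $dll; Suspicious = (Test-ProfilePath $dll) }
        }
    }
}

function Get-BrowserHelperObjects {
    # Each BHO subkey is a CLSID; resolve it to the DLL that Internet Explorer loads.
    $pairs = @(
        @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
          'HKLM:\SOFTWARE\Classes\CLSID'),
        @('HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
          'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'))
    foreach ($pair in $pairs) {
        if (-not (Test-Path -LiteralPath $pair[0])) { continue }
        foreach ($k in Get-ChildItem -LiteralPath $pair[0]) {
            $clsid = $k.PSChildName
            $srv = Get-ItemProperty -LiteralPath "$($pair[1])\$clsid\InprocServer32" `
                                    -ErrorAction SilentlyContinue
            $dll = if ($srv) { $srv.'(default)' } else { '<class not registered>' }
            New-Object PSObject -Property @{
                Check = 'Browser Helper Object'; Item = $clsid
                Value = $dll; Suspicious = (Test-ProfilePath $dll) }
        }
    }
}

$findings = @(Get-BrowserShortcutArgs) + @(Get-AppInitDlls) + @(Get-BrowserHelperObjects)
$findings | Sort-Object Suspicious -Descending |
    Format-List Check, Item, Value, Suspicious
```

Entries marked Suspicious are candidates to review in Autoruns, not a verdict; a clean shortcut Target with a flagged DLL matches what hao123infested described above.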

PCFixHelp 0 solutions 7 answers

Hello, there is a video guide on how to remove hao123 <Youtube link removed>. Maybe it will be helpful.

Modified by James

Moses
  • Moderator
459 solutions 3607 answers

PCFixHelp:

This is a solved and now closed thread. Please do not advertise programs here.
