Jump to content


  • Posts

  • Joined

  • Last visited


0 Neutral
  1. Hello again, Nothing seems to work at all, all efforts have been fruitless. The link keeps resetting every day, regardless of being offline or online, even with sync off. I have no other option but to completely reset my computer, and re-install everything from scratch again. Maybe I should send a invoice/bill to Hao123 for this? Thanks for all your help anyway. Have a nice day! :)
  2. Problem still persist. I have reset sync, it is completely off now. I did follow the given instructions and did go through them twice even. And even though the computer is booted and logged into in normal mode, but without network connection, the Google Chrome.lnk still changed to contain the malicious ref-link to Hao123. I'm attaching the reports from Farbar, do you need any other reports from any other tools? Both Malwarebytes and ADWCleaner came up empty. I removed Zemana, because it only sees the Chrome link but not the real problem. Addition.txt FRST.txt Shortcut.txt
  3. I don't understand. I did follow that instruction to the letter, reset Chrome and turned off sync completely. I can't do another reset of sync, because it is no longer enabled on this device, I am not even logged into Chrome. I did restart the computer normally, and cleared all cache etc. But the malware reset the file automatically even when the computer was offline, no Internet or network available. It now gets reset multiple times a day, about every 2 hours in the morning, and every 4 hours in the afternoon/evening. Resync is going to be disabled until problem is resolved. Thankful for all help! (I will try the steps in post #11 once more later today, and send results tomorrow)
  4. So, today I booted up my computer at 08:54 (local time) with all network physically disconnected from it, so it cold not communicate with anything. Upon logging into Windows, the file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk was again changed at 08:54 (local time). This confirms that the issue is within the system. Prior to this, I have turned off all syncing and logged out of Chrome and reset it. I also ran ADWCleaner with the "basic repair", but unfortunately it did not detect the issue. In my GIT manager, it says that the file was changed by admin account (not specific). And it changed upon booting the computer up, which leads me to think it runs at startup or is a service of sort. I have attached a fresh Farbar report, I ran it with all things checked while computer was still disconnected. The malware is still persistent and active, it copies the file Google Chrome.lnk to the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\, replacing the existing one, I think. FRST.txt Addition.txt Shortcut.txt
  5. Thanks. I have reset the sync, and have now turned it off completely. The file C:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk was removed earlier, and does not "spawn" again. But the original C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk was again changed at 19:46 (local time). I have now logged out of Chrome, reset it, and emptied out cache etc. I have also run Malwarebytes and ADWCleaner again, but found nothing. I will wait until tomorrow and see if the original Google Chrome.lnk changes again tomorrow. I will boot my computer offline tomorrow to see if the problem sits in the system, or if it is synced from somewhere. I will run the Farbar again tomorrow, and send you the report files again. I really hope I don't need to wipe the computer and re-install again. All your help is much appreciated! :)
  6. Removed the file at C:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk. Then restored the original Chrome.lnk to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe", emptied out history and reset Chrome under Advanced settings. I then rebooted the computer in normal mode and ran ADWCleaner. All seemed fine until 12.44 (my local time), when the Chrome.lnk file at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk was reset again to: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" hxxp://hao.169x.cn/?v=108 The file you mentioned earlier is deleted and does not come back. But the Chrome.lnk changes back. So the problem seems to persist. Can I search for something, how do we find the string in hiding?
  7. Ok, thank you. I will try this and get back to you asap.
  8. Ok, I ran the Farbar with all options selected instead (with all apps closed, and Internet disconnected), I attached the new reports here. Note that I have changed the Chrome.lnk by hand since I don't want the hao-link to pop every time I restart. I am using the command --pinned-tab-count 4, along with the URLs I wish to start Chrome with. But this is reset every 4 hours or so by the malware to the earlier mentioned link. Thank you in advance! Shortcut.txt Addition.txt FRST.txt
  9. Hello and thank you veru much for assisting me. I have done as you instructed, twice. First time I rebooted computer in safe mode and ran the softwares as instructed and reset the browser. Second time I followed your instructions while started in normal mode. I disconnected from Internet both times. I have attached the logs from both runs. Fixlog.txt is from the first run in safe mode with Internet disconnected, Fixlog_2.txt is from second run in normal boot, Internet still disconnected. I ran AdwCleaner in safe and normal modes, same result. (Log-files AdwCleaner[S03] and AdwCleaner[S04]) Upon starting the computer today, the Chrome.lnk was again altered, problem persists. Chrome.lnk was altered to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://hao.169x.cn/?v=108 I don't know what to do to get rid of this annoying thing...you have any other ideas you want to try? Thanks in advance! Fixlog.txt Fixlog_2.txt AdwCleaner[S03].txt AdwCleaner[S04].txt
  10. Double posting my reports..don't know what's going to work. 2018_05.15-18_41.42-i0-t92-d2.txt Addition.txt FRST.txt
  11. I've tried to remove the infamous plague HAO123 from my computer, but it keeps resetting my chrome shortcut with http://hao.169x.cn?v=108. My Chrome (Google Chrome.lnk) shortcut is located at "C:\ProgramData\Microsoft\Windows\Start Menu\Programs". It keeps adding the hao-link to the end of "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe". I tried making the file write protected, but no luck. I've also run ADWCleaner and Malwarebytes, but they can't detect this one, neither can Avast. I have attached my Zemana report, and the Farbar Recovery Scan Tool reports to this query. All help is greatly appreciated! :) (I'm an avid supporter of Malwarebytes) Addition.txt FRST.txt 2018.05.15-18.41.42-i0-t92-d2.txt
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.