Chrizze Posted May 15, 2018 ID:1243147
I've tried to remove the infamous plague HAO123 from my computer, but it keeps resetting my Chrome shortcut with http://hao.169x.cn?v=108. My Chrome (Google Chrome.lnk) shortcut is located at "C:\ProgramData\Microsoft\Windows\Start Menu\Programs". It keeps adding the hao-link to the end of "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe". I tried making the file write protected, but no luck. I've also run ADWCleaner and Malwarebytes, but they can't detect this one, neither can Avast. I have attached my Zemana report, and the Farbar Recovery Scan Tool reports to this query. All help is greatly appreciated! :) (I'm an avid supporter of Malwarebytes)
Addition.txt FRST.txt 2018.05.15-18.41.42-i0-t92-d2.txt
Staff Malwarebytes Posted May 15, 2018 ID:1243148
***This is an automated reply***
Hi,
Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here to help you!!
Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact a Moderator or Administrator to let them know.
First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support.
Malwarebytes can detect and remove most malware with no further actions required for free. If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.
Open Malwarebytes for Windows
To the left, click Scan > Scan Types.
Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.
Click Start Scan
Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Follow the instructions below to run the Farbar Recovery Scan Tool:
Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.
Please download the Farbar Recovery Scan Tool here and save it to your desktop.
Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit.
Double-click to run it. When the tool opens click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.
Finally, attach the Malwarebytes Threat Scan, FRST.txt and Additional.txt logs to your reply and Follow this topic to get notified when an expert has replied.
Note: If you are unable to attach files, please copy and paste the contents of the requested files in your Reply instead.
To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.
After posting your new post, make sure you click the Follow button near the top right of this page, and select the option "An email when new content is posted" so that you're alerted by email when someone has replied to your post.
Please Note the Following:
One of our expert helpers will give you one-on-one assistance when one becomes available.
Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help.
If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.
Troubleshooting Tips
FAQ - Malwarebytes won't run or failed to resolve my issues
Groups authorized to help with Malware Removal for Windows logs
Chrizze Posted May 17, 2018 Author ID:1243547
Double posting my reports... don't know what's going to work.
2018_05.15-18_41.42-i0-t92-d2.txt Addition.txt FRST.txt
nasdaq Posted May 17, 2018 ID:1243650
Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from. The location is listed in the 3rd line of the FRST.txt log you have submitted.
Run FRST and click Fix only once and wait.
The tool will create a log (Fixlog.txt) please post it to your reply.
===
Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the LogFile button and the report will open in Notepad.
IMPORTANT
If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Check off the element(s) you wish to keep.
Click on the Clean button follow the prompts.
A log file will automatically open after the scan has finished.
Please post the content of that log file with your next answer.
You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===
Reset Chrome...
Open Google Chrome, click on menu icon or the 3 vertical dots located right side top of the google chrome.
Click "Settings" then "Show advanced settings" at the bottom of the screen.
Click "Reset browser settings" button.
Restart Chrome.
<<<>>>
Please post the logs and let me know if the problem persists.
fixlist.txt
Chrizze Posted May 18, 2018 Author ID:1244007
Hello and thank you very much for assisting me. I have done as you instructed, twice. First time I rebooted the computer in safe mode and ran the software as instructed and reset the browser. Second time I followed your instructions while started in normal mode. I disconnected from Internet both times. I have attached the logs from both runs. Fixlog.txt is from the first run in safe mode with Internet disconnected, Fixlog_2.txt is from the second run in normal boot, Internet still disconnected. I ran AdwCleaner in safe and normal modes, same result. (Log-files AdwCleaner[S03] and AdwCleaner[S04])
Upon starting the computer today, the Chrome.lnk was again altered, problem persists. Chrome.lnk was altered to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://hao.169x.cn/?v=108
I don't know what to do to get rid of this annoying thing... you have any other ideas you want to try? Thanks in advance!
Fixlog.txt Fixlog_2.txt AdwCleaner[S03].txt AdwCleaner[S04].txt
nasdaq Posted May 18, 2018 ID:1244012
Hi,
Please run the Farbar program and check the box to include the Shortcuts list.
Post the FRST.txt log for my review.
Chrizze Posted May 18, 2018 Author ID:1244062
Ok, I ran the Farbar with all options selected instead (with all apps closed, and Internet disconnected), I attached the new reports here. Note that I have changed the Chrome.lnk by hand since I don't want the hao-link to pop every time I restart. I am using the command --pinned-tab-count 4, along with the URLs I wish to start Chrome with. But this is reset every 4 hours or so by the malware to the earlier mentioned link. Thank you in advance!
Shortcut.txt Addition.txt FRST.txt
nasdaq Posted May 19, 2018 ID:1244518
Hi,
This is the culprit.
ShortcutWithArgument: C:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108
Delete this .lnk in bold.
C:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
Restart the computer normally.
How is it now?
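The ShortcutWithArgument line above is what FRST's Shortcut list reports when a .lnk carries a command-line argument, here a URL appended to chrome.exe. The following is an added example, not code from the thread, from FRST or from Malwarebytes: a minimal parser for the Windows Shell Link (.lnk) binary format that reads the StringData section where such arguments live, and a scanner that flags every shortcut under a folder whose arguments contain a URL. The function names (parse_lnk, find_url_arguments, scan_shortcuts, build_sample_lnk) are this example's own, and the two shortcut byte strings are constructed here to mirror the hijacked and a clean Chrome shortcut; they are not real files from the poster's machine. Pointing scan_shortcuts at the Start Menu, Quick Launch and Desktop folders gives the same kind of inventory the helper asked for, and can be re-run after each reboot to see which shortcut was rewritten. It only finds the hijacked artefact, not the process that keeps rewriting it.

```python
"""Find .lnk shortcuts whose command-line arguments smuggle in a URL."""
import re
import struct
import tempfile
from pathlib import Path

# LinkFlags bits from the [MS-SHLLINK] Shell Link specification
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C  # the ShellLinkHeader is always 76 bytes
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
# StringData entries appear in this fixed order, each present only if its flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
URL_RE = re.compile(r"(?i)\b(?:https?|hxxps?)://\S+")  # plain or defanged URLs


def _read_string(data, pos, unicode):
    """Read one StringData entry: 2-byte character count, then the characters."""
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    if unicode:
        end = pos + 2 * count
        return data[pos:end].decode("utf-16-le"), end
    end = pos + count
    return data[pos:end].decode("cp1252", errors="replace"), end


def parse_lnk(data):
    """Return the StringData fields of a .lnk as a dict (absent fields omitted)."""
    if (len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE)
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the variable-size IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo starts with its own size
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            fields[name], pos = _read_string(data, pos, bool(flags & IS_UNICODE))
    return fields


def find_url_arguments(data):
    """URLs found in the shortcut's arguments; [] means nothing suspicious."""
    return URL_RE.findall(parse_lnk(data).get("arguments", ""))


def scan_shortcuts(root):
    """Walk a folder tree and return (path, urls) for every .lnk with URL arguments."""
    hits = []
    for lnk in Path(root).rglob("*.lnk"):
        try:
            urls = find_url_arguments(lnk.read_bytes())
        except (OSError, ValueError, struct.error):
            continue                             # unreadable or malformed: skip it
        if urls:
            hits.append((str(lnk), urls))
    return hits


def build_sample_lnk(relative_path, working_dir, arguments):
    """Construct a minimal Unicode .lnk for testing (constructed data, not a real file)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += struct.pack("<I", 0x20)            # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                       # Creation/Access/Write FILETIMEs
    header += struct.pack("<IiI", 0, 0, 1)       # FileSize, IconIndex, SW_SHOWNORMAL
    header += b"\x00" * 12                       # HotKey, Reserved1, Reserved2, Reserved3
    assert len(header) == HEADER_SIZE
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body


# Constructed samples mirroring the hijacked shortcut from the thread and a clean one
CHROME_REL = r"..\..\..\Program Files (x86)\Google\Chrome\Application\chrome.exe"
CHROME_DIR = r"C:\Program Files (x86)\Google\Chrome\Application"
HIJACKED = build_sample_lnk(CHROME_REL, CHROME_DIR, "http://hao.169x.cn/?v=108")
CLEAN = build_sample_lnk(CHROME_REL, CHROME_DIR, "--pinned-tab-count 4")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:   # stand-in for the Start Menu folder
        Path(tmp, "Google Chrome.lnk").write_bytes(HIJACKED)
        Path(tmp, "Chrome (clean).lnk").write_bytes(CLEAN)
        for path, urls in scan_shortcuts(tmp):
            print(f"{path} -> {urls}")
```

On a real machine, call scan_shortcuts on C:\ProgramData\Microsoft\Windows\Start Menu\Programs, the per-user Start Menu, the Quick Launch folder (including User Pinned\TaskBar) and the Desktop. The parser deliberately ignores the IDList and LinkInfo blocks, since the argument string is all that matters for this check; a shortcut that fails to parse is skipped rather than trusted.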
Chrizze Posted May 21, 2018 Author ID:1244810
Ok, thank you. I will try this and get back to you asap.
Chrizze Posted May 21, 2018 Author ID:1244833 (edited)
Removed the file at C:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk. Then restored the original Chrome.lnk to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe", emptied out history and reset Chrome under Advanced settings. I then rebooted the computer in normal mode and ran ADWCleaner.
All seemed fine until 12.44 (my local time), when the Chrome.lnk file at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk was reset again to: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" hxxp://hao.169x.cn/?v=108
The file you mentioned earlier is deleted and does not come back. But the Chrome.lnk changes back. So the problem seems to persist. Can I search for something, how do we find the string in hiding?
Edited May 21, 2018 by Chrizze: Added some extra information
nasdaq Posted May 21, 2018 ID:1244859
Hi,
It could be a Syncing issue? Are you Syncing Chrome with other devices?
To remove it you will have to reset the Sync in Chrome.
Read this article and proceed.
Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/
<<<>>>
Restart the computer normally.
Again: remove the file at C:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk. Then restore the original Chrome.lnk to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
Restart the computer normally to reset the registry.
How is it now?
Chrizze Posted May 21, 2018 Author ID:1245045
Thanks. I have reset the sync, and have now turned it off completely. The file C:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk was removed earlier, and does not "spawn" again. But the original C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk was again changed at 19:46 (local time). I have now logged out of Chrome, reset it, and emptied out cache etc. I have also run Malwarebytes and ADWCleaner again, but found nothing.
I will wait until tomorrow and see if the original Google Chrome.lnk changes again tomorrow. I will boot my computer offline tomorrow to see if the problem sits in the system, or if it is synced from somewhere. I will run the Farbar again tomorrow, and send you the report files again. I really hope I don't need to wipe the computer and re-install again.
All your help is much appreciated! :)
Chrizze Posted May 22, 2018 Author ID:1245171
So, today I booted up my computer at 08:54 (local time) with all network physically disconnected from it, so it could not communicate with anything. Upon logging into Windows, the file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk was again changed at 08:54 (local time). This confirms that the issue is within the system. Prior to this, I have turned off all syncing and logged out of Chrome and reset it. I also ran ADWCleaner with the "basic repair", but unfortunately it did not detect the issue.
In my GIT manager, it says that the file was changed by admin account (not specific). And it changed upon booting the computer up, which leads me to think it runs at startup or is a service of sort.
I have attached a fresh Farbar report, I ran it with all things checked while computer was still disconnected. The malware is still persistent and active, it copies the file Google Chrome.lnk to the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\, replacing the existing one, I think.
FRST.txt Addition.txt Shortcut.txt
nasdaq Posted May 22, 2018 ID:1245254
Hi,
Please repeat the instructions in post no. 11. Make sure you execute all the instructions as listed.
Make sure you restart the computer normally.
Do not re-sync Chrome just yet. Wait until all is well with this computer then in a day or two re-sync if you need.
Chrizze Posted May 22, 2018 Author ID:1245255
I don't understand. I did follow that instruction to the letter, reset Chrome and turned off sync completely. I can't do another reset of sync, because it is no longer enabled on this device, I am not even logged into Chrome. I did restart the computer normally, and cleared all cache etc. But the malware reset the file automatically even when the computer was offline, no Internet or network available. It now gets reset multiple times a day, about every 2 hours in the morning, and every 4 hours in the afternoon/evening. Resync is going to be disabled until problem is resolved.
Thankful for all help! (I will try the steps in post #11 once more later today, and send results tomorrow)
nasdaq Posted May 22, 2018 ID:1245415
Hi,
Before you reset the Sync make sure that the issue is cleared.
Chrizze Posted May 23, 2018 Author ID:1245514
Problem still persists. I have reset sync, it is completely off now. I did follow the given instructions and did go through them twice even. And even though the computer is booted and logged into in normal mode, but without network connection, the Google Chrome.lnk still changed to contain the malicious ref-link to Hao123.
I'm attaching the reports from Farbar, do you need any other reports from any other tools? Both Malwarebytes and ADWCleaner came up empty. I removed Zemana, because it only sees the Chrome link but not the real problem.
Addition.txt FRST.txt Shortcut.txt
nasdaq Posted May 23, 2018 ID:1245560
Hi,
Please navigate to this page.
https://greatis.com/blog/howto/remove-hao-169x-cn-completely-2.htm
Investigate and see if you can find the bad entry.
As the last issue you may decide to download their removal tool.
If at any time you need help to remove an entry, please ask.
Chrizze Posted May 24, 2018 Author ID:1245824
Hello again,
Nothing seems to work at all, all efforts have been fruitless. The link keeps resetting every day, regardless of being offline or online, even with sync off. I have no other option but to completely reset my computer, and re-install everything from scratch again. Maybe I should send an invoice/bill to Hao123 for this?
Thanks for all your help anyway. Have a nice day! :)
nasdaq Posted May 24, 2018 ID:1245941
Hi,
Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from. The location is listed in the 3rd line of the FRST.txt log you have submitted.
Run FRST and click Fix only once and wait.
The tool will create a log (Fixlog.txt) please post it to your reply.
===
p.s. The fix will remove these two shortcuts.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\chrome.lnk
After the restart please DO NOT create a new shortcut. When all is well you can create a new one as you like.
fixlist.txt
Root Admin AdvancedSetup Posted June 16, 2018 ID:1250565
Due to the lack of feedback, this topic is closed to prevent others from posting here.
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.
This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.
Thanks