Chrizze

Unable to remove hao123 malware


I've tried to remove the infamous plague HAO123 from my computer, but it keeps resetting my chrome shortcut with http://hao.169x.cn?v=108. My Chrome (Google Chrome.lnk) shortcut is located at "C:\ProgramData\Microsoft\Windows\Start Menu\Programs". It keeps adding the hao-link to the end of "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe". I tried making the file write protected, but no luck. I've also run ADWCleaner and Malwarebytes, but they can't detect this one, neither can Avast. 

I have attached my Zemana report, and the Farbar Recovery Scan Tool reports to this query.

All help is greatly appreciated! :)

(I'm an avid supporter of Malwarebytes)

 

Addition.txt

FRST.txt

2018.05.15-18.41.42-i0-t92-d2.txt


***This is an automated reply***

Hi,

Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here to help you!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact a Moderator or Administrator to let them know.

 

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:


Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

  1. Open Malwarebytes for Windows
  2. To the left, click Scan > Scan Types.
  3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.
  4. Click Start Scan

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:


Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  1. Double-click to run it. When the tool opens click Yes to the disclaimer.
  2. Press the Scan button.
  3. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Addition.txt logs to your reply and Follow this topic to get notified when an expert has replied. Click "Reveal Hidden Contents" below for details.

Note: If you are unable to attach files, please copy and paste the contents of the requested files in your reply instead.


To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


 

After posting your new post, make sure you click the Follow button near the top right of this page, and select the option "An email when new content is posted" so that you're alerted by email when someone has replied to your post.



Please Note the Following:

  • One of our expert helpers will give you one-on-one assistance when one becomes available.
  • Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help
  • If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.

IMPORTANT

  • If you click the Clean button all items listed in the report will be removed.

If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).


===

Reset Chrome...
Open Google Chrome and click on the menu icon (the 3 vertical dots) located at the top right side of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
<<<>>>

Please post the logs and let me know if the problem persists.

fixlist.txt


Hello and thank you very much for assisting me.

I have done as you instructed, twice. The first time I rebooted the computer in safe mode and ran the software as instructed and reset the browser. The second time I followed your instructions while started in normal mode. I disconnected from the Internet both times. I have attached the logs from both runs. Fixlog.txt is from the first run in safe mode with Internet disconnected, Fixlog_2.txt is from the second run in normal boot, Internet still disconnected.

I ran AdwCleaner in safe and normal modes, same result. (Log-files AdwCleaner[S03] and AdwCleaner[S04])

Upon starting the computer today, the Chrome.lnk was again altered, problem persists. Chrome.lnk was altered to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://hao.169x.cn/?v=108

I don't know what to do to get rid of this annoying thing...you have any other ideas you want to try?

Thanks in advance!

Fixlog.txt

Fixlog_2.txt

AdwCleaner[S03].txt

AdwCleaner[S04].txt


Hi,

Please run the Farbar program and check the box to include the Shortcuts list.

Post the FRST.txt log for my review.

 


Ok, I ran the Farbar with all options selected instead (with all apps closed, and Internet disconnected), I attached the new reports here. Note that I have changed the Chrome.lnk by hand since I don't want the hao-link to pop every time I restart. I am using the command --pinned-tab-count 4, along with the URLs I wish to start Chrome with. But this is reset every 4 hours or so by the malware to the earlier mentioned link. 

Thank you in advance! :)

 

Shortcut.txt

Addition.txt

FRST.txt


Hi,

This is the culprit.

ShortcutWithArgument: C:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108

Delete this .lnk: C:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

Restart the computer normally.

How is it now?

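The FRST Shortcut.txt line above is the kind of finding that is easy to miss by hand, because the same shortcut exists in several places (Start Menu under ProgramData, the user's Start Menu, Quick Launch, the pinned taskbar folder, both desktops). The following PowerShell script is an added example, not code from the thread, from FRST or from Malwarebytes: it reads every .lnk in those locations through the WScript.Shell COM object and flags browser shortcuts whose Arguments field carries a URL, which is exactly what a clean Chrome shortcut never has. The list of folders, the list of browser binaries and the optional -Fix behaviour are assumptions of this example.

```powershell
# Added example, not from the thread or from FRST/Malwarebytes: list every
# browser shortcut (.lnk) in the common shortcut locations and flag the ones
# whose Arguments field carries a URL, which is how this kind of hijack works.
param([switch]$Fix)   # -Fix clears the Arguments field on flagged shortcuts
$ErrorActionPreference = 'SilentlyContinue'

# Locations: the two named in the thread plus the other places FRST's
# Shortcut.txt covers. Assumed list; extend it as needed.
$roots = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",   # includes User Pinned\TaskBar
    "$env:PUBLIC\Desktop",
    [Environment]::GetFolderPath('Desktop')
)
$browsers = 'chrome.exe', 'firefox.exe', 'iexplore.exe', 'msedge.exe', 'opera.exe'

# WScript.Shell parses the .lnk format for us (target, arguments, working dir).
$shell = New-Object -ComObject WScript.Shell

function Get-ShortcutInfo {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter *.lnk -Recurse -File | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Path      = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Modified  = $_.LastWriteTime   # correlate with the rewrite times seen in the thread
            }
        }
    }
}

# A clean browser shortcut has an empty Arguments field. Anything passing a URL
# is flagged; a deliberate "--pinned-tab-count 4 <urls>" setup like the poster's
# shows up too, so review the list rather than trusting it blindly.
$hijacked = Get-ShortcutInfo -Paths $roots | Where-Object {
    $name = [IO.Path]::GetFileName("$($_.Target)").ToLower()
    ($browsers -contains $name) -and ($_.Arguments -match 'https?://')
}

$hijacked | Sort-Object Modified -Descending | Format-Table -AutoSize Modified, Path, Arguments

if ($Fix) {
    foreach ($h in $hijacked) {
        # Clear the arguments instead of deleting the file so the icon, working
        # directory and taskbar pin survive. ProgramData shortcuts need admin.
        $lnk = $shell.CreateShortcut($h.Path)
        $lnk.Arguments = ''
        $lnk.Save()
        Write-Host "Cleared arguments on $($h.Path)"
    }
}
```

Run it without -Fix first and keep the output: the Modified timestamps tell you when each copy was last rewritten, which is the detail needed in the later posts to decide whether the rewrite lines up with logon or with a recurring interval. Clearing arguments only removes the symptom; whatever rewrites the shortcut still has to be found.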

Removed the file at C:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk. 
Then restored the original Chrome.lnk to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe", emptied out history and reset Chrome under Advanced settings.
I then rebooted the computer in normal mode and ran ADWCleaner.

All seemed fine until 12.44 (my local time), when the Chrome.lnk file at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk was reset again to:  "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" hxxp://hao.169x.cn/?v=108

The file you mentioned earlier is deleted and does not come back. But the Chrome.lnk changes back.

So the problem seems to persist. Can I search for something, how do we find the string in hiding?

Edited by Chrizze
Added some extra information



Hi,

It could be a syncing issue.
Are you syncing Chrome with other devices?
To remove it you will have to reset the sync in Chrome.

Read this article and proceed.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/
<<<>>>

Restart the computer normally.

Again, remove the file at C:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk.
Then restore the original Chrome.lnk to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

Restart the computer normally to reset the registry.

How is it now?


 


Thanks.

I have reset the sync, and have now turned it off completely. The file C:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk was removed earlier, and does not "spawn" again. But the original C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk was again changed at 19:46 (local time).

I have now logged out of Chrome, reset it, and emptied out cache etc. I have also run Malwarebytes and ADWCleaner again, but found nothing. I will wait until tomorrow and see if the original Google Chrome.lnk changes again tomorrow. I will boot my computer offline tomorrow to see if the problem sits in the system, or if it is synced from somewhere.

I will run the Farbar again tomorrow, and send you the report files again. I really hope I don't need to wipe the computer and re-install again.

All your help is much appreciated! :)


So, today I booted up my computer at 08:54 (local time) with all network physically disconnected from it, so it could not communicate with anything.

Upon logging into Windows, the file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk was again changed at 08:54 (local time). This confirms that the issue is within the system. Prior to this, I have turned off all syncing and logged out of Chrome and reset it. I also ran ADWCleaner with the "basic repair", but unfortunately it did not detect the issue.

In my GIT manager, it says that the file was changed by admin account (not specific). And it changed upon booting the computer up, which leads me to think it runs at startup or is a service of sort. I have attached a fresh Farbar report, I ran it with all things checked while computer was still disconnected.

The malware is still persistent and active, it copies the file Google Chrome.lnk  to the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\, replacing the existing one, I think.

FRST.txt

Addition.txt

Shortcut.txt

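The offline test in the post above is the right experiment: a shortcut rewritten at logon with no network attached, and then again every few hours, points at a local autostart (a Run key, a scheduled task with a logon trigger and a repetition interval, a service, or a WMI event consumer) rather than at browser sync. The script below is an added example, not from the thread and not part of FRST, AdwCleaner or Malwarebytes. It enumerates the common persistence locations and flags entries whose command line mentions an indicator string, whose referenced script file contains one (the rewrite is usually done by a small .vbs/.bat/.ps1 rather than by the task entry itself), or that simply launch a script host and deserve a manual look. The indicator list (taken from the URL and file name in this thread), the script-host list and the set of locations are assumptions of this example; Get-ScheduledTask needs Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the thread: hunt for the autostart entry that keeps
# rewriting Google Chrome.lnk. Indicators default to the strings seen in the thread.
param([string[]]$Indicators = @('hao.169x.cn', 'hao123', 'Google Chrome.lnk'))
$ErrorActionPreference = 'SilentlyContinue'

# Collect autostart entries as (Source, Name, Command) objects.
$entries = New-Object System.Collections.Generic.List[object]
function Add-Entry([string]$Source, [string]$Name, [string]$Command) {
    if ($Command) { $entries.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command }) }
}

# 1. Run / RunOnce keys for the machine and the current user (plus the 32-bit view).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { Add-Entry $key $_.Name "$($_.Value)" }
    }
}

# 2. Winlogon Shell/Userinit, a classic place to append a second program.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Add-Entry 'Winlogon' 'Shell'    $wl.Shell
Add-Entry 'Winlogon' 'Userinit' $wl.Userinit

# 3. Scheduled tasks: every action's executable plus arguments. A rewrite at
#    logon and then every 2-4 hours is the shape of a logon trigger with a
#    repetition interval, so this is the first list to read carefully.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        Add-Entry "Task $($task.TaskPath)" $task.TaskName ("$($a.Execute) $($a.Arguments)").Trim()
    }
}

# 4. Services and their binary paths.
Get-CimInstance Win32_Service | ForEach-Object { Add-Entry 'Service' $_.Name $_.PathName }

# 5. WMI permanent event consumers, which survive reboots and escape most scanners.
foreach ($cls in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
    Get-CimInstance -Namespace root\subscription -ClassName $cls | ForEach-Object {
        Add-Entry "WMI $cls" $_.Name ("$($_.CommandLineTemplate)$($_.ScriptText)")
    }
}

# 6. Startup folders: anything here runs at logon, shortcut or script alike.
foreach ($dir in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") {
    Get-ChildItem $dir -File | ForEach-Object { Add-Entry 'StartupFolder' $_.Name $_.FullName }
}

# Flag: (a) an indicator in the command line, (b) an indicator inside a script
# file the command line points to, or (c) a script host being launched at all.
$pattern     = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'
$scriptHosts = 'wscript|cscript|mshta|powershell|cmd\.exe|rundll32|regsvr32'   # assumed list

function Test-Suspicious($e) {
    if ($e.Command -match $pattern) { return 'indicator in command' }
    foreach ($m in [regex]::Matches($e.Command, '[A-Za-z]:\\[^"<>|*?]+?\.(vbs|js|bat|cmd|ps1|hta)\b')) {
        if ((Test-Path $m.Value) -and (Select-String -Path $m.Value -Pattern $pattern -Quiet)) {
            return "indicator inside $($m.Value)"
        }
    }
    if ($e.Command -match $scriptHosts) { return 'launches script host' }
    return $null
}

$entries | ForEach-Object {
    $why = Test-Suspicious $_
    if ($why) { $_ | Add-Member -NotePropertyName Why -NotePropertyValue $why -PassThru }
} | Format-Table -AutoSize Source, Name, Why, Command
```

Run it from an elevated prompt so the HKLM keys, all task folders and the root\subscription namespace are readable. The point of flagging script hosts even without an indicator hit is that the payload may be obfuscated or may download the URL at run time, so the string you are looking for need not appear anywhere on disk; a task or Run entry that starts wscript.exe or powershell.exe with an unfamiliar file is what to inspect and, once confirmed, what an FRST fixlist should remove alongside the shortcuts.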

Hi,

Please repeat the instructions in post no. 11.

Make sure you execute all the instructions as listed.

Make sure you restart the computer normally.

Do not re-sync Chrome just yet.
Wait until all is well with this computer then in a day or two re sync if you need.


I don't understand. I did follow that instruction to the letter, reset Chrome and turned off sync completely. I can't do another reset of sync, because it is no longer enabled on this device, I am not even logged into Chrome.

I did restart the computer normally, and cleared all cache etc. But the malware reset the file automatically even when the computer was offline, no Internet or network available. It now gets reset multiple times a day, about every 2 hours in the morning, and every 4 hours in the afternoon/evening. Resync is going to be disabled until problem is resolved.

Thankful for all help! :)

(I will try the steps in post #11 once more later today, and send results tomorrow)


Hi,

Before you reset the Sync make sure that the issue is cleared.


The problem still persists. I have reset sync, it is completely off now. I did follow the given instructions and even went through them twice. And even though the computer is booted and logged into in normal mode, but without network connection, the Google Chrome.lnk still changed to contain the malicious ref-link to Hao123.

I'm attaching the reports from Farbar, do you need any other reports from any other tools? :)

Both Malwarebytes and ADWCleaner came up empty. I removed Zemana, because it only sees the Chrome link but not the real problem.

Addition.txt

FRST.txt

Shortcut.txt


Hello again,

Nothing seems to work at all, all efforts have been fruitless. The link keeps resetting every day, regardless of being offline or online, even with sync off. 
I have no other option but to completely reset my computer, and re-install everything from scratch again. Maybe I should send an invoice/bill to Hao123 for this?

Thanks for all your help anyway.

Have a nice day! :)


Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

p.s.
The fix will remove these two shortcuts.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk


C:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\chrome.lnk

After the restart please DO NOT create a new shortcut.

When all is well you can create a new one as you like.

fixlist.txt


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
