Firefox hijacked by hao123
Everytime i open firefox which defaulted to google.com, it prompted http://www.hao123.com/?tn=98005892_hao_pg instead, I've use malware tools and other solution provided on internet but none of that work, please assist
Обране рішення
Scan with Latest TDSSKiller. But it returns 0 threat. I ve tried a lot of malware/adware detect tools, non of them really fixed the hijacking. Then I manually scaned machine with SysInternal's Autorun(thanks's jscher2000's reminder), and deleted a lot of unwanted entries. One of them named "QVOD Shenzhen" in preload dll tab looks suspicious. It is in user\appdata folder. Can't delete that dll directly, so I renamed it to another name, then deleted the dll entry from AutoRun, and rebooted to F8 safe mode to delete the dll. [Note: if not delete the entry, the dll will be loaded in safe mode. hence prevent from deleting the dll. That explains why homepage was hijacked in windows safe mode]
rebooted to normal mode, both IE and Firefox's home pages are back to blank. that means the clean up works !
So the temp solution is to
1. try to reset home page through regular way.
2. if 1 failes, try to create a BAT file to point to firefox
3. if 2 works, then it is a shortcut hijacking
4. run TDSSKiller to see any infestation
5. if TDSSkill returns 0 threat, try to locate "qvod" dll in Appdata folder
6. run AutoRun to find any "qvod" related entries and delete
7. reboot to F8 safe mode to delete the dll.
[Note: uninstall qvod won't solve the hao-123 page hijacking]
Читати цю відповідь у контексті 👍 6Усі відповіді (14)
Is this site listed as your home page in the Options dialog? If it is, can you successfully change it or does Firefox not allow you to change it?
If Firefox will not allow you to change it, check the Windows Control Panel, Uninstall a Program, for something named SearchProtect and remove it.
If Firefox will allow you to change it, do you get the correct home page when you use either of these:
- Click the home icon on the toolbar
- Open a new window (Ctrl+n)
If you get the wrong page, it's probably an add-on. More on that in a second message.
If you get the right page, that's good. If it changes back after the next time you exit and restart Firefox, check this article: How to fix preferences that won't save (especially the part about a user.js file).
If the home page setting was correct and the home icon works fine, but the desktop icon still gives you the bad page, check to make sure your icon wasn't modified. Right-click the shortcut, choose Properties, and the Shortcut tab. The "Target" should be the following, no more, no less (for 64-bit Windows):
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
Bad extensions often are installed externally to Firefox. I suggest starting here:
Open the Windows Control Panel, Uninstall a Program. Click the "Installed on" column heading to group the infections, I mean, additions, by date. This can help in smoking out undisclosed bundle items that snuck in with some software you agreed to install. Take out as much trash as possible here.
Then, in Firefox, open the Add-ons page using either:
- Ctrl+Shift+a
- "3-bar" menu button (or Tools menu) > Add-ons
In the left column, click Extensions. Then, if in doubt, disable (or Remove, if possible) unrecognized and unwanted extensions.
Often a link will appear above at least one disabled extension to restart Firefox. You can complete your work on the tab and click one of the links as the last step.
Finally, you can "mop up" remaining issues with the scanning/cleaning tools listed in our support article: Troubleshoot Firefox issues caused by malware.
Are you able to get control of your home page?
After removing all add-ons and extensions in firefox, seting the history to "no remember history" and homepage to "blank". hao123 is still hijacking homepage.
After reseting Firefox in "help" menu, Firefox auto starts with clean homepage. But is hijacked again after normal exit of Firefox.
Reinstall Firefox doesn't help.
Enter Windows safe mode (without network). still seeing hao123 in the startup address. of cause, it can't display wihout network. But address bar's hao123 url, indicates that the homepage is hijacked. Looking at the Firefox -General tab, the homepage textbox is blank and " history" is "never remember".
IE also gets infested too. but Google chrome remains untouched.
All malware adware detectors don't find this virus. No "hao123-client", "search protected", "conduit" or "qvod" is found on machine. Regist Table, hardware virtual drivers, services are manually scaned and reviewed. Which indicated "hao123" has improved its hijack methods.
Hao123 hijack is different this time. I guess hao123 hijacks home page via modifying "last closing session URL" and "start with last session " function in Firefox. Just guessing.
I need some hints to remove this bad bug.
Thanks in advance
Hi hao123infested, could you test:
Click Home icon or Press Alt+Home or Ctrl+n Keyboard Shortcuts
This should load the home page set in Options. Do you get the correct home page or the unwanted home page?
(A) Correct
Your Firefox shortcut may be hijacked. right-click it and check its Properties to make sure the unwanted URL is not included in the Target (this is set on the Shortcut tab).
(B) Unwanted
You may have a self-hiding extension or hijacked connection setting.
(1) Self-hiding extensions are visible in Firefox's Safe Mode. That's a standard diagnostic tool to deactivate extensions and some advanced features of Firefox. More info: Diagnose Firefox issues using Troubleshoot Mode.
You can restart Firefox in Safe Mode using either:
- "3-bar" menu button > "?" button > Restart with Add-ons Disabled
- Help menu > Restart with Add-ons Disabled
Not all add-ons are disabled: Flash and other plugins still run
After Firefox shuts down, a small dialog should appear. Click "Start in Safe Mode" (not Reset).
Anything new on the Add-ons page? Either:
- Ctrl+Shift+a
- "3-bar" menu button (or Tools menu) > Add-ons
In the left column, click Extensions. Anything unexpected or suspicious on the list?
(2) You can check your connection setting here:
"3-bar" menu button (or Tools menu) > Options > Advanced > Network mini-tab > "Settings" button
The default is "Use system proxy settings" but you also can try "No proxy" to see whether that helps.
ALT-Home or homepage icon still points to "blank" page, which is my home page. So the answer is partially 'A'. Firefox icon is clean. Even start Firefox from windows start menu's "search application and file" box. Hao123 is still haunting.
I guess hao123 hijacks last session and history record in a stealth way. but some how sessionstore.js is clean.
Змінено
It's hard to think of where it's coming from if it's not in the usual places.
Are there specific factors leading you to believe it is somehow related to restoring your previous session? For example, is Restore Previous Session grayed out on the History menu? What if, after you exit Firefox, you rename sessionstore.js to sessionstore.old to prevent it from being used. Does that make any difference?
Is the problem limited to Firefox or does it occur in Internet Explorer as well (after making sure the Target is clean in its shortcut)?
Here is what I found: It is a combination of 1)shortcut hijacking, 2)unwanted backdoor, and 3)virus.
1. hao123 hijack Firefox short cut.
a) if I create a short cut from "c:\program files\Mozilla firefox\firefox.exe" , the newly created short cut is hijacked right away/ infested.
b) if I uninstall firefox and reinstall it, the shortcut created by installation package is hijacked too.
c) if I mouse double click on executable "c:\program files\Mozilla firefox\firefox.exe", the firefox window starts with hao123.
Note: in a) and b) shortcut property is clean.
But , if I create a BAT file with command [start \d "c:\program files\mozilla firefox\" firefox.exe]. Then run the BAT file, hao123 is not display as homepage.
2. infestation involved backdoor to BAIDU.com First. I block hao123 from network router, so infested firefox won't open the hao123 page, and instead with network not available page. Then use SysInternal -- TCPViewer tool to trace infested firefox. It shows that BAT file started firefox doesn't make http connections to sites at start up.(Firefox has blank home page). But hao123 infested firefox makes http requests to a list of Unknown IPs. 61.135.185.* 220.181.23.* 123.125.112.* 119.75.208.*
whois service indicates these unknown IPs belongs to Baidu.com, which owns hao123.com. These IPs doesn't related to baidu's internet search services, which use 180.76.*.* network. I assume Unknown IPs associates with hao123.com only. So I block these unknown IPs in firewall an network router.
3. virus
A folder name "QvodPlayer" is re-created in C drive after is deleted. And a function is hooking on shortcut creation api. still trying to trace down what application is behind it. Given that I don't have "hao123-client", "search protected", "conduit" or "qvod" installed, the folder and hooker are signs of virus
Temporal solution is that: 1. block hao123.com and the list of unknown IPs in firewall or Network router 2. create a BAT file with command [start \d "c:\program files\mozilla firefox\" firefox.exe] to start firefox.
Thanks jscher2000's suggestion. It is shortcut hijacking, but it is an improved version of shortcut hijacking : with backdoor and virus.
Змінено
A rootkit is a possibility; that will frustrate clean-up efforts. TDSSKiller and some others rootkit-specific cleaners are suggested in that case.
Microsoft's Autoruns tool can help by collating data from the registry, startup folders, and other areas to show what runs at startup. http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Do a malware check with several malware scanning programs on the Windows computer. Please scan with all programs because each program detects different malware. All these programs have free versions.
Make sure that you update each program to get the latest version of their databases before doing a scan.
- Malwarebytes' Anti-Malware:
http://www.malwarebytes.org/mbam.php - AdwCleaner:
http://www.bleepingcomputer.com/download/adwcleaner/
http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml - SuperAntispyware:
http://www.superantispyware.com/ - Microsoft Safety Scanner:
http://www.microsoft.com/security/scanner/en-us/default.aspx - Windows Defender:
http://windows.microsoft.com/en-us/windows/using-defender - Spybot Search & Destroy:
http://www.safer-networking.org/en/index.html - Kasperky Free Security Scan:
http://www.kaspersky.com/security-scan
You can also do a check for a rootkit infection with TDSSKiller.
- Anti-rootkit utility TDSSKiller:
http://support.kaspersky.com/5350?el=88446
See also:
- "Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked
Вибране рішення
Scan with Latest TDSSKiller. But it returns 0 threat. I ve tried a lot of malware/adware detect tools, non of them really fixed the hijacking. Then I manually scaned machine with SysInternal's Autorun(thanks's jscher2000's reminder), and deleted a lot of unwanted entries. One of them named "QVOD Shenzhen" in preload dll tab looks suspicious. It is in user\appdata folder. Can't delete that dll directly, so I renamed it to another name, then deleted the dll entry from AutoRun, and rebooted to F8 safe mode to delete the dll. [Note: if not delete the entry, the dll will be loaded in safe mode. hence prevent from deleting the dll. That explains why homepage was hijacked in windows safe mode]
rebooted to normal mode, both IE and Firefox's home pages are back to blank. that means the clean up works !
So the temp solution is to
1. try to reset home page through regular way.
2. if 1 failes, try to create a BAT file to point to firefox
3. if 2 works, then it is a shortcut hijacking
4. run TDSSKiller to see any infestation
5. if TDSSkill returns 0 threat, try to locate "qvod" dll in Appdata folder
6. run AutoRun to find any "qvod" related entries and delete
7. reboot to F8 safe mode to delete the dll.
[Note: uninstall qvod won't solve the hao-123 page hijacking]
Yes mine was completely shortcut hijacking, but google chrome didnt get infected (Impressive)!
I try all above but in the end things turn okay when i run the AutoRun & find the qvod shenzen, happen to be in my browser helper objects, i guess this how it "hijack" my browsers. Then I delete all this Qvod entries.
Yes uninstall qvod won't solve the page hijack.
Thank you so much @hao123infested!!
Hello, there is video guide how to remove hao123 <Youtube link removed> May be it will be helpful
Змінено
PCFixHelp:
This is a solved and now closed thread. Please do not advertise programs here.