

Jan 2, 2015

Web Browser Got Hijacked by www.2345.com

I rarely write a blog these days due to my busy family life. So this is my first blog post for 2015, and it is not related to programming. Yesterday I ran into a very annoying problem. I am not sure when it happened, because this was on my parents' PC, but whenever I start a web browser (IE and Chrome), it always redirects me to www.2345.com.

I knew the homepage was hijacked, but how? Most likely my parents accidentally installed something while they were looking at some Chinese website. I just wanted to get rid of it. To make sure the PC wasn't infected with any viruses, I ran the usual MS Security Essentials and IObit Advanced SystemCare scans to see if the issue could be removed automatically. Neither of these tools fixed it.

After Googling a bit, I found that YAC has a guide on how to fix it manually. I even installed YAC, but it didn't fix the issue.

I suspected a Windows service or some installed Chinese software was causing it. After digging around and trying to uninstall a number of toolbars and Chinese programs, not only did that not fix the problem, I noticed additional software had been installed.
I found the following in c:\Users\MyUserName\AppData\Roaming after sorting the folders by creation date:

速浪输入法 (probably in Big 5 encoding)

In addition, I found these suspicious folders:

Afterward, something did change after I restarted the computer. I noticed a Chinese Pinyin (速浪输入法) input keyboard running on the system. In addition, there was a file called SogouPinyin.local (related to 搜狗拼音输入法) sitting in c:\Users\MyUserName\AppData\Roaming, and this is what the file contained:



It is definitely related to the issue I was facing. In fact, looking at all these weirdly named .exe files, it seems very likely the computer is infected with malware. I am not sure how this configuration file is accessed, but it is probably used when the input keyboard is initialized. So I removed the Chinese input method.

In addition, I manually deleted the AppData\Roaming folders to see whether these files would continue to be accessed somehow. So far the system seems to be running fine.

Afterward, I manually deleted the www.2345.com URL argument from the Chrome and IE shortcut icons, because they had been altered.
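The two checks above (shortcut arguments and recently created folders under AppData\Roaming) can be scripted. The following PowerShell is an added example, not code from the original post: it lists every .lnk whose arguments contain a URL (a clean browser shortcut has none; the hijacked ones carried www.2345.com after the executable), shows the IE Start Page registry value as one more place a homepage hijack hides, and lists folders created under AppData\Roaming in the last 30 days. The shortcut locations, the 30-day window and the URL pattern are assumptions for this example.

```powershell
# Added example (not from the original post). Run in a normal PowerShell
# prompt on the affected machine; nothing is modified unless the cleanup
# loop near the end is uncommented.

$shell = New-Object -ComObject WScript.Shell

# Assumed locations where browser shortcuts usually live.
$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
)

$suspects = foreach ($dir in $shortcutDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        # A URL in the Arguments field is the tell-tale of this kind of hijack:
        # the target is still the real browser, but it is launched with a page.
        if ($lnk.Arguments -match 'https?://|www\.') {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
        }
      }
}

"== Shortcuts with a URL in their arguments =="
$suspects | Format-Table -AutoSize

# To clean confirmed hits, blank the arguments and save the .lnk (uncomment to apply):
# foreach ($s in $suspects) {
#     $lnk = $shell.CreateShortcut($s.Shortcut)
#     $lnk.Arguments = ''
#     $lnk.Save()
# }

"== IE Start Page (HKCU) =="
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name 'Start Page' -ErrorAction SilentlyContinue |
  Select-Object -ExpandProperty 'Start Page'

"== Folders created under AppData\Roaming in the last 30 days =="
Get-ChildItem -Path $env:APPDATA -Directory -Force |
  Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-30) } |
  Sort-Object CreationTime -Descending |
  Select-Object CreationTime, Name |
  Format-Table -AutoSize
```

The shortcut scan is deliberately not limited to chrome.exe and iexplore.exe: any .lnk that launches a program with a URL argument is worth a look, since the same trick works for other browsers. Sorting by CreationTime is what surfaced the input-method folders in this case, so the last section reproduces that view without having to click through Explorer.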

So far, this seems to have fixed the issue. I still have to figure out how to remove the keyboard layout entry from Windows.

This may not be a virus or malware, but it can definitely lead someone to visit unsafe web pages.