
Jan 2, 2015

Web Browser Got Hijacked by www.2345.com

I rarely write a blog these days due to my busy family life. So, this would be my first blog for 2015, and it is not related to programming. Yesterday I ran into a very annoying problem. I am not sure when it happened because this is on my parents' PC, but whenever I start a web browser (IE and Chrome), it always redirects me to www.2345.com.

I knew the homepage was hijacked, but how! Most likely my parents accidentally installed something when they were looking at some Chinese website. I just wanted to get rid of it. To ensure the PC wasn't infected with any viruses, I ran the typical MS Security Essentials and IObit Advanced SystemCare to see if the issue could be removed automatically. None of these tools fixed it.

After Googling a bit, I found that YAC has a guide on how to manually fix it. I even installed YAC, but it didn't fix the issue.

I suspected a Windows service or some installed Chinese software was causing it. After digging around and trying to uninstall a number of toolbars and Chinese software, not only did it not fix the problem, I noticed additional software had been installed.
I found the following in c:\Users\MyUserName\AppData\Roaming after sorting the folders by creation date:

eCyber
Carefree
cleanvd
ËÙÀËÊäÈë·¨ (probably in Big 5 encoding; the mis-encoded name decodes as 速浪输入法)
ÌìÌìÐÇ×ùÔ˳Ì (same mis-encoding; decodes as 天天星座运程)

In addition, I found these suspicious folders:
SuLang
kunlun
kusuInput

Afterward, something did change after I restarted my computer. I noticed a Chinese Pinyin (速浪输入法) input keyboard running on my system. In addition, there is a file called SogouPinyin.local (related to 搜狗拼音输入法) sitting in my c:\Users\MyUserName\AppData\Roaming, and this is what the file contains:


[inst]
update_1231.exe=1420148229
Browser_V4.0.3214.0_r_4332_(Build14122211)_1419958802.exe=1420161108
hkyl_yls_hk2014_201lm.exe=1420161121
install1557915.exe=1420161125
jKAVSETUPS_60_307927.exe=1420161149
ksimekusu_zhim_012.exe=1420161155
setup_13b4.exe=1420161169
zhezi_setup_ZFBE.exe=1420161178
setup_90_34533.exe=1420176913

[config]
land=1420148229
last=lnk=1;44=1;img=1;ins=1;mh=1;hp=http://url.cn/QnWnpG;hp2=http://www.2345.com/?26189;

It is definitely something related to the issue that I am facing. In fact, looking at all these weirdly named .exe files, it seems very suspicious, and the computer looks infected with malware. I am not sure how this configuration file is accessed, but it is likely used when the input keyboard is initialized. So I removed the Chinese input.
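As an added example (not from the original post), here is a small Python script that parses the [inst]/[config] content quoted above, turns the Unix timestamps in the [inst] section into UTC dates so the order of the installers is visible, and reports any hp/hp2 homepage entry whose host is not in a list of hosts you expect. The embedded sample is the file content from the post; the allowed-host list is an assumption to be replaced with your own homepage.

```python
import configparser
from datetime import datetime, timezone
from urllib.parse import urlparse

# The SogouPinyin.local content quoted in the post (copied from the post, not constructed).
SAMPLE = """[inst]
update_1231.exe=1420148229
Browser_V4.0.3214.0_r_4332_(Build14122211)_1419958802.exe=1420161108
hkyl_yls_hk2014_201lm.exe=1420161121
install1557915.exe=1420161125
jKAVSETUPS_60_307927.exe=1420161149
ksimekusu_zhim_012.exe=1420161155
setup_13b4.exe=1420161169
zhezi_setup_ZFBE.exe=1420161178
setup_90_34533.exe=1420176913

[config]
land=1420148229
last=lnk=1;44=1;img=1;ins=1;mh=1;hp=http://url.cn/QnWnpG;hp2=http://www.2345.com/?26189;
"""

def parse_local_file(text):
    """Return (installers, settings): installers is a time-sorted list of
    (exe name, UTC datetime); settings is the ';'-separated 'last' value as a dict."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # keep the original case of the .exe names
    cp.read_string(text)
    installers = sorted(
        ((exe, datetime.fromtimestamp(int(ts), tz=timezone.utc))
         for exe, ts in cp["inst"].items()),
        key=lambda pair: pair[1])
    settings = {}
    # 'last' is itself a key=value list; the first '=' was consumed by configparser.
    for item in cp["config"].get("last", "").split(";"):
        if "=" in item:           # skips the empty field after the trailing ';'
            key, value = item.split("=", 1)
            settings[key] = value
    return installers, settings

def homepage_overrides(settings, allowed_hosts=("www.google.com",)):
    """Map each hp* key whose URL host is not in allowed_hosts (an assumed list;
    put the homepage you actually use here) to that host."""
    hits = {}
    for key, value in settings.items():
        if key.startswith("hp") and value.startswith("http"):
            host = urlparse(value).hostname or ""
            if host not in allowed_hosts:
                hits[key] = host
    return hits
```

The first timestamp (update_1231.exe) matches the `land` value in [config], and the remaining installers all land within a few hours of it, which is the kind of timeline worth comparing against the folder creation dates mentioned above.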


In addition, I manually deleted the AppData/Roaming folders to see if these files continue to be accessed somehow. So far the system seems to be running fine.

Afterward, I manually deleted the www.2345.com link argument from the Chrome and IE shortcut icons, because they had been altered.

So far, this seems to have fixed the issue. I still have to figure out how to remove the keyboard layout entry from Windows.

This may not be a virus or malware, but it definitely can lead someone to visit unsafe web pages.