Here's the puzzle,

1. The intro page of my Gmail account is in Chinese or some other Asian characters - but the inbox etc are in English. 

2. On any other computer there is no Chinese intro on my Gmail, it's only on one computer; Windows 10 

3. Gmail and browser language is set to English and the computer is English (only).

4. On the infected computer the Chinese intro appears in Edge and in Chrome browsers; so it is limited to one computer and not browser dependent.

5. Malwarebytes free does not find any malware and neither does Windows Defender.

Does anyone have any suggestions on how to find and get rid of the hack?

Thanks very much

RichardHC


Hi Kevin80,

No, that doesn't help. Checking the language settings was one of the first things I did and it is set to English. Only.

Important: The Chinese characters ONLY appear on the select an account and login page. The mailbox is in English as it was before.

And,  if I had the language settings wrong anywhere - why would this problem be on any browser on only one computer and not any other computer? 

That's the Chinese Puzzle.

🤔


Thanks Kevinf80.  I tried your suggestion and it worked!   

But when I logged out of gmail and logged in again it was in Chinese again.

The scary part of the Chinese puzzle is:

1. How did it get changed to Chinese in the first place and then change back again? I didn't do it.

2. What would a hacker want to know? The login name and password.

I used my cell phone to change the password on my google account but am afraid to use my working computer for my email until I find out what's going on - and why Malwarebytes and Windows Defender are not finding any malware.

Any idea how the hack could operate or how it could be found?


Hiya richardhc,

This is an odd one for sure. I never use Chrome personally but do have it on my PC. I loaded Chrome and have searched through all of its settings, also in GMail, and have not found anything obvious to attribute the rogue setting like yours.

One problem I found doing a Google search did suggest your IP being used by GMail to attribute your default language. Are you possibly using any VPN software?

Run the following diagnostic scan to see if anything obvious shows in the produced logs:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... Right click on FRST/FRST64 and rename it to FRSTEnglish/FRST64English if English is not your primary language.
 
  • Double-click to run it. When the tool opens click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans".
  • Press the Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The tool will also make a log named Addition.txt. Please attach that log to your reply.


Thank you,

Kevin

OK, I'll give it a try. I don't use Chrome either - I use Vivaldi (love it) - but tried Chrome and Edge to see if there was any difference there.

I do use a VPN at times (Astril) but the first time I noticed the Chinese characters it was connected to a US server. I turned it off, deleted all Gmail and google cookies and still got the same characters.

As I said, using another Win10 computer with the same software (including Astril) the Chinese characters don't appear.

And they don't appear on any other web page either. Only the Gmail select account and login - not on the email account once logged in.

And English is the computer default.

Not sure Farbar will show anything useful unless it will detect malware hidden in a registry setting; I thought Malwarebytes would discover the problem. But I'll give it a try. Meanwhile I changed my gmail password and am not using that computer to access my email until I either do a fresh complete reinstall of Win10 or find another antivirus that does detect the problem.

Thanks for your help,

Richard


Hiya richardhc,

Thanks for those logs, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE: It's important that both files, FRST or FRSTEnglish and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The system will be rebooted after the fix has run.

Next,

Please download the correct portable version (32-bit or 64-bit) of RogueKiller for your system and save the file to your computer Desktop.
 
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, click on Results button. NOTE: DO NOT delete any found entries. All listed entries will be carefully analyzed.
  • Then click on Report button.
  • Click Export button and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Copy and paste the entire contents of that log into your next reply.


Let me see those logs in your reply...

Thank you,

Kevin...

fixlist.txt


Hi KevinF80,

Did as you instructed and the log files are attached.

- I copied the "fixlist.txt" file to the USB key where I had installed FRST portable.
- I ran FRST with the "Fix" button checked.
- Obtained log "Fixlog.txt" (attached).
- Downloaded RogueKiller and ran it.
- While it ran (quite a long time), I got a message from my other antivirus (Avast) telling me it had found a bit of malware called "IDP.ALEXA.53" (see attached screen shot). I clicked "Move to virus chest", whereupon RK finished its scan (see attached screen shot).
- Clicked the "Report" button, then "export as text file". This generated "RKlog.txt" (attached).

Capture avast.jpg

Capture Rogue.jpg

Fixlog.txt RKlog.txt


On 4/7/2021 at 7:56 PM, kevinf80 said:

Do you know what this software is, why it's installed etc.? HKCU\Software\APN PIP

Hi Kevinf80, No I don't know what it is. I searched it and found an older Malwarebytes forum post on it recommending to clean the computer with Malwarebytes AdwCleaner. I'll give that a try. 

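The two system-level leads in this thread, Kevin's question about the IP/VPN route and the HKCU\Software\APN PIP key he spotted in the FRST log, can both be checked directly. The PowerShell triage script below is an added example and is not part of the original thread, nor code from FRST, RogueKiller, AdwCleaner or any other tool mentioned here. It assumes Windows 10 with the built-in DnsClient module and an elevated (Administrator) shell, and it is read-only: it only lists the per-machine, browser-independent locations (hosts file, WinINET and WinHTTP proxy, per-adapter DNS servers, registry-pushed Chrome/Edge policies and force-installed extensions, the APN PIP key, and the Run/RunOnce keys) whose contents could make one site behave differently in every browser on one computer while other computers are unaffected. The registry paths are the real Windows, Chrome and Edge locations; nothing is changed.

```powershell
# Added read-only triage example (not from the thread or any tool it names).
# Run in an elevated PowerShell on Windows 10. Run it on the affected machine AND on a
# clean machine that shows the normal English login page, then compare the two outputs.

# Missing cmdlets or absent keys should not abort the listing, so suppress errors.
$ErrorActionPreference = 'SilentlyContinue'

function Show-Section($title) { Write-Host "`n=== $title ===" }

# 1. hosts file: an entry for a Google/Gmail host affects every browser on this machine.
Show-Section 'hosts file entries (non-comment lines)'
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }

# 2. Per-user WinINET proxy: Edge, Chrome and other Chromium browsers follow it by default.
Show-Section 'WinINET proxy settings (HKCU)'
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL, ProxyOverride | Format-List

# 3. System-wide WinHTTP proxy (used by services, not browsers, but worth comparing).
Show-Section 'WinHTTP proxy'
netsh winhttp show proxy

# 4. DNS servers per adapter: a changed resolver is a classic "only this machine" cause.
Show-Section 'DNS servers per adapter'
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# 5. Browser policies pushed through the registry. Adware uses these to set a proxy,
#    change locale-related settings or force-install an extension without user consent.
Show-Section 'Chrome / Edge policy keys (HKLM and HKCU)'
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
)
foreach ($root in $policyRoots) {
    if (Test-Path $root) {
        Write-Host "-- $root"
        Get-ChildItem $root -Recurse | ForEach-Object { $_.Name }
        Get-ItemProperty $root | Select-Object * -ExcludeProperty PS* | Format-List
    }
}

# 6. Force-installed extensions survive removal from the browser's own extensions page.
Show-Section 'ExtensionInstallForcelist'
foreach ($root in $policyRoots) {
    $forceList = Join-Path $root 'ExtensionInstallForcelist'
    if (Test-Path $forceList) {
        Write-Host "-- $forceList"
        Get-ItemProperty $forceList | Select-Object * -ExcludeProperty PS* | Format-List
    }
}

# 7. The key flagged in this thread's FRST log.
Show-Section 'HKCU\Software\APN PIP'
if (Test-Path 'HKCU:\Software\APN PIP') {
    Get-ChildItem 'HKCU:\Software\APN PIP' -Recurse | ForEach-Object { $_.Name }
    Get-ItemProperty 'HKCU:\Software\APN PIP' | Select-Object * -ExcludeProperty PS* | Format-List
} else {
    Write-Host 'not present'
}

# 8. Autostart entries that could re-apply a setting after a reboot or a cleanup.
Show-Section 'Run / RunOnce entries'
@(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
) | ForEach-Object {
    if (Test-Path $_) {
        Write-Host "-- $_"
        Get-ItemProperty $_ | Select-Object * -ExcludeProperty PS* | Format-List
    }
}
```

Any line that differs between the affected machine and the clean one (a non-empty ProxyServer or AutoConfigURL, an unexpected DNS server, a policy key that the user never set, a force-installed extension ID) is the thing to copy into the forum reply alongside the FRST logs, since it explains a symptom that is tied to one computer but not to one browser. Turning the VPN off, as Richard did, only rules out the IP-based route; these entries are what remains.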

Let me see the log from AdwCleaner when the scan is done...

Next,

Run FRST one more time; ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan and, when done, post the new logs: "FRST.txt" and "Addition.txt".


Thank you.....


I ran AdwCleaner and TDSSKiller as recommended on the bleepingcomputer.com forum and after rebooting the Chinese Connection was gone and the Gmail login page in English, as normal.

I'm attaching the log files. 

I don't suppose there's any way of knowing how the computer got infected, but I'm assuming, now that the malware is gone, the computer is OK to use and won't infect any other computer.

Thanks for your help,

Richard

Addition.txt AdwCleaner[S00].txt


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
