3

Since yesterday, most users in our region and, as far as I know, many other people have been receiving a lot of link redirections. Most of these redirections go to the adfoc.us website. The redirection happens after going to a page (not exactly as you go to the page), and the new URL has no "Back" button.
I understand that URLs which haven't been visited yet are redirected to adfoc.us, so if we visit URL A and see the adfoc.us advertising once, we won't see it again if we go to URL A again.

What is the problem and how can I fix it? I use Windows 7 and Google Chrome browser and tried these:

  • Scanning my whole drive for viruses and other malware
  • Disabling plug-ins and extensions
  • Clearing DNS cache and other caches
  • Using different DNS servers

Redirection example:
Original URL: http://isthisretina.com/
Redirected URL: http://adfoc.us/serve/?id=25497650908175

I also tried to ping pages I had never visited before, like linuxmint.com. Here are the results:
Linuxmint.com: [213.175.215.218] Packets: Sent = 33, Received = 33, Lost = 0 (0% loss)
comodo.com: [91.199.212.176] Packets: Sent = 33, Received = 33, Lost = 0 (0% loss)

Also note that these redirections stopped 3 hours ago, and I don't know whether it is only for me or whether they stopped for other users too.

Amirreza Nasiri
  • Which region/ISP? – Journeyman Geek Nov 25 '14 at 05:01
  • 1
    I have it in Sweden too. It began two days ago. I'm only using Mac software/hardware. I can't understand why this is happening. Any suggestions for a fix would be very helpful. –  Nov 25 '14 at 04:52
  • 1
    This happens in Italy too. It is happening on both mobile and desktop chrome browser, as far as I know. I tried this in 2 different networks. I thought it could've been ISP related, but since it is going on abroad, too... I am at a loss – Stark Nov 25 '14 at 04:44
  • As I said, this problem occurs almost everywhere. But I'm in Iran and use local ISPs. – Amirreza Nasiri Nov 25 '14 at 07:40
  • Could you try to do a DNS lookup on a domain you certainly haven't visited so far? Write down the results, then try visiting that domain. If the redirects happen, you've got a domain for comparison with others. Just some examples you could try: frankfurt.de berlin.de munich.de comodo.com linuxmint.com eff.org – Mario Nov 25 '14 at 08:33
  • Also, does the problem happen with other browsers? Internet Explorer for example? – Mario Nov 25 '14 at 08:34
  • I too saw this problem in New Zealand. I was using Chrome and one in about three pages were redirected to adfoc.us for about 15 minutes. I tried to see if I could repeat the issue in Safari (I'm using OS X 10.9). But I'm not sure if the problem disappeared before I started using Safari. – Matthew Walker Nov 28 '14 at 23:45
  • 1
    Further, I saw that the DNS addresses in the router I was using had been changed (read hacked). The primary address had been set to 94.249.192.82. The secondary address was set to the original primary address (8.8.8.8). The router is a TP-Link ADSL2+ Router. – Matthew Walker Nov 28 '14 at 23:50
  • As @Mario suggested, I did a DNS lookup on frankfurt.de, a site I'd never visited. I'm not sure if I did this after the "redirection" had stopped. $ nslookup frankfurt.de ;; Got recursion not available from 94.249.192.82, trying next server Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: Name: frankfurt.de Address: 62.96.236.95 – Matthew Walker Nov 28 '14 at 23:53
  • 1
    The last redirection before it stopped took me to www.aliexpress.com rather than adfoc.us. – Matthew Walker Nov 29 '14 at 00:01
  • And finally, it appeared that content might also have been injected into our WordPress site; this stopped at about the same time the redirection stopped. – Matthew Walker Nov 29 '14 at 00:02
  • @MatthewWalker Sounds similar to some worm/botnet being active right now. Better also check your WordPress installation for new/unknown (admin) accounts. – Mario Nov 29 '14 at 08:09
  • In case this is useful to others, I moved the Mac laptop to another wifi network and I'm still experiencing similar issues, so the problem is not limited to the DNS settings on the router. Opening the top ten links for "adfoc.us popup" in Google sends me to adfoc.us for three of the ten pages in Chrome, but when doing the same thing in Safari no page redirects occur. – Matthew Walker Nov 30 '14 at 06:57
  • The three pages that were redirecting had "waiting for adultcameras.info" in the status bar at the bottom of Chrome when the about-to-be-redirected page had almost finished loading. Looking at Chrome's Developer Tools indicated that when the redirection didn't occur it was because adultcameras.info was not returning a response. I used Settings > Advanced Settings > Reset Settings to return Chrome to its factory default settings. Reloading the same ten pages showed that none were attempting to communicate with adultcameras.info. Thus this seems to be the answer. – Matthew Walker Nov 30 '14 at 07:27
  • @MatthewWalker what do you think about the settings? which of them may cause this problem? – Amirreza Nasiri Nov 30 '14 at 10:51
  • @AmirrezaNasiri I'm sorry but I can no longer analyse this as the use of Reset Settings seems to have completely removed the problem. I too would be interested to know what settings had been compromised. I can say that before I used Reset Settings I tried clearing all but Google from the Settings > Search > Manage Search Engines. That had no effect. – Matthew Walker Nov 30 '14 at 21:49
  • @AmirrezaNasiri Further, before resetting there was only one extension in Chrome, Google Docs 0.7. I doubt this was the problem. – Matthew Walker Nov 30 '14 at 21:55
  • @MatthewWalker I have this extension (v 0.7) too. Let's see if other people have this extension or not. – Amirreza Nasiri Nov 30 '14 at 22:36
  • @AmirrezaNasiri Chrome on my work laptop (Windows 7) has Google Docs 0.7 installed too. I've just run the same test (the top ten pages returned for "adfoc.us popup") on my work laptop that I ran on the Mac and none of the pages redirected to adfoc.us. I think that eliminates any concerns regarding the Google Docs extension. – Matthew Walker Nov 30 '14 at 22:42

3 Answers

1

Google helped me: Some pages in Chrome always redirect to ransom page at http://system-check-fyeltkhn.in

Your router has been hacked, and you need to fix your DNS and upgrade the firmware.

Stark
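The check implied by this answer and by the router state reported in the comments (primary DNS changed to 94.249.192.82, original 8.8.8.8 kept as secondary), as an added example that is not part of the original answers: it parses `ipconfig /all` or `/etc/resolv.conf` text and flags any resolver outside an allowlist. The allowlist, the 192.168.1.1 router address and the sample text are assumptions made for the example.

```python
import ipaddress
import re

# Resolvers the owner configured on purpose (assumption for this example):
# Google public DNS from the thread, plus a router assumed to sit at 192.168.1.1.
EXPECTED = {"8.8.8.8", "8.8.4.4", "192.168.1.1"}

def _ip(text):
    """Return text as a normalised IP string, or None if it is not an address."""
    try:
        return str(ipaddress.ip_address(text.strip().split("%")[0]))
    except ValueError:
        return None

def dns_servers(config_text):
    """Extract resolvers, in order, from `ipconfig /all` output or resolv.conf."""
    servers, in_dns_block = [], False
    for line in config_text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:                                           # resolv.conf entry
            candidate = _ip(m.group(1))
        elif re.match(r"\s*DNS Servers[ .]*:", line):   # ipconfig: first server
            candidate, in_dns_block = _ip(line.split(":", 1)[1]), True
        else:                                           # ipconfig: continuation line
            candidate = _ip(line) if in_dns_block else None
            in_dns_block = candidate is not None
        if candidate and candidate not in servers:
            servers.append(candidate)
    return servers

def audit(config_text, expected=EXPECTED):
    """Return (position, address) for each resolver outside the expected set."""
    return [(pos, ip) for pos, ip in enumerate(dns_servers(config_text), 1)
            if ip not in expected]

# Constructed sample: the router state reported in the comments (rogue primary).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 94.249.192.82
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_RESOLV = "# constructed sample\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n"

if __name__ == "__main__":
    for position, ip in audit(SAMPLE_IPCONFIG):
        print(f"unexpected resolver #{position}: {ip}")
```

Position 1 is the resolver that gets asked first, so a familiar secondary such as 8.8.8.8 does not make the configuration safe. If the client lists only the router's own address, the upstream DNS fields in the router's admin page need the same comparison.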
0

There are three things you can do.

Try another browser. If that doesn't work, try using a different DNS, such as a public DNS like 8.8.8.8 or 8.8.4.4, or use a VPN service with your browser, like Zenmate (Zenmate is a plugin for Chrome).

Are all of the people using the same ISP as yours?

Kunwar
  • Redirection happens if there's a server in between altering DNS requests or if the DNS itself is redirecting you. DNS is the server which converts the URL into the server IP or helps locate the server. – Kunwar Nov 24 '14 at 21:24
  • No, they don't. I tried Google's public DNS before and even other browsers, but no result. I really have no idea what is going on. – Amirreza Nasiri Nov 24 '14 at 21:31
  • Okay try using Zenmate... also can you paste a trace route to that website and a screen shot of what you are getting with URL so that I can test things on my end to see if I can help you with this. – Kunwar Nov 24 '14 at 21:33
  • Ok, I edited the question. – Amirreza Nasiri Nov 24 '14 at 22:00
0

Check both extensions and plug-ins to see whether any recently installed plug-in is causing the issue.

To delete any extension follow the below path:

Chrome menu icon > More tools > Extensions > delete extensions

To disable unwanted plugins, go to chrome -- plugins and disable them.

BDRSuite
  • As I said, I tried doing this and it's not ONLY my problem. I know a lot of people who have had this problem since yesterday or two days ago, so I think this problem cannot be caused by a single plugin. – Amirreza Nasiri Nov 24 '14 at 22:01
  • 1
    @AmirrezaNasiri Just because others have that problem as well doesn't mean it's nothing on your local PC. It might be some hijacker hiding itself using rootkit technology. Possibly distributed through some local news site that got hijacked or similar. – Mario Nov 25 '14 at 08:37
  • @Mario the problem is going wider. Now a lot more people have this problem all over our country and, as far as I know, in other countries too. Is it possible that the problem is with the modems? I mean, the problem is not from our system, DNS and the servers, so I think this is from the modems' firmware, which changed for most users at a specific time! Or something similar. – Amirreza Nasiri Nov 25 '14 at 21:08