Some pages in Chrome always redirect to ransom page at http://system-check-fyeltkhn.in

5

This is so weird and random that I have a problem explaining it fully. Since yesterday, those behaviors started:

Some pages in Chrome are always redirected to:

http://system-check-fyeltkhn.in/js?t=53616c7465645f5fdc73029d4884acc0f7c68721db05e546f3bd3e721e01b9b76d6dbbcf918d95a3fcf0e861ab541e81968f107a0ae2ab13

If I open the same page right now in another browser, or even in private browsing in Chrome, it works. Some websites, after some time, just stop being reachable. Even with ping. For example, Facebook. I had it open and was using it ten minutes ago, and now a tracert says

Unable to resolve target system name www.facebook.com

On Firefox it starts a search on Yahoo with the website as subject.

I have right now a stream going and it doesn't have any problem, unless I refresh the page. Disabling and re-enabling the connection seems to solve the issue for some time, on some websites.

I tried changing the DNS to Google DNS to no avail. I have the firewall on, and Avast running all time.

Let's take the example of twitch.tv, which is a website I can never reach on normal Chrome, but I can reach on private browsing Chrome and Firefox.

If I ping it, I get a timeout. If I do a tracert this is what I get:

  1    <1 ms    <1 ms    <1 ms  192.168.2.1
  2    <1 ms    <1 ms    <1 ms  192.168.1.2
  3    20 ms    19 ms    19 ms  2-234-97-1.ip222.fastwebnet.it [2.234.97.1]
  4    19 ms    18 ms    18 ms  10.6.105.66
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.

By pure chance, I disabled the Avast! Shield, and what I got was a redirection to a page that permitted me to identify the virus as a ransomware. A variation of Trojan.Ransomlock.

The page shows a fake "police" page:

Screenshot of fake police ransom page

Apparently Avast was intercepting and blocking the redirect, so what I got was "Error 324 NO DATA RECEIVED" from Chrome. Still can't explain the kind of behaviour.

I'm on Windows 7.

Duralumin

Posted 2014-07-18T16:52:17.650

Reputation: 153

Well, now when it redirects me, it's redirecting to http://law-enforcement-jjc.s1.lv/js, which makes me think more of a virus. Still, I can't find any info and my AV is drawing blanks...

– Duralumin – 2014-07-18T19:41:16.863

and back to http://system-check-zagcqrhq.in/

– Duralumin – 2014-07-18T20:05:15.303

Do you get the same issues when using a different browser? – and31415 – 2014-07-19T09:47:37.723

@Arjan It's in the system for sure, but it's quite hard to eradicate. Going to reinstall today. No, Chrome doesn't give any warning, just a 324, but I'm sure it's because of the antivirus. The problem with finding it out was because of the erratic behavior. – Duralumin – 2014-07-21T12:20:13.457

@Arjan Ah, sorry for the misunderstanding. I was sure it was a ransomware because the page I got redirected to was a fake police (Carabinieri, actually) page asking me to pay a fine. (Screenshot not mine): http://i61.tinypic.com/k4gvtk.jpg

– Duralumin – 2014-07-21T12:35:17.083

Any chance Firefox is not doing the redirect to Yahoo! when Avast is disabled? (Maybe Firefox defaults to a search when it doesn't get a response, and if so: the problem might still be with some extension ONLY in Chrome, not system wide, which then might also explain why incognito browsing is fine.) What about Internet Explorer? – Arjan – 2014-07-21T12:52:09.093

See also http://malwarefixes.com/remove-system-check-cabhpfuv/ (I don't know if that site can be trusted.)

– Arjan – 2014-07-21T12:57:22.910

@Arjan Yes, I thought the same about Firefox. IE, at least with twitch, was OK. First thing I did was remove all the extensions and reinstall Chrome. – Duralumin – 2014-07-21T13:02:02.767

"I thought the same about firefox" -- but did you try? (Also, please respond to gronostaj's answer.) – Arjan – 2014-07-21T13:50:53.547

No, I didn't try, but as I said, with Firefox the behavior is even more erratic, so it's more difficult to test. Should we move this to chat? – Duralumin – 2014-07-21T14:11:03.017

"as I said, with firefox the behavior is even more erratic" -- all I read in the question is that it redirects to a Yahoo! search, probably only if your virus scanner blocks access. If I were you, I'd want to know if it's just Chrome, or if a full system reinstall is needed... – Arjan – 2014-07-21T16:46:53.740

Even if it was only Chrome, having fully uninstalled it with Revo Uninstaller and reinstalled it, I would say that a Windows reinstall was still the best thing. I didn't try explicitly without the Avast block, but still, Firefox is not working, Chrome is not working, ping is not working, tracert is not working. Other PCs don't have problems. I would say that it's not a Chrome-only problem, without needing more evidence. – Duralumin – 2014-07-22T07:01:46.197

Answers

3

Yes, we had the problem in Italy in the last few days: the primary DNS server on the router/modem was modified to 94.249.192.105 -> ransomware (JavaScript) downloaded from this same server by any device on the LAN, and multiple sites and services blocked.

See also http://www.tomshw.it/forum/network/428865-dns-del-ruoter-che-cambia-solo-2.html?s=04f2682c7d0ab269bc6a9342980b64d4

Solution to be confirmed: change password on router/update firmware + change DNS servers on router to those of Google + clear browser data (reset)

Anon

Posted 2014-07-18T16:52:17.650

Reputation: 46

We just had a very similar issue in New Zealand. Our router's primary DNS address had been set (hacked) to 94.249.192.82. The secondary address had the original primary address (8.8.8.8). The router is a TP-Link ADSL 2+ Router. We too saw the "police" ad a few weeks ago. – Matthew Walker – 2014-11-29T00:08:35.630
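The accepted answer and the comment above describe the mechanism: a rogue primary DNS server pushed onto the router, so every LAN client gets hijacked answers. The check a defender wants is to ask the same question through the resolver in use (the router) and through a trusted resolver (the answer recommends Google DNS) and compare. The following is an added example, not code from the original thread; it builds and parses raw DNS A queries so it can target a specific resolver, and the sample answers in the test mirror the reported symptom (every site pointed at 94.249.192.105, the address named in the accepted answer), with the trusted-side addresses being constructed placeholders.

```python
import socket
import struct
from collections import Counter

TRUSTED_RESOLVER = "8.8.8.8"        # resolver recommended in the accepted answer
ROGUE_RESOLVER = "94.249.192.105"   # rogue DNS address reported in the accepted answer

def build_a_query(name, txid=0x1234):
    """Build a minimal DNS query: one A question, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN

def _skip_name(data, off):
    """Advance past a (possibly compressed) name; return the offset after it."""
    while True:
        length = data[off]
        if (length & 0xC0) == 0xC0:    # compression pointer is two bytes, then done
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(data):
    """Return the set of IPv4 addresses in a DNS response's answer section."""
    _txid, _flags, qdcount, ancount = struct.unpack(">HHHH", data[:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4          # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs

def query_a(name, resolver, timeout=3.0):
    """Send the query to one specific resolver over UDP/53 and parse its reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (resolver, 53))
        return parse_a_records(s.recv(512))

def hijack_indicators(answers_in_use, answers_trusted):
    """Domains whose answers differ, plus any address returned for several unrelated domains."""
    differing = sorted(d for d in answers_trusted if answers_in_use.get(d) != answers_trusted[d])
    shared = Counter(ip for ips in answers_in_use.values() for ip in ips)
    return differing, sorted(ip for ip, n in shared.items() if n > 1)
```

To run it live, call query_a for a few domains against the router's LAN address and against TRUSTED_RESOLVER, then pass both result dicts to hijack_indicators; a non-empty second list (one address shared by unrelated domains) is the sinkhole pattern the thread describes.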

2

It definitely sounds like some kind of malware.

  • Check your browser extensions. In Chrome it's the hamburger menu → Tools → Extensions. First, try to disable all of them and check if that strange behavior persists. If not, enable them one by one, each time checking if the redirection still happens. This way you'll be able to track it down to a specific extension. Rogue extensions will very likely pretend to be something useful; don't trust them.

  • Check your proxy settings: hamburger menu → Settings → scroll down → Show advanced settings → Network section, Change proxy settings. A new window will open. Click the LAN settings button and make sure Use a proxy server for your LAN is unchecked.

  • Run a malware scan. Malwarebytes Antimalware and SpyBot Search & Destroy are well-known malware removal tools. Note that the malware may attempt to prevent you from downloading antimalware tools, so you may have to use another device to download those files. Scans should preferably be run in Safe mode.

Those are just some basic steps. If those won't suffice, we have an entire question dedicated to fighting viruses and malware.

gronostaj

Posted 2014-07-18T16:52:17.650

Reputation: 33 047

Just to put things in context, (and it's my fault for not saying so) I'm a programmer and I consider myself a somewhat experienced user with some 20 years of PC usage, some of which spent providing tech assistance. Plus, being a Web Developer I know some about Chrome and browsers. – Duralumin – 2014-07-21T14:17:44.200

...but did you try, @Duralumin? Nothing in your question or comments indicates you even ran any malware scan? – Arjan – 2014-07-21T16:44:50.550

Yes, sorry, I thought that, having identified the precise kind of ransomware, it was implicit that I did run a scan. I did a full scan on reboot with Avast, did a full scan with YAC and Microsoft Security Essentials. – Duralumin – 2014-07-22T06:59:34.783

1

Take a backup of your documents and personal stuff, format the harddrive and reinstall Windows 7. That is the easiest and safest solution.

ZippyV

Posted 2014-07-18T16:52:17.650

Reputation: 1 557

1

I got the same problem yesterday on a Galaxy Note 3 with Chrome. Clearing the app data helped for me.

More details:

Every website I went to redirected to this URL with an error

system-check-elotpdux.in/js?t=sjdhehdjsjdi (long string)

The page says "not found"

Before the redirect there's actually another one to an IP:

94.249.192.105/index.html

I tried a different wifi network and it still happened. I also tried https:// SSL sites and it didn't redirect. I tried incognito tab and it didn't redirect.

I noticed that the system-check-elotpdux URL was quoted on a Thai forum with someone experiencing the same problem. It was only when I searched for "system-check chrome redirect" did I find this post, which mentions a different domain, system-check-fyeltkhn.in. I am in Thailand so I suspect the redirect URL is being geo targeted.

I had installed the camera360 app and I noticed in the comments on the store that a user's AV detected malware. Uninstalling and rebooting the phone didn't work.

AVG scan did not show anything. I also installed addons detector and airpush detector and it didn't find anything.

I updated to the latest version of Chrome and this did not fix it.

I installed Firefox and this was not affected by the redirect.

It was only when I cleared the Chrome app data that the redirect went away.

I am very worried how this managed to do this to Chrome. It was as if the cache was infected with a trojan JS file. But I can't figure it out. This means either Android or Chrome has a security flaw somewhere.

Hope this answer helps people.

If you know what the exploit is or any more info please post. Thanks.

ian

Posted 2014-07-18T16:52:17.650

Reputation: 11

An Italian website said that the virus hits the router, but I don't think that's possible, as I didn't have any problem with the other PC (with Ubuntu) even while using Chrome. – Duralumin – 2014-07-21T12:33:00.520

Also, if it were related to a router, it couldn't be solved by clearing the Chrome data on ian's mobile device, @Duralumin. – Arjan – 2014-07-21T13:52:35.563

Seeing that Italian website now, I might have been wrong about a router not causing this. Be sure to see the accepted answer, Ian. – Arjan – 2014-07-27T13:43:35.957