Browser redirects almost all links to Adfoc.us

3

0

Since yesterday, most users in our region and, as far as I know, many other people have received a lot of link redirections. Most of these redirections go to the adfoc.us website. The redirection happens after going to a page (not exactly as you go to the page), and the new URL has no "Back" button.
I understood that URLs which haven't been visited yet redirect to adfoc.us, so if we visit URL A and see the adfoc.us advertising once, we won't see it again if we go to URL A again.

What is the problem and how can I fix it? I use Windows 7 and Google Chrome browser and tried these:

  • Scanning my whole drive for viruses and other badware
  • Disabling plug-ins and extensions
  • Clearing DNS cache and other caches
  • Using different DNS servers

Redirection example:
Original URL: http://isthisretina.com/
Redirected URL: http://adfoc.us/serve/?id=25497650908175

I also tried to ping pages I had never visited before, like linuxmint.com. Here are the results:
Linuxmint.com: [213.175.215.218] Packets: Sent = 33, Received = 33, Lost = 0 (0% loss)
comodo.com: [91.199.212.176] Packets: Sent = 33, Received = 33, Lost = 0 (0% loss)

Also note that these redirections stopped 3 hours ago, and I don't know whether they stopped only for me or for other users too.

Amirreza Nasiri

Posted 2014-11-24T21:01:52.283

Reputation: 2 418

Which region/ISP? – Journeyman Geek – 2014-11-25T05:01:04.333

1I have it in Sweden too. It has been going on for two days now. I'm only using Mac software/hardware. I can't understand why this is happening. Any suggestions for a fix would be very helpful. – None – 2014-11-25T04:52:34.110

1This happens in Italy too. It is happening on both mobile and desktop chrome browser, as far as I know. I tried this in 2 different networks. I thought it could've been ISP related, but since it is going on abroad, too... I am at a loss – Stark – 2014-11-25T04:44:47.867

As I said, this problem occurs almost everywhere. But I'm in Iran and use local ISPs. – Amirreza Nasiri – 2014-11-25T07:40:50.527

Could you try to do a DNS lookup on a domain you certainly haven't visited so far? Write down the results, then try visiting that domain. If the redirects happen, you've got a domain for comparison with others. Just some examples you could try: frankfurt.de berlin.de munich.de comodo.com linuxmint.com eff.org – Mario – 2014-11-25T08:33:27.377

Also, does the problem happen with other browsers? Internet Explorer for example? – Mario – 2014-11-25T08:34:14.157

I too saw this problem in New Zealand. I was using Chrome and one in about three pages were redirected to adfoc.us for about 15 minutes. I tried to see if I could repeat the issue in Safari (I'm using OS X 10.9). But I'm not sure if the problem disappeared before I started using Safari. – Matthew Walker – 2014-11-28T23:45:18.580

1Further, I saw that the DNS addresses in the router I was using had been changed (read hacked). The primary address had been set to 94.249.192.82. The secondary address was set to the original primary address (8.8.8.8). The router is a TP-Link ADSL2+ Router. – Matthew Walker – 2014-11-28T23:50:34.517

As @Mario suggested, I did a DNS lookup on frankfurt.de, a site I'd never visited. I'm not sure if I did this after the "redirection" had stopped.
$ nslookup frankfurt.de
;; Got recursion not available from 94.249.192.82, trying next server
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: frankfurt.de
Address: 62.96.236.95
– Matthew Walker – 2014-11-28T23:53:02.273

1The last redirection before it stopped took me to www.aliexpress.com rather than adfoc.us. – Matthew Walker – 2014-11-29T00:01:41.113

And finally, it appeared that content might also have been injected into our wordpress site; this stopped at about the same time the redirection stopped. – Matthew Walker – 2014-11-29T00:02:35.280

@MatthewWalker Sounds similar to some worm/botnet being active right now. Better also check your wordpress installation for new/unknown (admin) accounts. – Mario – 2014-11-29T08:09:17.133

In case this is useful to others, I moved the Mac laptop to another wifi network and I'm still experiencing similar issues, so the problem is not limited to the DNS settings on the router. Opening the top ten links for "adfoc.us popup" in Google sends me to adfoc.us for three of the ten pages in Chrome, but when doing the same thing in Safari no page redirects occur. – Matthew Walker – 2014-11-30T06:57:17.667

The three pages that were redirecting had "waiting for adultcameras.info" in the status bar at the bottom of Chrome when the about-to-be-redirected page had almost finished loading. Looking at Chrome's Developer Tools indicated that when the redirection didn't occur it was because adultcameras.info was not returning a response. I used Settings > Advanced Settings > Reset Settings to return Chrome to its factory default settings. Reloading the same ten pages showed that none were attempting to communicate with adultcameras.info. Thus this seems to be the answer. – Matthew Walker – 2014-11-30T07:27:22.000

@MatthewWalker What do you think about the settings? Which of them may cause this problem? – Amirreza Nasiri – 2014-11-30T10:51:13.807

@AmirrezaNasiri I'm sorry but I can no longer analyse this as the use of Reset Settings seems to have completely removed the problem. I too would be interested to know what settings had been compromised. I can say that before I used Reset Settings I tried clearing all but Google from the Settings > Search > Manage Search Engines. That had no effect. – Matthew Walker – 2014-11-30T21:49:33.763

@AmirrezaNasiri Further, before resetting there was only one extension in Chrome, Google Docs 0.7. I doubt this was the problem. – Matthew Walker – 2014-11-30T21:55:48.650

@MatthewWalker I have this extension (v 0.7) too. Let's see if other people have this extension or not. – Amirreza Nasiri – 2014-11-30T22:36:12.187

@AmirrezaNasiri Chrome on my work laptop (Windows 7) has Google Docs 0.7 installed too. I've just run the same test (the top ten pages returned for "adfoc.us popup") on my work laptop that I ran on the Mac and none of the pages redirected to adfoc.us. I think that eliminates any concerns regarding the Google Docs extension. – Matthew Walker – 2014-11-30T22:42:17.390
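
Added example (not part of the original thread): a Python sketch of the check discussed in the comments above, parsing `nslookup` output to see which resolvers the machine tried and whether any falls outside the set you expect. The sample text is the output quoted in the comments with its layout reconstructed; the `TRUSTED` set and the function names are assumptions.

```python
import re

# Resolvers the network owner expects to see (assumption: set this per network).
TRUSTED = {"8.8.8.8", "8.8.4.4"}

# nslookup output as quoted in the thread's comments (layout reconstructed).
SAMPLE = """\
;; Got recursion not available from 94.249.192.82, trying next server
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   frankfurt.de
Address: 62.96.236.95
"""

def parse_nslookup(text):
    """Return resolvers that were tried and skipped, the one that answered, and the answers."""
    skipped = re.findall(r"^;; Got .* from (\S+), trying next server", text, re.M)
    server = re.search(r"^Server:\s*(\S+)", text, re.M)
    # Split at the answer section so the resolver's own Address line is excluded.
    _, _, answer = text.partition("answer:")
    addrs = re.findall(r"^Address(?:es)?:\s*([0-9a-fA-F.:]+)\s*$", answer, re.M)
    return {"skipped": skipped,
            "server": server.group(1) if server else None,
            "answers": sorted(addrs)}

def audit(text, trusted=TRUSTED, reference_answers=None):
    """List findings: resolvers outside the trusted set, answers differing from a reference lookup."""
    r = parse_nslookup(text)
    findings = []
    for ip in r["skipped"] + ([r["server"]] if r["server"] else []):
        if ip not in trusted:
            findings.append(f"unexpected resolver configured: {ip}")
    if reference_answers is not None and set(r["answers"]) != set(reference_answers):
        findings.append(f"answers {r['answers']} differ from reference {sorted(reference_answers)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A mismatch against the reference answers is a prompt to look closer rather than proof of tampering, since CDN-hosted names legitimately resolve differently per resolver.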

Answers

1

Google helped me: Some pages in Chrome always redirect to ransom page at http://system-check-fyeltkhn.in

Your router has been hacked and you need to fix your DNS and upgrade the firmware.

Stark

Posted 2014-11-24T21:01:52.283

Reputation: 11

Nope. It didn't, because we use the safest methods to protect our network and things like modems. On the other hand, it's not only my modem's problem; as I said, a lot of people have this problem these days. – Amirreza Nasiri – 2014-11-25T07:55:27.997

Stark, have you installed Google Docs 0.7 on your Chrome? – Amirreza Nasiri – 2014-11-30T22:44:14.640

0

There are three things you can do.

Try another browser. If it doesn't work... Try using a different DNS... like a public DNS such as 8.8.8.8 or 8.8.4.4, or using a VPN service with your browser like Zenmate (Zenmate is a plugin for Chrome).

Are all of the people using the same ISP as yours?

Kunwar

Posted 2014-11-24T21:01:52.283

Reputation: 323

Redirection happens if there's a server in between altering DNS requests or if the DNS itself is redirecting you. DNS is the server which converts the URL into the server IP or helps locate the server. – Kunwar – 2014-11-24T21:24:36.293

No, they don't. I tried Google's public DNS before and even other browsers, but no result. I really have no idea what is going on. – Amirreza Nasiri – 2014-11-24T21:31:00.053

Okay try using Zenmate... also can you paste a trace route to that website and a screen shot of what you are getting with URL so that I can test things on my end to see if I can help you with this. – Kunwar – 2014-11-24T21:33:50.417

Ok, I edited the question. – Amirreza Nasiri – 2014-11-24T22:00:28.040

0

Check both extensions and plug-ins to see whether any recently installed plug-in is causing the issue.

To delete an extension, follow the path below:

Chrome menu icon > More tools > Extensions > delete extensions

To disable unwanted plugins, go to chrome -- plugins and disable them.

vembutech

Posted 2014-11-24T21:01:52.283

Reputation: 5 693

As I said, I tried doing this and it's not ONLY my problem. I know a lot of people who have had this problem since yesterday or two days ago, so I think this problem cannot be caused by a single plugin. – Amirreza Nasiri – 2014-11-24T22:01:40.323

1@AmirrezaNasiri Just because others have that problem as well doesn't mean it's nothing on your local PC. It might be some hijacker hiding itself using rootkit technology. Possibly distributed through some local news site that got hijacked or similar. – Mario – 2014-11-25T08:37:25.693

@Mario The problem is getting wider. Now a lot more people have this problem all over our country and, as far as I know, in other countries too. Is it possible that the problem is with the modems? I mean, the problem is not from our system, DNS and the servers, so I think this is from the modems' firmware, which changed for most users at a specific time, or something similar. – Amirreza Nasiri – 2014-11-25T21:08:16.173