Adware, malware popups and redirects


About a week ago, while browsing the internet (with my Lenovo S860 / Android / Chrome), some popups came out, and initially I thought that the site had some ads, but it was something else. I've found an article about an adware that auto-roots your phone, and it can't be cleaned by hard-resetting or by scanning with any type of antivirus. Ref: http://www.cmcm.com/blog/en/security/2015-09-18/799.html

So, after connecting the device to my PC, (I think) the adware moved onto my PC also. So now I have that virus on my phone, and also on my PC. I've tried reinstalling browsers (Firefox, Chrome), reinstalling Windows (formatting the HDD), and scanning with different antiviruses (AVG, BitDefender, Kaspersky, Malwarebytes, Spyhunter, AdwCleaner and many others), but without success.

The ads are appearing both in Firefox and Chrome, on different events: link click, background click. On my phone a site appears with the message "Your battery has [some number] battery viruses" and the phone vibrates. On my PC different sites are opened, like Alibaba and some radio websites. Any idea is appreciated!

Suspect domains included on webpages:

ntvk1.ru
tarkita.ru
cukcopo.ru
darangi.ru
onclickads.net
morgdm.ru

Another thing is that I've found out that Google Analytics is including these domains in the source. Now I have blocked these domains and google-analytics.com in the hosts file, but I don't think it's the best solution.

Thanks in advance!

K Attila

Posted 2016-01-20T08:10:38.580

Reputation: 1

Question was closed 2016-01-23T00:16:55.290

Answers


I can't comment yet, so I have to make suggestions in an answer to get context.

Are you sure the adware hasn't installed a plugin in the browsers? Check for anything installed through Chrome/Firefox. The fact that you've re-formatted means it's unlikely the malware/adware is sitting within your hard drive.

I've never experienced an attack that moves from my phone to my PC, but I can see how it MIGHT be possible.

Of course, one thing you should really do is back up your data and reformat the phone. Using the TWRP bootloader should wipe your phone properly if it's in a rooted state.

Then, the next thing is to check where the adware/malware is sitting within your system.

Are there any strange processes running on your machine? Check Windows Task Manager for this. Do you have any plugins installed that appear strange? Remove them completely.

Happy to help a bit further if nothing above helps you.

Also, it might be good to find out how you got this. Did you visit a strange website? Download a weird app?

Dandy

Posted 2016-01-20T08:10:38.580

Reputation: 342

Phone: I've tried resetting my phone, wiping user data, deleting/reinstalling Chrome, but without results. – K Attila – 2016-01-20T08:57:29.670

Deleting/reinstalling Chrome won't necessarily resolve a plugin issue. Plugins are tied to your Google account and are reinstalled when you log in. Do you see anything peculiar in the Task Manager?

As for phone wiping, a custom bootloader might perform a more effective wipe than the standard factory reset. – Dandy – 2016-01-20T09:01:18.427

PC: I've installed some common software like MSVC++, AVG, Chrome, Mozilla, Skype, and so on. Browser plugins: Adblock Plus, and that's all.

But... I've figured out that my router had some very strange DNS settings (manually configured) and changed that to Google DNS. Now the tracking script name is "ga.js", not "analytics.js" <- see attachment in post. But I'll post the results tomorrow, to see if the adware appears again. Thanks for your post! – K Attila – 2016-01-20T09:01:38.273

Might also be worth looking into the cause, so it doesn't happen again! – Dandy – 2016-01-20T09:03:19.433

@KAttila Also, if this is a local network, you shouldn't have any DNS settings configured unless you have intentionally done so, or your ISP requires it. – Dandy – 2016-01-20T09:06:05.893

I've updated the router's firmware about a month ago and deactivated the manual configuration of DNS servers, but it was active now. So I replaced the default DNS servers with Google's (8.8.8.8 and 8.8.4.4). Now it's fine, but I'll wait a day to see if it's permanent. – K Attila – 2016-01-20T09:13:47.763
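The thread ends with the most telling finding: ads that survived a disk format in two different browsers, and a router whose DNS servers had been changed to something the owner never configured. That pattern points at the network rather than the endpoint, and the two things the asker did by hand (sinkholing the listed domains in the hosts file and restoring trusted resolvers) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from any product it mentions. It parses hosts-file text, reports which of the suspect domains from the question are still not sinkholed, and compares a router's configured DNS servers against a trusted list plus the local LAN range, flagging anything else. The hosts-file sample, the LAN range 192.168.1.0/24 and the resolver address 198.51.100.7 (a documentation-range address standing in for an unknown server) are constructed inputs; the suspect domains and the Google resolver addresses are the ones the thread itself lists.

```python
import ipaddress

# Suspect domains listed in the question (taken from the page, not invented).
SUSPECT_DOMAINS = [
    "ntvk1.ru", "tarkita.ru", "cukcopo.ru",
    "darangi.ru", "onclickads.net", "morgdm.ru",
]

# Addresses that make a hosts-file entry a sinkhole (requests go nowhere).
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed hosts-file content: only three of the six domains are blocked.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ntvk1.ru
0.0.0.0         tarkita.ru onclickads.net   # two names on one line
0.0.0.0         google-analytics.com
"""

# Constructed router DNS configuration: one LAN address, one unknown public
# resolver (198.51.100.7 is a documentation address used as a placeholder),
# and one of the Google resolvers the asker switched to.
SAMPLE_ROUTER_DNS = ["192.168.1.1", "198.51.100.7", "8.8.8.8"]
TRUSTED_RESOLVERS = ["8.8.8.8", "8.8.4.4"]
LAN_NETWORK = "192.168.1.0/24"


def parse_hosts(text):
    """Return {hostname: address} from hosts-file text.

    Comments (everything after '#') and blank lines are skipped; a line may
    carry several hostnames after the address, as the Windows file format allows.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: address with no hostname
        address, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = address
    return mapping


def unblocked_domains(hosts_text, domains):
    """List the domains that the hosts file does not sinkhole."""
    mapping = parse_hosts(hosts_text)
    return [d for d in domains if mapping.get(d.lower()) not in SINKHOLE_ADDRS]


def hosts_block_lines(domains):
    """Produce sinkhole lines for the given domains, ready to append to hosts."""
    return ["0.0.0.0 " + d for d in domains]


def unexpected_resolvers(configured, trusted, lan_network):
    """Return configured DNS servers that are neither trusted nor on the LAN.

    A resolver outside both sets is exactly the symptom described in the
    thread: a server the owner never chose answering every lookup.
    """
    trusted_set = {ipaddress.ip_address(t) for t in trusted}
    lan = ipaddress.ip_network(lan_network)
    flagged = []
    for addr in configured:
        ip = ipaddress.ip_address(addr)
        if ip in trusted_set or ip in lan:
            continue
        flagged.append(addr)
    return flagged


def audit(hosts_text=SAMPLE_HOSTS, router_dns=SAMPLE_ROUTER_DNS):
    """Run both checks and return a small report dict."""
    return {
        "not_sinkholed": unblocked_domains(hosts_text, SUSPECT_DOMAINS),
        "unexpected_dns": unexpected_resolvers(router_dns, TRUSTED_RESOLVERS, LAN_NETWORK),
    }


if __name__ == "__main__":
    report = audit()
    print("Suspect domains not sinkholed:", report["not_sinkholed"])
    print("Suggested hosts lines:")
    for line in hosts_block_lines(report["not_sinkholed"]):
        print("  " + line)
    print("Unexpected DNS servers on router:", report["unexpected_dns"])
```

To use it against a real machine, paste the contents of `C:\Windows\System32\drivers\etc\hosts` into `hosts_text` and the DNS server list from the router's WAN or DHCP page into `router_dns`; any address the script flags is worth recognising before trusting it. The hosts-file sinkhole is, as the asker suspected, a stopgap: it only covers names already known, and it does nothing if the resolver itself is lying, which is why the resolver check comes first.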