Scary adware: all links on websites using Google Analytics go to an ad page

0

I had no problem until yesterday, but today I noticed that when I click any link it redirects me to http://www.ultrafiles.net/7cc02b3a/url/MY-LINK-HERE, which looks like this: [image]

In the picture above, I tried to open a question on Stack Overflow!!! and I was redirected there.

So the first thing I did, obviously, was to disable all browser extensions and remove some apps which I suspected, to no avail. As I am using Ubuntu, it was unlikely that the problem was a program in the OS; rather, I suspected a user script or something similar.

After some testing and checking the affected sites, I noticed that sites that do not use Google Analytics have no problem, so I checked ga.js and faced a surprise: [image]

The only difference between left (Chromium) and right (Chrome) is that Chromium is using a proxy with encryption.

So is my connection sniffed and modified somewhere between me and Google? How can I prevent it? And does this mean all passwords I entered on non-HTTPS sites may have been compromised?

If you need any more info, ask in the comments and I will try to provide it.

Update: full script here

Bor691

Posted 2014-07-21T05:13:01.853

Reputation: 123
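The comparison described in the question (the same ga.js received over the encrypted proxy and over the direct connection), as an added example that is not part of the original post. The two script bodies are constructed stand-ins, not the real ga.js or the injected script, and the function names are hypothetical.

```python
import hashlib
import re

# Constructed sample: the script body as received over the encrypted proxy path.
VIA_PROXY = (
    b'(function(){var _gaq=window._gaq||[];'
    b'var u="http://www.google-analytics.com/__utm.gif";'
    b'_gaq.push(["_trackPageview"]);})();'
)
# Constructed sample: the same URL fetched over the direct, unencrypted path,
# with an inert stand-in for the extra code seen in the question's screenshot.
DIRECT = VIA_PROXY + b'\nvar r="http://www.ultrafiles.net/7cc02b3a/url/";'

HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def fingerprint(body: bytes) -> str:
    """SHA-256 of the raw bytes exactly as they arrived."""
    return hashlib.sha256(body).hexdigest()


def hosts(body: bytes) -> set:
    """Hostnames referenced by absolute http(s) URLs inside the script."""
    return {h.decode().lower() for h in HOST_RE.findall(body)}


def compare_paths(trusted: bytes, suspect: bytes) -> dict:
    """Compare one resource fetched over two network paths.

    A differing hash alone can be a legitimate version change; hostnames that
    appear only on the unencrypted path are the stronger sign of tampering.
    """
    return {
        "identical": fingerprint(trusted) == fingerprint(suspect),
        "size_delta": len(suspect) - len(trusted),
        "appended_only": suspect != trusted and suspect.startswith(trusted),
        "hosts_only_in_suspect": sorted(hosts(suspect) - hosts(trusted)),
    }


if __name__ == "__main__":
    for key, value in compare_paths(VIA_PROXY, DIRECT).items():
        print(f"{key}: {value}")
```

Repeating the same comparison from a different network helps narrow down whether the modification happens on the local network or further upstream.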

Answers

0

This is a type of hardware attack on your router proxy, especially when the UN and PW of your router are admin admin. Try to reset your router and set a hard password, and you will get rid of that ad.

hsawires

Posted 2014-07-21T05:13:01.853

Reputation: 324

I do have a weak password on my router, but I thought that wouldn't cause any problems since it's only accessible from the LAN. Am I wrong? (If I enter my WAN IP from another network I won't get the router page.) – Bor691 – 2014-12-20T15:31:15.163

Any PC that is connected to the router and has access to the internet could, I think, attack the router ... or the switch, by the way, if there is one. – hsawires – 2014-12-20T17:52:44.737

0

I found this info. It's the same Linkbucks adware, it's just a browser hijack (Click Here). It looks like the connection is hijacked or something. Did you try to switch proxy or not use a proxy at all?

chrisupi007

Posted 2014-07-21T05:13:01.853

Reputation: 111

The no-proxy one (on the right) is having the problem; using a proxy I did not have any problems, however because of higher ping I can't always use the proxy. – Bor691 – 2014-07-21T08:43:21.947

The link you provided suggests I use an adware cleaning tool which is an EXE file; however, I stated in the question that I use Ubuntu, which makes that file unusable for me. – Bor691 – 2014-07-21T08:44:14.883

Fail! Yes, I noticed late lol. Try connecting to a different network/location and see if it happens? – chrisupi007 – 2014-07-21T08:50:24.460

It appears to load fine now, although I blocked the ga.js URL with the Adblock extension in Chrome, but the question remains unanswered: what steps to follow when a similar situation happens (when you think your connection is sniffed/modified along the route) and how to detect the source of the problem (is it in the ISP, some higher level or the local network?) – Bor691 – 2014-07-21T17:20:28.250

I'm glad you figured it out, it's a mystery sometimes – chrisupi007 – 2014-07-24T14:26:04.723

I didn't really figure it out; I still don't know what caused it. It just magically went away the same way it came, and there is no guarantee that it won't come back – Bor691 – 2014-07-25T12:06:38.340