
Dec 03 2014

Browser redirections and Adfoc.us virus removal

I received a computer that was opening ads after loading webpages. The browsers (Chrome and IE) were redirecting to the adfoc.us page. The computer had recently been reinstalled with Windows 7 and had Microsoft Security Essentials installed. The owner had spent a few days in Italy and returned home (to Romania) with this problem.

The strange thing is that his phone (Android OS) was also being redirected to adfoc.us, both in Italy and in Romania.

About the PC: I checked it with Trojan Remover and Malwarebytes, with no results.

When I tried to install Spybot Search and Destroy it gave me an error saying that it couldn’t create an .exe file required for the program to run. This led me to the conclusion that a program running in the background was tampering with the Spybot installation.

I took his laptop to my place and tried other software solutions. I didn’t check whether the redirect happens on my network. He has a TP-Link TL-WDR3600 wireless router and I have a Cisco 881.

I installed ComboFix and scanned the system. It generated a log file that contained a list of files: a few registry entries, a few quarantined files, a few txt files.

Among the registry files, there was one where I found something interesting: C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

In this file I found an IP, 94.249.192.82, that seems to be a DNS server. Searching the internet for other users with this problem, I found the same IP in the logs they posted. Some have aliexpress.com instead of adfoc.us.

One comment in this link reads:

Further, I saw that the DNS addresses in the router I was using had been changed (read hacked). The primary address had been set to 94.249.192.82. The secondary address was set to the original primary address (8.8.8.8). The router is a TP-Link ADSL2+ Router

Another user with the same problem (PC and Nexus tablet, the tablet tested on a different network) said:

Requesting that this thread be locked/deleted. I’ve managed to solve the problem on my own by wiping/resetting all internet-related things on my devices and resetting my router. The problem in the end was that a virus or a script got into my router and started messing up all my devices from there, embedding into the devices themselves via temp. files.

Other DNS addresses that may cause problems are: 199.182.166.168, 199.182.166.169, 107.170.189.30, 107.170.245.37

Conclusion for the moment: I think that some routers had their DNS addresses changed, and this causes redirection to sites that download malware onto Android and Windows devices.

UPDATE: I took the laptop back to its owner. It started redirecting to adfoc.us again when using Internet Explorer. His Android phone was redirecting pages too.

His PC was not. The difference was that the PC had its DNS servers set manually. His laptop and phone were using the router’s IP for DNS resolution.

I looked at the DNS servers used by the router (PPPoE configuration), but the IPs displayed were from the ISP. It seems that the router was not using them, and was forwarding its DNS queries to different DNS servers.

I changed the router’s DNS addresses provided by DHCP to the clients, changed the default password and reset the Internet Explorer settings on the PC. I deleted the cache from the phone’s browser.

I rebooted the router and redirects stopped.

When I started to write this post I was convinced that a virus was causing the redirects. It seems that this is not the case, because I couldn’t find any files for the virus.

So the DNS addresses provided by the router were the problem.
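The investigation above comes down to one check, repeated in two places: which resolver addresses are configured (in the tcpip.reg backup ComboFix saved, and in what the router hands out over DHCP), and whether any of them is one of the rogue servers listed in this post. The following script is an added example, not the author's code or any tool mentioned here. It parses a Tcpip\Parameters .reg export and `ipconfig /all` output, then classifies every address it finds. The rogue list is the set of addresses named in the post; the "trusted" set (Google's public resolvers), the .reg layout, the interface GUID and both sample inputs are constructed assumptions. A verdict of "router" reproduces the situation described above: the host only points at the router, so the router's own DHCP and WAN DNS settings are what must be inspected.

```python
"""Audit DNS resolver settings against the rogue resolvers named in this post.

Added example (not the post author's code). It reads two sources a Windows
technician has at hand: a Tcpip\\Parameters .reg export (such as the ComboFix
registry backup mentioned above) and `ipconfig /all` output.
"""
import ipaddress
import re

# Rogue resolver addresses taken from the post itself.
ROGUE_DNS = {
    "94.249.192.82",
    "199.182.166.168",
    "199.182.166.169",
    "107.170.189.30",
    "107.170.245.37",
}

# Assumption: the resolvers the owner intends to use (Google DNS, as in the
# quoted router comment). Replace with the ISP's resolvers where known.
TRUSTED_DNS = {"8.8.8.8", "8.8.4.4"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def dns_from_reg(reg_text):
    """Return NameServer / DhcpNameServer addresses from a .reg export, in file order."""
    found = []
    for match in re.finditer(r'"(?:Dhcp)?NameServer"="([^"]*)"', reg_text):
        found.extend(IPV4.findall(match.group(1)))
    return found


def dns_from_ipconfig(text):
    """Return (dns_servers, default_gateway) parsed from `ipconfig /all` output.

    Additional DNS servers appear on continuation lines holding only an address.
    """
    servers, gateway, in_dns_block = [], None, False
    for line in text.splitlines():
        stripped = line.strip()
        if "DNS Servers" in line:
            servers.extend(IPV4.findall(line))
            in_dns_block = True
            continue
        if in_dns_block and IPV4.fullmatch(stripped):
            servers.append(stripped)
            continue
        in_dns_block = False
        if "Default Gateway" in line and gateway is None:
            ips = IPV4.findall(line)
            gateway = ips[0] if ips else None
    return servers, gateway


def classify(servers, gateway=None):
    """Map each resolver address to a verdict: rogue, trusted, router, private or unknown.

    'router' means the host defers to the router for DNS, so the router's
    DHCP/WAN DNS settings are where the hijack must be looked for.
    """
    verdicts = {}
    for ip in servers:
        if ip in ROGUE_DNS:
            verdict = "rogue"
        elif ip in TRUSTED_DNS:
            verdict = "trusted"
        elif gateway is not None and ip == gateway:
            verdict = "router"
        elif ipaddress.ip_address(ip).is_private:
            verdict = "private"
        else:
            verdict = "unknown"
        verdicts[ip] = verdict
    return verdicts


# Constructed sample inputs; the GUID and addresses are not from a real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CONSTRUCTED-GUID}]
"NameServer"="94.249.192.82,8.8.8.8"
"DhcpNameServer"="192.168.0.1"
"""

SAMPLE_IPCONFIG = """Windows IP Configuration

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.0.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       8.8.8.8
"""


def audit(reg_text, ipconfig_text):
    """Combine both sources; return (report_lines, rogue_seen)."""
    host_servers, gateway = dns_from_ipconfig(ipconfig_text)
    verdicts = classify(dns_from_reg(reg_text) + host_servers, gateway)
    lines = [f"{ip:<16} {verdict}" for ip, verdict in verdicts.items()]
    return lines, "rogue" in verdicts.values()


if __name__ == "__main__":
    report, rogue_seen = audit(SAMPLE_REG, SAMPLE_IPCONFIG)
    print("\n".join(report))
    print("rogue resolver present:", rogue_seen)
```

Run it on a real export by reading the .reg file (ComboFix writes it as UTF-16) and the saved `ipconfig /all` output instead of the two samples. When every host address comes back as "router", the script has told you what the post found the hard way: the evidence is on the router, not on the PC, so the DHCP-advertised DNS servers and the WAN DNS settings there are the next thing to check.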

4 comments


  1. TomA

    Exact same thing happened to me. My Conceptronic router was redirected to 94.249.192.82.

  2. Brian

    This is happening to me right now. Firefox or Chrome starts a tab titled cityadspix which redirects quickly to aliexpress. Seemed like a virus, so I went to go back to a restore point, but that kept giving me a blue screen and failing. I went to safemode and was able to run system restore. But later I find my browser still randomly getting a new tab. Also flash is behaving unpredictably.

    Then my wife describes the same aliexpress thing on her Mac. Uh-oh. We are visiting parents in Italy. The wifi here has finally been stabilized after a few years of unreliability. It is quite a shame if the router here has been hacked. How can it be repaired easily? And will our computers accumulate some infection that we will take home with us?

    Thank you for posting this issue.

    1. Bogdan

      Change the router’s password, and disable remote administration from the internet.
      That should be all.
      And scan your PC with antimalware software: Spybot Search and Destroy, Malwarebytes, Trojan Remover.

      1. Brian

        Thank you Bogdan. I will do these things and try to report back.
