Vocal Voices

[TheOstrich]

I use Chrome,and I've also got AdBlock on my PC.

What I'm finding is that I've suddenly started getting redirected when making a Google search, or accessing various Daily Mail web-pages, to an advertising site for "Adfoc . us"

I've run AVG and Microsoft Security Essentials full scans but they've found nothing.

Googling the problem seems to indicate it's a known bug, but I'm loathe to download any removal tools from sites which I "don't know what they are", IYSWIM.

Master O (computer IT geek, 27, on same wifi network) also got this problem last night, and spent a couple of hours muttering darkly before announcing he'd got rid of it, but he's not very helpful when it comes to computer things, and if I raise any IT concerns, he tends to treat me as an incompetent neanderthal not worthy of communicating with. I can see his point, to a certain extent ..... His parting shot to me before disappearing was "it could be the router, then" and "take a screen print if it happens again" (which it did, and which I have done).

Any idea how I can get rid of the problem, please? Otherwise, I will have to throw myself on his mercy when he gets back from work on Monday evening ......

[Suff]

Hmmmmm,

I guess he did the same search I did. I guess he fixed it the way I would.

Remember a while ago I was talking about the Bash Bug and WM explained how to change the default password on your router? This sounds like an infected router.

You can check this by changing your internet settings. Go to

Control Panel->Network and Internet->Network and Sharing Center

Then click on the Change adapter settings on the left pane.

In the adapters, select the network adapter (is it wifi or wired?) and right click on it and select properties.

In the properties go to "Internet protocol version 4 (TCP/IPv4) and double click on it.

In the DNS section at the bottom, change it from Automatic, to manual and enter the two addresses as

8.8.4.4
8.8.8.8

Which are the Google public DNS servers. This changes you from the DNS on your router to the DNS on Google.

Save and exit. See if it works. You can always change it back to Automatic later if you need to, that is a simple change.

The very first thing I do with every router I have is change the default Admin password.....

[TheOstrich]

Many thanks, Suff!

I've done what you said and changed those addresses. I've tried the DM site and one other where I had the problem earlier tonight, and so far, I haven't had a re-occurrence. I'll experiment further tomorrow when I'm fresher and feeling less hassled .....

I did speak to the himself about the router password when Frank and yourself mentioned it in connection with the Bash Bug. He looked at it at the time and I think his conclusion was that the password settings were not the default, but we were not sure what they had been changed to ..... (!)

I'll have another go at him tomorrow about it, and keep you posted.

Thanks again.

[Suff]

You are welcome as always Os.

It could even be that your router password has been changed to stop you from undoing what has been done.... Possible.

BTW, personally I would not use either of the AV/AS programs you use. Too much gets through.

In the end you could hard reset the router, connect and immediately change the password, then reset the settings you lost. That should fix the problem for good.

The main problem seems to be that you have a compromised router. Well either that or your ISP has compromised DNS...

[Suff]

BTW my brother (12 more years in IT than me), treats my father the same way. Like a bumbling idiot. He even had my mother convinced. Until the time that my father and I planned his upgrade of his machine to the last detail and then my father ordered the parts, built the machine, installed all the software and restored all the files and settings. All on his own.

Now my mother is a lot more sceptical about what my brother says about my father.

It's an attitude I find hard to fathom... The only thing I can assume is that my brother is not as confident as he always makes out and so tries to keep my father from information and asking questions which might embarrass. I, on the other hand, rely on my father to keep me right as I don't have the time to concentrate enough on what he needs to do and I don't need to know his windows build or software mix... It works for both of us.

[Workingman]

Hi Ossie,

Many of us change default username/password pairs for security reasons - to stop miscreants messing with our systems, so changing those for your router should be a priority. To get there type 192.168.1.1 in your browser address bar and in the pop-up try admin and admin, Admin and admin, Admin and Admin or admin and Admin. However, if you are lucky, your ISP might not use defaults and the pair might be on a sticker on the router. Once in you can change the pair to whatever you wish..... within reason. You can then change the DNS servers to the best ones for you - more later.

However, there might be another simple thing to try before looking at the router, searching for a BHO (Browser Helper Object). It is quick and easy to do and there are some well known tools to help you.

https://toolslib.net/downloads/viewdown ... dwcleaner/ AdwCleaner

http://toolbarcleaner.com/ Toolbar Cleaner

Just run them and follow the instructions - scan and clean.

As for DNS. I never use ISP servers as they are not usually the quickest or most secure, so I try to get the best of the rest. To do this you can use the DNS Benchmark tool from : https://www.grc.com/dns/benchmark.htm DNS Benchmark. The first time you run it it will use a generic set of nameservers to get itself a benchmark. You then have the option if creating a custom set to find the best servers for you. When you want to find a good pair of servers you run the custom.ini file and it will show you who and where the servers are. You change them as per the instructions form Suff given above.

[TheOstrich]

Thanks guys.

The bad news is that despite all that, I've still got the adfoc . us problem.

I've run AdwCleaner as suggested by WM, but it didn't clear it. Chrome got very unhappy about me downloading Toolbar Cleaner so I didn't pursue that option. I presume this is now pointing to a compromised router rather than something on our machines.

Yes, the default router username / password is underneath the machine on a sticker, but they don't work. We don't think they have been changed, unless it was done by the tech who came out to reconnect the Wifi when we were having problems, a couple of years ago. I made as many notes as I could at the time (!), and they do include a Wifi security password which he installed for us. But as far as I remember, this was to do with stopping someone potentially piggybacking our Wifi and isn't the same as and doesn't apply to the router set-up. So we are stumped with the router at present.

I'll have to speak to the tonight ..... it may possibly mean a new router (we do have one in the house) but - and this has an interesting resonance with Suff's post above - Master O has indicated that he might prefer someone to come in and set it up for us. Indeed, there may well be an underlying confidence issue .... speaking personally, this level of "tech" is miles beyond my own capabilities, so I have no problem in asking for help, even if it means a call-out and costs. Kudos to your father, Suff - building and installing a computer is not something I could ever (or even want) to do, I'm afraid .....

[Suff]

Ah the penny drops after a lot of surfing...

Have a look at this post.

I had this problem with my Son in Law's computer and it was a cast iron nightmare to remove. Basically because the rootkit is agile and disables TDSSKiller before it can run. The rootkit installs itself outside of the partition table so that it's signature can't be seen, literally it's not on the drive as far as windows is concerned and it has capabilities to disable just about any spyware or removal tools.

The only way I could get it out was with the Kaspersky rescue disk 10 found here.

You download the iso, burn it to a CD and boot the system from the CD. If it finds and deletes the virus, I then suggest a full range of virus scanning and adaware scanning after Windows has re-booted. I would re-boot into safe mode personally. You can do this by running msconfig, selecting the boot tab and selecting network before shutting down and booting with the rescue CD.

Once the rescue CD has done it's bit, Windows will reboot into safe mode with networking and you can download any AV/Adaware software you need to scan and clean the machine.

This is why I run a heuristic AV with heuristic firewall. The engine does not just check for signatures, it checks for actions and maps them against correct and legal actions. I have only once seen it find a rootkit and it eviscerated it before any harm could come to the computer. Although I did have to go and find the registry entries and remove them.

Try this and let me know if you find a Trojan. Worth trying with the offline rescue disk anyway.

[Workingman]

Oh dear! Spy Hunter is almost as bad as a Trojan, and as Suff has ponted out with the rescue disc, there are lots of free tools to remove malwares. Most of them only do a limited set of specific tasks, unlike a dedicated suite, but the full armoury is out there. Loads of them are here: http://www.bleepingcomputer.com/downloa ... /security/

A quick question about your DNS servers, Ossie, have they changed from the ones Suff suggested back to automatic?

Also, if you do want to hard reset your router there is a comprehensive list of default passwords here: http://portforward.com/default_username ... D-Link.htm

[Suff]

Sorry haven't used spy hunter. But the last time I saw a Google redirect which could not be found or cured it was a TDSS Trojan. Bitch to remove and the only tool I could find to remove it was the Kaspersky rescue CD.