Tabs opening in the background for no reason

[dan1el]

Hello forum!

I'm Daniel and I'm currently studying for a master degree in computer science in Norway. I must admit that this problem is one of the weirdest I've encountered.

I thought I had a problem with spyware when tabs started to open in the background (using Opera) and foreground (using Chrome) last week.

I searched trough my computer with AVG Free, Spybot and MalwareBytes. No infections. Last night I used my laptop (which I almost never use) and the problem occurred there as well! Also cross browser. I downloaded MalwareBytes' software and my frustration grew when I realized the software would not update. Using dualboot, I booted into Ubuntu and downloaded the update (.exe-file) there, trying to update the software manually.

However, the same problem, tabs opening in the background while browsing (only when clicking links), also occurs in Ubuntu! I asked my roommate if he had similar issues. He did. I saw it myself.

The tabs opening in the background has this URL: http://205.234.231.38/ after.php?type=www.malwarebytes.org. The IP-adress is sometimes a different one, but this one occurs more often. The URL reflects what domain I were visiting. Also, sometimes I'm redirected to Google or Yahoo, via some URLs I didnt have time to catch.

The problem DOES NOT occur when connected to a different network, like the University network. It's clearly that this is not related to the individual computer, but rather the network I'm currently connected to. Fortunately, I have physical access to the router, so I can do whatever I want with it.

What is this problem? Could someone have hacked my router and replaced the software? And if thats the case, how can a hacked router have any effect on the applications I'm using (as in opening new tabs/websites then clicking links)?

Do you have any tips to try to solve this problem? Should I change my DNS servers, etc, etc? Replace the firmware on the router? Contact my ISP (like they can ever help you)?

I hope you can help me on this.

Daniel.

[Haider]

Hi Dan1el:

You can reset your router to factory defaults, change the admin password (to prevent re-hijack), configure it as per your ISP provided settings, moreover if you are using wireless connectivity change the encryption key too

[dan1el]

Hi. Thanks for your reply. I will try that later and post eventual results here.

A little update regarding the redirect process...

Lately I'm redirected to other sites. It's usually this pattern:

search.google-analytics.com ...

results.google-analytics.com ...

then some redirect, in one case it was:

http://www.newsreader.ws/?PHPSESSID=j5k968...4o4bq5kt5acemv4

and I ended up on

http://wordslife.com/index.php

another example is this url:

http://173.244.197.147/s/in.cgi?17&ab_...parameter=e-zan

Which redirected me to:

http://shop.lonelyplanet.com/europe/wester...-travel-guide-9

So can we assume that this nasty stuff collects my browser habbits and feeds me "relevant" webpages? Many redirects also ends up on just Google or just Yahoo (no query strings).

I caught the source-code for one of the redirects if that is of any use:

<html><script src="/A2EB891D63C8/avg_ls_dom.js" type="text/javascript"></script><body onload="setTimeout('document.forms.jump.submit();',500);"><form method="get" name="jump" action="http://www.newsreader.ws/search.php"><input type=hidden name=out value="4"><input type=hidden name="PHPSESSID" value="j5k968gep914o4bq5kt5acemv4"</form><noscript><span style="font-size: 9px;font-family: Verdana,Arial">Naviguer vers <a href="http://www.newsreader.ws/search.php?out=6&PHPSESSID=j5k968gep914o4bq5kt5acemv4" style="font-size: 9px;font-family: Verdana,Arial">le nouveau site</a> / Browse to <a href="http://www.newsreader.ws/search.php?out=9&PHPSESSID=j5k968gep914o4bq5kt5acemv4" style="font-size: 9px;font-family: Verdana,Arial">the new website</a></body></html>

[Haider]

Hello dan1el:

Please don't post live links, surround them in code tags. From what you mentioned "currently studying for a master degree in computer science" and "The problem DOES NOT occur when connected to a different network, like the University network" you should have inferred that it is your router problem

Should you have any other question(s) please post back using button

[Firefox]

it is looking like your router is indeed hijacked, please follow the advice by Haider to reset your router.

it is a DNS issue, and it's possible that your DNS settings have been hijacked.

Try this - It is general solution that works most times -

You may want to copy/paste this to notepad as you will disconnect from the Internet for a while -

1. Very important: First disconnect your computer from the Internet. Just Log Off- while you reset the router -

2. Router Reset: Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

• NOTE: To help prevent the router from getting hijacked again, make sure you change the default password to the router and also secure your wireless connection.
  

3. Reset the IP/DNS settings of your Internet connection:

Download this Microsoft Item

4. Flush the DNS cache:

• Click the Start logo in the bottom left corner of the screen
  
• Click on Run or press Windows Logo+R
  
• In the command window copy/paste the following:
  

  ipconfig /flushdns

  
  

• Then hit enter and a black box will flash .
  
• Exit the command window.
  

Thank You -

[dan1el]

Thank you for your help. As suspected, the router was the problem. A firmware-reset fixed the problem. Now everything is back to normal :-).

Scary though... that someone may have hijacked my wifi-router.

[Firefox]

this happens when folks leave the routers with default settings and don't bother to change their password and secure their wireless.

Glad you are back to normal now though.....