Google-chrome – Some pages in Chrome always redirect to ransom page at http://system-check-fyeltkhn.in

browser, dns, firefox, google-chrome, networking

This is so weird and random that I have a problem explaining it fully. Since yesterday, those behaviors started:

Some pages in Chrome are always redirected to:

http://system-check-fyeltkhn.in/js?t=53616c7465645f5fdc73029d4884acc0f7c68721db05e546f3bd3e721e01b9b76d6dbbcf918d95a3fcf0e861ab541e81968f107a0ae2ab13

If I open the same page right now in another browser, or even private browsing in Chrome, it works.
Some websites, after some time, just stop being reachable. Even with ping.
For example, Facebook.
I had it open and was using it ten minutes ago, and now a tracert says

Unable to resolve target system name www.facebook.com

On Firefox it starts a search on Yahoo with the website as subject.

I have right now a stream going and it doesn't have any problem, unless I refresh the page. Disabling and re-enabling the connection seems to solve the issue for some time, on some websites.

I tried changing the DNS to Google DNS to no avail.
I have the firewall on, and Avast running all the time.

Let's take the example of twitch.tv, which is a website I can never reach on normal Chrome, but I can reach on private browsing Chrome and Firefox.

If I ping it, I get a timeout.
If I do a tracert this is what I get:

  1    <1 ms    <1 ms    <1 ms  192.168.2.1
  2    <1 ms    <1 ms    <1 ms  192.168.1.2
  3    20 ms    19 ms    19 ms  2-234-97-1.ip222.fastwebnet.it [2.234.97.1]
  4    19 ms    18 ms    18 ms  10.6.105.66
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.

By pure chance, I disabled the Avast! Shield, and what I got was a redirection to a page that permitted me to identify the virus as ransomware, a variation of Trojan.Ransomlock.

The page shows a fake "police" page:

Screenshot of fake police ransom page

Apparently Avast was intercepting and blocking the redirect, so what I got was "Error 324 NO DATA RECEIVED" from Chrome. Still can't explain the kind of behaviour.

I'm on Windows 7.

Best Answer

Yes, we had the problem in Italy in the last days: primary DNS server on router/modem modified to 94.249.192.105 -> ransomware (JavaScript) downloaded from this same server by any device on the LAN, and multiple sites and services blocked.

See also http://www.tomshw.it/forum/network/428865-dns-del-ruoter-che-cambia-solo-2.html?s=04f2682c7d0ab269bc6a9342980b64d4

Solution to be confirmed: change password on router/update firmware + change DNS servers on router to those of Google + clear browser data (reset)
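
A client-side check for the router DNS change described in the answer, added here as an example (not code from the original post or the answerer): it parses `ipconfig /all` output and lists DNS servers that are public addresses outside a trusted list. The English-language output format, the `TRUSTED` list and the sample text are assumptions; a router that proxies DNS shows only its own LAN address here, so its WAN DNS setting still has to be checked in the router's admin page.

```python
import ipaddress
import re

# Assumption: resolvers the operator expects (Google Public DNS, as in the fix above).
TRUSTED = {"8.8.8.8", "8.8.4.4"}

# Constructed sample of English `ipconfig /all` output, not captured from a real host.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.2.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 94.249.192.105
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def _as_ip(text):
    """Parse an address, dropping any IPv6 zone suffix (%11); None if not an IP."""
    try:
        return ipaddress.ip_address(text.split("%")[0])
    except ValueError:
        return None

def dns_servers(ipconfig_text):
    """Return every DNS server listed, including unlabeled continuation lines."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S*)", line)
        if m:
            candidate, in_dns = m.group(1), True
        elif in_dns:
            candidate = line.strip()   # extra servers appear alone on the next lines
        else:
            continue
        ip = _as_ip(candidate)
        if ip is None:
            in_dns = False             # next labeled field or blank line ends the list
        else:
            servers.append(ip)
    return servers

def unexpected_dns(ipconfig_text, trusted=TRUSTED):
    """Public DNS servers that are not on the trusted list."""
    return [str(ip) for ip in dns_servers(ipconfig_text)
            if not (ip.is_private or getattr(ip, "is_site_local", False))
            and str(ip) not in trusted]

if __name__ == "__main__":
    print(unexpected_dns(SAMPLE))
```

On the affected machine, save the output of `ipconfig /all` to a file and pass its contents to `unexpected_dns` instead of `SAMPLE`.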
