
This is so weird and random that I have a problem explaining it fully. Since yesterday, these behaviours started:

Some pages in Chrome are always redirected to:

http://system-check-fyeltkhn.in/js?t=53616c7465645f5fdc73029d4884acc0f7c68721db05e546f3bd3e721e01b9b76d6dbbcf918d95a3fcf0e861ab541e81968f107a0ae2ab13

If I open the same page right now in another browser, or even in private browsing in Chrome, it works. Some websites, after some time, just stop being reachable, even with ping. For example, Facebook: I had it open and was using it ten minutes ago, and now a tracert says

Unable to resolve target system name www.facebook.com

In Firefox it starts a Yahoo search with the website as the query.

Right now I have a stream going and it doesn't have any problem, unless I refresh the page. Disabling and re-enabling the connection seems to solve the issue for some time, on some websites.

I tried changing the DNS to Google DNS, to no avail. I have the firewall on, and Avast running all the time.

Let's take the example of twitch.tv, which is a website I can never reach in normal Chrome, but I can reach in private browsing in Chrome and in Firefox.

If I ping it, I get a timeout. If I do a tracert, this is what I get:

  1    <1 ms    <1 ms    <1 ms  192.168.2.1
  2    <1 ms    <1 ms    <1 ms  192.168.1.2
  3    20 ms    19 ms    19 ms  2-234-97-1.ip222.fastwebnet.it [2.234.97.1]
  4    19 ms    18 ms    18 ms  10.6.105.66
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.

By pure chance, I disabled the Avast! Shield, and what I got was a redirection to a page that permitted me to identify the virus as ransomware, a variation of Trojan.Ransomlock.

The page shows a fake "police" page:

[Screenshot of the fake police ransom page]

Apparently Avast was intercepting and blocking the redirect, so what I got was "Error 324 NO DATA RECEIVED" from Chrome. I still can't explain this kind of behaviour.

I'm on Windows 7.

Asked by Duralumin (edited by Arjan)

4 Answers

Yes, we had the problem in Italy in the last few days: the primary DNS server on the router/modem was modified to 94.249.192.105 -> ransomware (JavaScript) downloaded from this same server by any device on the LAN, and multiple sites and services blocked.

See also http://www.tomshw.it/forum/network/428865-dns-del-ruoter-che-cambia-solo-2.html?s=04f2682c7d0ab269bc6a9342980b64d4

Solution (to be confirmed): change the password on the router / update the firmware + change the DNS servers on the router to those of Google + clear browser data (reset).

Anon
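The router-DNS hijack described in this answer can be checked from any LAN client without trusting the browser: ask the resolver the router hands out and a trusted public resolver for several unrelated names, and look for one address that the configured resolver keeps returning while the trusted one never does. The script below is an added example, not code from this thread or from any of the tools named on the page. It builds DNS queries with the Python standard library only, parses A records out of the response (including compressed names), and applies that comparison. The response packet and the two answer tables embedded in it are constructed for illustration: 203.0.113.x and 198.51.100.x are documentation addresses, and 94.249.192.105 is the rogue resolver address quoted in this thread. The hypothetical `resolve()` helper does a live UDP query and is only used when you point it at a real server yourself.

```python
import random
import socket
import struct


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query: RD=1, one question, IN class, A record by default."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def _read_name(packet, offset):
    """Decode a possibly compressed DNS name; return (name, offset just after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            hops += 1
            if hops > 16:                    # refuse pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack(">H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(packet, expected_txid=None):
    """Return the IPv4 answers in a DNS response as dotted-quad strings."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", packet[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is not a response")
    offset = 12
    for _ in range(qd):                      # skip the echoed question section
        _, offset = _read_name(packet, offset)
        offset += 4                          # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = _read_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def resolve(name, server, timeout=3.0):
    """Live helper (assumed, not from the thread): one A query to `server` over UDP/53."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid=txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, expected_txid=txid)


def find_sinkhole_addresses(configured, trusted, min_domains=2):
    """Addresses the configured resolver returns for >= min_domains unrelated names
    that the trusted resolver returns for none of them. A wildcard hijack like the one
    in this thread maps many names onto one attacker host; CDN round-robin does not."""
    trusted_ips = {ip for answers in trusted.values() for ip in answers}
    domains_by_ip = {}
    for name, answers in configured.items():
        for ip in set(answers):
            domains_by_ip.setdefault(ip, set()).add(name)
    return sorted(ip for ip, names in domains_by_ip.items()
                  if len(names) >= min_domains and ip not in trusted_ips)


# Constructed sample: a response to "twitch.tv A?" (txid 0x1234) whose single answer,
# written with a compression pointer back to the question name, is 94.249.192.105.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    + b"\x06twitch\x02tv\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04"
    + bytes([94, 249, 192, 105])
)

# Constructed answer tables standing in for resolve(name, router_dns) and resolve(name, "8.8.8.8").
SAMPLE_CONFIGURED = {"twitch.tv": ["94.249.192.105"],
                     "www.facebook.com": ["94.249.192.105"],
                     "example.org": ["203.0.113.10"]}
SAMPLE_TRUSTED = {"twitch.tv": ["198.51.100.7"],
                  "www.facebook.com": ["198.51.100.8"],
                  "example.org": ["203.0.113.10"]}

if __name__ == "__main__":
    print("sample answer:", parse_a_records(SAMPLE_RESPONSE, expected_txid=0x1234))
    print("suspect addresses:", find_sinkhole_addresses(SAMPLE_CONFIGURED, SAMPLE_TRUSTED))
```

Run as-is for the offline demonstration; for a live check, build the two tables with `resolve(name, "192.168.1.1")` (your router's address) and `resolve(name, "8.8.8.8")` over a handful of unrelated names such as the ones in the thread. Treat a flagged address as a lead, not proof: geo-distributed CDNs legitimately answer differently per resolver, which is why the heuristic requires the same address across several domains rather than any single mismatch, and why the hijack in this thread (every name pointing at one host) stands out so clearly.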

It definitely sounds like some kind of malware.

  • Check your browser extensions. In Chrome it's the hamburger menu → Tools → Extensions. First, try to disable all of them and check if that strange behaviour persists. If not, enable them one by one, each time checking if the redirection still happens. This way you'll be able to track it down to a specific extension. A rogue extension will very likely pretend to be something useful; don't trust them.

  • Check your proxy settings: hamburger menu → Settings → scroll down → Show advanced settings → Network section → Change proxy settings. A new window will open. Click the LAN settings button and make sure Use a proxy server for your LAN is unchecked.

  • Run a malware scan. Malwarebytes Anti-Malware and Spybot Search & Destroy are well-known malware removal tools. Note that the malware may attempt to prevent you from downloading antimalware tools, so you may have to use another device to download those files. Scans should preferably be run in Safe Mode.

Those are just some basic steps. If those don't suffice, we have an entire question dedicated to fighting viruses and malware.

gronostaj

Take a backup of your documents and personal stuff, format the hard drive and reinstall Windows 7. That is the easiest and safest solution.

ZippyV

I got the same problem yesterday on a Galaxy Note 3 with Chrome. Clearing the app data helped for me.

More details:

Every website I went to redirected to this URL with an error:

system-check-elotpdux.in/js?t=sjdhehdjsjdi (long string)

The page says "not found"

Before that redirect there's actually another one, to an IP:

94.249.192.105/index.html

I tried a different Wi-Fi network and it still happened. I also tried https:// (SSL) sites and they didn't redirect. I tried an incognito tab and it didn't redirect.

I noticed that the system-check-elotpdux URL was quoted on a Thai forum by someone experiencing the same problem. It was only when I searched for "system-check chrome redirect" that I found this post, which mentions a different domain, system-check-fyeltkhn.in. I am in Thailand, so I suspect the redirect URL is being geo-targeted.

I had installed the camera360 app, and I noticed in the comments on the store that a user's AV detected malware. Uninstalling it and rebooting the phone didn't work.

An AVG scan did not show anything. I also installed Addons Detector and AirPush Detector and they didn't find anything.

I updated to the latest version of Chrome and this did not fix it.

I installed Firefox, and it was not affected by the redirect.

It was only when I cleared the Chrome app data that the redirect went away.

I am very worried about how this managed to do this to Chrome. It was as if the cache was infected with a trojan JS file, but I can't figure it out. This means either Android or Chrome has a security flaw somewhere.

Hope this answer helps people.

If you know what the exploit is or any more info please post. Thanks.

ian (edited by Arjan)