James Cook2

Q: onclickads - malware or virus?

As of this morning, when I click on a link within a page, a new page opens to onclickads and then reloads with some advertisement.
I've searched all of the usual folders in my Library, cleared caches etc, but cannot find out how to get rid of it. Norton found nothing.
I've not visited any disreputable sites and the only thing I can think of that I recently installed was a Flash update - though I can't vouch now for its authenticity.
I'm worried about it spreading to my other devices so I've turned off Safari in iCloud, hoping it's not already too late.
How do I get rid of this pest?

MacBook Pro, OS X Mavericks (10.9.2)

Posted on Apr 28, 2014 7:46 AM

first Previous Page 3 of 4 last Next
  • by thomas_r.,

    thomas_r. Apr 29, 2014 12:25 PM in response to omijan7
    Level 7 (30,889 points)
    Mac OS X

    omijan7 wrote:

    My laptop and desktop both list: 192.168.1.1

    That's your wireless router. You'll need to check and see what DNS settings it's using.

  • by James Cook2, Solved answer

    James Cook2 Apr 29, 2014 1:46 PM in response to thomas_r.
    Level 1 (15 points)
    Notebooks

    I think there may be something to the DNS. My router DNS settings were on

    199.182.166.168

    199.182.166.169

    They belong to Serverel.com

    I've entered corrected DNS numbers and will expect to be able to report success.

    I've also had my router back up the settings so they're easy to restore if this thing ever shows up again.
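    thomas_r. suggested checking which DNS servers are actually in play, and James Cook2's router turned out to be pointed at 199.182.166.168 and 199.182.166.169. The script below is an added example (not from this thread or from Apple): it parses the text of macOS's `scutil --dns` and labels each resolver, flagging those two addresses and treating a private address such as 192.168.1.1 as "only the router", whose own upstream DNS entries still have to be checked in its admin page. The allowlist of public resolvers and both `scutil` samples are assumed/constructed.

```python
import ipaddress
import re

# Assumed allowlist of public resolvers you intend to use (edit for your network).
EXPECTED_PUBLIC = {"8.8.8.8", "8.8.4.4"}
# The rogue resolvers several posters in this thread found in their routers.
KNOWN_ROGUE = {"199.182.166.168", "199.182.166.169"}
# Matches lines such as "  nameserver[0] : 192.168.1.1" in `scutil --dns` output.
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)

def parse_scutil_dns(text):
    """Return the distinct resolver addresses in the order scutil lists them."""
    found = []
    for match in NAMESERVER_RE.finditer(text):
        if match.group(1) not in found:
            found.append(match.group(1))
    return found

def classify(addr):
    """Label one resolver address from a defender's point of view."""
    if addr in KNOWN_ROGUE:
        return "known-rogue"
    if ipaddress.ip_address(addr).is_private:
        # The Mac only points at the router (as in the thread), so the
        # router's own upstream DNS entries must still be checked by hand.
        return "router-check-upstream"
    if addr in EXPECTED_PUBLIC:
        return "expected"
    return "unexpected"

def audit(text):
    """Map every resolver in a `scutil --dns` dump to its classification."""
    return {addr: classify(addr) for addr in parse_scutil_dns(text)}

# Constructed samples standing in for real `scutil --dns` output.
SAMPLE_CLEAN = """DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
"""
SAMPLE_HIJACKED = """DNS configuration

resolver #1
  nameserver[0] : 199.182.166.168
  nameserver[1] : 199.182.166.169
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CLEAN), audit(SAMPLE_HIJACKED))
```

    On a real machine, feed it `subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout` instead of the samples; a "router-check-upstream" result means the check has to continue in the router's own DNS page.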

  • by thomas_r.,

    thomas_r. Apr 29, 2014 2:15 PM in response to James Cook2
    Level 7 (30,889 points)
    Mac OS X

    Aha! I think we have a winner! Looks like two of you had the same Serverel.net/com DNS servers.

    Now the question is, how did it get that way? Are these settings specific to your computer, or inherited from your wireless router? If they're in the wireless router, then it must have been hacked and will need to be reset... but then that begs the question of why your other devices were working fine.

    If none of your other devices have those settings, then how did your computer get set that way?

  • by James Cook2,

    James Cook2 Apr 29, 2014 2:29 PM in response to thomas_r.
    Level 1 (15 points)
    Notebooks

    I have a theory that the phony Flash update was the opening. And, little by little, the problem did start appearing on other computers on our network. Its random effect made it hard to tell but eventually it was showing itself everywhere.

    Since changing the DNS in the router setup there have been no recurrences - and I expect there won't be.

  • by thomas_r.,

    thomas_r. Apr 29, 2014 2:39 PM in response to James Cook2
    Level 7 (30,889 points)
    Mac OS X

    Actually, I'll bet the phony Flash update was a symptom, not a cause. There are a lot of known router hacks that cause fake Flash update pages to appear when trying to visit common pages (Google, Yahoo, Facebook, etc). And there doesn't appear to be anything malicious on your machine.

    In any case, I'm glad you seem to have gotten it fixed!

  • by Joseph White1,

    Joseph White1 Apr 30, 2014 7:13 PM in response to James Cook2
    Level 1 (5 points)

    I encountered the same exact issue. In my instance all devices were experiencing the same problem. Upon noticing these DNS entries I attempted to log in to my router and noticed its password had been reset/changed and so I performed a permanent reset on the device.

    One thing to note: I was using a DDNS to expose my router login page to the outside world and perhaps my password was hacked in this way, who knows. I have a Cisco E4200 fwiw.

    Joe

  • by noelrr,

    noelrr May 1, 2014 12:25 AM in response to Joseph White1
    Level 1 (0 points)

    Want to chime in - I was having the same popups issue appear around the same time this thread started. Noticed it was only when devices were connected to my home network, checked the DNS settings on my router, googled them, (199.182.166.168 and 199.182.166.169) and found this page. I've changed them back and seems to be all good, but the question on my mind is how the DNS settings changed in the first place? There is a password on my router (Cisco Linksys E1500), and it was not changed. The router admin page is accessible from the Internet, and while improbable, it's plausible that the password may have been guessed. Would love to have more people chime in to see similarities. Already seeing a few between me and joe.

  • by thomas_r.,

    thomas_r. May 1, 2014 1:58 AM in response to noelrr
    Level 7 (30,889 points)
    Mac OS X

    Your router has been hacked. It is not necessary to know or guess the admin password. See:

    https://tools.cisco.com/security/center/viewAlert.x?alertId=29291

  • by noelrr,

    noelrr May 1, 2014 2:22 AM in response to thomas_r.
    Level 1 (0 points)

    Wow - thanks for that. Didn't think to look that up. There are several vulnerabilities in the E1500 that Cisco will never fix, by the looks of it. I just turned off remote access, and will look into installing something like DD-WRT on it.

  • by thomas_r.,

    thomas_r. May 1, 2014 3:53 AM in response to noelrr
    Level 7 (30,889 points)
    Mac OS X

    Good plan.

  • by Joseph White1,

    Joseph White1 May 1, 2014 7:16 AM in response to thomas_r.
    Level 1 (5 points)

    Thank you Thomas and Noel,

    Here's the vulnerability report for the E4200: http://tools.cisco.com/security/center/viewAlert.x?alertId=32943

    Vulnerable products for this exploit: Linksys EA2700, EA3500, E4200, EA4500

    Joe

  • by n8huntsman,

    n8huntsman May 1, 2014 11:22 AM in response to Joseph White1
    Level 1 (0 points)

    I'm not sure it was the exploit. My router is the WNDR3700v3. I don't see any exploits for that. The commonality here is that we all had the remote admin feature turned on and open to the outside. Mine even had a link to it from a webpage served on port 80 of one of the machines in my network.

  • by xphobe,

    xphobe May 1, 2014 9:56 PM in response to James Cook2
    Level 1 (0 points)

    A few days ago I also found that my router's DNS ip addresses were set to 199.182.166.168 and 199.182.166.169. I have a Linksys E1000.

    I had remote admin turned on for testing but I've since turned it off again. But a hacker doesn't need remote admin or the router password to hack some routers. It can be a malicious browser script run inadvertently by a home user behind the router. Such a script could use a Cross-site scripting (CSS) attack to change certain settings in the router. I notice that Cisco has released updated firmware for the E1000 that "addresses several security issues" though they don't go into detail. So I have disabled remote admin and upgraded the firmware. Hopefully that's the end of that.

    But still, who owns 199.182.166.168 and 199.182.166.169?? Serverel is only a colocation facility. The owner of those IPs would be a client of Serverel. If thousands of routers have been compromised recently, this could be a very serious problem. I submitted a complaint to the FBI. We'll see if anyone reads it.

  • by James Cook2,

    James Cook2 May 2, 2014 3:10 PM in response to xphobe
    Level 1 (15 points)
    Notebooks

    Sigh... after enjoying a few trouble-free days from the popups, they came back. My router's DNS had been changed again. Now I know what to do and it only takes a few moments.

    But I have to wonder what other issues this may introduce or leave me vulnerable to.

    I do have port forwarding active on my Linksys E2500 router and port 80 is among the ports I use for running a development server.

    Do I buy a different router, or how do any of us get away from this nuisance?

  • by thomas_r.,

    thomas_r. May 3, 2014 3:19 AM in response to James Cook2
    Level 7 (30,889 points)
    Mac OS X

    Port forwarding isn't really the issue... that exposes your server to possible attack, but not your router. The issue is that your router has security vulnerabilities that allow it to be attacked. Some botnet is probably finding your router, detecting that it's vulnerable and hacking it.

    You could buy a different router, or you could install the DD-WRT router firmware:

    http://www.dd-wrt.com/site/index

    This would give you more secure firmware.
