[I haven’t come across any other reports of similar problems, so I thought I’d write this up quickly for anybody else encountering this same issue.]
I normally do my utmost to avoid doing computer support, but my neighbours had been suffering from ad popups for several months now and were at their wits’ end. As the issues seemed to have disappeared after having had a laptop re-installed, I figured it was malware and recommended they do some scans and repair. Since they hadn’t mentioned it since, I figured the problem was solved. But they were instead suffering in silence. They had tried everything — even contacting their ISP’s tech support.
The symptoms were that clicking on a Google search result caused the link target to open in a new tab. I find this kind of behaviour pretty handy (it’s generally how I do search), and I was prepared to write it off as some browser bar feature from their provider, Rogers. But my warning bells were triggered when clicking on a Google search result would occasionally spawn a popup ad (many of which were broken) or redirect to “search312.com”. Hooking up tcpdump showed connections going to a number of hosts, including http://www.find-quick-results.com, 20614.172.hit.tadasearch.com, ltdomains.com, 21677.172.filter.blendernetworks.com, rev.ineting.net.
After some digging, I finally discovered that their router DNS settings had been changed to some Russian-based redirection servers (18.104.22.168, 22.214.171.124). These servers redirect Google and other sites to a server that rewrites links to be opened in new tabs. If the miscreants had been more subtle in their ad popups, my neighbours would likely never have complained. Imagine the data that these miscreants have been harvesting!
Unfortunately, in this case the breach was introduced by the neighbours themselves. They had seen a popup claiming that Mozilla Firefox had detected unusual network activity and asking them to change some settings to check whether a computer was malfunctioning. That “warning” appeared around the time they started to notice these issues.
If you stumble upon this page because you’re having similar symptoms, check that your DNS settings are valid. If you’re uncertain, do a reverse lookup of the DNS server addresses and ensure that they belong to an organization you trust (e.g., your ISP). If you’re at all worried, then I’d highly recommend using Google’s Public DNS (126.96.36.199 and 188.8.131.52). Then do a round of malware and virus checking, and I’d also suggest changing your banking passwords.
[How are ordinary people supposed to figure this out?]