fisherni

join:2012-11-27
Raleigh, NC

3 edits

[TWC] NC: Injected ads after activating modem. TWC or other?

UPDATE:
As posted below, it seems that the timing was just a coincidence. This is only affecting one device on my network, so it's most likely local malware and not TWC injecting anything.

---------------------------------------------------------------

Short, less colorful version:
Activated my new modem. Now sites I browse to that don't normally have pop-up/closable ads are featuring a square box in the lower left-hand corner with an ad and a close button. Also, I am repeatedly getting a challenge window from Opera saying that the certificate for Facebook doesn't match the issuer domain (which is coming up as Google).

Right now, I am accusing TWC of modifying my web pages, but I realize that I am angry over this and that feels like it would be a PR nightmare if they were, so before I call them about it, I wanted to see if anyone else is seeing similar issues and eliminate other possibilities.

Longer, more colorful/ranty version:
Yesterday my new modem arrived (Motorola SB6121) so I plugged it in and called TWC so that I could replace the UBEE that they provided. After a painful 2 hours on the phone, I was told that they've done all that they can do and I need to wait 24 hours to see if it all works.

The issue I was having at the end of the call was that any site I attempted to load while things were being configured was automatically redirected to the Automatic Provisioning page ("Call us, give us your MAC, etc."). In other words, I used bing.com to test if my connection worked while on the phone; after they claimed all was working, bing.com would still be redirected to ap_index while google.com (which I did not use as a test page) would work fine. This was consistent across multiple browsers and devices, even if that browser or device was not used to browse to that page (so that should eliminate any caching issues on my end). They gave up on trying to resolve this, claiming that everything was correct on their side.

Within an hour or so, this issue seemed to clear up and I went to bed. This morning, I appeared to be able to load all pages without the Auto Provision page appearing. However, most of the pages that I browsed to this morning had an advertisement in the lower left-hand corner of the browser. The content was generally the same regardless of page or browser and consisted mostly of Nationwide or other less reputable ads ("The craigslist of sex" for example). The websites affected included many sites that I know actively refuse such ads, namely Fark.com and Reddit.com; thus, I have no reason to believe that it is the website doing this.

Also, when pulling up Fark, Opera repeatedly pops up a challenge stating that the certificate for facebook.com doesn't match the issuing domain of google.com. As I have never seen this pop up before, and I find it odd that google would be issuing anything for facebook, this raised additional concern for me and added to my feelings that something is meddling with my connection.

I ran CCleaner to wipe my cache but saw no change. I kicked off an antivirus scan before I left for work just in case, and will double check on another device as well when I get home (should be able to use my cell phone's internet as a control as well). My router is a Buffalo running their spin of DD-WRT, but I'm assuming that it is not the issue. Browsing the same sites at work, I see no such ads.

Like I said in the abstract, I'm currently pointing my finger at TWC and fearing that they've decided to start injecting ads in my browsing to pad their income. The ads are consistent and definitely not from the websites. I am assuming the chances of my machine or router suddenly getting infected at the same time as my modem being replaced are unlikely; my traffic being modified en route seems far more likely in my head. But again, I believe that that would be a PR nightmare for TWC, especially considering the content of the ads (why am I getting granny porn when trying to browse Fark?). Maybe they've got a misbehaving caching proxy that I was pointed to when they set up my modem (which I'm not sure would be better or worse. Either they'd be incompetent or malicious... neither pleases me).

So I'm looking to see if anyone else is seeing these issues or if I am alone. Also, I want to make sure that I am dotting my t's and crossing my i's, so what else should I be looking to check to eliminate possible issues?



Smith6612
Premium,MVM
join:2008-02-01
North Tonawanda, NY
kudos:23

Strange. After provisioning you did reboot your modem and also check to make sure you don't have the Opera Accelerator on, right? I'm not a user of Opera, but if you are using its Turbo function, that does go through Opera-operated proxy servers. Perhaps that is where the ads are coming from?



bitemeboy

join:2005-04-06
Otego, NY
reply to fisherni

You need to get over your paranoia that everything negative leads to TWC.

They could care less about your "PR nightmare".

Anyone with an ounce of common sense would have tried another browser.

Have you?
--
"But the world is full of annoyances; if we killed all of our annoyances, there would be nobody left" - John McAfee


fisherni

join:2012-11-27
Raleigh, NC
reply to fisherni

Same behavior seen in both Opera (Accelerator is off) and Firefox. Did not yet try IE or Chrome.

I'm not saying that I am going to create a PR nightmare for them. I am saying that if they were injecting ads and the general public learned of it, I would see that as a PR nightmare. That alone is why it strikes me as unlikely that TWC would willingly do this. That said, I know the variables that changed on my side (Modem swapped out), I don't know the variables changed on their side.



Smith6612
Premium,MVM
join:2008-02-01
North Tonawanda, NY
kudos:23

OK.

Can you supply a screenshot of this ad so we can get an idea of what it might be?


fisherni

join:2012-11-27
Raleigh, NC

Not a problem, once I get home from work (about 5 hours)



DrDrew
So that others may surf.
Premium
join:2009-01-28
SoCal
kudos:12
reply to fisherni

What DNS servers are you using?


bshampine

join:2010-04-08
Gouverneur, NY

Dr Drew.. Does it really matter in this situation what DNS servers she is using? Not being smart, I'm kind of new at this stuff and I've been doing some research on DNS servers to use with Time Warner. Thanks


fisherni

join:2012-11-27
Raleigh, NC

To his defense, it shouldn't matter (within reason), but no harm in checking.

Talking to a coworker who recently switched his modem, he's not seeing the same issues, but the first thing that he said was that he is using OpenDNS instead of Time Warner's. Time Warner's DNS should be fine. Select third-party DNS servers should be fine. Maybe I am using a less than reputable DNS. It's an easy thing to change though to test.

(again, when I get home this evening, I will reply with DNS info)



DrDrew
So that others may surf.
Premium
join:2009-01-28
SoCal
kudos:12

4 edits
reply to bshampine

said by bshampine:

Dr Drew.. Does it really matter in this situation what DNS servers she is using? Not being smart, I'm kind of new at this stuff and I've been doing some research on DNS servers to use with Time Warner. Thanks

When using certain DNS (OpenDNS for example, not sure about Google DNS though), popular websites are redirected to different servers for the pages than the standard servers most DNS servers use.

Some versions of UBEE modems were also routers which defaulted to using TWC DNS servers (which couldn't be changed) and issued that to connected devices.

Changing the modem to a non-router version like the SB6121 allows users to get away from the default TWC DNS servers, especially when using their own router and custom config (like DD-WRT). OpenDNS is a commonly used 3rd party DNS service. This could be the reason for some of the alerts the OP is seeing, a change in DNS servers now causing redirects.

Other parts of the initial post just sound like the Walled Garden/Auto Provisioning page for new unregistered modems. That activity cleared up the day after the OP finished new modem registration. It might have cleared up sooner if the user's router was reset. I've seen home routers and PCs hang on to old DNS servers used by Auto Provisioning and cause all sorts of odd issues until they're reset and caches are cleared.

The pop-up ad activity sounds like a 3rd party plugin or malware. I've never seen or heard of TWC doing that. A screenshot would help narrow down what is happening.
--
If it's important, back it up... twice. Even 99.999% availability isn't enough sometimes.

iansltx

join:2007-02-19
Austin, TX
kudos:2

+1 for thinking that's malware; OpenDNS doesn't do popups like that.


fisherni

join:2012-11-27
Raleigh, NC
reply to DrDrew


And now that I am home and have time to do the investigation suggested and other steps I wanted to do when I got home......

I agree completely, DrDrew

said by DrDrew:

Other parts of the initial post just sound like the Walled Garden/Auto Provisioning page for new unregistered modems. That activity cleared up the day after the OP finished new modem registration. It might have cleared up sooner if the user's router was reset. I've seen home routers and PCs hang on to old DNS servers used by Auto Provisioning and cause all sorts of odd issues until they're reset and caches are cleared.

DNS 1: 209.18.47.61
DNS 2: 209.18.47.62

I may not have rebooted my modem expressly (I think I did... doesn't matter now), but I know I renewed the DHCP lease which should have come down with the new DNS address. That said, I agree with you, it could very likely have been my router hating on me. When I tried to direct connect to the modem I couldn't seem to get an IP, so I didn't get to explore that option last night too much when on the phone with TWC.

said by DrDrew:

The pop-up ad activity sounds like a 3rd party plugin or malware. I've never seen or heard of TWC doing that.

The coincidental timing of it is a bitch though. Replace my modem, come online, get infected... That's roughly the statistic for an unpatched machine as I recall, not one that should be up to date.

That said, it's looking like that is the case. My tablet, phone, and a Win2k VM all look like they are working without the issues. The virus scan finished and claimed it saw 2 issues, though cleaning them and rebooting has not resolved it.

So now that my anger at TWC has passed (2 hours on the phone with their hold music, incompetent staff hanging up on me, and not having a resolution by the end of it all will do that), I must begin finding what malware has found its way onto my system.

The promised pictures:
Certificate issues:
»imageshack.us/photo/my-images/69···ark.png/

DSLReports when I loaded this thread:
»imageshack.us/photo/my-images/85···rts.png/

When I tried to load this thread the first time, I was thread jacked to here:
»imageshack.us/photo/my-images/26···ink.png/

And the same ad being shown in Firefox and Opera on two different sites:
»imageshack.us/photo/my-images/19···ing.png/


DataRiker
Premium
join:2002-05-19
reply to fisherni

100% certain this is adware


fisherni

join:2012-11-27
Raleigh, NC
reply to fisherni

And after a couple virus scans, malware scans, and finally remembering to run HijackThis, it looks like it's been resolved.

Something went and added this to my hosts file:
O1 - Hosts: 93.115.241.27 www.google-analytics.com.
O1 - Hosts: 93.115.241.27 ad-emea.doubleclick.net.
O1 - Hosts: 93.115.241.27 www.statcounter.com.
O1 - Hosts: 93.115.241.27 connect.facebook.net.
O1 - Hosts: 66.197.194.232 www.google-analytics.com.
O1 - Hosts: 66.197.194.232 ad-emea.doubleclick.net.
O1 - Hosts: 66.197.194.232 www.statcounter.com.
O1 - Hosts: 66.197.194.232 connect.facebook.net.

After some dancing to make the hosts file editable and a reboot, all looks well again. Thanks for reminding me of other things to check so I could remember that association doesn't mean causation.
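The mechanism behind this thread's resolution is a hosts-file hijack: third-party script domains (analytics, ad-serving, Facebook's connect script) were pointed at public addresses the poster did not control, which explains both the foreign ads on every site and the Facebook certificate warning. The following is an added example (not code from the post or from HijackThis) that parses a hosts file and flags any name mapped to a routable public address; the sample hosts content is constructed from the O1 entries above plus benign lines, and the Windows hosts path in the usage stub is the standard location, not something the post states.

```python
import ipaddress
import os
import sys

# Constructed sample modelled on the HijackThis O1 lines in the post,
# with the normal loopback and a blocklist-style 0.0.0.0 entry added.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
93.115.241.27 www.google-analytics.com
93.115.241.27 connect.facebook.net
66.197.194.232 ad-emea.doubleclick.net
0.0.0.0 ads.example.test   # sinkhole-style entry, harmless
"""


def parse_hosts(text):
    """Return (ip_address, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:                    # not an address, skip the line
            continue
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Return [(ip, name)] for entries that send a name to a routable public IP.

    Loopback, unspecified (0.0.0.0), link-local and private addresses are the
    normal uses of a hosts file (localhost, ad sinkholes, LAN names). A public
    address is the pattern from the post: a well-known script domain redirected
    to a host the user does not control, so every page loading that script
    fetches attacker-chosen content and TLS names no longer match.
    """
    return [
        (str(ip), name)
        for ip, name in parse_hosts(text)
        if not (ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_link_local)
    ]


if __name__ == "__main__":
    default = r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt" else "/etc/hosts"
    path = sys.argv[1] if len(sys.argv) > 1 else default
    with open(path, encoding="utf-8", errors="replace") as fh:
        for ip, name in suspicious_entries(fh.read()):
            print(f"SUSPICIOUS: {name} -> {ip}")
```

Run it against the live hosts file on a machine showing the symptoms; any line it prints should be removed and the file's permissions reviewed, since benign hosts files almost never map names to public addresses.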


Oedipus

join:2005-05-09
kudos:1
reply to fisherni

Glad you got it fixed, but I did smile at the implication that TWC would nefariously link you to Suddenlink's website.


fisherni

join:2012-11-27
Raleigh, NC

As you should.