[Irma]

Everytime I click the link to visit shuttertalk which is http://www.shuttertalk.com/forums/index.php I am redirected to this page... :/
Is it happening to some of you as well, or it's just me?
Sorry to complain but it is really getting on my nerves....

[StudioJ]

Where is that link found Irma? On the main page for ST?

[EnglishBob]

Could be a hijack program on your own computer Irma, does it do it on any other sites? I haven't had any such experiences here.

[Irma]

StudioJ, Yes, it is in the main page of ST.... in the index only... then I click back and it doesn't bother again... but I leave the site open in one of my threads and later I refresh I am redirected again....

It is just in this site, Bob... I will check my computer... Thanks

G activated a popup blocker and it seems to work normal now....

~~~~~~~~~~~~~~

**Note half an hour later.......

It didn't work I am still redirected

[Petographer]

Come to think of it, it happened quite some time ago. I don't recall what the fix was or if it just corrected itself.

[Irma]

I made a virus scanner just two weeks ago, and the program found a file and it destroyed it... I am planning to make another virus scanner tonight... I hope it helps...

[shuttertalk]

Hm.. that's quite disconcerting, Irma...

When the page loads, try viewing the page source and see if there's any malicious code there... redirect would usually be up the top, inside the head tags.

From my browser (trying both IE and Firefox) - I can't see anything untoward...

Anyone else seeing this?

[Polly]

Hm.. that's quite disconcerting, Irma...

When the page loads, try viewing the page source and see if there's any malicious code there... redirect would usually be up the top, inside the head tags.

From my browser (trying both IE and Firefox) - I can't see anything untoward...

Anyone else seeing this?

It sometimes happens to me too - IE6 - Norton Internet security and I'm sure I have no viruses - PC scanned every 24 hrs. Popups and ads are blocked - but not the text box ads on the right.

I have a feeling it happens when the cursor slips off the bar as I scroll down. I thought maybe it was slipping off onto a box advert - just sloppy scrolling by me. I have a hunch it happens when the cursor slip off to the *right* side rather than into the main body of the page? if it happens, i just click to go back, same as irma, then it's ok again.

Strange thing is - it never happens twice in one session. I can't deliberately find the page no matter how hard I try slopping the cursor off the edges as I scroll??

Pol

[Polly]

Hm.. that's quite disconcerting, Irma...

When the page loads, try viewing the page source and see if there's any malicious code there... redirect would usually be up the top, inside the head tags.

From my browser (trying both IE and Firefox) - I can't see anything untoward...

Anyone else seeing this?

It sometimes happens to me too - IE6 - Norton Internet security and I'm sure I have no viruses - PC scanned every 24 hrs. Popups and ads are blocked - but not the text box ads on the right.

I have a feeling it happens when the cursor slips off the bar as I scroll down. I thought maybe it was slipping off onto a box advert - just sloppy scrolling by me. I have a hunch it happens when the cursor slip off to the *right* side rather than into the main body of the page? if it happens, i just click to go back, same as irma, then it's ok again.

Strange thing is - it never happens twice in one session. I can't deliberately find the page no matter how hard I try slopping the cursor off the edges as I scroll??

Pol

PS .... I see no redirect in the source either??

It's just as though the cursor is slipping off the scroll bar onto an ad.

Pol

[shuttertalk]

Hey Pol! Long time no see...

It's just as though the cursor is slipping off the scroll bar onto an ad.

I suppose that would do it too...

[Polly]

Hey Pol! Long time no see...

It's just as though the cursor is slipping off the scroll bar onto an ad.

I suppose that would do it too...

Well here's something very interesting for you to think about!

I'd gone offline for a few minutes for breakfast. came back to the PC and deleted all the history, cleared the cache to get rid of all cookies etc to see if that made any difference - then went online again.

First thing I did online was to check the email, via mailwasher as usual. Found your email notification and clicked on the link to come back to this thread and guess what - that rogue page opened instead of this thread!

I saved a text copy of the source code ans I'm attaching a screenshot of the top headers. Then I closed the page, opened ST forums via my bookmark and got here without any more problems.

Very odd!! Here's the screenshot and I can zip and mail you the full text file of the source code if you want it.

BTW - I'm still around, looking in from time to time but i'm pre-occupied elsewhere atm, don't have a lot to say and not many pix - or not many worth looking at anyway! Ruf keeps in touch with me and nips my ankles occasionally .



Pol

[Polly]

Julian - I've sent you an email with a link to my personal webspace - from where you can d/l a zipped copy of the full source code of the intruding webpage.

Pol

[Irma]

The problem to me is when I am offline and access shuttertalk... at the moment I connect to internet I know I will be redirected... when I write a post and it takes long for me to write it and I submit it... I am redirected as well because I was already offline while I was writing my post so I had to connect first to internet and then submit...

I have paid attention to the bar at the bottom where you read the links... When I am redirected, the address changes so fast, but I could read two words just.... "trustbird" or "trostbird" and "extreme"... I really don't know if this is useful...

Irma

[Polly]

The problem to me is when I am offline and access shuttertalk... at the moment I connect to internet I know I will be redirected... when I write a post and it takes long for me to write it and I submit it... I am redirected as well because I was already offline while I was writing my post so I had to connect first to internet and then submit...

I have paid attention to the bar at the bottom where you read the links... When I am redirected, the address changes so fast, but I could read two words just.... "trustbird" or "trostbird" and "extreme"... I really don't know if this is useful...

Irma

It's not just you, irma - me too. I've email Julian as many details as I could so he can investigate.

After I read your post, I was suddenly redirected! i clicked to come back to the thread, which was ok. However, I couldn't post this reply until after I'd refreshed the page - because the quote/reply links has disappeared!!

definitely something not quite right happening.

I have to go now - we're on our way out.

TTFN

Pol

[slejhamer]

Though I have had many access problems with the site, I have not seen this particular one.

However, there have been many times when I click on one of the forum links on the main page and I get a 404 error instead. Perhaps this is related.

[Irma]

I think we cracked it. G ran a spyware scanner on my computer and it found more than 300 objects, including a trojan. These objects are removed now, and the effect is gone for the moment. I will watch this during the next few days.

If you're interested, there is a free version of the scanner available at LavaSoft.

Thanks for your help in this.

Irma

[Petographer]

It just happened to me. As Shuttertalks forum page was opening it redirected to http://www.atspace.com/how_to_choose_a_w...vider.html
I just finished a complete cleanout of my computer and I do mean complete yesterday.

[Polly]

I think we cracked it. G ran a spyware scanner on my computer and it found more than 300 objects, including a trojan. These objects are removed now, and the effect is gone for the moment. I will watch this during the next few days.

If you're interested, there is a free version of the scanner available at LavaSoft.

Thanks for your help in this.

Irma

Thanks for the suggestion and the link - but I already use Spybot S&D, which is very reputable, so I was sure my system is clean. I've just done another S&D scan and it didn't find any threats, nothing at all.

The redirect page is intermittent - sometimes happens, sometimes it doesn't. It DID happen a few seconds after logging in this time - even after the clean spybot scan.

I'm not too keen on installing another Spyware proggie, certainly for the moment, so I'll also watch and wait and see if Julian can make anything of the zip I mailed him (containing the source code of the offending webpage)

Pol

[Polly]

It just happened to me. As Shuttertalks forum page was opening it redirected to http://www.atspace.com/how_to_choose_a_w...vider.html
I just finished a complete cleanout of my computer and I do mean complete yesterday.

I'm as sure as I can be that there's something suspicious happening. I know my PC is clean, I'm also sure all my security software is up-to-date.

Hopefully something can be sussed and sorted.

Pol

[Petographer]

Even after running programs such as Spybot S&D, Spysweeper or Webroot's Adaware you would be surprised to find what is still on your computer. My suggestion is to run Hijack this. Download direct here and run the scan and save the file to your computer. Go to http://www.hijackthis.de and locate the file on your computer and hit the analyze button. You will get a complete list of the running programs that may be threats. It was recommended to reboot in safe mode to manually remove these threats but I did it both ways.

If you need to post your findings here for people to look at and determine what is safe and what is not then do so. It is better that you get a second opinion before you remove something that you are not sure about. The program could bring up something as a possible threat if it is not familiar with the program.

Good luck. I hope this helps.

[Polly]

Even after running programs such as Spybot S&D, Spysweeper or Webroot's Adaware you would be surprised to find what is still on your computer. My suggestion is to run Hijack this. Download direct here and run the scan and save the file to your computer. Go to http://www.hijackthis.de and locate the file on your computer and hit the analyze button. You will get a complete list of the running programs that may be threats. It was recommended to reboot in safe mode to manually remove these threats but I did it both ways.

If you need to post your findings here for people to look at and determine what is safe and what is not then do so. It is better that you get a second opinion before you remove something that you are not sure about. The program could bring up something as a possible threat if it is not familiar with the program.

Good luck. I hope this helps.

Thanks. I'd been thinking about running Hijack this but wouldn't be able to interpret the log - so I'll follow your advice and intructions and see how it goes.

Pol

[Polly]

Even after running programs such as Spybot S&D, Spysweeper or Webroot's Adaware you would be surprised to find what is still on your computer. My suggestion is to run Hijack this. Download direct here and run the scan and save the file to your computer. Go to http://www.hijackthis.de and locate the file on your computer and hit the analyze button. You will get a complete list of the running programs that may be threats. It was recommended to reboot in safe mode to manually remove these threats but I did it both ways.

If you need to post your findings here for people to look at and determine what is safe and what is not then do so. It is better that you get a second opinion before you remove something that you are not sure about. The program could bring up something as a possible threat if it is not familiar with the program.

Good luck. I hope this helps.

I ran Hijack this - went to the link you posted and ran the analysis and there was nothing suspicious. Almost all green ticks and the only ones that were queried were related to my ISP, the ISP help application and that was it.

Absolutely nothing I didn't recognise as valid anywhere in the analysis list. I'll keep an eye on it and run another scan after a few days but ............... ??

Thanks for that analysis link though - it's superb!

Pol

[Petographer]

You are welcome Pol. It nabbed things on my puter that other adaware programs didn't.

[shuttertalk]

This is very annoying indeed - thanks for your patience veryone...

I've checked the source on the server, and can't see anything that would cause the problems. I've also disabled all security on my computer and IE browser (eek) and hit the page numerous times, but I can't seem to replicate the problem...

Are people still having problems?

If so, can you let me know what browser you're using?


Pol, thanks for the code as well - it's quite interesting because when I view the source of the page at http://www.atspace.com/domain_name_basics.html, I see the following:

Code:

<HTML>
<HEAD>
<TITLE>FREE Web Hosting, Domain Hosting - ATSPACE.COM - Web Hosting, Domain Name Registration, Inexpensive, Low Cost, Affordable, Reliable Provider, PHP, MySQL, Linux, Ecommerce</TITLE>
<link rel="STYLESHEET" type="text/css" href="http://www.atspace.com/images/styles.css">
<script type="text/javascript">
<!--
if (self != top) {
top.location = self.location;
}
// -->
</script>
</HEAD>
<BODY  TEXT=#000000  LINK=#ff0000  ALINK=#FF0000  VLINK=#ff0000>
<center>

<a href="http://www.atspace.com/"><i>ATSPACE.COM</i></a> a FREE
<a href="http://www.zettahost.com/">Web Hosting</a> Service of
<a href="http://www.zettahost.com/">ZETTA HOSTING SOLUTIONS</a>
<br><br>

With your version of the code, I can see some extra bits in there, namely:

Code:

<script language="JavaScript">
<!--

function SymError()
{
  return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

and also:

Code:

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>

It could be what's causing the redirection. If you could find what's inserting that code into your browser, and when it is being inserted, it might lead to the culprit...

[Polly]

Hi Julian - thanks for the reply. Interesting that there's a difference in the source code but I dunno what else I can do TBH.

It's still happening this morning - cleared the cache, ran the scans again and nothing nasty was found so .................... ????

I'm using IE6 - all up-to-date with the security updates.

Could it be some rogue set to redirect at random, maybe via the bulletin board services? it doesn't happen to me every time but it does happen quite a lot.

Nothing like this has ever happened anywhere else on the net - just here on the ST forum.

Pol