Anyone know about parking.ps/ virus?

[davejonesbkk]

Seems I have acquired a browser virus in the last 24 hrs or so, randomly websites redirect to http://parking.ps/, there doesnt seem to be any pattern on how or why, I have noticed that in the last hr its only been doing it in Google Chrome incognito mode while normal mode has been fine.

Ive been Googling and most of the results ask me to donwload a program to clean it which looks very suspicous to me eg:

http://www.cleanpcguide.com/remove-parking-ps-removal-guide-how-to-remove-parking-ps/

Ive been trying to follow the manual instructions to but I havent been able to find any evidence of Parking.ps in my installed programs or processes etc

[davejonesbkk]

p.s done full scans with CCleaner and Adaware already which havent resolved it

[RedCardinal]

What ISP are you with.

I'm also seeing this, but it's affecting all devices in my home so I suspect it's a DNS hack. I'm on True cable.

PS do not download anything that looks dodgy - it will probably just double your pain. Stick to MalwareBytes or well known Malware/AV vendors only.

PPS CCleaner doesn't fix malware, ans Adaware wouldn't be a very good anti-malware program IMO.

Edited September 5, 2013 by RedCardinal

[Silurian]

I am getting the same thing across Chrome, Firefox and IE. It appears to be some sort of redirect. From what I researched, it is either a DNS hack, a WEB site hack, flash or javascript hack. One thing that seemed to help me was to clear the cache, history, etc of each browser.

[lomatopo]

Could it be related to ThaiVisa?

[RedCardinal]

I am getting the same thing across Chrome, Firefox and IE. It appears to be some sort of redirect. From what I researched, it is either a DNS hack, a WEB site hack, flash or javascript hack. One thing that seemed to help me was to clear the cache, history, etc of each browser.

Who's your ISP? What DNS servers are you using?

[Silurian]

I am getting the same thing across Chrome, Firefox and IE. It appears to be some sort of redirect. From what I researched, it is either a DNS hack, a WEB site hack, flash or javascript hack. One thing that seemed to help me was to clear the cache, history, etc of each browser.

Who's your ISP? What DNS servers are you using?

Using True for ISP. I am using Google DNS (8.8.4.4) as my primary DNS and asianet DNS (203.144.207.49) as my secondary DNS server.

After clearing my browser data, I haven't seen the redirect in the past 30 minutes.

I also cleared my cached DNS by issuing "ipconfig /flushdns" in a windows command prompt. But that didn't seem to help.

[davejonesbkk]

IM on True cable also, it only started around 24-36 hrs ago for me, I had downlaoded divx.com free trail just before that but I doubt from there, not done much else different really.

Interesting that other people are getting it and also on True. Im using opendns like always, I did a full cache clear etc an hr ago and after that it seems that this is now only happening in the incognito mode of chrome which is very weird.

I will try flushdns now myself and MalwareBytes.

So I guess if no evidence of it on my actual computer (none so far) then its a DNS hack? If so how worried should I be about passwords etc?

[davejonesbkk]

Silurian -try running some test fro 20 mins or so opening websites in normal chrome and incognito and see what happens

[RedCardinal]

Lots of Thai users also getting this over on Pantip. Only ISP mentioned is True, so I reckon this is either something that's sitting on their caching servers, or some stupid change they've made.

A couple of years ago they got caught red-handed injecting their own ads into Youtube pages. Suffice to say Google security people were none too happy with them, and it stopped very quickly after Google were alerted.

I use True with Google DNS, cleared caches and still getting it. Will try True proxy to see if that fixes it.

[Chicog]

Open a command prompt and type NSLOOKUP

Then enter a site that's giving you this problem and see what answers.

e.g. www.ibm.com

[RedCardinal]

Open a command prompt and type NSLOOKUP

Then enter a site that's giving you this problem and see what answers.

e.g. www.ibm.com

Won't work. Sites are loading fine, but then redirected after a short delay. It may be an ad network, although I've now seen it on a page without ads. Debugging this is very hard since the redirect is probably being loaded asynchronously into the page, so wont appear in the initial page collateral. Still looking for the actual redirect...

[muratremix]

I'm also having this problem and using True Ultra cable internet, however I'm not using ISP DNS servers. I use google dns, and now I use local dns server (on Synology Nas) which has no effect. Problem is, I got this redirects on iPad, not my windows laptop. So I found adblock for safari on Jailbreak and installed it, problem solved. I have adblock on firefox so it was blocking this hijack somehow.

It is very annoying and I hardly understand how can they mess things up like this?

[muratremix]

Oh, I forget to mention. I had this annoying redirects on iPad even when I use a personal proxy server (proxy resolves DNS queries so it should prevent redirects). So problem mostly lies on hacked internet infastructure of True internet.

[partington]

Definitely not a virus. I got this yesterday on a MacBook Pro. Others are getting it on Windows, still others on the iPad OS. Unlikely a virus on three different OS.

The common link is everyone reporting this has True as their ISP, so it's likely something they've done, or security they have failed to do.

Edited September 5, 2013 by partington

[chuckygobyebye]

We have two True cable connections for the office and a backup 3bb ADSL line. We're not getting the effect when we're on the backup line.

I can reliably reproduce the effect with news.bbc.co.uk and linkedin.com, doesn't happen on any https sessions, so it's code injection somewhere along the line.

[elfpattaya]

I also had this problem, maybe something to do with True ?? Found it very annoying. Tried Avast, Malware Bytes, SUPERantispyware and tried removing it manually but no joy.

I found that both Chrome and Firefox have an Add On called "HTTPS Everywhere". I installed this and it seems to have cured the problem.

Edited September 5, 2013 by elfpattaya

[muratremix]

Who wants to contact true and explain this situation to them?

[RedCardinal]

Switching to True's Proxy also resolves this issue. Not a great solution, but at least until they fix it on their end it removes this painful redirect.

[Chicog]

Switching to True's Proxy also resolves this issue. Not a great solution, but at least until they fix it on their end it removes this painful redirect.

Perhaps that is the MICT's intention.....

[chuckygobyebye]

Problem fixed at our end.

It turns out our loadbalancer was assigning fixed DNSs to the workstations. True updated their DNSs last year or something and changed the addresses. When we switched to the new servers the problem vanished.

I expect what's happened is that True have left these creaky old DNSs on as a courtesy but haven't been patching them and they've been hacked/poisoned.

[RedCardinal]

Problem fixed at our end.

It turns out our loadbalancer was assigning fixed DNSs to the workstations. True updated their DNSs last year or something and changed the addresses. When we switched to the new servers the problem vanished.

I expect what's happened is that True have left these creaky old DNSs on as a courtesy but haven't been patching them and they've been hacked/poisoned.

Don't think so. A few posters in thread use Google DNS. I do also. This is something else. I suspect that a bad file served via an ad network is probably cached in True's caching infrastructure, and that's why it keeps appearing. Either that or True are trying to do something clever and doing it really badly.

[partington]

Problem fixed at our end.

It turns out our loadbalancer was assigning fixed DNSs to the workstations. True updated their DNSs last year or something and changed the addresses. When we switched to the new servers the problem vanished.

I expect what's happened is that True have left these creaky old DNSs on as a courtesy but haven't been patching them and they've been hacked/poisoned.

Don't think so. A few posters in thread use Google DNS. I do also. This is something else. I suspect that a bad file served via an ad network is probably cached in True's caching infrastructure, and that's why it keeps appearing. Either that or True are trying to do something clever and doing it really badly.

Yes, I was using the Google DNS when it began for me too.

[BWPattaya]

I was talking to a friend last night who had the same issues. He emailed me today to say:

After praising True I think I've just realised that they were the reason why my pages were being redirected to Parking.ps, after spending most of the day trying to fix this with various antiviruses etc.

Anyway I found a cure using an Add On with Firefox and Chrome called "HTTPS Everything".

This looks like a good Add On as it opens everything on the browser securely and seems to work really well, I think I shall keep it even though True seems to have cured the problem.

[HardenedSoul]

Has True actually solved the problem, though?

I didn't have the issue on Chrome but on IE9 instead. I tried to do a system restore but although the last backups are there, this virus seems to prevent access to them via the restore function.

Does anyone have a definitive cure for this?

[partington]

It's NOT a Virus!!!!! It's originating from something within the True servers.

AdBlock may possibly stop it as it seems to be some kind of flash ad loading then redirecting when the flash fails to open (somewhat guessing here).

You can read about parking domains here http://en.wikipedia.org/wiki/Domain_parking

It seems like someone has set up a link to an ad that fails to open, and this is designed to redirect your browser to a site which someone gets money for hits on?

Edited September 5, 2013 by partington

[SecretAgentMan]

Could it be related to ThaiVisa?

I have it too and it started for me while i was on Thaivisa.

I am also using True.

Edited September 5, 2013 by SecretAgentMan

[sfm]

PS do not download anything that looks dodgy - it will probably just double your pain. Stick to MalwareBytes or well known Malware/AV vendors only.

PPS CCleaner doesn't fix malware, ans Adaware wouldn't be a very good anti-malware program IMO.

That is a damned important piece of advice!

Got the problem myself, and googling for it took me to a number of websites.

Some of them just suggested downloads, some others suggested a manual removal method first that appeared to deliberately make things so complicated that nobody will try it.

If you download solutions from companies you don't know, yes, you are in for it. Fake virus-removers are the oldest trick in the book.

Clearing all history seems so far to have fixed it for me.

I agree with those who say it may be a problem outside the PC.

[kotsak]

Occurred to me also on two different computers. LinkedIn website seems to always redirect to parking.ps. Looks like there is a Google URL shortener that is responsible for the redirect.

Tried different DNS servers but it made no difference..

[ignis]

The only time I ever see it is on here.......... like a few seconds ago....

All webpages load as soon as I click them, just ThaiVisa takes it time loading and in the waiting this parking website replaces the ThaiVisa page that is trying to load...

It has appeared a few times but only ever on ThaiVisa

I just thought it was yet another ThaiVisa problem........... getting so used to a ThaiVisa problem being fixed which causes another problem or 3...... so appear this Parking thing is not from ThaiVisa ? and maybe from TRUE.... True + Google DNS