I've got a readdressing problem in China which I thought everyone might find interesting.
Recently my ISP went down and when I went to my address, <website>.org, a spam page came up instead.
The offending IP 202.102.110.207 is on my NoScript blacklist and so is the domain 025.zhenhuasuan.com, so what I expected to happen was that the redirect would stop. YET, even with <website>.org coming from my server with no problem, when I type <website>.org into my Firefox browser, the address redirection still happens.
Some interesting points:
1. If I use SeaMonkey instead, the readdressing doesn't happen.
2. Even with cookies cleared and 202.102.110.207 blocked via NoScript, the redirect happens again and the cookie is reinstalled into Firefox. Now cookies are blocked from both that IP and 025.zhenhuasuan.com, but this doesn't stop the redirect.
3. I blacklisted 025.zhenhuasuan.com by editing the /etc/hosts file (I'm running Ubuntu 10.04). The readdressing STILL happens, only that I get a "could not connect to the server" error in Firefox with the address still showing as 025.zhenhuasuan.com! (I assume the same would happen if I installed the BlockSite FF addon.)
4. I ran FF in safe mode according to this, ran FF without plugins, and the address redirect was still there. Not a rogue plugin!
5. I also tried about:config and searched for 025.zhenhuasuan.com and got no results. I can't find where the redirect is being ordered from in the config file. (Any suggestions?)
I contacted the developer of NoScript and he said:
There's probably something (a rogue add-on / toolbar or plugin? maybe a proxy configuration?) installed into your Firefox profile which performs the redirect. At least, this is the only theory consistent with the fact Seamonkey is unaffected.
Please check if running Firefox in safe mode or with a clean profile helps. If it does, you may need http://kb.mozillazine.org/Transferri..._a_new_profile
There's no toolbar, plugins/addons have been disabled and the thing still redirects - so I don't think that's the problem. Making a new profile would work, but it takes too long to keep up with all the new hijacking attacks.
Any suggestions on how I might kick this Chinese virus? Thanks in advance to anyone who has read this far!