Thread: Auto-re-routing

  1. #1
    Amphibious Trebuchet Salesman Member Whacker's Avatar
    Join Date
    Nov 2006
    Location
    in ur city killin ur militias
    Posts
    2,934

    Default Re: Auto-re-routing

    You have a virus and/or rootkit. You'll want to run MS Defender, Adaware, possibly Spybot, and your AV program of choice until they show up clean. If this still doesn't fix your problem, then you've got a rootkit, and those are just about impossible to extract without the right tools and some serious knowhow.

    "Justice is the firm and continuous desire to render to everyone
    that which is his due."
    - Justinian I

  2. #2
    Oza the Sly: Vandal Invasion Member Braden's Avatar
    Join Date
    Apr 2005
    Location
    Leeds, Centre of the Universe, England
    Posts
    1,251

    Default Re: Auto-re-routing

    Autorouting link for 2nd issue:

    http://protect-yourselfb.com/1/?sess...EyNTU1McQMMQkN

    Like I said, if it occurred on one PC I'd agree with all of you and say it's a virus issue on the PC in question, but with two separate PCs, one of which is a work-based PC with corporate firewalls etc. as well as many non-work sites blocked, I assumed it may be something embedded in the forums.

    Not saying I'm right though by a long shot!
    My Steam Community Profile - Currently looking for .Org members I know with NTW for MP stuff (as I'm new to that...lol)

  3. #3

    Default Re: Auto-re-routing

    Interestingly enough:
    Code:
    wget -O ~/dltestfile -c http://protect-yourselfb.com/
    file ~/dltestfile
    The result is: dltestfile: very short file (no magic); not surprising since wget reports an amazing content-length of: Length: 1 [text/html]. (1 byte). Guess what that single byte is? 0x0A. (Newline.)
    - Tellos Athenaios
    CUF tool - XIDX - PACK tool - SD tool - EVT tool - EB Install Guide - How to track down loading CTD's - EB 1.1 Maps thread


    ὁ δ᾽ ἠλίθιος ὣσπερ πρόβατον βῆ βῆ λέγων βαδίζει” – Kratinos in Dionysalexandros.

  4. #4
    Headless Senior Member Pannonian's Avatar
    Join Date
    Apr 2005
    Posts
    7,978

    Default Re: Auto-re-routing

    Someone else seems to have the same problem on another forum. Googling doesn't find anything else on it yet, and the site itself isn't on my DNS. Try tracerting that host and noting down what IP it produces.

  5. #5
    Amphibious Trebuchet Salesman Member Whacker's Avatar
    Join Date
    Nov 2006
    Location
    in ur city killin ur militias
    Posts
    2,934

    Default Re: Auto-re-routing

    The other possibility is that a DNS server has been either compromised or poisoned.

    I still say scan the crap out of both of your machines with those programs I listed. If it's clean, then they're clean, and the problem is ISP related.

    "Justice is the firm and continuous desire to render to everyone
    that which is his due."
    - Justinian I

  6. #6
    Oza the Sly: Vandal Invasion Member Braden's Avatar
    Join Date
    Apr 2005
    Location
    Leeds, Centre of the Universe, England
    Posts
    1,251

    Default Re: Auto-re-routing

    Yup, going with that option for now. Posted this mainly as a warning for the forum Admin, can't actively scan the work PC as that's done by our national IT department on a regular basis (multinational company) but will go down hard on my home one as soon as I have the 2hr+ it'll take.
    My Steam Community Profile - Currently looking for .Org members I know with NTW for MP stuff (as I'm new to that...lol)

  7. #7
    L'Etranger Senior Member Banquo's Ghost's Avatar
    Join Date
    Dec 2005
    Location
    Hunting the Snark, a long way from Tipperary...
    Posts
    5,604

    Default Re: Auto-re-routing

    If it helps, I have experienced the same problem with the bingo redirect just recently.

    I have been given a brand new Windows laptop for running games. The OS is Windows 7. The only programs installed on the machine are Baldur's Gate, STW, MTW, M2TW, ETW with Steam connection. There is AVG anti-virus and Firefox with Ad Block.

    I have used Firefox to visit one site only, and that is the Org. A couple of days ago, I got the redirect as described above.

    My usual machines are a MacBook Pro and a MacBook Air, both running Snow Leopard. I use Safari to visit the Org and the rest of the web, and occasionally Firefox.

    There has never been this issue with the Mac set-up. Given that I have a pretty clean Windows machine, I might venture that this is a problem with something on the Org, and that uses a Windows vulnerability.

    I don't know whether this information helps the more technically knowledgeable, but I hope so.
    "If there is a sin against life, it consists not so much in despairing as in hoping for another life and in eluding the implacable grandeur of this one."
    Albert Camus "Noces"

  8. #8
    Guest Aemilius Paulus's Avatar
    Join Date
    Aug 2008
    Location
    Russia/Europe in the summer, Florida rest of the time
    Posts
    3,473

    Exclamation Re: Auto-re-routing

    Quote Originally Posted by Whacker View Post
    You have a virus and/or rootkit. You'll want to run MS Defender, Adaware, possibly Spybot, and your AV program of choice until they show up clean. If this still doesn't fix your problem, then you've got a rootkit, and those are just about impossible to extract without the right tools and some serious knowhow.
    Definitely. That is what I first thought. Such symptoms are usually malware-induced. But Windows Defender and Adaware are near useless, I used them a long time ago. Now, Spybot is a different thing. It actually works quite well. But not nearly as well as the fully-functional 30-day trial of the best AV package ever made - Kaspersky Internet Security 2010. It even has a feature called Safe-Run where you can run any program in a virtual, closed environment, which protects you from virtually any malware you can pick up from surfing the web.

    So get it. It is free, for 30 days. Fully functional - it scans, protects, and neutralises any infections. I never got why they have such permissive trials, but whatever - take advantage of it. Here is the download link.

  9. #9
    Oza the Sly: Vandal Invasion Member Braden's Avatar
    Join Date
    Apr 2005
    Location
    Leeds, Centre of the Universe, England
    Posts
    1,251

    Default Re: Auto-re-routing

    I'm doubting it's something on the PCs now as the issue is very specifically related to these forums and only ever happens whilst I'm here...and I use a lot of other forums and even host my own one.
    My Steam Community Profile - Currently looking for .Org members I know with NTW for MP stuff (as I'm new to that...lol)

  10. #10

    Default Re: Auto-re-routing

    I'm with drone. Try installing NoScript for FF. If it is something embedded on the site, that should take care of it. It's free, it updates fairly regularly and it's painless.

    You may also try http://www.safer-networking.org/en/mirrors/index.html; spy-bot search & destroy.
    Immunize function is handy.
    Last edited by HopAlongBunny; 11-20-2009 at 10:18.
    Ja-mata TosaInu

  11. #11
    Member Member Sevis's Avatar
    Join Date
    Oct 2009
    Location
    Netherlands
    Posts
    165

    Default Re: Auto-re-routing

    Okay, first of all, this looks absolutely nothing like an already activated virus, trojan or rootkit. Why in the world would such a thing blatantly show itself, almost yelling "Hey, you're infected!" at the user? What would it possibly have to gain? Neither does DNS-poisoning seem to be all that likely - but, none the less, you could try setting your DNS to be something unlikely to be poisoned, such as your work DNS-server or (if possible) the RNS.

    Now, as to what I'd guess this is:
    The image it displays looks silly, at best. It is either trying to keep the user focused on it (at the risk of alerting the user to it being malicious) or wants to give the user some sort of choice. The second, although unlikely, is possible - something like "If you're stupid enough to agree to what we're suggesting, we'll rootkit you, but we'll spare the smart ones." Ethics? Meh.

    Either way, you are not of any true influence on the process. If it can run arbitrary code on your machine, it will do so as it pleases, and does not need your permission. If it cannot, I see little point in it existing... A prank? Unlikely.

    Thus, what we know about the program:
    1. It shows up while, and only while, you are browsing the Guild from a Windows machine.
    1.1. Thus, it likely has a check about whether your browser claims you're using Windows - try changing this variable, and see if it vanishes. If you post your current one, I can try it under Linux.
    2. It shows up on both Firefox and IE.
    2.1. Kudos for making it browser independent >.>
    3. Neither antivirus is alarmed by it.
    3.1. Now this is the interesting bit. The high-security one should be tipped off by just about anything. Could you specify which one it is that you use at home and at work, please? No need to include firewalls - I'm guessing this is purely http.

    I would advise scanning at least your home system fully, to make sure it didn't cause you to get infected. Further, NoScript was already mentioned - it's a great thing, although not all that necessary now that AdBlock can block .js files. When browsing the Guild, Firefox wishes to execute scripts from totalwar.org, google.com, adbureau.net, quantserve.com and atomicgamer.com. I allowed the first two, blocked the rest (don't know the last one, but the other two are ad sites). Back on Windows machines, I've had Avast light up while browsing quantserve - that could very well be the problem.
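
The per-domain script review described in the post above can be done offline against a saved copy of a page. The following is an added example, not part of the original post: the sample HTML, its paths and the page URL are constructed for illustration (only the five host names come from the post), and `site_of` is a deliberately naive helper that treats the last two labels of a host name as the site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page URL and markup; only the host names come from the post.
PAGE_URL = "http://forums.totalwar.org/vb/index.php"
SAMPLE_HTML = """
<html><head>
<script src="/clientscript/global.js"></script>
<script src="http://www.google.com/jsapi"></script>
<script src="//edge.quantserve.com/quant.js"></script>
</head><body>
<iframe src="http://ads.adbureau.net/frame.html"></iframe>
<script src="http://www.atomicgamer.com/ads.js"></script>
<script>var inline = 1;</script>
</body></html>
"""

class ActiveContentParser(HTMLParser):
    """Collect absolute URLs of external scripts and frames on a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:  # inline scripts have no src and are skipped
                self.urls.append(urljoin(self.page_url, src))

def site_of(host):
    # Naive registrable-domain guess: wrong for suffixes such as .co.uk.
    return ".".join(host.lower().split(".")[-2:])

def audit(html, page_url, allowed_sites):
    """Split the sites serving active content into allowed and blocked."""
    parser = ActiveContentParser(page_url)
    parser.feed(html)
    first_party = site_of(urlsplit(page_url).hostname)
    report = {"allowed": set(), "blocked": set()}
    for url in parser.urls:
        host = urlsplit(url).hostname
        if host is None:  # data: or javascript: URLs carry no host
            continue
        site = site_of(host)
        ok = site == first_party or site in allowed_sites
        report["allowed" if ok else "blocked"].add(site)
    return report

if __name__ == "__main__":
    for bucket, sites in audit(SAMPLE_HTML, PAGE_URL, {"google.com"}).items():
        print(bucket, sorted(sites))
```

A site that appears in the blocked set but that nobody on the forum staff recognises is the first place to look when a redirect only happens on one forum.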

  12. #12
    Oza the Sly: Vandal Invasion Member Braden's Avatar
    Join Date
    Apr 2005
    Location
    Leeds, Centre of the Universe, England
    Posts
    1,251

    Default Re: Auto-re-routing

    Sure.

    I have browsed many...many forums etc and this occurs only here. So, we can confirm some association.

    Antivirus kits

    Home - Avira (using IE8)

    Work - Mcafee (using Firefox)

    Both machines are using Windows XP with the latest service packs etc making them fully up to date.

    I don't get much facetime with my home PC so a full scan is planned just not executed yet. I can't self-scan my work based PC but this is done every night by automatic IT executable and I have not been notified of anything amiss.

    I now use the Tabs functions more to help prevent this annoyance. Always having two tabs active means that when this occurs it occurs on only one tab so I just manually close that tab (it displays another fake warning which I "X" close down rather than using its "OK" to close).
    Last edited by Braden; 11-22-2009 at 11:15.
    My Steam Community Profile - Currently looking for .Org members I know with NTW for MP stuff (as I'm new to that...lol)

  13. #13
    Oza the Sly: Vandal Invasion Member Braden's Avatar
    Join Date
    Apr 2005
    Location
    Leeds, Centre of the Universe, England
    Posts
    1,251

    Default Re: Auto-re-routing

    Quote Originally Posted by Sevis View Post
    When browsing the Guild, Firefox wishes to execute scripts from totalwar.org, google.com, adbureau.net, quantserve.com and atomicgamer.com. I allowed the first two, blocked the rest (don't know the last one, but the other two are ad sites). Back on Windows machines, I've had Avast light up while browsing quantserve - that could very well be the problem.
    Done a little research and I think you may have found the issues here...but I'll still scan my PC, always good practice.
    My Steam Community Profile - Currently looking for .Org members I know with NTW for MP stuff (as I'm new to that...lol)

  14. #14
    Hǫrðar Member Viking's Avatar
    Join Date
    Apr 2005
    Location
    Hordaland, Norway
    Posts
    6,449

    Default Re: Auto-re-routing

    So much for the 'checks OS' theory.

    Runes for good luck:

    [1 - exp(i*2π)]^-1
