
mysterious possible Chinese browser hijacking



kirigoe
2006-11-21, 15:57
Hi,

I've run into a problem at work with more and more computers and I really can't explain it. When visiting certain sites, the browser (this happens on both Firefox 2 and IE6) redirects to some Chinese homepage. Upon clearing the cache of the browser, the problem seems to disappear temporarily. The site that mainly seems to trigger this behavior is hxxx://engadget.com, but it is probably not the only one. Since this is a big tech blog it makes no sense that it would be infected somehow. Once "infected", you get redirected to the same page when visiting some sites with no relation to each other, digg.com and imdb.com to name a few. However, it doesn't happen with all sites we visit.

We're running Windows XP SP2 inside a company firewall with updated Symantec virus protection. I've personally run Kaspersky's online antivirus scanner, Spybot S&D and Ad-Aware, both updated, and no tool has found anything. HijackThis doesn't show anything weird AFAIK, there are no weird processes running, and the problem doesn't go away upon reboot. A very talented developer here has helped me troubleshoot it with Filemon, Wireshark and all kinds of tools; I'm a sysadmin myself and we still have no clue what's going on.

One possible long shot we thought of was that someone has managed to modify Google AdWords to modify the cache of the browser to redirect to this Chinese site, since the sites that trigger this seem to be using AdWords. However, Firefox cache files aren't completely plaintext and are somewhat hard to decipher. I've been looking for other users outside of our company with the same problem since it started showing up yesterday, but only found one single forum post on a small forum somewhere with no explanation or solution.

The URL we get redirected to changes a little now and then, from media-china.com.cn to wxx.globalclimb.com currently. I don't think it's DNS-related since pings to the redirecting sites seem OK and I've tried other external DNS servers (like 4.2.2.1).

Am I going crazy here, is this just happening to us? Any help is most appreciated. I can supply HJT-logs and other data if needed.

- Daniel Netz

kirigoe
2006-11-21, 17:26
After writing this I saw that IE6 threw some JavaScript errors on engadget.com, pointing to a script for SiteCatalyst, a web analytics application. So when visiting omniture.com, developers of SiteCatalyst, and their customer showcase page, I would get the same Chinese redirect page every time I visited their customers, on FF2, IE6 and Opera 9. After rebooting, however, I can't replicate the error anymore no matter how many SiteCatalyst sites I visit.

Is it possible that, for some mind-boggling reason, the JavaScript triggered this weird redirection? Seems a little too good to be true.

kirigoe
2006-11-22, 11:18
Despite our troubleshooting efforts, this seems to have been related to one of our internal DNS servers and its forwarding policy. You can delete this thread if you want.
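Given how the thread ended (an internal DNS forwarder handing out wrong answers while pings and a quick test against an external server looked fine), the check that would have shown this early is to resolve the suspect hostnames directly at the internal resolver and at an external one, bypassing the OS resolver and its cache, and flag any host whose answers differ. The following is an added example and not code from the thread or the forum: a minimal UDP DNS A-record client written against the standard library, with a comparison routine on top. It assumes Python 3, plain UDP port 53 and A records only; the hostnames are the ones named in the thread, while the IP addresses in the offline demo are constructed RFC 5737 documentation addresses, and the internal resolver address in the usage comment is hypothetical.

```python
# Added example: compare A-record answers from two resolvers to spot a misbehaving
# internal forwarder. Standard library only; constructed data in demo().
import random
import socket
import struct


def encode_name(name):
    """Wire-format a hostname: length-prefixed labels ending in a zero byte."""
    labels = name.strip('.').split('.')
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def build_query(name, txid):
    """Build a DNS query for an A record with recursion desired (flags 0x0100)."""
    header = struct.pack('>HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack('>HH', 1, 1)  # QTYPE A, QCLASS IN


def read_name(msg, off):
    """Read a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack('>H', msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels), end if end is not None else off


def parse_a_records(msg, txid):
    """Return (rcode, sorted A-record addresses) from a response to our query."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack('>HHHHHH', msg[:12])
    if rid != txid:
        raise ValueError('transaction id mismatch')
    off = 12
    for _ in range(qdcount):            # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack('>HHIH', msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                    # other record types (e.g. CNAME) are skipped
    return flags & 0xF, sorted(addrs)


def resolve_a(name, server, timeout=3.0):
    """Live lookup of A records for `name` sent directly to `server` (bypasses the OS resolver)."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def compare_resolvers(hosts, resolve_internal, resolve_external):
    """Map each host whose two answer sets differ to (internal_addrs, external_addrs)."""
    diffs = {}
    for host in hosts:
        internal, external = resolve_internal(host), resolve_external(host)
        if internal != external:
            diffs[host] = (internal, external)
    return diffs


def build_response(query, addrs, rcode=0):
    """Constructed helper for the offline demo: answer `query` with A records,
    using a 0xC00C compression pointer back to the question name as real servers do."""
    txid = struct.unpack('>H', query[:2])[0]
    header = struct.pack('>HHHHHH', txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    body = query[12:]
    for ip in addrs:
        body += b'\xc0\x0c' + struct.pack('>HHIH', 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + body


def demo():
    """Offline run on constructed answers: the internal forwarder disagrees on engadget.com."""
    internal = {'engadget.com': ['192.0.2.10'], 'imdb.com': ['198.51.100.7']}
    external = {'engadget.com': ['203.0.113.5'], 'imdb.com': ['198.51.100.7']}

    def via(table):
        def resolve(host):
            query = build_query(host, 0x1234)
            _, addrs = parse_a_records(build_response(query, table.get(host, [])), 0x1234)
            return addrs
        return resolve

    return compare_resolvers(sorted(internal), via(internal), via(external))


if __name__ == '__main__':
    for host, (internal, external) in demo().items():
        print(f'{host}: internal={internal} external={external}')
    # Live use (hypothetical internal resolver address; 4.2.2.1 is the external one from the thread):
    # compare_resolvers(['engadget.com', 'imdb.com'],
    #                   lambda h: resolve_a(h, '10.0.0.53')[1],
    #                   lambda h: resolve_a(h, '4.2.2.1')[1])
```

Sending the query straight to each server matters here: a tool that goes through the OS resolver would answer from the local cache and from whatever server the client is configured to use, which is exactly why changing the external DNS server on one client and pinging the redirect target did not reveal the forwarding problem. A host that shows up in the result with two different address sets is the one to chase on the forwarder.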

LonnyRJones
2006-11-26, 13:16
I'm glad you worked it out; thanks for posting back.

I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here. They should start a new topic.
If you should need to post another log for the same PC, let one of us know via a PM (personal message).