MainDoctor WhoMusicSoftware
Main Page

Alden Bates' Weblog

Feigning normality since 1973

Mystery - spyware or hack?

Filed in: Computers, Internet.

After getting home from work today, I checked the blogs I follow using Bloglines. All was well until I got to the last blog, which happened to be Zeusblog. When I clicked on the title of the entry to visit the blog, I was instead taken to the following URL:

I shouldn't have to warn you not to go there.

So, why did I go there instead of Zeusblog? My initial thought was maybe Zeusblog got hacked. I downloaded the server logs, but according to them, no request reached the server in order to be redirected. I even downloaded all of the files on the site and checked them, just in case, but found nothing.

I turned to my second assumption - that my PC had picked up some spyware. Scans with AVG, Ad Aware, Spybot and Windows Defender all came up blank.

So... what the hell? What caused this redirect? Some new spyware which the scanning programs don't know about yet?

I experienced the same redirect a few weeks back. I couldn't find the cause then, I can't now, and whatever it is is obviously still affecting my PC.

Googling found two relevant articles, but neither of them provide any good suggestions as to what caused the redirect in the first place:

  • The Norton AntiVirus guys seem more interested in telling the guy that their product blocked the redirect than why clicking on a google result took him to a different place than he expected

  • Geeks to Go couldn't find anything on this victim's system, though he was happy enough when the problem didn't repeat.

This is very odd and disturbing.

Posted March 26, 2009 9:33 PM


This French site seems to have some information on the problem, but don't know if it will help you:

(That link should take you to the translation.)

Posted by: Thad Ritchards | March 26, 2009 11:05 PM

It's weird - even with that hack, I'd expect there to be a log of the redirect occurring...

Posted by: Alden | March 27, 2009 12:25 AM

I've just had the same on a random flick to Zeus Blog - virus scans and spyware check aplenty for me, running now.

Posted by: David R | March 27, 2009 6:16 PM

Looks like I know what I'll be doing this weekend.

Posted by: Alden | March 27, 2009 6:38 PM

I came across this page while researching the redirect. The first time I clicked it (in google) I was redirected to

The other times I hit it were all in clicking the result found by google for xxcopy

I've started a topic on it in the xxcopy discussion group and given them links to here and the french page.

Posted by: Graham | March 28, 2009 7:12 AM

I had the same issue as the guy who posted on Geeks to Go: clicked a google results link for a real site and my onboard AV blocked access to the trojan downloader at

I went back and was then able to access the real website I wanted. So I don't know where this redirect came from.

FFox was up to date as was just about everything else.

I'm wondering if this is an exploit on some of the Windows OS updates & add-onsI just did today.

It's worth noting that a modified HOSTS file goes a long way in avoiding things like this. the site in question is listed here:

Posted by: Anonymous | March 28, 2009 8:07 AM

Hrm, well, I was going to purge and reinstall zeusblog today, but if it's happening on this site as well, then that likely won't help. There is NO record in the server logs of Graham's initial attempt to access the site and the redirect. It's highly unlikely Google and Bloglines were hacked, so I'm thinking that the problem is somewhere else.

Bloglines uses Javascript heavily, and I will note that when I usually click on a post title in Bloglines, it will open in a new tab. When I got redirected, it opened in the same tab.

I may be wrong, but doesn't Google also sometimes use Javascript for launching URLs? Could someone have slipped something in to the last Sun java update, or maybe found a way to install a hack into the JRE?

Posted by: Alden | March 28, 2009 12:06 PM

On the off-chance, I removed Java from my system and did a fresh install from Sun's site. The problem is the redirect seems to only happen once every few weeks, so working out if the problem's been eliminated is hard when we don't know exactly how its being done.

Posted by: Alden | March 28, 2009 12:40 PM

I just wanna say good luck to all those toiling to fix this baffling problem.

Posted by: Jeff Stone | March 28, 2009 6:11 PM

I solved this issue by referencing a thread on the google webmaster forum. It seems like it infects Apache itself, which will require it to be reinstalled at the server level. The thread is located here:

Posted by: HM | April 23, 2009 10:32 AM

Thanks, HM! I've taken it up with my web host, and they've moved the site to a different server. Hopefully that should eliminate the problem.

Posted by: Alden | April 24, 2009 6:49 PM

Post a comment Site Map