The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   Networking (http://hintsforums.macworld.com/forumdisplay.php?f=14)
-   -   Malware loads URL at random (http://hintsforums.macworld.com/showthread.php?t=60083)

hayne 08-30-2006 10:31 PM

Quote:

Originally Posted by thirdrockphoto (Post 318563)
I used the "insert image" button for the reply but this forum doesn't seem to want to display the image. It is at http://www.thirdrockphoto.com/Images/processes.jpg

The image from your previous post displays fine for me (in Safari, on 10.4.7).

And it shows me loud and clear that you persist in logging in as 'root' in spite of repeated admonitions against this very insecure and unnecessary practice.
I'm not sure how much longer I will continue in trying to help someone who ignores good advice.

solipsism 08-30-2006 10:31 PM

Quote:

Originally Posted by thirdrockphoto (Post 318563)
I used the "insert image" button for the reply but this forum doesn't seem to want to display the image. It is at http://www.thirdrockphoto.com/Images/processes.jpg

I'm seeing the image just fine on this site.

Have you tried installing a 3rd party firewall application?

thirdrockphoto 08-30-2006 10:34 PM

Regarding proxy: my connection is a typical DSL via PPPoE with user name and password configured on my router so the router can supply IP addresses. I do not have a second computer but I may add one later and the router might add one more rather weak wall of security. In my previous location, I was on a university proxy server but not here. I use the OS X firewall but I don't blindly accept it as safe.

solipsism 08-30-2006 11:08 PM

We don't have all the information needed to completely solve this problem, but it looks like we can rule out this being a problem with an Apple OS.

Quote:

Originally Posted by thirdrockphoto
I remembered last week an agent from ChinaNet came to our building with free update CD. Through my neighbor's translation, I explained that I have a Mac so I can't use the CD. Today I asked my neighbor for a look again at his CD. Yep, it is labeled "sh.vnet.cn" so it is some change in the DSL service. Probably not a welcome change.

I'd like to see a traceroute. Since you have a personal router using DHCP, I suspect the problem is coming from outside your network. Is it possible that because you don't have the ChinaNet software installed you are being redirected to ChinaNet's "Welcome" page by a proxy server owned by the DSL company? Just a theory, but as unlikely as this sounds, nothing else makes any sense to me.


edit: You aren't alone.

edit2: Apache's ProxyPassReverse creates redirects that are transparent to the end user.

ElectricSheep 08-31-2006 12:16 AM

Have you looked for any suspicious Input Managers? These little bits of code are stored in /Library/InputManagers and ~/Library/InputManagers. They are loaded transparently into every application you run, and have been demonstrated in the past as a vector for malware on Mac OS X.

ElectricSheep 08-31-2006 12:26 AM

Quote:

Originally Posted by solipsism (Post 318569)
I'd like to see a traceroute. Since you have a personal router using DHCP, I suspect the problem is coming from outside your network. Is it possible that because you don't have the ChinaNet software installed you are being redirected to ChinaNet's "Welcome" page by a proxy server owned by the DSL company? Just a theory, but as unlikely as this sounds, nothing else makes any sense to me.

Here in the States, Comcast does the same thing. You need to have your modem registered with Comcast if you are a new user, or if you have switched modems. Before then, any DNS lookups will redirect to a Comcast page.

You could try accessing pages by IP address to bypass DNS lookups.

voldenuit 08-31-2006 01:54 AM

If you're still interested in getting this sorted, show us the results of the rectified tcpdump command while connecting to one site (post #30), yet getting the vnet.cn redirect and what was requested in post #28.

While it would be interesting to get this sorted, your resistance to take advice makes progress rather difficult and once you've exhausted the patience of those willing to help you, you may very well be stuck with your problem.

Did the time when people tried to install extra software on your machine roughly coincide with the beginning of the problem? There may very well be a transparent proxy installed by the ISP. Setting up a VPN into the next free country might be a solution for this and the censorship problem, but may be too difficult for you to set up.

If you can get there, you may want to read up on different methods to bypass such annoyances: http://www.rsf.org/article.php3?id_article=15013

thirdrockphoto 08-31-2006 02:21 AM

As I mentioned before, I logged in as root (with ethernet cable disconnected) for the convenience of backing up three user accounts to an external drive. I just happened to use Process Viewer during the root login also, not much to do while waiting for the files to copy. All the backups are done now so I have no reason to use root. Now I am logged in as a non-admin user.

I know about VPN and setting a proxy from outside boundary but no further comments are available.

The idea of ChinaNet needing the router registered is interesting. Here are some details about that. I used this DSL connection with the router for more than one month with no anomalies. It now appears that the oddity of the sh.vnet.cn page began a couple of days after the agent from ChinaNet came door-to-door handing out software CDs. I may be able to get this sorted out when I get more translation of the leaflet that came with the CD.

The sh.vnet.cn page does set three cookie domains when it first loads. I blocked those in Firefox prefs and refreshed. The site set another cookie listed by IP address. I blocked that also. I have refreshed that page a couple of times and it does not register any new cookies. Among the leaflet notes is the word "cookies" so a translation should help.

If this sh.vnet.cn web page is a new service, is it possible it is just strong-arming its way in front of me to be noticed and the intrusions may stop after another couple of days on the assumption that it has bugged everyone enough to get them to register for the various services (music, auctions, etc.)? I will post again after my friend comes over to translate the leaflet.

While typing these comments, the browser status bar flashed "sh.vnet.cn". It appears to be much more than a cookie sender.

thirdrockphoto 08-31-2006 02:35 AM

I must have the wrong syntax for the Terminal command. Here's what I get:

[localhost:~] browse% /usr/sbin/tcpdump -i en0 > ~/tcpflowOutput.txt
tcpdump: (no devices found) /dev/bpf0: Permission denied

thirdrockphoto 08-31-2006 03:06 AM

I have an application called Zorfex (I am sure some Terminal commands would show the same info, but it is convenient). It shows four connected IPs:
64.215.169.215 / 72.14.219.147 / 64.154.80.250 / 64.215.169.206
When I click refresh in Zorfex, it shows:
218.30.64.20 / 204.2.128.185 / 64.154.80.250 / 218.30.64.121

hayne 08-31-2006 03:43 AM

Quote:

Originally Posted by thirdrockphoto (Post 318583)
I must have the wrong syntax for the Terminal command. Here's what I get:

[localhost:~] browse% /usr/sbin/tcpdump -i en0 > ~/tcpflowOutput.txt
tcpdump: (no devices found) /dev/bpf0: Permission denied

You need to use 'sudo' in front of that command.
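A small check for the ISP-side DNS redirect theory raised earlier in the thread (solipsism's proxy theory and ElectricSheep's Comcast comparison), using the kind of capture the sudo'd tcpdump command makes possible. This is an added example, not code from anyone in the thread: it parses `sudo tcpdump -n -i en0 port 53` output, pairs each A answer with its query by client port and transaction id, and flags any address that is returned for several unrelated hostnames, which is what a portal redirect looks like on the wire. The capture text is constructed and uses RFC 5737 example addresses.

```python
import re
from collections import defaultdict

# Constructed sample of `sudo tcpdump -n -i en0 port 53` output (not a real capture).
# Two unrelated hostnames receive the same answer, which is what an ISP-side DNS
# redirect to a "welcome" portal looks like on the wire. Addresses are RFC 5737 examples.
SAMPLE = """\
02:21:03.100421 IP 192.168.1.2.49152 > 192.168.1.1.53: 4101+ A? www.macworld.com. (34)
02:21:03.140877 IP 192.168.1.1.53 > 192.168.1.2.49152: 4101 1/0/0 A 203.0.113.10 (50)
02:21:05.200113 IP 192.168.1.2.49153 > 192.168.1.1.53: 4102+ A? www.thirdrockphoto.com. (40)
02:21:05.240640 IP 192.168.1.1.53 > 192.168.1.2.49153: 4102 1/0/0 A 203.0.113.10 (56)
02:21:07.300002 IP 192.168.1.2.49154 > 192.168.1.1.53: 4103+ A? www.example.net. (33)
02:21:07.330519 IP 192.168.1.1.53 > 192.168.1.2.49154: 4103 2/0/0 A 198.51.100.7, A 198.51.100.8 (65)
"""

# Query line: "<client>.<port> > <server>.53: <txid>+ A? <name>. (<len>)"
QUERY = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)\+ A\? (\S+)\. \(")
# Answer line: "<server>.53 > <client>.<port>: <txid>[*] <ans>/<auth>/<add> <rrs> (<len>)"
ANSWER = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)\*? \d+/\d+/\d+ (.*) \(\d+\)$")

def parse_dns_capture(text):
    """Match A answers to their queries by (client, port, txid); return {name: [ips]}."""
    pending, resolved = {}, {}
    for line in text.splitlines():
        q = QUERY.search(line)
        if q:
            src, sport, _, _, txid, name = q.groups()
            pending[(src, sport, txid)] = name
            continue
        a = ANSWER.search(line)
        if a:
            _, _, dst, dport, txid, rrs = a.groups()
            name = pending.pop((dst, dport, txid), None)
            if name is not None:
                resolved[name] = re.findall(r"\bA (\d+\.\d+\.\d+\.\d+)", rrs)
    return resolved

def shared_answers(resolved, min_names=2):
    """IPs returned for at least min_names distinct hostnames: the redirect signature."""
    by_ip = defaultdict(set)
    for name, ips in resolved.items():
        for ip in ips:
            by_ip[ip].add(name)
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_names}

if __name__ == "__main__":
    for ip, names in shared_answers(parse_dns_capture(SAMPLE)).items():
        print(f"{ip} answers for {len(names)} different names: {', '.join(names)}")
```

Feed it a real capture with `python3 dnscheck.py < ~/tcpflowOutput.txt` after swapping SAMPLE for `sys.stdin.read()`; a hit is worth confirming by querying a resolver outside the ISP for the same names.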
