1) With the "Find" option along the top row (pair of binoculars next to it), search for "adtechus". This will highlight every request to advertising feed in yellow (in the left hand window/list).
2) Find the last one in the list (should be from the host adserver.adtechus.com) and select it, and then in the two right hand windows select "Raw View".
3) What you'll see is something like this:-
Code:
GET http://adserver.adtechus.com/addyn/3.0/5224/1274707/0/225/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1293117691969 HTTP/1.1
Host: adserver.adtechus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: */*
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://forum.homepageofthedead.com/index.php
Cookie: JEB2=4BC8D0066E651643ED638F54F00118F9
Code:
HTTP/1.0 200 OK
Connection: keep-alive
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 457
document.write("\n");
document.write("<scr"+"ipt language='javascript'>\n");
document.write("var rnd = Math.round(Math.random()*10000000);\n");
document.write("document.write('<IFR' + 'AME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=728 HEIGHT=90 SRC=http://delb.opt.fimserve.com/adopt/?r=h&l=38a6b579-a36c-4c2f-a05b-66939c8ee57f&sz=728x90&rnd=' + rnd + '></IFR' + 'AME>');\n");
document.write("</scr"+"ipt>\n");
document.write("\n");
4) And now the uber important bit. So the line you're looking at is the request to get the advert. In the left hand window, a line or two down, will now be a response from some 3rd party host (ie: not forum.homepageofthedead.com or adserver.adtechus.com) with the code that actually results in the redirection. This is what we're after! Click on the line(s) and post here the "raw" text from those two right hand windows. Here's an example from an innocent advert (from host delb.opt.fimserve.com):-
Code:
GET http://delb.opt.fimserve.com/adopt/?r=h&l=38a6b579-a36c-4c2f-a05b-66939c8ee57f&sz=728x90&rnd=9398942 HTTP/1.1
Host: delb.opt.fimserve.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://forum.homepageofthedead.com/showthread.php?18161-VIRUS-WARNING-spot-thread-PLEASE-REPORT-ALL-OCCURRENCES!&p=256837
Cookie: UI="226c0297c9e673a0e0|99ho8..-5.ty.holfts.f.f@@who@@holfts@@+9_9@@zezgzi yilzwyzmw ornrgvw@@xl_fp@@hlfgs vzhg"; pfuid=ClIoJkvI3MSssGG3hjNHAg==; TRG=MzkuND02MDY2Jg==; SUBHS=||||23.1292963860337; DMEXP=4
Code:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://www.fimserve.com/p3p.xml",CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR DELa SAMa UNRa OTRa IND UNI PUR NAV INT DEM CNT PRE"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SUBHS=||||24.1292963860337; Domain=delb.opt.fimserve.com; Expires=Thu, 30-Dec-2010 15:33:15 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 319
Date: Thu, 23 Dec 2010 15:33:14 GMT
<!-- 10.82.41.221,106899,300407 -->
<a href="http://www.myspacetv.com/" target="_blank"> <img border="0" src="http://aads.myspacecdn.com/Images/mstv_leader_728x90.gif"></a>
<script type="text/javascript">var _fanpid="664-000100";</script><script type="text/javascript" src="http://trgj.opt.fimserve.com/fp.js"></script>
5) Save your logs should they be need later:
File > Export Sessions > All Sessions