
Search Engine Hijack In Ie6/ff1.5 Win98se


5 replies to this topic

#1 Rajesh J Kothari


  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:04 AM

Posted 21 February 2007 - 07:45 AM

(Moderator edit: moved post to HJT Forum for team review and member help. Removed Member's E-mail address to prevent its being harvested by spambots. jgweed)

Hi,
I'm an experienced user in the IT software business for the last 21 years. My PC seems to have got its search engine hijacked by some stealth software. I've tried all possible anti-spyware (incl. NAV 2005) but all are saying the PC is clean!

Whenever a site takes a little more time to open, e.g., verisign.com, this spyware takes over and displays a phoney site saying verisign.com is for sale! Click here, and a lot of other related links on it. Upon checking its source (it's an HTML file named after the searched URL, e.g., verisign.com) it shows something like this.
-----------------------------------------------------------------------------
<html>
<head>
<title> Welcome to verisign.com</title>
<meta NAME="description" CONTENT="verisign.com">
<meta NAME="keywords" CONTENT="verisign.com">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</head>

<frameset rows="20,*" frameborder="no" border="0" framespacing="0">
<frame src="/contactform.php?domain=verisign.com">
<frame src="http://searchportal.information.com/?a_id=6640&domainname=verisign.com">
</frameset>
<noframes>
<body bgcolor="#ffffff" text="#000000">
<a href="http://searchportal.information.com/?a_id=6640&domainname=verisign.com">Click here to enter</a>.
</body>
</noframes>

</html>
<!-- trafficclub.com -->
<!-- exec: 0.095219135284424 -->
<!-- domain: verisign.com -->
<!-- ip: 59.184.40.142 -->
<!-- fingerprint: -->
<!-- country: IN -->
<!-- service: 1 -->
<!-- rand: 87/100 -->
<!-- count: 1/0 -->
<!-- COOKIE OVERRIDE : 1 -->

<!-- OK -->
-----------------------------------------------------------------------------

The surprising part of the story is that after some time period the site to which the search engine points is different. For example, in the above case we are taken to searchportal.information.com; some time back it was taking us to sedoparking.com; and so on. Here is another example on the same URL:
----------------------------------------------------------------------
<html>
<head>
<title></title>
</head>
<body style="margin:0px;border:0px">
<table cellpadding=0 cellspacing=0 border=0 width=785>
<tr>
<td align=right><span style="font-size:14px;color:red;"><span style="font-weight:700">verisign.com</span> is for sale! &nbsp;</span><a href="http://www.domainsystems.com/bidform.php?domain=verisign.com" target="_blank" style="font-size:14px;color:blue;">Make an offer</a></td>
</tr>
</table>
</body>
</html>
---------------------------------------------------------------------

Also it creates a cookie named 'rajesh@verisign.com' with the following content.
---------------------------
svc
1
verisign.com/
1536
1305295232
29838408
1839189024
29838206
*
---------------------------

So the spyware is extremely smart. I suppose it's hiding in some hidden part of the hard disk. I'm giving the HijackThis logs from safe boot and normal boot below.

------------- Win98SE safeboot hijackthis log begin----------------
Logfile of HijackThis v1.99.1
Scan saved at 10:38:33 AM, on 21/02/2007
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOCUMENTS\MY DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.in/0SEENIN/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HpMmKbd] "C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe"
O4 - HKLM\..\Run: [LogWatch] C:\WINDOWS\LogWat95.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [SMARTAlerts] C:\Program Files\HP\SMART\SMARTAlerts.exe
O4 - HKLM\..\Run: [CertStoreInit] c:\WINDOWS\SYSTEM\CertStoreInit
O4 - HKLM\..\Run: [Symantec Core LC] "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" start
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [POINTER] C:\MSINPUT\point32.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SCardSvr] C:\WINDOWS\SYSTEM\SCardSvr.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] c:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: ClickTray Calendar.lnk = C:\Program Files\ClickTray Calendar\ClickTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {08F04139-8DFC-11D2-80E9-006008B066EE} (ConfigChkr Class) - https://mis.safescrypt.com/vscnfchk.cab
O16 - DPF: {70D86F3C-BA4D-11D2-80F5-006008B066EE} (VSPrefMgmt Class) - https://digitalid.safescrypt.com/class1/vspcakm.cab
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://digitalid.safescrypt.com/dgft/vspta3.cab
O16 - DPF: {C702FF1B-40FF-4DD1-8A22-E8DB4835E322} (TCS RootCerts Control) - https://www.tcs-ca.tcs.co.in/controls/RootCerts.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {9765B508-0C62-4F32-AB7C-D30D0615580B} (TCSDataSigner Control) - https://onlineservices.tin.nsdl.com/TIN/DSi...SDataSigner.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mtnl.net.in
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 203.94.227.70,203.94.243.70
------------- Win98SE safeboot hijackthis log end----------------

------------- Win98SE normal boot hijackthis log begin----------------
Logfile of HijackThis v1.99.1
Scan saved at 5:19:11 PM, on 21/02/2007
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\SCARDSVR.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\EXTENDED KEYBOARD\HPMMKBD.EXE
C:\WINDOWS\LOGWAT95.EXE
C:\PROGRAM FILES\UMSD TOOLS2.33\UMSD.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\HP\SMART\SMARTALERTS.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
C:\PROGRAM FILES\CLICKTRAY CALENDAR\CLICKTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ETSRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\AUPDATE.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER_3_0.EXE
C:\PROGRAM FILES\MAILWASHER\MAILWASHER.EXE
C:\MY DOCUMENTS\MY DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.in/0SEENIN/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HpMmKbd] "C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe"
O4 - HKLM\..\Run: [LogWatch] C:\WINDOWS\LogWat95.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [SMARTAlerts] C:\Program Files\HP\SMART\SMARTAlerts.exe
O4 - HKLM\..\Run: [CertStoreInit] c:\WINDOWS\SYSTEM\CertStoreInit
O4 - HKLM\..\Run: [Symantec Core LC] "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" start
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [POINTER] C:\MSINPUT\point32.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SCardSvr] C:\WINDOWS\SYSTEM\SCardSvr.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] c:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: ClickTray Calendar.lnk = C:\Program Files\ClickTray Calendar\ClickTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {08F04139-8DFC-11D2-80E9-006008B066EE} (ConfigChkr Class) - https://mis.safescrypt.com/vscnfchk.cab
O16 - DPF: {70D86F3C-BA4D-11D2-80F5-006008B066EE} (VSPrefMgmt Class) - https://digitalid.safescrypt.com/class1/vspcakm.cab
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://digitalid.safescrypt.com/dgft/vspta3.cab
O16 - DPF: {C702FF1B-40FF-4DD1-8A22-E8DB4835E322} (TCS RootCerts Control) - https://www.tcs-ca.tcs.co.in/controls/RootCerts.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {9765B508-0C62-4F32-AB7C-D30D0615580B} (TCSDataSigner Control) - https://onlineservices.tin.nsdl.com/TIN/DSi...SDataSigner.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mtnl.net.in
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 203.94.227.70,203.94.243.70
------------- Win98SE normal boot hijackthis log end----------------

I've tried Norton Antivirus 2005, PCTools Antispyware, Spybot S&D 1.4, SpyRemover and Lavasoft Ad-aware Personal SE but no luck.

One more thing is that this spyware works equally well in Firefox 1.0 and now 1.5 also. That really foxes me.

Recently I suspect that this spyware is trying to insert wrong passwords whenever I try to enter passwords, hence I'm getting failed logins. I lost my eToken's access due to this, where my digital signature was stored. I'm really at a loss.

Please help.

Rajesh Kothari
bluechip@XXXXXXXXXXXXXXXXX

Edited by Rajesh J Kothari, 21 February 2007 - 08:47 AM.
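The two page dumps in this post share a recognisable shape: a frameset or link that hands the typed domain to a different host as a query parameter, "for sale" / "click here to enter" wording, and a trailer of HTML comments naming the domain and the client IP. The Python below is an added example, not code from the thread, that scans a cached page for those indicators; the three sample pages are constructed (example.com stands in for the typed domain, the IP is from the documentation range), and this is the kind of check a responder would run over the Temporary Internet Files the poster describes before deciding whether the machine or the resolver is at fault.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Query keys that parking / "search portal" pages use to echo the domain the
# visitor actually typed (the thread's dumps use domain=, domainname= and dn=).
PARKING_QUERY_KEYS = {"domain", "domainname", "dn"}
FOR_SALE_RE = re.compile(r"\bis for sale\b|\bmake an offer\b|\bclick here to enter\b", re.I)

# Constructed samples modelled on the two dumps in the first post; example.com
# stands in for the typed domain and the IP is from the documentation range.
SAMPLE_SEARCHPORTAL = """<html><head><title> Welcome to example.com</title>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache"></head>
<frameset rows="20,*"><frame src="/contactform.php?domain=example.com">
<frame src="http://searchportal.information.com/?a_id=6640&domainname=example.com">
</frameset><noframes><body>
<a href="http://searchportal.information.com/?a_id=6640&domainname=example.com">Click here to enter</a>.
</body></noframes></html>
<!-- trafficclub.com -->
<!-- domain: example.com -->
<!-- ip: 192.0.2.10 -->
<!-- country: IN -->
<!-- OK -->
"""
SAMPLE_FOR_SALE = """<html><body><table><tr><td><span><b>example.com</b> is for sale! &nbsp;</span>
<a href="http://www.domainsystems.com/bidform.php?domain=example.com">Make an offer</a></td></tr></table>
</body></html>"""
BENIGN_PAGE = """<html><head><title>Example</title></head><body><p>Welcome to example.com.</p>
<a href="http://www.example.net/about">About</a></body></html>"""


class _Collector(HTMLParser):
    """Collect frame/link targets, visible text and the trailing <!-- key: value --> comments."""

    def __init__(self):
        super().__init__()
        self.urls = []           # src of <frame>, href of <a>
        self.text = []           # visible text fragments
        self.trailer = {}        # "key: value" comments, e.g. ip, domain, country
        self.bare_comments = []  # comments without a colon, e.g. trafficclub.com, OK

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "frame" and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.urls.append(a["href"])

    def handle_data(self, data):
        self.text.append(data)

    def handle_comment(self, data):
        m = re.match(r"\s*([\w ]+?)\s*:\s*(.*?)\s*$", data)
        if m:
            self.trailer[m.group(1).lower()] = m.group(2)
        else:
            self.bare_comments.append(data.strip())


def analyse_cached_page(html_text, requested_domain):
    """Report whether a cached page for requested_domain looks like a parking page."""
    col = _Collector()
    col.feed(html_text)
    req = requested_domain.lower()

    off_site = []
    for url in col.urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host or host == req or host.endswith("." + req):
            continue  # relative or same-site link: not a hand-off to another host
        echoed = [v.lower() for k, vals in parse_qs(parts.query).items()
                  if k.lower() in PARKING_QUERY_KEYS for v in vals]
        off_site.append({"url": url, "host": host, "echoes_requested_domain": req in echoed})

    indicators = []
    if "trafficclub.com" in col.bare_comments:
        indicators.append("trafficclub.com trailer comment")
    if col.trailer.get("domain", "").lower() == req:
        indicators.append("trailer comment echoes the requested domain")
    if any(t["echoes_requested_domain"] for t in off_site):
        indicators.append("off-site frame/link carries the requested domain as a parameter")
    if FOR_SALE_RE.search(" ".join(col.text)):
        indicators.append("'for sale' / 'click here to enter' wording")

    return {
        "requested": req,
        "off_site_targets": off_site,
        "trailer": col.trailer,
        "indicators": indicators,
        "is_parking_page": len(indicators) >= 2,  # two independent signs before flagging
    }


if __name__ == "__main__":
    for name, page in [("searchportal", SAMPLE_SEARCHPORTAL),
                       ("for-sale", SAMPLE_FOR_SALE), ("benign", BENIGN_PAGE)]:
        r = analyse_cached_page(page, "example.com")
        print(name, r["is_parking_page"], r["indicators"],
              [t["host"] for t in r["off_site_targets"]])
```

The trailer dictionary (ip, country, domain) is worth keeping with the report: the ip value in the dumps is the client's own public address as seen by the parking host, which tells you where the request actually left the network.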




#2 OldTimer


    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:12:04 PM

Posted 02 March 2007 - 09:21 PM

Hello Rajesh J Kothari and welcome to the BC HijackThis forum. I see no signs of viruses or malware in the log. It is clean.

Here are a couple of suggestions for things to check:

- check with the ISP to see if their DNS servers are redirecting to the sites that are showing in the redirect

- check the TCP/IP properties and see if there are any domains listed in the "append these DNS suffixes" section. If so, remove them and see if the problem goes away.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
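OldTimer's second suggestion targets the resolver's suffix search: when a lookup for a name fails or times out, a Windows stub resolver retries with each configured DNS suffix appended (the O17 line in the log above shows Domain = mtnl.net.in), and a wildcard record under that suffix would answer every such retry with one fixed IP, which would match the poster's observation that only slow-to-open sites get replaced. The Python below is an added illustration of that mechanism, not code from the thread; its zone table, parking IP and the "timeout" are constructed, and it assumes, rather than shows, that such a wildcard exists under the poster's ISP suffix.

```python
# Constructed zone data (documentation-range IPs, not real addresses): the real
# site sometimes fails to answer (modelled via the `failed` set), while the
# ISP-style suffix carries a wildcard that points at a parking host.
ZONE = {
    "www.example.com": "192.0.2.80",
    "*.isp.example": "198.51.100.7",  # wildcard: any unknown name under isp.example
}


def lookup(fqdn, failed=frozenset()):
    """Toy authoritative lookup: exact match first, then the nearest wildcard.

    Returns None when there is no answer, which also models a timeout for names
    listed in `failed`. Real DNS wildcard rules are simplified here.
    """
    if fqdn in failed:
        return None
    if fqdn in ZONE:
        return ZONE[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in ZONE:
            return ZONE[wildcard]
    return None


def resolve_with_search_list(name, suffixes, failed=frozenset()):
    """Mimic a stub resolver: try the name as typed, then name + each suffix in order.

    Returns (candidate_that_answered, ip), or (None, None) when nothing answers.
    """
    candidates = [name] + [f"{name}.{s}" for s in suffixes]
    for cand in candidates:
        ip = lookup(cand, failed)
        if ip is not None:
            return cand, ip
    return None, None


if __name__ == "__main__":
    # Normal case: the real record answers and the suffix is never tried.
    print(resolve_with_search_list("www.example.com", ["isp.example"]))
    # Slow/failed lookup: the suffixed retry hits the wildcard and the browser
    # lands on the parking host instead of an error page.
    print(resolve_with_search_list("www.example.com", ["isp.example"],
                                   failed={"www.example.com"}))
    # Same failure with no suffix configured: an honest "not found".
    print(resolve_with_search_list("www.example.com", [], failed={"www.example.com"}))
```

Removing the suffix does not fix the underlying timeout, but it turns a silent redirect into a visible resolution failure, which is what makes OldTimer's check diagnostic.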


#3 Rajesh J Kothari

  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:04 AM

Posted 03 March 2007 - 04:26 AM

Dear OT,
My ISP is a government-run basic telephony provider, with people running the infrastructure with quite an inflexible set of mind. So, it's a difficult thing to get the things that you have suggested done. However, after going through some additional details given below, if you still feel I should try that, I would.

1. My PC is part of a LAN in my office. We have other PCs on the network running Win98SE, WinXP Pro SP2 and Novell NetWare 4.11 with SP9 or 10. Only 2 PCs running Win98SE are showing this behaviour. Mine is one of them. Other PCs are running fine. So, I strongly suspect that these 2 PCs have got infected and it's not a problem at ISP level. I checked my PC's TCP/IP properties and I could not find the "append these DNS suffixes" section in Win98SE.

2. Recently I visited a site with URL www.bplmobile.com. There I clicked on a link with the name 'bplmail' and ran into the problem I've described above. I did a find on recently created files, and I noticed the following files. It shows clearly that there is some program in memory that creates these files, and that is the reason why my browser is getting redirected to some other sites. I've given the content of each file below.

file-1: This is the HTML source of the page where, when I clicked on the bplmail link, I was redirected to the phoney site. This is a perfectly OK page.
---------------- content of bplmail[1].htm-----------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
<head>
<title>Welcome to the wirefree world - BPL Mobile</title>
<link rel="stylesheet" type="text/css" href="../css/bpl.css">
</head>
<script src="../js/lfnav_mum_pre.js"></script>

<body background="../images/bg.gif" marginheight=0 marginwidth=0 leftmargin="0" topmargin="0" bgcolor="#9FCEEF">
<table width="780" align="center" cellspacing="0" bgcolor="#FFFFFF" cellpadding="0" border="0">
<tr>
<td style="padding:1px">
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tr>
<td colspan="3" style="padding-left:10px "><script language="javascript" src="../js/header_mum.js"></script></td>
</tr>
<tr>
<td width="582" valign="top">
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tr>
<td height="87" style="background-image:url(images/header_bg.gif) "><img src="images/push_mail_ani.gif" alt="" hspace="30"></td>
</tr>
<tr>
<td style="padding:20px 12px 0px 16px">
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tr>
<td colspan="2"><img src="images/mobilemail.gif" alt="" hspace="8"></td>
</tr>
<tr>
<td height="18"></td>
</tr>
<tr>
<td width="14"></td>
<td width="536" class="txt">
In today's fast & competitive world decision needs to be made quickly, but email may stand unanswered in your mail box when you are out of office or away from your PC.
<br><br>
With Mobile mail, our push mail solution, its no longer a concern - It's email that looks for you even on the move. Access your work and personal email with a wide array of devices - from PDAs to phones. Discover a whole new way to stay in touch as you are "Never Away" from your Family & Friends and even your work.
<br>
<br>
Push mail supports Microsoft Exchange, Lotus Notes, SMTP and IMAP/POP3 servers. Push Mail works on a variety of handheld devices and operating systems, including Windows Mobile, Symbian OS, Java and Palm OS.With a quick and easy set up process, Push Mail is a great way to go mobile with work or personal email.
<br>
<br>So what are you waiting for, Subscribe to the service NOW!!
</td>
</tr>
<tr>
<td height="15"></td>
</tr>
<tr>
<td width="14" valign="top" align="center"><img src="images/red_bullet.gif" alt="" vspace="3"></td>
<td align="left" class="txt"><span class="txt_q">Individual Users</span><br>Now stay connected to your personal POP3 enabled mail accounts even when you are away from your PC.You just need a POP3 enabled account, a BPL Mobile connection & a compatible mobile phone.Thats it!! You can be online 24X7 with your near & dear ones.<br><br><a href="bplmail_ind.htm"><img src="images/knowmore.gif" alt="" border="0"></a></td>
</tr>
<tr>
<td height="15"></td>
</tr>
<tr>
<td width="14" valign="top" align="center"><img src="images/red_bullet.gif" alt="" vspace="3"></td>
<td align="left" class="txt"><span class="txt_q">Enterprise Users</span><br>
Push mail enterprise edition is specially designed for corporates & provides employees with always on, secure, real-time access to their office email, calendar accounts as well as task lists & contacts list,keeping employees productive wherever they go, at an affordable price.<br>
<br><a href="bplmail_ent.htm"><img src="images/knowmore.gif" alt="" border="0"></a></td>
</tr>
<tr>
<td height="20"></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
<td width="3"></td>
<td width="193" valign="top">
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tr>
<td><img src="images/mobilemail_rhs1.jpg" alt=""></td>
</tr>
<tr>
<td><img src="images/mobilemail_rhs2.jpg" alt=""></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</body>
</html>
----------------------- end of bplmail[1].htm------------------

file-2: I noticed a cookie with the name rajesh@bplmobile.com in the \windows\cookie folder. Its content is given below:
-------cookie begin----------
  C:\WINDOWS\Cookies\rajesh@bplmobile[1].txt ile[1].txt  T  \ ?E C   C & C  0 ?E b C wr0 L C C  ?E p 0\J 0?E  H?E   l@E  l9W
---------cookie end----------

Now, whenever pushmail link is clicked this cookie always displays the phoney site.

file-3: file name 'header_mum[1].js'. This file is referenced in the page source given at file-1, and it is changed by the trojan/spyware. This file is found in the Temporary Internet Files folder under c:\windows.

---------------------- start of header_mum[1].js----------------
<html>
<head>
<title> Welcome to bplmobile.com</title>
<meta NAME="description" CONTENT="bplmobile.com">
<meta NAME="keywords" CONTENT="bplmobile.com">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</head>

<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
<frame src="http://67.15.35.18/?dn=bplmobile.com&cid=6484d09957">
</frameset>
<noframes>
<body bgcolor="#ffffff" text="#000000">
<a href="http://67.15.35.18/?dn=bplmobile.com&cid=6484d09957">Click here to enter</a>.
</body>
</noframes>

</html>
<!-- trafficclub.com -->
<!-- exec: 0.09601092338562 -->
<!-- domain: bplmobile.com -->
<!-- ip: 59.184.6.240 -->
<!-- fingerprint: 576ebcec7e84a5d6f0be5b996f593bdf -->
<!-- country: IN -->
<!-- service: 12 -->
<!-- rand: 1/0 -->
<!-- count: 1/ -->
<!-- -->

<!-- OK -->

---------------------- end of header_mum[1].js----------------

file-3. File name: dc0. This file is found in the same Temporary Internet Files folder. Its content is suspicious.
-------------- begin of dc0. file ----------
svc
12
bplmobile.com/
1056
3623472640
29841410
4212466432
29841208
*
-------------- end of dc0. file ----------

file-4: file name 67.15.35[1]. This file's content is very suspicious. It's found under the Temporary Internet Files folder.

------------------- begin of 67.15.35[1]. file -------------------



<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Bplmobile.com - Bplmobile.com</title>
<!-- <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> -->


<script language="JavaScript" type="text/javascript">
<!--
var SrchBtn_clicked = false;


function clear_SrchText(SrchObj,searchbox_value)
{
if((SrchBtn_clicked == false) && (SrchObj.value == searchbox_value))
{
SrchObj.value = "";
}
SrchObj.select();
}




function replaceall(string,text,by)
{
var strLength = string.length, txtLength = text.length;
if ((strLength == 0) || (txtLength == 0))
return string;

var i = string.indexOf(text);

if ((!i) && (text != string.substring(0,txtLength)))
return string;

if (i == -1)
return string;

var newstr = string.substring(0,i) + by;

if (i+txtLength < strLength)
newstr += replaceall(string.substring(i+txtLength,strLength),text,by);

return newstr;
}




function submit_action(formname, type, position)
{
d = document.forms[formname];

if ((d.elements['q'].value.length == 0) || (d.elements['q'].value == "Enter Keyword"))
{
alert("Please enter a search keyword !");
d.elements['q'].focus();
return false;
}
else
{
newstr = replaceall(d.elements['q'].value," ","_");
newstr = escape(newstr);
d.action = '/' + newstr +".cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=" + type + "&p=" + position;
}
return true;
}




function url_change(url)
{
s = decodeBase64(url);
window.location = s;
}




function sendRequest(thisform, strElement)
{
thisform = document.getElementById("frmSponsAds");
var strforms = strElement;
var arrElement = new Array();
arrElement = strforms.split("@@@@");
for(var i=0; i< arrElement.length; i++)
{
var arrTemp = new Array();
var strTemp = new String(arrElement[i]);
arrTemp = strTemp.split("####");
switch(arrTemp[0])
{
case "action":
thisform.action = arrTemp[1]+'&t=&p=';
break;
case "data":
thisform.param6.value = arrTemp[1];
break;
case "domain":
thisform.domain.value = arrTemp[1];
break;
case "tr":
thisform.param1.value = arrTemp[1];
break;
case "vurl":
thisform.param2.value = arrTemp[1];
break;
case "l1":
thisform.param3.value = arrTemp[1];
break;
case "q":
thisform.q.value = arrTemp[1];
break;
}

}
thisform.method = "POST";
thisform.submit();
return(false);
}




function changeStatus(keyword)
{
window.status = keyword;
return true;
}






function addbookmark()
{
bookmarkurl="http://www.Bplmobile.com";
bookmarktitle="Welcome To Bplmobile.com";

if (document.all)
window.external.AddFavorite(bookmarkurl,bookmarktitle)

return(false);
}




function HandleLoc()
{
var strUrl;


strUrl = 'http://images.bmnq.com';strUrl += '/lt.php?dn=';strUrl += '';strUrl += '&ck=';strUrl += '&isbn=';strUrl += '1';strUrl += '&uid=3&k=';


location.href = strUrl;
return true;
}




function pp ()
{


newpop = window.open('/1st?q=&dn=bplmobile.com&cid=6484d09957&nft=1&sp=1', 'newpop', 'directories=0,menubar=0,width=700,height=370');
this.focus();
}


-->
</script>




</head>
<!-- keyword start -->
<body onLoad="pp()"><!-- <br> --><!-- keyword end -->

<!-- Form to submit Sponsored Ads -->
<div style="visibility:hidden" id="divSponAds">
<form name="frmSponsAds" id="frmSponsAds" method="POST" action="" target="_blank">
<input type="hidden" name="param1" id="param1">
<input type="hidden" name="param2" id="param2">
<input type="hidden" name="param3" id="param3">
<input type="hidden" name="q" id="q">
<input type="hidden" name="domain" id="domain">
<input type="hidden" name="param6" id="param6">
</form>

</div>
<!--RMIP-->
<!--
192.168.2.45-->
<!--/RMIP-->



<br>
<!-- HEADER -->
<table width="750" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="54" height="50" align="left" valign="middle">
<img src="http://images.bmnq.com/tplg/39/header-name.gif" border="0" align="left" width="48" height="50">
</td>
<td width="359" valign="middle">
<h1>Bplmobile.com</h1>
</td>
<td width="337" align="center" valign="middle">
<p class="expiry_note" style="margin-bottom: 10px;">
</p>
<form name="form2" onSubmit="return submit_action('form2', 5, 1)" method="post">
<input type="text" name="q" size="23" style="font-family: Verdana; font-size:8pt" value="Enter Keyword" onClick="clear_SrchText(this,'Enter Keyword')" >
<input type="submit" value="Search!" name="B1" style="width: 91px; font-family: verdana; font-size:10px; font-weight:bold; background-color:#CCCC99">
</form>
</td>
</tr>
</table>

<!-- /HEADER -->

<!-- MASTHEAD -->
<br>

<!-- DIVIDER BACKGROUND -->
<div class="divider_bg">
<img src="http://images.bmnq.com/tplg/39/divider_bg.gif" border="0">
</div>
<!-- /DIVIDER BACKGROUND -->

<!-- /MASTHEAD -->

<!-- MAIN TABLE -->
<!-- LISTINGS SECTIONS -->
<table width="750" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<!-- FIRST LISTING SECTION -->
<td width="375" height="65" valign="top" align="center" nowrap>
<div style='display:none;'><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a></div> <!-- img src="http://images.bmnq.com/tplg/39/listing_header_1.jpg" border="0" -->
<img src="http://images.bmnq.com/tplg/39/listing_header_txt1.gif" border="0">
<ul class="listing">

<li>
<A href="/infidelity.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Infidelity');return true;" onmouseout="changeStatus('');return true;" target="_top">Infidelity</a></li>

<li>
<A href="/sim_free_mobile_phones.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Sim Free Mobile Phones');return true;" onmouseout="changeStatus('');return true;" target="_top">Sim Free Mobile Phones</a></li>

<li>
<A href="/exercising.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Exercising');return true;" onmouseout="changeStatus('');return true;" target="_top">Exercising</a></li>

<li>
<A href="/cheap_mobile_phones.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Cheap Mobile Phones');return true;" onmouseout="changeStatus('');return true;" target="_top">Cheap Mobile Phones</a></li>

<li>
<A href="/running_clothes.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Running Clothes');return true;" onmouseout="changeStatus('');return true;" target="_top">Running Clothes</a></li>

</ul>
</td>
<!-- /FIRST LISTING SECTION -->

<!-- SECOND LISTING SECTION -->
<td width="375" valign="top" align="center" nowrap>
<div style='display:none;'><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a></div> <!-- img src="http://images.bmnq.com/tplg/39/listing_header_2.jpg" border="0" -->
<img src="http://images.bmnq.com/tplg/39/listing_header_txt2.gif" border="0">
<ul class="listing">

<li>
<A href="/pay_monthly_mobile_phones.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Pay Monthly Mobile Phones');return true;" onmouseout="changeStatus('');return true;" >Pay Monthly Mobile Phones</a></li>

<li>
<A href="/exercise_fitness.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Exercise Fitness');return true;" onmouseout="changeStatus('');return true;" >Exercise Fitness</a></li>

<li>
<A href="/exercise.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Exercise');return true;" onmouseout="changeStatus('');return true;" >Exercise</a></li>

<li>
<A href="/running_apparel.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Running Apparel');return true;" onmouseout="changeStatus('');return true;" >Running Apparel</a></li>

<li>
<A href="/mobile_phones_orange.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Mobile Phones Orange');return true;" onmouseout="changeStatus('');return true;" >Mobile Phones Orange</a></li>

</ul>
</td>
<!-- /SECOND LISTING SECTION -->
</tr>
</table>
<!-- /LISTINGS SECTIONS -->
<br>

<!-- FEATURED SECTION -->
<table width="660" border="0" align="center" cellpadding="0" cellspacing="0" class="featured_section">
<tr>
<td height="22" colspan="3" valign="top">
<p class="featured_title"> featured listing</p>
</td>
</tr>
<tr>
<td width="220" height="101" valign="middle" align="center" nowrap>
<img src="http://images.bmnq.com/tplg/39/featured_header_1.jpg" border="0">
</td>

<!-- FIRST FEATURED LISTING -->
<td width="220" valign="middle" align="middle" nowrap>
<ul class="featured_list">
<li>
<A href="/exercise_weight_loss.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Exercise Weight Loss');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Exercise Weight Loss</a></li>
<li>
<A href="/motorola_mobile_phones.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Motorola Mobile Phones');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Motorola Mobile Phones</a></li>
<li>
<A href="/running_clothing.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Running Clothing');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Running Clothing</a></li>
<li>
<A href="/mobile_phones_nokia.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Mobile Phones Nokia');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Mobile Phones Nokia</a></li>

</ul>
<div style='display:none;'><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a></div> </td>
<!-- /FIRST FEATURED LISTING -->

<!-- SECOND FEATURED LISTING -->
<td width="220" valign="middle" align="left" nowrap>
<ul class="featured_list">
<li>
<A href="/moves.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Moves');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Moves</a></li>
<li>
<A href="/nokia_mobile_phones.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Nokia Mobile Phones');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Nokia Mobile Phones</a></li>
<li>
<A href="/mobile_phones_uk.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Mobile Phones Uk');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Mobile Phones Uk</a></li>
<li>
<A href="/t_mobile_phones.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('T Mobile Phones');return true;" onmouseout="changeStatus('');return true;" nowrap="true">T Mobile Phones</a></li>

</ul>
</td>
<!-- /SECOND FEATURED LISTING -->
</tr>
</table>
<!-- /FEATURED SECTION -->
<br />
<!-- FEATURED SECTION -->
<table class="featured_section" align="center" border="0" cellpadding="0" cellspacing="0" width="660">
<tbody>
<tr>
<td colspan="3" height="22" valign="top">
<div style='display:none;'><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a></div> <p class="featured_title"> popular topics</p>
</td>

</tr>
<tr>
<!-- FIRST FEATURED LISTING -->
<td align="left" height="101" nowrap="nowrap" valign="middle" width="220">
<ul class="featured_list2">
<li>
<A href="/pay_as_you_go_mobile_phones.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Pay As You Go Mobile Phones');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Pay As You Go Mobile Phones</a></li>
<li>
<A href="/free_mobile_phones.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Free Mobile Phones');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Free Mobile Phones</a></li>
<li>
<A href="/Travel.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Travel');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Travel</a></li>
<li>
<A href="/Computer_Notebooks.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Computer Notebooks');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Computer Notebooks</a></li>
<li>
<A href="/Music_Download.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Music Download');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Music Download</a></li>

</ul>
</td>
<!-- /FIRST FEATURED LISTING -->

<!-- SECOND FEATURED LISTING -->
<td align="left" height="101" nowrap="nowrap" valign="middle" width="220">
<ul class="featured_list2">
<li>
<A href="/Online_Dating.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Online Dating');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Online Dating</a></li>
<li>
<A href="/Education_Online.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Education Online');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Education Online</a></li>
<li>
<A href="/Insurance.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Insurance');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Insurance</a></li>
<li>
<A href="/Credit_Card.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Credit Card');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Credit Card</a></li>
<li>
<A href="/Jobs.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Jobs');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Jobs</a></li>

</ul>
</td>
<!-- /SECOND FEATURED LISTING -->

<!-- THIRD FEATURED LISTING -->
<td align="left" height="101" nowrap="nowrap" valign="middle" width="220">
<ul class="featured_list2">
<li>
<A href="/Health_and_Beauty.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Health And Beauty');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Health And Beauty</a></li>
<li>
<A href="/Online_Store.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Online Store');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Online Store</a></li>
<li>
<A href="/Professional_Services.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Professional Services');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Professional Services</a></li>
<li>
<A href="/New_Technology.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('New Technology');return true;" onmouseout="changeStatus('');return true;" nowrap="true">New Technology</a></li>
<li>
<A href="/Health_Insurance.cfm?dn=bplmobile.com&cid=6484d09957&nft=1&sp=1&t=4&p=4" onmouseover="changeStatus('Health Insurance');return true;" onmouseout="changeStatus('');return true;" nowrap="true">Health Insurance</a></li>

</ul>
<div style='display:none;'><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a><a href="#" onclick="return HandleLoc();"><img src="http://images.bmnq.com/px.gif" width=0 height=0 border=0></a></div> </td>
<!-- /THIRD FEATURED LISTING -->
</tr>
</tbody>
</table>

<!-- /FEATURED SECTION -->


<br>

<!-- FOOTER WITH BOOKMARK AND SEARCH -->
<!--
<table width="660" border="0" align="center" cellpadding="2" cellspacing="2" class="footer">
<tr>
<td align="center" valign="middle" class="footer_bookmark">
<a href="" onclick="addbookmark();return false;" nowrap style="font-family: verdana, sans-serif; font-size: 9pt; color:black">Bookmark This Page!</a>
</td>
<td width="480" valign="middle" align="center" nowrap>
<form name="form3" onsubmit="return submit_action('form3', 6, 1)" method="post" style="margin: 0; padding: 0;">
<input type="text" name="q" size="51" style="font-family: Verdana; font-size:8pt" value="Enter Keyword" onClick="clear_SrchText(this,'Enter Keyword')" >

<input type="submit" value="Search!" name="B1" style="width: 111px; font-family: verdana; font-size:10px; font-weight:bold; background-color:#CCCC99">
</form>
</td>
</tr>
</table>
-->
<table class="footer" align="center" border="0" cellpadding="2" cellspacing="2" width="660">
<tbody><tr>

<td align="center" nowrap="nowrap" valign="middle">
<form name="form3" onSubmit="return submit_action('form3', 6, 1)" method="post" style="margin: 0pt; padding: 0pt;">
<input name="q" size="71" style="font-family: Verdana; font-size: 8pt;" value="Enter Keyword" onClick="clear_SrchText(this,'Enter Keyword')" type="text">
</td>

<td align="center" nowrap="nowrap" valign="middle">
<input value="Search!" name="B1" style="width: 141px; font-family: verdana; font-size: 10px; font-weight: bold; background-color: rgb(204, 204, 153);" type="submit">

</form>
</td>

</tr>
</tbody></table>
<!--
<p align="center"><span style='font-family: Arial;font-size:11px;'>Copyright 2005, Bplmobile.com All Rights Reserved.</span></p>
-->
<!-- /FOOTER WITH BOOKMARK AND SEARCH -->
<br>

<!-- cps -->
<!-- cpe -->



<!-- Form to submit Sponsored Ads -->
<br>
<!-- Test -->
<IFRAME ID="frmId" HEIGHT="0%" WIDTH="0%" STYLE="display: none;">
</IFRAME>
<FRAMESET cols="0%">
<FRAME>
<noscript>
<img src='browlog?fr=1&js=0&infr=-1&ifr=-1&frh=-1&frw=-1&ck=6484d09957&dn=bplmobile.com' alt="" height=0 width =0/>
</noscript>
<script>

var intIfrm;
intIfrm = 0;
if(document.getElementById("frmId"))
{
intIfrm = 1;
}

var imgTag;
imgTag = document.createElement('img');
imgTag.width = 0;
imgTag.height = 0;
frmHeight = 0;
frmWidth = 0;
inFrmae = 0;

if (parent!= self)
{
frmHeight = parent.frames[0].height;
frmWidth = parent.frames[0].width;
inFrame = 1;
}

imgTag.src='browlog?fr=1&js=1&infr='+inFrmae+'&ifr='+intIfrm+'&frw='+frmWidth+'&frh='+frmHeight+'&ck=6484d09957&dn=bplmobile.com';
document.body.appendChild(imgTag);
</script>
</FRAME>
<NOFRAMES>
<noscript>
<img src='browlog?fr=0&js=0&infr=0&ifr=-1&ck=6484d09957&dn=bplmobile.com' alt="" height=0 width =0 />
</noscript>
<script>
var intIfrm;

intIfrm = 0;
if(document.getElementById("frmId"))
{
intIfrm = 1;
}

var imgTag;
imgTag = document.createElement('img');
imgTag.width = 0;
imgTag.height = 0;
imgTag.src='browlog?fr=0&js=1&infr=0&ifr='+intIfrm+'&ck=6484d09957&dn=bplmobile.com';
document.body.appendChild(imgTag);
</script>
</NOFRAMES>
</FRAMESET>


</body>
</html>
----------------------- end of 67.15.25[1]. file ----------------------

Apart from these files there are many other files which display the re-directed (phoney) page. But among them the above files are the ones having suspicious content.

Please help.

Rajesh Kothari

#4 OldTimer


    Malware Expert



Posted 03 March 2007 - 05:36 PM

Hi Rajesh J Kothari. Yes, those are just the web pages and support files from the website. They will be downloaded and stored in the temporary internet files folder for every website that is visited. The page itself has the sponsored links embedded in it. It looks like the sponsored links are coming from bmnq.com which is a domain parking site that has literally tens of thousands of registered domains. What they do is register names and then feed queries into their own sites. With the thousands of site names they own all feeding into their own advertising sites it can be quite lucrative.

The advertising functions themselves all appear to be written in javascript. If some users are not seeing the ads then they may have their java settings set up to block the scripts. You should be able to compare settings between a machine that is seeing the ads to one that is not. Various java versions support different settings so it might not be an apples-to-apples comparison. To flush the java code you might try deleting all the content in the IE temp folders and flushing the java caches. Also, installing the latest java version will give you the best security performance.

The web browsing forum here: http://www.bleepingcomputer.com/forums/f/14/web-browsingemail-and-other-internet-applications/ can give a more detailed explanation on browser and java settings.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 Rajesh J Kothari


Posted 04 March 2007 - 02:16 AM

Hi OT,

Thanks for your help. JavaScript is 'on' in all PCs. It's NOT turned off in any way. The problem with getting the latest Java runtime is that it gets installed every time in a new directory - without caring to update the old version and/or remove it. I also have two Java runtimes on my PC. I'm not sure what to do. Of course, I'll clear the Java cache. I'll clear temporary internet files - which I've done infinite times.

I have a feeling that we are missing the wood for the trees. The million-dollar question is who is responsible for the browser hijack? When a website has a delayed response, how is it that I am getting redirected to these sites hosted by bmnq.com? It happens both in IE 6 and FireFox 1.5. And also the site being redirected to (advertising site) is getting changed every few days. Could it be 'Google toolbar' or 'clicktray calendar' or 'RoboForm'?

Rajesh Kothari

#6 OldTimer


    Malware Expert



Posted 04 March 2007 - 10:26 AM

Hi Rajesh J Kothari. I would doubt very highly if it is something that Google or Roboform is doing but you could test that by disabling them. If it is happening by something on the machine it would have to be a system wide connection setting.

More likely it is something either at the site level or the dns level. Since the site is known you could block it either in the hosts file or the Restricted Sites settings. Set the IP for 67.15.35.18 in the restricted sites.

As for java, no it won't update a previous version. If an older version is present you need to uninstall any older version(s) and then install the latest version.

Cheers.

OT
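What a defender does with a saved page like the one posted earlier, following the advice above: triage it for the constructs it uses (hidden iframe, hidden click-through div, onLoad popup, tracking beacon, scripted redirect) and turn the third-party hosts it calls into hosts-file entries. This is an added example, not code from the thread; SAMPLE_PAGE is a constructed fragment modelled on the posted source (bmnq.com, bplmobile.com), and the indicator names are this example's own.

```python
"""Triage a saved copy of a suspected parking/hijack page: flag the constructs
it uses and list the third-party hosts it calls, as hosts-file entries.
Added example, not code from the thread; SAMPLE_PAGE is a constructed fragment."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a trimmed stand-in for the saved page quoted in the thread.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript">
function HandleLoc() {
  var strUrl = 'http://images.bmnq.com'; strUrl += '/lt.php?dn=';
  location.href = strUrl; return true;
}
function pp() {
  newpop = window.open('/1st?q=&dn=bplmobile.com&cid=6484d09957', 'newpop',
                       'width=700,height=370');
}
</script></head>
<body onLoad="pp()">
<div style='display:none;'><a href="#" onclick="return HandleLoc();">
<img src="http://images.bmnq.com/px.gif" width=0 height=0></a></div>
<img src="http://images.bmnq.com/tplg/39/header-name.gif">
<IFRAME ID="frmId" HEIGHT="0%" WIDTH="0%" STYLE="display: none;"></IFRAME>
<script>
imgTag.src='browlog?fr=1&js=1&ck=6484d09957&dn=bplmobile.com';
</script>
</body></html>
"""

# Constructs seen in the posted page; the indicator names are this example's own.
INDICATORS = {
    "hidden_iframe": re.compile(r"<iframe[^>]*display:\s*none", re.I),
    "hidden_click_div": re.compile(r"display:\s*none;?['\"][^>]*>\s*<a[^>]*onclick", re.I),
    "onload_popup": re.compile(r"onload\s*=\s*[\"'][^\"']*\(", re.I),
    "tracking_beacon": re.compile(r"browlog\?", re.I),
    "script_redirect": re.compile(r"location\.href\s*=", re.I),
}
# Absolute URLs as they appear inside script string literals.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"<>]*)?", re.I)


class _Collector(HTMLParser):
    """Collect every src/href attribute value and the text of every <script>."""
    def __init__(self):
        super().__init__()
        self.urls, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag.lower() == "script"
        for name, value in attrs:
            if name.lower() in ("src", "href") and value:
                self.urls.append(value)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def external_hosts(html_text, page_host):
    """Hostnames (lower-cased) the page references other than its own host. Script
    bodies are scanned with URL_RE because the redirect target is built from strings."""
    p = _Collector()
    p.feed(html_text)
    candidates = list(p.urls)
    for body in p.scripts:
        candidates.extend(URL_RE.findall(body))
    hosts = set()
    for u in candidates:
        host = urlparse(u).hostname
        if host and host.lower() != page_host.lower():
            hosts.add(host.lower())
    return hosts


def triage(html_text, page_host):
    """Return {'indicators': [...], 'hosts': [...]} for one saved page."""
    found = [name for name, rx in INDICATORS.items() if rx.search(html_text)]
    return {"indicators": found, "hosts": sorted(external_hosts(html_text, page_host))}


def hosts_file_lines(hosts):
    """Hosts-file entries that sink the listed hosts (0.0.0.0 form)."""
    return ["0.0.0.0 " + h for h in sorted(hosts)]


if __name__ == "__main__":
    report = triage(SAMPLE_PAGE, "bplmobile.com")
    print("indicators:", ", ".join(report["indicators"]))
    print("\n".join(hosts_file_lines(report["hosts"])))
```

Run it over each saved page from the temp folder and diff the emitted hosts against what the machine already blocks; a host that keeps reappearing across different parked domains is the one worth sinking.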



