Stunning Findings

[Tedob1]

http://%6f%64%7a%71%74%74%2e%74%2e%6...?%61%69%64=420

does decode to http://odzqtt.t.muxa.cc/s.php

which resolves to 81.211.105.37

which belongs to:

inetnum: 81.211.105.0 - 81.211.105.255
netname: SOVINTEL-ICSTM2
descr: ICS TM, JSC
descr: 70 Bolshoy pr. V.O.
descr: 199002 St.-Petersburg
country: RU

using wget to avoid any kind of infection i downloaded the page (attached)

it appears to be a cool web search web page judging by the links:

<a href="http://coolpage.cc/cprv.php?aid=100038&ww=gambling">Gambling</a><br>
<a href="http://coolpage.cc/cprv.php?aid=100038&ww=casino">Casino</a><br>
<a href="http://coolpage.cc/cprv.php?aid=100038&ww=games">Games</a><br>
<a href="http://coolpage.cc/cprv.php?aid=100038&ww=movies">Movies</a><br>
<a href="http://coolpage.cc/cprv.php?aid=100038&ww=music">Music</a><br>
<a href="http://coolpage.cc/cprv.php?aid=100038&ww=sports">Sports</a><br>
<a href="http://coolpage.cc/cprv.php?aid=100038&ww=travel">Travel</a><br>

href="http://coolpage.cc/cprv.php?aid=100038&ww=betting">Betting</a><br>
<a
href="http://coolpage.cc/cprv.php?aid=100038&ww=blackjack">Blackjack</a><br>
<a
href="http://coolpage.cc/cprv.php?aid=100038&ww=casinos">Casinos</a><br>
<a
href="http://coolpage.cc/cprv.php?aid=100038&ww=gambling">Gambling</a><br>
<a
href="http://coolpage.cc/cprv.php?aid=100038&ww=horse+racing">Horse Racing</a><br>
<a
href="http://coolpage.cc/cprv.php?aid=100038&ww=poker">Poker</a>

<a href="http://coolpage.cc/cprv.php?aid=100038&ww=baseball">Baseball</a><br>
<a href="http://coolpage.cc/cprv.php?aid=100038&ww=basketball">Basketball</a><br>
<a href="http://coolpage.cc/cprv.php?aid=100038&ww=fishing">Fishing</a><br>
<a href="http://coolpage.cc/cprv.php?aid=100038&ww=football">Football</a><br>
<a href="http://coolpage.cc/cprv.php?aid=100038&ww=skiing">Skiing</a><br>
<a href="http://coolpage.cc/cprv.php?aid=100038&ww=soccer">Soccer</a>
etc., etc.

=+=+=+=+=+=+=+=+=+=+=
side note

if you omit the "/s.php" from the url odzqtt.t.muxa.cc/s.php you get re-directed to:

http://ww9.linklist.cc/index.php?aid=20037

another attempt to hide no doubt

=+=+=+=+=+=+=+=+=+=+=


there's also a ref. or two to msn search. i think microSoft might be interested in hearing about this especially with the phony dns record which points to the MS domain for the non-existant muxa.cc and the use of their "terms" page (below)

<div id=$Ci>
<span style='text-align:right;font-family:arial;font-size:7pt'><span title="Legal information for this site"><a href='http://go.msn.com/npl/terms.asp' target='_main'><!--Terms of Use--></a></span></span>
</div>


if(l!=""){
document.location="http://search.msn.com/results.asp?RS=CHECKED&Dom=en&un=doc&v=1&q="+l;
}else


so after all this....yup! looks like you been hi-jacked and their trying to hide their operation behind MicroSoft