4

I have a strange attribute that's showing up in my F12 developer tools in IE10. The test case I've been using is about:blank. This is supposed to be a completely minimal HTML page.

When I look at the DOM for this page, I see <html dpWbAdvi="2781">. In particular that attribute seems wrong. It also appears on every other page I visit.

So far, I've disabled every Add-on in the "Manage add-ons" menu item, and searched my registry for dpWbAdvi. This kind of smells like malware, but I'm stuck. Has anyone heard of this?

Edit:

<html>foo</html> still exhibits the problem. Here's the screenshot.

screenshot

Edit 2:

I've run hijackthis, and removed every BHO reference, even the ones that sound plausibly useful. I've already disabled all add-ons through IE's menu. I'm still seeing the same behavior. I'm in the process of running a full MS Security Essentials scan as well.

Improve this question
13
  • I'd say malware: google.co.uk/search?q=dpWbAdvi
    – NickW
    Commented Jun 3, 2013 at 16:44
  • Try it with a truly minimal page: <html>foo</html>, what do you see? Is the tag inserted?
    – terdon
    Commented Jun 3, 2013 at 16:46
  • Is it always the same number?
    – Synetech
    Commented Jun 3, 2013 at 16:52
  • 1
    @OliverSalzburg, what’s that? Googling Web Advisor brings up nothing specific, and Googling the attribute brings only a single hit on a Chinese site.
    – Synetech
    Commented Jun 3, 2013 at 16:57
  • 1
    @Synetech: No idea what it is, it just sounds like it :D
    – Oliver Salzburg
    Commented Jun 3, 2013 at 17:13

3 Answers 3

Reset to default
3

I recently ran into this while troubleshooting an issue for the client. The attribute is being injected onto the page by a process associated with a program called HP ProtectTools, which is crapware preinstalled on Hewlett-Packard machines.

Your question was actually very helpful to me, because I cross-referenced your HiJackThis log with the client's list of installed software. I noticed the entry for DPAgent.exe in your log and found that you had the same HP security suite as the client.

I'm happy to report that uninstalling HP ProtectTools resolved the issue completely.

Improve this answer
0
0

I guess it's some sort of malware. Please run HiJackThis http://sourceforge.net/projects/hjt/ and post the logfile here. Also please run ccleaner http://www.piriform.com/ccleaner/builds and take a look at the values in the "autostart" -> "Internet explorer" thingy.

Edit: What kind of antivirus are you running? Is there an option to disable "web security" or something?

Improve this answer
2
  • hjt log is here: pastebin.com/u1e9A8Rr I'm running MS Security Essentials.
    – recursive
    Commented Jun 3, 2013 at 17:17
  • Actually, I recommend against posting logs on the Internet; they often contain things like user and directory names, installed hardware and software, and other things that it would be better not to publicize.
    – Synetech
    Commented Jun 3, 2013 at 17:27
-1

I got this email source, if I go to omoidol.com/wp-content/7c334.php I find that tag:

To: 88888888 Subject: X-PHP-Script: omoidol.com/wp-content/7c334.php for 127.0.0.1 From: X-Mailer: SayMailSMTP Reply-To: Mime-Version: 1.0 Content-Type: multipart/alternative;boundary="----------137459387551EEA3530301B" Return-Path: [email protected] X-OriginalArrivalTime: 23 Jul 2013 15:38:47.0040 (UTC) FILETIME=[B88F7800:01CE87BA]

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .