Hi,
When my IE page loads, a command prompt screen appears and runs an executable (dd.exe) that is resident on my C: drive. I delete this, and it regenerates itself (the dd.exe). This program, when opened with Wordpad contains the following:


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html dir=ltr>

<head>
<style>
a:link {font:8pt/11pt verdana; color:FF0000}
a:visited {font:8pt/11pt verdana; color:#4e4e4e}
</style>

<META NAME="ROBOTS" CONTENT="NOINDEX">

<title>Page cannot be found</title>

<META HTTP-EQUIV="Content-Type" Content="text-html; charset=Windows-1252">
</head>

<body bgcolor="FFFFFF">

<table width="410" cellpadding="3" cellspacing="5">

<tr>
<td align="left" valign="middle" width="360">
<h1 style="COLOR:000000; FONT: 13pt/15pt verdana"><!--Problem-->Page cannot be found</h1>
</td>
</tr>

<tr>
<td width="400" colspan="2">
<font style="COLOR:000000; FONT: 8pt/11pt verdana">The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.</font></td>
</tr>

<tr>
<td width="400" colspan="2">
<font style="COLOR:000000; FONT: 8pt/11pt verdana">
<hr color="#C0C0C0" noshade>

<p>Please try the following:

<ul>
<li>If you typed the page address in the Address bar, make sure that it is spelled correctly.<br>
</li>

<li>Open the <A HREF="http://59.158.112.135:818/">59.158.112.135</a>
home page, and then look for links to the information you want.</li>

<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>

<h2 style="font:8pt/11pt verdana; color:000000">Problem: Connection timed out</h2>

<hr color="#C0C0C0" noshade>



</font></td>
</tr>

</table>
</body>
</html>

Is this some type of phishing? Any help would be appreciated.

David

OJ's advice is good.

Regarding whether or not you were being phished, I think there are three reasons why it is NOT a phish: first is because it opens a command prompt that runs an executable (but you haven't told us exactly what it DOES).

Second, because nothing in the code looks like it is requesting or prompting you for any kind of personal info.

And third, the numerical address points to: Registrant Organization of Internet Assigned Numbers Authority.

So I really don't think it's a phish. But what it IS, might be some kind of redirect, which could possibly be a pharming attempt gone awry and the self-renewing dd.exe could be a trojan.

DreamingFox has hit this one on the head. No, it was not a phish for all of the reasons that she stated.

It does, however, look like some sort of hijack attempt that may have been malformed. I say this because the file keeps appearing even after it has been deleted.

In order to help you we need a HiJackThis log.

You will be posting the HiJackThis log in the HiJackThis forum: http://castlecops.com/f67-Trend_Micro_HijackThis_Logs.html

Read the HJT forum posting rules: http://castlecops.com/postt8864.html

Download HiJackThis from : http://castlecops.com/downloads-cat-14.html

Create a folder and unzip the HiJackThis download to the folder. Do not unzip the HiJackThis download to your Desktop or a Temp folder as it creates backup files for your protection and we do not want to run the risk of losing them.

Doubleclick "HijackThis.exe". First, update HiJackThis by pressing the "Config" button, then press "Misc Tools", followed by "Check for update online". If you downloaded an updated HJT, click "Yes" at the "Open the file?" prompt. If you did not update, press the "Back" button .

Press "Scan".When the scan is finished, use "Save Log" button and save the log as a text file. Its best to save your text file in the same folder as where you put HiJackThis.

DO NOT FIX ANYTHING YOURSELF UNTIL INSTRUCTED TO DO SO ONLY BY A CCSP EXPERT. MOST OF THE HJT LOG ENTRIES ARE NEEDED TO RUN YOUR COMPUTER. REMOVING THE NEEDED ENTRIES CAN CAUSE SERIOUS DAMAGE TO YOUR COMPUTER.

Post your log in the HiJackThis forum : http://castlecops.com/f67-Trend_Micro_HijackThis_Logs.html. Click "NewTopic" and simply copy/paste the HJT log into the textbox. Include the information requested in the HJT forum posting rules: http://castlecops.com/postt8864.html

Make sure your HJT log is posted only in the HiJackThis forum: http://castlecops.com/f67-Trend_Micro_HijackThis_Logs.html.

_________________
MS MVP Security 2006-2008