javascripts added to visited html- or xml-pages in the internet

9 views
Skip to first unread message

Barbara de Zoete

unread,
Oct 23, 2004, 4:40:10 PM10/23/04
to
My system:
- OS Windows XP SP1;
- various graphical browsers (IE6, OP7.54, Firefox 0.9);
- protection from Norton AntiVirus 2001 (up to date);
- firewall ZoneAlarm Pro (up to date);
- running Ad-Aware, Spybot S&D, SpywareBlaster regularly;
- UMTS connection to the internet.

If I visit html- or xml-pages, two things happen:
1. All code gets 'compressed', that is all white space is taken out of the
pages which
is particularly harmful with xml-pages (error 'not well formed').
2. Some javascript gets called on:
in the head of the page
<script src="http://1.2.3.4/bmi-int-js/bmi.js"language="javascript">
appears;
at the end of the code (even after the </html>) <script
language="javascript">
<!--bmi_SafeAddOnload(bmi_load,"bmi_orig_img");//--></script> is added.
You can click for the <http://1.2.3.4/bmi-int-js/bmi.js> address. The
javascript
code will appear in your browser window.

With _all_ turned off (no Norton AV running, no ZoneAlarm active et
cetera) I get this same result. One exception I found: URLs with
<https://foo.bar/> come to me whithout anything noticable happening to
them.

I have no idea what so ever where this comes from, what causes it and how
I can stop it (or even if I have to stop it at all). I've searched and
Googled all over, but came up with nothing I can understand (in Hungarian,
Chech, Italian). I've tried in other newsgroups, but to no avail. So
please,

Can anyone please fill me in. What is all that script stuff about?

TIA,
Barbara

--
PretLetters <http://home.wanadoo.nl/b.de.zoete/>
Zweefvliegen <http://home.wanadoo.nl/b.de.zoete/html/vliegen.html>
Webontwerp <http://home.wanadoo.nl/b.de.zoete/html/webontwerp.html>
DTD <http://home.wanadoo.nl/b.de.zoete/dtd/not_so_strict.dtd>

Barbara de Zoete

unread,
Oct 23, 2004, 5:12:00 PM10/23/04
to
Op Sat, 23 Oct 2004 22:40:10 +0200, schreef Barbara de Zoete
<b_de_...@hotmail.com>:

> My system:
> - OS Windows XP SP1;
> - various graphical browsers (IE6, OP7.54, Firefox 0.9);
> - protection from Norton AntiVirus 2001 (up to date);
> - firewall ZoneAlarm Pro (up to date);
> - running Ad-Aware, Spybot S&D, SpywareBlaster regularly;
> - UMTS connection to the internet.
>
> If I visit html- or xml-pages, two things happen:
> 1. All code gets 'compressed', that is all white space is taken out of
> the pages which
> is particularly harmful with xml-pages (error 'not well formed').
> 2. Some javascript gets called on:
> in the head of the page
> <script src="http://1.2.3.4/bmi-int-js/bmi.js"language="javascript">
> appears;
> at the end of the code (even after the </html>) <script
> language="javascript">
> <!--bmi_SafeAddOnload(bmi_load,"bmi_orig_img");//--></script> is
> added.
> You can click for the <http://1.2.3.4/bmi-int-js/bmi.js> address.
> The javascript
> code will appear in your browser window.

As it happens, this is not true. The 1.2.3.4 is not approachable from the
internet. Meanwhile I have uploaded the content of the script to
<http://home.wanadoo.nl/b.de.zoete/_test/bmi.js.txt> and added
document.write(' to the first line, so it doesn't do anything.

> With _all_ turned off (no Norton AV running, no ZoneAlarm active et
> cetera) I get this same result. One exception I found: URLs with
> <https://foo.bar/> come to me whithout anything noticable happening to
> them.
>
> I have no idea what so ever where this comes from, what causes it and
> how I can stop it (or even if I have to stop it at all). I've searched
> and Googled all over, but came up with nothing I can understand (in
> Hungarian, Chech, Italian). I've tried in other newsgroups, but to no
> avail. So please,
>
> Can anyone please fill me in. What is all that script stuff about?

On second thought: my guess is that comp.lang.javascript is probably a
better group, so follow-up set. Appologies for putting this in
ms-windows.misc, if that was not appropriate.

Colin Wilson

unread,
Oct 23, 2004, 6:59:20 PM10/23/04
to
> Can anyone please fill me in. What is all that script stuff about?

Not a clue, but it might be worth trying "HijackThis!" which lets you
control everything that loads on startup, as well as letting you disable
BHOs (browser helper objects) - be a little wary as this can be dangerous
if you remove something your machine needs to boot up correctly :-}

I`ve only got 2 BHOs listed - one for adobe acrobat, and the other is for
a Spybot S&D helper.

The other suggestion would be to try cwshredder - which I don`t think you
have (but just to make sure) which is a nasty little suite of IE kludges.
Sadly development on cwshredder stopped a couple of months ago, but it
removes CoolWebSearch, which AFAIK can`t be removed by Spybot or Adaware
(at least it couldn`t as of a few months ago)

I`ve got links from my page up here: www.phoenixbbs.co.uk

The links are not to the home page for HijackThis! as it is often offline
due to the spyware community trying to DDoS the site to death :-} but
they were legitimate versions as of a couple of months ago.

You could also try this generic test to see if it detects anything...

http://www.aumha.org/a/noads.php

--
Please add "[newsgroup]" in the subject of any personal replies via email
--- My new email address has "ngspamtrap" & @btinternet.com in it ;-) ---

Colin Wilson

unread,
Oct 23, 2004, 7:01:40 PM10/23/04
to
> Can anyone please fill me in. What is all that script stuff about?

Really clutching at straws here, since it sounds like you know how to
lock down your PC - could it be getting forced on you by your ISP ?

Barbara de Zoete

unread,
Oct 23, 2004, 8:42:00 PM10/23/04
to
Op Sun, 24 Oct 2004 00:01:40 +0100, schreef Colin Wilson
<vo...@btinternet.com>:

>> Can anyone please fill me in. What is all that script stuff about?
>
> Really clutching at straws here, since it sounds like you know how to
> lock down your PC - could it be getting forced on you by your ISP ?

This is almost the answer. It seems to be a script which is used by my
UMTS-connection to compress images and data (the latter mainly by deleting
all white space; so that's accounted for now too). I'm not too happy about
it. I'll contact Vodafone on the subject.

Thanks for thinking with me,

Jan Schlößin

unread,
May 12, 2005, 4:12:03 AM5/12/05
to
Barbara de Zoete wrote:
> Op Sun, 24 Oct 2004 00:01:40 +0100, schreef Colin Wilson
> <vo...@btinternet.com>:
>
>>> Can anyone please fill me in. What is all that script stuff about?
>>
>> Really clutching at straws here, since it sounds like you know how to
>> lock down your PC - could it be getting forced on you by your ISP ?
>
> This is almost the answer. It seems to be a script which is used by my
> UMTS-connection to compress images and data (the latter mainly by
> deleting all white space; so that's accounted for now too). I'm not too
> happy about it. I'll contact Vodafone on the subject.
>
> Thanks for thinking with me,
>

i also use vodafone umts and i'm not very happy about this lossy
'compression feature'. espacially during presentations it's not very
nice to press always a key combination according

"Shift+R improves the quality of this image.
CTRL+F5 reloads the whole page."

to get the real content. vodafone isn't able to / won't deactivate it.

so i have to do it myself. i studied the script bmi.js and found out
that it appends the string "bmi_orig_img" to images for the uncomressed
ones. that means there is a transparent proxy in the vodafone net which
filters all jpeg and gif images from a port 80 (http) (maybe some other
ports too: 8080, etc.) and compresses it with a data lossy encoding. :(

the script changes the url of the image to get the uncompressed version.
if the user presses a key combination (s.a.) for example the url
http://foo.bar/images/img1.jpeg
changes to
http://foo.bar/images/img1.jpeg/bmi_orig_img/img1.jpeg

and for images generted dynamically
http://foo.bar/file.php?image
changes to
http://foo.bar/file.php?image&bmi_orig_img=1

so, to get instantly the uncompressed images i have to change the html
source (according above) before loading the images. for example in a
local modified proxy or the browser.

any ideas how to do this?

thanks, jan

Reply all
Reply to author
Forward
0 new messages