

Title: f.txt
Post by: Xedafen on November 06, 2014, 03:16:52 AM
Hello, I was not sure if I should have put this here or in the other section of coding. Anyhoo, I have been trying to research what seems to be a virus, but I can find nothing. So I use Google Chrome on a Mac, and Adobe Shockwave Player does not work. I can't watch videos, etc. However, every few minutes a file named f.txt keeps downloading randomly, and now I have over 15 copies of the same file. Since it's a .txt file I opened it to see what it was, and I am stumped. I was wondering if anyone could point out what this means, because I can't even recognize what language it's written in (code wise) and it looks like gibberish code.
// De-obfuscated form of the first half of the pasted "f.txt": a standard
// DoubleClick display-ad creative and its viewability hook. The \xNN escapes
// in the original are ordinary ASCII ('<' '>' '=' '"' '&') and are spelled
// out here; the click URL that the forum paste split at "&amp;" (the poster
// inserted a line break after every semicolon) is rejoined into one literal.
// Every network target in this half is visible below:
//   - adclick.g.doubleclick.net   (click-tracking redirect to togetherwesave.com)
//   - s0.2mdn.net                 (the 300x60 creative image)
//   - pagead2.googlesyndication.com/pagead/js/lidar.js (viewability script)
// Nothing here references an executable or touches local files.

// window.mraid exists only inside an MRAID in-app ad container; in a normal
// browser page it is undefined, so the creative is wrapped in a div that the
// viewability script can find by id.
if (!window.mraid) {
  document.write(
    '<div class="GoogleActiveViewClass" id="DfaVisibilityIdentifier_1343211891813310628">'
  );
}

// The creative: a 300x60 image inside the click-tracking link. The "&amp;"
// entities are left as written because this text is parsed as HTML, not as a URL.
document.write(
  '<a target="_blank" href="https://adclick.g.doubleclick.net/pcs/click' +
    '?xai=AKAOjstvoayYvErD7aBWQ9Gu5pSTc7TlGbKDPhbp0SeCgmhjm7_U1Q72HAoTqk7DtFgrf8gg2Ggw6thOIcj0KZ7aWsVYP3j9PYBNFK7S_gDW-c_5nFCR6qsDyUq9P4B2a-Ffr19X6FvcRT0' +
    '&amp;sig=Cg0ArKJSzLYoVj_99SlW' +
    '&amp;adurl=http://www.togetherwesave.com/%3Futm_source%3DTrivu%26utm_medium%3DDisplay%26utm_term%3DTWS%26utm_campaign%3DTS%2520Q2%25202014">' +
    '<img src="https://s0.2mdn.net/viewad/4191887/1-tstone_300x60_TWS.GIF"' +
    ' alt="Advertisement" border="0" width="300" height="60">' +
    '</a>'
);

if (!window.mraid) {
  // The pasted file writes the two-character string '<>' here. A closing
  // '</div>' for the wrapper above would be expected at this point, so the
  // tag name may have been lost in the forum copy; reproduced as pasted.
  document.write('<>');

  // Expando properties (not DOM attributes) on the wrapper carrying the ad
  // impression id and the reporting host — presumably read by lidar.js.
  const avDiv = document.getElementById('DfaVisibilityIdentifier_1343211891813310628');
  if (avDiv) {
    avDiv._avi_ = 'BP7323nFMVJrzLfGwwQGOsYCwAQAAAAAQATgByAEC4AQCoAY-';
    avDiv._avihost_ = 'pagead2.googlesyndication.com';
  }

  // Load the viewability script asynchronously over a protocol-relative URL,
  // inserted in front of the first <script> already on the page.
  const lidarScript = document.createElement('script');
  lidarScript.type = 'text/javascript';
  lidarScript.async = true;
  lidarScript.src = '//pagead2.googlesyndication.com/pagead/js/lidar.js';
  const firstScript = document.getElementsByTagName('script')[0];
  firstScript.parentNode.insertBefore(lidarScript, firstScript);
  // This if-block is closed by the '}' that begins the next line of the paste,
  // which then runs straight into the impression-reporting (pdib) function.

// The leading '}' closes the `if (!window.mraid)` block opened above. What
// follows is the second, self-invoking half of the pasted "f.txt": a minified
// impression-reporting helper in the Closure Library style. It defines one
// global, pdib(url, flag), and calls it once at the very end with a
// googleads4.g.doubleclick.net/pagead/adview URL — an ad-impression beacon.
// Triage summary: the only hosts named anywhere in this file are Google ad
// hosts (doubleclick.net, 2mdn.net, googlesyndication.com); nothing in this
// span launches a program or reads local files. The file itself does not
// explain why the browser keeps saving it to disk. Identifier meanings below
// are recovered from how each symbol is used; names like g/j/i/h/m are
// minifier output, not the original names.
//
// f: bind through the native Function.prototype.bind (a.bind(c, b, ...)).
// g: hand-rolled bind fallback — throws if `a` is falsy, and prepends any
//    extra arguments (arguments[2..]) to each call.
}(function(){var f=function(a,c,b){return a.call.apply(a.bind,arguments)},g=function(a,c,b){if(!a)throw Error();

if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);

return function(){var b=Array.prototype.slice.call(arguments);

// Prepend the pre-bound arguments, then invoke `a` with `c` as `this`.
// k: on its first call picks f when a native Function.prototype.bind exists
// (detected by looking for "native code" in its source text), otherwise g,
// then replaces itself with that choice so later calls skip the check.
Array.prototype.unshift.apply(b,d);return a.apply(c,b)}}return function(){return a.apply(c,arguments)}},k=function(a,c,b){k=Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?f:g;

return k.apply(null,arguments)};

// l / m: the document and window.
// n(doc): Page Visibility state as a small integer — visible=1, hidden=2,
//   prerender=3, preview=4, unknown/unsupported=0 — trying the webkit- and
//   moz-prefixed properties before the standard one.
// p(doc): the matching (possibly vendor-prefixed) "visibilitychange" event
//   name; undefined when the document exposes no visibility state.
var l=document,m=window;var n=function(a){return{visible:1,hidden:2,prerender:3,preview:4}[a.webkitVisibilityState||a.mozVisibilityState||a.visibilityState||""]||0},p=function(a){var c;a.mozVisibilityState?c="mozvisibilitychange":a.webkitVisibilityState?c="webkitvisibilitychange":a.visibilityState&&(c="visibilitychange");

// r: constructor of the reporter singleton. g = document, j = window,
// i = "ready" flag, h = queue of [url, flag] pairs deferred while the page is
// prerendering, m = map of url -> captured response text (filled by r.prototype.q).
return c};var r=function(){this.g=l;this.j=m;this.i=!1;this.h=[];

this.m={};

// If the document is being prerendered (state 3), wait for visibilitychange
// with a bound r.prototype.o before sending anything; otherwise mark the
// instance ready immediately via q().
if(3==n(this.g)){var a=k(this.o,this);

this.n=a;

var c=this.g,b=p(this.g);

// addEventListener, with the attachEvent("on..." ) fallback for old IE.
c.addEventListener?c.addEventListener(b,a,!1):c.attachEvent&&c.attachEvent("on"+b,a)}else q(this)};

// r.p(): lazily created singleton instance, cached on r.l.
// s: regex capturing the scheme://host prefix of a URL (used as an origin check).
// t: regex capturing the text that follows a leading "<digits>," prefix.
// q(inst): mark the instance ready and flush every queued request through inst.k().
r.p=function(){return r.l?r.l:r.l=new r};var s=/^([^:]+:\/\/[^/]+)/m,t=/^\d*,(.+)$/m,q=function(a){if(!a.i){a.i=!0;

for(var c=0;c<a.h.length;++c)a.k.apply(a,a.h[c]);a.h=[]}};

// r.prototype.q(url, evt): response callback for the same-origin path — reads
// evt.target.t() (an accessor not defined anywhere in this listing), applies
// regex t to the result and stores the captured text in this.m[url].
r.prototype.q=function(a,c){var b=c.target.t();

(b=t.exec(b))&&(this.m[a]=b[1])};

// r.prototype.k(url, flag): send one request. If this.s is set — it is never
// assigned anywhere in this listing, so this branch is dead here — and url
// shares scheme://host with the page and flag is truthy, hand the url and a
// bound q-callback to this.s; `i:` is a labelled block that `break i` exits
// after success, and any exception is swallowed so b ends up false.
r.prototype.k=function(a,c){var b;

if(b=this.s)i:{try{var d=s.exec(this.j.location.href),e=s.exec(a);

if(d&&e&&d[1]==e[1]&&c){var h=k(this.q,this,c);

this.s(a,h);b=!0;

// Fallback — the path that actually runs in this listing: fire the request
// as an image beacon by creating an <img> whose src is the url, and keep a
// reference in window.google_image_requests (presumably so the element stays
// alive until the request completes).
break i}}catch(y){}b=!1}b||(b=this.j,b.google_image_requests||(b.google_image_requests=[]),d=b.document.createElement("img"),d.src=a,b.google_image_requests.push(d))};

// r.prototype.o(): visibilitychange handler — once the document has left the
// prerender state, flush the queue via q() and detach this listener
// (removeEventListener, or detachEvent on old IE).
r.prototype.o=function(){if(3!=n(this.g)){q(this);var a=this.g,c=p(this.g),b=this.n;

a.removeEventListener?a.removeEventListener(c,b,!1):a.detachEvent&&a.detachEvent("on"+c,b)}};

// u(url, flag) — exported below as pdib. For URLs that look like a
// Google/DoubleClick "/pagead/adview" impression URL, append "&vis=<visibility
// state>" (plus "&ve=1" when flag is truthy), inserted just before any
// "&adurl" parameter so the click-through URL stays last. Then send now if the
// singleton is ready, or queue the pair for o() to flush later.
var u=function(a,c){var b=/(google|doubleclick).*\/pagead\/adview/.test(a),d=r.p(),e=a;if(b){b="&vis="+n(d.g);c&&(b+="&ve=1");

var h=e.indexOf("&adurl"),e=-1==h?e+b:e.substring(0,h)+b+e.substring(h)}d.i?d.k(e,c):d.h.push([e,c])},v=["pdib"],w=this;

// Export, in the Closure goog.exportSymbol idiom: w is `this`, which is the
// global object (window) only when this runs as a classic non-strict script —
// under strict mode or as an ES module `this` is undefined here and the `in`
// test below throws. execScript is the old-IE way of declaring a global var.
// The loop walks the dotted name in v (just "pdib" here), creating {} for
// intermediate namespaces and assigning u at the leaf.
v[0]in w||!w.execScript||w.execScript("var "+v[0]);for(var x;v.length&&(x=v.shift());

// Immediate use: report one impression. \x3d and \x26 are just "=" and "&".
// The ai= value is base64-like and contains the substrings Y2EtZ29vZ2xl and
// d3d3LnlvdXR1YmUuY29t, which are the base64 spellings of "ca-google" and
// "www.youtube.com" — a hint that the creative was served on a YouTube page;
// decode the whole value to confirm before relying on that.
)v.length||void 0===u?w=w[x]?w[x]:w[x]={}:w[x]=u;})();pdib("https://googleads4.g.doubleclick.net/pagead/adview?ai\x3dB_i6a3nFMVJrzLfGwwQGOsYCwAQAAAAAQASAAOABQivOSQljG1pocYMnG2438pKgTggEJY2EtZ29vZ2xlsgEPd3d3LnlvdXR1YmUuY29tyAECqAMB4AQCmgUZCN3pWRDb2vA0GJT5s4cBIMbWmhwoj-3_AdoFAggBoAY-\x26sigh\x3dc8gVmk1_-7Q\x26adurl\x3d");


I also noticed something fishy about this file: it executes a .exe file (which was not downloaded) when clicking on an image on Google Images, I think. That's the only bit of code I understand. I thought it was cool and was wondering if anyone would shed some light.
Title: Re: f.txt
Post by: HTH on November 06, 2014, 03:22:06 AM
plz insert line breaks at all semi colons for even the slightest of help.
Title: Re: f.txt
Post by: Xedafen on November 06, 2014, 04:04:41 AM
plz insert line breaks at all semi colons for even the slightest of help.


I tried twice, this was still the outcome.
Title: Re: f.txt
Post by: p_2001 on November 06, 2014, 04:06:48 AM
Javascript. Apparently serves ads.
Title: Re: f.txt
Post by: Xedafen on November 06, 2014, 04:15:59 AM
plz insert line breaks at all semi colons for even the slightest of help.
Fixed.
Title: Re: f.txt
Post by: Xedafen on November 06, 2014, 04:16:32 AM
Javascript. Apparently serves ads.


Thank you. Also i cleaned it up a bit, could you tell me anything more about it?
Title: Re: f.txt
Post by: p_2001 on November 06, 2014, 05:31:27 AM
There isn't much to say. This script seems to get ads from Google: get an image, hyperlink it, and display it.
You should see it in action in Chrome or Firefox. Just use a debugger to step in.
Add an HTTP debugger to monitor the data. Use Fiddler to see the data sent/received.
Title: Re: f.txt
Post by: Kulverstukas on November 06, 2014, 07:42:11 AM
It's probably part of some poorly coded adware that injects JS into websites or something to display LOTS of ads. I suggest scanning your puter with Malwarebytes.
Title: Re: f.txt
Post by: Deque on November 06, 2014, 09:37:17 AM
If you want help removing the malware: create a FRST log and post it here. DL link: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

If you think you can handle it alone, I suggest you run at least AdwCleaner, Junkware Removal Tool and Malwarebytes Anti-Malware.