Page 7 of 8

Re: Is my ISP injecting JS line ?

Posted: Fri Feb 01, 2008 12:50 pm
by pankaj-knj
I am facing the same problem since last 4 weeks. I was using AVG free 7.5 and AVG Anti AVG Anti-Spyware. Whenever I was trying to open any webpage in IE AVG was giving me warning of a virus "JS/Downloader.Agent". The file was locating in subfolder of "Temporary Internet Files" folder with the filename ads.htm/ads.js. After deleting it, It was coming back when ever I was trying to visit next page.

I run full scan several times, formated my PC twice but didn't worked nothing is working. Then I informed my situation to my cable operator, and asked if it is possible that I'm getting this virus from our LAN. They clearly said no it's not possible.

I posted my problem on a tech forum. They said I may be getting infected after visiting any infected site, or may be AVG is identifying a normal file :wink: as virus.

Someone suggest me to use Avast anitvirus so installed latest version of Avast. Now it giving me the warning of 'g.asdafdgfgf.com/ads.js' each time visiting any site.

When I goggled 'g.asdafdgfgf.com/ads.js' I found this thread.

Seems finally I've found answer of my problem and something to share with my cable operator. Just can't wait talk with them.

This thread is going to help thousands of users/operator. Thanks to everyone who contributed in this thread, specially Mr. Rohit, and Mr Anjanesh.

Regards,

Pankaj :)

Re: Is my ISP injecting JS line ?

Posted: Fri Feb 01, 2008 7:51 pm
by anjanesh
pankaj-knj wrote:Seems finally I've found answer of my problem and something to share with my cable operator. Just can't wait talk with them.
Same here. Its quite difficult to get this through because a lot of tech stuff needs to be explained and they just wont accept it.
Fortunately, Rohit has a very good relationship with his cable-operator.

Re: Is my ISP injecting JS line ?

Posted: Tue Feb 05, 2008 12:18 am
by netoptima
Your ISP is not injecting JS line. I can tell you for sure, as we are a broadband service provider in Secunderabad, India and facing same problem.

The problem is ARP spoofing by PCs in your physical network that are infected.

We have developed a windows application that will identify the PC infected with this virus.
We are releasing the application as freeware. You can download the application from http://www.netoptima.in/arprotect

Anil Chandra K

Re: Is my ISP injecting JS line ?

Posted: Thu Feb 21, 2008 8:08 am
by netoptima
Your ISP is not injecting JS line. I can tell you for sure, as we are a broadband service provider in Secunderabad, India and facing same problem.

The problem is ARP spoofing by PCs in your physical network that are infected.

We have developed a windows application that will identify the PC infected with this virus.
We are releasing the application as freeware. You can download the application from http://www.netoptima.in/arprotect

Anil Chandra K
Your ISP is not injecting JS line. I can tell you for sure, as we are a broadband service provider in Secunderabad, India and facing same problem.

The problem is ARP spoofing by PCs in your physical network that are infected.

We have developed a windows application that will identify the PC infected with this virus.
We are releasing the application as freeware. You can download the application from http://www.netoptima.in/arprotect

Anil Chandra K

Re: Is my ISP injecting JS line ?

Posted: Thu Feb 21, 2008 9:01 am
by matthijs
netoptima wrote: We have developed a windows application that will identify the PC infected with this virus.
We are releasing the application as freeware. You can download the application from http://www.netoptima.in/arprotect
Anil Chandra K
Windows user: of course you're very careful and do some research before downloading and installing some freeware like this.

Re: Is my ISP injecting JS line ?

Posted: Thu Feb 21, 2008 9:22 am
by anjanesh
netoptima - if you could release the source for this prorgram, you would get a better feedback, as they wouldnt doubt the program itself to do something not intended to.

Re: Is my ISP injecting JS line ?

Posted: Sat Apr 05, 2008 10:11 am
by crazy
Hi, I'm from Hyderabad, India and just searched thru to this page from google. I have this exact same problem since 3 days :(

Strange not much info on this on the net and also this thread inactive since a month? The problem is I am a newbie when it comes to most computer issues and my cable operator is useless. I do have a constantly updated Avast antivirus which warns me of the js (calls it HTML:Malware in the same u:/asadgfgf...) and aborts the connection.

The scary part for me is reading on this thread that even on format and re-install of OS the problem wont go away! Anyway, what I wanted to ask Anjanesh and Rohit is, suppose I format C: and re-install the OS, AND CHANGE THE ISP (luckily there are at least 10 ISPs in my area), at least then will the problem be gone? Because i am a novice and cant do many of the things outlined in the posts above and my work is at a complete standstill because of this...

Many thanks

Re: Is my ISP injecting JS line ?

Posted: Sat Apr 05, 2008 10:28 am
by anjanesh
If you are using Internet Explorer with ActiveX enabled & have Real Player installed on your machine, then its safer to format C drive. This attack is totally harmless to your computer if cant run any of the ActiveX objects.

Changing this ISP may solve the issue, if their network hardware is not prone to such attacks.

Use FireFox with AdBlockPlus & you're all set.

Re: Is my ISP injecting JS line ?

Posted: Sat Apr 05, 2008 11:42 am
by crazy
Thanks Anjanesh, you say "This attack is totally harmless to your computer if cant run any of the ActiveX objects." does this mean that Avast is blocking it out sucessfully before it can do damage? one symptom is that when i unplug the internet cable and run a complete virus scan (using Avast, Spybot, Adaware, etc), i am 100% clean

Re: Is my ISP injecting JS line ?

Posted: Sat Apr 05, 2008 12:03 pm
by anjanesh
crazy wrote:Thanks Anjanesh, you say "This attack is totally harmless to your computer if cant run any of the ActiveX objects." does this mean that Avast is blocking it out sucessfully before it can do damage? one symptom is that when i unplug the internet cable and run a complete virus scan (using Avast, Spybot, Adaware, etc), i am 100% clean
I dont know if Avast is blocking it or not. But even if it isnt, the injected JS line could do harm to your PC if you are using Internet Explorer with ActiveX enabled. If you have RealPlayer & some other toolbar installed, it can cause a lot of damage.

Login to Windows as Administrator
Open notepad
Open this file: C:\WINDOWS\system32\drivers\etc\hosts
Add the following at the end:

Code: Select all

127.0.0.1       222360.com
127.0.0.1       a.222360.com
127.0.0.1       b.222360.com
127.0.0.1       c.222360.com
127.0.0.1       d.222360.com
127.0.0.1       e.222360.com
127.0.0.1       f.222360.com
127.0.0.1       g.222360.com
127.0.0.1       h.222360.com
127.0.0.1       i.222360.com
127.0.0.1       j.222360.com
127.0.0.1       k.222360.com
127.0.0.1       l.222360.com
127.0.0.1       m.222360.com
127.0.0.1       n.222360.com
127.0.0.1       o.222360.com
127.0.0.1       p.222360.com
127.0.0.1       q.222360.com
127.0.0.1       r.222360.com
127.0.0.1       s.222360.com
127.0.0.1       t.222360.com
127.0.0.1       u.222360.com
127.0.0.1       v.222360.com
127.0.0.1       w.222360.com
127.0.0.1       x.222360.com
127.0.0.1       y.222360.com
127.0.0.1       x.222360.com
 
127.0.0.1       asdafdgfgf.com
127.0.0.1       a.asdafdgfgf.com
127.0.0.1       b.asdafdgfgf.com
127.0.0.1       c.asdafdgfgf.com
127.0.0.1       d.asdafdgfgf.com
127.0.0.1       e.asdafdgfgf.com
127.0.0.1       f.asdafdgfgf.com
127.0.0.1       g.asdafdgfgf.com
127.0.0.1       h.asdafdgfgf.com
127.0.0.1       i.asdafdgfgf.com
127.0.0.1       j.asdafdgfgf.com
127.0.0.1       k.asdafdgfgf.com
127.0.0.1       l.asdafdgfgf.com
127.0.0.1       m.asdafdgfgf.com
127.0.0.1       n.asdafdgfgf.com
127.0.0.1       o.asdafdgfgf.com
127.0.0.1       p.asdafdgfgf.com
127.0.0.1       q.asdafdgfgf.com
127.0.0.1       r.asdafdgfgf.com
127.0.0.1       s.asdafdgfgf.com
127.0.0.1       t.asdafdgfgf.com
127.0.0.1       u.asdafdgfgf.com
127.0.0.1       v.asdafdgfgf.com
127.0.0.1       w.asdafdgfgf.com
127.0.0.1       x.asdafdgfgf.com
127.0.0.1       y.asdafdgfgf.com
127.0.0.1       x.asdafdgfgf.com

Re: Is my ISP injecting JS line ?

Posted: Sat Apr 05, 2008 12:04 pm
by Benjamin
Can't you do:
127.0.0.1 *.asdafdgfgf.com
Dunno if winblows can figure out what the * means though.

Re: Is my ISP injecting JS line ?

Posted: Sat Apr 05, 2008 12:15 pm
by anjanesh
astions wrote:Can't you do:
127.0.0.1 *.asdafdgfgf.com
Dunno if winblows can figure out what the * means though.
Nope. But this is possible in Windows Server by editing a different config DNS file. Dont remember which config section it is.

Re: Is my ISP injecting JS line ?

Posted: Sat Apr 05, 2008 1:04 pm
by crazy
thanks anjanesh,
i have uninstalled real player and 3 toolbars (google, yahoo and another).

About those lines of code, do they block those addresses?

Re: Is my ISP injecting JS line ?

Posted: Sat Apr 05, 2008 1:12 pm
by anjanesh
crazy wrote:About those lines of code, do they block those addresses?
Yes.

Most important of all - use FireFox instead of IE.

Re: Is my ISP injecting JS line ?

Posted: Sat Apr 12, 2008 11:52 am
by crazy
I formatted the hard disk. On reinstall of OS, I updated the hosts file as explained by Anjanesh above. I changed the ISP to a large, reputed one. Now I dont have this problem anymore, the computer is clean of viruses and not crashing (it was crashing in the battle between that malicious ads.js and Avast antivirus which was trying to protect me from it). I have also re-installed Real Player and those toolbars and using IE7 again and still no problems since 6 days. I will try and come back again after some days to confirm, but Im sure the problem is fixed now that I have switched ISPs.

This post might seem unnecessary but its just for the benefit of computer novices like me - because this is a special virus which cant be cleaned by any AntiVirus software or format of comp. Also, this thread's page is now the 1st Google result for most search strings on this subject. It confirms the things mentioned in the thread. I thank Anjanesh, Rohit and others - I wouldn't have been able to get back to work without this thread.