Author Topic: f.txt  (Read 13346 times)

0 Members and 2 Guests are viewing this topic.

Xedafen

  • Guest
f.txt
« on: November 06, 2014, 03:16:52 am »
Hello, I was not sure if I should have put this here or in the other section of coding. Anyhoo, I have been trying to research what seems to be a virus, but I can find nothing. So I use google chrome on a mac, and adobe shockwave player does not work. I cant watch videos, etc. However, every few minutes a file names f.txt keeps downloading randomly, and now I have over 15 copies of the same file. Since its a .txt file I opened it to see what it was, and I am stumped. I was wondering if anyone could point out what this means, because I cant even recognize what language its written in (code wise) and it looks like gibberish code.
Code: [Select]
if (!window.mraid) {document.write('\x3cdiv class="GoogleActiveViewClass" ' +'id="DfaVisibilityIdentifier_1343211891813310628"\x3e');

}document.write('\x3ca target\x3d\x22_blank\x22 href\x3d\x22https://adclick.g.doubleclick.net/pcs/click?xai\x3dAKAOjstvoayYvErD7aBWQ9Gu5pSTc7TlGbKDPhbp0SeCgmhjm7_U1Q72HAoTqk7DtFgrf8gg2Ggw6thOIcj0KZ7aWsVYP3j9PYBNFK7S_gDW-c_5nFCR6qsDyUq9P4B2a-Ffr19X6FvcRT0\x26amp;sig\x3dCg0ArKJSzLYoVj_99SlW\x26amp;

adurl\x3dhttp://www.togetherwesave.com/%3Futm_source%3DTrivu%26utm_medium%3DDisplay%26utm_term%3DTWS%26utm_campaign%3DTS%2520Q2%25202014\x22\x3e\x3cimg src\x3d\x22https://s0.2mdn.net/viewad/4191887/1-tstone_300x60_TWS.GIF\x22 alt\x3d\x22Advertisement\x22 border\x3d\x220\x22 width\x3d\x22300\x22 height\x3d\x2260\x22\x3e\x3c/a\x3e');if (!window.mraid) {(function() {document.write('\x3c\x3e');

var avDiv = document.getElementById("DfaVisibilityIdentifier_1343211891813310628");

if (avDiv) {avDiv['_avi_'] = 'BP7323nFMVJrzLfGwwQGOsYCwAQAAAAAQATgByAEC4AQCoAY-';

avDiv['_avihost_'] = 'pagead2.googlesyndication.com';

}var glidar = document.createElement('script');

glidar.type = 'text/javascript';

glidar.async = true;

glidar.src = '//pagead2.googlesyndication.com/pagead/js/lidar.js';

var s = document.getElementsByTagName('script')[0];s.parentNode.insertBefore(glidar, s);

})();

}(function(){var f=function(a,c,b){return a.call.apply(a.bind,arguments)},g=function(a,c,b){if(!a)throw Error();

if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);

return function(){var b=Array.prototype.slice.call(arguments);

Array.prototype.unshift.apply(b,d);return a.apply(c,b)}}return function(){return a.apply(c,arguments)}},k=function(a,c,b){k=Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?f:g;

return k.apply(null,arguments)};

var l=document,m=window;var n=function(a){return{visible:1,hidden:2,prerender:3,preview:4}[a.webkitVisibilityState||a.mozVisibilityState||a.visibilityState||""]||0},p=function(a){var c;a.mozVisibilityState?c="mozvisibilitychange":a.webkitVisibilityState?c="webkitvisibilitychange":a.visibilityState&&(c="visibilitychange");

return c};var r=function(){this.g=l;this.j=m;this.i=!1;this.h=[];

this.m={};

if(3==n(this.g)){var a=k(this.o,this);

this.n=a;

var c=this.g,b=p(this.g);

c.addEventListener?c.addEventListener(b,a,!1):c.attachEvent&&c.attachEvent("on"+b,a)}else q(this)};

r.p=function(){return r.l?r.l:r.l=new r};var s=/^([^:]+:\/\/[^/]+)/m,t=/^\d*,(.+)$/m,q=function(a){if(!a.i){a.i=!0;

for(var c=0;c<a.h.length;++c)a.k.apply(a,a.h[c]);a.h=[]}};

r.prototype.q=function(a,c){var b=c.target.t();

(b=t.exec(b))&&(this.m[a]=b[1])};

r.prototype.k=function(a,c){var b;

if(b=this.s)i:{try{var d=s.exec(this.j.location.href),e=s.exec(a);

if(d&&e&&d[1]==e[1]&&c){var h=k(this.q,this,c);

this.s(a,h);b=!0;

break i}}catch(y){}b=!1}b||(b=this.j,b.google_image_requests||(b.google_image_requests=[]),d=b.document.createElement("img"),d.src=a,b.google_image_requests.push(d))};

r.prototype.o=function(){if(3!=n(this.g)){q(this);var a=this.g,c=p(this.g),b=this.n;

a.removeEventListener?a.removeEventListener(c,b,!1):a.detachEvent&&a.detachEvent("on"+c,b)}};

var u=function(a,c){var b=/(google|doubleclick).*\/pagead\/adview/.test(a),d=r.p(),e=a;if(b){b="&vis="+n(d.g);c&&(b+="&ve=1");

var h=e.indexOf("&adurl"),e=-1==h?e+b:e.substring(0,h)+b+e.substring(h)}d.i?d.k(e,c):d.h.push([e,c])},v=["pdib"],w=this;

v[0]in w||!w.execScript||w.execScript("var "+v[0]);for(var x;v.length&&(x=v.shift());

)v.length||void 0===u?w=w[x]?w[x]:w[x]={}:w[x]=u;})();pdib("https://googleads4.g.doubleclick.net/pagead/adview?ai\x3dB_i6a3nFMVJrzLfGwwQGOsYCwAQAAAAAQASAAOABQivOSQljG1pocYMnG2438pKgTggEJY2EtZ29vZ2xlsgEPd3d3LnlvdXR1YmUuY29tyAECqAMB4AQCmgUZCN3pWRDb2vA0GJT5s4cBIMbWmhwoj-3_AdoFAggBoAY-\x26sigh\x3dc8gVmk1_-7Q\x26adurl\x3d");


I also noticed something fishy about this file, it executes a .exe file (which was not downloaded) when clicking on an image on google images, I think. Thats the only bit of code I understand. I thought it was cool and was wondering if anyone would shed some light.
« Last Edit: November 06, 2014, 04:17:02 am by Xedafen »

Offline HTH

  • Official EZ Slut
  • Administrator
  • Knight
  • *
  • Posts: 395
  • Cookies: 158
  • EZ Titan
    • View Profile
Re: f.txt
« Reply #1 on: November 06, 2014, 03:22:06 am »
plz insert line breaks at all semi colons for even the slightest of help.
<ande> HTH is love, HTH is life
<TurboBorland> hth is the only person on this server I can say would successfully spitefuck peoples women

Xedafen

  • Guest
Re: f.txt
« Reply #2 on: November 06, 2014, 04:04:41 am »
plz insert line breaks at all semi colons for even the slightest of help.


I tried twice, this was still the outcome.

Offline p_2001

  • Royal Highness
  • ****
  • Posts: 684
  • Cookies: -64
    • View Profile
Re: f.txt
« Reply #3 on: November 06, 2014, 04:06:48 am »
Javascript. Apparently serves ads.
"Always have a plan"

Xedafen

  • Guest
Re: f.txt
« Reply #4 on: November 06, 2014, 04:15:59 am »
plz insert line breaks at all semi colons for even the slightest of help.
Fixed.

Xedafen

  • Guest
Re: f.txt
« Reply #5 on: November 06, 2014, 04:16:32 am »
Javascript. Apparently serves ads.


Thank you. Also i cleaned it up a bit, could you tell me anything more about it?
« Last Edit: November 06, 2014, 04:17:33 am by Xedafen »

Offline p_2001

  • Royal Highness
  • ****
  • Posts: 684
  • Cookies: -64
    • View Profile
Re: f.txt
« Reply #6 on: November 06, 2014, 05:31:27 am »
There isn't much to say.  This script seems to get ads from Google. Get image,  hyperlink it.   Also display it.
You should see it in action in chrome or Firefox.  Just use a debugger to step in.
add http debugger to monitor the data.  use  fiddler to see the data sent/received.
"Always have a plan"

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: f.txt
« Reply #7 on: November 06, 2014, 07:42:11 am »
It's probably part of some poorly coded adware, injects JS into websites or something to display LOTS of ads. I suggest to scan your puter with malwarebytes.

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Re: f.txt
« Reply #8 on: November 06, 2014, 09:37:17 am »
If you want help to remove the malware: Create a FRST log and post it here. DL link: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

If you think you can handle it alone, I suggest you run at least AdwCleaner, Junkware Removal Tool and Malwarebytes Antimalware.