Help Needed

[paul]

My computer has been playing up for a few weeks and today I found that all web pages have the following, in the source code:

<script language='javascript' src='http://127.0.0.1:1025/js.cgi?pca&r=18598'></script>

has anyone come across this before?



Paul




Breakdown Cover

 

[ONExFOUR]

Port 1025 is Microsoft Remote Procedure Call (RPC) service.
Currently inbound scans are likely RPC and LSA exploit attempts against the Windows, which by default should be blocked by your firewall. Ensure that your systems have the latest patches installed from Microsoft.

Outbound scans if occurring in volume should be considered an indication of a possible worm infection on the source computer and should be investigated.

 

[aqls]

Just guessing, but perhaps look for and delete (rename) anything called js.cgi on your machine, and check periodically if it pops up again?

-aqls-

 

[FisherMan]

Looks like it something to do with ZoneAlarm ...

what's this? 'http://127.0.0.1:1043/js.cgi?p

 

[paul]

Thanks all for the replies.

FisherMan I think you are right it started about the time I installed zonealarm, and the link you posted describes exactly what I am seeing.

Anyone else hear using zonealarm? and if so, do you see the same thing when you view the source of any web page?

Thanks

Paul

 

[grantw]

I'm using it and I don't see it. v strange, suppose you may have something turned on that I dont?

Grant

 

[grantw]

Reading around it souns like it is something to do with an ad blocker setting being turned on, possibly the popup blocker?

Grant

 

[grantw]

WebDeveloper.com - View Single Post - How to Force client press Refresh to view content of webpage ?

 

[paul]

Hi Grant

yes does seem strange, I can only guess it's a problem with my machine. Here's the first few lines of source code from DomainPrices.co.uk as I see it:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Domain Name Sales Prices from DomainPrices.co.uk</title>
<meta name="description" content="Domain Sales values for UK Domain Names. Domain Prices lists all publically know domain sales in the UK market. Use this information to find out how much your website address is worth.">
<meta name="keywords" content="Domain Name Sales Prices, domain sales, domain name sales, co uk, internet address, internet addresses, company names, domain value, domain appraisal, sedo, sedopro, namedrive, domain name parking">
<link rel="stylesheet" type="text/css" href="acorndomains.css" />



<script language='javascript' src='http://127.0.0.1:1025/js.cgi?pca&r=25734'></script>

<script>
<!--
function land(ref, target).....................



and the last few lines

........................</div>
</body>
</html>
<script language='javascript'>postamble();</script>


I guess you see the same but without the highlighted bit?

 

[grantw]

Did you see the link I posted above. The code links to the file on your pc that zonealarm uses to filter out advertising etc. on web pages so I assume you must have some of the ad blocking options turned on.

Grant

 

[grantw]

I just changed the ad blocking setting from off to medium and can now see it too

Grant

 

[paul]

turned mine off now and rebooted my machine.

Still seeing the code at the top of the page but the code at the bottom has now gone.

I guess it must be to do with another setting and nothing too much to worry about

Thanks for your help Grant.

 

[grantw]

Cookie control setting also does it

grant

 

[paul]

Cookie control setting also does it

grant

You're a star, thanks