It’s 3.30am and way past my bedtime, but I feel this is extremely important and I must highlight this to everyone.
A few days ago, one of my website clients complained that the blog I setup for them on their server using WordPress could not be accessed. When I checked, it appeared to have a PHP header problem and I had no idea why it should occur, but I merely upgraded the WordPress installation and it seemed to solve the problem. Because he had that problem, I thought I had better check on all my other WordPress blogs on our own hosted servers; and they all had the same problem.
I thought that WordPress was probably having a Christmas party and caused all WordPress blogs to fail. I didn’t have time to check if all other WordPress users had the same problem, but since it was solved easily enough by upgrading the installation.
Later though the same client told me that one of their staff who was updating some things on their website (the non-Wordpress main section) discovered a Trojan called JS:Illredir-B [Trj] when she accessed their website. A brief Google search using that name unearthed nothing. I found sites quoting similar issues though.
http://www.prelovac.com/vladimir/warning-website-virus-attack
http://forum.avast.com/index.php?topic=52476.0
About the Trojan
What’s so dangerous about Trojans? Basically, Trojans are harmful software which, while it seems to be doing what you asked it to do, is busy doing other things that you didn’t ask it to do… like, sending information (credit card information, personal information, financial information, etc) secretly to other people. Or they could rewrite certain codes or links in your browsers so that you are redirected to other websites without your knowledge. For example, you may be trying to visit your bank’s website, and you do key in the website URL manually, but you are rerouted to a phishing website which looks identical because of the code rewrite in your browser.
I’m not sure about what this Trojan really does – I’m not a virus expert. If anyone knows, or when I do find out, I’ll update.
Protect Yourself
I haven’t researched enough or spoken to enough people to find out which of their antiviruses work. It’s in the middle of the night so very few people are awake. All I can say here is, I’m using AVG and this antivirus did not detect the trojan. My client himself who uses Avira also said it was not detected. I’m not here to promote any particular antivirus actually, but my client’s staff (the one who detected it) used Avast Antivirus, so perhaps this may be a good one to use.
How Do We Tell Which Websites Are Under Attack?
Well, in my case, all the websites I was taking care of appeared to be have been attacked. I’ve managed to fix them, but I’ll have to keep an eye on them to make sure that they aren’t attacked again.
I’d like to appeal to everyone out there to be aware of this and to help where you can. My guess is that it is possible that there are many websites out there that have been attacked, but the owners or webmasters are unaware of it. This is because the webpage does not look any different from what it usually does, and this is why it’s so dangerous! Please note that the website owners themselves may not be the perpetrators, and are victims. If you have found any website that has been subjected to the trojan attack, please help out by informing the website owner and/or webmaster right away so that action can be taken.
Here is how you can find out whether the website has been attacked:
- Website seems to be loading slower than usual.
- When the website is loading, check the status bar. If the status bar indicates that there is some traffic being routed to websites of unusual names that are not related to the current website in any way, it is very possible that the website has been attacked.
- The easiest way to find out is to take a look at the page source. Go all the way to the bottom. After </html>, if there is something similar to the following, it indicates that the website has been under attack. This code which appears to be gibberish may also appear anywhere INSIDE the website instead of after </html>.
How to view the page source:
- Internet Explorer: View menu > Source
- Firefox: View menu > Page Source
- Google Chrome: Right-click anywhere on the page > View page source
- Opera: View menu > Page Source
- Safari: Right-click anywhere on the page > View Source OR View menu > View source
Fixing The Websites
For those of you who own websites and would like to know how to remove the trojan, it’s easy – just remove the extra code. Not all files are affected, I’ve found that mostly the following files are affected:
- Files named index or have the word index in them. E.g. index.html, index.php, index.htm, index_main.htm
- Files named home or have the word home in them. E.g. home.html, homepage.htm
- Files named main or have the word main in them. E.g. main.html, main_page.htm
- Files named header or have the word header in them. E.g. header.php, header.inc, header_main.php
- Files named footer or have the word footer in them. E.g. footer.php, footer.inc, footer_main.php
- All javascript files with the .js extension. E.g. javascript.js, functions.js
All folders in your server will be affected, including the root folder, the subfolders, the subdomains, and the subfolders in the subdomains.
While some forums suggest that only Linux servers are affected, I’ve found some of my clients who use Windows servers are also affected.
I think that there are some scripts available for you to download and use on your server so that it will automatically scan and remove the code from all affected files, but I didn’t look for them because some of the other users warned that the files themselves have the virus in them. It’s tedious to remove the codes one by one, of course. What I did was to check the last modified date of the files – in my case, the files were affected on 24th and 25th December 2009. That way, I easily detected which files were modified, and I either removed the code manually or I reuploaded my local copy onto the server. It’s tedious, but I know it works.
If anyone has found anything to add to the above, please let me know by email or by commenting. This is pretty dangerous and it’s so malicious… so please be vigilant and do your bit to help out and spread the word.
One more thing I’d like to add: Don’t expect your webhosting provider to inform you or to work on the problem for you. The moment I discovered this, I wrote to all the webhosting providers that my different websites reside on to ask them to check how this could have happened, and to also ask them to inform their clients, and their responses were about the same. They asked me to choose a password that was difficult to guess, and one said I was the only account affected – and this by a company whom I bought several packages from, ALL of which had been attacked.
133 comments
22 pings
Mike says:
December 30, 2009 at 1:33 pm (UTC 8)
Below is the script removing malicious entries from all affected files. Clean one.
As per article the main thing is to change the password and don’t use Total Commander for FTP uploads and/or password storage.
http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz
Mike,
Cheers
Paolo says:
December 30, 2009 at 7:47 pm (UTC 8)
This virus spread through “normal” files. When openend It will edit some of your windows start up files , so you won’t be able to restart windows.
But before that it will look for an ftp progam en log in on each of your sites and do the above.
Not a really nice christmass present.
Removing it is quite easy as stated above.
Good luck.
zyenweb says:
December 31, 2009 at 12:44 am (UTC 8)
Mike, you’re a lifesaver. Thank you so much! There was a problem with the script though but I managed to fix it myself … and it’s cleared up all the files for me. Whoo!!!
Paolo, you are soooo right. What a way to end 2009
You are both right, I’m guessing this trojan has attacked all my websites because I have the passwords saved in my FTP program, so that’s the danger. My main problem was that the antivirus I installed did not catch the virus, hence my laptop was affected … and that’s probably why my laptop slowed down considerably. I reformatted my laptop because it was driving me nuts.
I learn something new everyday.
Mihai says:
December 31, 2009 at 12:47 am (UTC 8)
i need help with this
i changed FTP passwords
i used the removal tool
second i reopen a disinfected file the code is back there
help please
zyenweb says:
December 31, 2009 at 12:59 am (UTC 8)
Mihai, can I know what your website is so we can take a look? I’ll do my best to help you. The script Mike gave above works for me, but I had to modify it because there was a few lines that my server couldn’t process even though they look right.
Mihai says:
December 31, 2009 at 1:16 am (UTC 8)
i checked some of these removal files
and the virus code in them is different than my virus code on my website
Mike says:
December 31, 2009 at 7:08 am (UTC 8)
Hi,
It’s really easy to modify my original script to remove virtually any unwanted code from a file.
I see that website you’ve specified in here is already clean, however if this is not the case let me know and I will modify the script.
Thanks,
Mike
Jorge says:
December 31, 2009 at 11:04 pm (UTC 8)
Dear Mike,
Thanks for the script, and so many thanks to the autor of this article, this save me the life today… Day 26th of December all my websites are infected… and thanks to this i can clear it ( at least one of my webpages ) .
Only one thing, when i start the script i have problems with all files by permissions : Permission denied in xxxxx remove-js-illredir-b.php on line 116 , How can i fix this??? i need to change the rights for all folders???
Regards
@rjen says:
January 1, 2010 at 6:40 pm (UTC 8)
Thanks, I was hit as well and managed to remove the codes from alle files. $%$@#$!.
Does anyone know what the virus does in Wondows exactly?
Dinesh says:
January 1, 2010 at 9:46 pm (UTC 8)
can you help me also please? my website is http://www.institute.org.in and it is a subdomain basically,the main domain is http://www.aieeehelpline.com i have copied the script provided by you and the script is accessible at http://www.aieeehelpline.com/remove-js-illredir-b.php . please help me . i am a newbie
lena says:
January 3, 2010 at 1:20 am (UTC 8)
please help , i’ve tried everything , i’ve deleted the trojan file during virus scan on my pc last week, i’ve cleared my ftp account and reinstalled the website for the fifth time now. , i’ve used the above script which fixed some of the files, but avast is still flashing out warning when viewing the site.
Nemo says:
January 3, 2010 at 8:07 pm (UTC 8)
A website I am currently working on for a friend was infected with ‘JS:Illredir-B [Trj]‘ which my outdated NOD32 had missed but my friend had detected with Avast. There isn’t much to the site yet so we manually removed the script. The file infected was ‘home.html’. I have used CuteFTP to upload to the server and had the program remember the user-name and password. How was the file infected? Did the infection start from my end?
Within the same day my computer received some odd message that a ‘security update has been successfully installed’ and my computer instantly restarted itself. No longer able to boot into windows I did a scan with hijackthis in safe mode and discovered ‘siszyd32.exe’, a nasty new virus, in my windows startup. I saw paoplo’s post so I thought I would share this as its possible that there is a link between these two occurrences.
Now, should I reinstall windows or buy a mac?
Libraium says:
January 3, 2010 at 9:44 pm (UTC 8)
Hi, I have the same problem with my website, www . librarium . altervista . org
I tried the Mike’s script, but it doesn’t work, it tells me:
Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or ‘}’ in /membri/librarium/remove-js-illredir-b.php on line 59
Can you help me?
zyenweb says:
January 3, 2010 at 10:36 pm (UTC 8)
Hi everyone. Sorry for not approving your comments earlier; I hadn’t checked my dashboard the past few days. In view of the many comments, I’ve decided to temporarily allow all comments to be approved since this is a serious issue.
@Jorge – I managed to clear out my files with Mike’s script without any change in permissions. The standard permissions on my folders and subfolders are 755 and the files 644. Are those your permissions too? Maybe Mike can comment to help you out on this.
@rjen – I’m not sure what the trojan this… still reading up to find out more!
@Nemo – I think you were infected the same way I was. All my sites which I accessed via Filezilla were infected, as I had Filezilla remember the usernames and passwords, which now obviously is a dangerous thing to do. I think it is very probably that we were infected by another website that our anti-virus did not detect, and hence affected all our websites! About your computer – perhaps you ought to consider reformatting it? Back everything up first, of course. Mac has less virus attacks, but that doesn’t mean there are none. It also comes down to how comfortable you are with using Macs. I’m not sure what the price difference is where you are, but here in Malaysia, a Mac cost about 50-100% more than a PC of equivalent specs, so we’d only get a Mac if we really, really want one (and can afford it).
@Dinesh – I ran the script on your website but your subdomain doesn’t seem to be listed, so maybe that’s why. Can you try uploading it to the root of your subdomain and then run it from there?
@Lena – I accessed your website and it seems to be clean now. Are you still facing the same problem?
@Libraium – I had the same problem too. What I did was I put lines 59-62 in comments (envelope them with /* and */) and then it worked like a charm. I’m not sure why those lines don’t work, as they look correct; still looking into it.
Mike says:
January 4, 2010 at 2:32 am (UTC 8)
@All
Latest version of the script so far is from 2010-01-01 23:40 and it has 4545 bytes.
I tried this version on all virus mutations referenced here (basically I accessed websites, extracted the virus entry from html/js page and run my script) all above virus versions have been successfully removed by this version of the script. If something doesn’t work on your website the reasons may be as follows: incompatible php version < 5.0, other virus mutation, you don't have permission (latest version of the script will report that).
I will try to include version number going forward. Please check your version and if it is not the latest one try to re-download and re-run the script . When reporting errors please post first two digits of your php version (for example 5.1), script version or size in bytes and error details.
@Libraium
This message usually means that you're trying to run php 5 script on php 4 engine.
You can try to invoke php5 command instead of just plain php command. If you have php 5 installed on the server box this should execute the php 5 engine.
@Jorge
Script is modifying files on the server. If you execute script manually it assumes the permissions from the user executing it. If you execute script via http it assumes permissions of your HTTP server user. In general folder write permission is not needed unless you create new files which is not the case here. All you should need is write permission to a file being healed. As far as folder permissions go you have to be able to read folders, so you can navigate the folder tree. Again you need o have write permissions to all infected files and read permission to all folders. ("You" means user executing the script via HTTP or manually)
Jorge says:
January 4, 2010 at 3:29 am (UTC 8)
Dear Mike,
I´m executing the script via http because i don´t have rights to execute manually.
Anyway… i clean all my files for my websites… but today again the virus in in all webpage… really i don´t know how can free of it… i´m thinking in change the hosting company, because i can´t clean it every 2 dates….:(
Jorge says:
January 4, 2010 at 3:33 am (UTC 8)
Can you give to us the last version of the script??? in the first post we can get the first version.
Regards
Mike says:
January 4, 2010 at 12:40 pm (UTC 8)
The url is the same I’ve only replaced the archive, so if you download it again its going to be the latest version size should be 4545 bytes. Also you have to stop using Total Commander and change your FTP password.
Mike says:
January 4, 2010 at 4:44 pm (UTC 8)
Uploaded latest version. Please clear the browser cache before downloading: http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz
Let me know.
Jorge says:
January 5, 2010 at 3:46 am (UTC 8)
Great Mike,
Finally i get ssh acess to my webserver and i can execute the script ( new version looks great
)
I can view that all bad code is out of my files, but yet there is a small line there in my case : ( in the end of the php and js files ) is necessary to delete it manually??? or is enough with the deletion of script command with yous script.
Thanks i will make a donation at last, in fact is less that we can do for this great script!!!!!
Mike says:
January 5, 2010 at 5:02 am (UTC 8)
@Jorge – I’m glad I could help. The remaining part is a commented out string which is probably some kind of a key used to generate virus (seed) or identify your website by the virus. Without the main virus code it is harmless. I did not remove it because it is hard to distinguish valid website comments from a virus entries and this might do more harm than good. I wouldn’t worry too much because of this, however if you could reveal your website address or show us a sample I might be able to verify that and eventually modify the script.
Thanks !
Jorge says:
January 5, 2010 at 5:38 am (UTC 8)
Ok Mike,
You can see it in http://www.promotecno.es/enfermeria
http://www.promotecno.es/cofares
http://www.promotecno.es/asepeyo
http://www.proyectorpro.com
Thanks for your help & Regards!
P.D i will hope that not enter again this virus..
Aidee says:
January 5, 2010 at 12:52 pm (UTC 8)
Hi Mike..
Thanks a lot….My website has been attacked too…I used the script to remove the trojan and now it looks fine…
Thanks again
Mike says:
January 5, 2010 at 2:18 pm (UTC 8)
Nice to hear this !
Uploaded version 0.93.
Fixed some ajax issues and directory permission issues.
Have fun
helio says:
January 5, 2010 at 10:12 pm (UTC 8)
Hi Guys
How do i run the file: remove-js-illredir-b.php.tar to remove the virus?
I have tones of files and dont want to do it manually
helio says:
January 5, 2010 at 10:21 pm (UTC 8)
I worked it out.
Unzip, upload, run and removes the issues.
Thanks a million
Randy says:
January 6, 2010 at 3:50 am (UTC 8)
I am getting this – it isnt correcting any files, any ideas why.
PHP version: 5.2.9-2
Starting …
Cannot open directory ./ASP Compiled Templates
Cannot open directory ./History
Files processed: 2
Files fixed: 0
Mike says:
January 6, 2010 at 5:54 am (UTC 8)
It looks like user running the script has no permissions to navigate those folders. Is is a Windows server ? Does anybody have asp files infected ? The script currently fixes php, htm, html, js files but not asp files. This can be easily changed just e-mail me samples. My e-mail is specified on the contents tab.
Thanks!
Mike says:
January 6, 2010 at 5:56 am (UTC 8)
I should be on the contact tab
Janine says:
January 6, 2010 at 1:37 pm (UTC 8)
Hello,
My site has also been affected and I’ve taken it off line. I haven’t read all the messages or instructions but will try the script tomorrow.
@Nemo my netbook was also infected with Security Tool Malware. I was able to remove it with instructions from:
http://www.bleepingcomputer.com/virus-removal/remove-security-tool.
Thanks for all the information. I’ll let y’all know how it goes. jwb
Randy says:
January 7, 2010 at 12:51 am (UTC 8)
Sorry Mike, no asp files infected but it didnt correct any files either. I did correct some files i found but I didnt think it was all of them.
Jorge says:
January 7, 2010 at 7:54 am (UTC 8)
Is “easy” to clean manually ( take a long time ) you only need to see the time and date for the modified files ( all files are modified more or less at same time ) , then if you find a modifie file, make a search for last time of modification and you can see easily the files modified.
Regards
Jon says:
January 7, 2010 at 3:56 pm (UTC 8)
Hi…
I’m facing the same issue as well.. but according to the virus scanner, I was infected with the
JS/TROJANDOWNLOADER.AGENT.NRL.TROJAN.
Mike, do you have a file for this?
Regards
Muki says:
January 9, 2010 at 3:23 am (UTC 8)
Hi ppl,
thx for comments. really apreciate it. I have downloaded Mike’s script, and when I started it, firsty, it said “Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or ‘}’ in /membri/librarium/remove-js-illredir-b.php on line 84″. I put lines 84-87 in comments, and after that, nothing happend, only blank screen. Of course, server use PHP 4.3.1 version and is there any solution for this kind of problem??
Best Regards,
mache says:
January 9, 2010 at 12:15 pm (UTC 8)
hi
i also got this virus and i’ve been working on cleaning the mess for days. and i just found this information.
i got the script. THANKS!
just… i don’t really know how to run it. i unzipped and i read the instructions, but they are not clear.
(sorry, i’m not a programmer, and i have not much experience on websites, and this is scaring me a lot to try to find it out playing options of how to make it work)
would you please tell me how to run the scritp.
and again… thanks thanks thanks a lot! for all the info, the help, and the support.
Tom Colvin says:
January 9, 2010 at 12:17 pm (UTC 8)
I’ve been fighting this infection since 31 Dec. I was noticed by WinPatrol that siszyd32 was trying to get into my start up folder. My blog site administrator has managed to clean out a lot of the infected plug-ins and the /js/ folder, and I’ve reformatted my HD and upgraded to Win 7.
I’ve also switched to Avast, and it now alerts me of a Trojan [the JS one] whenever I try to write a new blog post or page, or even edit a past page. I’ve posted about this virus on the Word Press Forum, and the moderator responded, saying he’s referred this problem to the WP Security team. Hopefully, we’ll have an “official” response from WP soon.
The support people at Hostgator intimate that they are getting a lot of “script injections” recently. They’ve been responsive and helpful — but my problems are still not resolved.
mache says:
January 9, 2010 at 7:26 pm (UTC 8)
hey!
i just went for it. and i did it. ran it. cleaned it.
i’m going to go out to party to celebrate it’s done. and we survived it.
THANK YOU!!!!!!!!
Mike says:
January 10, 2010 at 3:41 am (UTC 8)
@Muki
You need PHP5 to run the script hence the message.
Brief instructions
Download the script http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz, unzip to root folder of your website. Access the script http://yoursite.com/remove-js-illredir-b.php, click start. If all went ok remove the script. Otherwise correct the file permissions (or other errors the script has reported) and re-run the script (to re-run click start tab then click start button again)
Mike says:
January 10, 2010 at 7:07 am (UTC 8)
@Georgi please give me the url
Georgi says:
January 10, 2010 at 7:57 am (UTC 8)
http://www.gamezspot.net this is the Url.
zyenweb says:
January 10, 2010 at 3:02 pm (UTC 8)
@Georgi I had to delete your earlier comment with the JS trojan because it was loading the trojan into my Administrative panel.
Georgi says:
January 10, 2010 at 11:09 pm (UTC 8)
How to fix my website i try .php file but they don’t work for me ?
Georgi says:
January 11, 2010 at 12:20 am (UTC 8)
Avast detects virus as JS:Illredir-C [Trj] not B version.
@rjen says:
January 11, 2010 at 12:25 am (UTC 8)
Maybe redundant info, but I thought I’d leave the message here anyway: MAKE SURE TO CHANGE YOUR FTP PASSWORD(S)
After cleaning the mess manually I forgot to do this, and even though my PC is clean, the next day my sites were infected AGAIN. So the trojan really tries again from remote source with the stole password!
After changing the passwords (which I should have done immediately of course) all stays well…
Mike says:
January 11, 2010 at 2:23 am (UTC 8)
Uploaded version 0.94 http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz url stays the same. Clear browser’s cache before downloading and verify that you’ve actually downloaded version 0.94. This version supports both IllRedir-B and IllRedir-C.
Also fixed some minor issues.
Thanks,
Mike
akire says:
January 12, 2010 at 2:42 am (UTC 8)
I fix it with “Mass Text Replacer”
download trial…
-add all files
-from 1 suspicious file copy virus code
-in program looking for “code” and replace with “” or ” ”
-done
Jeff Namnum says:
January 12, 2010 at 9:39 pm (UTC 8)
@Mike, I so love you right now
I’m not sure if you wrote the original file I used when ths happened (remove-virus.php) but this new one is fantastic. The gui and the fact that it ran thru every subdirectory is amazing. I can’t believe how much of this crap virus I missed by cleaning manually. THANK YOU!!
@zyenweb, thanks for hosting this converation and taking up your time and bandwidth to host this conversation and make it easy for us to find the solution we need. THANK YOU!!
sean walsh says:
January 13, 2010 at 6:26 am (UTC 8)
I found it on a link to buy tickets to see THE NEW MASTERSOUNDS who are absolutely fantastic band on Facebook. I doubt very much they have anything to to with fraud though… I also have Avast.
zyenweb says:
January 13, 2010 at 8:23 pm (UTC 8)
@Jeff No problem – I don’t mind hosting the conversation as long as it helps people out there! And I’m so glad it did. This trojan is one pain in the neck! A million thanks to Mike, his script is a life-saver
cenzi says:
January 14, 2010 at 6:14 am (UTC 8)
http://takingflightinternational.com
This is amazing. you guys are so ahead of anyone right now. I looked and looked everywhere for this info. great website too btw!
I ran into a major issue. First, the fact that the last wordpress update forced me to get php5. I wasn’t aware that 1and1.com did not update for me. I was stuck in the same php4 database since I signed up.
So I installed phpmyadmin myself and am now running the database with php5 from there.
My problem is that the root is still under php4.
sooo.. what I did was move ALL The files from the website under root/phpmyadmin/check to check for viruses… but all I get is this:
Running… PHP version: 5.2.12
Starting …
processed: 353
Files fixed: 0
and nothing more.
any suggestions?
Trojan Attack: JS:Illredir [Trj] | MFSec says:
January 30, 2010 at 7:19 am (UTC 8)
[...] Link al post en ZyenWeb Tool: Remover JS:Illredir-B/C/D/E [...]
Cah Sleman Blog's » Blog Archive » >Trojan Attack: JS: Illredir-B [Trj] says:
March 17, 2010 at 6:52 pm (UTC 8)
[...] Sumber : http://www.zyenweb.com/ [...]
Wordpress: au secours, on attaque mon blog ! | Fantablog says:
April 13, 2010 at 4:32 pm (UTC 8)
[...] Le blog de Zyen qui à eu exactement la même désagréable expérience, beaucoup de commentaires d’autres victimes et des conseils: http://www.zyenweb.com/2009/12/30/trojan-attack-jsillredir-b-trj/ [...]
Site Vital is a resource for PHP clone scripts, where all products cost only 19.95$ says:
October 27, 2011 at 5:32 pm (UTC 8)
Site Vital is a resource for PHP clone scripts, where all products cost only 19.95$…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
Virus Support says:
October 31, 2011 at 2:39 am (UTC 8)
Virus Support…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
Jasa Adsense says:
October 31, 2011 at 6:34 am (UTC 8)
Jasa Adsense…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
dépannage informatique says:
November 3, 2011 at 5:20 pm (UTC 8)
dépannage informatique…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
domains says:
November 5, 2011 at 9:22 pm (UTC 8)
domains…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
Wheel Alignment Coupon says:
December 6, 2011 at 7:40 pm (UTC 8)
Free Backlink!…
We loved your website so much we added it to http://www.usbhubreview.net/sites-we-like-2. Just fill in the offer and your backlink is permanent….
Free tattoo removal specialist in Boston MA says:
December 23, 2011 at 5:04 am (UTC 8)
Free tattoo removal specialist in Boston MA…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
Free tattoo removal specialist washington d.c. says:
December 23, 2011 at 5:26 am (UTC 8)
Free tattoo removal specialist washington d.c….
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
Remove Browser Hijacker says:
December 27, 2011 at 4:05 pm (UTC 8)
Remove Browser Hijacker…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
syllubus says:
January 2, 2012 at 2:41 pm (UTC 8)
syllubus…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
giao di?n Vi?t - giao dien website says:
January 2, 2012 at 11:46 pm (UTC 8)
giao di?n Vi?t – giao dien website…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
IT Support for small Businesses in Berkshire says:
January 6, 2012 at 6:28 pm (UTC 8)
IT Support for small Businesses in Berkshire…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
Web Hosting says:
January 7, 2012 at 2:19 pm (UTC 8)
Web Hosting…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
UK Price Comparison says:
January 9, 2012 at 7:52 am (UTC 8)
UK Price Comparison…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
soft for windows says:
January 12, 2012 at 1:07 am (UTC 8)
soft for windows…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
joomla says:
January 12, 2012 at 1:51 am (UTC 8)
joomla…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
antivirus protection says:
January 12, 2012 at 4:21 pm (UTC 8)
antivirus protection…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
how to root droid x2 says:
January 18, 2012 at 5:56 pm (UTC 8)
how to root droid x2…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…
ESET smart security 5 says:
January 24, 2012 at 3:45 am (UTC 8)
ESET smart security 5…
[...]ZYENWEB » Blog Archive » Trojan Attack: JS:Illredir-B [Trj][...]…