Author Topic: HTML:IFrame-hw  (Read 6180 times)


henryf72

  • Guest
HTML:IFrame-hw
« on: July 03, 2009, 08:07:42 PM »
I am in the process of carrying out a clean installation of Windows XP SP3.
After installing Avast 4 I am unable to install any further programmes because avast detects the installation of htm or html files as being infected with the above Trojan.
A boot time scan of the installation finds that every htm or html file on the machine is infected.
The only internet connection which has been made on this machine was to update avast4 and all the installations were from original CDs understood to be clean.
Is this a false positive?
Any advice on how to proceed would be welcome.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: HTML:IFrame-hw
« Reply #1 on: July 03, 2009, 08:36:54 PM »
This could have been as a result of having been infected by Gumblar, win32:Virut and/or win32:Vitro, which infect htm/html files, inserting an iframe tag, and this tag redirects/tries to run malicious programs.

If you are unable to use a text editor to find and edit these iframe tags (remove them) or don't have the knowledge to know whether the iframe tag is legit or malicious, then you could damage the file. So essentially without experience you could end up failing to clean these and if and when these are run your system could be reinfected. So you may be forced to add them to the chest, but if you are going to do a clean install of SP3 you might just as well save the data files you can't do without and start completely from scratch.

Also see, Automatic removal of Gumblar/Martuz trojan http://www.danielansari.com/wordpress/2009/05/automatic-removal-of-gumblarmartuz-trojan/. Obviously this assumes the infecter was Gumblar.

####
I don't believe this is a false positive:
You could also check a few of the offending/suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
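
An added example (not part of any post in this thread): a read-only Python check that lists every iframe tag in a set of htm/html files, so that each one can be reviewed before anything is edited or restored from backup. The heuristics for what looks injected (a frame of size 0 or 1, a frame hidden by style, an external src) are assumptions, and the sample markup and host name are constructed.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

# Assumed heuristics (not from the thread): injected iframes are usually
# invisible (tiny/zero size or hidden by style) and load from another host.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeFinder(HTMLParser):
    """Collects every <iframe> with its line number and a list of reasons."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            m = re.match(r"\s*(\d+)", a.get(dim, ""))
            if m and int(m.group(1)) <= 1:
                reasons.append(f"{dim}={a[dim]}")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if re.match(r"\s*(https?:)?//", a.get("src", ""), re.I):
            reasons.append("external src")
        self.hits.append((self.getpos()[0], a.get("src", ""), reasons))

def scan_html(text):
    """Return [(line, src, reasons)] for each iframe in one document."""
    finder = IframeFinder()
    finder.feed(text)
    finder.close()
    return finder.hits

def scan_tree(root):
    """Report iframes in every .htm/.html file under root; files are only read."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".htm", ".html"):
            hits = scan_html(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: one ordinary embed, one appended hidden frame.
SAMPLE = """<html><body>
<iframe src="help/toc.html" width="300" height="400"></iframe>
</body></html>
<iframe src="http://injected.example.invalid/x" width=1 height=1 style="display:none"></iframe>
"""
```

An empty reasons list does not prove a frame is legitimate; it only means none of the assumed heuristics matched, so the src still needs a look.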

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: HTML:IFrame-hw
« Reply #2 on: July 03, 2009, 08:48:46 PM »
Can you say what is the infected file name, where was it found (C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (see About dialog of avast!)
The best things in life are free.

henryf72

  • Guest
Re: HTML:IFrame-hw
« Reply #3 on: July 03, 2009, 10:17:14 PM »
Thank you DavidR
The reason for the new installation was an infection of Vitro, which is notoriously difficult to get rid of. It looks as if it is still around.
The number of infected files is too great to start cleaning.
I will go back to the beginning and start again. Data files already backed up.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: HTML:IFrame-hw
« Reply #4 on: July 03, 2009, 10:47:19 PM »
Quote from: henryf72 on July 03, 2009, 10:17:14 PM
The reason for the new installation was an infection of Vitro, which is notoriously difficult to get rid of. It looks as if it is still around.
The number of infected files is too great to start cleaning.

I see... but some variants of Vitro stay on MBR (master boot record) and they're not removed by formatting, you need to delete and rebuild the partition itself. At least it's what I've read about.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: HTML:IFrame-hw
« Reply #5 on: July 03, 2009, 11:28:57 PM »
Quote from: henryf72 on July 03, 2009, 10:17:14 PM
Thank you DavidR
The reason for the new installation was an infection of Vitro, which is notoriously difficult to get rid of. It looks as if it is still around.
The number of infected files is too great to start cleaning.
I will go back to the beginning and start again. Data files already backed up.

I thought that was probably the case, Vitro is even worse than Virut, which makes cleaning very difficult if not impossible, with many (in forum topics) having to fdisk, format and reinstall. You have to scan your back-up data before putting it back on or you could just be reinfecting your system. Virut/Vitro infect .exe, .scr, .htm/l files, so care has to be taken in what you backed up previously.