Author Topic: What is Exploit:HTML/IframeRef.AM?  (Read 2633 times)

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 16936
  • Gender: Male
  • malware fighter
What is Exploit:HTML/IframeRef.AM?
« on: April 24, 2012, 05:34:40 PM »
See: http://zulu.zscaler.com/submission/show/eb71b5436884864926b377c4192b580e-1335287746
See: cyanmite dot com/ benign
[nothing detected] cyanmite dot com/
     status: (referer=http:/twitter.com/trends/)saved 2664 bytes 6db79d370a173e04908b3752d3be605ca499d50b
     info: [img] cyanmite dot com/pix/KCS-Website-072110.png
     info: [decodingLevel=0] found JavaScript
     suspicious:
Delete browser history and it appears to be gone.
Bitdefender TrafficLight flags it: htxp://trafficlight.bitdefender.com/info?url=http://www.cyanmite.com/
Also see: htxp://www.webutation.net/go/review/cyanmite.com#
HTML related but non-malicious?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
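Nobody in the thread says what an HTML/IframeRef-style signature is actually matching, so here is an added example, written for this page and not taken from the thread, from Zulu or from any scanner vendor. It shows the check such a detection performs: find <iframe> elements a visitor cannot see (0x0 or 1x1 size, display:none, visibility:hidden, or absolutely positioned far off-screen) and note when their src points at a host other than the page's own, which is the shape a drive-by injection normally has. The sample page and every hostname in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns that keep an element in the DOM but out of sight:
# display:none, visibility:hidden, or absolute positioning far off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}",
    re.I,
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height of 0 or 1 (optionally written with 'px')."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return m is not None and int(m.group(1)) <= 1


def find_hidden_iframes(html, page_host):
    """Return [{'src': ..., 'reasons': [...]}] for iframes a user cannot see.

    An iframe is reported when it is tiny or styled hidden; 'third-party' is
    appended when its src resolves to a host other than page_host.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("tiny")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden-style")
        if not reasons:
            continue  # a visible iframe, e.g. an ordinary video embed
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for a relative src
        if host and host.lower() != page_host.lower():
            reasons.append("third-party")
        findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page; all hostnames are made up for this example.
SAMPLE_HTML = """
<html><body>
<p>Catalogue</p>
<iframe src="https://video.example.invalid/embed/123" width="560" height="315"></iframe>
<iframe src="http://landing.example.invalid/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="//static.example.invalid/x.html" style="position:absolute;left:-9999px;top:-9999px"></iframe>
<iframe src="/help.html" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML, "shop.example.invalid"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

The visible video embed is third-party but not reported; the three hidden frames are, with the 1x1 frame on a foreign host carrying all three reasons. A real injection is often wrapped in a script that writes the iframe at run time, so a static pass like this sees only what is already in the served HTML, which is why Zulu reports "found JavaScript" separately.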

Offline !Donovan

  • LÖVE Scripting Website Analyst
  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1982
  • Gender: Male
  • f(x)=2x+1
Re: What is Exploit:HTML/IframeRef.AM?
« Reply #1 on: April 24, 2012, 09:08:32 PM »
Zulu says the css file is malicious; however, I do not see anything malicious about it. The analysis time is 04/24/2012 at 17:15 PST. The time differences are close, yet the malware appears to have been taken down from this potentially malicious css file.

Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."
Useful Links: Sucuri SiteCheck | WAR | urlQuery | URLVoid | Wepawet

polonus
Re: What is Exploit:HTML/IframeRef.AM?
« Reply #2 on: April 24, 2012, 09:26:15 PM »
Hi !Donovan,

This is more or less speculative on my side, but analyzing the IP range, the cleansed malware could have been an attempt to get more backlinks through an IE vulnerability. This could have meant that a "SutraTDS HTTP GET request" was being flagged, a known browser hijacker that redirects to questionable sites.

polonus


Offline Bob-BH

  • Newbie
  • *
  • Posts: 15
Re: What is Exploit:HTML/IframeRef.AM?
« Reply #3 on: June 30, 2012, 10:58:12 PM »
Polonus,
After reading your posts on several threads, please apply your excellent expertise to following:
1) I installed Avast a few days ago, and am sorry I hadn't done so sooner .... excellent!
2) Avast has detected HTML:Framer-D and I could not find an Avast User Forum thread regarding this particular type of Framer (-D), but assume it is as bad as the others, right?
3) Any suggestions on the best way to remove it?
4) I did try a few freewares that promised to remove it ... they didn't (!) and caused the PC to freeze. Thank goodness for Windows System Restore!
 

polonus
Re: What is Exploit:HTML/IframeRef.AM?
« Reply #4 on: June 30, 2012, 11:06:01 PM »
Hi Bob-BH,

Did you do a scan with MBAM? An additional emptying of all temp files using CCleaner is also preferred. Then reboot.
This seems to be a Koobface variant. To cleanse it further you need the assistance of a qualified malware remover. I have informed jeffce.
He will soon look into this issue, and will propose a specific scan to obtain the log results thereof.

polonus
« Last Edit: June 30, 2012, 11:34:15 PM by polonus »

Bob-BH
Re: What is Exploit:HTML/IframeRef.AM?
« Reply #5 on: July 01, 2012, 12:15:23 AM »
MBAM quick scan log attached ... hope it helps!

Offline jeffce

  • Probably Not A Bot
  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 2128
  • Gender: Male
  • UNITE - ASAP
Re: What is Exploit:HTML/IframeRef.AM?
« Reply #6 on: July 01, 2012, 02:27:12 AM »
Hi and welcome!

Please visit the site located here.  Follow the directions
for running OTL, aswMBR.exe and Malwarebytes and then attach the logs that are created to your next reply.  :)

Monday and Tuesday, responses will be limited due to university classes.
If I am working with you and not responded in 2 days please PM me.

Bob-BH
Re: What is Exploit:HTML/IframeRef.AM?
« Reply #7 on: July 01, 2012, 12:38:43 PM »
Done ..... logs attached.

Please confirm that OTL is to be run 3 times w/Custom scan

first time:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.exe
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop

second time:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK /s
CREATERESTOREPOINT

third time:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK /s
CREATERESTOREPOINT /b

Also, OTL did not create Extras.txt file

I did note in the O15 lines of the OTL report:

//@surf.mar@/     = looks suspicious ??
itau.com.br       = refers to my bank's website ... ok?


O15 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..Trusted Domains: //@surf.mar@/ ([]money in Local intranet)
O15 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..Trusted Domains: itau.com.br ([bankline] https in Trusted sites)
O15 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..Trusted Domains: itau.com.br ([guardiao] https in Trusted sites)
O15 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..Trusted Domains: itau.com.br ([www] http in Trusted sites)
« Last Edit: July 01, 2012, 12:51:29 PM by Bob-BH »

jeffce
Re: What is Exploit:HTML/IframeRef.AM?
« Reply #8 on: July 01, 2012, 12:51:43 PM »
Thanks...

While I am looking over these please do the following and we will get an Extras.txt log.  :)

Please open OTL.

  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, click the None button near the top (it may look greyed out)
  • In the Extra Registry section change it to All
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open 2 notepad windows, OTL.Txt and Extras.txt. Please post the Extras.txt.


Bob-BH
Re: What is Exploit:HTML/IframeRef.AM?
« Reply #9 on: July 01, 2012, 04:09:35 PM »
as requested

jeffce
Re: What is Exploit:HTML/IframeRef.AM?
« Reply #10 on: July 01, 2012, 07:18:40 PM »
Hi,

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run.

To disable Malwarebytes
  • Open the scanner and select the Protection tab
  • Remove the tick from "Start Protection Module with Windows" as seen below


Once complete continue with the instructions...
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{cca2e567-1987-4100-a3c6-5b4267084510}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YKman000&ptnrS=YKman000&ptb=B93EF59B-8E38-4310-A503-B116B8A4D752&psa=&ind=2012041912&st=sb&n=77ed52b8&searchfor={searchTerms}
IE - HKU\S-1-5-21-602162358-1801674531-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = F4 37 FC 8B AD C7 CA 01  [binary data]
IE - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?FORM=IEFM1&q={searchTerms}&src={referrer:source?}
[2012-06-29 20:51:17 | 000,000,000 | ---D | M] (uTorrentControl2 Community Toolbar) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}
O3 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKU\.DEFAULT..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
O4 - HKU\.DEFAULT..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
O4 - HKU\S-1-5-18..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
O4 - HKU\S-1-5-18..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
O15 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..Trusted Domains: //@surf.mar@/ ([]money in Local intranet)
O15 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..Trusted Domains: itau.com.br ([bankline] https in Trusted sites)
O15 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..Trusted Domains: itau.com.br ([guardiao] https in Trusted sites)
O15 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..Trusted Domains: itau.com.br ([www] http in Trusted sites)
O33 - MountPoints2\{81019e87-32ef-11df-ae5e-e29dd75b0cf6}\Shell - "" = AutoRun
O33 - MountPoints2\{81019e87-32ef-11df-ae5e-e29dd75b0cf6}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{81019e87-32ef-11df-ae5e-e29dd75b0cf6}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
[2012-06-29 20:51:14 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2012-06-29 20:50:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\Local Settings\Application Data\Conduit
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Bob\*.tmp files -> C:\Documents and Settings\Bob\*.tmp -> ]
[2010-03-20 15:29:30 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Bob\Application Data\inst.exe
[2010-03-20 08:15:50 | 000,109,568 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
C:\WINDOWS\tasks\At*.job
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.  Reboot when it is done.
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

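The O15 lines Bob-BH asked about in reply #7 and the entries jeffce's fix script above removes are all judged by eye in the thread. As an added example, written for this page and not part of the thread or of OTL, here is a small triage pass that applies the same reading to OTL-style log lines: an IE search scope pointing somewhere other than an expected provider, O3 toolbar entries whose CLSID no longer exists, O4 Run/RunOnce entries whose target file is missing, O15 ZoneMap entries whose "domain" is not a hostname or whose value name is not a protocol (the Local intranet zone runs with lower security settings than the Internet zone, so anything placed there deserves a look), and O33 AutoRun commands registered for a mounted volume. The allow-list of search hosts and the severity labels are assumptions made for the example; the sample lines are copied from this thread, with the mywebsearch URL shortened.

```python
import re
from urllib.parse import urlparse

# Assumption for the example: search providers expected on this install.
KNOWN_SEARCH_HOSTS = {"www.bing.com", "search.live.com", "www.google.com"}

# Value names that legitimately appear under ZoneMap\Domains\<site>\<sub>.
ZONEMAP_PROTOCOLS = {"http", "https", "ftp", "file", "*"}

SEARCH_RE = re.compile(r'^IE - .*\\SearchScopes\\\{[^}]+\}: "URL" = (\S+)')
O15_RE = re.compile(r"^O15 - .*Trusted Domains: (\S+) \(\[([^\]]*)\]\s*(\S+) in ([^)]+)\)$")
O33_RE = re.compile(r'^O33 - MountPoints2\\\{[^}]+\}\\Shell\\AutoRun\\command - "" = (.+)$')


def triage_line(line):
    """Return (severity, reason) for one OTL log line, or None if no rule fires."""
    line = line.strip()
    m = SEARCH_RE.match(line)
    if m:
        host = (urlparse(m.group(1)).hostname or "").lower()
        if host not in KNOWN_SEARCH_HOSTS:
            return ("medium", f"search scope points at unexpected host {host}")
        return None
    if line.startswith("O3 - ") and line.endswith("No CLSID value found."):
        return ("low", "toolbar entry whose CLSID no longer exists (leftover)")
    if line.startswith("O4 - ") and line.endswith("File not found"):
        return ("low", "Run/RunOnce entry whose target file is missing (leftover)")
    m = O15_RE.match(line)
    if m:
        domain, _sub, proto, zone = m.groups()
        if not re.fullmatch(r"[A-Za-z0-9.-]+", domain) or proto not in ZONEMAP_PROTOCOLS:
            return ("high", f"malformed ZoneMap entry {domain!r} with value {proto!r} in {zone}")
        if zone == "Local intranet":
            return ("medium", f"{domain} placed in the Local intranet zone")
        if proto == "http":
            return ("low", f"plain http allowed for {domain} in {zone}")
        return None
    m = O33_RE.match(line)
    if m:
        # Reported for review, not declared malicious: U3 flash drives register one.
        return ("medium", f"AutoRun command registered for a mounted volume: {m.group(1)}")
    return None


def triage(log_text):
    """Run triage_line over every non-empty line and keep only the hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        result = triage_line(line)
        if result:
            hits.append({"severity": result[0], "reason": result[1], "line": line.strip()})
    return hits


# Sample lines taken from the OTL output quoted in this thread.
SAMPLE_LOG = r"""
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{cca2e567-1987-4100-a3c6-5b4267084510}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YKman000&searchfor={searchTerms}
O3 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O4 - HKU\.DEFAULT..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
O15 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..Trusted Domains: //@surf.mar@/ ([]money in Local intranet)
O15 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..Trusted Domains: itau.com.br ([bankline] https in Trusted sites)
O15 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..Trusted Domains: itau.com.br ([www] http in Trusted sites)
O33 - MountPoints2\{81019e87-32ef-11df-ae5e-e29dd75b0cf6}\Shell - "" = AutoRun
O33 - MountPoints2\{81019e87-32ef-11df-ae5e-e29dd75b0cf6}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['reason']}")
```

On the sample, the //@surf.mar@/ entry is the only high: its "domain" is not a hostname and its value name "money" is not a protocol, which is not something a user or a normal installer writes into the ZoneMap. The two https entries for itau.com.br come out clean, and the http one is a low. Note that jeffce's fix removes all four O15 lines regardless; the bank's https entries can be re-added afterwards if the site needs them.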

Bob-BH
Re: What is Exploit:HTML/IframeRef.AM?
« Reply #11 on: July 01, 2012, 09:55:16 PM »
Jeff ..... both logs attached.
Looking forward to your comments!

Also, Avast regular scans (quick + full) do not pick up the virus.
The virus is reported when running a Boot-time scan, which reports:

C:\Documentos and Settings\Mami\Local Settings\Application Data\Identities\{711E9619-D929-445F-B16F-3E5FCA6B3980}\microsoft\OutlookExpress\Inbox.dbx|>60Segundos_Bellisimo06_C.eml#62042144|>60Segundos_Bellisimo06_C.pps#1890203406|>Pictures
« Last Edit: July 01, 2012, 10:38:45 PM by Bob-BH »

jeffce
Re: What is Exploit:HTML/IframeRef.AM?
« Reply #12 on: July 01, 2012, 11:06:55 PM »
Hi,

Even though you might like to do so, please don't run any scans unless asked to.  You may inadvertently remove something that we need to see.  Thanks.  :)


Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
----------

In your next reply please attach the logs made by Malwarebytes and ESET.  :)


Bob-BH
Re: What is Exploit:HTML/IframeRef.AM?
« Reply #13 on: July 02, 2012, 04:43:52 AM »
ok ...no more scans.

ESET ran on IE8 with serious problems, as expected.
It crashed and froze before generating the attached log on the third attempt!
IE8 has NOT run well for several months, prompting a move to Chrome.
Every time I open IE8 for any reason it crashes ... no problems w/Chrome.

logs attached.

BTW ... Googled for info on the IE8 problem and did a Tools > Internet Options > Advanced > Reset, and apparently IE8 is now working fine. Hope this doesn't affect our actions here.
« Last Edit: July 02, 2012, 11:03:50 AM by Bob-BH »

jeffce
Re: What is Exploit:HTML/IframeRef.AM?
« Reply #14 on: July 02, 2012, 11:27:35 AM »
So let me know exactly how your system is behaving now. Any malware related problems?  :)
