Author Topic: HTML:iframe-inf infection (logs added)  (Read 3413 times)


REDACTED

  • Guest
HTML:iframe-inf infection (logs added)
« on: January 29, 2018, 02:23:18 AM »
Hello all,

I have a problem similar to one discussed two years ago (https://forum.avast.com/index.php?topic=165280.0). In my case, though, it’s not the navigator that’s being attacked, but my torrent client (qBittorrent). Update: Chrome was induced to spontaneously open a suspect URL too, but only once.

Actually, I think the infection took place through a website and now it’s trying to process something through my torrent client.

Anyway, Avast notices HTML:iframe-inf infection when qBittorrent is running, but cannot find any threat while scanning.

MBAM’s scan identified nothing either. However, as it’s now installed, it took the place of Avast in notifying me something is wrong when I run qBittorrent (I added a log generated by it too).

Neither did FRST.

ASWMBR did find something. While it is scanning, even in safe mode without internet connection, it shows:
Service ESProtectionDriver C:\WINDOWS\system32\drivers\mbae64.sys **LOCKED**
After some seconds, Windows shows a blue screen. It says that aswmbr.sys has failed.

Could someone please help me?
Thank you in advance
« Last Edit: January 29, 2018, 04:57:48 PM by borisansky »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37613
  • Not a avast user
Re: HTML:iframe-inf infection (logs added)
« Reply #1 on: January 29, 2018, 07:05:33 AM »
Quote
  Anyway, Avast notices HTML:iframe-inf infection when qBittorrent is running, but cannot find any threat in its scanning
Because infection is located on the URL that your torrent program is connecting to

What does the avast message say (all info)? You may post a screenshot.


REDACTED

  • Guest
Re: HTML:iframe-inf infection (logs added)
« Reply #2 on: January 29, 2018, 12:29:32 PM »
Quote
  Anyway, Avast notices HTML:iframe-inf infection when qBittorrent is running, but cannot find any threat in its scanning
  Because infection is located on the URL that your torrent program is connecting to

  What does the avast message say (all info)? You may post a screenshot.

The requested screenshot is attached.

Yesterday Avast blocked an attempt to connect to a URL not through qBittorrent, but through Chrome. Unfortunately I didn’t take a screenshot at the moment.


REDACTED

  • Guest
Re: HTML:iframe-inf infection (logs added)
« Reply #4 on: January 29, 2018, 04:18:23 PM »
Well, file check detected a Trojan, so it is not a false positive, right?

Is there something I can do? I’m not trying to access these URLs, something in my computer is generating a command to do it.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37613
  • Not a avast user
Re: HTML:iframe-inf infection (logs added)
« Reply #5 on: January 29, 2018, 04:22:53 PM »
Quote
   something in my computer is generating a command to do it
As your screenshot says ... your torrent program

Risk info  >>  http://www.informationsecuritybuzz.com/articles/torrenting-know-risks-take/

« Last Edit: January 29, 2018, 04:25:54 PM by Pondus »

REDACTED

  • Guest
Re: HTML:iframe-inf infection (logs added)
« Reply #6 on: January 29, 2018, 04:26:14 PM »
I think this is not the case. As I’ve already said, Chrome was induced to it too

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37613
  • Not a avast user
Re: HTML:iframe-inf infection (logs added)
« Reply #7 on: January 29, 2018, 04:32:17 PM »
Quote
   I think this is not the case. As I’ve already said, Chrome was induced to it too
Same URL?
Same detection?


REDACTED

  • Guest
Re: HTML:iframe-inf infection (logs added)
« Reply #8 on: January 29, 2018, 04:34:29 PM »
Same detection (HTML:iframe-inf) but on another URL, which I didn’t take note of.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37613
  • Not a avast user
Re: HTML:iframe-inf infection (logs added)
« Reply #9 on: January 29, 2018, 04:40:45 PM »
Malware expert is notified and will check your attached logs. It may take hours before he is online.


Iframe info  >>  https://www.theguardian.com/technology/2008/apr/03/security.google
Iframe info  >>  https://en.m.wikipedia.org/wiki/Iframe_virus

« Last Edit: January 29, 2018, 04:46:14 PM by Pondus »

REDACTED

  • Guest
Re: HTML:iframe-inf infection (logs added)
« Reply #10 on: January 29, 2018, 04:45:38 PM »
Thank you

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: HTML:iframe-inf infection (logs added)
« Reply #11 on: January 29, 2018, 09:08:06 PM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
cmd: type C:\IORRT\IORRT.bat
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

REDACTED

  • Guest
Re: HTML:iframe-inf infection (logs added)
« Reply #12 on: January 29, 2018, 09:28:57 PM »

Thank you, it did work! I put qBittorrent to run and it's working fine.

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: HTML:iframe-inf infection (logs added)
« Reply #13 on: January 29, 2018, 10:42:47 PM »
I didn't do anything. I only checked the file, which turns out to be an MS Office activator. In qBittorrent, find the blocked URL in the trackers and remove it from the tracker list.


The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.