Topic: How to remove "HTML:Iframe-inf" malware question from a total novice

10651

  • Guest
Avast is blocking access to certain web pages because a "trace of HTML:Iframe-inf" was found, and I'd like to get rid of it. There have also been warnings about a trojan horse but those warnings seem to have stopped as of now.

I have found this http://forums.majorgeeks.com/showthread.php?t=181483, where an answer that appears to be helpful has been given, but it's far too complicated for me to understand.

If anyone has a simpler way, or can explain that link in terms I can understand it would be much appreciated. I am completely computer-illiterate! Imagine you're talking to a ten-year-old and I should be OK.

The first step was to open up notepad, but I don't think this PC has it. It's not my computer.

Any help whatsoever will be gratefully received. Thank-you!

Garrog

  • Guest
Re: How to remove" HTML:Iframe-inf" malware question from a total novice
« Reply #1 on: December 28, 2009, 04:58:07 PM »
Hi to the original poster, and sorry this doesn't answer the question, however I have a similar problem and perhaps the info below may also help. I'll post my problem straight after and hopefully someone knowledgeable will help with both our issues!

What happened yesterday (UK hours)
-------------------------------------------
Yesterday I, along with many people, had virus/trojan warnings about HTML:Iframe-inf when trying to access Yahoo accounts.

If I understand correctly, this report was found to occur because adverts shown on the relevant pages are hosted at a third party address which was, at the time, blacklisted (if that's the correct term) - this being ads.yieldmanager.com.

On investigation, it was concluded that this address was blocked in error and subsequently the Avast virus database was updated and the new version (091227-1) released; this corrected the "false positive".

After installing the update, I found that I could access my Yahoo account without the warnings. However, some people also reported the same warning from other websites and I don't know whether those were due to the exact same problem, a different false positive or a genuine infection!

Second post follows...

Garrog

  • Guest
Re: How to remove" HTML:Iframe-inf" malware question from a total novice
« Reply #2 on: December 28, 2009, 05:03:57 PM »
[subject URL changed from http to hXXp at request of respondent (below)]

...and so on to my own report:

I just got the HTML:Iframe-inf warning from accessing a Care2 page (hXXp://www.care2.com/send/catxmas1.html) - printscreen attached.

Please could someone advise whether this is also a false positive, or if more investigation needs to be done. Sorry I'm not more savvy to know what exactly is prompting the warning!

Note also the original poster states the same message for 'certain pages'.

Thanks....
« Last Edit: December 28, 2009, 05:21:09 PM by Garrog »

Garrog

  • Guest
Re: How to remove" HTML:Iframe-inf" malware question from a total novice
« Reply #3 on: December 28, 2009, 05:06:21 PM »
Sorry, just re-read the original post and I think I may have assumed the problem is the same when it's not???
Sorry if I've made things more confusing, I'll go now...

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: How to remove" HTML:Iframe-inf" malware question from a total novice
« Reply #4 on: December 28, 2009, 05:11:51 PM »
Hacked sites present a high risk now as it is becoming more prevalent and one of the common means of infection. See http://www.scmagazineus.com/Every-36-seconds-a-website-is-infected/article/140414/.

Iframe tags can be inserted into hacked sites. These are HTML functions, and this one is quite powerful in that it can run code from a different site, and that can be almost anything, as the payload at the other end can change frequently. So there is no easy "this is what it does" answer; avast is detecting the injected iframe tag and the other site referenced.

So what is the URL of the detection ?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
 
- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.
####
When posting URLs to suspect sites, change the http to hXXp so the link isn't active (clickable) avoiding accidental exposure.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
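
Added example (not part of the thread and not avast! code): a Python check for the pattern described in the reply above, listing iframe tags in a saved page whose src points to another site and flagging the ones hidden from the visitor. The host names, the sample page and the hidden-frame heuristics are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic (assumption): inline styles often used to hide a frame from the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeAudit(HTMLParser):
    """Collect <iframe> tags whose src points to a different site."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host == self.page_host or host.endswith("." + self.page_host):
            return  # relative or same-site frame: not what is being looked for
        # A 0 or 1 pixel width/height is treated as "hidden" (assumption).
        tiny = any(re.fullmatch(r"[01](px)?", a.get(dim, "").strip())
                   for dim in ("width", "height"))
        hidden = tiny or bool(HIDDEN_STYLE.search(a.get("style", "")))
        self.findings.append({"host": host, "hidden": hidden, "line": self.getpos()[0]})


def audit_iframes(html, page_host):
    """Return one finding per off-site iframe in the given HTML text."""
    parser = IframeAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; every host name below is a placeholder.
SAMPLE = """<html><body>
<iframe src="/widgets/preview.html" width="300" height="200"></iframe>
<iframe src="http://video.partner.example/embed/1" width="560" height="315"></iframe>
<iframe src="http://tracker.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE, "site.example"):
        print(finding)
```

An off-site frame that is not hidden is usually an ordinary embed or advert; a hidden one is the case worth reporting to the site owner.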

Online DavidR

Re: How to remove" HTML:Iframe-inf" malware question from a total novice
« Reply #5 on: December 28, 2009, 05:15:46 PM »
Quote
...and so on to my own report:

I just got the HTML:Iframe-inf warning from accessing a Care2 page (hXXp://www.care2.com/send/catxmas1.html) - printscreen attached.
<snip>

Please 'modify' your post: change the URL from http to hXXp or www to wXw (as I have in the quoted text), to break the link and avoid accidental exposure to suspect sites, thanks.

Garrog

  • Guest
Re: How to remove" HTML:Iframe-inf" malware question from a total novice
« Reply #6 on: December 28, 2009, 05:28:26 PM »
Hi DavidR,

Have amended the URL in previous post as you asked (sorry about that). Confession: just accidentally deleted the warnings log and now can't reproduce the error as given above. Next time it happens though, I'll follow these instructions and post the address given!

Thanks for your help.

Garrog

  • Guest
Re: How to remove" HTML:Iframe-inf" malware question from a total novice
« Reply #7 on: December 28, 2009, 05:31:58 PM »
ps to the original poster, sorry if I hijacked your post - you might want to post again if you have updated the database but still have problems?

10651

  • Guest
Re: How to remove" HTML:Iframe-inf" malware question from a total novice
« Reply #8 on: December 28, 2009, 06:23:21 PM »
Quote
So what is the URL of the detection ?
These are only the logs with internet addresses. Following there are logs for other parts of the computer.

09/11/2009 12:22:32   user   3344   Sign of "Win32:Trojan-gen" has been found in "E:\WINNT\system32\TFTP1512" file. 
11/12/2009 21:35:27   SYSTEM   1516   Sign of "HTML:IFrame-EC [Trj]" has been found in "hXXp://www.networlddirectory.com/blogs/archives/Entertainment-blog/July-20-2007.html" file. 
11/12/2009 21:35:53   SYSTEM   1516   Sign of "HTML:IFrame-EC [Trj]" has been found in "hXXp://www.networlddirectory.com/blogs/archives/Entertainment-blog/July-20-2007.html" file. 
13/12/2009 15:59:49   SYSTEM   1524   Sign of "HTML:Script-inf" has been found in "hXXp://stifflergoruepas1411.blogspot.com/2009/06/cheryl-tweedy-topless-super.html\{gzip}" file. 
13/12/2009 15:59:53   SYSTEM   1524   Sign of "HTML:Script-inf" has been found in "hXXp://stifflergoruepas1411.blogspot.com/2009/06/cheryl-tweedy-topless-super.html\{gzip}" file. 
27/12/2009 15:30:31   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261927830&.rand=4uo87e7n7a1av\{gzip}" file. 
27/12/2009 15:31:06   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261927830&.rand=4uo87e7n7a1av\{gzip}" file. 
27/12/2009 15:31:12   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261927830&.rand=4uo87e7n7a1av\{gzip}" file. 
27/12/2009 15:31:17   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261927830&.rand=4uo87e7n7a1av\{gzip}" file. 
27/12/2009 15:32:17   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261927936&.rand=f418pnp869h3c\{gzip}" file. 
27/12/2009 15:33:16   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261927994&.rand=5i3o6th2hqfj6\{gzip}" file. 
27/12/2009 15:33:29   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261927994&.rand=5i3o6th2hqfj6\{gzip}" file. 
27/12/2009 15:34:29   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261928068&.rand=305fd9cpvkg8q\{gzip}" file. 
27/12/2009 15:43:11   user   3444   Sign of "HTML:Iframe-inf" has been found in "C:\Documents and Settings\user\Local Settings\Temp\A9ZUES4E.htm" file. 
27/12/2009 15:43:58   user   3444   Sign of "HTML:RedirBA-inf [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temp\PDWOV2U8.htm" file. 
27/12/2009 15:45:06   user   3444   Sign of "HTML:Iframe-inf" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\99CC82M7\index-5[2].htm" file. 
27/12/2009 16:24:56   user   3444   Sign of "HTML:Iframe-inf" has been found in "E:\Documents and Settings\June & Bill Sheard\Local Settings\Temp\Temporary Internet Files\Content.IE5\0XGN27CF\nc[2].htm" file. 
27/12/2009 16:25:41   user   3444   Sign of "HTML:Iframe-inf" has been found in "E:\Documents and Settings\June & Bill Sheard\Local Settings\Temp\Temporary Internet Files\Content.IE5\61W5U56V\fc[2].htm" file. 
27/12/2009 16:26:57   user   3444   Sign of "HTML:Iframe-inf" has been found in "E:\Documents and Settings\June & Bill Sheard\Local Settings\Temporary Internet Files\Content.IE5\YZ4RAPCR\welcome[1].htm" file. 
27/12/2009 16:27:24   user   3444   Sign of "HTML:Iframe-inf" has been found in "E:\Documents and Settings\June & Bill Sheard\Local Settings\Temporary Internet Files\Content.MSO\5D15FAB7.htm" file. 
27/12/2009 16:30:31   user   3444   Sign of "Win32:VB-EIJ [Trj]" has been found in "E:\pagefile.sys" file. 
27/12/2009 16:46:23   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261932380&.rand=ffqfk9mliv28m\{gzip}" file. 
27/12/2009 16:48:58   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/showMessage?.rand=1027517391&mid=1_18019_ANCxktkAAP33Szd9xAqi9FRbqoA&fid=Inbox\{gzip}" file. 
27/12/2009 16:52:47   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261932766&.rand=741kndd8mjvsp\{gzip}" file. 
27/12/2009 17:29:16   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261934954&.rand=dhrib5aul1ljh\{gzip}" file. 
27/12/2009 17:31:20   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261934954&.rand=dhrib5aul1ljh\{gzip}" file.
27/12/2009 19:08:42   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261940920&.rand=75rntokilglt7\{gzip}" file. 
27/12/2009 19:13:49   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261941227&.rand=4b8fk37v6gf8t\{gzip}" file. 
27/12/2009 21:14:04   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261948439&.rand=44n42g2u8ga4r\{gzip}" file. 
27/12/2009 21:32:37   SYSTEM   1508   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261949553&.rand=735e8ove2d2oc\{gzip}" file. 
27/12/2009 21:44:16   SYSTEM   1508   Sign of "HTML:Script-inf" has been found in "hXXp://englishrussia.com/banners/adsens728.php" file. 
27/12/2009 21:44:25   SYSTEM   1508   Sign of "HTML:Script-inf" has been found in "hXXp://englishrussia.com/banners/adsens160.php" file. 
27/12/2009 21:44:34   SYSTEM   1508   Sign of "HTML:Script-inf" has been found in "hXXp://englishrussia.com/banners/adsens728.php" file. 
27/12/2009 23:09:50   SYSTEM   1568   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261955387&.rand=4t9sho5kf0aq6\{gzip}" file. 
28/12/2009 09:58:47   SYSTEM   1500   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261994324&.rand=et1fdk8eclgr3\{gzip}" file. 
28/12/2009 09:59:17   SYSTEM   1500   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261994324&.rand=et1fdk8eclgr3\{gzip}" file. 
28/12/2009 10:55:50   SYSTEM   1500   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261997747&.rand=bdi5qat0al7kp\{gzip}" file. 
28/12/2009 12:49:17   SYSTEM   1512   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262004554&.rand=9p77pspsprevu\{gzip}" file. 
28/12/2009 12:58:55   SYSTEM   1512   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262004554&.rand=9p77pspsprevu\{gzip}" file. 
28/12/2009 13:17:48   SYSTEM   1512   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262006266&.rand=e5v12oqn8nbf9\{gzip}" file. 
28/12/2009 13:27:38   SYSTEM   1512   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.news.yahoo.com/5/20091228/tuk-death-row-briton-learns-he-faces-exe-45dbed5.html\{gzip}" file. 
28/12/2009 13:28:07   SYSTEM   1512   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262006886&.rand=f7qpbfkcfo3kj\{gzip}" file. 
28/12/2009 13:28:21   SYSTEM   1512   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262006886&.rand=f7qpbfkcfo3kj\{gzip}" file. 
28/12/2009 14:40:49   SYSTEM   1512   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262011247&.rand=1pimfojv6ptrs\{gzip}" file. 
28/12/2009 16:37:09   SYSTEM   1496   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262018226&.rand=ergpmf74l6jpv\{gzip}" file. 
28/12/2009 16:38:02   SYSTEM   1496   Sign of "HTML:Iframe-inf" has been found in "hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262018226&.rand=ergpmf74l6jpv\{gzip}" file.   

Logs for other parts of the computer. There may be more but I won't post them unless you say it's useful.

27/12/2009 18:33:11   user   1328   Sign of "HTML:Script-inf" has been found in "E:\Documents and Settings\June & Bill Sheard\Local Settings\Temporary Internet Files\Content.IE5\YZ4RAPCR\m.uk.yahoo[2]" file. 
27/12/2009 18:33:11   user   1328   Sign of "HTML:Iframe-inf" has been found in "E:\Documents and Settings\June & Bill Sheard\Local Settings\Temporary Internet Files\Content.IE5\YZ4RAPCR\welcome[1]\{gzip}" file. 
27/12/2009 17:50:44   user   1328   Sign of "JS:ScriptIP-inf [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Y4XY89EH\st[9]" file. 
27/12/2009 18:06:31   user   1328   Sign of "JS:ScriptIP-inf [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1202660629-1284227242-1644491937-1004\Dc2" file. 

I hope this information helps you help me, and thank-you for your efforts so far.

PS: I updated Avast successfully but I'm still getting this warning from Yahoo, and since then it's even showed up on my hotmail account.
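
Added example (not part of the thread and not an avast! tool): a Python triage of Warning.log lines in the layout posted above, counting web detections per signature and host and keeping detections in local files separate, so that many hits on one host can be told apart from findings on disk. The sample lines and host names are constructed, and the field layout is inferred from the lines in this thread.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Layout inferred from the thread: date time, account, pid, then the message.
ENTRY = re.compile(
    r'^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\d+)\s+'
    r'Sign of "([^"]+)" has been found in "(.+)" file\.$'
)


def parse_line(line):
    """Return a dict for one detection line, or None if it is not one."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    when, account, pid, signature, target = m.groups()
    target = re.sub(r'\\\{gzip\}$', '', target)  # drop the unpacker suffix
    host = None
    if re.match(r'h(tt|xx)ps?://', target, re.I):
        # Refang hXXp only in memory to parse the host; nothing clickable is emitted.
        host = urlparse(re.sub(r'^h..p', 'http', target, flags=re.I)).hostname
    return {"when": datetime.strptime(when, "%d/%m/%Y %H:%M:%S"),
            "account": account, "pid": int(pid),
            "signature": signature, "target": target, "host": host}


def triage(lines):
    """Count web hits per (signature, host) and local-file hits per signature."""
    web, local = Counter(), Counter()
    for entry in filter(None, map(parse_line, lines)):
        if entry["host"]:
            web[(entry["signature"], entry["host"])] += 1
        else:
            local[entry["signature"]] += 1
    return web, local


# Constructed sample lines; hosts and paths are placeholders.
SAMPLE = r'''
27/12/2009 15:30:31   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://mail.portal.example/mc/welcome?.rand=aaa\{gzip}" file.
27/12/2009 15:31:06   SYSTEM   1504   Sign of "HTML:Iframe-inf" has been found in "hXXp://mail.portal.example/mc/welcome?.rand=bbb\{gzip}" file.
27/12/2009 21:44:16   SYSTEM   1508   Sign of "HTML:Script-inf" has been found in "hXXp://blog.example/banners/ad.php" file.
27/12/2009 15:43:11   user   3444   Sign of "HTML:Iframe-inf" has been found in "C:\Temp\A1.htm" file.
not a log line
'''

if __name__ == "__main__":
    web, local = triage(SAMPLE.splitlines())
    for (signature, host), hits in web.most_common():
        print(hits, signature, host)
    print("local files:", dict(local))
```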

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: How to remove" HTML:Iframe-inf" malware question from a total novice
« Reply #9 on: December 28, 2009, 06:28:19 PM »
Check your computer for Malware with

MBAM http://filehippo.com/download_malwarebytes_anti_malware/
update and run quick scan, click the button "remove selected" to quarantine anything found, and restart

SAS http://filehippo.com/download_superantispyware/

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found other than cookies you may post the scan logs here

10651

  • Guest
Re: How to remove" HTML:Iframe-inf" malware question from a total novice
« Reply #10 on: December 28, 2009, 09:46:35 PM »
Quote
If anything is found other than cookies you may post the scan logs here

Thanks for the suggestion. Ran full scans with Malwarebytes and SAS. SAS picked up some cookies but that's it. I'm also running a thorough scan with Avast, and it's picked up the same bug I started the thread about. Any ideas what to do next?

10651

  • Guest
Re: How to remove" HTML:Iframe-inf" malware question from a total novice
« Reply #11 on: December 28, 2009, 11:42:00 PM »
Quote
If anything is found other than cookies you may post the scan logs here

Avast has finished, here's the result:

Name: welcome[1].txt

Original Location: C:\Documents and settings\user\local settings\temporary internet files\content.IE5\EM7YVTH1

Virus: HTML:Iframe-inf

10651

  • Guest
Re: How to remove" HTML:Iframe-inf" malware question from a total novice
« Reply #12 on: December 31, 2009, 09:02:27 PM »
I followed your first step, any further ideas?

CharleyO

  • Guest
Re: How to remove" HTML:Iframe-inf" malware question from a total novice
« Reply #13 on: January 02, 2010, 09:24:33 AM »
***

If you delete ... temporary internet files\content.IE5\EM7YVTH1 ... does it come back?


***

YoKenny

  • Guest
Re: How to remove" HTML:Iframe-inf" malware question from a total novice
« Reply #14 on: January 02, 2010, 11:02:31 AM »
Download CCleaner then install and run it:
http://www.ccleaner.com/download/builds <==  get Slim with no Yahoo Toolbar