Advice needed: iframe-inf virus

A couple of our members have reported that Avast is reporting iframe-inf virus present on our website.

http://www.skyuser.co.uk/forum/speak-staff/29519-potential-home-page-hack.html

I have checked the page for iframe and any code after /html and cannot find anything at all.

Could you offer any advice or spot anything malicious?

http://www.skyuser.co.uk/

regards

Ged

NOD32 shows zero issues on a server scan.

Well I just connected to skyuser.co.uk/ and no alert at all though in the forum link you provided NewsreadeR mentions having removed the codes for the ads on the homepage, but Steve still reports an alert.

I’m using the latest VPS (virus signatures) version 090403-0, so it would be helpful if Steve ensured he had the latest version also. However, checking the home page html code I see no iframe tags either (anywhere on the page). So I’m not too sure what is going on on Steve’s system. He could clear his browser cache, though if it were in his browser cache avast would be alerting on the temp internet files location.

Ideally we need the full details of the alert from Steve.
e.g. What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log

Obviously I’m not a SkyUser so I can’t log in to see if this is only after the User log-on, but the pages would effectively be the same just that you have permission to post etc.

Perhaps you can post a link to this topic so Steve can post the information that I mentioned above.

I’m a new user to Avast and when I tried to go to my web page: http://www.totacc.com/user/spoonts I got a warning that I had a virus. When I ran Avast on my computer I got the following message:

NAME: spoonts[1].htm
ORIGINAL LOCATION: C:\Documents and Settings\Tom Spoonts\Local Settings\Temporary Internet Files\Content.IE5\NW8JSE3Z
LAST CHANGED: 2/3/2010 10:01:34 PM
TRANSFER TIME: 2/3/2010 5:16:16 PM
VIRUS: Iframe-inf

I did the recommended and entered it into the ‘chest’.

I contacted the server for my web page and they could find no virus.

The first page on my web site contains the first line:

This is the only mention to an ‘iframe’ on the page but that page gives the warning.

I opened the page on another computer and then checked that computer with AVG antivirus and it did not register a virus.

Is there really a virus on my web site? I also have a google counter in the page. Is it possibly getting the virus?

Hi Tom Lloyd,

See here: myndomain.info suspicious - displaying 1 of 1

Thanks Polonus, I’m not sure what the line about ‘myndomain.info’ refers to unless it is the counter. The line (first line on my page) was inserted by my browser when I built the page. The only link I have to an outside domain is the Google counter. Do you think I should eliminate the counter and reinstall the page?

Please ‘modify’ your post, change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

Yes that is the culprit and considering it is outside of the opening HTML tag a bit of a standards no-no and very suspicious. The target of the iframe, myndomain.info sends avast into alert again and firefox also gets into the action, it doesn’t like it either, see images. So it looks like your site may have been hacked.

Hi Tom Lloyd,

Yes take out the http or www there and put hxtp or WxW. If I were you I would not take any chances with a site link that is associated with Adobe malware exploit injections. So the site minus the hidden link to “myndomain dot info” is secure, I would remove that iframe hidden link completely and utterly,

Have a nice day,

polonus (malware fighter)

Hey Polonus, I removed the offending first line in my web page and the page ran the same with no problem. I don’t know what the line did but it seems to have cured the virus. Can you tell me what the Iframe line ‘myndomain’ did?

Hi Tom Lloyd,

What it did was re-direct to that site that was full of Adobe exploits, so that there this malcode galore could infest the visitors of your site that were re-directed to that malicious site through the iFrame on yours. The site myndomain has a history of being malicious according to Unmask Parasites. If the redirect is no longer taking place and the suspicious iFrame that we now know was also malicious has been removed by you, scanners will no longer alert this,

polonus

Thanks again Polonus, I appreciate your help. I am installing Avast on my older computer and will run it there to make sure I didn’t get the virus on that computer.
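Added example, not part of any post in this thread: a small Python check a site owner could run over a saved copy of a page to find iframes placed before the opening `<html>` tag or after `</html>`, or sized or styled to be invisible, which are the traits discussed above. The class and function names are hypothetical, and the sample page and its hosts are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeAudit(HTMLParser):
    """Record each <iframe> and where it sits relative to <html>...</html>."""
    def __init__(self):
        super().__init__()
        self.html_open = self.html_closed = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "html":
            self.html_open = True
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        reasons = []
        if not self.html_open:
            reasons.append("before <html>")      # injected ahead of the document
        elif self.html_closed:
            reasons.append("after </html>")      # appended past the document end
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("0/1-pixel size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        host = urlparse(a.get("src", "")).hostname or ""
        self.findings.append({"line": self.getpos()[0], "host": host, "reasons": reasons})

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

def suspicious_iframes(html_text):
    parser = IframeAudit()
    parser.feed(html_text)
    parser.close()
    return [f for f in parser.findings if f["reasons"]]  # visible in-body embeds pass

# Constructed sample page; the hosts are placeholders, not values from the thread.
SAMPLE = """<iframe src="http://injected.example.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<html>
<body>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
</body>
</html>
<iframe src="http://injected.example.invalid/x" width=0 height=0></iframe>
"""
```

Calling `suspicious_iframes(SAMPLE)` reports the first and last iframes with their line numbers and hosts and skips the normally sized embed inside the body.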