cannot find source - JS:Iframe-CLO [Trj]

When the computer starts, a Windows Script Host dialog says “C:\Users<user>\miscrosofts.vbs” script can’t be loaded because it is being accessed by another process.

After that, every once in a while avast shows the alert “trojan horse blocked”.
Object : some address
Infection : JS:Iframe-CLO [Trj]
Process : notorious iexplorer.exe

miscrosofts.vbs text - http://pastebin.com/Yfk4G6hb

From what I gather the script is visiting the sites mentioned in miscrosofts.vbs through IE.

I can’t delete it with File Assassin. Deleted from the linux, reappeared after starting windows.

Avast seems to block its actions but not the source it self.

Please advise.

attach the requested logs (not copy and paste) http://forum.avast.com/index.php?topic=53253.0

run in order listed
AdwCleaner / Malwarebytes / OTL / aswMBR

when done removal experts will be notified and help you…

Ah something new

Attached logs of AdwCleaner, OTL, aswMBR, malwarebytes. Thank you for your interest.

Let me know if this kills it please

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O4 - HKLM..\Run: [Microsofts.vbs] C:\Users\HALL\Microsofts.vbs ()
O4 - HKU\S-1-5-21-1532200517-3797863708-157561833-1000..\Run: [Microsofts.vbs] C:\Users\HALL\Microsofts.vbs ()
[2013-07-20 22:35:21 | 000,024,610 | ---- | C] () -- C:\Users\HALL\Microsofts.vbs
[2013-07-20 21:17:07 | 000,000,000 | ---- | C] () -- C:\Users\HALL\miscrosofts.vbs
[2013-07-20 01:47:52 | 000,024,610 | ---- | C] () -- C:\Users\HALL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsofts.vbs

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Thank you soo much essexboy! It worked. :slight_smile:

Any further problems ?

I like the way the author signed the file, I think I have tracked them down to thebotnet.com

There are no problems. :slight_smile:

Are you talking about ‘<[ coded bY mareyole ]>’ line? Searched the name, its French. I never thought people sign their virus files.

I am sure they offer ‘SEO Services’!

Nope they had to put there name there to collect the money per click

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up at the first prompt select OK after it has done some calculations the tabs will appear
Select More Options tab
Press Sytem Restore and Shadow Copies Cleanup button

https://dl.dropbox.com/u/73555776/disc%20clean.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave:

Did clean up for good. Malwarebytes already installed from doing logs for the post. 8) I use Avast, so software updater is there.

Do you know a free firewall that shows usage statistics (d/w speed, connections etc)? I used Comdo Firewall but it became bloated. So none right now.

Unfortunately no as I use AIS

OK. I found Sunbelt Firewall. Its simple and easy.

Once again thank you. :slight_smile:

:wave:

okay hi all, am new in here,

ill copy another thread i found while searching for some info on that threat

It's been a couple of days when I ran into an advertising network that offers a very good e-CPM (Cost per Millennium). The site seems well and I incorporated their ad script into my personal website.

Couple of seconds later, I tried to access may main page but it was blocked by avast antivirus, saying that my site is infected with JS:iFrame-CLO [trj], a Java Script Trojan. I suspected that it came from the paid-to-promote.net advertising script so I hurriedly deactivated and removed their script unto my site and viola, when I reloaded my page after deactivating the said script, it loads without any problem.

I contacted the advertising network but it seems they don’t care about it, so I run a quick search on Google and found similar problems with different webmasters who installed the same script on their website.

There are however, more posts saying that they encounter no problem using different anti-virus software, and only Avast detects the said threat. Sound strange duh! :S

With my curiosity, I made various searches and found the same result. Only, and only avast antivirus said it was a threat. Norton, McAfee, Kaspersky and other reputable antivirus companies doesn’t know about it.

Could it be a false positive report? or could it be because It is relatively new threat and only avast had detected it yet? There is an argument whether it is a real threat or not, but the truth is, there’s not much information about this new threat (if that is the right term). I can’t even find information on what it does, not even avast can give detailed information.

Well, afraid to destroy my website’s reputation on Search Engines Ranking, I decided not to use paid-to-promote.net advertising network script anymore, so I’d rather find a bit lower e-CPM and use it instead.

If there’s anybody who had encountered this kind of issue, kindly post a comment and tell me whether it is a false possitive or is a real threat.

well on my side i didnt get infected since avast blocked the access before it happen, but as stated by the other guy : its mostly that i cant find any info on that threat, and it seem that only avast report it as a threat.

since my avast is the free version and the paid antivirus dont find it as a threat is it possible its a false positive ?

if u have any info on the js:iframe-clo could you share it ?

thanks in advance

Read the second post. Attach the logs.

Hello, please help me. :slight_smile: Thanks in advance…

I am having a similar problem…

  • Rogue iexplore.exe processes appear on every boot

  • Windows gives this error on boot:
    Loading script:
    c:\users\admin\appdata\local\temp\Microsoft.vbs failed (the process cannot access the file because it is being used by another process)

The above mentioned VBS file also contains a reference to “coded bY mareyole”, so its probably the same file the OP had.
Malware bytes did not find anything suspicious so there is no log to attach.
aswMBR.exe log attached in next post down.

(Update: for my privacy attachments now deleted as some of them contained private references, names, filenames etc)

Final log attached. (sorry I could not seem to edit my previous post to add this file to that post)

hi RowanDDR,

Reason you could not add to previous post is that there is a limit of four file attachments per post and a max file size of 512 kb.

I’ve gone and notified the same malware expert as the one that he just finished with. Normally, we’d ask you to start your own topic, but, seeing as the OP is now satisfied and is now cured, no problem with you carrying on here. It’s the interruptions to the OP and expert that we mind, so… expect essexboy to come in soon.

Try this :slight_smile:

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O4 - HKLM..\Run: [Microsofts.vbs] C:\Users\Admin\AppData\Local\Temp\Microsofts.vbs ()
O4 - HKU\S-1-5-21-3416235843-3300280858-2496140176-1003..\Run: [Microsofts.vbs] C:\Users\Admin\AppData\Local\Temp\Microsofts.vbs ()
O4 - Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsofts.vbs ()

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Thanks essexboy I think I’m clean at last. :smiley:

If the log looks strange it might be because prior to running your solution, I’d taken some other steps:

  • Manually deleted the VBS files
  • Manually deleted the VBS shortcuts in Startup folder
  • Manually deleted the VBS shortcuts in msconfig startup items

Thanks again.

No problem, run OTL and press the cleanup button to remove it :slight_smile: