Hi,
I have purchased a license and am using a Pro version which is updated daily. I recently did a scan of my laptop hard disk and found my htm and html files were infected with win32: Mefir-c worm which Avast Pro was only detecting and not repairing. Is there any way I can disinfect my PC without deleting my files? Please help!!! ???
Thanks!
when you look at the files through some text editor, is there something significantly suspicious?
Hey you’re absolutely right!!!
Here is the story… I made the pages myself a year ago (all was well then), and edited a few (and did not edit some pages) a few days ago using Microsoft Front Page… Interestingly the pages I touched (or didn’t!), have this at the bottom
I know previously Avast has given me some warnings coming from such .info sites. Once, one .info site even put a trojan which made all .exe files non-functional…but thanks to Avast I got rid of that virus…
I am really impressed with Avast and feel my purchase is worth it!
Now the question is: how do I get rid of this script? Shall I use Front Page to delete the code and sanitize my html files??? Pl advise…
Thx
first you should be sure, that the html infector is inactive (before you start to repair your pages)… it would be helpful to run HiJackThis and post the log here
I have already edited my HTML files and deleted a few which I did not need.
Log file attached. I would be grateful if you could tell me if the script generator is active or not! THx
i can’t see any process, which would be related to the html infector… this probably means, that it is not active or is not present anymore… can you send one (or two) sample(s) of the infected page(s) to virus[at]avast[dot]com in a password protected archive? we’ll analyse where the infection begins and where is terminated (these features may differ a bit across virus variants)… // don’t forget to mention the password in message body
Hi Maxx,
As directed on the forum, I have emailed the virus sample (you will see a frame script with “.info” website in it).
I have edited such pages in FrontPage, but in case you can invent a functionality in Avast such that it can edit the webpages (seems like an unreasonable request)! and remove the virus, it would be great!!
THx a ton!
the disinfection of script viruses is something like a russian roulette… you can do more harm, when disinfecting in a generic way… so we can’t add a serious disinfection routine to avast cleaner… but why i wanted the files is that i want to see if there’s not present some binary garbage (invisible in frontpage and other text editors)… i’ll take a look
ok, checked that… there’s no garbage… so, all you need to do is to search all files containing “ntkrnlpa.info” and manually remove the iframes… it’s better to look at each file, because the iframe could be present more than once…
You are right, the frame was present up to 4 times in a file… had to painstakingly edit each file!!!
But thx for the help… seems all the intellectuals are employed with Avast ;D
it is also possible to do a batch search & replace, but when you want to be sure, i can only suggest to do it manually
I used to use a little tool called HTMLKit (a manual html editing tool) and that had a find and replace function so you could enter the and say replace it with nothing and it will remove it in every file it finds an exact match for it (so you have to get the find right).
You can give it a folder location and it will search all files and replace when found, it will also create a .bak file so if you make a hash of things there is a recovery.
I haven’t used this for a long time so I don’t know if it is available, but I’m sure there are other html editors that would do the job. Not much help if you have done them all now but something for the future.
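The batch search and replace with a .bak backup discussed in the posts above, sketched as an added example; it is not part of the original thread and is not Avast's or HTMLKit's code. It assumes the injected tag is an `<iframe>` whose attributes mention the domain named in the thread; the function names and the sample pages are constructed for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

DOMAIN = "ntkrnlpa.info"  # the domain named in the thread


def iframe_pattern(domain):
    # Matches an <iframe ...> tag whose attributes mention the domain, plus an
    # immediately following </iframe>. Works on bytes so the page's original
    # encoding is left untouched.
    return re.compile(
        rb"<iframe\b[^>]*" + re.escape(domain.encode("ascii"))
        + rb"[^>]*>(?:\s*</iframe\s*>)?", re.IGNORECASE)


def clean_tree(root, domain=DOMAIN, apply=False):
    """Return {path: hit count}; rewrite files only when apply=True."""
    pattern, report = iframe_pattern(domain), {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in (".htm", ".html"):
            continue
        data = path.read_bytes()
        cleaned, hits = pattern.subn(b"", data)  # removes every occurrence
        if hits:
            report[str(path)] = hits
            if apply:
                shutil.copy2(path, path.with_name(path.name + ".bak"))  # keep original
                path.write_bytes(cleaned)
    return report


def demo():
    # Constructed sample pages; example.invalid stands in for a legitimate frame.
    bad = b'<iframe src="http://ntkrnlpa.info/x" width=0 height=0></iframe>'
    good = b'<iframe src="http://example.invalid/map"></iframe>'
    with tempfile.TemporaryDirectory() as tmp:
        page = Path(tmp, "index.HTM")
        page.write_bytes(b"<html><body>" + bad + b"<p>hi</p>" + good + bad.upper() + b"</body></html>")
        Path(tmp, "clean.html").write_bytes(b"<html>" + good + b"</html>")
        dry = clean_tree(tmp)               # report only, nothing written
        unchanged = bad in page.read_bytes()
        done = clean_tree(tmp, apply=True)  # writes index.HTM.bak, then cleans
        return dry, unchanged, done, page.read_bytes(), Path(tmp, "index.HTM.bak").exists()


if __name__ == "__main__":
    print(demo())
```

Run it without `apply=True` first and compare the per-file counts with what a text editor shows, since the thread notes the frame can appear several times in one file.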