I’m having a problem trying to get to all of my tripod.com websites.
In fact, every single website that is hosted by tripod.com is picking up a virus HTML:Iframe-gen with my avast. What do I do about this?
I did get ahold of help at tripod.com and they are claiming that it’s not from them.
I’m running vista laptop… with I.E. browser
I would say there is a strong possibility that the site may have been hacked.
Do you have a sample URL? Change http to hXXP to break active links (to avoid accidental exposure) and we can try to check the page/s.
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
Or probably in this case, Network Shield, Customize, Last Attacks tab, see image.
DavidR though unrelated to the topic, how did you take this fine screen shot?
Strange, but it doesn’t seem to be doing that right now. I found and ran what is called KL-Detector to see if I have a keylogger on my computer; it said something about I did have one and said something about IM Incredimail. I uninstalled Incredimail to try out
hxxp://searching-alberta.tripod.com/index.html and it no longer did that.
so, I rebooted reinstalled Incredmail and it’s still not doing it yet.
I’m lost LOL
Here are the results after reinstallation of Incredimail on the KL-Detector
There are many screen capture tools, some free, I use a paid option SnagIt 9.1, lots of features and relatively easy to use once you get over the steep learning curve (very configurable), I feel version 8.0 was much easier to get to grips with. The move to 9.0 was extremely frustrating at first as it was completely different.
WinSnap screen capture - version 1 is FREE for personal - http://www.filehippo.com/download_winsnap/?2173 There are others try your friend google.
@ jollyjas
No need to worry about an image, I use them for examples as it makes it easier for people to understand. Trying to capture an image that shows all the data would make it large, both image and file size, a pain for those on dial-up (me) ;D
The Network Shield Last Attacks tab allows you to copy and paste the text of the log.
Some things do log keystrokes for legitimate purposes (some mouse drivers, firewalls, security applications, etc.), so it is hard to say for sure. I would however suggest you try both of these tools.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
- SUPERantispyware On-Demand only in free version.
- MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
No alerts on that page link that you posted, see image. I’m using firefox with noscript add-on, block all scripts by default. I then allowed tripod.com scripts and then lycos.com scripts and still no alerts.
What version of the IE browser are you using ?
There has recently been a security patch for IE; ensure that your system is up to date, etc. I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.
I’m using I.E. 7 pretty sure with updates but I will double check on that one tonight.
Thank you for checking my website… I feel a bit better about it now. I still really want to know what caused it all to begin with, though??
I’m thinking it could have just been tripod.com; they found the problem and fixed it… but it seems that no one else was having the problem, or they hadn’t told me, because I had sent a few people to that website in my group the same day this happened to me and they hadn’t said that they had detected a virus. I had tried the websites on the other Windows XP computer running AVG and nothing popped up to say it detected a virus like mine did… went on at the same time… mine detected it yet the other computer didn’t… Running the scans that you suggested above right now; it’s going to take a bit by the looks of things.
Also very new laptop so I haven’t a clue yet how to go into safe mode.
will post the results as soon as I have them.
Sending a few images to prove I really did have a virus! lol
here is the one result, the other one I didn’t find where the log file is.
Malwarebytes’ Anti-Malware 1.32
Database version: 1636
Windows 6.0.6001 Service Pack 1
09/01/2009 8:54:33 PM
mbam-log-2009-01-09 (20-54-33).txt
Scan type: Quick Scan
Objects scanned: 47063
Time elapsed: 2 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
First your image doesn’t show the full information (path to the infected file), which is why I suggested it wasn’t a good idea, but to get the data from the network shield, last attacks.
However, the image does show it wasn’t the network shield nor is it being detected by the web shield, this is quite strange as it is being picked up by the standard shield as the file is created in the Temp Internet Files folder.
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
I would also try using firefox or opera for a while rather than IE and see if these alerts continue.
MBAM didn’t find anything serious which is good news.
Open SAS, Preferences, Statistics/Logs tab and select the latest log file to view.
Yezinki -
This is the one I use. It is free and easy to use. It is adware, spyware, and nag screen free. It will take very nice screen shots of any size … whole screen or any size part of a screen.
http://www.snapfiles.com/get/mwsnap.html
I don’t like firefox… had it for a bit… gives tons of crap not needed on it.
I found that logv.exe file… and have it open right now but I don’t know how to copy/paste it to you.
Note from tripod.lycos… still had NOT told me what happened??
Thank you for notifying us of the troubles you’re having.
Our engineering team is currently evaluating the root cause of the issue that you’re experiencing, and will hopefully have it resolved as soon as possible.
We ask you to remain patient during this time, and hope to have it resolved very shortly.
If you have any additional questions, please contact us so that we can assist you further.
Frank
http://www.help.lycos.com
Customer Service - Lycos Services.
Well I wasn’t asking you to fall in love with firefox (which is why I also suggested opera) just to try it to see if this is an IE related issue, anything like the last IE exploit. Personally IE comes with more than enough baggage, activeX, BHOs and full integration ‘into’ the OS, all of which make it very attractive to malware writers. This was also why I suggested a visit to secunia.com/software_inspector/.
I don’t understand the {gzip} tagged onto the end of some of the URLs the \ could mean a switch, though if you try to check the link you get a custom 404 error page, see image. Removing the {gzip} gets me to your site and no alerts all with firefox. I’m sorry but I don’t go looking for trouble using IE, so I can’t help outside of firefox.
I don’t know what is tagging the {gzip} on the end of the url. I presume you just enter the hXXp://searching-manitoba.tripod.com/index.html (XX to break active link). Now all I can think is that it is the {gzip} bit that may be injecting code into the page and it is that injected code that avast is picking up when it gets into your browser cache.
I also don’t know what the significance of the \Low\ in the path to your browser cache is, if it has anything to do with security settings.
Sign of “HTML:Iframe-gen” has been found in “C:\Users\RockysGirl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G5YR7U7J\index[1].htm” file.
I wouldn’t normally expect to see an iFrame alert in a non htm or html page, so to find it in image files is strange.
Sign of “HTML:Iframe-gen” has been found in “hXXp://build.tripod.lycos.com/img/3pod/gradient_bar.png\gradient_bar” - XX to break active link, and again here we see something tagged on the end of a url, \Gradient_bar. Again I get a custom 404 error for this url, even when I remove the \Gradient_bar bit at the end.
I have however seen an image file modified so it had an iFrame tag added to the end of the image code, so I don’t know if this is the case here also.
JAVA is most certainly something to keep up to date as it is a frequent route of entry for JAVA exploit malware.
It is possible that something has been cleaned up at tripod.com, though that is hard to say as they would be unlikely to confirm that. Also if there was a malicious iFrame tag then avast would have notified me even with firefox. Many sites use iFrame tags legitimately to load dynamic content or most commonly adverts. So just seeing an iFrame tag doesn’t mean it is infected; the content is the thing.
I believe there were some other image files in the list you posted that were also detected as iframe-gen, I just used that one as an example.
I think it is now a monitoring game to see if it appears again. Tripod in the past had a bit of a bad rep mainly for ads and data gathering (for marketing, delivery of targeted ads), not to mention many of the hosted sites were iffy.
As for switching your site, that depends on what/where you switch to; there is no guarantee that it couldn’t happen again unless you pay for a good hosting provider with good proactive service. Many sites are hacked because the hosting service has out of date software and in some cases weak passwords, etc.
The other case is whether it is a linux or windows server doing the hosting; I always went for linux server hosting as it tended to be more secure.
Good luck.
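An added example (not from the thread, and not avast's detection logic): one way to check whether a cached PNG, such as the gradient_bar.png hit discussed above, has had markup appended after the end of the image data. The sample images, the example.invalid URL and the function names are constructed for illustration.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IFRAME_RE = re.compile(rb"<\s*iframe\b[^>]*>", re.IGNORECASE)


def png_trailing_data(data: bytes) -> bytes:
    """Return whatever follows the IEND chunk of a PNG (b"" if nothing does)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + chunk body + 4 CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def check_cached_image(data: bytes) -> dict:
    """Report bytes appended after the image and any iframe tags inside them."""
    tail = png_trailing_data(data)
    tags = [m.group(0).decode("latin-1") for m in IFRAME_RE.finditer(tail)]
    return {"trailing_bytes": len(tail), "iframe_tags": tags}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk (used only to construct the samples below)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed sample: a minimal 1x1 greyscale PNG.
CLEAN_PNG = (PNG_SIGNATURE
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _chunk(b"IEND", b""))
# Constructed sample: the same image with markup appended after IEND.
APPENDED = b'<iframe src="http://example.invalid/" width="0" height="0"></iframe>'
TAMPERED_PNG = CLEAN_PNG + APPENDED

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("tampered", TAMPERED_PNG)):
        print(name, check_cached_image(blob))
```

A valid image decoder stops at IEND, so any trailing bytes are worth inspecting; what the iframe points to still decides whether it is malicious.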
Thank you for your help
jollyjas, consider using JavaRa to manage your Java installation. http://raproducts.org/javara.html
Here are the results after reinstallation of Incredimail on the KL-Detector
No suspicious files were found in your hard disk