Avast is blocking access to certain web pages because a “trace of HTML:Iframe-inf” was found, and I’d like to get rid of it. There have also been warnings about a trojan horse but those warnings seem to have stopped as of now.
If anyone has a simpler way, or can explain that link in terms I can understand, it would be much appreciated. I am completely computer-illiterate! Imagine you’re talking to a ten-year-old and I should be OK.
The first step was to open up notepad, but I don’t think this PC has it. It’s not my computer.
Any help whatsoever will be gratefully received. Thank-you!
Hi to the original poster, and sorry this doesn’t answer the question, however I have a similar problem and perhaps the info below may also help. I’ll post my problem straight after and hopefully someone knowledgeable will help with both our issues!
What happened yesterday (UK hours)
Yesterday I, along with many people, had virus/trojan warnings about HTML:Iframe-inf when trying to access Yahoo accounts.
If I understand correctly, this report was found to occur because adverts shown on the relevant pages are hosted at a third party address which was, at the time, blacklisted (if that’s the correct term) - this being ads.yieldmanager.com.
On investigation, it was concluded that this address was blocked in error and subsequently the Avast virus database was updated and the new version (091227-1) released; this corrected the “false positive”.
After installing the update, I found that I could access my Yahoo account without the warnings. However, some people also reported the same warning from other websites and I don’t know whether those were due to the exact same problem, a different false positive or a genuine infection!
[subject URL changed from http to hXXp at request of respondent (below)]
…and so on to my own report:
I just got the HTML:Iframe-inf warning from accessing a Care2 page (hXXp://www.care2.com/send/catxmas1.html) - printscreen attached.
Please could someone advise whether this is also a false positive, or if more investigation needs to be done. Sorry I’m not more savvy to know what exactly is prompting the warning!
Note also the original poster states the same message for ‘certain pages’.
Sorry, just re-read the original post and I think I may have assumed the problem is the same when it’s not???
Sorry if I’ve made things more confusing, I’ll go now…
Iframe tags can be inserted into hacked sites. These are HTML functions, and this one is quite powerful in that it can run code from a different site, and that can be almost anything, as the payload at the other end can change frequently. So there is no easy “this is what it does” answer; avast is detecting the injected iframe tag and the other site referenced.
So what is the URL of the detection?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.
When posting URLs to suspect sites, change the http to hXXp so the link isn’t active (clickable) avoiding accidental exposure.
Please ‘modify’ your post and change the URL from http to hXXp or www to wXw (as I have in the quoted text), to break the link and avoid accidental exposure to suspect sites, thanks.
Have amended the URL in previous post as you asked (sorry about that). Confession: just accidentally deleted the warnings log and now can’t reproduce the error as given above. Next time it happens though, I’ll follow these instructions and post the address given!
These are only the logs with internet addresses. Following there are logs for other parts of the computer.
09/11/2009 12:22:32 user 3344 Sign of “Win32:Trojan-gen” has been found in “E:\WINNT\system32\TFTP1512” file.
11/12/2009 21:35:27 SYSTEM 1516 Sign of “HTML:IFrame-EC [Trj]” has been found in “hXXp://www.networlddirectory.com/blogs/archives/Entertainment-blog/July-20-2007.html” file.
11/12/2009 21:35:53 SYSTEM 1516 Sign of “HTML:IFrame-EC [Trj]” has been found in “hXXp://www.networlddirectory.com/blogs/archives/Entertainment-blog/July-20-2007.html” file.
13/12/2009 15:59:49 SYSTEM 1524 Sign of “HTML:Script-inf” has been found in “hXXp://stifflergoruepas1411.blogspot.com/2009/06/cheryl-tweedy-topless-super.html{gzip}” file.
13/12/2009 15:59:53 SYSTEM 1524 Sign of “HTML:Script-inf” has been found in “hXXp://stifflergoruepas1411.blogspot.com/2009/06/cheryl-tweedy-topless-super.html{gzip}” file.
27/12/2009 15:30:31 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261927830&.rand=4uo87e7n7a1av{gzip}” file.
27/12/2009 15:31:06 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261927830&.rand=4uo87e7n7a1av{gzip}” file.
27/12/2009 15:31:12 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261927830&.rand=4uo87e7n7a1av{gzip}” file.
27/12/2009 15:31:17 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261927830&.rand=4uo87e7n7a1av{gzip}” file.
27/12/2009 15:32:17 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261927936&.rand=f418pnp869h3c{gzip}” file.
27/12/2009 15:33:16 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261927994&.rand=5i3o6th2hqfj6{gzip}” file.
27/12/2009 15:33:29 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261927994&.rand=5i3o6th2hqfj6{gzip}” file.
27/12/2009 15:34:29 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261928068&.rand=305fd9cpvkg8q{gzip}” file.
27/12/2009 15:43:11 user 3444 Sign of “HTML:Iframe-inf” has been found in “C:\Documents and Settings\user\Local Settings\Temp\A9ZUES4E.htm” file.
27/12/2009 15:43:58 user 3444 Sign of “HTML:RedirBA-inf [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temp\PDWOV2U8.htm” file.
27/12/2009 15:45:06 user 3444 Sign of “HTML:Iframe-inf” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\99CC82M7\index-5[2].htm” file.
27/12/2009 16:24:56 user 3444 Sign of “HTML:Iframe-inf” has been found in “E:\Documents and Settings\June & Bill Sheard\Local Settings\Temp\Temporary Internet Files\Content.IE5\0XGN27CF\nc[2].htm” file.
27/12/2009 16:25:41 user 3444 Sign of “HTML:Iframe-inf” has been found in “E:\Documents and Settings\June & Bill Sheard\Local Settings\Temp\Temporary Internet Files\Content.IE5\61W5U56V\fc[2].htm” file.
27/12/2009 16:26:57 user 3444 Sign of “HTML:Iframe-inf” has been found in “E:\Documents and Settings\June & Bill Sheard\Local Settings\Temporary Internet Files\Content.IE5\YZ4RAPCR\welcome[1].htm” file.
27/12/2009 16:27:24 user 3444 Sign of “HTML:Iframe-inf” has been found in “E:\Documents and Settings\June & Bill Sheard\Local Settings\Temporary Internet Files\Content.MSO\5D15FAB7.htm” file.
27/12/2009 16:30:31 user 3444 Sign of “Win32:VB-EIJ [Trj]” has been found in “E:\pagefile.sys” file.
27/12/2009 16:46:23 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261932380&.rand=ffqfk9mliv28m{gzip}” file.
27/12/2009 16:48:58 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/showMessage?.rand=1027517391&mid=1_18019_ANCxktkAAP33Szd9xAqi9FRbqoA&fid=Inbox{gzip}” file.
27/12/2009 16:52:47 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261932766&.rand=741kndd8mjvsp{gzip}” file.
27/12/2009 17:29:16 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261934954&.rand=dhrib5aul1ljh{gzip}” file.
27/12/2009 17:31:20 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261934954&.rand=dhrib5aul1ljh{gzip}” file.
27/12/2009 19:08:42 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261940920&.rand=75rntokilglt7{gzip}” file.
27/12/2009 19:13:49 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261941227&.rand=4b8fk37v6gf8t{gzip}” file.
27/12/2009 21:14:04 SYSTEM 1504 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261948439&.rand=44n42g2u8ga4r{gzip}” file.
27/12/2009 21:32:37 SYSTEM 1508 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261949553&.rand=735e8ove2d2oc{gzip}” file.
27/12/2009 21:44:16 SYSTEM 1508 Sign of “HTML:Script-inf” has been found in “hXXp://englishrussia.com/banners/adsens728.php” file.
27/12/2009 21:44:25 SYSTEM 1508 Sign of “HTML:Script-inf” has been found in “hXXp://englishrussia.com/banners/adsens160.php” file.
27/12/2009 21:44:34 SYSTEM 1508 Sign of “HTML:Script-inf” has been found in “hXXp://englishrussia.com/banners/adsens728.php” file.
27/12/2009 23:09:50 SYSTEM 1568 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261955387&.rand=4t9sho5kf0aq6{gzip}” file.
28/12/2009 09:58:47 SYSTEM 1500 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261994324&.rand=et1fdk8eclgr3{gzip}” file.
28/12/2009 09:59:17 SYSTEM 1500 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261994324&.rand=et1fdk8eclgr3{gzip}” file.
28/12/2009 10:55:50 SYSTEM 1500 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1261997747&.rand=bdi5qat0al7kp{gzip}” file.
28/12/2009 12:49:17 SYSTEM 1512 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262004554&.rand=9p77pspsprevu{gzip}” file.
28/12/2009 12:58:55 SYSTEM 1512 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262004554&.rand=9p77pspsprevu{gzip}” file.
28/12/2009 13:17:48 SYSTEM 1512 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262006266&.rand=e5v12oqn8nbf9{gzip}” file.
28/12/2009 13:27:38 SYSTEM 1512 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.news.yahoo.com/5/20091228/tuk-death-row-briton-learns-he-faces-exe-45dbed5.html{gzip}” file.
28/12/2009 13:28:07 SYSTEM 1512 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262006886&.rand=f7qpbfkcfo3kj{gzip}” file.
28/12/2009 13:28:21 SYSTEM 1512 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262006886&.rand=f7qpbfkcfo3kj{gzip}” file.
28/12/2009 14:40:49 SYSTEM 1512 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262011247&.rand=1pimfojv6ptrs{gzip}” file.
28/12/2009 16:37:09 SYSTEM 1496 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262018226&.rand=ergpmf74l6jpv{gzip}” file.
28/12/2009 16:38:02 SYSTEM 1496 Sign of “HTML:Iframe-inf” has been found in “hXXp://uk.mc275.mail.yahoo.com/mc/welcome?.gx=1&.tm=1262018226&.rand=ergpmf74l6jpv{gzip}” file.
Logs for other parts of the computer. There may be more but I won’t post them unless you say it’s useful.
27/12/2009 18:33:11 user 1328 Sign of “HTML:Script-inf” has been found in “E:\Documents and Settings\June & Bill Sheard\Local Settings\Temporary Internet Files\Content.IE5\YZ4RAPCR\m.uk.yahoo[2]” file.
27/12/2009 18:33:11 user 1328 Sign of “HTML:Iframe-inf” has been found in “E:\Documents and Settings\June & Bill Sheard\Local Settings\Temporary Internet Files\Content.IE5\YZ4RAPCR\welcome[1]{gzip}” file.
27/12/2009 17:50:44 user 1328 Sign of “JS:ScriptIP-inf [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Y4XY89EH\st[9]” file.
27/12/2009 18:06:31 user 1328 Sign of “JS:ScriptIP-inf [Trj]” has been found in “C:\RECYCLER\S-1-5-21-1202660629-1284227242-1644491937-1004\Dc2” file.
I hope this information helps you help me, and thank-you for your efforts so far.
PS: I updated Avast successfully but I’m still getting this warning from Yahoo, and since then it’s even shown up on my hotmail account.
Thanks for the suggestion. Ran full scans with Malwarebytes and SAS. SAS picked up some cookies but that’s it. I’m also running a thorough scan with Avast, and it’s picked up the same bug I started the thread about. Any ideas what to do next?
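An added example, not part of the original thread and not Avast's own tooling: a small Python triage of Warning.log entries in the layout pasted above. It separates web-shield hits on URLs (grouped by detection name and host) from browser-cache copies and from detections elsewhere on disk. The sample lines, hosts and paths are constructed, and the `triage` function and its category names are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the Warning.log layout quoted in the thread.
# Hosts and paths are placeholders, not real detections.
SAMPLE_LOG = r'''
27/12/2009 15:30:31 SYSTEM 1504 Sign of "HTML:Iframe-inf" has been found in "hXXp://mail.example.test/mc/welcome?.rand=aaa{gzip}" file.
27/12/2009 15:31:06 SYSTEM 1504 Sign of "HTML:Iframe-inf" has been found in "hXXp://mail.example.test/mc/welcome?.rand=bbb{gzip}" file.
27/12/2009 15:45:06 user 3444 Sign of "HTML:Iframe-inf" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\index[2].htm" file.
27/12/2009 16:30:31 user 3444 Sign of "Win32:Trojan-gen" has been found in "E:\WINNT\system32\sample.bin" file.
27/12/2009 21:44:16 SYSTEM 1508 Sign of “HTML:Script-inf” has been found in “hXXp://ads.example.test/banner.php” file.
this line is not a detection record
'''

# Accept straight or typographic quotes (forum software often converts them).
LINE_RE = re.compile(
    r'^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}) (\S+) (\d+) '
    r'Sign of ["“]([^"”]+)["”] has been found in ["“](.+)["”] file\.$'
)
URL_RE = re.compile(r'^h(?:tt|xx)ps?://', re.IGNORECASE)
CACHE_HINTS = ("\\temporary internet files\\", "\\temp\\")


def triage(log_text):
    """Split detections into web hits, browser-cache copies and other files."""
    result = {"web": Counter(), "cache": Counter(), "other": [], "unparsed": 0}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            result["unparsed"] += 1
            continue
        sig, target = m.group(5), m.group(6)
        if URL_RE.match(target):
            # Undo the hXXp defang in memory only, and drop the {gzip} marker.
            url = re.sub(r'\{gzip\}$', '', URL_RE.sub('http://', target))
            result["web"][(sig, urlsplit(url).hostname)] += 1
        elif any(hint in target.lower() for hint in CACHE_HINTS):
            result["cache"][sig] += 1
        else:
            result["other"].append((sig, target))
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Many hits for one detection name on one host, mirrored in the cache bucket, match the pattern the thread describes for the Yahoo warnings; entries in the `other` list are files outside the browser cache and are not explained by a web page.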