HTML:Iframe-inf doing a Google image search

Greetings to the forum. :slight_smile:

The other day I was doing an image search on Google, and as I clicked on one of the images listed in the search, Avast issued a warning that “HTML:Iframe-inf” had been found in a number of links. I was reading that these infections should be reported about here, so I thought of adding my post.

The link to the image I clicked on is the following:

hxxp://images.google.pt/imgres?imgurl=hxxp://i234.photobucket.com/albums/ee29/tony1888/ants%252001/nescafewb4.jpg&imgrefurl=hxxp://21-albums-daily.blogspot.com/2008_05_01_archive.html&usg=__QGdtSgHJJiBe5DY-1Siefzl4pUY=&h=350&w=348&sz=50&hl=pt-PT&start=5&um=1&tbnid=vMMQRQUngTopmM:&tbnh=120&tbnw=119&prev=/images%3Fq%3Droxette%2Bmilk%2Band%2Btoast%2Band%2Bhoney%2Bcd%2Bcover%26imgsz%3Dm%26imgtbs%3Dz%26hl%3Dpt-PT%26sa%3DG%26um%3D1

And Avast’s warning was as follows:

16-11-2009 2:04:54 1258337094 SYSTEM 1432 Sign of "HTML:Iframe-inf" has been found in "hxxp://pixhost.eu/avaxhome/avaxhome/2008-05-30/coverucnoktaqk9_341.jpg\{gzip}" file. 16-11-2009 2:04:58 1258337098 SYSTEM 1432 Sign of "HTML:Iframe-inf" has been found in "hxxp://pixhost.eu/avaxhome/avaxhome/2008-05-30/inine_.jpg\{gzip}" file. 16-11-2009 2:05:35 1258337135 SYSTEM 1432 Sign of "HTML:Iframe-inf" has been found in "hxxp://pixhost.eu/avaxhome/avaxhome/2008-05-30/Ashanti_X_The_Declaration.jpg\{gzip}" file. 16-11-2009 2:05:39 1258337139 SYSTEM 1432 Sign of "HTML:Iframe-inf" has been found in "hxxp://pixhost.eu/avaxhome/avaxhome/2008-05-30/KungFuPanda_777.jpg\{gzip}" file. 16-11-2009 2:05:41 1258337141 SYSTEM 1432 Sign of "HTML:Iframe-inf" has been found in "hxxp://pixhost.eu/avaxhome/avaxhome/2008-05-26/velvetbarucnoktapl7_871.jpg\{gzip}" file. 16-11-2009 2:05:43 1258337143 SYSTEM 1432 Sign of "HTML:Iframe-inf" has been found in "hxxp://pixhost.eu/avaxhome/avaxhome/2008-05-27/boxucnoktacz1_348.jpg\{gzip}" file. 16-11-2009 2:05:43 1258337143 SYSTEM 1432 Sign of "HTML:Iframe-inf" has been found in "hxxp://pixhost.eu/avaxhome/avaxhome/2008-05-27/40537482cdf5_177.jpg\{gzip}" file.

Promptly I chose “abort connection” to each warning and exited that Google image search page I was at. (Further I exited Firefox all along and cleaned its cache.)

I got somewhat in doubt, then, though… Hmm… As far as I can understand, from what I’ve been reading here in the forum, getting this warning while browsing does not imply that one’s computer got infected, as Avast actually prevents such iframe infections from reaching one’s computer if connection to the infected website is duly aborted, correct? Or in other words, one is safe from any such eventual infection, since Avast preventively blocks the connection to the infected website, thus, as long as one doesn’t allow the connection to be made, no harm is nor can be done to the local computer, right? As I say, this is how I understand it, yet I just kinda need to ear it “loud and clear” from the experts mouths, so to speak, (also so that I don’t panic any next time I eventually run into any such warning from Avast), thus thanks for any additional clarification… :slight_smile:

To be on the safe side anyway, after getting those warnings, I already ran full thorough scans, both with the on-demand scanners we have installed (Avast + Malwarebytes Anti-Malware + SUPERAntiSpyware + Spybot) as well as a number of additional online scanners (ESET + Kaspersky + F-Secure + BitDefender + Dr.Web) and all came back clean. So I believe there’s in the end no reason for me to worry, or?..

Thanks in advance for your time. :slight_smile:

You basically hit the nail on the head as aborting the connection will stop any infected data from going further then the cache that Avast uses to scan webpages (basically the web shield has a cache of sorts where it scans all the incoming data before it releases it to your browser and if it finds anything malicious it’ll warn you and if you select abort connection it’ll dump the relevant data and not send it to the browser and if that infection relates to the whole site then you’ll get a “couldn’t connect to server” notice).

I also suggest if you haven’t done so already to disable the prefetch feature in firefox since that feature can leave your computer open to attack during searches as it fetches all the data for the first result on any search and if that site is compromised then your computer might end up being so as well.

Follow these instructions

  1. open a new tab and enter “about:config” (without the quotation marks) into the address bar then click the button that appears
  2. type “network.prefetch-next” (again without the quotation marks) into the filter search box
  3. right click on the result (there should only be one) that is listed and select toggle to disable that item

Thank you, demonix00, for the added explanation on web infections and how Avast handles those, and also the heads up regarding link prefetching and the network.prefetch-next setting in Firefox. Wasn’t aware of that, so, thanks twice. :slight_smile: