HTML:iframe-inf infection

Last week I opened up an email attachment from support@cavtel.net, my ISP, about an airline ticket, and it was HTML:iframe-inf.

My computer is infected with HTML:iframe-inf and/or Trojan.js.iframe.app.
Repeated attempts to “save image…” from the right-click menu disable the Firefox download box and freeze the system.
Avast first found it on Aug 16th in a boot scan, but it disabled the hard drive setting in CMOS, which I changed back to 32-bit. It also deleted all my restore points. I tried a 2009 solution online to copy userinit.exe, svchost.exe, spoolsv.exe and explorer.exe from
C:\WINDOWS\ServicePackFiles\i386\ to c:\windows\system32\ for the first three and c:\windows\ for explorer.exe in the Recovery Console, and to turn off System Restore before going to the Recovery Console. The Firefox test after boot had negative results. I thought as much might happen from a 2009 solution. I can’t find a current solution. Can anyone on this forum? Online searches usually lead to some magic software online scan or download which does not resolve the problem. I know this problem is probably in the registry and I need to find the entries.

Windows XP Professional Service Pack 3 (build 2600)
2.40 gigahertz Intel Pentium 4
8 kilobyte primary memory cache
512 kilobyte secondary memory cache
Hyper-threaded (2 total)
2048 Megabytes Usable Installed Memory
Slot ‘DIMM0’ has 512 MB
Slot ‘DIMM1’ has 512 MB
Slot ‘DIMM2’ has 512 MB
Slot ‘DIMM3’ has 512 MB

Board: ASUSTeK Computer Inc. P4P800-E Rev 1.xx
Bus Clock: 200 megahertz
BIOS: American Megatrends Inc. 1007.003 04/26/2005
Hitachi External USB TeraByte HD(\storage backup)
WDC WD3200JB-00KFA0 [Hard drive] (320.07 GB) – drive 0
WDC WD1600JB-00GVA0 [Hard drive] (160.04 GB) – drive 1
c: (NTFS on drive 1) * 160.03 GB 145.13 GB free
e: (NTFS on drive 0) 320.07 GB 165.69 GB free

_NEC DVD_RW ND-3540A [Optical drive]
3.5" format removeable media [Floppy drive]
U.S. Robotics 56K Fax PCI [Modem]
1394 Net Adapter
Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45
HP Photosmart 8200 Series (DOT4USB)
HID Keyboard Device
HID-compliant mouse
NVIDIA GeForce FX 5900XT (Microsoft Corporation) [Display adapter]
Westinghouse LCM-22w3 [Monitor] (22.0"vis, February 2007)
Logitech USB Camera (Messenger)
Samsung ML-1430 Series on USB002
WinFax (Photo Quality) on FaxModem (Photo Quality)

avast! Internet Security Version 5.0.117441968
Virus Definitions Version Up To Date
Realtime File Scanning On
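The detection name in the post, HTML:iframe-inf, generally denotes an HTML page or e-mail body carrying an injected iframe that is made invisible (zero size, display:none, positioned off-screen) so the browser silently loads a third-party URL. Below is an added example, not code from the thread or from any product named in it, that finds such frames in an attachment without rendering it. The sample document and the example.invalid URLs are constructed for the demonstration.

```python
"""Flag hidden <iframe> elements in an HTML document (added example).

Uses only the standard library so an analyst can run it offline over a
saved attachment. It reports frames whose width/height is 0 or 1 pixel,
whose inline style hides them, or that are positioned far off-screen.
"""
from html.parser import HTMLParser
import re

OFFSCREEN_RE = re.compile(r"(left|top):-\d{3,}px")


class IframeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        # HTMLParser gives None for valueless attributes; normalise to ""
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().rstrip("px")
            if val.isdigit() and int(val) <= 1:
                reasons.append(f"{dim}={a[dim]!r}")
        style = a.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("style hides frame")
        if OFFSCREEN_RE.search(style):
            reasons.append("positioned off-screen")
        if reasons:
            self.findings.append({
                "src": a.get("src", ""),
                "reasons": reasons,
                "line": self.getpos()[0],   # line in the source document
            })


def audit_html(text):
    """Return a list of findings, one per suspicious iframe."""
    parser = IframeAuditor()
    parser.feed(text)
    parser.close()
    return parser.findings


# Constructed sample: a lure page with two hidden frames and one normal one.
SAMPLE = """<html><body>
<p>Your e-ticket is attached.</p>
<iframe src="http://example.invalid/ticket.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://example.invalid/x" style="position:absolute; left:-9999px; top:-9999px"></iframe>
<iframe src="https://example.com/legit" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE):
        print(f"line {f['line']}: {f['src']} -> {', '.join(f['reasons'])}")
```

Run against a saved .html or .eml body, the script lists the frame URLs and why each was flagged, which is enough to decide whether the attachment should be handed to the scanner or blocked at the gateway.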

Hi there, first I will need a quick look at the system.

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

  • Select All Users
  • Under the Custom Scan box, paste this in:
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.

essexboy aka lightning :slight_smile:

:beer:
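The /md5start … /md5stop block in the scan above asks OTL to hash the core logon and service binaries so a helper can spot a replaced file. The added example below, which is my own code and not part of OTL or of this thread, does the same comparison against a known-good reference copy, the idea behind the ServicePackFiles\i386 approach the original poster tried. It uses SHA-256 rather than MD5, and it builds a throwaway directory pair so it runs offline; on a real XP system the two roots would be %SystemRoot%\system32 (explorer.exe lives in %SystemRoot% itself) and %SystemRoot%\ServicePackFiles\i386, both assumptions about that layout.

```python
"""Compare hashes of critical system binaries against reference copies
(added example, not OTL code). A MISMATCH means the live file differs
from the pristine copy and deserves a closer look; a missing file is
reported separately rather than silently passing.
"""
import hashlib
import os
import tempfile

# File names taken from the OTL custom scan in the thread.
CRITICAL = ["services.exe", "explorer.exe", "winlogon.exe",
            "userinit.exe", "svchost.exe", "qmgr.dll"]


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_tree(live_root, reference_root, names=CRITICAL):
    """Return {name: 'ok' | 'MISMATCH' | 'missing-live' | 'missing-ref'}."""
    report = {}
    for name in names:
        live = os.path.join(live_root, name)
        ref = os.path.join(reference_root, name)
        if not os.path.exists(ref):
            report[name] = "missing-ref"
        elif not os.path.exists(live):
            report[name] = "missing-live"
        elif sha256_of(live) == sha256_of(ref):
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    return report


def build_demo_tree():
    """Construct a temporary live/reference pair with one tampered and one missing file."""
    base = tempfile.mkdtemp(prefix="hashcheck_")
    live = os.path.join(base, "live")
    ref = os.path.join(base, "ref")
    os.makedirs(live)
    os.makedirs(ref)
    for name in CRITICAL:
        payload = b"MZ" + name.encode() + b"\x00" * 32   # constructed stand-in for a PE file
        with open(os.path.join(ref, name), "wb") as f:
            f.write(payload)
        if name == "qmgr.dll":          # simulate a file absent from the live tree
            continue
        if name == "userinit.exe":      # simulate a replaced logon binary
            payload += b"PATCHED"
        with open(os.path.join(live, name), "wb") as f:
            f.write(payload)
    return live, ref


def demo():
    live, ref = build_demo_tree()
    return compare_tree(live, ref)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14} {status}")
```

For a real check, call compare_tree() with the two system directories instead of demo(); the reference copies should come from install media or a service-pack cache rather than from the same possibly compromised system32 tree.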

thank you essexboy:
maximum allowed length (10000 characters)

OTL.Txt 46,097 characters
Extras.Txt 17,083

I attached the files.

Please attach all information that essexboy asks. :slight_smile:

I won’t be back until 7am EST. I got to go to work.

I came home this morning to find my system stuck in boot up mode. This bug rewrote my cmos settings again. My disk drives were disabled and I set them back to 32 bit. My boot drive was changed. The system clock was set to 2002. So I re-enabled security on CMOS.
This bug actually tried to make Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter a boot drive.

OK now that is intriguing information

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
FF - prefs.js..extensions.enabledItems: {5835466c-49af-4cbe-b102-a8c8b6313749}:1.0.25
[2012/07/16 19:58:23 | 000,000,000 | ---D | M] (ShopToWin2) -- C:\Documents and Settings\Carman\Application Data\Mozilla\Firefox\Profiles\ea2gmjif.default\extensions\{5835466c-49af-4cbe-b102-a8c8b6313749}
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1659004503-839522115-725345543-1003\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\S-1-5-21-1659004503-839522115-725345543-1003\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
[2011/04/16 20:14:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2011/04/16 20:22:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Winferno

:Files
ipconfig /flushdns /c

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
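The :OTL section of the fix above is built from scan lines of three shapes: a Firefox preference line, registry hook lines (O3 toolbars, O4 Run keys) and bracketed file or directory entries. The added example below, my own code and not part of OTL or of this thread, parses those shapes, flags the entries a helper would act on (hooks whose target is gone, GUID-named folders under a profile) and links items that share a GUID, which is how the extension preference and its folder were paired above. The sample lines are the ones from the fix script; the flagging phrases are my own heuristic.

```python
"""Parse OTL-style scan lines and pick out actionable entries (added example)."""
import re
from dataclasses import dataclass, field

# [date | size | attrs | flag] (company) -- path     (company part is optional)
ENTRY_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S+) \| (?P<flag>\S)\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$")
# O3 - <key>: <detail>
HOOK_RE = re.compile(r"^(?P<section>O\d+) - (?P<key>[^:]+): (?P<detail>.+)$")
# FF - <pref>: <value>
FF_RE = re.compile(r"^FF - (?P<pref>[^:]+): (?P<value>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Phrases OTL prints when a registry hook points at something that no longer exists.
SUSPICIOUS_PHRASES = ("No CLSID value found", "File not found")


@dataclass
class Item:
    kind: str
    text: str
    guids: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def parse_line(line):
    line = line.rstrip()
    m = ENTRY_RE.match(line)
    if m:
        item = Item("directory" if "D" in m["attrs"] else "file", m["path"])
        item.guids = GUID_RE.findall(m["path"])
        if "Application Data" in m["path"] and item.guids:
            item.reasons.append("GUID-named folder under a profile directory")
        return item
    m = HOOK_RE.match(line)
    if m:
        item = Item(m["section"], m["key"] + ": " + m["detail"])
        item.guids = GUID_RE.findall(m["detail"])
        for phrase in SUSPICIOUS_PHRASES:
            if phrase in m["detail"]:
                item.reasons.append("orphaned registry hook: " + phrase)
        return item
    m = FF_RE.match(line)
    if m:
        item = Item("firefox-pref", m["pref"] + ": " + m["value"])
        item.guids = GUID_RE.findall(m["value"])
        return item
    return Item("unparsed", line)


def analyse(lines):
    """Return (all items, flagged items, {guid: [kinds]} for GUIDs seen more than once)."""
    items = [parse_line(l) for l in lines if l.strip()]
    by_guid = {}
    for it in items:
        for g in it.guids:
            by_guid.setdefault(g.lower(), []).append(it.kind)
    flagged = [it for it in items if it.reasons]
    linked = {g: kinds for g, kinds in by_guid.items() if len(kinds) > 1}
    return items, flagged, linked


# Sample input: the lines from the fix script in this thread.
SAMPLE = r"""
FF - prefs.js..extensions.enabledItems: {5835466c-49af-4cbe-b102-a8c8b6313749}:1.0.25
[2012/07/16 19:58:23 | 000,000,000 | ---D | M] (ShopToWin2) -- C:\Documents and Settings\Carman\Application Data\Mozilla\Firefox\Profiles\ea2gmjif.default\extensions\{5835466c-49af-4cbe-b102-a8c8b6313749}
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1659004503-839522115-725345543-1003\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
[2011/04/16 20:14:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
""".strip().splitlines()

if __name__ == "__main__":
    items, flagged, linked = analyse(SAMPLE)
    for it in flagged:
        print(f"[{it.kind}] {it.text}\n    -> {'; '.join(it.reasons)}")
    for g, kinds in linked.items():
        print(f"GUID {g} appears as: {', '.join(kinds)}")
```

Feeding a whole OTL.Txt through analyse() gives a short list of orphaned hooks and GUID-linked items to review by hand; it does not decide what to delete, it only narrows the log to the lines worth reading.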

essexboy:

Thank you. My computer is running well, and even better than before the HTML:iframe-inf infection.
However, I forgot to lower the CMOS supervisor password security settings before I executed the OTL and ComboFix programs. Sorry.
ComboFix initiated a message in the command prompt window stating that it could not find the “Recovery Console” and tried downloading it unsuccessfully from MS. From there it proceeded through about 40 steps to clean my drives. After it rebooted I went into CMOS using the Supervisor password and found the Recovery Console was there. However, there appear to be settings left over from the HTML:iframe-inf on both the Recovery Console boot device and the BIOS Setup Utility as “Yukon PXE” (Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45). Please advise my mistake. Incidentally, I had shut down my external USB TB drive before I opened the HTML:iframe-inf.
However, the device was on when I came home from an Avast virus scan last week and when the system drives were disabled. I know the switch was off because I switched the switch on the drive itself before this happened. I turned it back off at that time. I’m thinking if this virus was able to disable internal drives and turn on a drive that is off, it could be there. The drive is still off; however, COMODO firewall repeated messages about the Buffalo drive utility trying to access the registry, most of which I think I blocked last week. The drive is still off.
I recorded the data as follows:

Recovery Console:
Please Select Boot Device
Floopy Drive
PM-WDC WD3200JB-00KFA0
PS-WDC WD1600JB-00GVA0
SM_NEC DVD_RW ND-3500A
Yukon PXE

Bios Setup Utility:
Boot Device Utility
1st Boot Device [1st Floppy Drive]
2nd Boot Device [PS-WDC WD1600JB-00GVA0]
3rd Boot Device [SM_NEC DVD_RW ND-3500A]
4th Boot Device [Disabled]
options (I clicked Disabled to see if Yukon PXE was there)
1st Floppy Drive
PS-WDC WD1600JB-00GVA0
SM_NEC DVD_RW ND-3500A
Yukon PXE

Bios Setup Utility:
Main
Primary Master [WDC WD3200JB-00KFA0]
Primary Slave [WDC WD1600JB-00GVA0]
Secondary IDE Master [NEC DVD_RW ND-3500A]
Secondary IDE Slave [Not Detected]
Third IDE Master [Not Detected]

Bios Setup Utility:
Security Settings
Supervisor Password : Installed
User Password : Not Installed
User Access Level [No Access]
Password Check [Always]
Boot Sector Virus Portection [Enabled]

Let's get the Recovery Console properly installed first.

Go to Microsoft’s website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

http://img.photobucket.com/albums/v706/ried7/whatnext.png

  • At the next prompt, click ‘Yes’ to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

essexboy:

The MS page does not appear to be there anymore.
I looked up the: Step 1: Download the Setup disk program
Windows XP Professional SP2
From:

http://support.microsoft.com/kb/310994

Steps to download, create, and use the Setup disks
There are six Windows XP Setup boot floppy disks. You must have the files and the drivers that these disks contain to access the CD drive and to start the Setup process.

Step 1: Download the Setup disk program
Download the version of Setup disks that corresponds to your version of the Windows XP CD-ROM. The version should be displayed on the CD-ROM disk, and the version will indicate if a Service Pack is included.

Windows XP Service Pack 2 (SP2)
For information about the Setup boot disk versions that are available for download, visit the following Microsoft Web sites:

Windows XP Home Edition SP2
http://www.microsoft.com/downloads/details.aspx?FamilyId=15491F07-99F7-4A2D-983D-81C2137FF464&displaylang=en

Windows XP Professional SP2
http://www.microsoft.com/downloads/details.aspx?FamilyId=535D248D-5E10-49B5-B80C-0A0205368124&displaylang=en

When I went to the above link I got:

We are sorry, the page you requested cannot be found.
The URL may be misspelled or the page you’re looking for is no longer available.

Anyway, I suppose this “Windows XP Service Pack 2 (SP2)” will create the Recovery Console?
From what I read this will create multiple floppies, unless ComboFix will recognize it and use it to create/write over the Recovery Console?

I cleared the CMOS Bios Setup Utility Supervisor Password and disabled the Boot Sector Virus Protection.

I have a Windows CD in my DVD drive. It states on the disk
MicroSoft Windows Professional “includes service pack 2” Version 2002
©2005 Microsoft Corporation. All rights reserved.

Yes, drop the MS programme on to ComboFix, it should recognise it… I will check my links, thanks.

Do you mean drop or paste the Windows CD in my DVD drive onto the ComboFix?

Ooops missed the bit about you having the CD

To install the Recovery Console, follow these steps:

  1. Insert the Windows XP CD into the CD drive.
  2. Click Start, and then click Run.
  3. In the Open box, type d:\i386\winnt32.exe /cmdcons where d is the drive letter for the CD drive.
  4. A Windows Setup Dialog Box appears. The Windows Setup Dialog Box describes the Recovery Console option. To confirm the installation, click Yes.

I tried to run it 3 times. I dragged the Windows CD to ComboFix on my desktop and closed Avast and COMODO firewall. Each time I got the message:

{Command prompt window}
C:
Combo Fix is preparing to run.

(the program loads after two windows opened up)
Then I get a message window:

CFScript Error
i Were you trying to run CFScript?
The name CFScript appears to incorrectly spelt.

I’m going to sleep. I have to work tonight.

I got more error messages (two jpg file attachments) when trying to run the Windows CD with the command:
d:\i386\winnt32.exe /cmdcons

On the second image, where it asks to install the Recovery Console, click Yes.

I executed the command “d:\i386\winnt32.exe /cmdcons” and said yes to the second message. Then I got another message that Windows was going to contact MS, I guess to verify or update the Recovery Console. Then I got a message (attachment) on the Recovery Console. I rebooted, and the BIOS CMOS and the Recovery Console still have “Yukon PXE” listed.
Getting ready for work now. I'll check for messages before I leave in about an hour.