HTML:iframe.inf question

Hi,

Yesterday avast warned me about this HTML:iframe.inf when I went to the following site: hxxp://www.marmatin.com and asked me if I wanted to abort the connection. And now I’m a bit paranoid and I think that my computer has been infected, cause I’ve been on that site quite often before with no warnings, but when I got this warning I clicked the abort connection button.

My question is: is there any chance that my computer is infected? I ran an avast scan and found nothing.

-= I am not good at webpage scanning but, so far, what I found was an underlying iFrame somehow related to shopfilmexistence.cn:8080

-= As long as you abort the connection, there is nothing to worry about… If you are still unsure, try downloading Malwarebytes Antimalware, install, update & run a scan…

I scanned my computer with Malwarebytes’ Anti-Malware and it didn’t find anything. So I think it’s clean.

Is there anything that the owner of the website can do about it? I know her in person and I have informed her about this issue, and she was unaware of it, but I’m not sure if she is able to solve it by herself.

Your system might be clean as the web shield prevents this element being downloaded and the off-site link being executed.

However, it looks like that site has been hacked as there is a hidden iframe tag, see image inserted after the opening Body tag to what is likely to be another suspect site, shopfilmexistence.cn.

Firefox doesn’t like the marmatin.com site either, listing it as an attack site; see image2.

Google also lists it as ‘This site could harm your computer,’ http://www.google.com/search?q=marmatin.com; also see http://www.google.com/interstitial?url=http://www.marmatin.com/ and http://www.google.com/safebrowsing/diagnostic?site=http://www.marmatin.com/&hl=en

She most certainly needs to contact her host.

– HACKED SITES - This is commonly down to old content management software being vulnerable; see this example of a host’s response to a hacked site.

We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

  1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages as those are popular targets too.

  2. Remove any “rogue” files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

  3. Check all .htaccess files, as hackers like to load redirects into them.

  4. Change all passwords for that end user account: the cp password, the ftp password, and any ftp sub-accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This, coupled with our server side changes, should prevent any resurfacing of the hackers’ efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard-coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.
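The host’s clean-up steps 1 and 3 above (look for injected markup in index pages, look for redirects in .htaccess files) can be automated for a first pass. The following is an added example written for this thread, not code from avast, the host or anyone in the discussion; the function names are my own and the sample index page and .htaccess it scans are constructed, with a placeholder off-site host rather than the domain named above. It flags iframes that are styled or sized so a visitor cannot see them (the pattern behind an HTML:iframe.inf alert) and .htaccess rules that send visitors to an absolute external URL.

```python
import os
import re
import tempfile

# Constructed sample page: an invisible iframe injected right after <body>, plus a
# legitimate visible embed that must not be flagged. The host is a placeholder.
SAMPLE_INDEX_HTML = """<html><head><title>Shop</title></head>
<body><iframe src="http://malicious.invalid:8080/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

# Constructed sample .htaccess: a conditional redirect of search-engine visitors off-site.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule .* http://malicious.invalid/landing.php [R=302,L]
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# Directives that can send a visitor elsewhere, captured together with the target URL.
REDIRECT_RE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s+.*?(https?://\S+)",
    re.IGNORECASE | re.MULTILINE,
)
# File names the host's note singles out as common injection targets.
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.aspx", "default.cfm"}


def _attrs(attr_text):
    """Parse the attribute text of one tag into a lower-cased name -> value dict."""
    out = {}
    for m in ATTR_RE.finditer(attr_text):
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out


def _looks_hidden(attrs):
    """True if the iframe is styled invisible or sized too small to be seen."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(re.sub(r"\D", "", attrs.get("width", "100")) or 0)
        height = int(re.sub(r"\D", "", attrs.get("height", "100")) or 0)
    except ValueError:
        return False
    return width <= 5 or height <= 5


def find_hidden_iframes(html):
    """Return the src of every iframe in the page that a visitor could not see."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = _attrs(m.group(1))
        if _looks_hidden(attrs):
            hits.append(attrs.get("src", "(no src)"))
    return hits


def find_htaccess_redirects(text):
    """Return absolute URLs that .htaccess redirect/rewrite directives point at."""
    return [m.group(2) for m in REDIRECT_RE.finditer(text)]


def scan_webroot(root):
    """Walk a web root and collect findings per file, keyed by the check that fired."""
    findings = {"hidden_iframes": {}, "htaccess_redirects": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            rel = os.path.relpath(path, root)
            if name.lower() in INDEX_NAMES:
                hits = find_hidden_iframes(content)
                if hits:
                    findings["hidden_iframes"][rel] = hits
            elif name == ".htaccess":
                hits = find_htaccess_redirects(content)
                if hits:
                    findings["htaccess_redirects"][rel] = hits
    return findings


def demo():
    """Write the constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "blog"))
        with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_INDEX_HTML)
        with open(os.path.join(root, "blog", ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_HTACCESS)
        return scan_webroot(root)


if __name__ == "__main__":
    for kind, hits in demo().items():
        for path, urls in hits.items():
            print(f"{kind}: {path} -> {urls}")
```

Run it against a downloaded copy of the site (the web shield will stop a browser from fetching the live page, so pull the files over FTP or from the host’s file manager). Anything it reports still needs a human look, since a legitimate tracking pixel can also be a 1×1 iframe; what matters is whether the target host is one the site owner recognises.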

So how can I be 100% sure that my computer isn’t infected? I’m getting even more paranoid cause you said that my system might be safe.

So far I have scanned my computer with Avast and Malwarebytes’ Anti-Malware and nothing has been found.

If that HTML page had been downloaded to your browser cache then the standard shield may also have alerted; that is the purpose of the web shield, to prevent it getting onto your system.

The terms 100% and security are not used together by many when talking of security, as there really is no way you can say you are 100% clear; all you can do is take the reasonable precautions you have, scanning after the alert. Not only that, you used another program, MBAM, which complements avast, to further confirm no detections.

You could also use SuperAntiSpyware and/or some on-line scanners, but then that may be going a little overboard. I said ‘might’ because I simply don’t know anything about your system and what security software you have already, such as what firewall, as that plays a large part in your overall security.

So, having done the scans with more than a single scanner with good rates of detection, it is likely (there I go again, no 100% guarantee) that your system is clean.

I’m using Comodo as a firewall, avast as antivirus software and today I installed SpywareBlaster. I’ve never had any viruses or such before.

Oh, and I forgot to mention that my friend told me to run some anti-rootkit program, so I used Avast anti-rootkit and it came up with one hidden entry, but I don’t know if it’s a false positive or not.

This is what it tells me:
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows Live\Communications Clients\Shared\986143272\Groups] 瑹瑥楶獳ä=0 HIDDEN

I think you are worrying too much. If you like you can post a HJT log; this will not reveal rootkits. There are lots of legit ‘hidden’ things on PCs, so don’t get carried away.
http://filehippo.com/download_hijackthis/ Choose scan and save log file, then copy/paste the txt log.

I have to agree that I may worry too much, but better safe than sorry. ;D

And here is my HijackThis log as an attachment.

I see absolutely nothing to worry about in that log :slight_smile:

Okay, thanks to everyone for the help! Maybe I need to be less paranoid from now on. ;D

So you must be running the beta version of the avast stand-alone anti-rootkit?
This was used to develop/progress the anti-rootkit, which is now within the main program. This beta version is well out of date and no longer developed, so it really is not worth running.

You can see that in the fact that the main anti-rootkit within avast (which runs 8 minutes after boot) isn’t alerting to this.

Yes, I was running the beta version of the avast stand-alone anti-rootkit cause I didn’t know that avast has a built-in anti-rootkit.

Since there is no alert on the integral anti-rootkit scan, you have nothing to worry about.

I would abandon the beta version of the anti-rootkit.

They have done this :cry:
We can’t even reach the update site :stuck_out_tongue:
Now, to rootkits, only using the full avast installation.

The advice was for onatsu not Alwil.

I know that.
I was just complaining about a situation.