HTML:lframe-inf on my website. Please help

Viruses and worms
1

Hi,

Can somebody please help me find the HTML:lframe-inf script code running in the background of my site. One of my users who have avast complained about it but I can’t seem to find the infected file. Please help me find it.

They said it’s called ‘{gzip}’, and the malware name says HTML:lframe-inf

This is my website…

hxxp://bit.ly/S3N1o

My user said it’s only when she logs on so I made an account for you guys…

username: avast
password: protect

Please help me find this virus. Thank you in advance.

Best Regards,
Jesse

2

Howdy profanitytalker,

Can you give the address in a secure form like hxtp://etc, or wXw. etc.?
The iframe is at the bottom of index.htm. You need to delete that.
Tips for Cleaning & Securing your Website - StopBadware.org
http://www.stopbadware.org/home/security
What is the current listing status for bit.ly?

This site is not currently listed as suspicious.

What happened when Google visited this site?

Of the 667 pages we tested on the site over the past 90 days, 14 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-03-24, and the last time suspicious content was found on this site was on 2010-03-24.

Malicious software includes 23 trojan(s), 2 exploit(s), 1 scripting exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 13 domain(s), including 93.186.127.0/, 188.124.17.0/, lesxgwsfffop.com/.

15 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including av2tv.com/, beporntube.com/, ads.is/.

This site was hosted on 5 network(s) including AS2914 (NTT), AS16509 (AMAZON), AS33070 (RMH).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, bit.ly appeared to function as an intermediary for the infection of 22 site(s) including adebolabentall.blogspot.com/, andruskekaikekai.blogspot.com/, deedgrabber.info/.

I see there is a redirection to: htxP://personalitycafe.com detected…
1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-03-24, and the last time suspicious content was found on this site was on 2009-12-24.

Malicious software is hosted on 1 domain(s), including blogcasino.org/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including centiyo.com/.

This site was hosted on 2 network(s) including AS8001 (NET), AS19066 (WIREDTRE

polonus

3

Oh polonus, can you please click on the link? I am using a url shortner so to make my site anonymous.

4

This page seems to be
http://www.UnmaskParasites.com/security-report/?page=personalitycafe.com

but this link Diagnostic page for uac.advertising.com http://www.google.com/safebrowsing/diagnostic?site=uac.advertising.com
Malicious software includes 3 scripting exploit(s), 3 trojan(s).

This site was hosted on 27 network(s) including AS20940 (AKAMAI), AS4788 (TMNET), AS2914 (NTT).

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 5 domain(s), including group--f9lah.piczo.com/, arabmath.piczo.com/, fantasyfootballjungle.com/.

5

Thank you so much for replying Pondus. The advertising is from aol and I have had it for quite a while. I have never had any problems with them. My problem is with my site getting hacked and getting scripts injected in the files. Just wanted confirmation from avast users that my site is clean. If you think it is clean then I’ll take your word for it. Thank you so much. <3

6

Advertising is the next big thing in being exploited and delivering malware, see http://www.avast.com/pr-online-ads-put-web-users-at-risk and http://blog.avast.com/2010/02/18/ads-poisoning-–-jsprontexi/.

So I guess it is possible on all advert services.

7

Hi profanitytalker,

Make the live link non-clickable, please.
A JS scan can be found here:
http://wepawet.iseclab.org/view.php?hash=139b579d72f0d2dc958369040ca689f0&t=1269519600&type=js

For the future you can watch changes made to your website with Website Cop and be notified, freeware from here: http://downloads.novirusthanks.org/files/websitescop_setup.exe

polonus