iframeexploit

Rec’d this from a web site yesterday and it started to spread through all my “cleaning” utility programs such as Ccleaner, Popupblocker etc.

Most of the occurrences found their way to the chest but now, having done a low level restore of op sys (XP sp1) and a system virus check, I notice that Avast is only running four of the usual six scanning operations.

Network Shield tells me that “No task is currently using this provider” and Outlook/Exchange is “waiting for a subsystem to start”. Does this need a reinstall of Avast (Home edition)? Or should I be looking for a more simple solution?

go to add/remove software

and repair avast.

Why not upgrade to SP2?

Thanks Duke - but didn’t work even after rebooting.

I have already started the windows update process by downloading 21 critical security updates !!! Good old Bill. I’ll move on to SP2 afterwards.

I also have a message regarding a missing audio card suggesting that I should reinstall the hardware. Think I read somewhere the frameexploit uses audio and video settings for some reason or another ?

I think I’ll reinstall Avast but any suggestions on how to clean this system as there’s obviously still problems somewhere ?

Best to install SP2 on a clean install of xp that has had no updates applied to it.

or this way (which I highly recommend):

http://www.winsupersite.com/showcase/windowsxp_sp2_slipstream.asp

just make sure your pc is clean (virus free) before making the cd.

Through this exploit several other Malware got to your System. You should post a Hijackthis log so somebody is able to help you. http://hjt.klaffke.de/en

Ok First things first

Uninstalled and reinstalled Avast and now have five operations scanning except for Outlook Exchange which still states that it’s “waiting for a subsystem to start”. Here’s a HJT log

2nd
Logfile of HijackThis v1.98.2
Scan saved at 18:29:46, on 07/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\XP\System32\smss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\system32\svchost.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\system32\spoolsv.exe
C:\XP\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE
C:\XP\System32\devldr32.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\XP\System32\CTsvcCDA.exe
C:\XP\System32\nvsvc32.exe
C:\XP\system32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\EBG\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\XP\System32\msdxm.ocx
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
O4 - HKLM..\Run: [UpdReg] C:\XP\Updreg.exe
O4 - HKLM..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\XP\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: Launch High Impact eMail 3.0 - {670F87A1-88B0-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: (no name) - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra ‘Tools’ menuitem: Launch High Impact eMail 3.0 - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\XP\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\XP\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105104981403

Will look into slipstreaming when I’m happy that I have no problems on my system

Your Log looks pretty clean. Except this:

Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000)
You did not have any Servicepack installed.

Raman

You’re right I remember having a memory problem last year (Nov) and had to reinstall XP when I lost 256Mb Ram. Forgot to reinstall the updates.

But having looked at the log file already and cleared a lot of Cr*p out including most of the “Creative” dross - is it not possible that some backdoor programs could operate via SVCHost or any of the memory resident dll’s ?

Yes, of course it could be, but this will not be shown in a Hijackthis log. You may try eScan free as a backup scanner. It is not necessary to install it. It will just uninstall and will not modify or add something to the Registry.

mikeydee,

Of course the Outlook/Exchange provider is waiting for a subsystem. It only will become active if you use Outlook (NOT Express) or Exchange. This has been told multiple times in many many threads.

I suggest you spend some time reading the help and this board to make yourself familiar with the way Avast is working and what settings/options Avast is offering the user.

And please use always the latest version of HijackThis to create a log, unless specifically asked for otherwise.

OK Thanks Eddy but this is a “Support” Forum.

So people post questions that they don’t know the answer to - hence the term “SUPPORT FORUM”.

You are not obligated to answer any post if you don’t wish to so please don’t give people a hard time just because they choose to use the Forum facility.

PS. I now recognise that the Outlook/Exchange scan operation only works when Outlook is initiated - and HJT is updated as of now.

Happy ?

mikeydee
Help on this forum is offered freely and willingly.
It isn’t necessary to flame someone on this forum just because he asked you to look at the help file.
Thanks