BleepingComputer.com: HTML : Iframe - inf


HTML : Iframe - inf Avast warnings of malicious sites, that I did not try to go to

#31 Daveinsk

Posted 03 February 2012 - 05:06 PM

Hello Gringo,

The Kaspersky VRT seemed to find something.

The original notification called it: Worm.Win32.AutoRun.dftf

I did not attempt to remove it. Rather, I just skipped it, and copied the report below (as you instructed).

Status: Detected (events: 1)
2/3/2012 2:57:05 PM Detected virus Worm.Win32.AutoRun.dftf M:\Media Types\Utorrent Downloads\NCH WavePad Sound Editor Master's Edition 4.24 + Keygen [RH]\NCH.WPSEME.4.24_[RH].rar//NCH WavePad Sound Editor Master's Edition 4.24/Keygen/Wavepad Sound Editor 4.24- Keygen.exe//UPX High

_________________________________________

Some Additional Info


This file was downloaded onto my computer in 2009, and has not (to my knowledge) ever caused problems before.
The Key Generator that came with the program file may be identified as a threat by virus detectors, as (from what I understand) this is common for Key Generators.

Thus, is there any way of being sure that this is the source of the recent Avast warnings/blocks?

Whether or not we can determine if this is the source of current problems (for sure), I have no problem deleting the file - and the entire NCH program. I virtually never use it.

________________________________________

Regarding your last set of instructions

Your last set of instructions included the following:

put check mark in
    system memory
    hidden objects
    disk boot sectors
    computer
    os
I checked off the system memory, hidden objects and disk boot sectors (as instructed).
But in the current version of Kaspersky VRT, there was no option for "computer", so I selected "My Computer".

There was also no box or option to select "os" (or operating system), so I did not check off anything to specifically instruct the program to scan my os.
I hope that the scan was performed as you wanted.

What should I do now?

- Dave

#32 gringo_pr

Posted 03 February 2012 - 05:32 PM

Hello

I think you are right about it not being the source - but what disturbs me is it did not find anything out


Create and Run Batch File
    Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
@echo off
rem Collect adapter, DNS, connectivity and routing details into Log1.txt
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
rem Open the log in Notepad, then delete this batch file
start Log1.txt
del "%~f0"
    Save this as router.bat. Choose Save as type - All Files, and where to save - Desktop, then close the Notepad file.

    It should look like this: (image) <--XP
    Double-click on router.bat to run it. It will open Notepad when done; please post back the results.

gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#33 Daveinsk

Posted 03 February 2012 - 07:01 PM

Gringo,

Here is the scan report that you requested.



Windows IP Configuration



Host Name . . . . . . . . . . . . : dell1

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : mj.shawcable.net



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : mj.shawcable.net

Description . . . . . . . . . . . : Intel® PRO/1000 MT Network Connection

Physical Address. . . . . . . . . : 00-0F-1F-9A-0C-78

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 70.64.215.133

Subnet Mask . . . . . . . . . . . : 255.255.252.0

Default Gateway . . . . . . . . . : 70.64.212.1

DHCP Server . . . . . . . . . . . : 64.59.176.40

DNS Servers . . . . . . . . . . . : 64.59.176.13

64.59.176.15

64.59.177.226

Lease Obtained. . . . . . . . . . : Friday, February 03, 2012 9:11:08 AM

Lease Expires . . . . . . . . . . : Sunday, February 05, 2012 9:11:08 AM

Server: nsc1.nr.wp.shawcable.net
Address: 64.59.176.13

Name: google.com
Addresses: 74.125.225.113, 74.125.225.116, 74.125.225.115, 74.125.225.114
74.125.225.112

Server: nsc1.nr.wp.shawcable.net
Address: 64.59.176.13

Name: yahoo.com
Addresses: 72.30.2.43, 209.191.122.70, 98.139.180.149, 98.137.149.56



Pinging google.com [74.125.225.113] with 32 bytes of data:



Reply from 74.125.225.113: bytes=32 time=37ms TTL=58

Reply from 74.125.225.113: bytes=32 time=36ms TTL=58



Ping statistics for 74.125.225.113:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 36ms, Maximum = 37ms, Average = 36ms



Pinging yahoo.com [72.30.2.43] with 32 bytes of data:



Reply from 72.30.2.43: bytes=32 time=82ms TTL=55

Reply from 72.30.2.43: bytes=32 time=80ms TTL=55



Ping statistics for 72.30.2.43:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 80ms, Maximum = 82ms, Average = 81ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0f 1f 9a 0c 78 ...... Intel® PRO/1000 MT Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 70.64.212.1 70.64.215.133 20
70.64.212.0 255.255.252.0 70.64.215.133 70.64.215.133 20
70.64.215.133 255.255.255.255 127.0.0.1 127.0.0.1 20
70.255.255.255 255.255.255.255 70.64.215.133 70.64.215.133 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 70.64.215.133 70.64.215.133 20
255.255.255.255 255.255.255.255 70.64.215.133 70.64.215.133 1
Default Gateway: 70.64.212.1
===========================================================================
Persistent Routes:
None
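
Added example (not part of the thread and not any poster's code): one way to review a Log1.txt produced by router.bat, such as the one in the post above, by comparing the resolver that answered nslookup with the adapter's DNS servers and by flagging persistent routes or a default route that does not go through the adapter's gateway. The checks are this example's own heuristics; `parse_log`, `review` and both sample logs are hypothetical names and constructed data.

```python
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample in the layout of a Log1.txt; every address is from a
# documentation range, none is taken from the thread.
CLEAN_LOG = """\
Default Gateway . . . . . . . . . : 203.0.113.1
DNS Servers . . . . . . . . . . . : 198.51.100.13

198.51.100.15
Server: ns.example.net
Address: 198.51.100.13
Name: google.com
Addresses: 192.0.2.10, 192.0.2.11
Active Routes:
0.0.0.0 0.0.0.0 203.0.113.1 203.0.113.133 20
Default Gateway: 203.0.113.1
Persistent Routes:
None
"""
# Same log with two constructed anomalies: nslookup answered by a resolver that
# is not in the adapter's DNS list, and a persistent route.
ODD_LOG = (CLEAN_LOG.replace("Address: 198.51.100.13", "Address: 192.0.2.53")
           .replace("Routes:\nNone", "Routes:\n198.51.100.0 255.255.255.0 127.0.0.1 1"))

def parse_log(text):
    """Extract DNS servers, answering resolvers, adapter gateways and routes."""
    info = {k: [] for k in ("dns", "resolvers", "gateways", "default_routes", "persistent")}
    section, prev = None, ""
    # Pasted logs are often double-spaced, so blank lines are dropped up front.
    for ln in filter(None, map(str.strip, text.splitlines())):
        fields = ln.split()
        if m := re.match(r"DNS Servers[ .]+:\s*" + IP + "$", ln):
            info["dns"].append(m.group(1))
            section = "dns"
        elif section == "dns" and re.fullmatch(IP, ln):
            info["dns"].append(ln)  # extra DNS servers follow as bare addresses
        elif ln.endswith("Routes:"):
            section = ln
        elif section == "Active Routes:" and fields[:2] == ["0.0.0.0", "0.0.0.0"]:
            info["default_routes"].append(fields[2])  # third column is the gateway
        elif section == "Persistent Routes:" and re.match(IP, ln):
            info["persistent"].append(ln)
        else:
            section = None if section == "dns" else section
            # "Address:" directly after "Server:" is the resolver that answered.
            if prev.startswith("Server:") and (m := re.match(r"Address:\s*" + IP, ln)):
                info["resolvers"].append(m.group(1))
            # Only the dotted ipconfig form, not route print's summary line.
            elif m := re.match(r"Default Gateway[ .]+:\s*" + IP, ln):
                info["gateways"].append(m.group(1))
        prev = ln
    return info

def review(text):
    """Return findings that deserve a closer look (heuristics, not verdicts)."""
    info = parse_log(text)
    findings = [f"nslookup answered by {r}, not a configured DNS server"
                for r in info["resolvers"] if r not in info["dns"]]
    for gw in sorted(set(info["default_routes"]) - set(info["gateways"])):
        findings.append(f"default route via {gw} differs from the adapter gateway")
    findings += [f"persistent route present: {p}" for p in info["persistent"]]
    return findings
```

An empty list from `review` only means none of these three checks fired; it says nothing about what else may be on the machine.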

#34 gringo_pr

Posted 03 February 2012 - 08:42 PM

Hello


I want you to pursue the idea of the add/ons in firefox - you can see how to disable them from here - http://support.mozilla.org/en-US/kb/Safe%20Mode

this seems to be the most likely problem at this time


gringo

#35 Daveinsk

Posted 03 February 2012 - 10:00 PM

Hello Gringo,

I have disabled all add-ons, but it may be days before a pop-up occurs if this did not help. Thus, I ask that you please keep this thread open, until I contact you with a report.

PS. This is very awkward to work without my add-ons. My start page is an add-on, and it had all of my frequently visited sites on it. It took me 10 mins just to find this page to make this post without my start page. My Firefox bookmarks shared a file with IE favorites (but this also used an add-on), so I lost all of my Bookmarks. Now I have to search for websites that I used to visit daily. My planning and notification calendar is also gone. It is almost like using someone else's computer. But I will try it for a few days at least.

I still have the option of using Norton Ghost and restoring my system back to a time before the Avast pop-ups started. However, I am not sure this will work. And, if I can figure out the cause or the source of this problem (without using Norton Ghost), I should be able to eliminate it easier if it ever happens again.

A gracious thank-you for all of your help to date Gringo.

I will contact you right away if I get another pop-up. Otherwise, I will contact you in a few days to a week, to let you know that all is clear.

If getting rid of the add-ons seems to eliminate the problem, I suppose I could add them back in, one at a time, with a few days between each re-enabling - to try to put a finger on which one is causing the problem.

I might also try to find an Avast forum, to see if any other Avast users have had and reported this problem (and have located the source). If I find any further info on the problem, I will give you an update.

If you come up with any further ideas of what we might try - please post it and I will respond as soon as I can.

Regards and appreciation,
- Dave

#36 gringo_pr

Posted 03 February 2012 - 10:13 PM

Greetings

"I have disabled all add-ons, but it may be days before a pop-up occurs if this did not help. Thus, I ask that you please keep this thread open, until I contact you with a report."
That is fine - I will check on you in a couple of days.

"PS. This is very awkward to work without my add-ons. My start page is an add-on, and it had all of my frequently visited sites on it. It took me 10 mins just to find this page to make this post without my start page. My Firefox bookmarks shared a file with IE favorites (but this also used an add-on), so I lost all of my Bookmarks. Now I have to search for websites that I used to visit daily. My planning and notification calendar is also gone. It is almost like using someone else's computer. But I will try it for a few days at least."
For now put that one back; if the pop-ups come back then disable for a short time to see if that is the problem.

"I still have the option of using Norton Ghost and restoring my system back to a time before the Avast pop-ups started. However, I am not sure this will work. And, if I can figure out the cause or the source of this problem (without using Norton Ghost), I should be able to eliminate it easier if it ever happens again."

I understand - but at least you do have that option.

"If getting rid of the add-ons seems to eliminate the problem, I suppose I could add them back in, one at a time, with a few days between each re-enabling - to try to put a finger on which one is causing the problem."

Yes, that is the way to do it.

Let me know if they come back

gringo

#37 Daveinsk

Posted 04 February 2012 - 12:39 PM

Hello Gringo,

I have 2 new considerations that may be of help with my problem:

1) The problem is not in the Firefox add-ons, unless the add-ons could still be responsible even when they are disabled. Last night I rec'd another one of the same Avast warning & blocking pop-ups, even though none of my add-ons were enabled. I have not re-enabled a single add-on since I disabled them, as per your instructions. Here is the (typical) info that was included in that specific pop-up:


Infection Details

URL:http://www.zoosexshow.com/?x
Process:file://C:\Program Files\Common Files\Com...
Infection:html:Iframe-inf

Reminder: The complete Process pathway that Avast reports as implicated is C:\Program Files\Common Files\ComObjects\update (where the update file has a Firefox logo beside it).

However, I rec'd only 1 pop-up, which is fewer than the usual bunch that they come in. I don't know if that has any significance.

____________________________________________________


2) I found a thread on the Avast Forum, regarding another person who recently had the exact same problem that I am having. However:
- He had Windows 7 on a 64 bit machine (whereas I have XP Pro 32 bit)
- He was given what appears to be a custom made fix - with bold red letters saying that: "Warning: This fix is only for this system!"... so I did not want to try it on my system.
- The person with the problem seemed to leave without giving feedback at the end (pg 2) of his thread, regarding whether or not the fix worked.

(Note: In his messages the person with the problem had been toying with the idea of reinstalling from scratch, as his computer was just a few days old anyway - so few files or settings would have been lost. He may have done this and abandoned the attempt to clean out the virus or malware responsible, or, perhaps the fix worked - but he did not have the decency to even bother informing the Forum Consultant. I don't know).

Here is the address of the Avast Forum posting (which includes the Custom fix that the Forum Consultant asked him to try). Perhaps you could assess the viability of a similar script (altered if necessary, to work for XP 32 bit) to possibly help me?

http://forum.avast.com/index.php?topic=92407.0

Note: I am trying to register on the Avast Support Forum, but it was finicky, and after several tries, I was notified that I was shut out as "Spam". I am trying to contact their Forum Administrator (as per their direction) so I can get registered - so I can post a message that tells them that I am having the same problem as the fellow with the thread above, and to let them know all of the programs we have tried that did not identify or fix it, and then to ask them if they have any idea what the source is?, and/or how it can be fixed or cleaned out? But I don't know if I will even manage to get registered.

I hope this may be of help Gringo. Thank-you again for your considerations, and thank-you for your patience with this elusive bug.

- Dave

#38 gringo_pr

Posted 04 February 2012 - 12:56 PM

Hello


that fix was very general and not targeted at anything but it does sound like your problem so we will keep an eye on that thread to see what it is (essexboy also helps here all the time)


Gringo

#39 gringo_pr

Posted 10 February 2012 - 12:58 AM

I have been reading up on this


does this happen at all web pages or just one?


gringo

#40 Daveinsk

Posted 11 February 2012 - 07:52 PM

Hello Gringo,

Thank-you for keeping this thread open. In response to your last question, the problem was occurring even if no browser was open. Thus, I did not have to be on any particular webpage (or any webpage at all) for the Avast malicious website block notification to pop-up. Furthermore, when the Avast program did block me from connecting to a malicious website, the infection was not always trying to take me to the same web site.

I think the problem has finally been solved, by Essexboy on the Avast forum - who said the problem was new to him as well. The link to my thread on the Avast forum (to see the approach that was used to fix the problem), is provided below.

http://forum.avast.com/index.php?topic=92616.0

While working on this problem on the Avast forum, another person contributed to my thread who thought that they may have had the same (or a similar) problem. I think the problem was solved for them as well.

This seemed to be a new and perplexing problem to everyone, and I am very thankful to everyone who graciously put so much time and effort into finding its solution.

I tip my hat with respect. Keep up the great work (without which, so many people would be hopelessly infected, and helpless to fix it - short of deleting and re-installing their entire operating systems and all programs and data).

With regards and appreciation,

- Dave

#41 gringo_pr

Posted 11 February 2012 - 08:15 PM

Hello

It does look like he has fixed it for you and a tip of the hat to essexboy who did a great job on it.

And thank you for coming by and letting me know the outcome, and I will read it again so I can help next time.


gringo

#42 gringo_pr

Posted 14 February 2012 - 07:45 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
