HTML/Infected.WebPage.Gen HTML script virus


4 replies to this topic

#1 Tamy

Tamy

  • Members
  • 78 posts
  • Gender:Female
  • Location:Idaho, US

Posted 23 December 2010 - 10:07 PM

Hi all,
My problem started a few weeks ago! I caught a virus, and Dr. Web got rid of it, as well as some trojan downloaders that Malwarebytes killed.
The virus ruined my Avast as well as Google Chrome, so I installed Avira and Zone Alarm Firewall as well as the ZA ForceField browser. Avira continues to tell me I have a virus and quarantines it. I contacted Avira and they say it looks like a Zone Alarm problem. I contacted ZA and am still waiting. I also uploaded these to Avira to be checked for a false positive and have not heard back from them either.
I was wondering: do I still have a problem, or is this a false positive?
Here is what Avira's log says on the last catch:


Avira AntiVir Personal
Report file date: Thursday, December 23, 2010 18:30

Scanning for 2292269 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows 7 x64
Windows version : (plain) [6.1.7600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : TAMHBRIH-PC

Version information:
BUILD.DAT : 10.0.0.609 31824 Bytes 12/13/2010 09:43:00
AVSCAN.EXE : 10.0.3.5 435368 Bytes 12/8/2010 12:49:25
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 20:57:04
LUKE.DLL : 10.0.3.2 104296 Bytes 12/8/2010 12:49:28
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 07:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 17:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 12:08:36
VBASE002.VDF : 7.11.0.1 2048 Bytes 12/14/2010 12:08:36
VBASE003.VDF : 7.11.0.2 2048 Bytes 12/14/2010 12:08:36
VBASE004.VDF : 7.11.0.3 2048 Bytes 12/14/2010 12:08:37
VBASE005.VDF : 7.11.0.4 2048 Bytes 12/14/2010 12:08:37
VBASE006.VDF : 7.11.0.5 2048 Bytes 12/14/2010 12:08:37
VBASE007.VDF : 7.11.0.6 2048 Bytes 12/14/2010 12:08:37
VBASE008.VDF : 7.11.0.7 2048 Bytes 12/14/2010 12:08:37
VBASE009.VDF : 7.11.0.8 2048 Bytes 12/14/2010 12:08:37
VBASE010.VDF : 7.11.0.9 2048 Bytes 12/14/2010 12:08:37
VBASE011.VDF : 7.11.0.10 2048 Bytes 12/14/2010 12:08:37
VBASE012.VDF : 7.11.0.11 2048 Bytes 12/14/2010 12:08:38
VBASE013.VDF : 7.11.0.52 128000 Bytes 12/16/2010 01:08:46
VBASE014.VDF : 7.11.0.91 226816 Bytes 12/20/2010 12:31:58
VBASE015.VDF : 7.11.0.122 136192 Bytes 12/21/2010 00:32:53
VBASE016.VDF : 7.11.0.123 2048 Bytes 12/21/2010 00:32:53
VBASE017.VDF : 7.11.0.124 2048 Bytes 12/21/2010 00:32:53
VBASE018.VDF : 7.11.0.125 2048 Bytes 12/21/2010 00:32:54
VBASE019.VDF : 7.11.0.126 2048 Bytes 12/21/2010 00:32:54
VBASE020.VDF : 7.11.0.127 2048 Bytes 12/21/2010 00:32:54
VBASE021.VDF : 7.11.0.128 2048 Bytes 12/21/2010 00:32:54
VBASE022.VDF : 7.11.0.129 2048 Bytes 12/21/2010 00:32:55
VBASE023.VDF : 7.11.0.130 2048 Bytes 12/21/2010 00:32:55
VBASE024.VDF : 7.11.0.131 2048 Bytes 12/21/2010 00:32:55
VBASE025.VDF : 7.11.0.132 2048 Bytes 12/21/2010 00:32:55
VBASE026.VDF : 7.11.0.133 2048 Bytes 12/21/2010 00:32:56
VBASE027.VDF : 7.11.0.134 2048 Bytes 12/21/2010 00:32:56
VBASE028.VDF : 7.11.0.135 2048 Bytes 12/21/2010 00:32:56
VBASE029.VDF : 7.11.0.136 2048 Bytes 12/21/2010 00:32:56
VBASE030.VDF : 7.11.0.137 2048 Bytes 12/21/2010 00:32:57
VBASE031.VDF : 7.11.0.153 113664 Bytes 12/23/2010 00:08:22
Engineversion : 8.2.4.126
AEVDF.DLL : 8.1.2.1 106868 Bytes 8/2/2010 23:09:54
AESCRIPT.DLL : 8.1.3.48 1286524 Bytes 12/5/2010 23:26:03
AESCN.DLL : 8.1.7.2 127349 Bytes 12/5/2010 23:25:58
AESBX.DLL : 8.1.3.2 254324 Bytes 12/5/2010 23:26:05
AERDL.DLL : 8.1.9.2 635252 Bytes 12/5/2010 23:25:57
AEPACK.DLL : 8.2.4.5 512375 Bytes 12/17/2010 01:09:08
AEOFFICE.DLL : 8.1.1.10 201084 Bytes 12/5/2010 23:25:47
AEHEUR.DLL : 8.1.2.57 3142008 Bytes 12/17/2010 01:09:05
AEHELP.DLL : 8.1.16.0 246136 Bytes 12/5/2010 23:25:30
AEGEN.DLL : 8.1.5.0 397685 Bytes 12/5/2010 23:25:28
AEEMU.DLL : 8.1.3.0 393589 Bytes 12/5/2010 23:25:24
AECORE.DLL : 8.1.19.0 196984 Bytes 12/5/2010 23:25:22
AEBB.DLL : 8.1.1.0 53618 Bytes 8/2/2010 23:09:48
AVWINLL.DLL : 10.0.0.0 19304 Bytes 8/2/2010 23:09:56
AVPREF.DLL : 10.0.0.0 44904 Bytes 8/2/2010 23:09:55
AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 22:27:13
AVREG.DLL : 10.0.3.2 53096 Bytes 8/2/2010 23:09:55
AVSCPLR.DLL : 10.0.3.2 84328 Bytes 12/8/2010 12:49:26
AVARKT.DLL : 10.0.22.6 231784 Bytes 12/8/2010 12:49:15
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 8/2/2010 23:09:55
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 22:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 8/2/2010 23:09:56
NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 22:27:21
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 21:10:20
RCTEXT.DLL : 10.0.58.0 97128 Bytes 8/2/2010 23:10:08

Configuration settings for the scan:
Jobname.............................: avguard_async_scan
Configuration file..................: C:\ProgramData\Avira\AntiVir Desktop\TEMP\AVGUARD_4d341db8\guard_slideup.avp
Logging.............................: low
Primary action......................: repair
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: on
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Deviating archive types.............: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox, +ISO,
Macro heuristic.....................: on
File heuristic......................: high
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Thursday, December 23, 2010 18:30

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'FlashUtil10l_ActiveX.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'mbamservice.exe' - '1' Module(s) have been scanned
Scan process 'hpqToaster.exe' - '1' Module(s) have been scanned
Scan process 'hpqwmiex.exe' - '1' Module(s) have been scanned
Scan process 'mbamgui.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'hpwuschd2.exe' - '1' Module(s) have been scanned
Scan process 'HPAdvisor.exe' - '1' Module(s) have been scanned
Scan process 'LightScribeControlPanel.exe' - '1' Module(s) have been scanned
Scan process 'sprtlisten.exe' - '1' Module(s) have been scanned
Scan process 'RichVideo.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned

Initiating scan of system files:
Signed -> 'C:\Windows\system32\svchost.exe'
Signed -> 'C:\Windows\system32\winlogon.exe'
Signed -> 'C:\Windows\explorer.exe'
Signed -> 'C:\Windows\system32\smss.exe'
Signed -> 'C:\Windows\system32\wininet.DLL'
Signed -> 'C:\Windows\system32\wsock32.DLL'
Signed -> 'C:\Windows\system32\ws2_32.DLL'
Signed -> 'C:\Windows\system32\services.exe'
Signed -> 'C:\Windows\system32\lsass.exe'
Signed -> 'C:\Windows\system32\csrss.exe'
Signed -> 'C:\Windows\system32\drivers\kbdclass.sys'
Signed -> 'C:\Windows\system32\spoolsv.exe'
Signed -> 'C:\Windows\system32\alg.exe'
Signed -> 'C:\Windows\system32\wuauclt.exe'
Signed -> 'C:\Windows\system32\advapi32.DLL'
Signed -> 'C:\Windows\system32\user32.DLL'
Signed -> 'C:\Windows\system32\gdi32.DLL'
Signed -> 'C:\Windows\system32\kernel32.DLL'
Signed -> 'C:\Windows\system32\ntdll.DLL'
Signed -> 'C:\Windows\system32\ntoskrnl.exe'
Signed -> 'C:\Windows\system32\ctfmon.exe'
The system files were scanned ('21' files)

Starting the file scan:

Begin scan in 'C:\Users\tamhbrih\AppData\Roaming\#ISW.FS#\Normal\ffffffffffff5ee7.isw'
C:\Users\tamhbrih\AppData\Roaming\#ISW.FS#\Normal\ffffffffffff5ee7.isw
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '49b65909.qua'.
Begin scan in 'C:\Users\tamhbrih\AppData\Roaming\#ISW.FS#\Normal\ffffffffffff5f36.isw'
C:\Users\tamhbrih\AppData\Roaming\#ISW.FS#\Normal\ffffffffffff5f36.isw
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '512176ae.qua'.


End of the scan: Thursday, December 23, 2010 18:30
Used time: 00:08 Minute(s)

The scan has been done completely.

0 Scanned directories
22 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
20 Files not concerned
0 Archives were scanned
0 Warnings
2 Notes


The scan results will be transferred to the Guard.

Any help would really be appreciated!

Thank You
Tammy

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,385 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 December 2010 - 10:36 PM

A common attack against the web infrastructure can be the infection of harmless web pages. Some malware changes every HTML file stored on the disk and adds a link (very often an IFrame) to a site hosting malicious code. Other attacks can aim for the web servers and try to insert forwarding to the pages hosted there. The owner of these pages is advised to take them offline, fix the hole (either on his own PC or on the server), check the pages for infections, clean them, and go online again. Infected web pages often contain additional iframe, object or script tags. The script tags often contain encrypted code.

Special detection HTML/Infected.WebPage.Gen

Since Avira is making the detection and you submitted samples, I suggest you wait on a reply from them or follow up by contacting them again with a reminder.

See this Avira link for a discussion of a similar report.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
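The injected-tag pattern described in the reply above (extra iframe, object or script tags, with script bodies carrying encoded code) can be checked for in a saved HTML file with a small scanner. The following is an added example for illustration; it is not part of this thread and not Avira's signature logic. It parses the HTML, flags iframe/object/embed tags that are sized to zero, hidden with CSS or pushed off-screen, and flags script bodies that pass a long run of `%xx`, `\x..` or `\u....` escape sequences to a decoder such as `eval`, `unescape` or `document.write`. The two sample pages, the `example.invalid` host and the thresholds in the regular expressions are constructed for the demonstration.

```python
"""Scan HTML for the injected tags that generic "infected web page"
signatures look for: hidden frames and obfuscated script bodies.

Added example, not Avira's detection logic. Sample pages, host names
and thresholds below are constructed for the demonstration.
"""
import re
from html.parser import HTMLParser

# CSS that makes an element invisible to the visitor.
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Absolute positioning far outside the viewport (three or more digits).
OFFSCREEN_RE = re.compile(r"(left|top)\s*:\s*-\d{3,}", re.I)
# A run of at least eight consecutive escape sequences (threshold is constructed).
ESCAPE_RUN_RE = re.compile(
    r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){8,}", re.I)
# Functions commonly used to turn such a run back into executable markup/code.
DECODER_RE = re.compile(
    r"\b(eval|unescape|document\.write|String\.fromCharCode)\b", re.I)


class InjectionScanner(HTMLParser):
    """Collect (tag, reason, line) findings for suspicious tags."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_line = 0
        self._script_chunks = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag in ("iframe", "object", "embed"):
            reasons = []
            zero = ("0", "0px")
            if (attrs.get("width", "").strip() in zero
                    or attrs.get("height", "").strip() in zero):
                reasons.append("zero-size frame")
            style = attrs.get("style", "")
            if HIDDEN_STYLE_RE.search(style):
                reasons.append("hidden via CSS")
            if OFFSCREEN_RE.search(style):
                reasons.append("positioned off-screen")
            for reason in reasons:
                self.findings.append((tag, reason, line))
        elif tag == "script":
            # HTMLParser delivers script content through handle_data;
            # buffer it until the closing tag.
            self._in_script = True
            self._script_line = line
            self._script_chunks = []

    def handle_data(self, data):
        if self._in_script:
            self._script_chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._script_chunks)
            if ESCAPE_RUN_RE.search(body) and DECODER_RE.search(body):
                self.findings.append(
                    ("script", "escaped payload passed to a decoder",
                     self._script_line))
            self._in_script = False


def scan_html(html):
    """Return a list of (tag, reason, line) findings for one HTML document."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: an ordinary page, and the same page with an
# injected hidden frame plus an escaped script appended before </body>.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script>function greet(){ document.getElementById('x').textContent = 'hi'; }</script>
</head><body><h1 id="x"></h1></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    """<iframe src="http://example.invalid/" width="0" height="0" style="visibility:hidden"></iframe>
<script>eval(unescape('%61%6c%65%72%74%28%31%29%3b%76%61%72%20%61'))</script></body>""")


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page))
```

Run it against a saved copy of a page rather than a live one; the findings give the tag, the reason and the line number so the suspect tag can be located and compared with a known-good copy of the file. A hit is a reason to inspect, not proof of infection, since legitimate pages also use hidden frames for tracking and analytics.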

#3 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • Gender:Female
  • Location:Idaho, US

Posted 23 December 2010 - 10:41 PM

Thank you Quietman7
I will go back to Avira!
I so appreciate your quick answer!

Merry Christmas!

Tammy

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,385 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 December 2010 - 10:44 PM

And a Merry Christmas to you.

Please post back here when they reply back with an answer.

#5 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • Gender:Female
  • Location:Idaho, US

Posted 23 December 2010 - 11:00 PM

I sure will!


:thumbsup:



