A Windows XP help forum. PCbanter


Exploit:HTML/IframeRef.gen -- how do I get rid of this?



 
 
  #1  
Old February 13th 07, 08:56 AM posted to microsoft.public.windowsxp.security_admin
Frazzled Cheryl
external usenet poster
 
Posts: 1
Default Exploit:HTML/IframeRef.gen -- how do I get rid of this?

Live OneCare stops this from executing but can't seem to quarantine it or
remove it, in any way. It also turns off Windows Defender. Spyware Doctor
doesn't even find it. It's crazy that two Microsoft products don't protect
against this! I don't understand. If anyone has a way to explain a removal
process in an easy-to-comprehend way, I would really appreciate it. I am not
someone who is used to digging around in my computer's innards, but this
thing is really interfering with how my machine runs. Thanks!

** cheryl **

  #2  
Old February 13th 07, 05:11 PM posted to microsoft.public.windowsxp.security_admin
nass
external usenet poster
 
Posts: 7,474
Default Exploit:HTML/IframeRef.gen -- how do I get rid of this?



"Frazzled Cheryl" wrote:

Live OneCare stops this from executing but can't seem to quarantine it or
remove it, in any way. It also turns off Windows Defender. Spyware Doctor
doesn't even find it. It's crazy that two Microsoft products don't protect
against this! I don't understand. If anyone has a way to explain a removal
process in an easy-to-comprehend way, I would really appreciate it. I am not
someone who is used to digging around in my computer's innards, but this
thing is really interfering with how my machine runs. Thanks!

** cheryl **


Hi Cheryl,
Try these steps here:
1. Click Start, Control Panel, and in Control Panel click Network and
Internet connections, then open Internet Options.
2. Click the General tab, and then under Temporary Internet files, click
Delete Files.
3. In the Delete Files dialog box, click to select the Delete all off-line
content check box if you want to delete all Web page content that you have
made available offline.
4. Click OK.
Scan from here and you can get the free Avast AV for home user only:
http://www.avast.com/eng/wmf_exploit.html

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Then I think there is not anything (maybe) on your computer, but it could
be a security hole left open because you didn't get the latest updates for
your IE, or malicious software installed, or code that opened a security hole in
your browser, so get the latest security updates for your computer.
August 2002, Cumulative Update for Internet Explorer (Q323759)
http://www.microsoft.com/windows/ie/...e/default.mspx

Microsoft Security Bulletin MS04-013
http://www.microsoft.com/technet/sec.../ms04-013.mspx
Here is the link for the ZA download, all versions; get yourself a firewall:
http://download.zonelabs.com/bin/fre...seHistory.html
  #3  
Old February 13th 07, 11:08 PM posted to microsoft.public.windowsxp.security_admin
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Exploit:HTML/IframeRef.gen -- how do I get rid of this?

From: "Frazzled Cheryl" Frazzled

| Live OneCare stops this from executing but can't seem to quarantine it or
| remove it, in any way. It also turns off Windows Defender. Spyware Doctor
| doesn't even find it. It's crazy that two Microsoft products don't protect
| against this! I don't understand. If anyone has a way to explain a removal
| process in an easy-to-comprehend way, I would really appreciate it. I am not
| someone who is used to digging around in my computer's innards, but this
| thing is really interfering with how my machine runs. Thanks!
|
| ** cheryl **

This is Exploit code in a HTML file. There is NOTHING to quarantine. Basically as you
browsed a malicious web page Live OneCare stopped the file in its tracks and it wasn't even
written to the TIF.

Windows Defender and Spyware Doctor wouldn't have found this even if OneCare failed to do
its job as these are non-viral anti malware software applications and Exploit code is
found/detected by anti virus packages such as OneCare.

Actually you are quite lucky. Overall OneCare falls way below its peers as anti virus
software and its catch rate is very poor. Luckily OneCare stopped this IFrame Exploit.
However, we don't know what OneCare missed !

In the future, please use the news group; microsoft.public.security.virus for this kind
of subject matter.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


  #4  
Old February 15th 07, 04:24 AM posted to microsoft.public.windowsxp.security_admin
Frazzled Cheryl
external usenet poster
 
Posts: 2
Default Exploit:HTML/IframeRef.gen -- how do I get rid of this?

Thanks for all the help, everyone, I really appreciate it. I got an email
today from PC Tools -- they said this was a new variant on a known malware
threat, and they are currently working on a resolution. I hope my Microsoft
products will be similarly updated to help protect from sites w/future
exploits.

I'm sorry I posted this in the wrong place... it was very hard for me to
discern from that long list of choices just where I should post. I think I
need Microsoft Communities for Dummies! ;-)

** cheryl **



"David H. Lipman" wrote:

From: "Frazzled Cheryl" Frazzled

| Live OneCare stops this from executing but can't seem to quarantine it or
| remove it, in any way. It also turns off Windows Defender. Spyware Doctor
| doesn't even find it. It's crazy that two Microsoft products don't protect
| against this! I don't understand. If anyone has a way to explain a removal
| process in an easy-to-comprehend way, I would really appreciate it. I am not
| someone who is used to digging around in my computer's innards, but this
| thing is really interfering with how my machine runs. Thanks!
|
| ** cheryl **

This is Exploit code in a HTML file. There is NOTHING to quarantine. Basically as you
browsed a malicious web page Live OneCare stopped the file in its tracks and it wasn't even
written to the TIF.

Windows Defender and Spyware Doctor wouldn't have found this even if OneCare failed to do
its job as these are non-viral anti malware software applications and Exploit code is
found/detected by anti virus packages such as OneCare.

Actually you are quite lucky. Overall OneCare falls way below its peers as anti virus
software and its catch rate is very poor. Luckily OneCare stopped this IFrame Exploit.
However, we don't know what OneCare missed !

In the future, please use the news group; microsoft.public.security.virus for this kind
of subject matter.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



  #5  
Old February 15th 07, 07:40 PM posted to microsoft.public.windowsxp.security_admin
Frazzled Cheryl
external usenet poster
 
Posts: 2
Default Exploit:HTML/IframeRef.gen -- how do I get rid of this?

Well, today I can't seem to get the Question function to work... have allowed
PopUps on the browser, and I press the Ctrl key to override any other pop up
zapper, and all it does is blink at me... I can't open the Question box, yet
I did it before, just fine. I tried to post in the group you directed me to,
but for whatever reason, I can't, I can only Reply.

I guess I just don't understand how this Exploit works. I inadvertently left
my browser open last nite to a site I certainly trust, and this morning woke
up to the same msg from OneCare saying it had blocked this, yet the browser
(tho open) wasn't doing anything/moving around, anywhere. It still acts (to
me) like something is resident on my computer. The system is still sluggish,
and things don't work like they're supposed to, ie, this not being able to
bring up the new Question window, yet I did it before. I suppose this sounds
nuts, but I feel like I don't have total control over my own computer, as I
notice little changes, here and there. Went to my homepage yesterday, and
found it didn't go there, anymore.

I'm completely baffled, scared, and frustrated.

** cheryl **


"David H. Lipman" wrote:

From: "Frazzled Cheryl" Frazzled

| Live OneCare stops this from executing but can't seem to quarantine it or
| remove it, in any way. It also turns off Windows Defender. Spyware Doctor
| doesn't even find it. It's crazy that two Microsoft products don't protect
| against this! I don't understand. If anyone has a way to explain a removal
| process in an easy-to-comprehend way, I would really appreciate it. I am not
| someone who is used to digging around in my computer's innards, but this
| thing is really interfering with how my machine runs. Thanks!
|
| ** cheryl **

This is Exploit code in a HTML file. There is NOTHING to quarantine. Basically as you
browsed a malicious web page Live OneCare stopped the file in its tracks and it wasn't even
written to the TIF.

Windows Defender and Spyware Doctor wouldn't have found this even if OneCare failed to do
its job as these are non-viral anti malware software applications and Exploit code is
found/detected by anti virus packages such as OneCare.

Actually you are quite lucky. Overall OneCare falls way below its peers as anti virus
software and its catch rate is very poor. Luckily OneCare stopped this IFrame Exploit.
However, we don't know what OneCare missed !

In the future, please use the news group; microsoft.public.security.virus for this kind
of subject matter.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



  #6  
Old February 15th 07, 09:36 PM posted to microsoft.public.windowsxp.security_admin
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Exploit:HTML/IframeRef.gen -- how do I get rid of this?

From: "Frazzled Cheryl"

| Well, today I can't seem to get the Question function to work... have allowed
| PopUps on the browser, and I press the Ctrl key to override any other pop up
| zapper, and all it does is blink at me... I can't open the Question box, yet
| I did it before, just fine. I tried to post in the group you directed me to,
| but for whatever reason, I can't, I can only Reply.
|
| I guess I just don't understand how this Exploit works. I inadvertently left
| my browser open last nite to a site I certainly trust, and this morning woke
| up to the same msg from OneCare saying it had blocked this, yet the browser
| (tho open) wasn't doing anything/moving around, anywhere. It still acts (to
| me) like something is resident on my computer. The system is still sluggish,
| and things don't work like they're supposed to, ie, this not being able to
| bring up the new Question window, yet I did it before. I suppose this sounds
| nuts, but I feel like I don't have total control over my own computer, as I
| notice little changes, here and there. Went to my homepage yesterday, and
| found it didn't go there, anymore.
|
| I'm completely baffled, scared, and frustrated.
|
| ** cheryl **


Did you run any of the scans suggested from the Multi AV Scanning Tool ?

The most important thing to realize is that Exploits take advantage of vulnerabilities. If
vulnerabilities are properly patched, Exploit Codes become impotent and unable to take
advantage. Since this is an IFrame Internet Explorer Exploitation, you need to make sure
that Internet Explorer in Windows XP is completely and fully patched by installing *all*
critical updates provided by the Windows Update web site.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


  #7  
Old July 20th 07, 10:30 PM posted to microsoft.public.windowsxp.security_admin
Anthony Marsh
external usenet poster
 
Posts: 2
Default Exploit:HTML/IframeRef.gen -- how do I get rid of this?

Frazzled Cheryl wrote:
Live OneCare stops this from executing but can't seem to quarantine it or
remove it, in any way. It also turns off Windows Defender. Spyware Doctor
doesn't even find it. It's crazy that two Microsoft products don't protect
against this! I don't understand. If anyone has a way to explain a removal
process in an easy-to-comprehend way, I would really appreciate it. I am not
someone who is used to digging around in my computer's innards, but this
thing is really interfering with how my machine runs. Thanks!

** cheryl **



When you browse any suspicious sites turn off Javascript. This exploit
is run in Javascript. Some Web sites will try to lure you in and tell
you that their features operate only with Javascript enabled. Don't do it.
Such as downloading files from Depositfiles.com. In order to download
them for free you have to watch a clock count down and that only happens
as a Javascript applet. While it is counting down the clock it is
installing the Trojan Horse program Exploit:HTML/IframeRef.gen.
When you later do a scan read the logs and it should tell you exactly
where the Iframe reference is. I found it in an obsolete mail Inbox.
Copy the old folder to a CD and then delete the whole folder.
Live OneCare does not want to quarantine folders or files that it thinks
you want to use daily such as your mailbox, otherwise you would not be
able to read your mail.
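
An added example, not part of any post in this thread and not OneCare's detection logic: one way to locate an iframe reference of the kind discussed above inside a saved web page or a saved mail message. The "zero-size or hidden iframe with a remote src" heuristic, the function names and the sample data are assumptions made for illustration, and the mail is assumed to be available as a single RFC 822 message.

```python
import email
import re
from html.parser import HTMLParser

# Heuristics are illustrative assumptions, not any vendor's signature.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = re.compile(r"\s*[01]\s*(px)?\s*", re.I)   # width/height of 0 or 1
REMOTE = re.compile(r"(https?:)?//", re.I)       # absolute or scheme-relative URL

class IframeFinder(HTMLParser):
    """Collects every <iframe> start tag with the line it appears on."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "").strip()
        reasons = []
        if TINY.fullmatch(a.get("width", "")) or TINY.fullmatch(a.get("height", "")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        self.hits.append({"line": self.getpos()[0], "src": src,
                          "remote": bool(REMOTE.match(src)), "reasons": reasons})

def find_hidden_iframes(html_text):
    """Return iframes that load a remote URL while being invisible to the user."""
    finder = IframeFinder()
    finder.feed(html_text)
    finder.close()
    return [h for h in finder.hits if h["remote"] and h["reasons"]]

def html_bodies(raw_message):
    """Yield the decoded text/html parts of one RFC 822 message given as bytes."""
    for part in email.message_from_bytes(raw_message).walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "latin-1"
            try:
                yield payload.decode(charset, "replace")
            except LookupError:  # unknown charset label in the message
                yield payload.decode("latin-1", "replace")

def scan_message(raw_message):
    """Scan every HTML part of a saved message; returns a flat list of hits."""
    return [h for body in html_bodies(raw_message) for h in find_hidden_iframes(body)]

# Constructed samples (not taken from the thread).
SAMPLE_PAGE = """<html><body>
<p>Welcome</p>
<iframe src="http://malicious.example/x.htm" width=0 height=0></iframe>
<iframe src="http://video.example/embed" width="560" height="315"></iframe>
</body></html>"""
SAMPLE_EML = (
    b"From: sender@mail.example\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"<p>Hello</p>\r\n"
    b'<iframe src=3D"http://malicious.example/x.htm" style=3D"display:none"></iframe>\r\n'
)

if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE_PAGE))
    print(scan_message(SAMPLE_EML))
```

A hit only says where an invisible remote iframe sits in the file; it is a pointer to which cached page or stored message a scanner is likely flagging, not a verdict on the content behind the URL.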
  #8  
Old July 20th 07, 10:37 PM posted to microsoft.public.windowsxp.security_admin
Anthony Marsh
external usenet poster
 
Posts: 2
Default Exploit:HTML/IframeRef.gen -- how do I get rid of this?

Frazzled Cheryl wrote:
Live OneCare stops this from executing but can't seem to quarantine it or
remove it, in any way. It also turns off Windows Defender. Spyware Doctor
doesn't even find it. It's crazy that two Microsoft products don't protect
against this! I don't understand. If anyone has a way to explain a removal
process in an easy-to-comprehend way, I would really appreciate it. I am not
someone who is used to digging around in my computer's innards, but this
thing is really interfering with how my machine runs. Thanks!

** cheryl **



Another favorite trick of the hackers is to put up a pop up which warns
you that your computer is running very slowly and may be infected. So it
asks you if you'd like to run a program to clean it or check for
viruses. No matter what you click it then installs its own Trojan Horse.
Your only protection is when you see a message like that, use Task
Manager to shut down your browser.
  #9  
Old August 2nd 07, 07:22 PM posted to microsoft.public.windowsxp.security_admin
Mark G
external usenet poster
 
Posts: 25
Default Exploit:HTML/IframeRef.gen -- how do I get rid of this?

I was an idiot and now have the Trojan Horse. I ran Live OneCare virus
scan but I can't find the log to read where the Trojan Horse is so I can
delete it. Where can I find the log?

"Anthony Marsh" wrote:

Frazzled Cheryl wrote:
Live OneCare stops this from executing but can't seem to quarantine it or
remove it, in any way. It also turns off Windows Defender. Spyware Doctor
doesn't even find it. It's crazy that two Microsoft products don't protect
against this! I don't understand. If anyone has a way to explain a removal
process in an easy-to-comprehend way, I would really appreciate it. I am not
someone who is used to digging around in my computer's innards, but this
thing is really interfering with how my machine runs. Thanks!

** cheryl **



When you browse any suspicious sites turn off Javascript. This exploit
is run in Javascript. Some Web sites will try to lure you in and tell
you that their features operate only with Javascript enabled. Don't do it.
Such as downloading files from Depositfiles.com. In order to download
them for free you have to watch a clock count down and that only happens
as a Javascript applet. While it is counting down the clock it is
installing the Trojan Horse program Exploit:HTML/IframeRef.gen.
When you later do a scan read the logs and it should tell you exactly
where the Iframe reference is. I found it in an obsolete mail Inbox.
Copy the old folder to a CD and then delete the whole folder.
Live OneCare does not want to quarantine folders or files that it thinks
you want to use daily such as your mailbox, otherwise you would not be
able to read your mail.

  #10  
Old August 5th 07, 12:54 PM posted to microsoft.public.windowsxp.security_admin
mike
external usenet poster
 
Posts: 639
Default Exploit:HTML/IframeRef.gen -- how do I get rid of this?

Hi, I am also receiving this and am in a loop of "administrator"/remove, then
it says re-scan. This scan then finds the same Trojan. Can anybody tell me
how to remove it please?

"Anthony Marsh" wrote:

Frazzled Cheryl wrote:
Live OneCare stops this from executing but can't seem to quarantine it or
remove it, in any way. It also turns off Windows Defender. Spyware Doctor
doesn't even find it. It's crazy that two Microsoft products don't protect
against this! I don't understand. If anyone has a way to explain a removal
process in an easy-to-comprehend way, I would really appreciate it. I am not
someone who is used to digging around in my computer's innards, but this
thing is really interfering with how my machine runs. Thanks!

** cheryl **



Another favorite trick of the hackers is to put up a pop up which warns
you that your computer is running very slowly and may be infected. So it
asks you if you'd like to run a program to clean it or check for
viruses. No matter what you click it then installs its own Trojan Horse.
Your only protection is when you see a message like that, use Task
Manager to shut down your browser.

 



