Exploit:HTML/IframeRef.gen

  • Question

  • Dear All,

    The above virus kept popping up and I am unable to quarantine it and removal is not successful. Is there any way to get rid of it?

    Regards,

    Voigtlander

    Thursday, June 14, 2007 3:34 PM

All replies

  • Try deleting your temporary internet files and any stored offline web pages.
    Thursday, June 14, 2007 3:49 PM
    Moderator
  • See this post for reporting an infection to Microsoft and getting help with removal - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=662566&SiteID=2

    -steve

    Friday, June 15, 2007 12:52 AM
    Moderator
  • Dear Friends,

    I tried the advice given and still the same virus warning kept popping up and I am still unable to quarantine and delete. Please help me as this problem is really stressing me out.

    Regards,

    Voigtlander

    Saturday, June 16, 2007 5:25 AM
  • Try going to www.bleepingcomputer.com and see if they can clean it up.

    chuck

    Saturday, June 16, 2007 3:54 PM
  • Hi,

    I get this too!  I just installed the OneCare program and found it.  I tried a couple of times and the quarantine failed each time.

    No info on "bleepingcomputer".

    Any other ideas?

    Caltrop

    Tuesday, June 19, 2007 12:12 AM
  • You may want to try this number for the Microsoft antimalware support -  866 727 2338 - if you are in the US.

    As a OneCare user, you can also contact OneCare support for help - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=1183038&SiteID=2

    -steve

    Tuesday, June 19, 2007 12:49 AM
    Moderator
  • Help, Windows Live OneCare detected this yesterday after I read a message board.   It has popped up again and it can't be quarantined.  I have followed all suggestions, and am hoping I'm safe now?

    I also emailed for help.

    Thank You for any suggestions if anyone has been able to rid themselves of this.  Am I safe?

    Tuesday, June 26, 2007 2:35 AM
  • o.k. - here is the info on this.

    How can we remove it? I paid for the program to remove it, and it does not!

    Type: Malware
    Type Description: Malware ("malicious software") consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.
    Category: Exploit
    Category Description: An Exploit is software or code that targets security vulnerabilities, usually in the operating system or browser, but may also target vulnerabilities in other programs. Exploits are typically used to install malicious software on the victim's computer without the victim's knowledge or consent. An Exploit may be used to install malware that gives the attacker complete access to and control of the affected computer from a remote location.
    Level: High
    Level Description: High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
    Advice Type: Remove
    File Traces:
    Tuesday, June 26, 2007 1:43 PM
  • The easiest way to solve your problem is to first find out where it is. If you are able to look at the report from the scan, use it to tell you where the file is that is causing the problem.

    If you can't get into the report from the OneCare utility you can go to the cmd line and run a utility called MpCmdRun.exe, which is under the AntiVirus directory of your Microsoft Windows OneCare directory in Program Files (default install). This needs to be run with a -GetFiles switch. That will put the logs into the following directory: Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support\

    The file you want to look at is called MPSystemEvents.txt and should contain the report items you are looking for, including where the file is located. Once you have found the file, browse to it and delete it.

    Most likely the reason you are not able to quarantine this is because it is part of an archive file or in an Outlook archive. You can open the archive and delete the offending file; as long as you do not run the offending file you should be fine.

    In my case the file was in an Outlook archive. I went in, found the offending email and deleted it, and poof, the problem went away. Obviously I cannot guarantee this will work for you but it did for me. Hope this helps.

    Mike

    Wednesday, June 27, 2007 1:08 AM
  • Mike,

    You are a genius!!!  Thank you Thank you.   I followed your instructions, and found it listed in my temp files.   I had already deleted all temp files as the instructions stated, but I just wanted to be sure.  So, I did it again, ran another scan, and it is GONE!!!!   Thank You again for making me feel safe again.

    Cali

    Wednesday, June 27, 2007 2:48 AM
  • Thanks for reporting back, Cali, and thanks to you, Mike. :-)

    -steve

    Wednesday, June 27, 2007 12:40 PM
    Moderator
  • I tried this and get "access denied" error.  Any idea how to resolve this?
    Friday, June 29, 2007 2:08 AM
  • What did you try? What OS are you running? If it is Vista, you may need to open the command prompt to run as administrator.

    -steve

    Saturday, June 30, 2007 3:30 AM
    Moderator
  • Anon Mike,

    I performed this process a few times to no avail.  The messages from OneCare continue to pop up while I'm working - now with more and more frequency.  My latest events log now has more and more files listed.  Example:

    *******************************************************************************
    7/3/2007 05:40:12 AM OneCareMP Warning  3004 RCDN_X1
    Windows OneCare Live Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. Windows OneCare Live can't undo changes that you allow.
     For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Exploit:HTML/IframeRef.gen&threatid=2147536539
      Scan ID: {7C4731AF-CD4E-4EAC-BA8F-D7DF2B964338}
      Agent: On Access
      User: RCDN_X1\RCDN
      Name: Exploit:HTML/IframeRef.gen
      ID: 2147536539
      Severity: Severe
      Category: Exploit
      Path Found: file:C:\Documents and Settings\RCDN\My Documents\Logitech Projects\Offline Viewer\GPkg_Offline.htm->(IframeRefI)
      Alert Type:
      Process Name: C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
      Detection Type: Generic
      Status: Suspend
    *******************************************************************************

    What do you think is happening?

    RCDN

    Tuesday, July 3, 2007 1:45 PM
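As an added example (not code from the thread or from OneCare), a small Python parser for event blocks in the MPSystemEvents format RCDN pasted above: it pulls out the threat name, splits "Path Found" into the container file and the embedded member after "->", records which process opened it, and counts repeats so the same embedded file re-flagged on every indexer run is not mistaken for a fresh infection. The second event block in the sample is constructed (placeholder Scan ID); the field names, regexes and function names are mine.

```python
import re
from collections import Counter

# Two OneCare event blocks in the MPSystemEvents format quoted above; the second
# is constructed: the same embedded file re-flagged the next day (Scan ID is a placeholder).
SAMPLE_LOG = r"""
*******************************************************************************
7/3/2007 05:40:12 AM OneCareMP Warning  3004 RCDN_X1
Windows OneCare Live Real-Time Protection agent has detected changes.
  Scan ID: {7C4731AF-CD4E-4EAC-BA8F-D7DF2B964338}
  Name: Exploit:HTML/IframeRef.gen
  ID: 2147536539
  Severity: Severe
  Path Found: file:C:\Documents and Settings\RCDN\My Documents\Logitech Projects\Offline Viewer\GPkg_Offline.htm->(IframeRefI)
  Alert Type:
  Process Name: C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
*******************************************************************************
7/4/2007 05:40:15 AM OneCareMP Warning  3004 RCDN_X1
  Scan ID: {00000000-0000-0000-0000-000000000002}
  Name: Exploit:HTML/IframeRef.gen
  Path Found: file:C:\Documents and Settings\RCDN\My Documents\Logitech Projects\Offline Viewer\GPkg_Offline.htm->(IframeRefI)
  Process Name: C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
*******************************************************************************
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) OneCareMP "
    r"(?P<level>\w+)\s+(?P<event_id>\d+) (?P<host>\S+)$")
FIELD_RE = re.compile(r"^\s{2,}(?P<key>[A-Za-z ]+):\s?(?P<value>.*)$")

def parse_events(text):
    """One dict per block: header groups plus the indented 'Key: value' fields."""
    events = []
    for block in re.split(r"^\*{5,}[ \t]*$", text, flags=re.M):
        lines = block.strip().splitlines()
        m = HEADER_RE.match(lines[0]) if lines else None
        if not m:
            continue  # empty chunk or free text, not an event
        ev = m.groupdict()
        for f in filter(None, map(FIELD_RE.match, lines[1:])):
            ev[f["key"]] = f["value"].strip()
        events.append(ev)
    return events

def split_path(path_found):
    """'file:C:\\x\\y.htm->(IframeRefI)' -> ('C:\\x\\y.htm', 'IframeRefI'). A member after
    '->' means the hit sits inside a container (archive, mail store, HTML package) that the
    scanner can flag but not rewrite, so quarantine fails and the alert repeats on every scan."""
    path = path_found[5:] if path_found.startswith("file:") else path_found
    container, sep, member = path.partition("->")
    return container, (member.strip("()") if sep else None)

def summarise(events):
    """Count hits per (threat name, container file, process that opened it)."""
    counts = Counter()
    for ev in events:
        if "Path Found" in ev:
            container, _ = split_path(ev["Path Found"])
            counts[(ev.get("Name"), container, ev.get("Process Name"))] += 1
    return counts
```

A count of 2 or more for one (threat, container, process) tuple is the "same file every day" pattern described later in this thread: the fix is to exclude, delete or uninstall the container, not to keep re-quarantining.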
  • RCDN, you should contact support for help with removal of this threat - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=1183038&SiteID=2

    -steve

    Tuesday, July 3, 2007 6:56 PM
    Moderator
  • Yeah, I've been seeing the same problem. Looking at the mysterious log in "All Users\Application Data\Microsoft\OneCare Protection\Support" did the trick in that it named the offending file explicitly. If the "view details" dialog simply had the same info the "hidden" log had then I'd have solved this problem weeks ago and without the help of the forums (no offense guys; we all love ya).
    This is the second time that the design of OneCare, trying to err on the side of usability, has lacked functionality (I've been posting in the backup functionality forum as well). Microsoft, you need to move that "easy/powerful" needle decidedly more into the "power" side of things to make this product competitive. Whether or not I renew my OneCare subscription or go back to Norton will depend on how well the next release of OneCare addresses such issues.
    Tuesday, July 17, 2007 3:12 AM
  • Hey RCDN: Your Google indexer is opening the GPkg_Offline.htm which has the IFrameRef exploit in it. Each time Google indexer opens this file OneCare scans it and flags it as a virus. You will need to do one of two things. 1) If you are sure that the Logitech "offline viewer" is good and trusted software then you can tell the OneCare virus scanner to ignore it (see the "OneCare Live settings | Viruses and Spyware | Exclusions"). 2) If you do not trust the software or yourself then you'll need to delete the C:\Documents and Settings\RCDN\My Documents\Logitech Projects\Offline Viewer\GPkg_Offline.htm file. This may cause the Logitech "offline viewer" to stop working but more likely this will just break one of its help pages. Logitech should be informed that Microsoft does not like their HTML in this file.

    The good thing is this is a fairly benign exploit when found in files like these. Mostly the malicious use of this exploit will come when the HTML is running in a trusted process from a malicious source like that shareware you downloaded last week. I should stress if you got this software from the web you might have been spoofed and might be better off getting rid of the entire package. If it is legitimately something from a manufacturer like Logitech then it's mostly their web monkeys using a feature they don't realize has been abused to the point of being declared "malicious".

    Hope that helps.

    PS, you shouldn't leave your path to your "my documents" folder up on a public web page. Not a huge thing but for the paranoid it is a leg up for a potential attacker to find your most valuable and lucrative data without the need for scanning your entire C volume.

    Tuesday, July 17, 2007 3:25 AM
  • Windows Live OneCare will get rid of this automatically. There is a free installation for 56 days on the Microsoft site and the beta version is currently testing. This virus tries to attack my computer at least once a day and the above has always quarantined it.
    Sunday, July 22, 2007 9:34 AM
  • Actually no virus scanner can "quarantine" this exploit as found because it is a file within a larger binary blob. The design of the dialog is very unfortunate here because it makes the user think, "huh; I had a virus. That's scary. Oh well; looks like OneCare got it." But then the same time the next day when their disk indexer task kicks off it happens again and they think, "wow, I keep getting the same virus over and over again. Yikes! HELP!" This then costs Microsoft in telephone support time. The truth is they don't have a virus; they have a single file that is dangerous if run, but it's always the same file. The dialog needs to be a little more explicit in showing the filename, the package that "owns" the file and explaining, "you'll need to uninstall this software or delete the file (the binary file the offending .htm is within) to stop getting this message or you can choose to ignore this specific file".

    Interestingly enough, my entrance into this little conundrum was due to the confluence of my backup practices and my virus scanning practices. The exploit was found within a binary file that was a backup of very old data I had. My disk indexer was set to index my local backup (or "archives") so I could find old stuff.

    cheers,
    -scott a dixon
    Monday, July 23, 2007 5:16 PM
  • basedissonance wrote:
    Yeah, I've been seeing the same problem. Looking at the mysterious log in "All Users\Application Data\Microsoft\OneCare Protection\Support" did the trick in that it named the offending file explicitly. If the "view details" dialog simply had the same info the "hidden" log had then I'd have solved this problem weeks ago and without the help of the forums (no offense guys; we all love ya).
    This is the second time that the design of OneCare, trying to err on the side of usability, has lacked functionality (I've been posting in the backup functionality forum as well). Microsoft, you need to move that "easy/powerful" needle decidedly more into the "power" side of things to make this product competitive. Whether or not I renew my OneCare subscription or go back to Norton will depend on how well the next release of OneCare addresses such issues.

    I totally agree that the messaging in OneCare needs to improve, particularly when a threat is found and not dealt with completely. The Support Log within the Change OneCare Settings area has lots of details, but who really thinks to go there? And it doesn't always include enough information there.

    -steve

    Monday, July 23, 2007 11:45 PM
    Moderator
  • HELP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    I have followed all the instructions and deleted the file indicated by the log BUT OneCare still says (every few minutes) that Exploit:HTML/IframeRef.gen is a problem and does a scan.  If I go back into the Support log, it says the same file in the same place, but it is not there.

    ANY SUGGESTIONS???

    And I can't seem to go through the Help on OneCare as it fails half way through.

    Friday, July 27, 2007 6:47 AM
  • You can use the instructions here to contact support - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=1183038&SiteID=2

    If you are a subscriber, you can sign on at http://support.windowsonecare.live.com to see your support options.

    -steve

    Friday, July 27, 2007 7:17 PM
    Moderator
  • Might want to just make a habit of deleting your temporary Internet files weekly... or daily, depending on your browsing proclivity (Tools ->Internet Options ->Delete->Delete Files).  It will take care of the files most of the exploits are buried in.

    Saturday, August 4, 2007 11:29 PM
  • Hi,

    It's very easy to get rid of this virus. Don't waste your time and do the following:

    1. Delete all Temporary Internet Files, Cookies, Form Data etc. through Internet Explorer.

    Tools > Internet Options

    Click on General Tab and in section Browsing History click the Delete button.

    Delete all Temporary Files, Cookies, History.

    2. Go to My Computer and right click on C: drive and perform a complete system clean up.

    Right Click on C:

    Select Properties

    Click on Disk Cleanup button

    Select all options and Press OK.

    That's it. Hope this will help you all.

    Thank you.

    Friday, August 10, 2007 2:07 PM
  • Hi, I have the same problem but I'm not a techie. Could you please explain how to get that report that you talk about? Thanks

    Thursday, January 10, 2008 3:47 PM
  • Hopefully, you are subscribed to forum alerts for this post, as I am expecting that the folder you posted to will be removed shortly.

    Per the post above yours:

    "It's very easy to get rid of this virus. Don't waste your time and do the following:

    1. Delete all Temporary Internet Files, Cookies, Form Data etc. through Internet Explorer.

    Tools > Internet Options

    Click on General Tab and in section Browsing History click the Delete button.

    Delete all Temporary Files, Cookies, History.

    2. Go to My Computer and right click on C: drive and perform a complete system clean up.

    Right Click on C:

    Select Properties

    Click on Disk Cleanup button

    Select all options and Press OK."

    And to view exactly where OneCare is detecting this threat, open OneCare, click on Change Settings, select the Logging tab, and click on create support log. A report will open in your web browser. Scroll down to the virus and spyware section of the report.

    -steve

    Thursday, January 10, 2008 5:23 PM
    Moderator
  • I did all of the above... and today I called OneCare.

    See, I've had this virus for about a month, so then I got OneCare.  It kept finding the virus over and over every time I deleted it.  Then when I went to download Photoshop recently (while I still had the virus) I kept getting a BSOD with a stop error and a file listed as fishpe2.sys, every time I tried to load Photoshop.

    I wasn't sure if that file fishpe2.sys was bad or not, but OneCare said it was, so I deleted it.  I then deleted a suspicious jinstall file that had been modified on or about the date I got the virus.  Then OneCare had me do a scan in safe mode, so now I'm hoping that I am rid of the dang thing.  I still keep dumping my temp files for good measure. By the way, I don't use Outlook Express as I have seen others cite their problem as being involved with email from Outlook.

    The thing though, was after I did the OneCare scan in safe mode, a DEP message came up when I started in normal mode.  It said Windows closed the program called tcpdiss to prevent blah blah.  I didn't see that program in my add/remove in control panel.  I think it is a registry thing.  (As you can see I'm a novice at all this.)   Do I need to get rid of that tcpdiss?  Thanks for any help.

    Hope this makes sense, and thanks again

    Mae

    Friday, January 11, 2008 10:42 PM
  • P.S.  If I DO have to get rid of tcpdiss, how might I do it?

    Friday, January 11, 2008 10:44 PM
  • MaePartna wrote:
    P.S.  If I DO have to get rid of tcpdiss, how might I do it?

    Mae, see if this helps:

    http://www.bleepingcomputer.com/startups/tcpdiss.exe-21363.html

    If not, contact support again. :-)

    -steve

    Sunday, January 13, 2008 9:18 PM
    Moderator
  • I use the latest version of Windows Live OneCare. They have updated their software. It has quarantined the virus every time it comes up... Live OneCare does work... the beta version is 90 days free use.
    Friday, March 21, 2008 6:44 PM
  • When I visit a friend's website OneCare always asks me if I want to quarantine HTML/IframeRef.gen.

    I say yes and then clear out quarantine.

    My friend says his site is safe and secure and that the problem must be with my computer. However OneCare and Norton's Online Scanner say my computer is fine.

    Could this be a false positive from OneCare or should my friend be worried?

    Since getting a router with a hardware firewall OneCare has reported no malicious activity except when I visit this particular site.

    Thursday, March 27, 2008 4:24 PM
  • It may be coming via an ad hosted on the site.
    Can you provide a URL?
    -steve
    Thursday, March 27, 2008 4:49 PM
    Moderator
  • Steve

    The URL is www.wibsey.net

    It would be interesting and helpful if this could be explained

    Thursday, March 27, 2008 5:08 PM
  • I get the problem when I visit various ad sites for online business.. the other trojan virus that comes up is the js/agent.FA...

    Would like to get rid of it while I'm doing business....

    thanx

    meghan

    Thursday, March 27, 2008 5:14 PM
  • There may be an issue with the website. Besides OneCare detecting the threat, this is a log file generated by NOD32:

    3/27/2008 10:14:26 AM Real-time file system protection file C:\Users\James\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JRKH560G\wibsey_net[1].htm HTML/TrojanClicker.IFrame.AG trojan cleaned by deleting  Event occurred during an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.

    Thursday, March 27, 2008 5:26 PM
    Moderator