# Virus Issue



## TheMailMan78 (Feb 11, 2010)

I have no idea where I got this from but I got nailed with a Trojan. Does anyone know anything about the *TrojanClicker:JS/Iframe.F*? MSE was able to fix it but I have no idea if it got anything from my system.


----------



## blkhogan (Feb 11, 2010)

Trojan-Clicker.JS.Iframe.dq is a hazardous trojan that may exploit security vulnerabilities and install other threats onto your computer. The trojan can open illicit network connections without your consent or knowledge. Usually Trojan-Clicker.JS.Iframe.dq is spread through unsolicited spam email, free song, game or movie downloads or via adult websites. Trojan-Clicker.JS.Iframe.dq can result in serious security and privacy issues.

Just got rid of it on a friend's system last week. She can be a nasty one.


----------



## TheMailMan78 (Feb 11, 2010)

blkhogan said:


> Trojan-Clicker.JS.Iframe.dq is a hazardous trojan that may exploit security vulnerabilities and install other threats onto your computer. The trojan can open illicit network connections without your consent or knowledge. Usually Trojan-Clicker.JS.Iframe.dq is spread through unsolicited spam email, free song, game or movie downloads or via adult websites. Trojan-Clicker.JS.Iframe.dq can result in serious security and privacy issues.
> 
> Just got rid of it on a friend's system last week. She can be a nasty one.



Mine is .f not .dq


----------



## blkhogan (Feb 11, 2010)

It's just a weaker spin-off. You been surfen p0rn, Mr. Mailman? I found some info on it the other day. I'll see if I can find it again. It's not as deadly as its big sister .dq


----------



## TheMailMan78 (Feb 11, 2010)

blkhogan said:


> It's just a weaker spin-off. You been surfen p0rn, Mr. Mailman? I found some info on it the other day. I'll see if I can find it again. It's not as deadly as its big sister .dq



Honestly no man. I haven't. I think I may have gotten it from that Crysis bench file to be honest. When I went to that site I got a bunch of pop-ups. I NEVER get pop-ups. I thought it was fishy.


----------



## blkhogan (Feb 11, 2010)

Here is some good info on it. http://www.windowsbbs.com/malware-virus-removal/90987-resolved-trojanclicker-js-iframe-f.html


----------



## TheMailMan78 (Feb 11, 2010)

Shit man, I'm worried now. MSE said it removed it but I'm running Spybot now and am going to DL Malwarebytes.


----------



## blkhogan (Feb 11, 2010)

It's removable, you just have to look for its entries (if they are still there). It slipped past Avast on my friend's system. I've always had good luck with Avast. I think they have an update for it already. Viruses move so freaking fast nowadays it's scary.


----------



## TheMailMan78 (Feb 11, 2010)

blkhogan said:


> It's removable, you just have to look for its entries (if they are still there). It slipped past Avast on my friend's system. I've always had good luck with Avast. I think they have an update for it already. Viruses move so freaking fast nowadays it's scary.



I wonder what it does exactly. I'll change my passwords just to be safe.


----------



## blkhogan (Feb 11, 2010)

TheMailMan78 said:


> I wonder what it does exactly. I'll change my passwords just to be safe.


That would be good for now. I should have taken some screens when I was cleaning his up. Malwarebytes should clean it up, you might have to run it a few times though. I would shut your network down till you know for sure it's gone. She spreads like wildfire. It will send out emails without you even knowing it.


----------



## TheMailMan78 (Feb 11, 2010)

Here is what MSE says.....


----------



## blkhogan (Feb 11, 2010)

What did SB come up with?


----------



## TheMailMan78 (Feb 11, 2010)

blkhogan said:


> What did SB come up with?



SB says it's clean


----------



## blkhogan (Feb 11, 2010)

Hmmmm... they must not have a fix for it yet, or it's gone. Run Malwarebytes and see what it says.


----------



## TheMailMan78 (Feb 11, 2010)

blkhogan said:


> Hmmmm... they must not have a fix for it yet, or it's gone. Run Malwarebytes and see what it says.



MSE says it's gone. It was in my internet temp files.


----------



## blkhogan (Feb 11, 2010)

MSE is some good stuff. It might have killed it. I would run malwarebytes just to make sure.


----------



## TheMailMan78 (Feb 11, 2010)

blkhogan said:


> MSE is some good stuff. It might have killed it. I would run malwarebytes just to make sure.



Malware quick scan said I was clean. I'm running a full scan now. Think I should format and reinstall after all this?


----------



## blkhogan (Feb 11, 2010)

I didn't have to when I removed it. He was running XP x86, not sure if it "morphs" from OS to OS. I don't think it's that smart but I'm not sure.
Edit: are you running the freeware version of malware, or the full?


----------



## TheMailMan78 (Feb 11, 2010)

blkhogan said:


> I didn't have to when I removed it. He was running XP x86, not sure if it "morphs" from OS to OS. I don't think it's that smart but I'm not sure.
> Edit: are you running the freeware version of malware, or the full?



Freeware of malwarebytes, MSE and Spybot. So far they all say I am clean.


----------



## blkhogan (Feb 11, 2010)

I think you're alright. They do hold some back with the freeware version, so you will buy their full version. I went ahead and bought the full for future use. I would reboot and run MSE again.


----------



## TheMailMan78 (Feb 11, 2010)

blkhogan said:


> I think you're alright. They do hold some back with the freeware version, so you will buy their full version. I went ahead and bought the full for future use. I would reboot and run MSE again.



Malware said I'm clean now after a full scan. Only thing it found was the false hit it always finds.



> Malwarebytes' Anti-Malware 1.44
> Database version: 3723
> Windows 6.1.7600
> Internet Explorer 8.0.7600.16385
> ...


----------



## blkhogan (Feb 11, 2010)

I thought I was the only one that got that hit, must be something with Win7. Another way to watch this bugger is to check your "sent box" in your preferred email program. If it's still alive you will see odd emails that you did not compose.


----------



## 95Viper (Feb 11, 2010)

I wouldn't sweat that one too much... it is of the variant that runs in java script and pulls up an HTML frame (pop up) to get you to click on it to go to a nefarious site that would then get you to click on something... then you are screwed.

Glad you are clean,  how is the computer? Just kidding....


----------



## blkhogan (Feb 11, 2010)

95Viper said:


> I wouldn't sweat that one too much... it is of the variant that runs in java script and pulls up an HTML frame (pop up) to get you to click on it to go to a nefarious site that would then get you to click on something... then you are screwed.
> 
> Glad you are clean,  how is the computer? Just kidding....


I think so too. The one he got is a weak spin-off of the original .dq.


----------



## TheMailMan78 (Feb 11, 2010)

95Viper said:


> I wouldn't sweat that one too much... it is of the variant that runs in java script and pulls up an HTML frame (pop up) to get you to click on it to go to a nefarious site that would then get you to click on something... then you are screwed.
> 
> Glad you are clean,  how is the computer? Just kidding....



Thanks man. How do you know about this?


----------



## blkhogan (Feb 11, 2010)

I would do a complete shutdown. Then cold boot it. There have been some reports of "reset files" or whatever they call 'em. They are files that sit dormant and are only triggered @ Windows startup. I didn't see any proof of that when I was dealing with .dq version.


----------



## TheMailMan78 (Feb 11, 2010)

blkhogan said:


> I would do a complete shutdown. Then cold boot it. There have been some reports of "reset files" or whatever they call 'em. They are files that sit dormant and are only triggered @ Windows startup. I didn't see any proof of that when I was dealing with .dq version.



Well I did reboot. Nothing so far.


----------



## blkhogan (Feb 11, 2010)

I wouldn't worry. Your virus software will have a patch for it real soon (if you haven't already got one). Just do a good scan every so often just to keep on top of it (if it's even there). Its traces won't be there long after that.


----------



## TheMailMan78 (Feb 11, 2010)

This is my first real PC trojan and for someone with OCD this is pure torture.


----------



## 95Viper (Feb 11, 2010)

Well, had one once.  There are a couple of variants. .F is what your virus scanner company labeled that one, which is an Iframe variant of .E, .D and so on.  Another virus scanner may call it something else.

Some info here and here and here. The last one talks of .E which would be .F's older brother.

Remember the .F and stuff is just a naming convention for the virus companies, so they can keep track of what is what.

Sorry, slow typer.


----------



## TheMailMan78 (Feb 11, 2010)

95Viper said:


> Well, had one once.  There are a couple of variants. .F is what your virus scanner company labeled that one, which is an Iframe variant of .E, .D and so on.  Another virus scanner may call it something else.
> 
> Some info here and here and here. The last one talks of .E which would be .F's older brother.
> 
> ...



Oh no problem man. Any info or advice is being taken at this point. I just would rather not format.


----------



## blkhogan (Feb 11, 2010)

TheMailMan78 said:


> This is my first real PC trojan and for someone with OCD this is pure torture.


Hahahahahaha..... Not laughing at your OCD, that's just a great quote. May I use that?


----------



## TheMailMan78 (Feb 11, 2010)

blkhogan said:


> Hahahahahaha..... Not laughing at your OCD, that's just a great quote. May I use that?



Feel free. Lots of people quote me on TPU.


----------



## 95Viper (Feb 11, 2010)

Also, do not run any java apps or apps that use java script while you scan. Less likely, you will be required to do a re-boot after the scan. Sometimes the virus programs have a hard time removing a file (if it cannot repair it) in use.

If your OS acts up, try re-installing the latest java. Remember, if you are on a 64 bit OS, install both 32 bit and 64 bit.

Good luck.


----------



## blkhogan (Feb 11, 2010)

To this day it still amazes me the complexity of some of these programs, I'm not a programmer though (shit might be easy for some). It's kinda fun to play with, when it's someone else's computer and not yours.


----------



## 95Viper (Feb 11, 2010)

Ain't really complex. Some idiot that knows a little programming writes the crap and then someone else copies it... makes a little change and voilà; new variant.

Some of the lazy Dicks will go to the baddies sites and download a virus kit.  Basically a program that lets you tailor a virus or trojan to your needs.


----------



## blkhogan (Feb 11, 2010)

95Viper said:


> Ain't really complex. Some idiot that knows a little programming writes the crap and then someone else copies it... makes a little change and voilà; new variant.
> 
> Some of the lazy Dicks will go to the baddies sites and download a virus kit.  Basically a program that lets you tailor a virus or trojan to your needs.


I should have guessed. Most people are too freaking lazy nowadays to do something "new" or "on their own". I really know nothing about programming. I'm more of what you would call a "hardware whore".


----------



## TheMailMan78 (Feb 11, 2010)

I think I'm just going to reformat my whole system. I just hope nothing spread to my backup drive.


----------



## WhiteLotus (Feb 11, 2010)

TheMailMan78 said:


> I think I'm just going to reformat my whole system. I just hope nothing spread to my backup drive.



little OTT? If you've ran the scans and not getting any more symptoms of a virus then safe to say you're in the clear.


----------



## dr emulator (madmax) (Feb 11, 2010)

TheMailMan78 said:


> This is my first real PC trojan and for someone with OCD this is pure torture.



welcome to the club


----------



## TheMailMan78 (Feb 11, 2010)

WhiteLotus said:


> little OTT? If you've ran the scans and not getting any more symptoms of a virus then safe to say you're in the clear.



OTT?


----------



## Loosenut (Feb 11, 2010)

I'm guessing here.  OTT = Over the top


----------



## WhiteLotus (Feb 11, 2010)

Loosenut said:


> I'm guessing here.  OTT = Over the top



correct


----------



## Loosenut (Feb 11, 2010)

He he, the old man's still got it...   As my daughter would say


----------



## Delta6326 (Feb 11, 2010)

Loosenut said:


> He he, the old man's still got it...   As my daughter would say



Just saying that sounds strange 

My cousin just got this about 1 week ago. She used Malwarebytes and it took care of the trojan. You can get it if you're not up to date with your java.


----------



## TheMailMan78 (Feb 11, 2010)

Delta6326 said:


> Just saying that sounds strange
> 
> My cousin just got this about 1 week ago. She used Malwarebytes and it took care of the trojan. You can get it if you're not up to date with your java.



I shouldn't have to manually update my java.


----------



## TheMailMan78 (Feb 11, 2010)

Delta6326 said:


> Just saying that sounds strange
> 
> My cousin just got this about 1 week ago. She used Malwarebytes and it took care of the trojan. You can get it if you're not up to date with your java.



What do you think? Reformat? Change all my passwords or f#$K it. I'm clean now.


----------



## Delta6326 (Feb 11, 2010)

You're clean, but you can always change your passwords. I have never gotten a trojan. I use Trendmicro


----------



## Binge (Feb 11, 2010)

Glad this has gotten squared away MailMan, from what I've read you've done a great job at making sure you're clean.  Changing passwords is good to do regularly regardless of a trojan, but just remember to keep it on a piece of paper.  Otherwise the offense is facepalmable 

Again thanks to everyone and your own diligence you look good.  I've had pop-up/spam e-mail trojans before.  They don't have the sort of meat that some of the worse computer bugs have.  You're doing the right thing in being precautious.


----------



## Goodman (Feb 11, 2010)

Try this... http://www.superantispyware.com/?tag=GOOGLE-SUPERANTISPYWARE
(It may detect what other softwares miss Superantispyware is good for that..lol!)

If all clean then nothing to worry about


----------



## Wile E (Feb 12, 2010)

Don't reformat. That's asinine. If your virus scanners recognized it, and it's still clean after a reboot, you should be fine.


----------



## TheMailMan78 (Feb 12, 2010)

Wile E said:


> Don't reformat. That's asinine. If your virus scanners recognized it, and it's still clean after a reboot, you should be fine.



OCD is a hellava disorder.


----------



## Nick89 (Feb 12, 2010)

From what I can tell it's a brand new virus that's just been released. Here is some info I found:


TrojanClicker:JS/Iframe.F 

*Encyclopedia entry*
Updated: Feb 11, 2010  |  Published: Feb 11, 2010 

*Aliases*
HTML/Inor (AhnLab) 
Trojan-Downloader.JS.Inor.a (Kaspersky) 
JS.Psyme.AX (VirusBuster) 
HTML/Framer.CP (AVG) 
HEUR/HTML.Malware (Avira) 
Trojan.Script.252764 (BitDefender) 
VBS.Psyme.377 (Dr.Web) 
Trojan-Downloader.JS.Psyme (Ikarus) 
JS/Wonka (McAfee) 
Mal/ObfJS-H (Sophos)


----------



## TheMailMan78 (Feb 12, 2010)

Nick89 said:


> From what I can tell it's a brand new virus that's just been released. Here is some info I found:
> 
> 
> TrojanClicker:JS/Iframe.F
> ...



Any idea WTF it does EXACTLY?


----------



## Nick89 (Feb 12, 2010)

TheMailMan78 said:


> Any idea WTF it does EXACTLY?



*Symptoms*

*Network behavior*

The following network behavior may indicate the presence of this malware:

* Your browser is redirected to visit any of the following domains:
  * youdetoxtest.net
  * ad.103092804.com
* There may be no common symptoms associated with this threat - links are activated within IFrames while viewing Web content on maliciously modified pages. Alert notifications from installed antivirus software may be the only symptom(s).

*Technical Information* (Analysis)

TrojanClicker:JS/Iframe.F is a detection for specially-formed obfuscated IFrame tags, which point to remote Web sites containing adware or unwanted content. It requires that the user view the Web site or open the HTML page in which it is located before it can perform its malicious actions.

about all I could find.


----------
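The encyclopedia text quoted in the post above describes the detection as obfuscated IFrame tags in a viewed page that point to remote sites, and the file in this thread was found in the browser's temporary files. As an added example (not part of any post in this thread), this Python scanner flags hidden third-party iframes in a saved page, including ones written out from a percent-encoded script string; the function names, the sample page and every hostname in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample of a cached page; every hostname is a placeholder.
SAMPLE = """<html><body>
<iframe src="/widgets/comments.html" width="600" height="400"></iframe>
<iframe src="http://video.example.org/embed/1" width="640" height="360"></iframe>
<iframe src="http://clicks.example.invalid/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//ads.example.invalid/go%22%20width%3D0%20height%3D0%3E%3C/iframe%3E'));</script>
</body></html>"""

STRING_LITERAL = re.compile(r"""(["'])(.*?)\1""", re.S)


class IframeFinder(HTMLParser):
    """Collects iframe attributes and inline script source from one document."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def is_hidden(attrs):
    """True when the frame is sized or styled so the visitor cannot see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(k, "").strip() in {"0", "1"} for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def scan(html, page_host, depth=0):
    """Return hidden iframes whose src points at a host other than page_host."""
    finder = IframeFinder()
    finder.feed(html)
    finder.close()
    findings = []
    for attrs in finder.iframes:
        host = urlparse(attrs.get("src", "")).hostname
        if host and host != page_host and is_hidden(attrs):
            findings.append({"src": attrs["src"], "obfuscated": depth > 0})
    if depth < 2:  # follow percent-encoded markup hidden in script strings
        for script in finder.scripts:
            for _quote, literal in STRING_LITERAL.findall(script):
                decoded = unquote(literal)
                if decoded != literal and "<iframe" in decoded.lower():
                    findings += scan(decoded, page_host, depth + 1)
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE, "bench.example.com"):
        print(hit)
```

The visible video embed and the same-site comments frame are left alone; only the two invisible cross-site frames are reported, the second one marked as obfuscated.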



## TheMailMan78 (Feb 12, 2010)

Nick89 said:


> *Symptoms*
> 
> *Network behavior*
> 
> ...



I see. So if I had clicked on the "pop-up" it would have taken me to a site and that's where the real fun would have begun. That sounds like what Viper said. Basically this trojan is a cookie that redirects you constantly to bad shit. Am I correct?


----------



## Nick89 (Feb 12, 2010)

TheMailMan78 said:


> I see. So if I had clicked on the "pop-up" it would have taken me to a site and that's where the real fun would have begun. That sounds like what Viper said. Basically this trojan is a cookie that redirects you constantly to bad shit. Am I correct?



You got it down.


----------



## TheMailMan78 (Feb 12, 2010)

Nick89 said:


> You got it down.


So there is not really of a chance this thing hijacked any personal info. Passwords and such.


----------



## Wile E (Feb 12, 2010)

Sounds like an annoyance, like most trojans.


----------



## Nick89 (Feb 12, 2010)

TheMailMan78 said:


> So there is not really of a chance this thing hijacked any personal info. Passwords and such.



That's very rare, Mailman. I would only worry if you clicked the pop-up and then continued using the computer for months.


----------



## TheMailMan78 (Feb 13, 2010)

Nick89 said:


> That's very rare, Mailman. I would only worry if you clicked the pop-up and then continued using the computer for months.



Thanks Nick. I'm not formatting. I'm going OCD on my OCD this time. However I will be watching this thing like a hawk.


----------



## 95Viper (Feb 13, 2010)

Just for TheMailMan78...Special delivery!






Just joking...Click Burn Dammit.

You are 99.2% safe.

I know, I'll just  myself.


----------



## TheMailMan78 (Feb 14, 2010)

I was just on shack news and it took me to this. Of course I didn't click anything. Just closed the windows but DAMN IT! WTF is going on?!


----------



## Goodman (Feb 14, 2010)

TheMailMan78 said:


> I was just on shack news and it took me to this. Of course I didn't click anything. Just closed the windows but DAMN IT! WTF is going on?!



That is False Positive...pretty sure of it you're running Win7 & it shows you a WinXP windows...

But if you want to make sure try SuperAntiSpyware
http://www.superantispyware.com/

But if you're too paranoid about it or want to make 100% sure that it's clean then delete MBR & reinstall...


----------



## TheMailMan78 (Feb 14, 2010)

Goodman said:


> That is False Positive...pretty sure of it you're running Win7 & it shows you a WinXP windows...
> 
> But if you want to make sure try SuperAntiSpyware
> http://www.superantispyware.com/
> ...



Um yeah I know dude. It's a phishing site. My point was is that I seem to be a target for "cyber attacks" lately.


----------



## Clement (Feb 15, 2010)

TheMailMan78 said:


> Um yeah I know dude. It's a phishing site. My point was is that I seem to be a target for "cyber attacks" lately.



Well, now you know where your enemy lays, or at least a latent by-product. Maybe you could sniff a trail and take the battle to them .


----------



## YautjaLord (Feb 15, 2010)

Tell me if it helps, I handle Trojans & s**t like this: I had the pleasure to get both by plugging in the USB mass storage devices - once it was Lumix (a video/stills camera & Vista calls it mass storage, wtf?) & yesterday evening the external hard drive. With Lumix I was greeted with raidhost.exe (I wondered then - "WTF? I don't have any RAID setup, just single HDD!!!!") & today it was herss.exe. The cure? RegScanner. The only prob you'll have is once [the] RegScanner detects it, you have to _manually_ search & delete the values in RegEdit. The f***ers most likely sit in HKCU/HKLM/HKU/etc..... roots. Hope it helps.


----------



## Goodman (Feb 15, 2010)

What happen?
How come TheMailMan78 got banned 

Must be in another thread...


----------



## eidairaman1 (Feb 16, 2010)

blkhogan said:


> I would do a complete shutdown. Then cold boot it. There have been some reports of "reset files" or whatever they call 'em. They are files that sit dormant and are only triggered @ Windows startup. I didn't see any proof of that when I was dealing with .dq version.



I would also clear out any system restore files after the ordeal as some viruses do infect those files.


----------

