Avast html:script-inf

[DavidR]

I sure wish I missed that faulty definition update, too. Now I have 3000+ files in the chest.

They all are program files that came from either Tax Cut or my flight simulator game.

Since I'm not too advanced as a user, I don't know if these files will be missed if I don't restore them.

Any advice would be appreciated.

Check the info I have given in Reply #32 (reproduced below).

Check out this post as you don't want to restore all files (existing ones in the chest before this and any temp internet files, pointless, etc. It also shows how to speed up the process of restoring those that you have to.

http://forum.avast.com/index.php?topic=75999.msg628755#msg628755

Remember that restoration only moves a copy back to the original location, it doesn't remove the item from the chest. That is effectively a back-up until you know the file is back in the original location, then you can delete those files from the chest, also using the same shortcut process in the post link above.

[em_em]

This is what my scan log is showing me after last night ,when i did a boot scan(that i stopped at 60% because the drive was full),not knowing about the update...what can i do next? the only thing i haven't tried is deleting them...restore or move to chest is not working,the error is still there.I don't want to lose any important files,there are like 1000 files "infected"...pls help,thanks

[DavidR]

Since those detections are on .htm files within .cab (cabinet, archive file) and since you tried to repair, that option couldn't be done it failed. So the .cab files and their contents should still be in the original location.

If you chose any other options and or you managed to send some to the chest then you should try to follow the actions mentioned in my post above yours to restore the relevant files from the chest.

[scythe944]

http://support.microsoft.com/kb/825933

MSOCache files aren't extremely important.

Anyway, take David's advise and restore the files.  If it says the file already exists, tell it to replace the existing files.

[JRV]

Thanks for the help

[TurnerTech]

I have 2 laptops.  This one has the Professional 3 year version of Avast.  My other one has the free version.

This computer has not had a problem with script-inf.

The other computer has had a major problem.

I got the Malware error message as I loaded GoodleChrome. I put it in the Chest.  Then I updated Avast, although it updates every few hours anyway.

The problem continued to occur.

I have tried several Boot Time scans and thousands of my files are reported to be infected with Script-inf.  They all appear to be .htm files.


I do not know why one version of avast has not even reported the Malware and the other did report it but appears to have let it through.

Incidentally after one of the scans, I read my Emails which are read into both computers.  The professional version of avast reported no problems.  The free version reported a Trojan Horse in one email (this was after the malware problem had started occuring).  Again, I do not understand why the free version is identifying situations which the professional version appears not to.

Regards

Roy Turner

[DavidR]

Your difference is likely to be the auto update interval, by default the free auto update check interval is 240 minutes, 4 hours. This was, as far as I'm aware all over in under that time frame.

Once this was noticed to be a problem, under an hour the update servers were blocked to limit spread and only unblocked once a new corrected VPS was uploaded to the update servers.

The default update check interval is shorter on the pro version, so you got the latest (bad) update sooner. I don't thing the email alert was/is related to that update or technically it wouldn't have effected the system which didn't get the 110411-1 update. Plus as you sat was a trojan detection not the -inf ones associated with the FP.

[M.R.]

This one took over my Win7 PC a couple of days ago, and I ended running a boot version of Avast! (under instructions, of course!), which told me that a countless number of files had been infected.
I couldn't find any way of ascertaining precisely HOW the infection occurred; and I should dearly like to know in order to avoid this happening again.
Did I miss something? - was Avast! actually telling me how it had got in?

[M.R.]

DAMMIT! - I forgot to add that I was completely unable to access this forum at the time: not a single link to it on the Avast! site was working.
I sent a grumpy email, to which there was reply; but at least I can get in now...

[DavidR]

With many thousand people trying to access the forums it at the same time it was effectively under a DDoS attack, making it almost inaccessible.

There was an entry on the avast blog http://blog.avast.com/ so should you be unable to access the forums, check the blog or avast on facebook http://www.facebook.com/avast

[M.R.]

Well, DavidR, übertechnical person that you are, I observe you say nothing in response to my actual question.
IS there an answer?

[DavidR]

I only responded to the post directly above mine as I didn't have any information to answer it with any certainty.

Since you said it took over your PC two days ago, I suspect this would probably be related to the FP in the VPS update 110411-1. But without information on what you were doing when the first alert occurred, some examples of effected files, location, etc. and what you subsequently did I guessing ?

But this topic from page 3 starts to give information on that bad VPS update.

Some after getting the web shield alerts on sites they tried to visit, subsequently ran both regular on-demand scans and boot-time scans. This compounded the problem with the bad VPS update as it would then be scanning htm files in your browser cache and possibly other local folders. If they had a matching script content then avast would detect/alert on that as it would if you were browsing.

So people could have hundreds or thousands of htm files in the browser cache, plus whatever might be in local folders or contained within archive files.

So if your case 'could' well be down to this FP - Essentially this wasn't an infection getting into your system but a false positive on scripts that were contained in certain .htm files and running the additional scans compounded it.

[therockstar]

I only responded to the post directly above mine as I didn't have any information to answer it with any certainty.

Since you said it took over your PC two days ago, I suspect this would probably be related to the FP in the VPS update 110411-1. But without information on what you were doing when the first alert occurred, some examples of effected files, location, etc. and what you subsequently did I guessing ?

But this topic from page 3 starts to give information on that bad VPS update.

Some after getting the web shield alerts on sites they tried to visit, subsequently ran both regular on-demand scans and boot-time scans. This compounded the problem with the bad VPS update as it would then be scanning htm files in your browser cache and possibly other local folders. If they had a matching script content then avast would detect/alert on that as it would if you were browsing.

So people could have hundreds or thousands of htm files in the browser cache, plus whatever might be in local folders or contained within archive files.

So if your case 'could' well be down to this FP - Essentially this wasn't an infection getting into your system but a false positive on scripts that were contained in certain .htm files and running the additional scans compounded it.

i have found that a virus has been detected named html script inf while visiting this website
http://howtoformatacomputer.com/ it does seems fake or hacked.... is this warning true or false positive??? is it still my system??how severe can this virus be??

[DavidR]

I have no idea why you quoted my previous post as it would appear unrelated to this issue from April 2011.

The point of the web shield detections are to attempt to block it from getting on to your system, by dropping/aborting the connection considered infected. So it shouldn't be on your system, but you can do an avast scan for confirmation, clear your browser cache/temp internet files folder is also advisable.

When posting a link to a suspect site break the link, please modify your post by changing http to hXXp to prevent accidental exposure to an infected/suspect site.

Whilst only avast detects this, that doesn't mean it is incorrect as many aren't even checking for this much less able to detect it (VirusTotal results). But there appears to be a packed obfuscated {gzip} file being loaded with the home page, see image1 background of the contents of this file and foreground of the alert information.

Another site Securi (http://sitecheck.sucuri.net/scanner/), agrees with avast the site is infected, see image2. So the site may well have been hacked.

[therockstar]

@DavidR

it was my first post ,so i was not sure about how to post for help...won't do that in future