MW97 infection

[dana]

During boot scans with Avast Home edition 4.8 it has located something called MW97(then says something about a table broken) and after initially sending to the virus chest and finding during the next boot scan it would show up again..I deleted it during the boot scan.
But this MW97 keeps reappearing in newer boot scans..what is it and how do I get rid of it?
Thank you.

[DavidR]

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 

Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

Deletion isn't really a good first option (you have none left), 'first do no harm' don't delete, send virus to the chest and investigate.

If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again.
What is your firewall ?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should product a log file).
SUPERantispyware On-Demand only in free version. MalwareBytes Anti-Malware freeware version http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml.

[dana]

I had the MW97 sent to the virus chest the first two times it showed up..only after it reappeared did I try to delete it, twice now.
I use Comodo firewall.
I checked the "warning" page but it doesn't reveal the entire file path in which it was found..it just shows the MW97:1 tablebroken/data/products/archetype/tests/input/word.doc....

[kubecj]

This is known false of avast in Plone install. The word example file they have there is broken. The false won't be fixed, though.

[dana]

thank you for this information. I am relieved to have this knowledge now.

It is strange to me as I don't have Plone installed on my computer.
All I had done was visit their site to find out about it.

But if this is a false warning and even though as you say it can't be fixed, should I not worry about it?
It seems now to be showing up in my WINXP restore system..and I was worried it would affect any future restore I might need to do to overcome some other error?

[kubecj]

Eh, so why do you have the unpacked Plone install on your computer? Or what package is the file part of?

No, the file is harmless (and broken). And it's broken in the very same way as some exploited documents.

[dana]

Okay..so I should not worry about the file showing up during a scan, nor if using system restore, then? That would be great to know. Thank you.
But, please, what does that mean, an "exploited" file?

I honestly do not know why that file is on my computer.
I have never downloaded plone nor installed plone.
I was only curious about it and visited the site.
I am the only person to use this computer and bought it new right before windows vista became the intergral OS for PC's...as I prefer WinXP.
I ran a complete spyware terminator scan before coming to the forum and after the first time vast scan found it and it did not find anything.
I ran a search on my hard drive for anything related to plone and it came up zero.
I am now running a superantispyware scan.
I searched through my program files as well..no plone.

[DavidR]

Exploits are how much of the malware found on systems get in, they exploit a weakness in the parent programs processing (e.g. word in this case). Because avast is on the look out for these types of exploits is why as they can't change the detections.

[dana]

             Thank you very much, David.

[DavidR]

You're welcome.

[wyrmrider]

is your os and word up to date?
run secunia advisor if NT or later
or
Belarc Advisor with any Windows

Would not hurt to run the programs (SAS, MBAM) that DavidR recommended
let us know

[tusitala]

First scan, and I get repeated instances of MW97:1TableBroken [Expl], which I assume is what dana was referencing. Every problem file has been a .doc originally created in Pocket Word 2003. (Haven't seen a problem with files created in Word Mobile 6.1.) Is there perhaps a problem with PW2003 files converted to desktop format that avast is picking up on?

[Lisandro]

First scan, and I get repeated instances of MW97:1TableBroken [Expl], which I assume is what dana was referencing. Every problem file has been a .doc originally created in Pocket Word 2003. (Haven't seen a problem with files created in Word Mobile 6.1.) Is there perhaps a problem with PW2003 files converted to desktop format that avast is picking up on?

Difficult to say. Can you submit the file to www.virustotal.com and post the results?

[kubecj]

This detection is definitely problematic. I do check files which do not conform to microsoft specification. And I'm pretty sure there are legitimate files which do not conform. So either Word is wrong or the specification is wrong. It shouldn't surprise me knowing how sloppy Microsoft is regarding the specs, but nonetheless, right now I don't know what to do with that. Can we please get the samples and description/version of the program which created it? I'll try to fix it, but not immediately, it will take some time...