IFrame warning from Chrome's address bar

Lately, as soon as I start typing into Chrome’s address bar, avast throws up the following warning (with my username removed):

File name: C:\Users--------\AppData\Local\Temp\etilqs_UtcCsORgWit3Oj4
Malware name: HTML:Iframe-inf
Malware type: Virus/Worm
VPS version: 090514-0, 05/14/2009

Whatever option I choose, the file is removed and another replaces it with another file named “etilqs_” followed by gibberish as above. Some Googling suggests that these files are used to detect malware and phishing so they contain examples of malware and such but should be stored in such a way as to not trigger virus scanners. I’ve cleared my browsing data through Chrome and emptied my Temp folder and the issue remains. So do I have a legitimate problem here, or is avast just being oversensitive? Also, who should I contact about this issue (assuming it isn’t a real infection): Chrome or avast?

If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Neither program detected anything using their latest versions and complete scans. My guess is that it is just avast being hypersensitive because I only get the warning when the standard shield is set to high. If I slide it back to normal everything is fine. Also, the “infected” files disappear when Chrome is closed.

Does anyone else have any idea what it could be? Has anyone else run into this issue? If it helps I’m running Vista64 SP1, Chrome 1.0.154.65, avast 4.8.1335 with VPS 090514-0.

Well setting avast’s Standard Shield will make it hyper/over sensitive as you say as it effectively scans ‘all’ files you access, even those considered to be of little risk.

So it could be the way that Chrome works that avast is alerting on, possibly inserting effects using iframe, or how it isolates tabs, etc. I don’t know; I tried Chrome once and didn’t like it. I also don’t set the Standard Shield as the Normal sensitivity provides the best compromise between performance and protection.

I have no idea what Chrome is doing that avast doesn’t like. As far as I’m aware Chrome isn’t a supported browser yet, so did you have to modify the avast4.ini to have avast scan its content?

I’m just using a standard avast install. The web shield is showing that it’s scanning though, so it does seem to be working. It should be noted though that my issue is coming from the standard shield as the Iframe stuff is being detected in local files created in my temp directory when Chrome is running and I type in the address bar. I guess I’ll just leave things at normal sensitivity for now.

Yes I know, in the Temp folder, presumably Chrome’s browser cache?

But something is replacing it after you clear the temp/cache, which is why I gave the other two applications to try and find what is restoring the file/s. Since they haven’t found anything, it could be that what it is is hidden by a rootkit.

If this is a genuine alert, I would want to know what it is, rather than ignore the message, see #### below.

Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.

To confirm the detection:
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the address bar of the VT results page). You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

I tried out two of the files and GData and Avast report HTML:Iframe-inf, everything else says they are clean.
http://www.virustotal.com/analisis/d3eb8a48a26faca3a348a182f706d0f8
http://www.virustotal.com/analisis/604b1dc84cdb1a217c9e5e26d8b272af

None of the rootkit detectors you linked to run on 64 bit OSes. I did find one called SanityCheck that would run, and it didn’t detect anything.

GData uses avast as one of its two AV engines, so looks like a false positive.

Send the sample to virus@avast.com zipped and password protected with the password in the email body; a link to this topic might help, and false positive in the subject.

Or you can also send it from the Infected Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Periodically scan the file within the avast chest (after a VPS update) and when it is no longer detected, Restore it from within the chest.