Question

system · September 29, 2007, 8:20am

Hello,

I have a problem with my Avast 4.7 home edition.
Every time i look at a site with a text like: echo y|for mat c: /q
It triggers Avast with the message that there is a trojan found.
(Between for and mat i left a space, otherwise it triggers Avast)

My system is:
OS: Windows XP pro
Avast version 4.7 home
VPS file version: 000777-2

oldman960 · September 29, 2007, 8:31am

Welcome to the forum/

What sites are you going to? Those dos commands bring up a host of hits on google. There is a trojan that can add that command to the autoexec.bat. Sopos calls it Troj/Winlock-C.

Which avast provider detected it?

system · September 29, 2007, 9:22am

This happens on a normal forum message like http://forum.fok.nl/topic/1080376

oldman960 · September 29, 2007, 9:32am

Ok. I just tried that site and get a warning from wedshield “BV:SilentFormat [trj]”

Now that code could very well be embedded in the forum. Dr. Web or another site analyer may be the best to see if it’s really infected or just a false positve.

Please break up your link with spaces, just in case it is an infected site.

http: // forum .fok .nl/ topic/1080376

Any other sites?

system · September 29, 2007, 10:40am

That is not embedded in the forum, the admin of this forum has posted a message about the problem.
It only happens when someone posts a message with the text echo y|for mat c: /q (without the space between for and mat)
So it seems to be a false positive.

oldman960 · September 29, 2007, 10:45am

This code can used for for authoring viruses. Do a google search for “echo y\ format c: /q” without the quote marks. It’s the second or third in the list. Perhaps avast is picking up this command?

system · September 29, 2007, 11:28am

I just tried Dr web link checker and it came up clean.

If i click the link i get warning from avast wedshield “BV:SilentFormat [trj]” , but it is nice that you can abort before it can infect your computer. (maybe false positive)

Cheers crofty

oldman960 · September 29, 2007, 11:29am

Maybe some pissants posting the command just to drive avs crazy???

DavidR · September 29, 2007, 1:10pm

I remember this happening on Wilders recently and that was what was happening some text string in the post with a f o r m a t command and that was resolved on a VPS update very quickly. So I don’t know if this is the same thing (sounds like it) but gwreijman has the latest VPS.

@ gwreijman
You can submit a False Positive to avast in the normal way without having to attach a file, just put a link to the page/s that are being detected. DrWeb link checker doesn’t find anything on the page, see image.

Send the email to virus@avast.com with False Positive as the Subject title, give a brief outline of the problem (possibly a link to this thread and the suspect URLs), the fact that you believe it to be a false positive. Some info on the avast version and VPS number will also help.

Question

Announcements