VBS:Malware-gen false alarms?

I keep getting VBS:Malware-gen virus alerts whenever I open Internet Explorer. The detected file is in Temporary Internet Files.

Here is the dialog:

Local Settings\Temporary Internet Files\Content.IE5\OW71SRT7\favicon[1].htm

VBS:Malware-gen
VPS version: 080801-0, 08/01/2008

and I keep deleting it and still it pops back up again. I researched a bit and found that the favicon is created by Google Toolbar. When Google Toolbar is disabled, avast doesn’t seem to have a problem.

BTW I’m using IE7 and the latest version of Google Toolbar.

Attached is HijackThis Log.

Thank you.

see this thread
http://forum.avast.com/index.php?topic=10794.0
afterwards you may wish to disregard the following

are you placing these in the chest?
if so
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

thanks for helping whack-a-mole
someone may peek at your HJT

I have also got several (it seems) false positives and have uploaded the files to Virus Total following the above suggestions. Now how do I interpret the results? If only a few of the virus scanners indicate it as a malware/virus, is it a false positive? In most of my cases only GData, Avast and one or two others report it as a virus and total is less than 15%. So are these false positives? Or legit files?

It seems the latest definition needs to be revised thoroughly guys. No offence, but it seems that it's picking up several false positives, especially html files for some reason. In my system, these detected files are extremely random (my html template files and so on) ??? and it seems it's picking up encoded javascripts as being a virus.

I would be extremely grateful if the avast team could fix this with the next def.
Thanks again for your hard work!!

I second that ???

from the first post

did you guys provide links to your virus total results
can you do so when you send to avast

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

We must get the samples first to fix it. Either by mailing to virus@avast.com or by providing link to affected sites.
Regarding encoded javascripts - yes, that may be true and I personally always treat encoded javascript as suspicious, and it will take the longest time to be fixed. Encoding legit JS is ehm, not a wise idea. :slight_smile:

I have done this.
but no reply/effect yet ???

try rescanning your files after the next update
and
thanks for submitting

From what I heard, we got a mail but without samples. You may need to resend.

Jerry… come back :wink: