I keep getting VBS:Malware-gen virus alerts whenever I open Internet Explorer. The detected file is in Temporary Internet Files.
Here is the dialog:
Local Settings\Temporary Internet Files\Content.IE5\OW71SRT7\favicon[1].htm
VBS:Malware-gen
VPS version: 080801-0, 08/01/2008
and I keep deleting it and still it pops back up again. I researched a bit and found that the favicon is created by Google Toolbar. When Google Toolbar is disabled, avast doesn’t seem to have a problem.
BTW I’m using IE7 and the latest version of Google Toolbar.
Are you placing these in the chest?
if so
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
I have also got several (it seems) false positives and have uploaded the files to Virus Total following the above suggestions. Now how do I interpret the results? If only a few of the virus scanners indicate it as a malware/virus, is it a false positive? In most of my cases only GData, Avast and one or two others report it as a virus and total is less than 15%. So are these false positives? Or legit files?
It seems the latest definition needs to be revised thoroughly, guys. No offence, but it seems that it's picking up several false positives, especially HTML files for some reason. In my system, these detected files are extremely random (my HTML template files and so on) ??? and it seems it's picking up encoded JavaScript as being a virus.
I would be extremely grateful if the avast team could fix this with the next def. Thanks again for your hard work!!
We must get the samples first to fix it. Either by mailing to virus@avast.com or by providing a link to affected sites.
Regarding encoded JavaScript - yes, that may be true, and I personally always treat encoded JavaScript as suspicious, and will take the longest time to be fixed. Encoding legit JS is, ehm, not a wise idea.
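To illustrate the encoded-JavaScript point in the thread, here is an added example (not code from any poster and not avast's detection logic). It triages an HTML file for encoding indicators and decodes percent-encoded payloads so they can be read before a sample is submitted. The indicator names, patterns, thresholds and both sample templates are assumptions constructed for the illustration.

```python
import re
from urllib.parse import unquote

# Contents of each <script> element in the page.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# A run of 16 or more consecutive %XX escapes (threshold is an assumption).
PERCENT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){16,}")

# Hypothetical indicator set: constructs typical of encoded or packed script.
INDICATORS = {
    "unescape_call": re.compile(r"\b(?:eval|document\.write)\s*\(\s*unescape\s*\("),
    "percent_run": PERCENT_RUN,
    "charcode_run": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}"),
}


def triage(html):
    """Return (sorted indicator names hit, decoded percent-encoded payloads)."""
    hits, decoded = set(), []
    for body in SCRIPT_RE.findall(html):
        for name, rx in INDICATORS.items():
            if rx.search(body):
                hits.add(name)
        # Decode each encoded run so a reviewer can read what it hides.
        decoded += [unquote(run) for run in PERCENT_RUN.findall(body)]
    return sorted(hits), decoded


def pct(text):
    """Percent-encode every character, as script 'encoders' for templates do."""
    return "".join("%%%02X" % ord(c) for c in text)


# Constructed samples: the same harmless menu, once encoded and once plain.
MENU = '<div id="menu">Home</div>'
ENCODED_TEMPLATE = (
    '<html><body><script>document.write(unescape("'
    + pct(MENU)
    + '"))</script></body></html>'
)
PLAIN_TEMPLATE = (
    "<html><body><script>document.write('" + MENU + "')</script></body></html>"
)

if __name__ == "__main__":
    for label, page in (("encoded", ENCODED_TEMPLATE), ("plain", PLAIN_TEMPLATE)):
        print(label, triage(page))
```

Both templates render the same markup, but only the encoded one raises indicators, and the decoded payload is what shows whether the hidden content is harmless.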