Win32:Mhtplo-10 [Trj] - False positive? Please help!

Hello,

I hope someone here could help shed some light on an incident that happened to me.

While browsing the web, I received this alert from Avast!


11/29/2007 8:48:08 PM SYSTEM 1412 Sign of “Win32:Mhtplo-10 [trj]” has been found in “http://forums.digitaltrends.com/archive/index.php/t-4230.html\unp137460016” file.

11/29/2007 8:48:33 PM SYSTEM 1412 Sign of “Win32:Mhtplo-10 [trj]” has been found in “C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I4GUG4E9\t-4230[1].htm” file.


The prompt told me not to panic and to move the file to the virus chest. But when I tried… I got another prompt from Avast! telling me that the file was in use and that I was not able to move the file to the chest. So I clicked “no action”. I then shut down my browser and scanned the folder where the trojan was found and it was found again… this time I ~was~ able to move the file to the chest.

Since then I ran another full Avast! scan… and it came up clean.
I also did a scan with AVG’s Anti-Spyware and Spybot’s Search and Destroy… both also came up clean.
Does this mean I have nothing to worry about?

I just have a funny feeling that this was a false positive on Avast’s part because I’ve gone to the Digital Trends site before and it seems like a reputable site. Could someone tell me if this site was really infected with this trojan?

Any replies would be greatly appreciated!

Most probably. I will just suggest:

  1. avast boot time scanning.
  2. Install and run SuperAntispyware and/or SpywareTerminator.

Do you still have the file in your computer? You can submit it to Jotti.
Although it seems clean…

Thank you SO very much for the reply Tech! This had me worried for most of the night.

Well I did a full thorough scan with Avast! and nothing showed up.
And I also ran scans with AVG’s Anti-Spyware and Spybot’s Search and Destroy… and those scans were also negative.
Is it really necessary to try yet another Anti-Spyware program?

Well it’s still in Avast’s virus chest. I’m not sure how I would take it out to send it to Jotti.

I did a quick search on this forum and found this post.

http://forum.avast.com/index.php?topic=20580.0

What happened to this person seems to be the same thing that happened to me. Except his alert was a warning for Win32.Mhtplo-30 [trj], whereas mine was an alert for Win32:Mhtplo-10 [trj]. I noticed at the end of this thread someone said…

The name of my file is 4-230[1].htm which is very similar. Is there any way I can be certain this is a false positive?

It’s up to you. But a second/third opinion is not bad…

You need to extract the file (maybe to a USB drive), zip it with a password like virus and send it to analysis. Or send the file from Chest with a link to this thread in the comment.

Yes, submit it to VirusTotal (or Jotti).

Hello Tech and thank you again for replying.

I was able to extract the file from the virus chest. I zipped up the file and submitted it to Jotti. These were the results…

A-Squared Found nothing
AntiVir Found HTML/Exploit.Mhtml
ArcaVir Found nothing
Avast Found Win32:Mhtplo-10
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found Exploit.HTML.MHTRedir-8
CPsecure Found Troj.Exploit.HTML.Mht
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

The file is no longer on my computer, it’s still in Avast’s virus chest. And as I said before… all scans come up clean. Do I have anything to worry about?
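The multi-engine results above are the kind of "second/third opinion" the thread is asking for. As an added example (not code from the thread or from Jotti), here is a small triage script that parses those result lines, counts how many engines flagged the file, and checks whether the flagging engines agree on a family. The result lines are copied from the post; the family keywords (`mht`, `mhtml`) and the triage thresholds are assumptions chosen for illustration.

```python
"""Triage a multi-engine scan result for a suspected false positive.

Added example, not code from the forum thread or from Jotti/VirusTotal.
Input format assumed: one line per engine, "<engine> Found <name|nothing>",
exactly as quoted in the post above.
"""

# Constructed from the Jotti results quoted in the post (21 engines).
JOTTI_RESULTS = """\
A-Squared Found nothing
AntiVir Found HTML/Exploit.Mhtml
ArcaVir Found nothing
Avast Found Win32:Mhtplo-10
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found Exploit.HTML.MHTRedir-8
CPsecure Found Troj.Exploit.HTML.Mht
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
"""

# Assumption: substrings that mark the detection names in this thread as
# naming the same family (MHTML redirect exploit signatures).
FAMILY_KEYWORDS = ("mhtml", "mht")

# Assumption: below this fraction of engines we call the consensus "low".
LOW_CONSENSUS_RATIO = 0.25


def parse_results(text):
    """Return a list of (engine, detection) where detection is None for 'nothing'."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Engine names may contain spaces, so split on the last " Found ".
        engine, sep, verdict = line.rpartition(" Found ")
        if not sep:
            continue  # not a result line; ignore
        verdict = verdict.strip()
        results.append((engine.strip(), None if verdict.lower() == "nothing" else verdict))
    return results


def summarize(results):
    """Count detections and check whether every detecting engine names the same family."""
    hits = [(engine, name) for engine, name in results if name]
    family_hits = [
        (engine, name) for engine, name in hits
        if any(keyword in name.lower() for keyword in FAMILY_KEYWORDS)
    ]
    return {
        "engines": len(results),
        "detections": len(hits),
        "ratio": len(hits) / len(results) if results else 0.0,
        "same_family": bool(hits) and len(family_hits) == len(hits),
        "detecting_engines": [engine for engine, _ in hits],
        "names": [name for _, name in hits],
    }


def triage(summary):
    """Map the summary to a coarse label a responder can act on."""
    if summary["detections"] == 0:
        return "clean"
    if summary["ratio"] >= 0.5:
        return "broad-consensus"
    if summary["ratio"] <= LOW_CONSENSUS_RATIO and summary["same_family"]:
        # Few engines, all naming one family: typical of a generic signature
        # matching a pattern in the content rather than a confirmed payload.
        return "low-consensus-same-family"
    return "inconclusive"


if __name__ == "__main__":
    summary = summarize(parse_results(JOTTI_RESULTS))
    print(f"{summary['detections']}/{summary['engines']} engines flagged the file")
    print("names:", ", ".join(summary["names"]))
    print("triage:", triage(summary))
```

For the results in the post this yields 4 of 21 engines, all naming an MHTML/HTML exploit family, so the label is `low-consensus-same-family`. That is consistent with the thread's reasoning (a signature matching HTML content on a cached page), but it is a hint, not proof: the sensible handling is what the thread already does, keep the file in the Chest and get a second multi-engine opinion before restoring it.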

I had this warning yet again!

While searching for information on Google for Mhtplo-10, the same warning came up.

This simply HAS to be a false positive, how can this alert come up from doing a Google search?

This is from my Avast! log.


11/30/2007 11:54:03 AM SYSTEM 1404 Sign of “Win32:Mhtplo-10 [trj]” has been found in “http://www.google.com/search?q=Win32:Mhtplo&hl=en&start=10&sa=N\unp266340129” file.

11/30/2007 11:54:13 AM SYSTEM 1404 Sign of “Win32:Mhtplo-10 [trj]” has been found in “C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9I66EBDU\search[1].htm” file.

11/30/2007 11:54:40 AM SYSTEM 1404 Sign of “Win32:Mhtplo-10 [trj]” has been found in “http://www.google.com/search?q=Win32:Mhtplo&hl=en&start=10&sa=N\unp3580908” file.

11/30/2007 11:54:41 AM SYSTEM 1404 Sign of “Win32:Mhtplo-10 [trj]” has been found in “C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9I66EBDU\search[2].htm” file.

Now, I’m not so sure it’s not an exploit and you should stay away from this file. But, could be also a false positive.
Can you submit it to Virustotal?

Virus Total is the best, in our opinion because:

  1. It uses the Windows version of the AVs so avast has more unpackers for windows and that is the version most are using.
  2. There are 27 different scanning engines, more than the others.
  3. It also has an email submission option for periods when they are busy and you get a reply.
  4. It can queue the submission and you can carry on browsing and you will eventually (not too long) get your result displayed.

Hello Tech

Thank you so much for taking the time to answer my questions!

Yes, I will try VirusTotal.

But I’m curious, I can see an alert like this popping up when I’m browsing unknown sites. But to see this alert pop up when I’m on a Google search page or when I’m at other reputable sites like Digital Trends just doesn’t make sense.

Even if I submit these .htm files to VirusTotal and they come up positive, isn’t it still possible that they could be a false positive? I mean, the .htm file could contain lines that make it ~look~ like a trojan when in fact it’s not. Why else would Avast detect this trojan on a Google search page? I didn’t even click any links on it. It was even detected as a trojan on 4 of the virus detectors on Jotti… though the majority of them found nothing.

Isn’t it possible that the Web Shield is just a bit sensitive?

Also… IF my computer does have this Win32:Mhtplo-10 [trj], what would happen? My computer is acting fine and I don’t see any unusual processes running. And the files in question are still in the Avast! virus chest.

Yes it makes… at least, it could make sense.
http://forum.avast.com/index.php?topic=31730.0
http://forum.avast.com/index.php?topic=29160.0

WebShield detects virus on-the-fly, before saving files to your disk, before you click…
About sure, there is no sure, but depending on VirusTotal results we can make a good guess.

If it is an avast false positive, no problem, you can restore the files later.
If it is a real infection, no problem, it is already on Chest.