Avast warns of VBS Malware [html] but SAS doesn't detect it. Help needed!

Discussion in 'malware problems & news' started by bahjan, Jul 31, 2007.

Thread Status:
Not open for further replies.
  1. bahjan

    bahjan Registered Member

    Joined:
    May 18, 2007
    Posts:
    63
    Location:
    U.K.
    Hi
Today for the first time my Avast Home kicked into life telling me I have a VBS Malware [html] worm in C:\windows\options\cabs\win98_49cab\tiki.html
    Tiki lounge stationery I assume.
    
    I have both quarantined this file and tried to delete it but Avast Home says the operation is not supported for this type of file and will not delete.
    
I am confused because SAS does not detect this file as malware, although shortly after infection WinPatrol did detect and delete an attempt to change the wininit file.
    
What can I do to
a. delete this file manually from the CAB file - is there a removal tool out there?
b. establish whether it's a false alarm - I have sent the file to Avast and await a reply. I guess it's not false, or else WinPatrol would not have reported its change - so I suppose I've answered my own question there.
    
Furthermore I am concerned because since my infection I have noted icons (OE for one) have disappeared from the icon tray, and my display seems to have changed a little, i.e. when a file box opens in FF there are no icons next to the file names.
    
I run Windows 98SE. I can perform a system file restore (but I'm not sure what that wins me for this) and have Acronis backups - can I replace the cab file from there?
    
    Any help gratefully received. Thanks.
     
  2. herbalist

    herbalist Guest

    Tiki.htm is one of the files found in Win98_49.cab. Unless it's been replaced by malware, it's clean.

The MD5 signature of the Win98_49.cab is 3d6e4419a9c5130618f443993b98fc21
Its size is 1.71mb (1,802,240 bytes).
Compare the MD5 of yours to these. If the MD5 signature of the cab matches, it's a false positive.

I extracted the copy of Tiki.htm from the cab file for comparison. Its size is 393 bytes. MD5 is e870841da13872ccdf5d25d429786da6
    You can compare these as well if you want to make doubly sure.

If you need an MD5 checker, this one is free and works well. Just unzip and use. A shortcut to it in the C:\windows\SendTo folder makes it very convenient.

    If the signatures don't match, run a full system scan with both your installed AV and an online scanner. Replace the cab with a new copy from the windows CD.

    Rick
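The size-and-MD5 comparison Rick describes, written out as an added example (not a tool from the thread): it fingerprints a file in chunks and checks it against the reference values quoted above. The sample file it builds is a constructed stand-in, not a real cabinet.

```python
import hashlib
import os
import tempfile

# Reference values quoted in the post above (the Win98 cabinet and the
# Tiki.htm extracted from it). Sizes are in bytes, digests are hex MD5.
KNOWN_GOOD = {
    "win98_49.cab": {"size": 1802240, "md5": "3d6e4419a9c5130618f443993b98fc21"},
    "tiki.htm":     {"size": 393,     "md5": "e870841da13872ccdf5d25d429786da6"},
}

def fingerprint(path, chunk_size=65536):
    """Return (size_in_bytes, md5_hex) for a file, reading it in chunks."""
    digest = hashlib.md5()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()

def verify(path, reference):
    """Compare a file against a {'size': .., 'md5': ..} reference.
    Returns (matches, reasons). Size is cheap and is checked first, but the
    digest is the real test: a replaced file can be padded to the original
    size, while matching the MD5 of the vendor copy is strong evidence that
    the file is the untouched original (and the alert a false positive)."""
    size, md5 = fingerprint(path)
    reasons = []
    if size != reference["size"]:
        reasons.append("size %d != expected %d" % (size, reference["size"]))
    if md5 != reference["md5"].lower():   # tolerate upper-case hex references
        reasons.append("md5 %s != expected %s" % (md5, reference["md5"].lower()))
    return (not reasons), reasons

def demo():
    """Constructed sample: b'abc' has the well-known MD5
    900150983cd24fb0d6963f7d28e17f72, so it plays the role of a known-good copy."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"abc")
        sample_ref = {"size": 3, "md5": "900150983CD24FB0D6963F7D28E17F72"}
        ok_same, _ = verify(sample, sample_ref)
        ok_cab, why = verify(sample, KNOWN_GOOD["win98_49.cab"])
    return {"sample_matches_itself": ok_same,
            "sample_matches_cab": ok_cab,
            "mismatch_reasons": why}

if __name__ == "__main__":
    print(demo())
```

To check a real cabinet, call verify("C:\\windows\\options\\cabs\\win98_49.cab", KNOWN_GOOD["win98_49.cab"]) and read the returned reasons; an empty list means both size and digest match.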
     
  3. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    Sounds like a false positive. Do you think you could send the whole Win98_49.cab file to virus at avast dot com?

    Thanks
    Vlk
     
  4. bahjan

    bahjan Registered Member

    Joined:
    May 18, 2007
    Posts:
    63
    Location:
    U.K.

    Hi,

I sent the whole Cab_49 file to Avast yesterday - the one Avast was trying to tell me was infected. Odd thing was Avast did not specify a virus name - I thought 'VBS Malware [html] worm' seemed a bit vague, but I am a new user so I could be wrong....
    
It might be a false positive, although when I shut down yesterday the system rebooted automatically - at first I wondered whether it was virus activity, but now I assume it was Avast dealing with the infection, as this morning I was able to boot up fine and, scanning CAB_49 manually with updated Avast, I am now told the file is clean. I compared the CAB file size and the tiki file with the Win98 CD and they were the same size.
    
Oddly, I was not able to replace either the single offending tiki file or the whole cab from the CD-ROM - I use Powerdesk 4 by Ontrack and all attempts came up with the error message 'error occurred in extracting archive'. The file icon was greyed out, so I assume it means it was hidden or otherwise not accessible.
I am a bit puzzled as to what to do if I need to replace a CAB file in future - but for now Avast seems to have dealt with the issue or stopped giving a false positive.
    
The alarming thing is that I realise the only way I may have become infected (if indeed I ever was) was via either the Currys or Comet electrical website in the UK. Both FF & McAfee SiteAdvisor indicated that site was OK - but if I was infected, it was due to one of those two sites.
    
    I wait to hear from Avast and will post their reply.....
    Thanks for the software recommendation, Rick.
     
    Last edited: Aug 1, 2007
  5. bahjan

    bahjan Registered Member

    Joined:
    May 18, 2007
    Posts:
    63
    Location:
    U.K.
    Avast Customer Service after examining my CAB file reports this issue as a false positive. Impressed with the swiftness of their reply - within 24hrs.

Other odd issues re IMAP email pick-up failure and missing task bar icons (FF, OE, IE & Desktop), which also materialised yesterday, were all solved by using Ontrack's Fix-It Utilities 4.0 backup restore. Proving its worth yet again!!

These issues were probably associated with the wininit message I got via WinPatrol - I opted to delete the files attempting to re-write (possibly the wrong choice on my part - but I'm a newbie with Scotty, so that's my excuse!). Still a bit confused as to whether I was infected, or whether it was an attempt at hijack, or whether it too was a false positive. As far as I know I have all MS patches installed. Maybe the reboot was something odd after all. Still, all's well that ends well, as everything seems back to normal again.
     
    Last edited: Aug 1, 2007