Friday, July 16, 2010

Computer Viruses: html framer & exploit; false positives?

The night before last something odd happened - we both got "Resident Shield" warnings on our computers, at about the same time.  Patti Anne got a warning about a virus called "HTML Framer", and I got a warning about a virus called "exploit". 

I'm extremely cautious when things like this pop up, based on my previous experience with rouge ware.  Resident Shield is a valid part of the AVG package, but it can also be mimicked, and if this was rogue ware, nothing good would happen if you clicked quarantine or fix or anything similar.  Although, if it was rogue ware, the very fact that it showed up probably meant that it was too late.

Patti Anne started a Malware-bytes quick scan, then an AVG scan, without replying to the prompt.  Malware came back clean, but AVG found two instances of html framer, both lurking in the temporary files somewhere.  It removed them.

I also started an Malware-bytes quick scan, just for s&g, and that is when Resident Shield popped up saying I had the "exploit" virus.  Exploit creates havoc in excel spreadsheets apparently.  I use excel a fair amount, tracking our eBay income & expenses, so that would not be good.  

By this time I was fairly certain that this was a valid warning.  I also had decided to run a full AVG scan so I clicked the ignore button.  The Malware scan came back clean, but the AVG scan found one instance of "exploit", again in a temporary file.  It removed it.

The next day Patti Anne got the resident shield warning for html framer again, but this time clicked on the quarantine button.  Neither of us has had any problem since.

Turns out, according to an AVG forum, "html framer" was most likely a false positive - and they've already put out a fix.  Don't know about "exploit" but it seems to be gone too.

So there we go.  More fun in computer land.


Heather said...

I guess I need to run some scans too. Earlier this evening I got a page block due to the detection of a "rouge scanner", whatever that is.

A Valdese Blogger said...

I've gotten a couple of those recently, too.