The Mudcat Café™
Thread #97933   Message #1933000
Posted By: JohnInKansas
11-Jan-07 - 04:09 AM
Thread Name: Tech: Problem with a Mudcat thread
Subject: RE: Tech: Problem with a Mudcat thread
Joe -

Nothing that I can think of that should trigger an AV alarm. We've seen a few funny things like "blank" pages that look like someone has tried to post an "amended stylesheet" fragment, or has attempted to "script" illegal actions; but so far as I've seen they just fail to do anything.

Most of the nasty stuff has to include some binary content, so far as I've heard.

I'm probably not the expert on what can be done though, since those who operate websites will likely have seen more tricks than I can think of.

I'll note that a friend who was bragging about his "MySpace" page led me to take a look there, and they're getting hit really hard by spammers, both posting pages under false idents and hacking existing pages to put up links to porn. There have been reports of others of the "big name" sites being under a lot of pressure. The evildoers are trying really hard.

Older AV systems usually relied on catching incoming stuff, and deleting it before it could get launched to install itself. For stuff that was easy to catch and delete, they didn't look for "installed bits" associated with the evil incoming stuff. If something got on a machine, and managed to poke its control kernel in, deleting the original file - which is all the AV would usually do - usually breaks the worm, but the bit that it installed may still try to open a port, which will trigger a firewall warning, or you may get a "file not found" when the installed bit tries to call up the file that was deleted. I suspect that something like that triggered leenia's warning; although it's tough to say exactly what happened. For the worm she named, there probably will be a registry entry; but she may want to get pro help to look.

It's also possible that she got "hit" from outside by someone just scanning the web for machines with ports that could be opened, and by coincidence it happened when she was trying to open that thread.

John