Author Topic: Avast false trojan alarm for Hot conference  (Read 9381 times)


Applepie

  • Guest
Avast false trojan alarm for Hot conference
« on: May 27, 2007, 03:30:06 AM »
My home edition of Avast 4 is not allowing me to enter a HotConference chatroom.  Every time I click on the link, there is a false Trojan warning.  The only people who are having this problem all have Avast.  Hot Conference is a legitimate website.  What can I do?

Any suggestions would be appreciated.

Apple

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89336
  • No support PMs thanks
Re: Avast false trojan alarm for Hot conference
« Reply #1 on: May 27, 2007, 02:34:16 PM »
What is the malware name, the infected file name, where was it found e.g. (malware name , http: // www . hotconference.com / index.htm), etc. ? 
Note I have broken the link using spaces so it isn't clickable, use this format when posting suspect site/urls.

Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast false trojan alarm for Hot conference
« Reply #2 on: May 27, 2007, 02:57:43 PM »
Quote from: Applepie
Hot Conference is a legitimate website.  What can I do?

1. Scan the link (url) against Dr. Web antivirus: http://online.drweb.com/?url=1
2. If it is clean, you can use as a workaround the adding of this url to the WebShield Exceptions (left click the 'a' blue icon, click Details button to expand).
The best things in life are free.

Applepie

  • Guest
Re: Avast false trojan alarm for Hot conference
« Reply #3 on: May 27, 2007, 11:10:40 PM »
Hi,

Thanks for your help everyone.  I have scanned the url on Dr Web, Mr. Tech,  and it is clean.. but I can't find the place to add the url for hotconference to the exceptions.  When I click on the Avast desktop icon,  2 things pop up..the Simple User Interface...that's not it..I don't think.  Then the big icon that looks like a camera..the one you use to click on scan.  I can't find anyplace that mentions   "exceptions."   

I would appreciate more  detailed instructions. I also don't see a blue "a"..maybe my color vision is not as sharp as it should be.

Thanks so much!!

Applepie

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89336
  • No support PMs thanks
Re: Avast false trojan alarm for Hot conference
« Reply #4 on: May 27, 2007, 11:42:28 PM »
Left click on the 'a' icon on the system tray (bottom right of your screen), The pop-up On-Access Protection Control.

If it looks like image 1, click the Details button and select the Web Shield provider, image 2.
Click the Customize button, Exceptions tab, Add.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast false trojan alarm for Hot conference
« Reply #5 on: May 28, 2007, 12:14:14 AM »
Quote from: Applepie
I can't find the place to add the url for hotconference to the exceptions.

See the picture..

Quote from: Applepie
I also don't see a blue "a"..maybe my color vision is not as sharp as it should be.

It could be hidden by the XP system tray feature, it might not be exactly blue depending on your video card, etc.
Does it have a red cross on it? If not, it's ok. The providers are there running...

Applepie

  • Guest
Re: Avast false trojan alarm for Hot conference
« Reply #6 on: May 28, 2007, 01:42:10 AM »
Hi David,

I found the 2nd image you posted on Web Shield. I clicked on Exceptions and typed in the url, then clicked ok.  When I went to the url, I had the trojan horse warning again.  On this popup, it gives me several options:  move/rename; Delete or Move to Chest.  Under that there is another section that says Processing... There is a place that I can click on that says No Action.     Am I supposed to click on this No Action box?

I rebooted and went through the same steps again.  When I clicked on the hotconference link, I got the Trojan Warning again.

When I closed the warning window and went ahead...when the downloading of that hotconference link was done..I tried to open it and another popup window came up that said :An external application must be launched to handle this file.    Then it gives a Requested link.  It gave me the option of launching the link  or cancel.  When I clicked launch the link, nothing happened.  It brought me back to the previous popup which showed that I had downloaded the hotconference link.

What do I do now ?  Thanks so much for your patience!

Applepie

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89336
  • No support PMs thanks
Re: Avast false trojan alarm for Hot conference
« Reply #7 on: May 28, 2007, 01:56:59 AM »
Quote from: Applepie
Hi David,

I found the 2nd image you posted on Web Shield. I clicked on Exceptions and typed in the url, then clicked ok.  When I went to the url, I had the trojan horse warning again.  On this popup, it gives me several options:  move/rename; Delete or Move to Chest. 

This is an alert from the standard shield, if it were the web shield then the alert would only have given you the option to Abort the Connection.

So it would appear that your exception for the web page/site is working because it is getting down to your hard disk, browser cache.

Quote from: Applepie
Under that there is another section that says Processing... There is a place that I can click on that says No Action.     Am I supposed to click on this No Action box?

I rebooted and went through the same steps again.  When I clicked on the hotconference link, I got the Trojan Warning again.

No action just means don't send it to the chest, delete, etc. but avast won't allow a detected file to be run. Now we at least have a suspect file we can check.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?  Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

Quote from: Applepie
When I closed the warning window and went ahead...when the downloading of that hotconference link was done..I tried to open it and another popup window came up that said :An external application must be launched to handle this file.    Then it gives a Requested link.  It gave me the option of launching the link  or cancel.  When I clicked launch the link, nothing happened.  It brought me back to the previous popup which showed that I had downloaded the hotconference link.

What do I do now ?  Thanks so much for your patience!

You should check the offending/suspect file at (you may have to pause the standard shield to achieve this, enable again once uploaded): VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest, you will need to move it out. Let us know the result of the scans.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject. Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest.

Also see False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.


Applepie

  • Guest
Re: Avast false trojan alarm for Hot conference
« Reply #8 on: May 28, 2007, 02:37:40 AM »
Hi David,

I am technologically challenged so I am having some difficulty understanding how to execute some of these steps you mentioned...(so sorry )

1.  The hotconference website is a legitimate one .  Many businesses utilize their services to conduct conferences online.   I checked it on Dr. Web already and others have also checked it via other methods and said it was clean.   I will follow your instructions and recheck it if you think it is necessary but I don't understand fully how to do it and am afraid to make a mistake.

2.  What do you mean by:  you can't scan with the file in the chest, you will need to move it out.  How do you move the file out of the chest?

3.  So presuming it is a false positive..I right clicked the Avast icon by the clock..I saw many entries of this  so called trojan virus on that page..not all of them are on the same path but I can't see the whole path..part of the right hand side is cut off.  Most of the listings are on C\Documents and Settings\Apple\LocalSettings\TemporaryInternetFiles\Content.IE5\572TT4XP\Conference(1)exe.

4.  So at this point.. is it ok if I don't try to redetermine if it is a clean link?  I'm comfortable feeling it is clean.

5.  I need to go to Standard Shield now and type in customize, Advanced.  There are 2 sections under advanced.  In the lower area next to ADD, I can type in a link so that they will not scan it in the future. I presume this is where I should type it in...do I type in the path I just typed above in # 3 or do I type in the link I click on to go to the conference room?

6.  How do I restore it to the original location ?

7.  "When it's no longer detected, then you can also remove it from the Standard Shield and Program Settings, exclusions"    Where do I find Program Settings under Standard Shield?  I don't see that tab.

8.  also, how do I remove it from the Standard Shield and Program Settings, exclusions?

So sorry for needing more detailed instructions.

Thanks so much, David.

Applepie


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast false trojan alarm for Hot conference
« Reply #9 on: May 28, 2007, 03:26:43 AM »
Quote from: Applepie
1.  The hotconference website is a legitimate one .  Many businesses utilize their services to conduct conferences online.   I checked it on Dr. Web already and others have also checked it via other methods and said it was clean.   I will follow your instructions and recheck it if you think it is necessary but I don't understand fully how to do it and am afraid to make a mistake.

Which url (exactly) did you add to exceptions? Did you use wildcards like ? or * or not?

Quote from: Applepie
2.  What do you mean by:  you can't scan with the file in the chest, you will need to move it out.  How do you move the file out of the chest?

You can scan a file with another product (on-line scanning, antispyware, etc.) while it is in the avast Chest. It will be encrypted and protected. That is the reason for the Chest (Quarantine): the infection can't get out of there, can't be detected (unless by avast itself, right clicking the file and scanning again...).

Quote from: Applepie
3.  So presuming it is a false positive..I right clicked the Avast icon by the clock..I saw many entries of this  so called trojan virus on that page..not all of them are on the same path but I can't see the whole path..part of the right hand side is cut off.  Most of the listings are on C\Documents and Settings\Apple\LocalSettings\TemporaryInternetFiles\Content.IE5\572TT4XP\Conference(1)exe.

If you change the column size of that table (moving the separator of the column to the right side...) you'll be able to see the full path. The files you're talking about are temporary files, probably false positives (as you're confident that the application is clean).

Quote from: Applepie
4.  So at this point.. is it ok if I don't try to redetermine if it is a clean link?  I'm comfortable feeling it is clean.

I hope the Alwil team corrects this false positive soon, so that if you rescan the files in the Chest, avast could show that the files are clean in the future.

Quote from: Applepie
5.  I need to go to Standard Shield now and type in customize, Advanced.  There are 2 sections under advanced.  In the lower area next to ADD, I can type in a link so that they will not scan it in the future. I presume this is where I should type it in...do I type in the path I just typed above in # 3 or do I type in the link I click on to go to the conference room?

Standard Shield scans files.
The url exception is on WebShield.
The contrary won't work.

Quote from: Applepie
6.  How do I restore it to the original location ?

Right click the file in the Chest and choose restore.

Quote from: Applepie
7.  "When it's no longer detected, then you can also remove it from the Standard Shield and Program Settings, exclusions"    Where do I find Program Settings under Standard Shield?  I don't see that tab.

It's the Advanced tab in Standard Shield. This is the exclusion list for resident (on-access) scanning.
On the Program settings there is another tab called Exclusions. This is for on-demand scanning.

Quote from: Applepie
8.  also, how do I remove it from the Standard Shield and Program Settings, exclusions?

Click on the 'Remove' button at the right side of the window.

Quote from: Applepie
So sorry for needing more detailed instructions.

No need to be sorry, we're here to help...

Applepie

  • Guest
Re: Avast false trojan alarm for Hot conference
« Reply #10 on: May 28, 2007, 03:58:52 AM »
Hi Tech,

Thanks for your help. 

1.  The url I added to WebShield exceptions was:  www.hotconference.com/software/conference.php?id=xxxxxxxx   ..the x's are numbers.   

       a.  Is this what I should have typed in ?
       b.   or should I have typed in the C:\Documents and Settings\Apple\LocalSettings\TemporaryInternetFiles\Content.IE5\572TT4XP\Conference(1)exe  ?

       c.  IF, IF  your response is that I should have typed in b...then I should go back to WEbshield and type in b?  Do I need to delete what I typed in for exceptions before?

2.  On one occasion, as I got that trojan warning popup..I selected delete rather than send to Chest...  is this going to be a problem?

ok let me get this part answered by you first , then write again.

Thanks.

Applepie

 

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast false trojan alarm for Hot conference
« Reply #11 on: May 28, 2007, 04:09:52 AM »
Quote from: Applepie
1.  The url I added to WebShield exceptions was:  www.hotconference.com/software/conference.php?id=xxxxxxxx   ..the x's are numbers.

In WebShield I suggest:
www.hotconference.com/software/conference.php*

Quote from: Applepie
or should I have typed in the C:\Documents and Settings\Apple\LocalSettings\TemporaryInternetFiles\Content.IE5\572TT4XP\Conference(1)exe

In the Standard Shield settings I suggest:
C:\Documents and Settings\Apple\LocalSettings\TemporaryInternetFiles\Content.IE5\572TT4XP\Conference*

Quote from: Applepie
Do I need to delete what I typed in for exceptions before?

Yes, it will be good.

Quote from: Applepie
2.  On one occasion, as I got that trojan warning popup..I selected delete rather than send to Chest...  is this going to be a problem?

If the file is temporary, no, it won't be a problem.

Applepie

  • Guest
Re: Avast false trojan alarm for Hot conference
« Reply #12 on: May 28, 2007, 04:55:06 AM »
Hi Tech,

I have done those 2 steps..added the url to the Web Shield and the STandard Shield as you suggested. 

What is my next step?

Thanks.

Applepie


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89336
  • No support PMs thanks
Re: Avast false trojan alarm for Hot conference
« Reply #13 on: May 28, 2007, 03:57:02 PM »
One of the problems as I see it is that the file that is being downloaded that avast objects to (and did so before the web shield exclusion), is a temporary file, in that it goes into the Temporary Internet Files folder/s, and is likely to change (see below).

"C:\Documents and Settings\Apple\LocalSettings\TemporaryInternetFiles\Content.IE5\572TT4XP\Conference*"

So you will be shooting at a moving target, which would force you to add further wildcards to take account of that moving target. This I believe is a pointless exercise as you should be treating the disease and not the symptom, curing the possible false positive.

So the next step is scanning the file and submitting it to avast if it is confirmed as a false positive.

Quote from: Applepie
Most of the listings are on C\Documents and Settings\Apple\LocalSettings\TemporaryInternetFiles\Content.IE5\572TT4XP\Conference(1)exe.

So if that file is still in that location, upload it for scanning at VirusTotal and let us know the results, if it is a false positive, then it needs to be submitted to avast for analysis and correction (as in my third reply). This will not only help you but others with this problem.

By move it out of the chest (assuming you sent it to the chest) I mean, from the infected files section of the chest, right click on the infected/suspect file and select Export, choose a location to save it in. Otherwise upload it from the temporary internet files location, as I said before you will probably have to pause the standard shield to avoid another alert, possibly not if your exclusion is working.
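An added illustration of the "moving target" point in Reply #13 (not code from the thread or from avast): it checks which cache paths the suggested file exclusion covers, and what a widened pattern would also exempt from scanning. It assumes case-insensitive glob matching where `*` also spans backslashes, which may differ from avast's own matcher; the folder name K3ABCD9Z, the sample file names and the widened pattern are constructed for the example.

```python
from fnmatch import fnmatchcase

# Cache root and file exclusion exactly as written in the thread.
CACHE = r"C:\Documents and Settings\Apple\LocalSettings\TemporaryInternetFiles\Content.IE5"
NARROW = CACHE + r"\572TT4XP\Conference*"
# Hypothetical widened pattern that follows the download into any cache subfolder.
WIDE = CACHE + r"\*\Conference*"

# Constructed sample paths; only the folder 572TT4XP appears in the thread.
SAMPLES = {
    "same_folder": CACHE + r"\572TT4XP\Conference(1).exe",
    "new_folder": CACHE + r"\K3ABCD9Z\Conference(2).exe",
    "unrelated_site": CACHE + r"\K3ABCD9Z\Conference_other_site.exe",
    "other_name": CACHE + r"\572TT4XP\setup.exe",
}


def excluded(path, pattern):
    """Assumed semantics: case-insensitive glob, '*' matches any characters."""
    return fnmatchcase(path.lower(), pattern.lower())


def coverage(pattern):
    """Return the sorted labels of the sample paths the pattern would exempt."""
    return sorted(label for label, path in SAMPLES.items() if excluded(path, pattern))


if __name__ == "__main__":
    # The narrow pattern stops matching once the browser uses another cache
    # folder; the wide one keeps up, but also exempts a same-named file that
    # was downloaded from anywhere else.
    for name, pattern in (("narrow", NARROW), ("wide", WIDE)):
        print(name, coverage(pattern))
```

The widened pattern is the cost of chasing the cache folder: every file whose name starts with "Conference" in the browser cache goes unscanned by the resident shield, which is why confirming and reporting the false positive is the better fix.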

Applepie

  • Guest
Re: Avast false trojan alarm for Hot conference
« Reply #14 on: May 28, 2007, 07:44:12 PM »
Hi David,

I'm not sure I know how to send the information to Avast about the false positive and I don't have a scanner.

If I were to uninstall Avast.. do you think the problem will be ok if the new antivirus doesn't have this problem?  I didn't know if the problem will linger even if I uninstall Avast.

Thanks.

Applepie