Avast is False Detecting an iWin file that prevents download

[david_gamer]

Hello,

When I try to download any game from iWin.com Avast pops up a big warning and prevents the download - but Symantec and McAfee allow it on my other machines.

The Avast message is

Adware Was Found
filename: http://dl.iwin.com/games/v2/1736765502542321936/1737081773154888594/13/0/jewel-quest-iiiSetup.exe?ACDCMD=PF/1736765502542321936/1737081773154888594/13/0\$INSTDIR\iWinGamesHookIE.dll

Maleware name: Win32:AdMedia-J [Adw]
VPS Version: 080818-0. 08/18/2008

How can I allow this download to take place?

I have entered http://www.iwin.com/ and http://dl.iwin.com in the Exceptions

Thanks,

David

[Lisandro]

Thanks for reporting the false positive.
Can you send a sample to virus (at) avast (dot) com for analysis?
Generally they correct the false positives very soon.

[david_gamer]

Hi Tech,

I did send a ticket in to Avast through the website on Friday and the ticket was closed with no comment visible to me. I re-opened the ticket and sent in the same message that I shared on this forum.

I'm not sure if it was a file or url that was the issue as the error message did not give a file name like I expected. The file name may be: iWinGamesHookIE.dll

Which is commonly seen as generic adware but not flagged as malicious.

I ran that file through the VirusTotal site and it passed on some software and failed with others.

The Avast version that site has is very old. It showed:
Avast   4.8.1195.0   2008.08.18   Win32:AdMedia-J

I will send the file in the ticket I have open with Avast.

Thanks for the help.

David

[david_gamer]

Hi Tech,

I sent the file: iWinGamesHookIE.dll
to virus@avast.com

Thanks,

David

[Lisandro]

Thanks to you.

[DavidR]

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

[DavidR]

Hi Tech,

I sent the file: iWinGamesHookIE.dll
to virus@avast.com

The virustotal scan is pretty conclusive, this is adware.
http://www.virustotal.com/analisis/4dc96d622117a059d5dca1d933cbfb23

With 25/36 detections most reporting it as adware and some scanners detecting something a little more sinister.

This is why you should always confirm the detections.

[Lisandro]

Thanks for reporting the false positive.

Oppss, I need to be more careful. I think David is correct...

[DavidR]

<snip>
I ran that file through the VirusTotal site and it passed on some software and failed with others.

The Avast version that site has is very old. It showed:
Avast   4.8.1195.0   2008.08.18   Win32:AdMedia-J
<snip>

The actual version of avast isn't critical (in this case) the critical part is the date under Version as this is the virus signature date and that is today's date.

[Jtaylor83]

I think it's the BHO it maybe detecting.

[DavidR]

It isn't the BHO it is detecting, it is the file you are uploading not a BHO (registry string) to VT, I uploaded the iWinGamesHookIE.dll file. VT hasn't got a clue how the file might be called.

[wyrmrider]

OP What now?

[david_gamer]

Hi Tech,

Thanks for the tip on how to send this in to Avast support!

I received this note from Avast today:

Hello David,

Please accept our apologies for our false alarm message. Our virus specialists have been working on the problem and our virus definitions have now been updated. 

Please therefore update your virus database, which should prevent any recurrence of this problem.

Best Regards,

[david_gamer]

Hi DavidR,

I do use the VirusTotal website - thanks.

David

[DavidR]

You are honoured to receive a direct reply, two down (as GData uses two scanners one of them being avast) only 23 other detections of the original 25 from VT to correct

I have to say I have never seen a detections with so many VT hits being confirmed as a false positive.