Avast and WPS Office Conflict(SOLVED)

I opened my Word Processing Software (that I created and saved) and the following pop-up appeared:

Object: Http:\cdn/adinall.com\js\ssp.\jsl (gZip) (Embedded)
Infection: HTMLScript-inf
Process: C:\Users\User\AppData\Local\Kingsoft\WPSOffice\10.2.0.5820\Office6\wps.exe

What is this HTMLScript-inf Infection?

You can report a suspected FP here: https://www.avast.com/false-positive-file-form.php

Asyn:

The false positive threat was listed under ‘Notifications’ but not in the Virus Vault.

I ran a Smart Scan and Malware Scan but no threats were detected.

I checked for Avast Updates but the latest ones were already installed.

I rebooted and opened the software again but it was not detected as a threat.

a) What is this Object threat and why wasn’t anything placed in the Virus Vault?

b) Why did rebooting resolve the issue?

Wps.exe is my Kingsoft Writer (Word Processing Program) so why did Avast recognize it as a threat?
It did not

this is detected: Object: Http:\cdn/adinall.com\js\ssp.\jsl (gZip) (Embedded)

It seems to be a false positive.

What is this specific Object threat and why wasn’t anything placed in the Virus Vault?

You tell me
Did you open a doc, does it containe that url

anyway the url is none working

a) What is this Object threat and why wasn't anything placed in the Virus Vault?
Did avast say blocked?

Like I already stated, I opened my word processing software (WPS Writer), it was detected as a ‘Threat Blocked,’ and listed in notifications but not in the virus vault.

A Smart Scan and Malware scan did not detect anything and the latest versions of Avast and WPS Writer are installed.

I opened and closed WPS 10 times and Avast blocked as a threat once.

HTML:Script-inf is a website infection, if avast say blocked then there will not be anything in the chest

Pondus:

The pop-up appeared when I opened my word processing software so I do not know about it being a website infection. I only have my Hotmail page and the Avast Forum pages open.

Does the fact that it was ‘Blocked’ mean that there is no infection on my system and nothing to be concerned about?

If so, why is WPS still being detected as a threat periodically?

Does the fact that it was 'Blocked' mean that there is no infection on my system and nothing to be concerned about?
Blocked means you slam the door in its face before it can enter
If so, why is WPS still being detected as a threat periodically?
With the same message?

Basically then, ‘threat blocked’ means that Avast did its job and there is no infection on my system-Correct?

The only webpages that are open are Hotmail and the Avast Forum but the threat blocked pop-up message did not appear on my browser-It was only appearing each time WPS was opened but it is not being displayed anymore

‘If’ the ‘threat blocked’ pop-up does keep appearing when opening WPS, what should I do?

Hi,
First of all, the correct URL is cdn.adinall[.]com/js/ssp.js. I cannot resolve the host, so I cannot check the file itself, but it seems strange that it loads resources from these two (blocked) URLs:

chushoushijian[.]cn
dsp.jiaju933[.]com

Are you sure this is correct behaviour?

HonzaZ-

To summarize: I opened my Word Processing Software (WPS) and the following pop-up appeared even before selecting a file that I created:

Object: Http:\cdn/adinall.com\js\ssp.\jsl (gZip) (Embedded)
Infection: HTMLScript-inf
Process: C:\Users\User\AppData\Local\Kingsoft\WPSOffice\10.2.0.5820\Office6\wps.exe

A Smart Scan and Malware Scan did not detect anything, Avast and Avast and WPS are updated.

Follow-Up Questions:

a) ‘If’ a detected threat ever got into my system, what would the pop-up message state instead of ‘Threat Blocked?’

b) Why did the VBS.Malware-gen infection in mid Feb (that affected all Avast users) and the IDP Generic infection (that I had in late Feb regarding the Gravis Dialer) get placed into the Virus Vault even though they were ‘Blocked Threats’ but this HTMLScript-inf infection, also a ‘Blocked Threat,’ was not placed in the Virus Vault?

That is because the malicious file was blocked while being downloaded to your PC. There is no malicious file in your PC.

I am not the master of GUITM, but the message would be similar. Only the object wouldn’t start with “http” but with “C:/” or something similar.

Once again, these are different files:

  • If you have a file on your PC, and we detect it (by any detection), it goes to vault so you do not lose it.
  • If you try to download a file to your PC, and we detect it (by any detection), the download is interrupted and the “part of the file that was already downloaded” is deleted. We are assuming here that if it was downloaded, there is no reason to fear about “losing” the file, as it can be easily downloaded again.

HonZaz:

To Clarify:

a) What is HTMLScript-inf and why was it detected as a webpage threat when the pop-up appeared when opening my installed word processing program (the pop-up was not displayed on my browser?)

b) Since wps.exe ‘is’ a file on my computer and it was detected as a threat, why wasn’t it placed in my Virus Vault?

c) Each time I open WPS, the ‘Threat Block’ message appears; Should I add it as an Exclusion? If so, how? If not, what step should I take?

d) In general, ‘if’ a detected threat ever got into my system, I understand that it would start with C:\ (not http’) but what would the warning wording be instead of ‘Threat Blocked?’

This is because the “installed word processing program” tried to run JavaScript that was located on a server (specifically, cdn.adinall[.]com/js/ssp.js). Whether that is correct behaviour or not, I cannot say.

wps.exe was not detected as a threat - the JS file it tried to download (cdn.adinall[.]com/js/ssp.js) was.

As I do not have the WPS, or the JS that is being blocked, it is impossible for me to say if it is a false positive (and we should alter the detections) or if it is a true positive (and it should remain blocked and you should contact your admin for further instructions).

I think the message would be the same, but I am not skilled enough to tell for sure.

All I know is that WPS is the equiv of Microsoft Word, WPS is installed on my computer, and I have never had an issue opening documents before now.

a)To be clear, the Javascript file that WPS attempted to download, not Wps.exe itself, was a threat, and my computer is not infected because the threat was blocked-Correct?

b) If so, I still do not understand why Javascript has to be downloaded each time I open my Word Processing software.

c) Before yesterday (Wed), the ‘Threat Blocked’ message had not appeared but now it appears periodically when the software is opened-What would you suggest?

Correct.

Me neither. I am neither familiar with WPS, nor can I access the file it is trying to access.

I would suggest calling your admin to ask why WPS is accessing cdn.adinall[.]com/js/ssp.js at all, and if that is normal, why there are 2 chinese URLs loaded from that JS.

Call what Admin!? I am at home using a personal computer.

WPS is a free packaged bundle of three individual WPS Writer (equiv of Microsoft Word), WPS Presentation (equiv of Powerpoint), and WPS Spreadsheet (equiv of Excel). I opened WPS Presentation and WPS Spreadsheet and the ‘Threat Blocked’ message appears.

maybe switch over to Libre office?

LibreOffice >> https://www.libreoffice.org/