Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK

Hi Folks

This morning my Avast found a trojan with “ThreatFire” (from PC Tools) for the 1st time. I am assuming this is false. Here is the Avast warning.

=====================
Event Type: Warning
Event Source: avast!
Event Category: Client
Event ID: 90
Date: 04/22/2008
Time: 06:24:00 AM
User: N/A
Computer: CHRISTOPHER1
Description:
Sign of “Win32:Rbot-FTK [trj]” has been found in “C:\Program Files\ThreatFire\TFMisc.dll” file.

======================================================================

ThreatFire is a rootkit finder/stopper that I have used for quite some time without any problems of threats. I am curious if anyone else has had this trojan found. I did not delete or put this “TFMisc.dll” in the chest.

Thanks, Christopher

Maybe you could test TFMisc.dll with www.virustotal.com
If it is clean, you can add it to avast Exclusion lists.
Sorry if I’m saying what you already know…
Similar thread: http://forum.avast.com/index.php?topic=34950.0

False positive alert Win32:Rbot-FTK [trj] in file TFMisc.dll will be fixed in next VPS update

@ Misak
You might want to take a look at this one while you are on the forums, http://forum.avast.com/index.php?topic=34949.msg293448#msg293448. Probable FP on a shockwave.com download.

I came home today after being gone 24 hours and updated my programs. After I rebooted TF would not load, it just said “Initiating” and its icon couldn’t be clicked on, etc. I thought it might have been a glitch at boot so I rebooted. This time avast! indicated that it found a trojan in TFMisc.dll “Win32:Rbot-FTK [trj]” (reported to be a false positive by PC Tools TF). I initially had quarantined the file but after submitting it to avast and checking at PC Tools I restored it.

What I have discovered is that after restoring the file and rebooting avast did not detect it again. However TF would still not load. I went into avast’s troubleshooting section and set avast to “Delay loading of avast! services after other system services” and rebooted. TF will now load to a normal state although it does show the “initiating” indicator for a few seconds first. I tested again by setting avast to load normally and rebooted and avast killed TF again. Resetting avast to delay loading and rebooting again solved the problem.

So as a workaround until this is fixed, if you want to you can make avast delay loading and TF will load.

You should exclude the file from scanning until the FP is corrected, rather than delay the start of avast as that is no guarantee that it won’t get in before threatfire and detect it.

See http://forum.avast.com/index.php?topic=34950.msg293451#msg293451.

On my system even when avast! doesn’t detect the file it still won’t allow TF to load normally unless I set avast! to delay loading.

If avast isn’t physically detecting it, whether or not it is loading as normal or delayed, then avast isn’t stopping it, there is something else in the loop. As the post on the TF Forum indicates another has excluded the file and that was the only solution that worked for him, http://www.pctools.com/forum/showpost.php?s=b295c5604cce9ed7b276eefaa80ee358&p=183034&postcount=13

avast! doesn’t block but scans and alerts if infection is found.

When avast first detected this what action did you take?
If you said ignore/no action, I don’t know if that might have any future impact, but it shouldn’t.

What other security software do you have?

I answered for avast to “Continue” when it issued the alert since I was sure it was a false positive, so maybe it is already excluding the file? I still couldn’t get TF to load normally without delaying avast startup though. The only realtime protections I am running are avast! and TF.

OK, DavidR, you were correct that excluding the TF folder from being scanned did correct the problem. Avast wasn’t detecting the file on my system after I answered the initial prompt so I thought it wasn’t that interfering with it. I excluded the file from scanning and allowed avast! to start normally and it did allow TF to run normally. Sorry for my error. :-[

The Continue action, as you have found won’t cut it as no matter what avast won’t allow an infected/detected file to be executed, even if you chose continue/no action, etc. (it simply isn’t going to let you get infected by allowing you to run the file, assuming it isn’t an FP as in this case).

Don’t exclude the complete TF folder as that could leave a hole in your security, you should just exclude the specific file being detected.

In fact, my personal experience is that ThreatFire has a bad integration - too aggressive - into the system. I have very bad experiences using Firefox, installing extensions… I install software very often and ThreatFire messes its installation, i.e., it does its job alerting you but it does not allow normal functions of the computer without alerting you… this is not good.

I just updated my definitions and avast! no longer detects the file. TF loads fine again without excluding any of its files. Thanks for the fast work avast! team. ;D

As far as TF goes, I have never had any problems with it and Firefox, extensions, or any other program, but I do usually suspend TF when installing a program I trust. Avast! I leave running though.

Again, thanks for the assistance and the quick fix.

Thanks for the feedback, if you haven’t already done so you can remove the exclusions.

Edit - oops wrong topic!