Avast is False Detecting an iWin file that prevents download

Hello,

When I try to download any game from iWin.com Avast pops up a big warning and prevents the download - but Symantec and McAfee allow it on my other machines.

The Avast message is

Adware Was Found
filename: http://dl.iwin.com/games/v2/1736765502542321936/1737081773154888594/13/0/jewel-quest-iiiSetup.exe?ACDCMD=PF/1736765502542321936/1737081773154888594/13/0\$INSTDIR\iWinGamesHookIE.dll

Malware name: Win32:AdMedia-J [Adw]
VPS Version: 080818-0. 08/18/2008

How can I allow this download to take place?

I have entered http://www.iwin.com/ and http://dl.iwin.com in the Exceptions

Thanks,

David

Thanks for reporting the false positive.
Can you send a sample to virus (at) avast (dot) com for analysis?
Generally they correct the false positives very soon.

Hi Tech,

I did send a ticket in to Avast through the website on Friday and the ticket was closed with no comment visible to me. I re-opened the ticket and sent in the same message that I shared on this forum.

I’m not sure if it was a file or URL that was the issue, as the error message did not give a file name like I expected. The file name may be: iWinGamesHookIE.dll

Which is commonly seen as generic adware but not flagged as malicious.

I ran that file through the VirusTotal site and it passed on some software and failed with others.

The Avast version that site has is very old. It showed:
Avast 4.8.1195.0 2008.08.18 Win32:AdMedia-J

I will send the file in the ticket I have open with Avast.

Thanks for the help.

David

Hi Tech,

I sent the file: iWinGamesHookIE.dll
to virus@avast.com

Thanks,

David

Thanks to you.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

The virustotal scan is pretty conclusive, this is adware.
http://www.virustotal.com/analisis/4dc96d622117a059d5dca1d933cbfb23

With 25/36 detections, most reporting it as adware and some scanners detecting something a little more sinister.

This is why you should always confirm the detections.

Oops, I need to be more careful. I think David is correct…

The actual version of avast isn’t critical (in this case); the critical part is the date under Version, as this is the virus signature date and that is today’s date.

I think it’s the BHO it may be detecting.

It isn’t the BHO it is detecting; it is the file you are uploading to VT, not a BHO (registry string). I uploaded the iWinGamesHookIE.dll file. VT hasn’t got a clue how the file might be called.

OP What now?

Hi Tech,

Thanks for the tip on how to send this in to Avast support!

I received this note from Avast today:

Hello David,

Please accept our apologies for our false alarm message. Our virus specialists have been working on the problem and our virus definitions have now been updated.

Please therefore update your virus database, which should prevent any recurrence of this problem.

Best Regards,

Hi DavidR,

I do use the VirusTotal website - thanks.

David

You are honoured to receive a direct reply, two down (as GData uses two scanners one of them being avast) only 23 other detections of the original 25 from VT to correct ;D

I have to say I have never seen a detection with so many VT hits being confirmed as a false positive.

Can you confirm that the false was successfully fixed?

I can confirm the FP was fixed; I had a sample of the iWinGamesHookIE.dll file, no longer detected.

Hello Maxx,

I agree with DaveR - the false detect issue was corrected in the update.

This forum and the people here were very helpful in helping me resolve this issue.

We had the same issue with AVG. AVG also corrected the problem with an update today.

If you ever have the time, please try our games at www.iwin.com.

Thanks again,

David

Welcome to one of the best on-line active forums :wink:

While avast has fixed this as a FP, you should be aware that sites such as iWin are ad supported and as such, you are likely to “acquire” some kind of ad generator.