False Positive? in Ypops

Hi.
I logged into my home system today, virus database update message was heard, I now have a warning when Ypops starts to load:

“X:\Program Files\Ypops\libcurl.dll has a trojan” :o ??? ???

Until today’s update, not a peep from Avast!. Downloaded from a trusted site. I’ve been using for years.

Tried to download and reinstall, again from a trusted site, no joy. Avast! still blocking the above *.dll! >:(

Any insight appreciated!

Question: How to send to avast to notify of potential (probable) false positive?

Dave

Dave, you can open the AVAST Virus Chest, right click on the suspect file, and select email to ALWIL Software. Then it will either email the file or give you a message that states

The following file cannot be sent by email:
nanoPEG-Editor-hpg.exe (FileID: 6)
The file is bigger than the limit: 1024 kB.

Good luck.

What was the malware name, I suspect win32:trojan-gen ?

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

I have no idea how to interpret this data. I ran the tool against the whole install file s it considered the *.dll file too small
(0 bytes uploaded message)
Virus Tool results:

File ypops-win-0.9.5.1.exe received on 07.24.2008 23:21:18 (CET)
Current status: Loading … queued waiting scanning finished NOT FOUND STOPPED

Result: 2/35 (5.72%)
Loading server information…
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they’re generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click “request” so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.7.25.0 2008.07.24 -
AntiVir 7.8.1.12 2008.07.24 -
Authentium 5.1.0.4 2008.07.24 -
Avast 4.8.1195.0 2008.07.24 Win32:Trojan-gen {Other}
AVG 8.0.0.130 2008.07.24 -
BitDefender 7.2 2008.07.24 -
CAT-QuickHeal 9.50 2008.07.24 -
ClamAV 0.93.1 2008.07.24 -
DrWeb 4.44.0.09170 2008.07.24 -
eSafe 7.0.17.0 2008.07.24 -
eTrust-Vet 31.6.5980 2008.07.24 -
Ewido 4.0 2008.07.24 -
F-Prot 4.4.4.56 2008.07.24 -
F-Secure 7.60.13501.0 2008.07.24 -
Fortinet 3.14.0.0 2008.07.24 -
GData 2.0.7306.1023 2008.07.24 -
Ikarus T3.1.1.34.0 2008.07.24 Trojan.Win32.Agent.voq
Kaspersky 7.0.0.125 2008.07.24 -
McAfee 5346 2008.07.24 -
Microsoft 1.3704 2008.07.24 -
NOD32v2 3296 2008.07.24 -
Norman 5.80.02 2008.07.24 -
Panda 9.0.0.4 2008.07.24 -
PCTools 4.4.2.0 2008.07.24 -
Prevx1 V2 2008.07.24 -
Rising 20.54.32.00 2008.07.24 -
Sophos 4.31.0 2008.07.24 -
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.24 -
TheHacker 6.2.96.387 2008.07.23 -
TrendMicro 8.700.0.1004 2008.07.24 -
VBA32 3.12.8.1 2008.07.24 -
ViRobot 2008.7.24.1309 2008.07.24 -
VirusBuster 4.5.11.0 2008.07.24 -
Webwasher-Gateway 6.6.2 2008.07.24 -
Additional information
File size: 1551014 bytes
MD5…: 46dc0a3400e63b81bdcdfcc47e1dbf79
SHA1…: cc8e5bc4a0ba7f0036194c755bd83cc79d621493
SHA256: 5e42fcc4e9ae43725ae2b05038d05a6868b5043b33b9c614390a115a8ba85f27
SHA512: fb6b5b05b7e3098b2f6302e61a25cebddaa143eb404204a92bdfa9618e6e04b5
160ae11010bf5ca63b0abb1d9605adfddbdf3863fd5f0206bd9f0637cc99fc7b
PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4097f0
timedatestamp…: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype…: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x8f14 0x9000 6.58 19aec1c1a4ef2fb9fe30b219ab07ddb2
DATA 0xa000 0x248 0x400 2.72 6344b5e22b5b2675be150744885e2671
BSS 0xb000 0xe34 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xc000 0x942 0xa00 4.42 563cb4ae07a81b0403d850851e368293
.tls 0xd000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xe000 0x18 0x200 0.20 d293bf8d4ebe9826d58e1d27c25fe4b6
.reloc 0xf000 0x880 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x10000 0x2800 0x2800 4.34 349f3412dd5404eabf53cea3c86a4267

( 8 imports )

kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll: MessageBoxA
oleaut32.dll: VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll: WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll: TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll: InitCommonControls
advapi32.dll: AdjustTokenPrivileges

( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=46dc0a3400e63b81bdcdfcc47e1dbf79

Dave, only 2 scanners out of 35 (Avast and Ikarus) reported a virus. This leads me to suspect strongly that your finding is indeed a False Positive, and therefore probably not actually an infection.

Same here. That and until today 7/20 AM EDT (USA) there was NO issue.

Follow the actions in the “how to report it to avast! and what to do to exclude them until the problem is corrected” link in my first reply.

How do you know when a false positive has been corrected by Avast! ?

By periodically scanning the file in the chest as mentioned in the info in the link.

periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Which version of YPOPs! do you have? I check 3 latest version form http://sourceforge.net/project/showfiles.php?group_id=52835&package_id=52066&abmode=1 and no alarm was trigged…