Well I was surfing the web in Firefox and when I closed out the browser, I suddenly got some alerts of a trojan from the resident protection of Avast! I have the latest Firefox version, and I haven’t downloaded anything for the past few days. I just find it odd that Avast is warning me of some trojan when I close out my browser, and just to be safe, I quarantined the files in question. I haven’t had any other alerts or problems with Firefox before today…I have 4 alerts in the log, and since then I haven’t received any more alerts. Should I be worried?
I’m running Windows XP SP2 with all security updates, Avast! with today’s definition updates, and Ad-aware, Spybot S&D, SpywareBlaster, and Ewido Anti-Malware.
Here are the entries in the log
5/4/2006 5:44:47 PM SYSTEM 1796 Sign of “Win32:Agent-RO [Trj]” has been found in “C:\Program Files\Opera\Program\Plugins\npupd62.dll” file.
5/4/2006 5:45:06 PM SYSTEM 1796 Sign of “Win32:Agent-RN [Trj]” has been found in “C:\Program Files\Opera\Program\Plugins\UPD62INT.dll” file.
5/4/2006 5:45:19 PM SYSTEM 1796 Sign of “Win32:Agent-RO [Trj]” has been found in “C:\Program Files\Mozilla Firefox\Plugins\npupd62.dll” file.
5/4/2006 5:48:32 PM SYSTEM 1796 Sign of “Win32:Agent-RN [Trj]” has been found in “C:\Program Files\Mozilla Firefox\Plugins\UPD62INT.dll” file.
Since the files have been on your system for a little while, it could either be that this new detection is picking up previously undetected viruses or it could be a false positive detection.
You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner
If you are getting a virus warning that you believe is a false positive, then, if you can, zip and password protect (‘virus’ will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest.
Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan); when it is no longer detected, remove it from the exclusions.
Also see (Mini Sticky) False Positives
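Added example, not part of the thread or of avast's tooling: a small parser that condenses the four log entries from the first post into the brief per-file outline the reply above suggests including in a false-positive report. The line layout is inferred only from those four entries, and the field names in the code are assumptions.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows path rules, works on any OS

# The four resident-protection entries, copied from the first post.
LOG = r"""
5/4/2006 5:44:47 PM SYSTEM 1796 Sign of “Win32:Agent-RO [Trj]” has been found in “C:\Program Files\Opera\Program\Plugins\npupd62.dll” file.
5/4/2006 5:45:06 PM SYSTEM 1796 Sign of “Win32:Agent-RN [Trj]” has been found in “C:\Program Files\Opera\Program\Plugins\UPD62INT.dll” file.
5/4/2006 5:45:19 PM SYSTEM 1796 Sign of “Win32:Agent-RO [Trj]” has been found in “C:\Program Files\Mozilla Firefox\Plugins\npupd62.dll” file.
5/4/2006 5:48:32 PM SYSTEM 1796 Sign of “Win32:Agent-RN [Trj]” has been found in “C:\Program Files\Mozilla Firefox\Plugins\UPD62INT.dll” file.
"""

# Layout inferred from those lines only; the two fields after the timestamp
# (here "SYSTEM" and "1796") are kept verbatim because the thread does not
# say what they mean. Straight or curly quotes are both accepted.
ENTRY = re.compile(
    r"^(?P<when>\S+ \S+ [AP]M) (?P<account>\S+) (?P<ident>\d+) "
    r"Sign of [“\"](?P<signature>[^”\"]+)[”\"] has been found in "
    r"[“\"](?P<path>[^”\"]+)[”\"] file\.$"
)

def parse(log):
    """Return one dict per alert line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ENTRY.match, log.strip().splitlines()) if m]

def group_by_file(entries):
    """Group alerts by file name (case-insensitive, as on Windows)."""
    groups = defaultdict(lambda: {"signatures": set(), "paths": []})
    for e in entries:
        g = groups[basename(e["path"]).lower()]
        g["signatures"].add(e["signature"])
        g["paths"].append(e["path"])
    return dict(groups)

def outline(entries):
    """Build the short problem outline for the report e-mail."""
    lines = []
    for name, g in sorted(group_by_file(entries).items()):
        sigs = ", ".join(sorted(g["signatures"]))
        lines.append(f"{name}: {sigs} ({len(g['paths'])} locations)")
        lines.extend(f"    {p}" for p in g["paths"])
    return "\n".join(lines)

if __name__ == "__main__":
    print(outline(parse(LOG)))
```

Grouping by file name shows that the four alerts come down to two plugin file names, each flagged with one signature in both browsers' plugin folders; the log alone does not show whether the two copies of each file are byte-identical.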
Thanks for the quick reply. I scanned all four files at Jotti, and only Avast! detects it as a trojan, none of the other scanners detect anything. I think it could be false positives, so I’ll send it to Avast…thanks for the help.
Also see this thread: http://forum.avast.com/index.php?topic=20978.0 (same issue). I have sent both Firefox files off to avast. If you can, send the Opera plugin files to avast as mentioned above.
Both of the false positive detections that I sent in have now been corrected with the 0618-3 VPS update.