Possible false alarm in DPPLensViewer.exe (Win32:Dialer-HE [Trj])

Hello,

I have downloaded an official Canon software upgrade from the following link:
http://de.software.canon-europe.com/files/soft27549/software/k7a06dex.exe

This is an upgrade for Canon's Digital Photo Professional software for Canon cameras.
During installation avast comes up with the following line:

Sign of "Win32:Dialer-HE [trj]" has been found in "C:\DOKUME~1\User\LOKALE~1\Temp\UIW\DPP\common\program\DPPLensViewer.exe" file.

DPPLensViewer.exe is a regular part of the software package.
Is it a false alarm? Or is it really an infected file?

Greetings
Dr.Judge

I am getting the same alarm, and it renders Digital Photo Pro’s lens adjustment function inoperable. Is there any workaround? I think that this is an erroneous detection.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.

If avast is the only one reporting this then send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if you didn’t already send it to the chest) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

If it is indeed a false positive, add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Hello,

Just tried your weblink. Only 2 out of 32 scanners “found” the trojan inside (see below). Seems to be a false positive.
I also mailed the file from my chest to avast.

Antivirus  Version  Last update  Result
AhnLab-V3  2008.3.4.0  2008.03.07  -
AntiVir  7.6.0.73  2008.03.07  -
Authentium  4.93.8  2008.03.07  -
Avast  4.7.1098.0  2008.03.07  Win32:Dialer-HE
AVG  7.5.0.516  2008.03.07  -
BitDefender  7.2  2008.03.07  -
CAT-QuickHeal  9.50  2008.03.06  -
ClamAV  0.92.1  2008.03.07  -
DrWeb  4.44.0.09170  2008.03.07  -
eSafe  7.0.15.0  2008.03.06  -
eTrust-Vet  31.3.5595  2008.03.07  -
Ewido  4.0  2008.03.07  -
FileAdvisor  1  2008.03.07  -
Fortinet  3.14.0.0  2008.03.07  -
F-Prot  4.4.2.54  2008.03.07  -
F-Secure  6.70.13260.0  2008.03.07  -
Ikarus  T3.1.1.20  2008.03.07  Virus.Win32.Dialer.HE
Kaspersky  7.0.0.125  2008.03.07  -
McAfee  5246  2008.03.06  -
Microsoft  1.3301  2008.03.06  -
NOD32v2  2930  2008.03.07  -
Norman  5.80.02  2008.03.06  -
Panda  9.0.0.4  2008.03.06  -
Prevx1  V2  2008.03.07  -
Rising  20.34.42.00  2008.03.07  -
Sophos  4.27.0  2008.03.07  -
Sunbelt  3.0.930.0  2008.03.05  -
Symantec  10  2008.03.07  -
TheHacker  6.2.92.235  2008.03.07  -
VBA32  3.12.6.2  2008.03.05  -
VirusBuster  4.3.26:9  2008.03.07  -
Webwasher-Gateway  6.6.2  2008.03.07  -

Additional information
File size: 155648 bytes
MD5: 798b1b468a7ad5a30080bbcad2de52ff
SHA1: 285f709df032e8ecbd3f46dfb5082fe7ab7abed1
PEiD: -

Thanks for reporting.
Sorry for the inconvenience.
Hope they correct it soon.

Thanks for the update. It does look like it will be an FP, which hopefully after analysis will be corrected quickly.

Welcome to the forums.

The FP is fixed internally already :wink:

Thanks, everybody.

Thanks…keep up the good work :wink: