Problem with ThreatFire

Everything worked fine on my computer until a few minutes ago when Avast reported that the file TFMisc.dll (from ThreatFire) was infected with a Trojan. Since then ThreatFire has stopped functioning. Windows (Vista) shows that there has been a problem and that ThreatFire has to close down. The service itself is therefore stopped but the tray icon remains and it says “initiating”, but nothing ever happens. Clicking on Threatfire brings back the same problem and closes.
I uninstalled ThreatFire, got the latest version from the web and installed it…but the problem remains, though this time the file is obviously not the same…
I’ve scanned the .EXE and it states that TFMisc.dll is infected…
But what is even stranger is that a scan on an older version of the .EXE (the date is October 28th, 2007) reports the same result: same infection on the same file…
So, is the file really infected or is it a false positive detected by Avast?

Similar thread
http://forum.avast.com/index.php?topic=34951.msg293449#msg293449

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here.

If it is indeed a false positive (only detected by avast in VT above), add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). The new submission process doesn’t actually email it but uploads it to avast during the Auto or Manual update process.

So no need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Thanks, DavidR. Very helpful info on adding to exclusions! I have the same TF detection problem and this is the fix for now. :)

You’re welcome, it has been acknowledged as an FP so it shouldn’t take long to correct in the VPS updates.

Apparently it seems to be a false positive: VirusTotal reports nothing whatsoever.
Avast keeps stating the file is infected. So I put it in the exclusions list.
I also delayed Avast startup.
Now everything seems to work fine again!
Thanks for your help!

No problem, as I mentioned it has been acknowledged by one of the avast Virus Labs team, so it should be corrected soon.

There is no need to delay the avast startup if you have the file in the exclusions.
If you have a copy in the chest, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Welcome to the forums.

I also encountered the same problem (avast detected ThreatFire as trojan) after updating the virus database last night.

But, this morning after updating the database to version 080422-1, the “false positive” did not occur again.

Tks for the quick response from Avast team ;D

Thanks for the feedback, the Alwil team are usually quick to correct them once analysed and acknowledged.

Same here, Avast gave me an alert that Tfmisc.dll is win32:Rbot-FTK trojan. Anybody know how to put Threatfire on an exclusion list so its files won't be scanned?

Yes Id ;D

First ensure you have the latest VPS update as I believe 080428-0 corrects this problem.

If not, add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions this is the most important one for you, the on-access scanner, as it is what detects the file when it is executed.

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

I had some strange detection today too!

This morning out of the blue, Avast detects a file in my mirc script (nbs-irc).
So I go to their webpage and download the latest install… but avast won't let me.
It says the installer also is infected.

I ran the installer through the virustotal thing and got 6/36 positives.
I used this nbs-script for many years now and now out of the blue it gets detected.

http://www.imagebam.com/image/282bf713357170 <— from the nbs site.

I quarantined the files on my comp… but now I can’t use mirc :E
I want to find out whether it’s a real or false alarm… cause if it’s for real that installer should be taken down over at nbs.

This is unrelated to the original topic about Threatfire other than you believe your problem might be a false positive.

You should post this in a new topic - Go to this link, http://forum.avast.com/index.php, scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.

In the new topic if you can post the results of the VirusTotal scans, you could just copy and paste the URL of the Results page. There we can see what else is detecting it and what they think it is also.