Han wrote:

> Avira warned me that <http://www.zedtek.com/download/ztw22x86.exe> would be
> accessing a malware site. zedtek.com itself didn't get flagged. Is Ztree
> malware? It seemed nice to have a modern tool similar to the old Xtree
> program, but I don't need malware ...


So are you talking about Avast's Web Shield issuing an alert? If so,
does that site permit 3rd party content on their site? Do links go
through some "selector", especially an offsite redirector, rather than
provide a direct link to the content? I didn't notice (visually, not by
HTML inspection) this stuff at http://www.ztree.com/html/download.htm
(would've been nice if you gave the web page where the link you gave
is).

Did the warning about "accessing a malware site" come when you visited
the download page, when you clicked on the link for the file, during the
download of the file, or after you tried running the file from a local
copy deposited on your host after the download completed?

I downloaded (but did not run) the ztw22x86.exe file. No alert from
Avast (Web Shield or File Shield). I don't want the product so I didn't
run the installer. You never mentioned running the installer so
presumably just downloading the file caused the alert for you. I didn't
get one. I right-clicked on the file and scanned again. No alert.

I have Avast Free 6.0.1125 installed. You never mentioned which version
you have and whether it's the free or paid version. For me, signatures
were updated 6/16/2011 @ 3:16:05AM, version 110616-0. You didn't mention
when your last signature update was. It's also possible you have your instance
of Avast configured to be more aggressive than mine.

Submitting the .exe file to VirusTotal. Got 1 hit: VBA32
(Trojan.SB.0505). Haven't a clue what VBA32 is. After 5 minutes of
drilling around their site looking for a list of AV vendors, I gave up
and did a Google Search. Never heard of VirusBlokAda before today
(http://en.wikipedia.org/wiki/Vba32_AntiVirus). With the preponderance
of well-known AV products not triggering on this file, it doesn't look
infected (using only signatures for detection).