Avast shows there is a virus: Win32:Spyware-gen

Avast shows there is a virus in an exe file: Win32:Spyware-gen

I just checked it on the online virus scanner http://www.virustotal.com, and a few antiviruses, including Avast, show that there is a virus:

Avast 4.8.1195.0 2008.09.17 Win32:Spyware-gen
eSafe 7.0.17.0 2008.09.17 Suspicious File
GData 19 2008.09.18 Win32.Spyware-gen
Ikarus T3.1.1.34.0 2008.09.18 Virus.Win32.Spyware

Is this a false positive, or is it a real danger?

Difficult to say… GData is the same detection as avast (it uses the avast engine/definitions).
I bet on a false positive, but can you post the file name and path? Has this file been on your computer a long time, or is it new?

One person ran this file on my PC without asking me, to prepare a bootable floppy.
The file is the HDD Sector Scan 3.0 utility (old Floppy Version) from SalvationDATA Technology Inc.
The file name is hsr3.0floppysetup.exe. It’s an SFX RAR archive. I am worried that it may be infected.
I checked the EventViewer tasks and found this there:

System → Source: Windows File Protection

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64002
Date: 2008.09.17.
Time: 9:59:49
User: N/A
Computer: UserName
Description:
File replacement was attempted on the protected system file setup.exe. This
file was restored to the original version to maintain system stability. The
file version of the system file is 5.1.2600.5512.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

If the EventViewer info is correct, there was an attempt to replace setup.exe, which was made at the same time this application was launched.

I also ran HiJackThis and compared the log with an old log I have (3 months back); 3 new keys appear. Is it something legit?

O17 - HKLM\System\CCS\Services\Tcpip..{14148331-078A-44D1-8E7D-14F7C7BBAC8C}: NameServer = 192.168.4.1
O17 - HKLM\System\CS1\Services\Tcpip..{14148331-078A-44D1-8E7D-14F7C7BBAC8C}: NameServer = 192.168.4.1
O17 - HKLM\System\CS2\Services\Tcpip..{14148331-078A-44D1-8E7D-14F7C7BBAC8C}: NameServer = 192.168.4.1

Thanks.

I get zero hits on the CLSID {14148331-078A-44D1-8E7D-14F7C7BBAC8C} on Google, which is a little strange, but not unusual.

The IP 192.168.4.1, if I’m not mistaken, is a local network IP or possibly how you connect to/configure your router. Sorry, I don’t use a router or network, so I can’t be a lot of practical help.

Do you have a network and/or router?

You could try to enter the 192.168.4.1 address into your browser and see if that does in fact load your router configuration.

Also see http://ms-os.com/windows-xp/183408-has-been-file-replaced.html about hsr3.0floppysetup.exe
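The check described in the reply above (is the O17 NameServer a local-network address?) can be run over a whole HijackThis log. The following is an added example, not part of the original thread; the function names are hypothetical, and the sample log is constructed from the three O17 lines posted here plus one made-up entry with a documentation-range address for contrast.

```python
import ipaddress
import re

# RFC 1918 private ranges plus loopback: addresses a home router or the
# machine itself would use. Checked explicitly rather than via is_private,
# which also covers documentation and other special-purpose ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Matches an O17 NameServer line; tolerant of the text between "Tcpip" and the GUID.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<set>[^\\]+)\\Services\\Tcpip.*?"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}: NameServer = (?P<servers>.+)$")

# Constructed sample: the thread's three O17 lines plus one made-up entry
# (zero GUID, documentation-range address) to show the "external" verdict.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip..{14148331-078A-44D1-8E7D-14F7C7BBAC8C}: NameServer = 192.168.4.1
O17 - HKLM\System\CS1\Services\Tcpip..{14148331-078A-44D1-8E7D-14F7C7BBAC8C}: NameServer = 192.168.4.1
O17 - HKLM\System\CS2\Services\Tcpip..{14148331-078A-44D1-8E7D-14F7C7BBAC8C}: NameServer = 192.168.4.1
O17 - HKLM\System\CCS\Services\Tcpip..{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.53,192.168.4.1
"""

def classify(addr):
    """Return 'local', 'external' or 'invalid' for one NameServer value."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    return "local" if any(ip in net for net in LOCAL_NETS) else "external"

def review_o17(log_text):
    """Return (control_set, guid, address, verdict) for every O17 NameServer."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # The registry value may hold several servers, comma or space separated.
        for addr in re.split(r"[,\s]+", m["servers"].strip()):
            findings.append((m["set"], m["guid"], addr, classify(addr)))
    return findings

if __name__ == "__main__":
    for cset, guid, addr, verdict in review_o17(SAMPLE_LOG):
        note = "" if verdict == "local" else "  <- confirm this is a resolver you chose"
        print(f"{cset} {guid} {addr:15} {verdict}{note}")
```

An "external" verdict is not a detection by itself, since many ISPs hand out public resolvers; it only marks entries worth comparing against the router's or ISP's documented DNS servers.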

Yes, that is the router. So what I want to clarify now is whether the Win32:Spyware-gen detected by Avast is really a virus or a false positive.

If hsr3.0floppysetup.exe is the file you sent to virustotal, then yes it is a possibility and the file should be sent to avast for further analysis, see below.

None of the VT detections are by a specific virus signature; they are generic/heuristic, which are more prone to FPs.

But you would also have to ask what it is doing there; based on some of the Google hits about it, some others think it at the very least suspicious.

If it is indeed a false positive (possible), see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 for how to report it to avast! and what to do to exclude them until the problem is corrected.

I have sent the file to virus@avast.com for analysis. I found no helpful info about this file on Google.

Yes, that is what surprises me; if it is a legit file/process, I would expect lots of info.

I asked the program manufacturer, and they believe that the file has been infected by a virus, and it’s not a problem with their original program. I have requested the MD5 checksum of this file from them, if possible, to compare the original with my file.