False alarm against VMWare Virtual Center

Using home edition 4.8, build 4.8.1229
Virus def file 081030-0 dated 10/30/08

10/30/2008 9:54:24 AM SYSTEM 1708 Sign of “Win32:PureMorph [Cryp]” has been found in “C:\Program Files\VMware\Infrastructure\VirtualCenter Server\SYSPREPDECRYPTER.exe” file.

This is a legit portion of the Virtual Center program and is not a virus. Although I was just testing Virtual Center with VMWare Player and Workstation editions, neither of those other programs (Player or Workstation) was detected as having any viruses, just the Center.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect*. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

As expected, it is indeed a false positive. It is a functional component of VMWare Virtual Center.

File sysprepDecrypter.exe received on 10.30.2008 17:57:31 (CET)
Result: 2/36 (5.56%)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.10.30.1 | 2008.10.30 | - |
| AntiVir | 7.9.0.10 | 2008.10.30 | - |
| Authentium | 5.1.0.4 | 2008.10.30 | - |
| Avast | 4.8.1248.0 | 2008.10.30 | Win32:PureMorph |
| AVG | 8.0.0.161 | 2008.10.30 | - |
| BitDefender | 7.2 | 2008.10.30 | - |
| CAT-QuickHeal | 9.50 | 2008.10.29 | - |
| ClamAV | 0.93.1 | 2008.10.30 | - |
| DrWeb | 4.44.0.09170 | 2008.10.30 | - |
| eSafe | 7.0.17.0 | 2008.10.30 | - |
| eTrust-Vet | 31.6.6180 | 2008.10.29 | - |
| Ewido | 4.0 | 2008.10.30 | - |
| F-Prot | 4.4.4.56 | 2008.10.29 | - |
| F-Secure | 8.0.14332.0 | 2008.10.30 | - |
| Fortinet | 3.117.0.0 | 2008.10.28 | - |
| GData | 19 | 2008.10.30 | Win32:PureMorph |
| Ikarus | T3.1.1.44.0 | 2008.10.30 | - |
| K7AntiVirus | 7.10.512 | 2008.10.30 | - |
| Kaspersky | 7.0.0.125 | 2008.10.30 | - |
| McAfee | 5418 | 2008.10.30 | - |
| Microsoft | 1.4005 | 2008.10.30 | - |
| NOD32 | 3570 | 2008.10.30 | - |
| Norman | 5.80.02 | 2008.10.30 | - |
| Panda | 9.0.0.4 | 2008.10.29 | - |
| PCTools | 4.4.2.0 | 2008.10.30 | - |
| Prevx1 | V2 | 2008.10.30 | - |
| Rising | 21.01.32.00 | 2008.10.30 | - |
| SecureWeb-Gateway | 6.7.6 | 2008.10.30 | - |
| Sophos | 4.35.0 | 2008.10.30 | - |
| Sunbelt | 3.1.1764.1 | 2008.10.29 | - |
| Symantec | 10 | 2008.10.30 | - |
| TheHacker | 6.3.1.1.134 | 2008.10.30 | - |
| TrendMicro | 8.700.0.1004 | 2008.10.30 | - |
| VBA32 | 3.12.8.9 | 2008.10.30 | - |
| ViRobot | 2008.10.30.1445 | 2008.10.30 | - |
| VirusBuster | 4.5.11.0 | 2008.10.30 | - |
Additional information
File size: 80896 bytes
MD5: 1ef15d66dfd385f0de1981fd01b27a51
SHA1: 45cb974713dcc96500b29c5419397d83de69c64b
SHA256: 053f8ef1e0c8d6dedcd77e8b7d24e990fb82fbcc238f975e2c36b0d095e13871
SHA512: c856fb6e857548d352482d1932268ed3e40268402cf193f696d5806051af0027e784c1ef8d5e7e00e96a6f9e5a541a25e6069accd3b9d454a17460316dd5dd99
PEiD: -
TrID: File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypoint address: 0x402980
timedatestamp: 0x471004bc (Fri Oct 12 23:35:24 2007)
machine type: 0x14c (I386)

( 4 sections )

| name | virtual address | virtual size | raw data size | entropy | md5 |
|---|---|---|---|---|---|
| .text | 0x1000 | 0xb352 | 0xb400 | 5.78 | 014f1f4a839ae43abd5839f55bd7d6bd |
| .rdata | 0xd000 | 0x6625 | 0x6800 | 6.45 | acddbced39015ea313daba5abe21fb60 |
| .data | 0x14000 | 0x48 | 0x200 | 0.74 | 5f2b33a8903f9112feea6d6c7bcb94ca |
| .reloc | 0x15000 | 0x1822 | 0x1a00 | 6.41 | 98659979ee626ef6f5d40623d382bd7c |

( 1 imports )

ntdll.dll: RtlAllocateHeap, RtlFreeHeap, NtDisplayString, RtlInitUnicodeString, swprintf, NtWriteFile, _vsnprintf, _chkstk, memmove, strncpy, ZwQueryValueKey, ZwSetValueKey, ZwOpenKey, ZwCreateFile, ZwClose, ZwReadFile, ZwQueryInformationFile, strspn, strstr, wcscat, wcscpy, wcslen, RtlCreateHeap, RtlDestroyHeap, NtInitializeRegistry, ZwWriteFile, NtTerminateProcess

( 0 exports )
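As an added example (not part of this thread, and not code from avast or VirusTotal), here is a small Python triage helper for exactly this situation: it parses a pasted VirusTotal engine table like the one above, reports the detection ratio and which engines fired under which name, and checks a local copy of the file against the MD5/SHA-1/SHA-256/SHA-512 values the report lists, so you know the report you are reading describes the file you actually exported from the chest. The engine table and the expected hashes are copied from the post; the function names (`parse_vt_table`, `detection_summary`, `hash_bytes`, `hash_file`, `compare_hashes`) are chosen here.

```python
"""Triage helper for a suspected antivirus false positive (added example).
Parses a pasted VirusTotal engine table and verifies a local file's hashes
against the ones VirusTotal reported."""
import hashlib
from typing import Dict, List, Tuple

# Engine table copied verbatim from the VirusTotal report quoted in the thread.
VT_TABLE = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.10.30.1 2008.10.30 -
AntiVir 7.9.0.10 2008.10.30 -
Authentium 5.1.0.4 2008.10.30 -
Avast 4.8.1248.0 2008.10.30 Win32:PureMorph
AVG 8.0.0.161 2008.10.30 -
BitDefender 7.2 2008.10.30 -
CAT-QuickHeal 9.50 2008.10.29 -
ClamAV 0.93.1 2008.10.30 -
DrWeb 4.44.0.09170 2008.10.30 -
eSafe 7.0.17.0 2008.10.30 -
eTrust-Vet 31.6.6180 2008.10.29 -
Ewido 4.0 2008.10.30 -
F-Prot 4.4.4.56 2008.10.29 -
F-Secure 8.0.14332.0 2008.10.30 -
Fortinet 3.117.0.0 2008.10.28 -
GData 19 2008.10.30 Win32:PureMorph
Ikarus T3.1.1.44.0 2008.10.30 -
K7AntiVirus 7.10.512 2008.10.30 -
Kaspersky 7.0.0.125 2008.10.30 -
McAfee 5418 2008.10.30 -
Microsoft 1.4005 2008.10.30 -
NOD32 3570 2008.10.30 -
Norman 5.80.02 2008.10.30 -
Panda 9.0.0.4 2008.10.29 -
PCTools 4.4.2.0 2008.10.30 -
Prevx1 V2 2008.10.30 -
Rising 21.01.32.00 2008.10.30 -
SecureWeb-Gateway 6.7.6 2008.10.30 -
Sophos 4.35.0 2008.10.30 -
Sunbelt 3.1.1764.1 2008.10.29 -
Symantec 10 2008.10.30 -
TheHacker 6.3.1.1.134 2008.10.30 -
TrendMicro 8.700.0.1004 2008.10.30 -
VBA32 3.12.8.9 2008.10.30 -
ViRobot 2008.10.30.1445 2008.10.30 -
VirusBuster 4.5.11.0 2008.10.30 -
"""

# Hashes from the same report (hex). Used to confirm the local file is the one analysed.
EXPECTED_HASHES = {
    "md5": "1ef15d66dfd385f0de1981fd01b27a51",
    "sha1": "45cb974713dcc96500b29c5419397d83de69c64b",
    "sha256": "053f8ef1e0c8d6dedcd77e8b7d24e990fb82fbcc238f975e2c36b0d095e13871",
    "sha512": "c856fb6e857548d352482d1932268ed3e40268402cf193f696d5806051af0027"
              "e784c1ef8d5e7e00e96a6f9e5a541a25e6069accd3b9d454a17460316dd5dd99",
}
ALGOS = ("md5", "sha1", "sha256", "sha512")


def parse_vt_table(text: str) -> List[Tuple[str, str, str, str]]:
    """Rows of (engine, version, last update, result); '-' means clean.
    The header line is skipped; a result containing spaces is rejoined."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Antivirus":
            continue
        rows.append((parts[0], parts[1], parts[2], " ".join(parts[3:])))
    return rows


def detection_summary(rows) -> Dict[str, object]:
    """Detection ratio plus the engines that fired and the names they used."""
    hits = [(engine, result) for engine, _, _, result in rows if result != "-"]
    total = len(rows)
    pct = 100.0 * len(hits) / total if total else 0.0
    return {"total": total, "hits": hits,
            "names": sorted({result for _, result in hits}),
            "ratio": f"{len(hits)}/{total} ({pct:.2f}%)"}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256/SHA-512 of a byte string, hex encoded."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def hash_file(path: str) -> Dict[str, str]:
    """Same digests for a file on disk (the sample here is ~80 KB, so read at once)."""
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def compare_hashes(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match between what you computed and what the report lists."""
    return {name: actual.get(name, "").lower() == value.lower()
            for name, value in expected.items()}


if __name__ == "__main__":
    import sys
    summary = detection_summary(parse_vt_table(VT_TABLE))
    print("Detections:", summary["ratio"], summary["hits"], summary["names"])
    if len(sys.argv) > 1:  # optional argument: path to the copy exported from the chest
        for name, ok in compare_hashes(hash_file(sys.argv[1]), EXPECTED_HASHES).items():
            print(f"{name}: {'match' if ok else 'MISMATCH'}")
```

Run with the exported file's path (the C:\Suspect copy, not the original) to get both the ratio and the hash check. A low ratio with every hit carrying the same detection name, as here (2/36, both "Win32:PureMorph"), is the pattern of a single signature misfiring rather than independent detections, which is a reason to send the sample to the vendor rather than a proof of harmlessness on its own.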

Whilst it might be as expected, it still had to be confirmed.

Send the sample to avast for analysis as in the how to report and exclude from scans link in my first post.