This started today on almost all my network machines:
Sample:
avast! []: File “C:\WINDOWS\setpwr32.exe” is infected by “Win32:Malware-gen” virus.
“Quick scan” task used
Version of current VPS file is 110902-0, 09/02/2011
95% of my machines are reporting this same infection today. It looks and smells like a false positive, but can I get confirmation from someone that this is, indeed, a false positive?
Upload suspicious file(s) to www.virustotal.com and test with 44 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.
If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP, even given that non-specific detection by vba32.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.
In the meantime (if you accept the risk), add the full path to the file to the exclusions lists (see Note below): File System Shield, Expert Settings, Exclusions, Add and avast Settings, Exclusions
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.
Note: When using the Browse button it only goes down to folder level; accept that. Now open the entry in the exclusions and change the * to \file_name.exe where file_name.exe is the file you want to exclude.
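
The counting rule from the reply above (GData and avast count as one detection, and a non-specific label carries little weight), as an added example that is not part of the original thread. The scanner names other than avast, GData and VBA32, the non-specific marker list, the "at most one specific engine" threshold and all sample labels except `Win32:Malware-gen` are assumptions made for illustration.

```python
# Added example. SAMPLE is constructed, not a real scan report.
# Per the reply, GData embeds the avast engine, so the two count once.
SHARED_ENGINE = {"gdata": "avast"}

# Assumption: label fragments treated as non-specific (heuristic) names.
GENERIC_MARKERS = ("suspected", "suspicious", "heur", "generic")


def is_generic(label):
    return any(marker in label.lower() for marker in GENERIC_MARKERS)


def independent_detections(results):
    """Map underlying engine -> labels, skipping scanners that found nothing."""
    by_engine = {}
    for scanner, label in results.items():
        if not label:
            continue
        engine = SHARED_ENGINE.get(scanner.lower(), scanner.lower())
        by_engine.setdefault(engine, []).append(label)
    return by_engine


def triage(results):
    by_engine = independent_detections(results)
    specific = sorted(e for e, labels in by_engine.items()
                      if not all(is_generic(l) for l in labels))
    return {
        "raw_hits": sum(1 for label in results.values() if label),
        "independent_hits": len(by_engine),
        "specific_engines": specific,
        # Assumption: at most one independent, specific engine => likely FP.
        "likely_false_positive": len(specific) <= 1,
    }


SAMPLE = {
    "avast": "Win32:Malware-gen",            # label quoted in the thread
    "GData": "Win32:Malware-gen",            # constructed: same engine
    "VBA32": "suspected of Placeholder.1",   # constructed non-specific label
    "ScannerA": None,                        # constructed clean results
    "ScannerB": None,
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The result is a triage hint for deciding whether to submit the file as a false positive; it does not establish that the file is clean.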