Hi… I think it is, but avast detected two such files, viz.
1. C:\System Volume Information\_restore{4F8ED45C-9EF4-4A8B-B07D-AA1B696CFB11}\RP27\A0042967.dll [L] Win32:Trojan-gen {Other}
2. c:\windows\system32\wr12515.dll
The VirusTotal link result is… http://www.virustotal.com/analisis/97dac865ec01b7ba389b3a477ca95fa4
it states…
File wr12515.dll received on 10.10.2008 02:38:03 (CET)
Current status: finished
Result: 0/36 (0.00%)…
The C:\System Volume Information\ folder is the System Restore one.
If you move that file to the Chest, only that particular restore point will be destroyed. You can create a new, clean one. But, indeed, it seems a false positive.
This really is a strange one, as a Google search for wr12515.dll only finds 4 hits, two at avast and two at WildersSecurity, all relating to a detection on this file that could be an FP. I believe the avast detection in the _restore point also related to this file.
Now, for me it is very suspicious for a file in the system32 folder not to get many hits relating to what the file is about, e.g. what program or company, etc.
What avast is detecting this with is a generic signature, which is designed to detect what isn’t caught by a normal signature. The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected. So even though there are no hits on VT, even from avast (see below), I’m still suspicious of this file.
It isn’t unusual for avast not to detect on VirusTotal when it does so on your system. VT isn’t able to update the VPS in real time as the user is, and this is often the cause. Remember, the point of submitting it to VT is to see what the other scanners find.
Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put "possible false positive" in the subject. You can also add the file to the User Files (File, Add) section of the avast Chest (if it isn’t already there), where it can do no harm, and send it from there (select the file, right click, Email to Alwil Software). No need to zip and PW protect when the sample is sent from the Chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
This will at least have avast analyse this file in detail, and it may well be that it will still be detected but by a different name (or it will be confirmed as an FP and the VPS corrected).