Two virus warnings in two days - false positives?

My computer is a Compaq Presario running Windows SP2. Yesterday Avast told me that C:\HP\recovery\wizard\swr_wizard.exe was malware: win32:trojan-gen. Today I got the same message for C:\System Volume Information\_restore{88A97…}RP1217\A70004.exe (I didn’t type the entire long string inside the {}, I can give it to you if needed). I put them in the chest, and I uploaded them to virustotal.com; the links are

http://www.virustotal.com/reanalisis.html?727115e394d7e12562198bc466f723bc and

http://www.virustotal.com/reanalisis.html?55af20e5f5c4bb92cd25a63f90ed3e5f

Unfortunately, I don’t understand what the reports mean. Are these really malware, or is Avast giving me false positives? I’ve been using Avast for at least 8 months and I’ve never had any viruses detected before. These were both detected by the scanner that runs as a screen saver.

Any help would be much appreciated. Thank you.

Unfortunately the links you gave only show links to previously scanned results, which are inconclusive.

You should always elect to scan the files again as these old scans date from June and a) more scanners might now detect them or b) some might now consider the detection false and have corrected the detection.

So you should upload them again and have them rescanned.

Okay, sorry, didn’t realize. I re-uploaded them and had them reanalyzed; results are at:

http://www.virustotal.com/analisis/18db5190f2d6ea28c95dd0db7687ddbd and
http://www.virustotal.com/analisis/83ef1bd908247c2be7fa1bdadd0c9e92

(I forgot to say that I’m also running the free version of ZoneAlarm).

Thanks very much.

Well, that seems to confirm the detections, as there is now a greater number of detections than in the old scans.

I’m somewhat surprised by the HP Recovery Wizard file being detected, though the detections on this, with one exception, are either generic or heuristic, which are more prone to false positives.

So I would suggest submitting the sample swr_wizard.exe file to avast for further analysis.
Send the sample to virus@avast.com zipped and password protected, with the password in the email body, a link to this topic (which might help) and "possible false positive" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

You could if you wish send the other file for analysis, but I don’t feel it is of much value. I will tell you why:
a) it is a restore point and that is usually there because the file has at one point been deleted from a system folder.
b) even if it is a false positive (and we can’t be sure on that) I don’t know how successful avast would be in trying to put it back (harder than removing I feel) as it is a protected area.
c) if there is even the slightest doubt about a restore point the last thing I would want is it to remain and possibly bite me in the rear at some time in the future.

Welcome to the forums.
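The two points made in this thread (rescan stale VirusTotal results before drawing conclusions, and treat generic/heuristic detection names as weaker evidence than a named family) can be turned into a small triage routine. The script below is an added example and is not code from the forum, from avast or from VirusTotal; the report layout, the "generic" name markers, the 7-day staleness threshold and the three sample reports are all constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Fixed "today" so the example runs reproducibly offline (constructed, not a clock read).
TODAY = datetime(2008, 10, 15).date()
MAX_AGE_DAYS = 7  # assumed threshold: older results should be reanalysed before use

# Assumed markers that flag a detection name as generic or heuristic rather than a
# named family. Real engine naming schemes vary; extend this list for your own feeds.
GENERIC_MARKERS = re.compile(
    r"(gen\b|generic|heur|suspicious|packed|unclassified)", re.IGNORECASE
)

# Constructed reports in the shape of the old VirusTotal summary: one scan time and one
# entry per engine (None means the engine reported nothing). Illustrative, not real results.
REPORTS = {
    "old": {  # a months-old scan: whatever it says, it should be resubmitted first
        "scan_date": "2008-06-03 10:22:11",
        "results": {"Avast": "Win32:Trojan-gen", "Kaspersky": None, "Symantec": None},
    },
    "generic_only": {  # fresh scan, every hit is generic/heuristic: candidate false positive
        "scan_date": "2008-10-14 08:00:00",
        "results": {
            "Avast": "Win32:Trojan-gen {Other}",
            "AntiVir": "HEUR/Malware",
            "McAfee": "Generic.dx",
            "BitDefender": "Trojan.Generic.12345",
            "Kaspersky": None,
            "Symantec": None,
            "NOD32": None,
            "Sophos": None,
        },
    },
    "named": {  # fresh scan with two engines agreeing on a named family
        "scan_date": "2008-10-14 08:00:00",
        "results": {
            "Avast": "Win32:Trojan-gen {Other}",
            "Kaspersky": "Trojan.Win32.Agent.abcd",
            "Symantec": "Trojan.Agent",
            "McAfee": None,
            "Sophos": None,
        },
    },
}


def is_generic(name):
    """True when the detection name carries a generic/heuristic marker."""
    return bool(GENERIC_MARKERS.search(name))


def is_stale(scan_date_str, today=TODAY, max_age_days=MAX_AGE_DAYS):
    """A scan older than max_age_days is stale and should be reanalysed."""
    scanned = datetime.strptime(scan_date_str, "%Y-%m-%d %H:%M:%S").date()
    return (today - scanned) > timedelta(days=max_age_days)


def summarise(report, today=TODAY):
    """Count engines, detections and how many of the detections name a family."""
    results = report["results"]
    detections = {eng: name for eng, name in results.items() if name}
    named = {eng: name for eng, name in detections.items() if not is_generic(name)}
    return {
        "stale": is_stale(report["scan_date"], today),
        "engines": len(results),
        "detections": len(detections),
        "named": len(named),
        "generic": len(detections) - len(named),
        "named_families": sorted(set(named.values())),
    }


def recommend(summary):
    """Map a summary to a next step for the person handling the alert."""
    if summary["stale"]:
        return "rescan"            # old results are inconclusive either way
    if summary["detections"] == 0:
        return "clean"
    if summary["named"] == 0:
        return "possible-fp"       # only generic/heuristic hits: submit the sample
    return "likely-malicious"


def triage_all(reports=REPORTS, today=TODAY):
    """Recommendation per report key, e.g. {'old': 'rescan', ...}."""
    return {key: recommend(summarise(rep, today)) for key, rep in reports.items()}


if __name__ == "__main__":
    for key, rep in REPORTS.items():
        s = summarise(rep)
        print(f"{key:13s} engines={s['engines']} detections={s['detections']} "
              f"named={s['named']} stale={s['stale']} -> {recommend(s)}")
```

The "possible-fp" outcome is the situation in this thread: several engines fire, but every name is a generic or heuristic one, so the right step is to submit the sample to the vendor rather than treat the count of detections as proof.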

DavidR,

Thank you so much for your prompt replies and your help. I have zipped/password protected the HP recovery wizard file and sent it to virus@avast.com. (I was unable to e-mail it from the infected files area of the chest; the error message said it was too big). Your explanation about the other restore point file was very helpful, and I understand why its analysis wouldn’t be useful.

I look forward to hearing your results.

You can change the Max file size to be sent in the avast Program Settings, Chest, and adjust the file size to cater for the size of file.

They won’t be my results, I’m just an avast user like yourself.

You normally won’t get a reply unless they require any more information, periodically scan the copy of the file in the chest (after VPS updates), when it is no longer detected you can right click on it and select Restore. This will send it back to its original location, confirm that it is in that location and delete the copy from the chest.

Okay, DavidR, I’ll check that file periodically. Thanks again - you’ve been a big help.

No problem, glad I could help.

Today avast! detected C:\hp\recovery\wizard\SWR_Wizard.exe as Win32 Trojan-gen {Other}.

It seems this apparent fp still hasn’t been fixed.

I would say it probably was fixed, but the generic win32:trojan-gen signature could revisit the detection after some tweaking/refining, so it needs to be reported again as a possible FP if you have confirmed the detection is false at virustotal.