Author Topic: MSDEV.exe, infection: Wind32:Malware-gen  (Read 3430 times)


adiamond

  • Guest
MSDEV.exe, infection: Wind32:Malware-gen
« on: July 26, 2013, 09:42:00 PM »
Process,c:\windows\system32\rundll32
The MSDEV.EXE is a MS Visual C app.  The full path was D:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\MSDEV.EXE so I'm pretty sure this is a legitimate item and probably not infected... of course I can't prove anything of the sort.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76033
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: MSDEV.exe, infection: Wind32:Malware-gen
« Reply #1 on: July 26, 2013, 09:45:35 PM »
Test it at VT and post the link. -> https://www.virustotal.com/
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37600
  • Not a avast user
Re: MSDEV.exe, infection: Wind32:Malware-gen
« Reply #2 on: July 26, 2013, 09:46:04 PM »
And what did avast do with it?
Have you tested the file at www.virustotal.com / www.metascan-online.com / www.jotti.org?

post link to scan result here

adiamond

  • Guest
Re: MSDEV.exe, infection: Wind32:Malware-gen
« Reply #3 on: July 27, 2013, 06:05:08 PM »
re: virustotal

The file was moved to the chest.  How do I get at it?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89279
  • No support PMs thanks
Re: MSDEV.exe, infection: Wind32:Malware-gen
« Reply #4 on: July 27, 2013, 07:33:42 PM »
Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.


Now open the chest - avastUI, Maintenance, Virus Chest - right click on the file within the chest and select Extract. From the next window navigate to the newly created C:\Suspect folder and click OK.

A copy of the file will now be in that folder and one remains in the virus chest - now you are good to upload it to virustotal.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
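
Once the file sits in the excluded C:\Suspect folder, the next step in the thread is to test it at VirusTotal. The PowerShell below is an added example, not something posted in this thread or shipped by Avast: it collects the facts a practitioner wants before uploading anything (hashes, Authenticode status, version resource) and builds the VirusTotal lookup URL from the SHA-256, so the file can often be checked by hash without uploading it. The path C:\Suspect\MSDEV.EXE is assumed from the extraction step above; adjust it if you extracted elsewhere.

```powershell
# Added example (not from the thread or from Avast): inspect a file extracted
# from the Avast chest before deciding whether the detection is a false positive.
$Path = 'C:\Suspect\MSDEV.EXE'   # assumed: the folder created and excluded above

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
$item = Get-Item -LiteralPath $Path

# 1. Hashes. VirusTotal and the other multi-engine scanners index by hash, so a
#    file that has already been seen can be looked up without uploading it.
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
$md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()

# 2. Authenticode. A Valid Microsoft signature is strong evidence the binary is
#    the shipped one. HashMismatch on a signed file means it was modified after
#    signing and is the one result here that points to tampering. NotSigned is
#    common for tools of the Visual C++ 6 era and is not by itself suspicious.
$sig = Get-AuthenticodeSignature -LiteralPath $Path

# 3. Version resource. Compare CompanyName/ProductName with what the path claims.
$ver = $item.VersionInfo

[pscustomobject]@{
    Path        = $Path
    SizeBytes   = $item.Length
    SHA256      = $sha256
    MD5         = $md5
    SigStatus   = $sig.Status                   # Valid / NotSigned / HashMismatch / ...
    Signer      = $sig.SignerCertificate.Subject
    Company     = $ver.CompanyName
    Product     = $ver.ProductName
    FileVersion = $ver.FileVersion
    VTLookup    = "https://www.virustotal.com/gui/file/$sha256"
} | Format-List
```

Open the VTLookup URL first: if VirusTotal already knows the hash you get the engine results without uploading the file. Only if the hash is unknown do you upload it, and the link you then post in the thread is the report page for that same SHA-256. Keep the hash output alongside the Avast chest copy; it lets you confirm later that the file you restore and rescan is byte-for-byte the one that was analysed.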

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76033
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: MSDEV.exe, infection: Wind32:Malware-gen
« Reply #6 on: July 27, 2013, 11:06:20 PM »
You can report a possible FP here: http://www.avast.com/contact-form.php

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89279
  • No support PMs thanks
Re: MSDEV.exe, infection: Wind32:Malware-gen
« Reply #7 on: July 27, 2013, 11:18:42 PM »
The Win32:Malware-gen is a generic detection, so it is more prone to a false positive, but it isn't unusual for avast to be the only one to detect a file and also be correct.

From the avast chest, right click on the file and this time select Submit to virus lab... and periodically scan the file from within the chest. If it was an FP then the signature should be modified and the file will no longer be detected.

- In the meantime (if you accept the risk), add the full path to the file to the exclusions lists (see Note below):
File System Shield, Settings, Exclusions, Add and
avastUI > Settings > Global Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avastUI > Settings > Global Exclusions lists.

Note: When using the Browse button it only goes down to folder level; accept that. Now open the entry in the exclusions and change the \* to \file_name.exe, where file_name.exe is the file you want to exclude.