Topic: system32\carpserv.exe Avast says it is Win32:Malware-gen is it false positive?

Tobias4051

  • Guest
Hi,

During a quick scan avast found carpserv.exe in system32, and labelled it as Threat: Win32:Malware-Gen.

This file carpserv.exe has been on the laptop computer for as long as I remember. Even straight after a format.

I ran an MBAM full scan, which found nothing, but while it was running, Avast found the system32\carpserv.exe file and put it in the chest. Avast then also found and moved a file in _restore and a .tmp file in system32, and moved both these to the chest also.

When looking up the carpserv.exe file, it seems to be to do with a Conexant modem.
The virus database was updated before the scan. Current Version: 110621-0 Release date: 21/06/2011 09:19:30
Is this a false positive?

Many thanks.

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Tobias4051

  • Guest
Thank you for your reply and for the suggestion. I did not know about the VirusTotal website.

At the moment I feel unsure about pulling this potentially dangerous file out of the virus chest, even though it might be a FP.
Is there another way to check it?

Avast definitions have been updated to version 110621-1
I right clicked on the carpserv.exe file in the chest and scanned it. It came up with a box that said win32:malware-gen

About the other 2 files that also got sent to the chest (the one in _restore and the .tmp file): could they be to do with the carpserv.exe file?
All 3 files, in the virus chest list, say they last changed 21/05/2003 15:35:50

Has anyone else got this carpserv.exe file in system32?
It might be to do with Conexant modems.
Is it showing as a virus on other machines?

Many thanks for your assistance.

---edit---

After a boot scan the virus database was automatically updated to 110622-0

Right clicking on the carpserv.exe file, and the other 2 files in the virus chest, now labels them as -- no virus--
« Last Edit: June 22, 2011, 01:27:48 PM by Tobias4051 »

DavidR

There is virtually no risk involved; that is why I said extract it to a temporary location, not restore, which sends it back to the original location. As I said, it can't be checked whilst it is in the chest as it is a protected area.

If it were a good detection and active, having it in the original location would make it active again.

In a temporary location there is no associated registry entry or other possible file to run it, so in that temp location it is inert, provided you don't go trying to execute it, and this won't happen by uploading it.

The updated virus database not detecting it would support this being an FP, and that was what we were seeking to do by uploading it to VT. Whilst it isn't essential, the file could be submitted to avast only for analysis from the chest. But I prefer to confirm before sending it for analysis and give the URL to the VT results in the report.

You can Restore it from the chest now, confirm it is back in the original location and you can remove the copy that remains in the chest.