false positive? Vundo.gen.42 found in Pidgin Portable

Actually, of the four, 3 of them have had false positives in the past: AVG, F-Secure and NOD32. AVG has frequent false positive issues. Plus the fact that all of the bigger AV products rate it as clean. Add to that the fact that this was released 3 weeks ago, so if there were an actual problem in it, it would have cropped up quite a while ago.

You can recreate this issue yourself if you'd like. Grab a thinice.dll from a standard local install of the version of GTK that ships with Pidgin. You'll notice it scans clean. Then UPX compress it using the open source UPX software compression utility with the following options:

upx.exe --best --compress-icons=0 --nrv2e --crp-ms=999999 -k thinice.dll

Scan that file and you'll notice that Norman will think it is infected with malware. Now, uncompress the file using UPX again:

upx.exe -d thinice.dll

Scan the result and it will again come up as clean.

Basically, what this means is that whatever value these 4 products are using as a check for this particular malware just happens to coincide with a part of that file when compressed. Some antivirus/antimalware products aren't checked for false positives as well as they should be. Even the ones that are will occasionally ship bad definitions files.