Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: dellboy on May 31, 2010, 04:20:13 PM

Title: Migwiz.exe
Post by: dellboy on May 31, 2010, 04:20:13 PM
Hi,

Just done a full system scan and a threat was found C:\WINDOWS\$NtServicePackUninstall$\migwiz.exe

I've sent it to the chest, but Avast says it's malware?

I can't find any conclusive info on this except that migwiz.exe is a file used by files transfer wizard?

Can someone please point me in the right direction.
Title: Re: Migwiz.exe
Post by: DavidR on May 31, 2010, 04:29:04 PM
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* That will stop the File System Shield scanning any file you put in that folder.
Title: Re: Migwiz.exe
Post by: PapaSmurf on May 31, 2010, 04:32:33 PM
According to what I have read, it is a file transfer utility from Microsoft.
Possibly maybe something corrupted the file?
You can google the filename and read about it.

Do what DavidR suggests. This will give another report that can be viewed.
Title: Re: Migwiz.exe
Post by: dellboy on May 31, 2010, 04:46:16 PM
Thanks for the really quick replies 8)

Here's the link from Virus total: http://www.virustotal.com/analisis/8e4e9f5e172a4948893eb3189786caadce43e47522292324281ba7812b174383-12753128
Title: Re: Migwiz.exe
Post by: dellboy on May 31, 2010, 04:52:21 PM
I thought I'd scan the migwiz.exe file whilst in the suspect folder, and lo and behold a threat was detected.  The description was Win32:Malware-gen, which after doing a quick Google search doesn't look very encouraging!
Title: Re: Migwiz.exe
Post by: rob24 on May 31, 2010, 08:45:14 PM
My daily scheduled scan using Ashquick.exe also found this today. I sent it to the chest and it is also IDd as Win32:Malware-gen. I have submitted it to Avast too.
Title: Re: Migwiz.exe
Post by: DavidR on May 31, 2010, 09:13:03 PM
Quote from: dellboy on May 31, 2010, 04:52:21 PM
"I thought I'd scan the migwiz.exe file whilst in the suspect folder, and lo and behold a threat was detected. The description was Win32:Malware-gen, which after doing a quick Google search doesn't look very encouraging!"

If you had excluded that folder as I suggested in the above instructions then you shouldn't have found anything.

The avast Win32:Malware-gen is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.

So a search on this malware name is unlikely to reveal any useful 'specific' information on what it actually is.

Unfortunately your URL to the VT results doesn't work, so how many detections and what detected it (only avast and gdata, etc.)?
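
DavidR's description of a generic (-gen) signature, shown as an added illustration that is not part of the thread and is not Avast's engine or signature format: a loose byte pattern catches both constructed variants of a family and also an unrelated legitimate file, while a tightened pattern no longer flags the legitimate one. The signature syntax, the names and the sample bytes are all constructed for this example.

```python
import re

def compile_signature(sig):
    """Compile a toy hex signature into a bytes regex.
    Tokens: 'E8' = that exact byte, '??' = any one byte, '*' = gap of 0-16 bytes."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".{0,16}")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so that '.' also matches the byte 0x0A
    return re.compile(b"".join(parts), re.DOTALL)

def scan(signatures, samples):
    """Return {sample name: [names of the signatures that match it]}."""
    compiled = {name: compile_signature(s) for name, s in signatures.items()}
    return {fname: [n for n, rx in compiled.items() if rx.search(data)]
            for fname, data in samples.items()}

# Constructed signatures (hypothetical names and syntax).
SIGNATURES = {
    # Loose: function prologue, some call, test of the result.
    # Ordinary compiled code has this shape too.
    "toy-gen-loose": "55 8B EC 83 EC ?? * E8 ?? ?? ?? ?? 85 C0",
    # Tightened: same skeleton plus a constant only the constructed family carries.
    "toy-gen-fixed": "55 8B EC 83 EC ?? * E8 ?? ?? ?? ?? 85 C0 68 EF BE AD DE",
}

# Constructed byte strings, not taken from any real file.
SAMPLES = {
    "family_variant_a.bin": bytes.fromhex(
        "558bec83ec10" "6a00" "e811223344" "85c0" "68efbeadde"),
    "family_variant_b.bin": bytes.fromhex(
        "558bec83ec20" "6a016a00" "e8aabbccdd" "85c0" "68efbeadde"),
    "legit_tool.bin": bytes.fromhex(
        "558bec83ec08" "ff7508" "e801020304" "85c0" "7405"),
}

if __name__ == "__main__":
    for fname, hits in scan(SIGNATURES, SAMPLES).items():
        print(f"{fname}: {hits or 'clean'}")
```

The loose pattern flags all three samples, including the legitimate one; the tightened pattern still matches both variants but leaves the legitimate file alone.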
Title: Re: Migwiz.exe
Post by: DavidR on May 31, 2010, 09:15:44 PM
Quote from: rob24 on May 31, 2010, 08:45:14 PM
"My daily scheduled scan using Ashquick.exe also found this today. I sent it to the chest and it is also IDd as Win32:Malware-gen. I have submitted it to Avast too."

The strange thing is that a search of my system for this file only reveals one in the c:\windows\system32 folder and a scan of that with ashquick.exe finds it clean.
Title: Re: Migwiz.exe
Post by: rambo1940 on May 31, 2010, 10:14:50 PM
I have just done a scan and found the same thing.
I have also looked up Migwiz on Google and am none the wiser.
Could someone please tell me in simple English.
(1) What is Migwiz?
(2) Why did the scan find it?
(3) Should I remove it? At the moment it is locked up in the vault.
(4) If it is not a virus or similar, why did Avast pick it up?
(5) What should I do now?

Sorry to sound so stupid but I really don't understand.
Help would be much appreciated,
Thank you.
Regards.
 
Title: Re: Migwiz.exe
Post by: polonus on May 31, 2010, 10:31:51 PM
Hi posters in this thread,

Here it is qualified as benign:
 migwiz.exe - Process Information

This component is part of  MS Windows Files and Settings Transfer Wizard


Component Name: migwiz.exe

Description of : With the use of a direct connection cable and this program,
you will be able to transfer all settings and files from an old computer to a new one.
info: http://www.liutilities.com/products/wintaskspro/processlibrary/migwiz/
Further: http://www.spyfu.com/Term.aspx/Term.aspx?t=997090

Recommendation for :
.

Trusted: Yes
Trojan: No
Chronic: No
Adware: No
Carrier: No
Browser Hijacker: No
Dialer: No
Commercial Keylogger: No
Remote Administration Tool: No
Suspected: No

Company Name: Microsoft Corporation
Platforms Affected: 
Methods of Distribution: .
Variants/Versions: 
Release Date: ,

polonus
Title: Re: Migwiz.exe
Post by: rambo1940 on May 31, 2010, 10:35:13 PM
That's great
Thank you
Title: Re: Migwiz.exe
Post by: rob24 on May 31, 2010, 10:42:59 PM

Quote from: polonus on May 31, 2010, 10:31:51 PM
"Here it is qualified as benign:
migwiz.exe - Process Information

This component is part of MS Windows Files and Settings Transfer Wizard"

Is it OK to leave it in the Chest, as I have in that case, or is the file needed for the MS process you describe, when the time comes to carry out that process? In other words, will the Wizard fail in the absence of that file?
I was happy enough for it to stay safely in the Chest before knowing that, even if it had been a threat.
Title: Re: Migwiz.exe
Post by: fernbomb on May 31, 2010, 11:41:09 PM
I got this today as well, and I moved it to the chest. Is it possible this is just a false positive?
Title: Re: Migwiz.exe
Post by: Gargamel360 on May 31, 2010, 11:58:28 PM
Looks like it.
Polonus knows his malware. :)
He posted his source if you would care to check yourself.
Title: Re: Migwiz.exe
Post by: MAG on June 01, 2010, 06:08:24 PM
I got the same thing with a scan yesterday. Moved migwiz.exe to the chest yesterday. Did a right click avast scan on it inside the chest today (with latest virus database) and it says "migwiz.exe - no virus", so I assume it was just a false positive in yesterday's virus database release?
Title: Re: Migwiz.exe
Post by: DavidR on June 01, 2010, 06:36:17 PM
That would appear to be the case and the signature has been corrected in a VPS update.
Title: Re: Migwiz.exe
Post by: nightshift on June 01, 2010, 09:33:05 PM
Same happened to me. I put it in Virus Chest pending an outcome and I'm pleased it is a false positive. One question though: I chose to restore the file from the Virus Chest/Infected Files section. A pop up confirmed that my action was successful but the migwiz.exe reference is still in the virus chest. If I have restored it correctly should it not then disappear from the Virus Chest altogether?

Thanks
nightshift
Title: Re: Migwiz.exe
Post by: DavidR on June 01, 2010, 09:46:17 PM
Yes a copy remains in the chest (safety measure), confirm that the restore action was successful by checking the file is back in the original location. If so then you can safely delete the copy in the chest.
Title: Re: Migwiz.exe
Post by: nightshift on June 01, 2010, 10:52:08 PM
Thanks DavidR. Much appreciated  ;)

nightshift
Title: Re: Migwiz.exe
Post by: rob24 on June 01, 2010, 11:04:03 PM
Quote from: DavidR on June 01, 2010, 09:46:17 PM
"Yes a copy remains in the chest (safety measure), confirm that the restore action was successful by checking the file is back in the original location. If so then you can safely delete the copy in the chest."

I've just done that too - thanks.

Good to know Avast errs on the side of caution, even if a hint of panic at the time, and that we have the support of a good forum.
Title: Re: Migwiz.exe
Post by: DavidR on June 01, 2010, 11:14:29 PM
You're welcome.