Author Topic: Sign of "Win32:Malware-gen" found in isqlw.exe, profiler.exe, dtswiz.exe  (Read 7631 times)


sithemac

  • Guest
Hi, during a scheduled scan on Friday 13/11/09...
Sign of "Win32:Malware-gen" has been found in "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\isqlw.exe" file. 
Sign of "Win32:Malware-gen" has been found in "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\profiler.exe" file. 
Sign of "Win32:Malware-gen" has been found in "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\dtswiz.exe" file. 

These are three components of SQL Server 2000 that have been installed for months and never showed up previously. Avast removed the above 3 components from both PCs on the domain that have the MSSQL2000 software.

Unfortunately, in our corporate setup the Avast icon is locked to end-users (even developers) so I can't check the files. I suspect these are FPs but cannot confirm this at present. Avast doesn't even report (to end-users) that it has quarantined or deleted the files. I spent a long time on Friday trying to find out what had happened to the executables before I found the entries in the computer management console in the Antivirus event log.

I'm posting mainly so that others who may suffer the same symptoms may find this by Googling. I'm currently waiting for the helpdesk to confirm whether these were FPs and to re-install the software for me.


sithemac

  • Guest
Re: Sign of "Win32:Malware-gen" found in isqlw.exe, profiler.exe, dtswiz.exe
« Reply #1 on: November 16, 2009, 11:46:18 AM »
I can now confirm that the files, after being restored from the virus chest and re-scanned using the latest definitions, are not infected. It was a FP (False Positive) on Friday.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Sign of "Win32:Malware-gen" found in isqlw.exe, profiler.exe, dtswiz.exe
« Reply #2 on: November 16, 2009, 03:13:43 PM »
Yes, it has been fixed immediately.

sithemac

  • Guest
Re: Sign of "Win32:Malware-gen" found in isqlw.exe, profiler.exe, dtswiz.exe
« Reply #3 on: November 16, 2009, 05:33:42 PM »
Thanks for the confirmation Maxx.

I know the occasional FP is inevitable. This just emphasized how annoying it is for admins to lock the AV client down to the point where it doesn't report to the user when it has quarantined files, in this case some of my main tools. As we'd had Windows security updates installed in the morning it wasn't immediately clear what the cause of the missing .exes was and there were no desktop support staff on site that day.

In the end it cost my employer 1/2 day of my time tracking the problem down, when a simple notification would have let me get on with something else.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Sign of "Win32:Malware-gen" found in isqlw.exe, profiler.exe, dtswiz.exe
« Reply #4 on: November 16, 2009, 05:47:08 PM »
Sorry for any inconvenience.

sithemac

  • Guest
Re: Sign of "Win32:Malware-gen" found in isqlw.exe, profiler.exe, dtswiz.exe
« Reply #5 on: November 16, 2009, 06:04:19 PM »
No apology necessary. Twas not the software as much as the way it has been configured in this instance. :)

sudhanshu_

  • Guest
Re: Sign of "Win32:Malware-gen" found in dtswiz.exe
« Reply #6 on: November 27, 2009, 08:28:24 PM »
Now it happened with me..

I had copied the Microsoft Office 2000 Premium setup Disk 1 and Disk 2 onto my system's non-system D: drive (CD written by a friend) around 7 months ago. At that time I had AVG Free Edition.

Now, after I got Avast Free Edition, I recently did a standard scan of my D: drive and was informed by
Avast: Virus found, sign of malware win32........ etc.

I am in doubt. I thought 10 times before moving the file to the chest. Not deleted yet.

I enabled the "Company name" column in the file properties view in Explorer, and it confirmed this file is not by Microsoft,
whereas all the files in that particular folder have the company name "Microsoft" in the Company column.
This file dtswiz.exe has no company name mentioned and hence it's suspicious.

For the time being I have moved the file to the chest, did a search on Google and found the above post.

I have tried the online scans of Kaspersky and Jotti lab, but Jotti lab says the file is empty and does not upload it for scanning! The size of the file is 28 KB.

Looking for some clue... For the time being the file dtswiz.exe is in quarantine. Along with this file there is another one with a similar name, dtswiz.dll, but in .dll format, and it's reported clean.

Here was the location of the file on my PC:

\MicrosoftOffice2000---Premium\Disk1\SQL\X86\BINN\DTSWIZ.EXE

Anyone having any clue..

Fuzzy John

  • Guest
Re: Sign of "Win32:Malware-gen" found in isqlw.exe, profiler.exe, dtswiz.exe
« Reply #7 on: November 29, 2009, 05:31:20 AM »
I just had the DTSWIZ.EXE flagged as infected with the Win32:Malware-gen virus.
The VPS version is 091128-2. This is the first time the file was flagged. I did not get any alerts around Nov. 16 when the other posts mention it.
For now I left the file as is.
« Last Edit: November 29, 2009, 05:38:04 AM by Fuzzy John »

majoMo

  • Guest
Re: Sign of "Win32:Malware-gen" found in isqlw.exe, profiler.exe, dtswiz.exe
« Reply #8 on: November 29, 2009, 07:56:11 PM »
Same here.

DTSWIZ.EXE flagged as Win32:Malware-gen, VPS version is 091129-1.

It seems to be a False Positive. File is from MS, Office 2000 CD install.

VirusTotal report.

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2295
Re: Sign of "Win32:Malware-gen" found in isqlw.exe, profiler.exe, dtswiz.exe
« Reply #9 on: November 30, 2009, 08:57:14 AM »
Hi,
thank you for the notice. The false positive will be fixed in the next (091130-0) VPS update.


Milos

sudhanshu_

  • Guest
regarding this dtswiz.exe file
« Reply #10 on: December 28, 2009, 07:19:08 AM »
Again I would like to comment here. I had found this file in the Microsoft Office folder, but when I went on to check the file attributes, the "Company" field was blank, whereas peer files in that folder had "Microsoft" under the "Company" attribute. So

1) this file is not from Microsoft
2) if it is then perhaps there is a virus which attacks this particular file from Microsoft office.

so shall we delete this file altogether and risk MS Office prompting us for this file at some point, or
put it in the chest for an indefinite period,
or heal it so that it comes back to its original state?

I still have this file lying in the chest.

sithemac

  • Guest
Re: Sign of "Win32:Malware-gen" found in isqlw.exe, profiler.exe, dtswiz.exe
« Reply #11 on: January 04, 2010, 10:20:21 AM »
I restored dtswiz.exe from quarantine and scanned with the new virus definitions and it didn't get flagged again. I don't know why that component isn't signed by Microsoft, but it appears to be working correctly and I have no suspicious activity showing on my computer.

If in serious doubt, leave it in quarantine and do a fresh install of the software, then see if it gets flagged. It was just an issue with that one virus definition file as confirmed by Maxx_original.
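The checks the posters did by hand (looking at the "Company" field in Explorer, restoring a file from quarantine and re-scanning, comparing against a fresh install) can be done in one pass from PowerShell. The script below is an added example for readers of this thread; it is not code from any poster or from Avast. It uses the three SQL Server 2000 paths named in the first post and assumes a directory `$KnownGood` holding reference copies of the same binaries taken from clean install media (an assumed location that must be adjusted).

```powershell
# Added example (not from the thread): audit binaries an AV flagged as
# Win32:Malware-gen by reading the PE version resource (CompanyName),
# checking the Authenticode signature, and comparing a SHA-256 hash
# against a known-good copy from install media.
# Paths below are the ones named in the thread; $KnownGood is an assumption.

$Suspects = @(
    'C:\Program Files\Microsoft SQL Server\80\Tools\Binn\isqlw.exe',
    'C:\Program Files\Microsoft SQL Server\80\Tools\Binn\profiler.exe',
    'C:\Program Files\Microsoft SQL Server\80\Tools\Binn\dtswiz.exe'
)
$KnownGood = 'D:\ReferenceCopies'   # assumption: files copied from clean install media

foreach ($Path in $Suspects) {
    if (-not (Test-Path -LiteralPath $Path)) {
        # A missing file is consistent with the AV having quarantined or deleted it,
        # which is exactly the symptom described in the first post.
        [pscustomobject]@{ File = $Path; Status = 'MISSING (quarantined or deleted?)' }
        continue
    }

    $Item = Get-Item -LiteralPath $Path
    $Sig  = Get-AuthenticodeSignature -FilePath $Path
    $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Compare against the reference copy of the same file name, if one exists.
    $Ref = Join-Path -Path $KnownGood -ChildPath $Item.Name
    $RefMatch = if (Test-Path -LiteralPath $Ref) {
        (Get-FileHash -LiteralPath $Ref -Algorithm SHA256).Hash -eq $Hash
    } else {
        'no reference copy'
    }

    [pscustomobject]@{
        File        = $Item.Name
        SizeKB      = [math]::Round($Item.Length / 1KB, 1)
        CompanyName = $Item.VersionInfo.CompanyName   # blank for dtswiz.exe per the thread
        Signature   = $Sig.Status                      # Valid / NotSigned / HashMismatch ...
        Signer      = $Sig.SignerCertificate.Subject
        SHA256      = $Hash
        MatchesRef  = $RefMatch
    }
}
```

Run it against files restored from the chest (or against the quarantined copies once they are restored to disk). As the thread itself shows, a blank CompanyName or a `NotSigned` status on a binary of that age is not by itself evidence of tampering; the decisive checks are whether the hash matches the copy from install media and whether a re-scan with the corrected VPS still flags it.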