Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Bub12 on February 27, 2011, 06:50:47 PM

Title: WZCNFLCT.EXE False Positive?
Post by: Bub12 on February 27, 2011, 06:50:47 PM
Avast is detecting & REMOVING, wzcnflct.exe, which I believe is a trusted Windows file. When I restore it, Avast only again removes the file when I am in the containing folder of said file.

Any thoughts on this? Thanks!
Title: Re: WZCNFLCT.EXE False Positive?
Post by: Vlk on February 27, 2011, 07:07:28 PM
I don't have any file of this name on my HDD...
What makes you think it's a file belonging to the OS?
What version of Windows are you running?

Thanks
Vlk
Title: Re: WZCNFLCT.EXE False Positive?
Post by: Gopher John on February 27, 2011, 07:13:05 PM
Found these links.

http://support.microsoft.com/kb/300269 (http://support.microsoft.com/kb/300269)

http://technet.microsoft.com/en-us/library/cc917584.aspx (http://technet.microsoft.com/en-us/library/cc917584.aspx)
Title: Re: WZCNFLCT.EXE False Positive?
Post by: doktornotor on February 27, 2011, 07:13:41 PM
A legit one was shipped with a rather obsolete MS SQL Server version (http://support.microsoft.com/kb/300269/en). Maybe also MS Jet. Anyway, all this stuff is 10+ years old.  ???
Title: Re: WZCNFLCT.EXE False Positive?
Post by: Bub12 on February 27, 2011, 07:35:04 PM
Quote
What makes you think it's a file belonging to the OS?
What version of Windows are you running?

Well, I am XP on a 6 year old pc, & like Gopher John pointed out, there is talk of this file on microsoft.com

So, I thought this to be an FP, & I need Avast to stop removing it, so it would seem.

TY
Title: Re: WZCNFLCT.EXE False Positive?
Post by: doktornotor on February 27, 2011, 07:39:31 PM
So, I thought this to be an FP, & I need Avast to stop removing it, so it would seem.

Unless you installed MSSQL Server 7 then the file should not be on your system at all. A Virustotal (http://www.virustotal.com/) scan would help.
Title: Re: WZCNFLCT.EXE False Positive?
Post by: Gopher John on February 27, 2011, 07:50:07 PM
Quote
What makes you think it's a file belonging to the OS?
What version of Windows are you running?

Well, I am XP on a 6 year old pc, & like Gopher John pointed out, there is talk of this file on microsoft.com

So, I thought this to be an FP, & I need Avast to stop removing it, so it would seem.

TY

I don't have wzcnflct.exe on this machine, with up to date WinXP Pro SP3.  Machine is a circa 2005 Dell.  Either something you installed placed it there, or malware is using that filename to stay below the radar.  As doktornotor stated, submit the file to VirusTotal for scanning.  Post the link to the results back here.
Title: Re: WZCNFLCT.EXE False Positive?
Post by: jjavast on February 27, 2011, 08:10:40 PM
hello everyone,

I got same problem today !  

Avast found "WZCNFLCT.EXE"

"Win32:Malware-gen" has been found in "C:\Program Files (x86)\Common Files\microsoft shared\Database Replication\WZCNFLCT.EXE" file. 

"Win32:Malware-gen" has been found in "\\localhost\C$\@GMT-2011.02.25-16.46.09\Program Files (x86)\Common Files\microsoft shared\Database Replication\WZCNFLCT.EXE" file.

I don't know what to do ?!

Thank you


(my OS is WIN 7 HOME)
Title: Re: WZCNFLCT.EXE False Positive?
Post by: danny96 on February 27, 2011, 08:13:13 PM
No problem here.
Title: Re: WZCNFLCT.EXE False Positive?
Post by: jjavast on February 27, 2011, 08:19:38 PM

"WZCNFLCT.EXE" might be infected ??  or that's a False Positive ?

I am lost....
Title: Re: WZCNFLCT.EXE False Positive?
Post by: Gopher John on February 27, 2011, 08:26:41 PM

"WZCNFLCT.EXE" might be infected ??  or that's a False Positive ?

I am lost....

As already stated in this thread, send it to http://www.virustotal.com/ (http://www.virustotal.com/) and post the results link back here in this thread.
Title: Re: WZCNFLCT.EXE False Positive?
Post by: jjavast on February 27, 2011, 08:40:09 PM
hello,

here is the result:

http://www.virustotal.com/file-scan/report.html?id=bf42d743efc3603c8887eed2cb85c8ca8c567bd7dc6c0936bc0f66f1dfc74fd5-1298835254

thanks
Title: Re: WZCNFLCT.EXE False Positive?
Post by: doktornotor on February 27, 2011, 08:43:15 PM
Hmmm, much more clear now...  ;D Not detected there by Avast at all.

People having the problem here should post exact Avast and virus database versions at least.
Title: Re: WZCNFLCT.EXE False Positive?
Post by: danny96 on February 27, 2011, 08:46:40 PM
G-Data Engine B (avast!) detect It as generic type of Malware. But avast! not.  ???
It should be FP.
Title: Re: WZCNFLCT.EXE False Positive?
Post by: jjavast on February 27, 2011, 08:58:15 PM
???  ???

Ok, with VirusTotal.com result, only for GData that's a Malaware.

But why my "Avast 4.8" found that file is infected by Malware ??

- as you said maybe a False Positive...

I am going to upgrade to Avast 5, and I ll check again.
Title: Re: WZCNFLCT.EXE False Positive?
Post by: Epsi on February 27, 2011, 08:59:35 PM
Same here. Running Avast 6.0.1000 on Windows 7 64bit and it just flaged

C:\Program Files (x86)\Common Files\microsoft shared\Database Replication\WZCNFLCT.EXE

as Win32:Malware-gen

Tested the files with TotalVirus and got 1/43, only GData flags it as Win32:Malware-gen

http://www.virustotal.com/file-scan/report.html?id=bf42d743efc3603c8887eed2cb85c8ca8c567bd7dc6c0936bc0f66f1dfc74fd5-1298836376
Title: Re: WZCNFLCT.EXE False Positive?
Post by: mag on February 27, 2011, 09:04:02 PM
Virustotal seems to be using out of date definitions for avast but up to date for Gdata, which probably explains the difference
Title: Re: WZCNFLCT.EXE False Positive?
Post by: jjavast on February 27, 2011, 09:06:22 PM
I am thinking to Delete WZCNFLCT.EXE....

but I can't find if Win 7 Home really need it....


what do you think ?
Title: Re: WZCNFLCT.EXE False Positive?
Post by: mag on February 27, 2011, 09:12:18 PM
I am thinking to Delete WZCNFLCT.EXE....

but I can't find if Win 7 Home really need it....


what do you think ?

I would be inclined to do nothing until after the next avast definition update (or two or three).

Have you reported the file as a suspect fp via the chest report function?
Title: Re: WZCNFLCT.EXE False Positive?
Post by: danny96 on February 27, 2011, 09:19:08 PM
Just keep It in virus chest and after the next 1-3 VPS updates you should test It and when It will be reported as malware, delete It. When It will report that it's clean you will can restore file

And as @mag said you should send It to a lab using virus chest...
Title: Re: WZCNFLCT.EXE False Positive?
Post by: Bub12 on February 27, 2011, 10:37:14 PM
Hi again...I am the OP, so here's what VT has come up w/, as previously reported:

http://www.virustotal.com/file-scan/report.html?id=bf42d743efc3603c8887eed2cb85c8ca8c567bd7dc6c0936bc0f66f1dfc74fd5-1298840655

When I went in the chest to restore the file so that I could submit it to VT, I noticed another detection in the chest pertaining to system restore...see attached screen shot. Mind you, I haven't run any more Avast scans, yet there was a new detection. I did however run MBAM & SAS scans & they detected nothing. I also use hard & soft firewalls & also use some other network security features & practice extremely safe internet, so the chance that I picked up a bug are not likely!

FYI, I updated to the new version of Avast a couple of days ago & now suddenly I am experiencing problems. Comodo was blocking attempts by Avast to update, & I of course allowed all.

Would love it if Avast would verify these supposed FP's or can somehow confirm if in fact they are malicious in nature. According to Avast as listed on VT, the suspect file is clean. I am confused! 
Title: Re: WZCNFLCT.EXE False Positive?
Post by: jjavast on February 27, 2011, 10:41:15 PM
Just keep It in virus chest and after the next 1-3 VPS updates you should test It and when It will be reported as malware, delete It. When It will report that it's clean you will can restore file

And as @mag said you should send It to a lab using virus chest...


I can't move it ( WZCNFLCT.EXE) to chest !

"acces denied"   ???
Title: Re: WZCNFLCT.EXE False Positive?
Post by: DBone on February 27, 2011, 10:42:11 PM
Hi again...I am the OP, so here's what VT has come up w/, as previously reported:

http://www.virustotal.com/file-scan/report.html?id=bf42d743efc3603c8887eed2cb85c8ca8c567bd7dc6c0936bc0f66f1dfc74fd5-1298840655

When I went in the chest to restore the file so that I could submit it to VT, I noticed another detection in the chest pertaining to system restore...see attached screen shot. Mind you, I haven't run any more Avast scans, yet there was a new detection. I did however run MBAM & SAS scans & they detected nothing. I also use hard & soft firewalls & also use some other network security features & practice extremely safe internet, so the chance that I picked up a bug are not likely!

FYI, I updated to the new version of Avast a couple of days ago & now suddenly I am experiencing problems. Comodo was blocking attempts by Avast to update, & I of course allowed all.

Would love it if Avast would verify these supposed FP's or can somehow confirm if in fact they are malicious in nature. According to Avast as listed on VT, the suspect file is clean. I am confused! 



Have you changed any settings? Pup? Heuristics level?
Title: Re: WZCNFLCT.EXE False Positive?
Post by: Bub12 on February 27, 2011, 10:44:38 PM
Nope! Left them at default...

FYI..Avast just updated! Let's run another scan...stay tuned!
Title: Re: WZCNFLCT.EXE False Positive?
Post by: mag on February 27, 2011, 10:46:54 PM
Nope! Left them at default...

FYI..Avast just updated! Let's run another scan...stay tuned!
Just right click scan it in the chest, and if it's clean restore it.
Title: Re: WZCNFLCT.EXE False Positive?
Post by: jjavast on February 27, 2011, 11:19:32 PM
It's OK NOW  :)

after updating  ;)

Finally it was just a False Positive.
Title: Re: WZCNFLCT.EXE False Positive?
Post by: Bub12 on February 27, 2011, 11:21:24 PM
I am about to run a boot scan! Just went thru all the settings of Avast 6.0 & adjusted to my liking.

Oh, & BTW...Avast seems to have fixed the issue!! Just scanned the two files in question & now they are clean...well they were always clean, but you get the point. Let's see what the boot scan turns up...I hope nothing, as I believe should be the case.

I am curious now though why I have WZCNFLCT on my machine  ??? Seems like I can delete it anyway...stay tuned...
Title: Re: WZCNFLCT.EXE False Positive?
Post by: Gopher John on February 27, 2011, 11:33:34 PM
A0043371.EXE from the restoration files and WZCNFLCT.EXE are likely the same files.  They are both the same size at 45130 bytes.

You should be able to find out what program install put the file there.  It would be better to uninstall that program if you don't want/need it rather than just deleting the file.  It seems that it was a false positive, anyway.
Title: Re: WZCNFLCT.EXE False Positive?
Post by: Bub12 on February 28, 2011, 12:59:08 AM
Gopher John

Quote
They are both the same size at 45130 bytes.

Curious, how do you know how large WZCNFLCT is, exactly?

Quote
You should be able to find out what program install put the file there.

Any suggestions as to how I might discover that?  ???

Thanks!!
Title: Re: WZCNFLCT.EXE False Positive?
Post by: Gopher John on February 28, 2011, 01:06:25 AM
Gopher John

Quote
They are both the same size at 45130 bytes.

Curious, how do you know how large WZCNFLCT is, exactly?

Quote
You should be able to find out what program install put the file there.

Any suggestions as to how I might discover that?  ???

Thanks!!

The VirusTotal results link you posted has a "Show All" button.  Clicking that gives the filesize and checksums, among other information about the file.

Visiting the links I posted earlier lists one candidate.  Searching Google for WZCNFLCT.EXE and comparing the results with your Add/Remove Programs list on your machine should give you the answer.
Title: Re: WZCNFLCT.EXE False Positive?
Post by: Bub12 on February 28, 2011, 01:15:21 AM
Ahh...must have missed the Show All button.

In regards to the program that installed WZCNFLCT, if you are referring to the SQL Server, I don't have that. I don't have all that many programs installed & other than one of the other MS ones, I can't imagine how it would have got there. I keep a pretty clean system.

UPDATE: Unless it is part of "The Microsoft Visual C++ 2008 Redistributable Package"
Title: Re: WZCNFLCT.EXE False Positive?
Post by: Gopher John on February 28, 2011, 01:38:50 AM
UPDATE: Unless it is part of "The Microsoft Visual C++ 2008 Redistributable Package"

It's not that one.  I have it installed and don't have any WZCNFLCT.EXE.  Maybe others more knowledgeable than I can offer some insight.