Migwiz.exe

Hi,

Just done a full system scan and a threat was found: C:\WINDOWS\$NtServicePackUninstall$\migwiz.exe

I’ve sent it to the chest, but Avast says it’s malware?

I can’t find any conclusive info on this except that migwiz.exe is a file used by files transfer wizard?

Can someone please point me in the right direction.

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here (post the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* That will stop the File System Shield scanning any file you put in that folder.

According to what I have read, it is a file transfer utility from Microsoft.
Possibly maybe something corrupted the file?
You can google the filename and read about it.

Do what DavidR suggests…this will give another report that can be viewed.

Thanks for the really quick replies 8)

Here’s the link from VirusTotal: http://www.virustotal.com/analisis/8e4e9f5e172a4948893eb3189786caadce43e47522292324281ba7812b174383-12753128

I thought I’d scan the migwiz.exe file whilst in the suspect folder, and lo and behold a threat was detected. The description was Win32:Malware-gen, which after doing a quick Google search doesn’t look very encouraging!

My daily scheduled scan using Ashquick.exe also found this today. I sent it to the chest and it is also ID’d as Win32:Malware-gen. I have submitted it to Avast too.

If you had excluded that folder as I suggested in the above instructions then you shouldn’t have found anything.

The avast Win32:Malware-gen is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.

So a search on this malware name is unlikely to reveal any useful ‘specific’ information on what it actually is.

Unfortunately your URL to the VT results doesn’t work, so how many detections and what detected it (only avast and gdata, etc.)?

The strange thing is that a search of my system for this file only reveals one in the c:\windows\system32 folder and a scan of that with ashquick.exe finds it clean.

I have just done a scan and found the same thing.
I have also looked up Migwiz on Google and am none the wiser.
Could someone please tell me in simple English.
(1) What is Migwiz?
(2) Why did the scan find it?
(3) Should I remove it? At the moment it is locked up in the vault.
(4) If it is not a virus or similar, why did Avast pick it up?
(5) What should I do now?

Sorry to sound so stupid but I really don’t understand.
Help would be much appreciated,
Thank you.
Regards.

Hi posters in this thread,

Here it is qualified as benign:
migwiz.exe - Process Information

This component is part of MS Windows Files and Settings Transfer Wizard

Component Name: migwiz.exe

Description of : With the use of a direct connection cable and this program,
you will be able to transfer all settings and files from an old computer to a new one.
info: http://www.liutilities.com/products/wintaskspro/processlibrary/migwiz/
Further: http://www.spyfu.com/Term.aspx/Term.aspx?t=997090

Recommendation for :
.

Trusted: Yes
Trojan: No
Chronic: No
Adware: No
Carrier: No
Browser Hijacker: No
Dialer: No
Commercial Keylogger: No
Remote Administration Tool: No
Suspected: No

Company Name: Microsoft Corporation
Platforms Affected:
Methods of Distribution: .
Variants/Versions:
Release Date: ,

polonus

That’s great
Thank you

Is it OK to leave it in the Chest as I have in that case, or is the file needed for the MS process you describe, when the time comes to carry out that process? In other words, will the Wizard fail in the absence of that file?
I was happy enough for it to stay safely in the Chest before knowing that, even if it had been a threat.

I got this today as well, and I moved it to the chest. Is it possible this is just a false positive?

Looks like it.
Polonus knows his malware. :)
He posted his source if you would care to check yourself.

I got the same thing with a scan yesterday. Moved migwiz.exe to the chest yesterday. Did a right-click avast scan on it inside the chest today (with latest virus database) and it says “migwiz.exe - no virus”, so I assume it was just a false positive in yesterday’s virus database release?

That would appear to be the case and the signature has been corrected in a VPS update.

Same happened to me. I put it in Virus Chest pending an outcome and I’m pleased it is a false positive. One question though: I chose to restore the file from the Virus Chest/Infected Files section. A pop up confirmed that my action was successful but the migwiz.exe reference is still in the virus chest. If I have restored it correctly should it not then disappear from the Virus Chest altogether?

Thanks
nightshift

Yes a copy remains in the chest (safety measure), confirm that the restore action was successful by checking the file is back in the original location. If so then you can safely delete the copy in the chest.

Thanks DavidR. Much appreciated ;)

nightshift

I’ve just done that too - thanks.

Good to know Avast errs on the side of caution, even if a hint of panic at the time, and that we have the support of a good forum.