Avast WEBforum

Other => Viruses and worms => Topic started by: websnail on December 03, 2009, 02:04:30 AM

Title: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: websnail on December 03, 2009, 02:04:30 AM
Just a heads up...

Within seconds of the VPS completing a database update Avast immediately identified:

c:\program files\webroot\webrootsecurity\spysweeperui.exe
c:\program files\mamutu\a2handler.dll

as being the Win32:Delf-MZG[Trj] trojan...

Bearing in mind these are both programs that have been working just fine for quite some time, I feel pretty confident this is one of those rogue VPS updates that wasn't quite as thorough as it might have been.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: James_Fergason on December 03, 2009, 02:16:56 AM
I just got the same by trying to update CA Yahoo Anti-Spy
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: mrmxx on December 03, 2009, 02:38:52 AM
I got the same with an older "special" version of The Bat!. A few minutes after that I got the same alert about some html editor and PSpad text editor  ???
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: smokethapimp on December 03, 2009, 02:40:10 AM
Add to the Win32:Delf-MZG[Trj] False Positive List.......

A-Squared Free

SpyBot Search and Destroy

SpywareDoctor.

Seriously, what's up with this? ???
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: cjohnsen on December 03, 2009, 02:47:29 AM
add e/pop professional (WiredRed) to the list.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: grynlar on December 03, 2009, 03:03:48 AM
I got the same thing with it updating the avast prog to the latest just a few minutes ago. All of a sudden pspad, skype-pm, wordweb, hardware audio program realtekhd and quite a few others.
ran mbab and sas and they didn't report anything. When I was running mbab avast kept reporting errors and mbab said nothing was wrong.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: llariel on December 03, 2009, 03:40:37 AM
The same critical FP in many programs and extensions. On my computer it detects PowerArchiver as Delf:mzg
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: irwstetj on December 03, 2009, 04:01:09 AM
SpyBotSD, Realtek audio driver, MailWasher Pro, some Adobe components which I've been using for some years now. After all that long now detected as trojan even for the paid licensed ones ?!?
What da hell is going on ??? ??? ??? This is insane !!!
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: jellybean on December 03, 2009, 05:44:12 AM
Add WeatherEye.dll from The Weather Network.  Something's messed up with the latest update methinks.  ???
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: Bwana on December 03, 2009, 06:23:04 AM
Also add JingProject_nat.dll from Techsmith's Jing Project screen capture program...

This is getting ugly fast...

Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: SeSkoAnd on December 03, 2009, 07:48:23 AM
Also add Cobian Backup 9.5.1.212 from CobianSoft and AutoExit For Windows HomeServer (SengCore.dll) from ASoft.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: Ziva on December 03, 2009, 07:52:13 AM
The same here as well. After the update I got the warnings, and thinking it was legit I clicked on the option to put the virus in the chest. First it said access denied then it said it needed to scan after a re-boot. So I allowed it to re-boot. It scanned and scanned and scanned my system making it seem like a virus had run amok. When it finally finished I ended up with over 40 so-called infected files in the chest.

Webroot's SpySweeper and IObit 360 Security are now toast. A scan with Malwarebyte's, which was already installed, showed no problem. I figure MBAM wasn't affected because it doesn't update automatically or run in real time as SpySweeper and IObit do.

When I realized this had to be a false positive I tried restoring the files from the virus chest, but Avast would not cooperate. I highlighted each file one at a time and clicked restore but nothing happened. Judging from the postings in other forums this issue with Avast is widespread. I hope Avast will be able to post a solution on how to restore things back to how they were. I for one cannot afford to take my PC in for repairs.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: random_account on December 03, 2009, 07:58:53 AM
I have just experienced the same problem, but it looks as if a fix is out for this already. I just updated my iAVS and Program, and now it is not reporting any occurrences of DELF-MZG  :D
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: SeSkoAnd on December 03, 2009, 08:00:49 AM
A new VPS update (091203-1) has been published. The false positive detections seem to be gone now.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: honey88foru on December 03, 2009, 08:18:31 AM
Add MediaMonkey (http://www.mediamonkey.com/) and USBSafelyRemove (http://safelyremove.com/) to that list.

I still have the standard shield paused cuz I just switched on my PC and it killed Spybot. I just tried to update and it says already up to date.

Guess I'll wait...
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: VikingBabe on December 03, 2009, 09:17:08 AM
I came online just before Midnight and my automatic AVAST update came up normally. There were no alerts.  Did my normal work until I visited a forum where I found word about this trojan.

The poster reported this on Dec. 2, 8:17pm (MST) to anyone using AVAST there.   After reading the warning, I disabled my AVAST (to be safe) until I knew a "repair" was made and came here.  Sooooo, my update included the repair and  missed being struck if I had gone online a few hours earlier.

Whew!  Thanks to the AVAST team for working so quickly and getting the "fix" out.



Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: ShellyCat on December 03, 2009, 11:06:51 AM
Quote from: random_account on December 03, 2009, 07:58:53 AM
> I have just experienced the same problem, but it looks as if a fix is out for this already. I just updated my iAVS and Program, and now it is not reporting any occurrences of DELF-MZG  :D

It took me a few hours to get to this point, because Avast (or maybe I thought the virus) really slowed my system drastically when I tried to start "Edit Pad Lite". So I let it scan and remove to chest...
...I made sure none of the files were critical. Some were installers for MySQL, Realtek drivers, even similar executables hidden in my System Restore points! Also a couple programs like EditPadLite, ImgBurn, and DevC++. (Also, I don't have it, but people are reporting Avast thinks Spybot S&D is infected, too.)

Now I see it's a false positive, but people on Yahoo! Answers are saying Avast will keep finding stuff over and over again, so go ahead and move reported files to chest, then restore them after the bug is fixed. Avast updated just before I logged in here, so all should be fine, I hope!
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: Tarq57 on December 03, 2009, 11:19:15 AM
ShellyCat, just make sure that you re-scan each quarantined file, and restore it when it scans clean.
Do this earlier rather than later.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: SteelerFan on December 03, 2009, 11:52:17 AM
Yea, I got hit hard on this (well my wife's laptop did anyway) thought crap was hittin the fan. I couldn't even get her icons, start menu etc to load up when the computer was restarted. Had to go in safe mode and run anti virus programs there. I ran avast and sure enough, I had the Delf-MZG [Trj] showing up ALL OVER THE PLACE. I allowed it to restart and run a scan as it re-booted and it came up with about 70-some "infected files". Once the scan was over the computer turned on and everything seemed to be back to normal except the files that were put into the quarantine needed to be scanned and restored after I performed the update.

Everything seems to be okay now. (I'm assuming the files were restored? I clicked restore and it said it was successful but the files were still showing up in the quarantine.)

By the way, this website saved my life because I normally try to delete the infected files (at first it was in other anti-virus/ anti-malware programs) but then it showed in bigger files that I was not comfortable pressing the delete button... glad I didn't now. After surfing the web trying to find out what this "Delf-MZG [Trj]" is, I found this website and noticed a lot of people were saying to quarantine and re-scan after the update because of the false-positive.    Thank you!!
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: Sesame on December 03, 2009, 12:00:33 PM
While browsing in the beta board, I came across the threads about the false positives.  I also noticed that Prague was midnight.  So, I stopped the update of Avast! 5 and went to a family member's room to do the same only to find the VPS had already been updated to 91203-0.  Simply, I turned off Standard Shield.  After the release of 91203-1, I turned it on.

Personally, I'm not surprised so many people are tempted to delete suspected files immediately rather than sending to the chest.  In fact, that's why I set Avast! 4.8 to automatically send them to the chest on my family member's computer.  I hope Alwil team will make Avast! 5 more user-friendly...I know I can configure it for the others but, after seeing so many people are not accustomed to how to deal with detection, I guess it would be suitable for them to do something with it...
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: SteelerFan on December 03, 2009, 12:04:34 PM
Quote from: Sesame on December 03, 2009, 12:00:33 PM
> While browsing in the beta board, I came across the threads about the false positives.  I also noticed that Prague was midnight.  So, I stopped the update of Avast! 5 and went to a family member's room to do the same only to find the VPS had already been updated to 91203-0.  Simply, I turned off Standard Shield.  After the release of 91203-1, I turned it on.
>
> Personally, I'm not surprised so many people are tempted to delete suspected files immediately rather than sending to the chest.  In fact, that's why I set Avast! 4.8 to automatically send them to the chest on my family member's computer.  I hope Alwil team will make Avast! 5 more user-friendly...I know I can configure it for the others but, after seeing so many people are not accustomed to how to deal with detection, I guess it would be suitable for them to do something with it...

Yea, I gotta admit, I was really nervous when it repeatedly came up saying that there was a Trojan. No matter what I hit when the warning screen came up, it would just come up again and again. That's when all he11 broke loose and stuff wouldn't respond and I couldn't get anything to cooperate. I tried to reboot the computer and all the stuff happened that I said above. I didn't know what the heck was going on.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: shae_32 on December 03, 2009, 12:07:55 PM
I have to agree with you Rumpel. Please, please make the next version of Avast auto-quarantine and see if there's a way to let us know what file it is, I mean what software it's associated with. (If that made sense. Kinda early here in TX. LOL)

Anyway, am glad I didn't have any major disasters from this, but lesson learned well.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: SteelerFan on December 03, 2009, 12:11:56 PM
I'm pretty new to using Avast! What is supposed to happen once you restore the files in the "infected" section of the chest? Will they stay in there or are they supposed to empty off the list?

Just wanna make sure that it did what it's supposed to do. Thanks for any help!


UPDATE... found the answer to my own question... http://forum.avast.com/index.php?topic=51643.msg436955#msg436955
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: Tarq57 on December 03, 2009, 12:21:39 PM
Cool. Well done. Once you are confident they have been restored, they can be deleted from the chest.
Only process the "infected" section of the chest.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: SteelerFan on December 03, 2009, 12:36:31 PM
Yep, thanks! I'm glad this website exists...

Also, this may be unrelated but when I tried to shut down, it couldn't do it the whole way. I have XP and when it got to the blue screen where it has the Windows XP "Shutting Down..." it just kinda got stuck there. Is that something that maybe may have been messed up?
I did a hard re-boot (I think that's what it's called) and everything loads up okay. Just can't do the shut down properly.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: ret on December 03, 2009, 12:43:39 PM
I have the same problem with windows not closing or even going to screensaver.   According to the bright red warning notice at the top the coders will have a fix for this hopefully.

ret
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: Tarq57 on December 03, 2009, 12:45:23 PM
How long are you guys leaving it before trying a power off?
Try leaving it at least two minutes.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: ret on December 03, 2009, 01:00:08 PM
In answer to your how long did I leave it I can tell you it had been in the shutdown mode for 9 hours before I unplugged it.  I have since done a disk error check with no results.  I have now set the screensaver to 1 minute and the desktop sidebar is flashing occasionally but the screensaver fails to activate.   What pisses me off is this pc does not have a xp disk, but instead a partitioned hard drive with xp on it and no way to reload missing files that I am aware of.


Just an update.   Did a restore point and now the pc shuts off and restarts normally.  Still cannot get the screensaver to activate.   More reading to be done.

Last update.   Got things running normally again.   Selected another theme for screensaver and it is working fine.   Still somebody at Avast needs a kick in the pants. ;D
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: SteelerFan on December 03, 2009, 01:45:19 PM
Quote from: Tarq57 on December 03, 2009, 12:45:23 PM
> How long are you guys leaving it before trying a power off?
> Try leaving it at least two minutes.

Well, the first time it got stuck for about 5 minutes. I did the hard re-boot (?) and then it shut down fine the second time I tried (although it still took longer than usual)
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: websnail on December 03, 2009, 02:20:42 PM
Well that was "fun"

Seems I wasn't completely mad then after all...

My system needed a restore point to 2 days back to sort it out as it borked my network settings thanks to some behind the scenes settings I'd included to take care of things without bothering to tell me... Lesson learned there!
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: mkis on December 03, 2009, 03:08:17 PM
Quote from: Sesame on December 03, 2009, 12:00:33 PM
> While browsing in the beta board, I came across the threads about the false positives.  I also noticed that Prague was midnight.  So, I stopped the update of Avast! 5 and went to a family member's room to do the same only to find the VPS had already been updated to 91203-0.  Simply, I turned off Standard Shield.  After the release of 91203-1, I turned it on.
>
> Personally, I'm not surprised so many people are tempted to delete suspected files immediately rather than sending to the chest.  In fact, that's why I set Avast! 4.8 to automatically send them to the chest on my family member's computer.  I hope Alwil team will make Avast! 5 more user-friendly...I know I can configure it for the others but, after seeing so many people are not accustomed to how to deal with detection, I guess it would be suitable for them to do something with it...

My first detection alert went to the chest but from then the chest would turn them down and you were left with either leave the alerted files on and keep getting alerts, or delete and move forward which would be to next alert. I tried straight off to bring MWSnap for a screenshot of first alert, but didn't come up in time and I had gone Restart with a prompt from avast. Oops I had already deleted a couple of OA files.

I tried to bring up Revo as well to wipe OA and try out some other firewalls. By the time I had the OS running again, everything seemed fine, but I had to do other things. Obviously it wouldn't have been okay until the next avast update had gone through. I haven't been back to that computer yet. These things happen.

http://forum.avast.com/index.php?topic=51664.msg437071#msg437071

Like you say above Rumpel, have to refrain from deleting anything no matter how much you want to move forward. That computer was just for testing things so a bit different situation from users with their personal computers. Best advice from Tarq to look first to a manual update.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: Starfireca on December 03, 2009, 04:46:31 PM
I am just sick over this ...... 135+ files gone! Programs that can not be replaced. My Windows isn't too stable either.

I can't remember all the files Avast told me HAD to be deleted since it wouldn't send them to my chest. I figured the Trojan was spreading.

I sure won't be so trusting of a program any time soon!!!!
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: Frasier on December 03, 2009, 06:44:11 PM
@Starfireca

Try Recuva or Pandora Recovery to restore deleted files, AFAIR both are freeware and sometimes do work in even hopeless situations.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: wormbog on December 03, 2009, 07:22:59 PM
I deleted a lot of stuff during a boot-time scan (when it wouldn't let me move them to chest).  Luckily, I don't think it was anything too important.  Mainly a lot of system restore points, freeware programs I recognized, and some other stuff.  My computer seems to be basically working ok now.  I don't think any critical system files were injured, just a bunch of .exe's.

Using the virus chest, I've restored a lot of the false positives as explained in the directions.  For some of the programs that got screwed up, I just downloaded a fresh new copy and reinstalled over the screwed up install and they seem to work fine now.

I'm crossing my fingers at this point and I'm not seeing any serious damage yet.   

Should I bother trying a system restore at this point (or an ERUNT restore?) or would I be better off deleting all windows xp restore points and starting a new fresh one? 
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: mkis on December 03, 2009, 09:28:28 PM
Yes, I think if there is any damage it will be amongst Programs. Two computers that had suffered damage did not show that Windows files are affected, although viruses being what they are.

I do not seem to have lost OS performance. But considering my OA is premium and I've already been through one re-install, the intrusion could be costly. I still have yet to run a Secunia on that computer

So with uninstall / reinstall - especially if you deleted files - best go to Secunia and see if any damage.

I do not think any damage amongst Windows files. Freeware programs affected like in my case, hostman, can easily be uninstalled / reinstalled. I noticed that while hostman was affected my hostsfile wasn't.

Hard if your affected Programs are paid. OA re-installs are as okay as any. I'm going to Secunia now.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: nmb on December 03, 2009, 09:31:49 PM
I guess Secunia won't help in checking if a program works or not. ??? But only checks if the latest version is installed. The only way would be to check by opening all the applications one by one.  :(

nmb
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: mkis on December 03, 2009, 10:35:02 PM
Secunia turned up google Chrome. So have now installed Chrome up to date. Hostman is okay. I will look to uninstall / reinstall OA I've done it before. And then like you say one by one. Java is okay, internet okay. I watched the bootscan through when I first got alerts. I will post it to the forum with some screenshots sometime soon. I have my own thread going on this.

http://forum.avast.com/index.php?topic=51664.msg437071#msg437071

I've disabled OA in Services so far and downloaded WinPatrol to fill the gap. Hosts file has just updated and Scotty has beamed up to advise about request for changes to be made.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: wormbog on December 03, 2009, 10:41:07 PM
Wondering whether or not to do xp system restore...

What happens to the DELETED files/programs if a system restore is done? (will they magically reappear or reinstall?)

What happens to the MOVED TO CHEST files/programs if system restore is done? (do they leave the chest and go back to where they belong?)

Are there other related considerations about doing system restore vs. not doing it?

Thanks for any input.
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: Vlk on December 03, 2009, 10:44:27 PM
I'm afraid that in most cases, System Restore will not cut it either.
The problem is that avast probably quarantines the System Restore files as well (these are the files located in C:\System Volume Information).

So... I probably wouldn't bother at this stage (provided everything looks OK, as per your previous post).


Thanks
Vlk
Title: Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
Post by: brokencrystal on December 06, 2009, 07:27:56 PM
I didn't do anything when I got the alert, but I was wondering how to report the false positive so they know I was affected. There's nothing in my chest but I do have something on the log viewer. I can't get the filter to work or select anything so I can send it in.  ???