Author Topic: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu  (Read 40019 times)


Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
« Reply #30 on: December 03, 2009, 03:08:17 PM »
While browsing in the beta board, I came across the threads about the false positives.  I also noticed that Prague was midnight.  So, I stopped the update of Avast! 5 and went to a family member's room to do the same only to find the VPS had already been updated to 91203-0.  Simply, I turned off Standard Shield.  After the release of 91203-1, I turned it on.

Personally, I'm not surprised so many people are tempted to delete suspected files immediately rather than sending to the chest.  In fact, that's why I set Avast! 4.8 to automatically send them to the chest on my family member's computer.  I hope Alwil team will make Avast! 5 more user-friendly...I know I can configure it for the others but, after seeing so many people are not accustomed to how to deal with detection, I guess it would be suitable for them to do something with it...

My first detection alert went to the chest, but from then on the chest would turn them down and you were left with either leaving the alerted files on and continuing to get alerts, or deleting and moving forward, which would be to the next alert. I tried straight off to bring up MWSnap for a screenshot of the first alert, but it didn't come up in time and I had gone to Restart with a prompt from avast. Oops, I had already deleted a couple of OA files.

I tried to bring up Revo as well to wipe OA and try out some other firewalls. By the time I had the OS running again, everything seemed fine, but I had to do other things. Obviously it wouldn't have been okay until the next avast update had gone through. I haven't been back to that computer yet. These things happen.

http://forum.avast.com/index.php?topic=51664.msg437071#msg437071

Like you say above, Rumpel, have to refrain from deleting anything no matter how much you want to move forward. That computer was just for testing things, so a bit different situation from users with their personal computers. Best advice from Tarq, to look first to a manual update.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Starfireca

  • Guest
Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
« Reply #31 on: December 03, 2009, 04:46:31 PM »
I am just sick over this ...... 135+ files gone! Programs that can not be replaced. My Windows isn't too stable either.

I can't remember all the files Avast told me HAD to be deleted since it wouldn't send them to my chest. I figured the Trojan was spreading.

I sure won't be so trusting of a program any time soon!!!!

Frasier

  • Guest
Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
« Reply #32 on: December 03, 2009, 06:44:11 PM »
@Starfireca

Try Recuva or Pandora Recovery to restore deleted files, AFAIR both are freeware and sometimes do work in even hopeless situations.

wormbog

  • Guest
Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
« Reply #33 on: December 03, 2009, 07:22:59 PM »
I deleted a lot of stuff during a boot-time scan (when it wouldn't let me move them to chest).  Luckily, I don't think it was anything too important.  Mainly a lot of system restore points, freeware programs I recognized, and some other stuff.  My computer seems to be basically working ok now.  I don't think any critical system files were injured, just a bunch of .exe's.

Using the virus chest, I've restored a lot of the false positives as explained in the directions.  For some of the programs that got screwed up, I just downloaded a fresh new copy and reinstalled over the screwed up install and they seem to work fine now.

I'm crossing my fingers at this point and I'm not seeing any serious damage yet.   

Should I bother trying a system restore at this point (or an ERUNT restore?) or would I be better off deleting all windows xp restore points and starting a new fresh one? 

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
« Reply #34 on: December 03, 2009, 09:28:28 PM »
Yes, I think if there is any damage it will be amongst Programs. Two computers that had suffered damage did not show that Windows files are affected, although viruses being what they are.

I do not seem to have lost OS performance. But considering my OA is premium and I've already been through one re-install, the intrusion could be costly. I still have yet to run a Secunia on that computer.

So with uninstall / reinstall - especially if you deleted files - best go to Secunia and see if any damage.

I do not think there is any damage amongst Windows files. Freeware programs affected, like in my case hostman, can easily be uninstalled / reinstalled. I noticed that while hostman was affected, my hosts file wasn't.

Hard if your affected Programs are paid. OA re-installs are as okay as any. I'm going to Secunia now.

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3054
Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
« Reply #35 on: December 03, 2009, 09:31:49 PM »
I guess Secunia won't help in checking if a program works or not ??? but only checks if the latest version is installed. The only way would be to check by opening all the applications one by one.  :(

nmb

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
« Reply #36 on: December 03, 2009, 10:35:02 PM »
Secunia turned up Google Chrome. So have now installed Chrome up to date. Hostman is okay. I will look to uninstall / reinstall OA; I've done it before. And then, like you say, one by one. Java is okay, internet okay. I watched the bootscan through when I first got alerts. I will post it to the forum with some screenshots sometime soon. I have my own thread going on this.

http://forum.avast.com/index.php?topic=51664.msg437071#msg437071

I've disabled OA in Services so far and downloaded WinPatrol to fill the gap. Hosts file has just updated and Scotty has beamed up to advise about request for changes to be made.
« Last Edit: December 03, 2009, 10:40:08 PM by mkis »

wormbog

  • Guest
Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
« Reply #37 on: December 03, 2009, 10:41:07 PM »
Wondering whether or not to do xp system restore...

What happens to the DELETED files/programs if a system restore is done? (will they magically reappear or reinstall?)

What happens to the MOVED TO CHEST files/programs if system restore is done? (do they leave the chest and go back to where they belong?)

Are there other related considerations about doing system restore vs. not doing it?

Thanks for any input.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
« Reply #38 on: December 03, 2009, 10:44:27 PM »
I'm afraid that in most cases, System Restore will not cut it either.
The problem is that avast probably quarantines the System Restore files as well (these are the files located in C:\System Volume Information).

So... I probably wouldn't bother at this stage (provided everything looks OK, as per your previous post).


Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

brokencrystal

  • Guest
Re: False positive with Win32:Delf-MZG[Trj] for Spysweeper and Mamutu
« Reply #39 on: December 06, 2009, 07:27:56 PM »
I didn't do anything when I got the alert, but I was wondering how to report the false positive so they know I was affected. There's nothing in my chest but I do have something on the log viewer. I can't get the filter to work or select anything so I can send it in.  ???