Author Topic: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))  (Read 43235 times)


Offline nmb

« Reply #60 on: December 03, 2009, 08:54:03 PM »
@GoldenSt8r

Quote
C:\Program Files\Alwil Software\Avast4\DATA\report

it will be available there if you have done a boot scan.

nmb
« Last Edit: December 03, 2009, 09:56:00 PM by nmb »

Offline mikereid

« Reply #61 on: December 03, 2009, 09:51:19 PM »
A boot scan? Sorry, I'm not the most literate computer user!

Offline mikereid

« Reply #62 on: December 03, 2009, 11:37:13 PM »
Any suggestions? :(
I'm all out of ideas.
Computer's fine but still no internet since this.

Offline Tarq57

« Reply #63 on: December 04, 2009, 12:08:07 AM »
mikereid,
Alureon and Malotob (which you say are in the chest) are a right pain to remove.
Seems a funny coincidence, but until you know otherwise, those infections should be treated as real.
They could be the reason you have no internet, or it could be some files that were deleted causing it.

Best thing first is to make sure the infection is not still present, look at replacing lost files second.
I'd try MBAM or SAS. (SAS has a toolkit that can effect certain internet-based repairs.) Get MBAM Here (free version - blue) and SAS here (free version, lower download.)
The instructions below are for MBAM.

-Download the installer file, "mbam-setup.exe", using a good computer, to a clean USB stick (flash drive).
-Copy the installer to the good computer (desktop), and install it on that computer, by double clicking the file and following the prompts.
-Update it on that computer.
-Once the update is complete, locate the folder "C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware" (if using Vista the path may start with "users" rather than "documents and settings") and locate the file "rules.ref". This file will be about 3.2MB in size. OR, run a computer search for the same file.
-Once the file is found, copy it to the flash drive.
-Check on the sick computer which database is currently installed in Avast. Right click the tray icon, left click "about" and look to the VPS version. If that version is 091203-0 (i.e. it hasn't updated to the version that fixed this), stop the on-access protection in Avast, and pause all providers.
-On the good computer, do the "safely remove hardware" thing, remove the flash drive, plug it into the sick computer.
-Copy the installer file "mbam-setup.exe" to this computer.
-Run the file by double clicking it.
-Once it has installed, navigate to the same folder C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware and copy the "rules.ref" file from the flash drive to the sick computer. Windows will produce a prompt: "File already exists; do you want to replace this file (date) with this file(date)?" Click yes. If you don't get this warning, you are in the wrong location. Find the right location. (The above path is for Windows XP.)
-Open MBAM by double clicking on the desktop icon. (It is cerise/maroon in colour, with a white M)
-Command it to run a quick scan. At the end of the scan it will produce a report.
-Place a tick in the box beside everything it finds and select "remove selected". If you are prompted to reboot to finish removal, please do so promptly.
-Try your computer for connection.
-Please post the scan report.

Hope this works.
WindowsXP Home SP3,Avast Free 5.1.889,Windows Firewall, Autorun Eater,Firefox w/Noscript+ /Adblock+/Better Privacy, IE8 all zones except MS Update set to "untrusted" settings,MVPS Host file.SecuniaPSI.
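
The rules.ref transfer from the steps above, scripted as an added example (not part of the original post and not Malwarebytes' own tooling). It assumes PowerShell 4 or later and a flash drive at `E:\`; the function names are hypothetical, and the second folder is the Windows 7 location reported later in this thread.

```powershell
# Added example: locate MBAM's rules.ref and copy it to a flash drive,
# confirming the copy with a SHA-256 comparison.
# Candidate folders are the two paths quoted in this thread (XP, Windows 7).
$candidates = @(
    "C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware",
    "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware"
)

function Find-RulesFile {
    param([string[]]$Folders)
    foreach ($folder in $Folders) {
        $path = Join-Path -Path $folder -ChildPath 'rules.ref'
        # -LiteralPath avoids wildcard parsing; -Force returns hidden items too
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            return Get-Item -LiteralPath $path -Force
        }
    }
    return $null
}

function Copy-RulesFile {
    param(
        [Parameter(Mandatory)] [System.IO.FileInfo]$Source,
        [Parameter(Mandatory)] [string]$DestinationFolder
    )
    if (-not (Test-Path -LiteralPath $DestinationFolder -PathType Container)) {
        throw "Destination folder not found: $DestinationFolder"
    }
    $target = Join-Path -Path $DestinationFolder -ChildPath $Source.Name
    Copy-Item -LiteralPath $Source.FullName -Destination $target -Force
    # A truncated or corrupted definitions file is worse than none: compare hashes
    $srcHash = (Get-FileHash -LiteralPath $Source.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Hash mismatch after copy: $target" }
    [pscustomobject]@{
        Target = $target
        SHA256 = $dstHash
        SizeMB = [math]::Round($Source.Length / 1MB, 2)
    }
}

$usb = 'E:\'   # assumed drive letter of the flash drive
$rules = Find-RulesFile -Folders $candidates
if ($null -eq $rules) {
    Write-Warning 'rules.ref not found in the known folders; search the disk with hidden files shown.'
} else {
    Copy-RulesFile -Source $rules -DestinationFolder $usb
}
```

Recomputing the hash of rules.ref on the sick computer after the final copy and comparing it with the value printed here confirms the definitions arrived unmodified.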

Offline mikereid

« Reply #64 on: December 04, 2009, 12:23:41 AM »
Good idea on getting the latest version of MBAM onto the other computer, but I've installed it and am not seeing this rules.ref file in the folder at all?
Appreciate the help.

Offline Tarq57

« Reply #65 on: December 04, 2009, 12:38:11 AM »
What OS is the good computer, mike?
Try clicking "start" then "search", and typing in "rules.ref" (in category all files and folders). Command it to look in hidden and system files.
Should produce a result.

Offline mikereid

« Reply #66 on: December 04, 2009, 12:42:20 AM »
Yeah, I'm not seeing the usual option to search hidden files :/
It's Windows 7.

Offline Tipton

« Reply #67 on: December 04, 2009, 12:44:03 AM »
This is the perfect example as to WHY everyone should be using imaging software. I constantly push imaging software, and seem to get ignored. It must be that people would rather have disasters on their system so they can complain about them. Imaging software is so commonplace now that they include it in Vista and Win 7 as part of the OS. In my opinion, if you are not using imaging software, then you have no right to complain about any of this. And for all the people going off on a rant and wanting compensation for what happened, I hope you get back exactly what you gave........nothing if you are using the free version.

I got all the popups last night warning me, and I just clicked the X up in the corner and kept using my system. I knew right away they were FP's, and that it would get fixed. So, this morning I restored from an image I created two days ago, updated Avast virus data base, and it was just like nothing happened.

Take control of your PC people, and quit complaining. If your system got trashed by this human mistake, then shame on you for not backing up your operating system and software.
"I have lived through a lot of horrible things in my life.......some of which actually happened"

Offline mikereid

« Reply #68 on: December 04, 2009, 12:48:57 AM »
Got it, wasn't showing hidden files

Offline Tarq57

« Reply #69 on: December 04, 2009, 01:02:34 AM »
Excellent.
I'd be interested in the path to that file in Windows7, for sure. Just copy and paste it from the address bar, if you wouldn't mind.
Let me know how the scan goes, as per previous lengthy instructions post.

Offline mikereid

« Reply #70 on: December 04, 2009, 01:17:10 AM »
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware   was the location of the rules.ref

Did all that, ran a quick scan with the updated version and it found nothing at all malicious, worth a full scan or not?

Offline mikereid

« Reply #71 on: December 04, 2009, 01:24:24 AM »
That Alureon sounds pretty malicious!

Offline crumply

« Reply #72 on: December 04, 2009, 01:50:27 AM »
Goldenst8r did a good job articulating what happened.  Avast told me to do a boot scan.  It then filled up the virus chest.  The only option I saw was to delete infected files.  I cannot post the list of deleted files, because it exceeds the allowable character limit.  It's about 1,000 files.  What should I do now?  Reformat and start over?  Are the deleted files really deleted?

Offline mikereid

« Reply #73 on: December 04, 2009, 02:08:51 AM »
Full scan done, nothing found. I assume you don't want the log posting as it didn't find anything?

Offline Tarq57

« Reply #74 on: December 04, 2009, 02:26:14 AM »
mikereid,
Yes, that Alureon does look pretty nasty. (Fortunately, I've never encountered the beast.)
It would be good to post the scan report, it might contain information that is of use.
Next thing, what VPS version does your Avast have (on the sick computer)? If it is 091203-1 it can be re-enabled (if it had been disabled), the providers resumed, and started.
Once it is started, go to the chest and please post the original filenames/locations of the malotob and alureon detections. Re-scan them, and post the result.

crumply, see your similar question. Since no-one has added to it, it would appear that my answer is probably correct, or at least a reasonable way to proceed.
Deleted files, AFAIK, simply have the headers removed, so that they can not be read by the OS. The file body remains on the hard drive until over-written by new data. (Windows does not see the file there, so happily considers it free space.)
You could also try a program like Recuva, by Piriform, to attempt recovery of these files. It would stand a fairly good chance of working, I'd think, but could be a laborious process. If it were me, I'd only do that for files I couldn't afford to lose.
But I also use a backup imaging program so I am not particularly knowledgeable about recovery programs. Haven't had to use one in a long time.