Author Topic: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))  (Read 43823 times)

Offline Bama158

  • Newbie
  • *
  • Posts: 9
Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
« Reply #75 on: December 04, 2009, 07:32:32 AM »
Most virus alert questions seem to be here, and I have one.

I have one restored file that belongs to a Security Program. That program would not work till I extracted the file from the Virus chest. Now the program works just fine. I did a scan etc. etc., and all seemed fine, but here is the kicker. I downloaded the same security program in prep for a new install and was going to remove the old one since it was involved in this thing. I went to add/remove and it tells me I cannot because it has already been uninstalled, and wants to know do I want to remove it from the list. I tell it NO of course. Went to CCleaner to use their tools to uninstall and got the same message of sorts, that they cannot find it.

Now the big Q? Will it be safe to do a system restore, and have it back the way it was before this occurred? I only had two files in the chest. One security and the other a file from Irfanview, which is no big concern, but the security program sure is. Even though the program is working I want it out of the computer because I don't trust it now, and I know the thing is not right yet, or I could uninstall it in add/remove.

Thanks very much for any info here,

Bama :)

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
« Reply #76 on: December 04, 2009, 11:31:23 AM »
Bama158,
what is the program concerned? There might be a purpose built uninstaller for it.
Or you could try (using the original installed- not the new one) re-installing it.

Why do you no longer trust this program?
WindowsXP Home SP3,Avast Free 5.1.889,Windows Firewall, Autorun Eater,Firefox w/Noscript+ /Adblock+/Better Privacy, IE8 all zones except MS Update set to "untrusted" settings,MVPS Host file.SecuniaPSI.

Offline jayweb44

  • Newbie
  • *
  • Posts: 2
Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
« Reply #77 on: December 04, 2009, 02:54:37 PM »
Well this has been the worst thing possible for my computer but I was able to get it somewhat restored after many hours fixing everything. Unlike some others, I did let it reboot to scan the memory since I really like to deal with viruses when they hit. After 8 hours of scanning and checking the options for each virus found, Avast had found a total of 848 files infected! Most of these were system files that could not be restored from the chest and most of these were deleted right away by Avast. I only had a handful of programs that needed to be restored but I'm not sure of the long term effects of this Avast error. As of now Windows is finally bootable with little or no visible problems. So time will tell. I'm just glad that it was false and that I really didn't have this bad trojan on my system. I'm usually very careful with my system and I hadn't had a major virus for over a year.

Offline Bama158

  • Newbie
  • *
  • Posts: 9
Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
« Reply #78 on: December 04, 2009, 05:54:56 PM »
Good Morning Tarq,

The program is the FREE Iobit360. I have installed and uninstalled this program on many computers. There is no special uninstall for it. The reason (although it is working just fine as I checked the whole program... ran a quick scan etc.): After I extracted the file to the desktop and saw that the program was working... I had previously downloaded a new copy to the desktop for installation after I removed the old copy of the program. When I went to add/remove and also in the tools of CCleaner both tell me it is not there, and do I want to remove it from the list. These are not exact words of the popup but essentially the same. Do you think that it is possible that because I extracted the file to the wrong place is the cause I am getting this message? Maybe it is in the wrong place and is not recognized by add/remove... etc. The file was not originally on the desktop and maybe that's the problem.

When this attack was happening Iobit360 would not work, and I knew why because the file was in the chest, but a member had put it there before she came to chatroom for help. I was in remote on her computer when the thing was at its worst, and I realized this is bogus, and I never put anything in chest. There were only two files in the virus chest. I assume she sent them there before she came in. If I can go to add/remove and not get that popup that the program is not there... then I have no problem with keeping the program, but being a security program I don't like the fact that it was involved in this.

Thank you very much for the help,

Bama

Offline oddfunk

  • Newbie
  • *
  • Posts: 4
Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
« Reply #79 on: December 04, 2009, 06:18:52 PM »
What error message (or code) did you get for these files?

FileID: 0000000044  Program cannot restore the following file, because the original location is not defined: C:\Documents and Settings\All Users\Documents\network share\SmitfraudFix\swxcacls.exe
FileID: 0000000043  Program cannot restore the following file, because the original location is not defined: C:\Documents and Settings\All Users\Documents\network share\SmitfraudFix\swreg.exe
FileID: 0000000057  Program cannot restore the following file, because the original location is not defined: C:\hp\recovery\wizard\SWR_Wizard.exe
FileID: 0000000138  Program cannot restore the following file, because the original location is not defined: C:\WINDOWS\system32\swxcacls.exe
FileID: 0000000137  Program cannot restore the following file, because the original location is not defined: C:\WINDOWS\system32\swreg.exe
FileID: 0000000113  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023644.exe
FileID: 0000000104  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023635.exe
FileID: 0000000094  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023625.exe

Interesting. I'd recommend using the "Extract" feature (instead of "Restore") and put the files in their respective locations manually. At least for the files outside System Volume Information, it should work OK.

Now for the files in System Volume Information it may be a bigger problem because you won't have access rights to write to this location (only the SYSTEM account has them). But the files are not important anyway, unless you plan to do a system restore (in which case it wouldn't restore the three executables).

Thanks
Vlk

For the most part, this is what happened with mine last night during the boot scan so I will follow your advice when I get home. As soon as Avast notified me of a virus warning, it suggested I do a boot scan, which I did. "Ignore" was the only option that worked during the scan. Once I logged in, I ran Malwarebytes, but during this time I guess Avast was still running in the background and alerting me from time to time that a virus was found in such-n-such file. I believe that a couple of the files could not be moved to chest and were therefore renamed with the "vir" extension and then moved to chest. Are these files possible to extract and/or restore since they have been renamed? How do I get the original file name for them? Sorry if the questions seem stupid, but I'm really not an advanced user and just converted to Avast about a week ago. I was only on my computer for about 30 minutes after everything was moved over to chest and everything seemed to be working OK. I haven't looked at or done anything with the files that are in the chest yet so please advise. Thank you.
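The triage described in the quoted reply above, as an added example that is not part of the original thread and not Avast's own tooling: it parses the "cannot restore" messages, separates System Volume Information copies from files that can be extracted by hand, and flags file names held by more than one chest entry. The function names are assumptions; the three sample lines are copied from the post.

```python
import ntpath  # Windows path rules; works on any OS
import re
from collections import defaultdict

# Sample input: three of the messages posted in the thread, copied as-is.
SAMPLE = r"""
FileID: 0000000044  Program cannot restore the following file, because the original location is not defined: C:\Documents and Settings\All Users\Documents\network share\SmitfraudFix\swxcacls.exe
FileID: 0000000138  Program cannot restore the following file, because the original location is not defined: C:\WINDOWS\system32\swxcacls.exe
FileID: 0000000113  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023644.exe
"""

MSG = re.compile(
    r"^FileID:\s*(\d+)\s+Program cannot restore the following file, "
    r"because the original location is not defined:\s*(.+?)\s*$",
    re.MULTILINE,
)
SVI = "\\system volume information\\"  # writable only by the SYSTEM account


def triage(text):
    """Split failed restores into manual-extract targets and restore-point copies."""
    plan = {"extract_manually": [], "restore_point_copy": []}
    for file_id, raw in MSG.findall(text):
        path = ntpath.normpath(raw)
        rest = ntpath.splitdrive(path)[1].lower()  # path without the drive letter
        bucket = "restore_point_copy" if rest.startswith(SVI) else "extract_manually"
        plan[bucket].append((int(file_id), path))
    return plan


def shared_names(entries):
    """File names held by more than one chest entry; each belongs in its own folder."""
    ids = defaultdict(list)
    for file_id, path in entries:
        ids[ntpath.basename(path).lower()].append(file_id)
    return {name: found for name, found in ids.items() if len(found) > 1}


if __name__ == "__main__":
    plan = triage(SAMPLE)
    for bucket, entries in plan.items():
        for file_id, path in entries:
            print(f"{bucket:20} FileID {file_id:>4}  {path}")
    print("same name, different folders:", shared_names(plan["extract_manually"]))
```

Entries listed under `shared_names` are the ones where extracting to the wrong folder is easiest, since the chest holds two files with the same name.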

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
« Reply #80 on: December 04, 2009, 08:12:45 PM »
Bama158,
Any file that belonged to a particular program, once quarantined (sent to the chest) must be extracted back to its original location for the program to work correctly. Personally I would re-scan the file to make sure it is clean, and then restore it. If the original location was a "moved" location, ie: you had already placed it somewhere else like the desktop, it needs to be restored to its correct program directory.
(I hope you know where that is, there are a few different folders it could belong in.)

What is the full name (and original path, if you have it) of the file concerned?

The fact that Iobit was involved in this seems purely collateral to me. An innocent bystander that just happened to step into the path of a bullet.
The fact that it won't uninstall may not be its fault.
The recent controversy about Iobit somehow happening to fluke the same definitions as MBAM would probably be enough incentive for me to not install it. But that's just me.

Offline jwwing

  • Newbie
  • *
  • Posts: 1
Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
« Reply #81 on: December 04, 2009, 08:26:42 PM »
I was loading WordPerfect Office X4 when the avast updated apparently and immediately got the Win32:DELF-MZG trojan. I thought from the install CD! So I moved the affected file, and received a dozen or so more warnings. Some of the files wouldn't move so I deleted them. When I was done, since I had just cloned my drive in this computer, I put the old drive back in and tried again. I updated the avast and immediately got a virus warning so thought that the drive had already been infected before. I stopped the action and told it to restart with a boot scan etc. I immediately started getting errors, so I decided if they had been there all this time they wouldn't hurt, so I terminated the boot scan and after the computer was up, I went out to the internet for info on the trojan. There I found the false positive notice on some blogs.

I put the old hdd back in, but there were several deleted files which didn't seem to bother anything - I restored what would, several would not restore. If I knew which they were, I would try the extract. 1) Is there any way that I can find out which files were deleted? 2) If I do another restore, will that affect the files if they have changed since (this would be so that I know which files to extract)?

I did find that the bug had caused me to not be able to read from the cd to fix the install of the WP X4 so after several hours of trying I gave up and tried to remove it. That wouldn't work either. By the next day I got the update of avast and tried again to remove the WP. This time I discovered that I could copy the missing files, reinstalled them and got the WP to install correctly. Now it would not stay up, WP has encountered a problem and must close. I found the file that they would report to MS and read it. The file was an HP printer dll which I got another copy of and saved to the machine. Now it works again!!

I sure hope this problem doesn't kill the company who provides avast! I know I am pretty put out, but would be incensed if I had had more debilitating problems.


Offline Bama158

  • Newbie
  • *
  • Posts: 9
Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
« Reply #82 on: December 04, 2009, 08:56:06 PM »
Thank you very much Tarq, and I understand you are a bystander. I work for a FREE computer helps website, and lots of our help comes from members who have either used a program, and can help with an issue another member posts for help. Not to say we don't have three of the best Techs. I must say educated Techs, but I am not one of those, even though I have been taught plenty by one of them. We have been doing this for 6 years. Why FREE? Because we are retired and can, and we like to help our members defray the cost of going to a shop and getting it repaired.

Having said that, the computer in question is a member that I am in remote working on. Not at the present moment, but from 7-11pm est every night in our chat room. What you are saying is what I was thinking is my problem in the first place. I tried to restore the file and then things would have been peachy, but got an error so went to step 2 and extracted, and the file is NOT in its original place, so that's the problem, and I will fix it tonight. I should have written down the file path, but I didn't so will get it tonight when I go on her computer again.

We promote Freeware and use it ourselves. A few years back when I paid for everything McAfee sold... I got WinFixer2005, and there was no fix for it. I fought that thing one night with the help of my friend on IM, and I swore after I get my computer clean I will never pay for security again. I eventually had to reinstall Windows because of that, because neither the Tech nor I could find anything to get rid of it. Right now I am testing AVG 9 Free, so I got out of the Avast virus alert, simply because I had to uninstall Avast to test AVG 9 Free... Lucky me.

Thanks for listening, and you have a good day,

Bama

Offline 2km3

  • Newbie
  • *
  • Posts: 6
Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
« Reply #83 on: December 07, 2009, 08:25:50 PM »
This is a perfect example of someone who is more concerned about their own existence than others. A persistence to annoy, and possibly an indifference to help... I have a question for you... how large is your image and how many programs do you have currently running on your system? For some that is not an option unless you want to build 20gb partitions every two days by your operand. People do not need to be insulted at a time like this. I agree with some of what you have to say but lose the pessimistic attitude.

This is the perfect example as to WHY everyone should be using imaging software. I constantly push imaging software, and seem to get ignored. It must be that people would rather have disasters on their system so they can complain about them. Imaging software is so commonplace now that they include it in Vista and Win 7 as part of the OS. In my opinion, if you are not using imaging software, then you have no right to complain about any of this. And for all the people going off on a rant and wanting compensation for what happened, I hope you get back exactly what you gave... nothing if you are using the free version.

I got all the popups last night warning me, and I just clicked the X up in the corner and kept using my system. I knew right away they were FP's, and that it would get fixed. So, this morning I restored from an image I created two days ago, updated Avast virus data base, and it was just like nothing happened.

Take control of your PC people, and quit complaining. If your system got trashed by this human mistake, then shame on you for not backing up your operating system and software.  

Offline mikereid

  • Newbie
  • *
  • Posts: 14
Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
« Reply #84 on: December 08, 2009, 02:02:36 AM »
Hello there, sorry for the delay in a reply, was away for the weekend.

Tarq, alureon was in system32\drivers\putobymspjqvrent.sys
        mal0b in documents & settings\HP_administrator\local settings\temp\~.exe

Computer still running fine, and strangely my internet is working OK now - but not with IE as usual - that's still not working.
However I randomly downloaded Firefox on my mum's PC, installed it on here and it works!

Still would prefer IE working but this is better than nothing.
Do you suggest a clean IE install? How do I go about removing IE completely?

My Avast is version 091207-0, today's version, but it only seems to update automatically, not on demand as it were, when it can't seem to connect.

MBAM can't connect when I try to update that also, can't connect to the iTunes store either for example, so connectivity is still clearly an issue, but just getting Firefox and browsing working on here was a relief.