Author Topic: Win32:Delf-MZG and Win32:Zbot-MKK  (Read 11622 times)


Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Win32:Delf-MZG and Win32:Zbot-MKK
« on: December 03, 2009, 10:50:27 AM »

I was hit with these FPs

http://forum.avast.com/index.php?topic=51647.0

but I have been away from the computer, so I'm unable to fully report until I get back home.

Detection references

Win32:Delf-MZG
Win32:Zbot-MKK

First, one computer: it began with warnings on OA, then an avast message box asking if I wanted to reboot into a safe environment for a system checkup, and I took that option - approx. 20 detections in my Program Files but nothing in my Windows files (see attachment).

Then, test running another computer, the same thing happened. The boot scan was running when I left home, and I just noticed a detection in Windows Installer as I went out the door. So Windows files as well this time.


It may be of note that earlier in the day, on the first computer, I had found in Services that avast! Antivirus had not been started despite being set to Automatic.

Back soon
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Win32:Delf-MZG and Win32:Zbot-MKK
« Reply #1 on: December 03, 2009, 11:07:14 AM »
Hi mkis, if you browse the forum, you will probably be able to answer this yourself.
http://forum.avast.com/index.php?topic=51647
Not a happy day for Avast.
Windows 10,Windows Firewall,Firefox w/Adblock.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Win32:Delf-MZG and Win32:Zbot-MKK
« Reply #2 on: December 03, 2009, 11:14:55 AM »
If at first you don't succeed, then skydiving's not for you.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Win32:Delf-MZG and Win32:Zbot-MKK
« Reply #3 on: December 03, 2009, 11:59:24 AM »
Not yet. Only just back online and at a friend's place.

I've been sending through files and screenshots that I quickly saved to a USB removable drive just before I left home. I'll be back at home again soon. Not sure as to the extent of the issues, as a boot scan was still running as I left home. Will read through the forum entries when I'm at home. The first computer that started receiving warnings seemed back to smooth running by the time I left home. Neither of the computers tested is used as part of my work, so I'm not overly worried about anything myself.

I think the best option is to run Restart with boot scan immediately, send files with virus warnings to the chest, and sit tight until the weather clears. But there may be better advice out there amongst forum members.

Anyway not much I can do for now. Back soon.  

« Last Edit: December 03, 2009, 12:01:57 PM by mkis »

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Win32:Delf-MZG and Win32:Zbot-MKK
« Reply #4 on: December 03, 2009, 12:11:51 PM »
Best option is probably to not do a boot scan; to make sure the VPS is updated, and then to re-scan everything in the infected area of the chest, and if clean, restore it to original location.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Win32:Delf-MZG and Win32:Zbot-MKK
« Reply #5 on: December 03, 2009, 02:10:30 PM »
Thanks Tarq

I just got home and opened up the second computer, the one I saw with the Windows Installer infected. I went to the chest and restored the whole of the chest. I then ran a scan on OA, where the first detection message came up. The scan returned 8 infected files.

I went to the update service and ran a manual update. Watched the update through, then went to the chest and restored everything. Ran a scan on Online Armor and Tall Emu and it came up clean.

Detections were as above. Mainly Program Files; the Windows Installer one came from an exe or something in the Programs folder, though the installer itself is amongst Windows files, I think.

Haven't checked for damage in OA or anything. Will be doing some uninstall/reinstall of a few programs most likely. I had been up all night changing things around, then only an hour or so of sleep and something to do this afternoon. The alerts happened in between: I woke up about 7 hours ago and the alerts began. Oops, I deleted a couple of supposed OA files. A bad practice from the dark old days that tends to stick on a bit. Then I ran the boot scan with avast and had 20 or so files in the chest. Watched it through; will post back some details. By then I had to rush, but I ran the computer next to it (the one I'm on now) for email; the update came through, so alerts started going off, so I ran the boot scan and went to do other things.

The biggest mistake was not posting immediately to the forum. I hadn't the slightest idea of the size of the issue at the time. My mind was on another issue with avast not starting in Services, which was unrelated.

Just as big a mistake was as Tarq says above.
So UPDATE IMMEDIATELY
« Last Edit: December 06, 2009, 09:04:35 PM by mkis »

Avast1M

  • Guest
Re: Win32:Delf-MZG and Win32:Zbot-MKK
« Reply #6 on: December 03, 2009, 11:51:41 PM »
In addition to these found viruses, after starting to run a scan on my entire system, I found:

2009-12-02 6:11:53 PM   SYSTEM   1856   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Program Files\IrfanView\Plugins\CADImage.dll" file. 
2009-12-02 6:56:14 PM   SYSTEM   1856   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\bb04gy7s.default\Cache\8B655DE1d01\[UPX]\[Embedded_R#403ef8]\[UPX]" file. 
2009-12-02 6:56:29 PM   SYSTEM   1856   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Users\UserName\install\irfanview_plugins_425_setup.exe.part\[UPX]\[Embedded_R#403ef8]\[UPX]" file. 
2009-12-02 6:56:41 PM   SYSTEM   1856   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Users\UserName\install\irfanview_plugins_425_setup.exe\[UPX]\[Embedded_R#403ef8]\[UPX]" file. 
2009-12-02 6:58:02 PM   SYSTEM   1856   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Users\UserName\install\test\irfanview_plugins_425_setup.exe\[UPX]\[Embedded_R#403ef8]\[UPX]" file. 
2009-12-02 7:23:03 PM   SYSTEM   1856   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Users\UserName\.VirtualBox\HardDisks\W7.vdi" file. 
2009-12-02 7:23:51 PM   SYSTEM   1856   Sign of "Win32:Small-HUF [Trj]" has been found in "C:\Users\UserName\.VirtualBox\Machines\W7-Surf\Snapshots\{c1353af8-1307-49c2-8550-d883dda5b43f}.sav" file. 
2009-12-03 10:30:35 AM   UserName   5432   Sign of "Win32:Adloader-AC [Trj]" has been found in "C:\Users\UserName\.VirtualBox\HardDisks\W7.vdi" file. 

I only got part of the way through. I suppose what is in the virtual drive files (.sav and .vdi) could be anything.
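The log lines above carry more structure than a flat list of hits: each path can end in nested container layers such as \[UPX]\[Embedded_R#403ef8]\[UPX], meaning the signature matched inside an embedded resource of a packed executable, and some hits sit inside VirtualBox disk images or snapshots, where the scanner is looking at a guest filesystem rather than a host file. The following is an added triage helper, not code from the post or from avast, that parses lines in the format shown above, separates the on-disk host file from the nested layers, and groups hits by signature and host file so a mass false-positive event can be sized up before anything is deleted. The sample input is the eight lines from the post; the extension list used to flag disk images is an assumption for illustration.

```python
"""Triage helper for avast 4.8-style detection log lines (added example, not avast code).

Each log line has the shape:
  <date> <time> <user> <pid> Sign of "<signature>" has been found in "<path>" file.
The <path> may carry nested container layers separated by '\\[' , for example
  C:\\...\\setup.exe\\[UPX]\\[Embedded_R#403ef8]\\[UPX]
which means the hit is inside an embedded resource of a UPX-packed executable,
not in a file the user can open directly.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.?\s*$'
)

# Assumed list (not from the post): files that are images of another machine or
# filesystem. A hit inside one is evidence about the guest, not about the host file.
IMAGE_EXTS = ('.vdi', '.vmdk', '.vhd', '.sav', '.iso')

# Sample input: the eight lines quoted in the post above, verbatim.
SAMPLE_LOG = r"""
2009-12-02 6:11:53 PM   SYSTEM   1856   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Program Files\IrfanView\Plugins\CADImage.dll" file.
2009-12-02 6:56:14 PM   SYSTEM   1856   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\bb04gy7s.default\Cache\8B655DE1d01\[UPX]\[Embedded_R#403ef8]\[UPX]" file.
2009-12-02 6:56:29 PM   SYSTEM   1856   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Users\UserName\install\irfanview_plugins_425_setup.exe.part\[UPX]\[Embedded_R#403ef8]\[UPX]" file.
2009-12-02 6:56:41 PM   SYSTEM   1856   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Users\UserName\install\irfanview_plugins_425_setup.exe\[UPX]\[Embedded_R#403ef8]\[UPX]" file.
2009-12-02 6:58:02 PM   SYSTEM   1856   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Users\UserName\install\test\irfanview_plugins_425_setup.exe\[UPX]\[Embedded_R#403ef8]\[UPX]" file.
2009-12-02 7:23:03 PM   SYSTEM   1856   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Users\UserName\.VirtualBox\HardDisks\W7.vdi" file.
2009-12-02 7:23:51 PM   SYSTEM   1856   Sign of "Win32:Small-HUF [Trj]" has been found in "C:\Users\UserName\.VirtualBox\Machines\W7-Surf\Snapshots\{c1353af8-1307-49c2-8550-d883dda5b43f}.sav" file.
2009-12-03 10:30:35 AM   UserName   5432   Sign of "Win32:Adloader-AC [Trj]" has been found in "C:\Users\UserName\.VirtualBox\HardDisks\W7.vdi" file.
"""


@dataclass
class Detection:
    ts: str
    user: str
    pid: int
    signature: str
    host_path: str                               # the on-disk file the scanner opened
    layers: list = field(default_factory=list)   # nested container tokens, outermost first

    @property
    def nested(self) -> bool:
        return bool(self.layers)

    @property
    def in_image(self) -> bool:
        return self.host_path.lower().endswith(IMAGE_EXTS)


def parse_line(line: str):
    """Return a Detection for one log line, or None if the line is not a detection."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m.group('path').split('\\[')           # host path, then "UPX]", "Embedded_R#403ef8]", ...
    layers = [p.rstrip(']') for p in parts[1:]]
    return Detection(m.group('ts'), m.group('user'), int(m.group('pid')),
                     m.group('sig'), parts[0], layers)


def parse_log(text: str):
    """Parse a whole log, silently skipping blank or non-detection lines."""
    return [d for d in (parse_line(l) for l in text.splitlines()) if d is not None]


def summarize(detections):
    """Group hits so the shape of the event is visible before any file is touched."""
    by_host = defaultdict(set)
    for d in detections:
        by_host[d.host_path].add(d.signature)
    return {
        'total': len(detections),
        'by_signature': dict(Counter(d.signature for d in detections)),
        'hosts': sorted(by_host),
        # one host file hit by several signatures is worth a second look either way
        'multi_signature_hosts': {h: sorted(s) for h, s in by_host.items() if len(s) > 1},
        'nested': [d for d in detections if d.nested],
        'in_image': [d for d in detections if d.in_image],
    }


if __name__ == '__main__':
    s = summarize(parse_log(SAMPLE_LOG))
    print(f"{s['total']} hits over {len(s['hosts'])} on-disk files")
    for sig, n in s['by_signature'].items():
        print(f"  {n:3d}  {sig}")
    print(f"{len(s['nested'])} hits are inside packed/embedded layers, "
          f"{len(s['in_image'])} are inside VM disk images or snapshots")
    for d in s['nested']:
        print(f"  {d.host_path}  ->  {' > '.join(d.layers)}")
```

Run it on a saved log instead of the embedded sample by passing the file's text to parse_log. The useful signal for a suspected false positive is the grouping: one signature repeated across a vendor's shipped DLL, a browser cache entry and the installer that produced it (all the same UPX-packed resource) points at one over-broad pattern rather than five infections, and the hits inside .vdi and .sav files refer to the guest, so restoring or rescanning the host image after a VPS update is the only meaningful action there.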

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Win32:Delf-MZG and Win32:Zbot-MKK
« Reply #7 on: December 04, 2009, 12:55:04 AM »
Avast1M,
please update the VPS to the latest database.
If any of those detected files were placed in the chest, please re-scan them from the chest, and if clean (and they probably are) right-click and restore each in turn.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Win32:Delf-MZG and Win32:Zbot-MKK
« Reply #8 on: December 04, 2009, 05:23:15 AM »
I disabled OA for the time being because of the deletions and put WinPatrol in. Everything is as good as normal. I haven't looked through all the programs, but there's nothing there I can't reinstall.

I just ran a manual update and everything is up to date.

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3054
Re: Win32:Delf-MZG and Win32:Zbot-MKK
« Reply #9 on: December 04, 2009, 05:32:56 AM »
welcome back mkis.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Win32:Delf-MZG and Win32:Zbot-MKK
« Reply #10 on: December 06, 2009, 09:12:40 PM »
I've been real busy offline, and the FPs issue is resolved, or I may have started a thread about deleting files to rid yourself of virus alerts, called "oops I deleted some OA files". I still had a computer to check up on, and to see what screenshots I had been left with. That's been done now, and this post summarises the FP breakout at my place, with special emphasis on "don't delete any files in case you are going to need them later". The files that you are being asked to delete may be important files that you will need to run your system or some part of your system. And it turns out the files are needed and will have to be restored from the chest. (Rarely ever happens, but this time it did.)

Here is the run of events

I was alerted to the detections.
I brought up MWSnap, avast (to scan OA), Revo (to uninstall OA - I had recently had firewall issues).

I sent one file to the chest. Wait.
Second one to the chest, but the chest refused to take it. Wait. Delete.
Next alert up on screen.

Neither MWSnap nor Revo up yet. Went on-demand to the avast scan - to scan OA.
Scan runs - virus found in memory.
Prompt by avast - so went to boot scan - detections = Win32:Delf-MZC [Trj] and Zbot-MKK [Trj] (screenshot of avast warnings).

Since the computer has virtually nothing on it but program and system files, it wasn't too much trouble to watch the sequence of the scan through. I didn't write down everything, and likely missed something else, and so on, but here is how the scan ran through. There were no FPs amongst Windows files.
 
Programs - OA, Hostman, Faststone have alerts; OOo_ and Winfast (stream TV) have no alerts
Windows -

IE
Installer
.NET
helper
health
prefetch
service packs
system
system32   Adobe (I use Foxit Reader, so no Adobe in Programs)
java internet macromedia
mui
drivers

The computer reboots to normal mode, and later on the hosts file updates.


Second computer -
Oops, I did it again. Such a pain not being able to just move forward; surely just delete. But no, not at all. Like DavidR says, you are left with no other option if you delete a file. What is called for is patience. I don't have much. Problem is I'm in with the newbies now; we're not to know any better. So I delete a few files here...

Wait to see how long the prompt takes. Then go into boot scan mode - saw that the FPs included Installer this time round... in fact we're not to know any better - at the same time the whole FP has proved to be a great learning experience, but let's hope it doesn't happen again.

Obviously Installer. FPs confined to Programs.
Put this computer back to best performance; still have to reinstall OA. Things pretty much back to boring best now.

-----------------

Computer one -
A firewall issue was solved. Ages and ages ago I had downloaded avast Internet Security 5 to have a look around. The program had not been completely uninstalled and I still had remnants in my system, including an avast5 firewall. I wasn't sure which aswclear uninstall utility to run on this, so in my rush I ran 32, Managed Client, and DNM, and I seem to have done the uninstall well enough. Put down as solved.

I have to reinstall OA on this computer. It has been done once before. Bit of a process to go through.

http://support.tallemu.com/vbforum/showthread.php?t=9909&highlight=mkis  

I disabled OA in Services (see screenshot) so that it does not turn up on the startup list (screenshot of WinPatrol). I get WinPatrol to fill in for OA. Also, since I haven't got a computer currently running Outpost 09 (free), I may yet run that firewall on this computer for a tryout.

Otherwise everything is back to boring best on this computer as well.

Edit - The firewall issue wasn't solved. I had to go to the registry and wipe the avast5 firewall, and have since then uninstalled and reinstalled a clean avast Home 4.8. All good.

 
« Last Edit: December 08, 2009, 10:23:26 PM by mkis »

2km3

  • Guest
Re: Win32:Delf-MZG and Win32:Zbot-MKK
« Reply #11 on: December 08, 2009, 02:12:26 AM »
Wish I could help on this issue... I haven't yet read of anyone's files being renamed and put in the chest. Through the chest it may be that the file locations can be seen. My chest will not open, and I receive the following message:

Initialization of Chest files.  Action was completed with errors! 
Program cannot use Chest client: (null)--->Description: Virus chest server is not running. RPC communication failed.
Initialization of Chest files
------------------------------------------------------------------------------------------
Program will try to load all Chest files from the following server: (null)
------------------------------------------------------------------------------------------
Action was completed with errors!
 
Avast needed to do a boot time scan as there was a virus present in memory... that was when all this began. There were a total of 737 files moved and there appears to be no way to access where they were. Short of identifying the code in each file, I am at a loss. Anyone have any ideas...... Thanks in advance.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Win32:Delf-MZG and Win32:Zbot-MKK
« Reply #12 on: December 08, 2009, 04:58:23 AM »
Hi 2km3

You need to provide more information about your system and what has happened to it.

avast does not put files in the chest automatically. It will always ask first.

Have a look at this page for the failure concerning the chest and files
http://www.google.co.nz/search?rlz=1C1GGLS_enNZ344NZ345&sourceid=chrome&ie=UTF-8&q=Program+cannot+use+Chest+client:+(null)


2km3

  • Guest
Re: Win32:Delf-MZG and Win32:Zbot-MKK
« Reply #13 on: December 08, 2009, 12:05:38 PM »
My system is as follows: Acer Aspire 5100, 1.6GHz Turion 64 X2, 1GB RAM, XP Pro SP2, Tiny's Personal Firewall, Avast AV.

12-3-09  1:13pm

It was time to check my entire system with Avast AV.....
There were files in memory detected with the update in question; my system was rebooted and a boot time scan was done. Of course infected files were found... and I was asked what to do with them; I told the AV to put them ALL into the chest. Apparently, by looking at the CHEST folder, the "infected" files were renamed when moved to the virus chest; they cannot be identified, as the path and the original name are not available. I updated the virus database (at first I did NOT do a scan); after the update the virus chest would not open, so I have no option to restore. When this happened there was about 1.5GB of space left on my C: drive; afterwards there was 200MB, as all the files were put into the chest.

12-8-09  3:35am

Somehow some of the files were returned to their paths; I did not return them. I cannot verify if all the files have been replaced; there are simply too many, though some have and some have not, for certain. I still cannot open the chest after a complete scan, and I get the same message as before.

Following are messages I get...

Initialization of Chest files.  Action was completed with errors!  
Program cannot use Chest client: (null)--->Description: Virus chest server is not running. RPC communication failed.
Initialization of Chest files
------------------------------------------------------------------------------------------
Program will try to load all Chest files from the following server: (null)
------------------------------------------------------------------------------------------
Action was completed with errors!

The operating system I can repair... though for now it appears to work OK. I have not tried to install any programs nor uninstall any. My network works fine, as does the internet. The system boots and shuts down fine as well. There are 737 files listed in the aswboot.txt that were affected... the System Restore folder, the C:\ drive and my external E:\ drive.

It is the installed program files returned to their original paths that is my main concern. Is it possible to associate the files in the chest with their original name and path?
« Last Edit: December 08, 2009, 12:19:29 PM by 2km3 »

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Win32:Delf-MZG and Win32:Zbot-MKK
« Reply #14 on: December 08, 2009, 01:34:31 PM »
Yes, it is able to associate. That name/path is where your files are reinstated when you restore them.

You are not updated to Service Pack 3, so your operating system is unreliable, not stable on average.

There are many answers to your question about the chest failing to initialise. I don't know much about it myself without more details. What do you mean, 200MB? Is that what's left on your whole hard drive? Even your 1.5GB. These are small volumes. So what is the size of your hard drive that these should be so small?

Does the operating system appear to work OK for now?
