Win32:Delf-MZG and Win32:Zbot-MKK

I was hit with these FPs

http://forum.avast.com/index.php?topic=51647.0

but I have been away from my computer so I am unable to fully report until I get back home

Detection references

Win32:Delf-MZG
Win32:Zbot-MKK

First, on one computer, it began with warnings on OA, then an avast message box asking if I wanted to reboot into a safe environment for a system checkup, and I took that option - approx 20 detections in my Program Files but nothing in my Windows files (see attachment)

Then, testing another computer, the same thing happened. A boot scan was running when I left home and I just noticed a detection in Windows Installer as I went out the door. So Windows files as well this time.

It may be of note that earlier in the day, on the first computer, I had found in Services that avast! Antivirus had not been started despite being set to Automatic.

Back soon

Hi mkis, if you browse the forum, you will probably be able to answer this yourself.
http://forum.avast.com/index.php?topic=51647
Not a happy day for Avast.

mkis, did you try restoring the files?
http://forum.avast.com/index.php?topic=51643.msg436955#msg436955

Not yet. Only just back online and at a friend's place.

I've been sending through some files and screenshots that I quickly saved to a USB removable drive just before I left home. I'll be back at home again soon. Not sure as to the extent of the issues, as a boot scan was still running as I left home. I will read through the forum entries when I am at home. The first computer that started receiving warnings seemed back to smooth running by the time I left home. Neither of the computers tested is used as part of my work. So I'm not overly worried about anything myself.

I think the best option is to run Restart with boot scan immediately, send files with virus warnings to the chest, and sit tight until the weather clears. But there may be better advice on offer out there amongst forum members.

Anyway not much I can do for now. Back soon.

Best option is probably to not do a boot scan; to make sure the VPS is updated, and then to re-scan everything in the infected area of the chest, and if clean, restore it to original location.

Thanks Tarq

I just got home and opened up the second computer, the one I saw with the Windows installer infected. I went to the chest and restored the whole of the chest. I then ran a scan on OA where the first detection message came up. The scan returned 8 infected files.

I went to the update service and ran a manual update. Watched the update through, then went to chest and restored everything. Ran a scan on Online Armor and Tall Emu and came up clean.

Detections were as above. Mainly Program Files; the Windows Installer one came from an exe or something in the Programs folder, though the installer itself is amongst the Windows files, I think.

Haven't checked for damage in OA or anything. Will be doing some uninstall / reinstall of a few programs most likely. I had been up all night changing things around, then only an hour or so of sleep and something to do this afternoon. The alerts happened in between, so I woke up about 7 hours ago and the alerts began. Oops, I deleted a couple of supposed OA files. A bad practice from the dark old days that tends to stick on a bit. Then I ran the boot scan with avast and had 20 or so files in the chest. Watched it through; will post back some details. By then I had to rush, but ran the computer next to it (the one I'm on now) for email, the update came through, so alerts started going off, so I ran the boot scan and went to do other things.

The biggest mistake was not posting immediately to the forum. I hadn't the slightest idea of the size of the issue at the time. My mind was on another issue with avast not starting in Services, which was unrelated.

Just as big a mistake was the one Tarq points to above.
So UPDATE IMMEDIATELY

In addition to these found viruses, after starting to run a scan on my entire system, I found:

2009-12-02 6:11:53 PM SYSTEM 1856 Sign of “Win32:Delf-MZG [Trj]” has been found in “C:\Program Files\IrfanView\Plugins\CADImage.dll” file.
2009-12-02 6:56:14 PM SYSTEM 1856 Sign of “Win32:Delf-MZG [Trj]” has been found in “C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\bb04gy7s.default\Cache\8B655DE1d01[UPX][Embedded_R#403ef8][UPX]” file.
2009-12-02 6:56:29 PM SYSTEM 1856 Sign of “Win32:Delf-MZG [Trj]” has been found in “C:\Users\UserName\install\irfanview_plugins_425_setup.exe.part[UPX][Embedded_R#403ef8][UPX]” file.
2009-12-02 6:56:41 PM SYSTEM 1856 Sign of “Win32:Delf-MZG [Trj]” has been found in “C:\Users\UserName\install\irfanview_plugins_425_setup.exe[UPX][Embedded_R#403ef8][UPX]” file.
2009-12-02 6:58:02 PM SYSTEM 1856 Sign of “Win32:Delf-MZG [Trj]” has been found in “C:\Users\UserName\install\test\irfanview_plugins_425_setup.exe[UPX][Embedded_R#403ef8][UPX]” file.
2009-12-02 7:23:03 PM SYSTEM 1856 Sign of “Win32:Delf-MZG [Trj]” has been found in “C:\Users\UserName.VirtualBox\HardDisks\W7.vdi” file.
2009-12-02 7:23:51 PM SYSTEM 1856 Sign of “Win32:Small-HUF [Trj]” has been found in “C:\Users\UserName.VirtualBox\Machines\W7-Surf\Snapshots{c1353af8-1307-49c2-8550-d883dda5b43f}.sav” file.
2009-12-03 10:30:35 AM UserName 5432 Sign of “Win32:Adloader-AC [Trj]” has been found in “C:\Users\UserName.VirtualBox\HardDisks\W7.vdi” file.
I only got part of the way through. I suppose what is in the virtual drive files .sav and .vdi could be anything.

Avsat1M,
please update the VPS to the latest database.
If any of those detected files were placed in the chest, please re-scan them from the chest, and if clean (and they probably are) right-click and restore each in turn.

I disabled OA for the time being because of the deletions and put WinPatrol in. Everything is as good as normal. I haven't looked through all the Programs but there is nothing there I can't reinstall.

I just ran a manual update and everything is up to date.

Welcome back mkis.

I've been really busy offline, and the FPs issue is resolved, or I may have started a link about deleting files to rid yourself of virus alerts, called "oops I deleted some OA files". I still had a computer to check up on, and to see what screenshots I had been left with. That's been done now, and this post summarises the FP breakout at my place, with special emphasis on "don't delete any files in case you are going to need them later". The files that you are being asked to delete may be important files that you will need to run your system or some part of your system. And it turns out the files are needed and will have to be restored from the chest. (Rarely ever happens, but this time it did.)

Here is the run of events:

I was alerted to the detections.
I brought up MWSnap, avast (to scan OA), Revo (to uninstall OA - I had recently had firewall issues).

I sent one file to the chest. Wait.
Second one to the chest but the chest refused to take it. Wait. Delete.
Next alert up on screen.

Neither MWSnap nor Revo up yet. Went on-demand to avast scan - to scan OA.
Scan runs - virus found in memory.
Prompt by avast - so went to boot scan - detections = Win32:Delf-MZC[Trj] and Zbot-MKK[Trj] (screenshot avast warnings).

Since the computer has virtually nothing on it but program and system files, it wasn't too much trouble to watch the sequence of the scan through. I didn't write down everything, and likely missed something else, and so on, but here is how the scan ran through. There were no FPs amongst Windows files.

Programs - OA, Hostman, Faststone have alerts, OOo_ and Winfast (stream tv) have no alerts
Windows -

IE
Installer
.NET
helper
health
prefetch
service packs
system
system32 Adobe (I use Foxit Reader so no Adobe in Programs)
java internet macromedia
mui
drivers

Computer reboots to normal mode, and later on hostsfile updates.

Second computer -
Oops, I did it again. Such a pain not being able to just move forward; surely just delete. But no, not at all. Like DavidR says, you are left with no other option if you delete a file. What is called for is patience. I don't have much. Problem is I'm in with the newbies now, we're not to know any better, so I delete a few files here…

Wait to see how long the prompt takes. Then go into boot scan mode - saw that the FPs included the installer this time round…in fact we're not to know any better - at the same time the whole FP has proved to be a great learning experience, but let's hope it doesn't happen again.

Obviously the installer. FPs confined to Programs.
Put this computer back to best performance; still have to re-install OA. Things pretty much back to boring best now.


Computer one -
A firewall issue was solved. Ages and ages ago I had downloaded avast Internet Security 5 to have a look around. The program had not been completely uninstalled and I still had remnants in my system, including an avast5 firewall. I wasn't sure which aswclear uninstall utility to run on this, so in my rush I ran 32, Managed Client, and DNM, and I seem to have done the uninstall well enough. Put down as solved.

I have to reinstall OA on this computer. It has been done once before. Bit of a process to go through.

http://support.tallemu.com/vbforum/showthread.php?t=9909&highlight=mkis

I disabled OA in Services (see screenshot), so that it does not turn up in the startup list (screenshot of WinPatrol). I get WinPatrol to fill in for OA. Also, since I haven't got a computer currently running Outpost 09 (free), I may yet run that firewall on this computer for a tryout.

Otherwise everything is back to boring best on this computer as well.

Edit - Firewall issue wasn't solved. I had to go to the registry and wipe the avast5 firewall and have since then uninstalled and reinstalled a clean avast home 4.8. All good.

Wish I could help on this issue… I haven't yet read of anyone's files being renamed and put in the chest. Through the chest it may be that the file locations can be seen. My chest will not open and I receive the following message:

Initialization of Chest files. Action was completed with errors!
Program cannot use Chest client: (null)—>Description: Virus chest server is not running. RPC communication failed.
Initialization of Chest files

Program will try to load all Chest files from the following server: (null)

Action was completed with errors!

Avast needed to do a boot time scan as there was a virus present in memory… that was when all this began. There were a total of 737 files moved and there appears to be no way to access where they were. Short of identifying the code in each file I am at a loss. Anyone have any ideas… Thanks in advance.

Hi 2km3

You need to provide more information about your system and what has happened to it.

avast does not put files in the chest automatically. It will always ask first.

Have a look at this page for the failure concerning the chest and files:
http://www.google.co.nz/search?rlz=1C1GGLS_enNZ344NZ345&sourceid=chrome&ie=UTF-8&q=Program+cannot+use+Chest+client:+(null)

My system is as follows: Acer Aspire 5100, 1.6GHz Turion 64 X2, 1GB RAM, XP Pro SP2, Tiny Personal Firewall, Avast AV.

12-3-09 1:13pm

It was time to check my entire system with Avast AV…
There were files in memory detected with the update in question; my system was rebooted and a boot time scan was done. Of course infected files were found… and I was asked what to do with them; I told the AV to put them ALL into the chest. Apparently, looking at the CHEST folder, the "infected" files were renamed when moved to the virus chest; they cannot be identified, as the path and the original name are not available. I updated the virus database (at first I did NOT do a scan); after the update the virus chest would not open, so I have no option to restore. When this happened there was about 1.5GB of space left on my c: drive; afterwards there was 200MB, as all the files were put into the chest.

12-8-09 3:35am

Somehow some of the files were returned to their paths; I did not return them. I cannot verify if all the files have been replaced, there are simply too many, though some have and some have not for certain. I still cannot open the chest after a complete scan and I get the same message as before.

Following are messages I get…

Initialization of Chest files. Action was completed with errors!
Program cannot use Chest client: (null)—>Description: Virus chest server is not running. RPC communication failed.
Initialization of Chest files

Program will try to load all Chest files from the following server: (null)

Action was completed with errors!

The operating system I can repair… though for now it appears to work ok. I have not tried to install any programs nor uninstall any. My network works fine, as does the internet. The system boots and shuts down fine as well. There are 737 files listed in aswBoot.txt that were affected… the system restore folder, the c:\ drive and my external e:\ drive.

It is the installed program files returned to their original paths that is my main concern. Is it possible to associate the files in the chest with their original name and path?

Yes, it is able to associate them. That name/path is where your files are reinstated when you restore them.

You are not updated to Service Pack 3, so your operating system is unreliable, not stable on average.

There are many answers to your question about the chest failing to initialise. I don't know much about it myself without more details. What do you mean 200MB? Is that what's left on your whole hard drive? Even your 1.5GB. These are small volumes. So what is the size of your hard drive that these should be so small?

Does the operating system appear to work ok for now?

So to restore, the chest must function!?

My system is rock solid, never any stability issues, and very reliable thanks to the firewall. In fact it is so stable I have 93 programs installed on this windows system, all without issues… so far, except for the ones affected by the AV issue.

When the AV put all the files into the chest, that is what was left of my drive, 200MB, not the usual 1.5GB remaining, which is more than enough for file space. These values are approximate… To restore the space I moved some files from my desktop that were not affected to the external drive, which gave me the gig and a half I like to have. My Virtual Memory is fixed at 1.376GB, is located on c:\, never changes and is more than enough.
Two things are for certain…
Files are in the chest and have not been restored.
The chest will not open.

My onboard drive that hosts XP is only 20GB; XP uses 18GB. There is an external 250GB for storage and booting Ubuntu Ultimate 1.9.
I use the grub boot loader.

If the AV program has been damaged… will repairing or reinstalling the AV cause more problems regarding the identification of the files in the chest that need to be restored?

Well, I'm gonna have a really fun time fixing this one. Avast said my dialer program (yeah, I know, dial-up is soooo 1990's) was infected, so it's in the virus chest. Now I can't access the internet to update Avast and it won't let me reload it from a disk because it says it's infected and I don't have permission to load it. (I'm the Administrator, darn it! If I don't have permission…who does?!)

Yes, you need to open your chest. If the alerts were caused in the recent FPs episode then you will have the detections recorded as in the title of this post. You can find them amongst warnings / alerts in the avast log viewer (right-click the 'a' icon in the bottom left corner, choose Log Viewer, select warnings or alerts).

If from the recent FP incident, then you have to restore files from the chest. So you can't uninstall avast.
You could try a repair. You would keep your files.

If from the recent FP incident, your files in the chest will all be from Programs, so which, if any, of your programs is not working properly? In my case OA was the program not working properly.

If not from the recent FP incident, then you might have caught a live one. You need to provide more info, or a screenshot will help. You can get a good photo capture if you search for MWSnap and download and run the program. You can capture a whole desktop or part of a desktop with MWSnap running.

This is how I go to the chest - right-click the 'a' icon, start avast! antivirus → Stop memory test → exit Help? – open chest from the simple user interface. It's always there no matter what.

So you need to open your chest, 2km3. That google search page is the best I can offer on the chest not initialising. I can see from the page that it happens a lot. But it hasn't happened to me so I'm a bit in the dark on that. And I have to know whether you can tie your issues in with the recent FPs episode which this thread is about.

737 is a massive number of files to have sent to the chest and not what I would expect from FPs. The best thing is to back up or copy your documents to a reliable external or removable drive somewhere so that they will be safe. That is documents, pictures, music and so on. Best to make more room on your hard drive. You need 15% free space (3GB minimum free) to run. Copying docs, pics, music to CD should free them from the threat of a virus. Try and get about 5GB free space.

Then look to disk cleanup and maybe defrag. Check that google page.

And update to SP3.

@ skibumm100

Try uninstalling and reinstalling your dialer and associated programs and restart.
Then see if you can connect to internet.

Thanks,

I’ll try it when I get home. The natives are restless w/o the internet.