Author Topic: Win32 Evo-Gen [Susp] in temp folder  (Read 7047 times)


REDACTED

  • Guest
Win32 Evo-Gen [Susp] in temp folder
« on: June 17, 2015, 06:36:18 PM »
Hi, my problem is EXTREMELY similar to the one discussed in this topic, which TwinHeadedEagle seemed to be a part of:
https://forum.avast.com/index.php?topic=169825.0


Whenever I scan the "WAX" tmp file it always comes up as not a threat, unless scanned by Avast in which case it is classified as Win32 Evo-Gen [Susp]. Virustotal also follows suit:
 https://www.virustotal.com/en/file/ac657ad939ca3e700c02641fa7bc967db7a000ec319d4d6c15ba8d32bfbe57ef/analysis/1434557387/

I have run Rkill, then ESET, TDSSKiller, MBAM, and HitmanPro, all in safe mode, but can't seem to find the source. The best that occurs is that Avast finds the new "WAX" tmp file created every few hours and I quarantine it. I have even performed a factory reset and the problem still persists.

For the record, the initial problem was that one day when I logged in, internet browsers were not working on my computer, but every other device on the network had internet capabilities. I restarted the computer and it began to work again, but I didn't like that, so I ran a scan with Avast and HitmanPro and this chaos was the result. When I performed a factory reset the same "loss" of internet mishap occurred and to fix it I needed a restart, but the tmp files were still being created.

There are no slowdowns or anything of the sort happening on my computer, but I don't like these constant "WAX" tmp files being flagged by Avast, and the internet "loss" coincidence is earning my interest.

Thank you in advance to whoever helps me get rid of this problem.
Paul
« Last Edit: June 17, 2015, 06:42:57 PM by paujfont »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: Win32 Evo-Gen [Susp] in temp folder
« Reply #1 on: June 17, 2015, 06:39:41 PM »
And what if you clear your temp folders?

TFC cleaner   http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/


If still a problem, follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
« Last Edit: June 17, 2015, 06:42:13 PM by Pondus »

REDACTED

  • Guest
Re: Win32 Evo-Gen [Susp] in temp folder
« Reply #2 on: June 17, 2015, 07:51:59 PM »
When I used the TFC Cleaner it ran and the temp file was deleted. However, once I restart the computer another "WAX" tmp file just takes its place, again being flagged only by Avast.
New VirusTotal link: https://www.virustotal.com/en/file/c81ef0c79500e426ef890c241185c8688d604512dd35cdece181df7470c585e7/analysis/1434561507/

One thing I have noticed is that after running the TFC Cleaner I can access my Windows\Temp folder without getting a "you are not permitted to access this folder" pop-up. Previous to this I couldn't even look at the contents of the folder, and I only knew what was inside by examining scan logs created by anti-virus scanners. Also, I am an administrator, for that matter. Sorry to bother, but are you able to explain this behavior?

I forgot to mention, the "WAX" files are often accompanied by a .txt. Would you like me to attach the .txt file in my next post?

I have also attached my MBAM log, my Farbar logs, and the aswMBR log as per your 2nd link.
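The check a responder would want at this point is to pin down what the recurring "WAX" file actually is and when it appears, rather than only quarantining it. The following PowerShell script is an added example and is not code from the thread or from any of the tools mentioned in it. It hashes everything in the per-user and system temp folders, flags files whose SHA-256 matches the two VirusTotal hashes posted above, prints creation times (to correlate with the "every few hours" cadence), shows the ACL on each temp folder (the access-denied prompt the poster saw), and lists scheduled tasks whose command line references a Temp path. The `WAX` name filter, the column layout and the task filter are this example's own assumptions.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumption: the two SHA-256 values are copied from the VirusTotal links in the thread.
$KnownHashes = @(
    'AC657AD939CA3E700C02641FA7BC967DB7A000EC319D4D6C15BA8D32BFBE57EF',
    'C81EF0C79500E426EF890C241185C8688D604512DD35CDECE181DF7470C585E7'
)
$TempDirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))

foreach ($dir in $TempDirs) {
    "=== $dir ==="
    # The poster reported an access-denied prompt on C:\Windows\Temp: show the folder ACL.
    try {
        $acl = Get-Acl -LiteralPath $dir
        "owner: $($acl.Owner)"
        $acl.Access | ForEach-Object {
            "    {0,-40} {1,-6} {2}" -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
        }
    } catch {
        "cannot read ACL: $($_.Exception.Message)"
    }

    # Hash every candidate file and mark the ones already submitted to VirusTotal.
    # Assumption: the recurring file's name contains 'WAX'; the .txt companion is kept too.
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*WAX*' -or $_.Extension -in '.tmp', '.txt' } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            [pscustomobject]@{
                Created = $_.CreationTime
                Size    = $_.Length
                Name    = $_.Name
                Owner   = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                SHA256  = $hash
                Known   = ($hash -in $KnownHashes)
            }
        } | Sort-Object Created | Format-Table -AutoSize
}

# A file recreated on a fixed cadence is often written by a scheduled task or a service.
# schtasks verbose CSV output has a 'Task To Run' column with the command line.
"=== scheduled tasks whose command line mentions a Temp folder ==="
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match '(?i)\\temp\\' } |
    Select-Object TaskName, 'Last Run Time', 'Next Run Time', 'Task To Run' |
    Format-Table -AutoSize
```

If no task matches, the next step is to leave Sysinternals Process Monitor running with a filter on the temp path so the process that creates the file is captured at the moment it appears; a 0-byte file whose owner is SYSTEM points at a service or an updater, one owned by the interactive user points at a program in that user's session.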

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: Win32 Evo-Gen [Susp] in temp folder
« Reply #3 on: June 17, 2015, 07:57:51 PM »
Now you wait for a malware expert to check your logs.


It seems you are running plenty of antivirus programs:
Quote
AV: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {ADA629C7-7F48-5689-624A-3B76997E0892}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {16C7C823-5972-5907-58FA-0004E2F9422F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: McAfee Firewall (Enabled) {959DA8E2-3527-57D1-4915-924367AD4FE9}



Why Using Multiple Antivirus Programs is a Bad Idea   https://blog.kaspersky.com/multiple-antivirus-programs-bad-idea/

General: Uninstalling a third-party antivirus software  https://www.avast.com/en-eu/faq.php?article=AVKB11#artTitle


« Last Edit: June 17, 2015, 08:01:30 PM by Pondus »
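The AV/AS/FW lines quoted from the FRST log come from the Windows Security Center (WMI namespace root\SecurityCenter2). The script below is an added example, not from the thread or from FRST, that queries the same registrations directly and warns when more than one real-time antivirus engine is enabled, which is the situation Pondus is pointing at. The decoding of `productState` (bit 0x1000 = real-time protection enabled, bit 0x10 = definitions out of date) is the commonly used community interpretation; Microsoft does not document the field, so treat that decoding as an assumption and compare it against what each product's own console reports.

```powershell
# Added example, not from the original post. Works on client Windows (Vista and later);
# the SecurityCenter2 namespace does not exist on Windows Server.
function Get-SecurityProducts {
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                $state = [int]$_.productState
                [pscustomobject]@{
                    Kind     = ($class -replace 'Product$')
                    Name     = $_.displayName
                    # Assumption: undocumented bit layout used by most community scripts.
                    Enabled  = (($state -band 0x1000) -ne 0)
                    Outdated = (($state -band 0x10) -ne 0)
                    StateHex = ('0x{0:X6}' -f $state)
                    Exe      = $_.pathToSignedProductExe
                }
            }
    }
}

$products = Get-SecurityProducts
$products | Format-Table -AutoSize

# Two enabled real-time engines scan each other's files and hooks; flag that explicitly.
$enabledAv = @($products | Where-Object { $_.Kind -eq 'AntiVirus' -and $_.Enabled })
if ($enabledAv.Count -gt 1) {
    "WARNING: {0} real-time antivirus engines enabled: {1}" -f $enabledAv.Count, ($enabledAv.Name -join ', ')
} elseif ($enabledAv.Count -eq 0) {
    "WARNING: no antivirus product reports real-time protection enabled"
}
```

Note that a product uninstalled through Add/Remove Programs sometimes leaves a stale SecurityCenter2 registration behind; if a name still shows up here after removal, the vendor's dedicated removal tool (for McAfee, the one linked from the Avast FAQ above) clears it.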

REDACTED

  • Guest
Re: Win32 Evo-Gen [Susp] in temp folder
« Reply #4 on: June 17, 2015, 08:08:36 PM »
McAfee had come with the computer, and because I had done a factory reset it came up again. Normally I just use Avast as my AV, but I had forgotten to "clean up" a bit after performing the factory reset.

I turned off McAfee real-time scanning while I ran the 3 scanners you advised me to run, and will uninstall it right now if you or another moderator says I can do so. The only other two I have are Avast and Windows Defender. Windows Defender is turned off and I plan to use Avast as my primary AV.

Edit: I uninstalled McAfee after reading your 2nd link.
« Last Edit: June 17, 2015, 08:17:42 PM by paujfont »

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32 Evo-Gen [Susp] in temp folder
« Reply #5 on: June 17, 2015, 09:18:56 PM »
Hello,

There is no real loaded malware on board. Still, run this script for FRST and tell me whether it fixes your problem.

Please keep in mind that Windows' $Temp is the default temporary location for various programs. There will always be files in there.
Yes, malware may abuse this path, but the posted logs show no malware, and avast! raises these alerts as 'Evo-Gen', which usually means possible malware and in real life is a false detection.

If you are still getting the avast! warning, my recommendation is to contact avast support and ask them to examine and remove the FP detection. Or you may put the file on the ignore list if you wish.

The following FixList tells the tool to remove a 0-byte file and to delete all the default temp and cache folders, using force if need be. Temp will be cleaned after this run.


1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
CreateRestorePoint:
CMD: ipconfig /flushdns

Hosts:
C:\ProgramData\DP45977C.lfl

EmptyTemp:

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It is important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.