Author Topic: Win32:Evo-gen (Susp)  (Read 6925 times)


Offline [Oli]

  • Sr. Member
  • ****
  • Posts: 328
Win32:Evo-gen (Susp)
« on: April 13, 2013, 05:55:51 PM »
Hi, Avast just informed me that they had quarantined a potentially dangerous rootkit.
File Location: C:\Windows\SoftwareDistribution\DataStore\Logs
(note: this was hijacking svchost.exe; there are around 60+ of them!)
Original File name: tmp.edb
Size of File: 524288
Last Modification: 15:38:08
Time of Transfer: 16:44:12
Category: Infected Files
Virus description: Win32-Evo-gen
File ID: 1
Previous virus issues: http://forum.avast.com/index.php?topic=118828.msg916264#msg916264


Hopefully we can get this fixed. Very worried indeed.
« Last Edit: April 13, 2013, 06:01:14 PM by OliPicard »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 37858
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Evo-gen (Susp)
« Reply #1 on: April 13, 2013, 06:19:12 PM »
As this is an evo detection it may be a false positive, but let's check it out.

Download OTL to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.


  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs
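The triage essexboy walks through above (is the flagged path a Windows Update datastore location, is the file really an ESE database, and what are the hashes of the core binaries) can be pre-filtered in a few lines before anyone reads an OTL log. The script below is an added example written for this thread; it is not code from the original post, from Avast, or from OTL. It parses the alert record as posted in the first message, checks the path against a small analyst-maintained allow-list of Windows Update datastore directories (an assumption, not an Avast list), and inspects the first bytes of a file for the ESE/JET Blue header signature (0x89ABCDEF at offset 4). The alert text and the sample header bytes are constructed for illustration.

```python
"""Pre-filter for an AV hit on a Windows Update datastore file.

Added example for this thread, not code from the post, Avast or OTL.
"""
import re
import struct
from pathlib import PureWindowsPath

# Reproduction of the alert record posted in the thread (constructed text).
ALERT_TEXT = r"""File Location: C:\Windows\SoftwareDistribution\DataStore\Logs
Original File name:tmp.edb
Size of File: 524288
Category: Infected Files
Virus description: Win32-Evo-gen
"""

# Directories where the Windows Update client keeps its ESE database and
# transaction logs. Assumption: this allow-list is maintained by the analyst.
WU_DATASTORE_DIRS = (
    PureWindowsPath(r"C:\Windows\SoftwareDistribution\DataStore"),
    PureWindowsPath(r"C:\Windows\SoftwareDistribution\DataStore\Logs"),
)
# Extensions used by ESE databases, checkpoints, transaction and reserve logs.
ESE_EXTENSIONS = {".edb", ".chk", ".log", ".jrs"}
# ESE database header: 4-byte checksum, then this signature at offset 4.
ESE_SIGNATURE = 0x89ABCDEF


def parse_alert(text):
    """Turn 'Key: value' lines into a dict; tolerates a missing space after the colon."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def in_wu_datastore(directory):
    """True if the directory is, or lies under, a known datastore directory (case-insensitive)."""
    p = PureWindowsPath(directory)
    return any(p == d or d in p.parents for d in WU_DATASTORE_DIRS)


def looks_like_ese_database(header_bytes):
    """True if bytes 4..8 hold the little-endian ESE signature."""
    if len(header_bytes) < 8:
        return False
    return struct.unpack_from("<I", header_bytes, 4)[0] == ESE_SIGNATURE


def sample_ese_header():
    """Constructed 32-byte header with the ESE signature in place (not a real file)."""
    return b"\0\0\0\0" + struct.pack("<I", ESE_SIGNATURE) + bytes(24)


def triage(alert_text, header_bytes=None):
    """Return (verdict, reasons) for an alert; header_bytes is the file's first bytes if available."""
    f = parse_alert(alert_text)
    directory = f.get("file location", "")
    ext = PureWindowsPath(f.get("original file name", "")).suffix.lower()
    reasons = []
    if in_wu_datastore(directory):
        reasons.append("path is inside the Windows Update datastore")
    if ext in ESE_EXTENSIONS:
        reasons.append(f"extension {ext} is an ESE database/log artifact")
    if header_bytes is not None and looks_like_ese_database(header_bytes):
        reasons.append("file header carries the ESE signature")
    # Two independent indicators are required before calling it a likely FP.
    verdict = "likely false positive" if len(reasons) >= 2 else "needs analysis"
    return verdict, reasons


if __name__ == "__main__":
    verdict, reasons = triage(ALERT_TEXT, sample_ese_header())
    print(verdict)
    for r in reasons:
        print(" -", r)
```

The verdict is only a pre-filter: a file in the right directory with the right extension and header is what Windows Update writes, but it does not rule out a tampered system, which is why the OTL hash block over services.*, explorer.exe, winlogon.exe, Userinit.exe and svchost.exe is still worth reviewing.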

Offline [Oli]

Re: Win32:Evo-gen (Susp)
« Reply #2 on: April 13, 2013, 06:20:05 PM »
OK, Avast has currently got it inside the virus chest; should I remove it from the chest before running the OTL?

Many Thanks
Oliver

Offline essexboy

Re: Win32:Evo-gen (Susp)
« Reply #3 on: April 13, 2013, 06:20:30 PM »
No leave it there

The file was probably created as part of Windows Update, located here:
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
« Last Edit: April 13, 2013, 06:22:15 PM by essexboy »

Offline [Oli]

Re: Win32:Evo-gen (Susp)
« Reply #4 on: April 13, 2013, 06:32:38 PM »
OK, scan complete :D, posting OTL + Extras


« Last Edit: January 07, 2015, 07:02:50 PM by OliPicard »

Offline essexboy

Re: Win32:Evo-gen (Susp)
« Reply #5 on: April 13, 2013, 06:36:52 PM »
Looks clean, so I reckon we are looking at an FP here ;D

Offline [Oli]

Re: Win32:Evo-gen (Susp)
« Reply #6 on: April 13, 2013, 06:38:29 PM »
Ah, thanks, great :D! Should I just run a quick MBAM scan? After that, if it's clean, should I remove OTL/report the FP to Avast, or should I just delete the file in question from the virus vault?

Many Thanks
Oliver

Offline essexboy

Re: Win32:Evo-gen (Susp)
« Reply #7 on: April 13, 2013, 06:39:26 PM »
Just delete the file, as it is a Windows storage file that it would have deleted on reboot.

Aye give MBAM a whirl

Offline [Oli]

Re: Win32:Evo-gen (Susp)
« Reply #8 on: April 13, 2013, 07:55:04 PM »
Hi, just gone ahead and removed the file. I have found a new file in the same location, edb.chk (thought I should mention this just in case); scanned it and found no issues. I'm guessing it's a FP. Shall continue to monitor for any changes. The MBAM results were fine.

Offline essexboy

Re: Win32:Evo-gen (Susp)
« Reply #9 on: April 13, 2013, 07:58:03 PM »
Aye, I do not think there is anything there.

Offline [Oli]

Re: Win32:Evo-gen (Susp)
« Reply #10 on: April 13, 2013, 08:06:14 PM »
OK, just ran an Avast scan and it said one of the folders couldn't be scanned. I am re-running the scan to see if it comes up again. I have also gone ahead and manually rescanned that directory.

Offline [Oli]

Re: Win32:Evo-gen (Susp)
« Reply #11 on: April 13, 2013, 08:08:25 PM »
My guess is that directory was already deleted, but when the scanner went to look at it, it thought it was still there. :D

Just doing a quick search and I've found someone else who asked the same question.

Offline essexboy

Re: Win32:Evo-gen (Susp)
« Reply #12 on: April 13, 2013, 08:11:00 PM »
Those are event trace logs used by Windows, and the "unable to scan" is not a problem.

Offline [Oli]

Re: Win32:Evo-gen (Susp)
« Reply #13 on: April 13, 2013, 08:28:24 PM »
It's come back clear now. I shall continue to monitor for the next 24 hours; if anything changes I'll be sure to post.

Thanks again Essexboy :)

Offline essexboy

Re: Win32:Evo-gen (Susp)
« Reply #14 on: April 13, 2013, 08:35:08 PM »
My pleasure  ;D