Author Topic: Rootkit found?  (Read 3416 times)

Offline mallomar

  • Jr. Member
  • **
  • Posts: 23
Rootkit found?
« on: September 26, 2013, 06:23:20 AM »
Not sure if these two events are related... I have an Acer Aspire One netbook running XP, SP3.

This morning, the netbook would not "wake up." The green light (on the ON button) was lit, but the screen was totally blank, like it wasn't working. Tried turning the machine off and on a couple times, but still nothing came up onscreen. Husband disconnected and reconnected the battery, and the netbook then started up -- screen was working. So I don't really know if it was a problem with startup, or just a glitch with the screen.

Shortly after I started running the netbook, I got an Avast pop-up:

Rootkit Found

A suspicious hidden object (rootkit) has been detected on your system. this may be a sign of a malware infection. it is recommended to remove the object immediately.

svc: googledesktopmanager-80708-050100 > c:\...\googledesktop.exe

rootkit name:   Win32:Evo-gen [Susp]

I think there was an Avast virus definitions update before I got the pop-up, but I'm not sure.

Anyway, I don't know if I should let Avast delete the rootkit, or if it is a false positive. Could it do any harm to try to remove it without knowing if it's a false positive?

I'm not a technical person so I'm trying to be cautious.

Thanks for any advice.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37641
  • F-Secure user
Re: Rootkit found?
« Reply #1 on: September 26, 2013, 08:21:19 AM »
svc: googledesktopmanager-80708-050100 > c:\...\googledesktop.exe
upload the file at and test with 40+ malware scanners (if tested before, click new scan)
post link to scan result here

if it comes back clean at VT, send it to avast lab so that they can correct the detection

You can upload files and send reports to avast  here:    (change subject to suit your case)

you can use mail

send to in a password protected zip file
mail subject:  False Positive / undetected sample (select subject according to your case)
zip password:  infected

or you can send files from avast chest
how to use the chest.

Offline redwolfe_98

  • Full Member
  • ***
  • Posts: 107
Re: Rootkit found?
« Reply #2 on: September 26, 2013, 01:44:24 PM »
mallomar, i suspect it is a false-positive.. it seems that lots of people are getting "Win32:Evo-gen [Susp]" false-positives this morning..

i don't know about the avast-free program, but, with the avast-pro program, on the "support" tab, there is a utility, there, for submitting files to "avast" (without first having to quarantine the file)..

assuming that it is a false-positive, you wouldn't want to quarantine the file.. i mean, if it was me, i always verify that a file actually is malware before i allow it to be removed..

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Rootkit found?
« Reply #3 on: September 26, 2013, 03:21:07 PM »
This may not be a false positive as google desktop is the latest hidey hole for the ZA malware.  Do you use google desktop?

Offline mallomar

  • Jr. Member
  • **
  • Posts: 23
Re: Rootkit found?
« Reply #4 on: September 26, 2013, 04:01:41 PM »

I tested the file at Virus Total:

Test result was 0 / 48 which I assume means zero viruses. I sent the file to Avast.


Offline mallomar

  • Jr. Member
  • **
  • Posts: 23
Re: Rootkit found?
« Reply #5 on: September 26, 2013, 04:03:38 PM »

Yeah, I didn't want to remove the file and then find out it was clean and something I needed. Although in this case it's apparently a file I don't need.


Offline mallomar

  • Jr. Member
  • **
  • Posts: 23
Re: Rootkit found?
« Reply #6 on: September 26, 2013, 04:06:15 PM »

Frankly, I didn't even know what google desktop was. I had to google it to find out! And no, I don't use it -- never have. I suspect it's something that was preinstalled on the netbook but not activated.

I suppose I could uninstall it, since I don't use it.