Topic: Win32:Evo-gen

JWT

  • Guest
Win32:Evo-gen
« on: November 13, 2013, 09:44:27 PM »

Along with my new cell phone the company also gave me voice mail with voice recognition. Today I received an email saying I had 4 new voice mails, which I opened.

Avast raised the alarm; in a few minutes there were 4 files in the shield log. I thought the problem was solved.

I tried a web search for the files and found nothing, so I tried the Avast Forum for Win32:Evo-gen. I could not find a specific fix, so I went to some other sites. One solution said to back everything up, so I closed the programs and restarted the computer.

The computer was slow to restart and there were 1-2 notifications asking for permission to modify Adobe Flash Player. When I clicked "No" the notification came back up again and again. To get around this I opened Task Manager and closed the application.

Now the computer takes 1-2 minutes to respond and the size of the window menu bars has changed.

With an even bigger problem I returned to the Avast site and after reading 6 or 8 posts I found a link on how to remove the malware.

I downloaded both ComboFix and adwcleaner but neither will start.

When I try to open either I get an error message: "The dependency service or group failed to start".

When I open the Downloads directory I can see the files, but when I click on the files the directory stops responding.

I just checked the Avast shield log and it is empty. Avast is no longer giving any warnings.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32:Evo-gen
« Reply #1 on: November 13, 2013, 09:48:16 PM »
Hi. Who told you to run ComboFix?
Can you tell me the full path of the detected file? A screenshot will do.

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Under Optional Scan ensure "Driver MD5" is ticked.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

JWT

  • Guest
Re: Win32:Evo-gen
« Reply #2 on: November 13, 2013, 10:17:17 PM »

It is downloaded but Windows Explorer is stalled/running very slow. It took 4 minutes to update the desktop.

Thankfully Firefox is still running up to speed.

I just started FSS from the desktop.......waiting....waiting....

JWT

  • Guest
Re: Win32:Evo-gen
« Reply #3 on: November 13, 2013, 10:19:36 PM »

Just got the same error message:

"The dependency service or group failed to start".

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32:Evo-gen
« Reply #4 on: November 13, 2013, 10:34:06 PM »
Don't run various tools when you do not know what purpose they serve.
You've probably screwed up the system by running a variety of tools (?) and not knowing what they are doing.

What OS do you run? Windows Vista, 7, 8? XP?
Is it a 32-bit or 64-bit system?

JWT

  • Guest
Re: Win32:Evo-gen
« Reply #5 on: November 14, 2013, 12:08:07 AM »
Windows 7 - 64-bit

As far as I know, none of the tools has run. All have had the same error message.

If I screwed something up, it won't be the first time I've had to fix my mistakes.

Cannot get a screenshot to download. Here is the path of some of the files:

C:\Users\John Taylor\AppData\Local\omatcplbl.exe
C:\Users\John Taylor\AppData\Local\mniuoiog.exe
C:\Users\John Taylor\AppData\Local\naoprtxr.exe
C:\Users\John Taylor\AppData\Local\Google\Install\...\000000cmb.@
C:\Users\John Taylor\AppData\Local\Google\Install\...\80000064.@
C:\Users\John Taylor\AppData\Local\Google\Install\...\80000000.@
C:\Users\John Taylor\AppData\Local\Google\Install\...\0000004.@
C:\Users\John Taylor\AppData\Local\Google\Install\...\80000032.@

There are 38 files in all.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32:Evo-gen
« Reply #6 on: November 14, 2013, 12:45:14 AM »
Ok, let's run FRST64 in the Windows Recovery Environment.

Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.
  • Plug the flash drive into the infected PC.
  • Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.
  • Follow the prompt to enter the keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.
  • In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
  • In the command window type notepad and press Enter.
  • When Notepad opens, click File and select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst64.exe and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.

JWT

  • Guest
Re: Win32:Evo-gen
« Reply #7 on: November 14, 2013, 02:26:32 AM »
Thanks Magna.

Here is the file.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32:Evo-gen
« Reply #8 on: November 14, 2013, 12:13:58 PM »
Hi,

The FRST log shows me that you have run ComboFix. Note for the future:
ComboFix is not a tool that is supposed to be used without expert oversight. sUBs, the creator of ComboFix, has gone to great lengths to let people know this, including a clear and succinct message which is displayed every time that ComboFix is run.

Open Notepad.
  • Click Start.
  • Type notepad.exe in the search programs and files box and press Enter.
  • A blank Notepad page should open.
  • Copy/paste the contents of the code box below into Notepad.
Code:
Start
HKU\John Taylor\...\Run: [dhoaxjug] - C:\Users\John Taylor\AppData\Local\skqrlmcs.exe [92160 2013-11-13] ()
HKU\John Taylor\...\Run: [Google Update] - [x]
HKU\John Taylor\...\Run: [AS2014] - C:\ProgramData\dasrnsa3\dasrnsa3.exe [569344 2013-11-13] ()
S2 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [244960 2011-10-25] ()
C:\Users\John Taylor\AppData\Local\skqrlmcs.exe
C:\ProgramData\dasrnsa3\dasrnsa3.exe
C:\Program Files (x86)\StartNow Toolbar
2013-11-13 16:50 - 2013-11-13 16:50 - 00301568 _____ C:\Users\John Taylor\AppData\Local\bilbdqqs.exe
2013-11-13 16:50 - 2013-11-13 16:50 - 00001666 _____ C:\Users\John Taylor\Desktop\Antivirus Security Pro.lnk
2013-11-13 16:50 - 2013-11-13 16:50 - 00000118 _____ C:\Users\John Taylor\Desktop\Antivirus Security Pro support.url
2013-11-13 16:49 - 2013-11-13 16:50 - 00000000 ____D C:\ProgramData\dasrnsa3
2013-11-13 16:49 - 2013-11-13 16:49 - 00569344 _____ C:\Users\John Taylor\AppData\Local\tqickgrx.exe
013-11-13 10:52 - 2013-11-13 10:52 - 00287232 _____ C:\Users\John Taylor\AppData\Local\viivlkcg.exe
2013-11-13 09:40 - 2013-11-13 09:40 - 00287232 _____ C:\Users\John Taylor\AppData\Local\rqpnnqpf.exe
2013-11-13 09:39 - 2013-11-13 09:39 - 00067958 _____ C:\Users\John Taylor\AppData\Local\xpqakiui
2013-11-13 09:38 - 2013-11-13 09:38 - 00000000 _____ C:\Users\John Taylor\AppData\Roaming\SharedSettings.ccs
2013-11-13 09:13 - 2013-11-13 09:13 - 00092160 _____ C:\Users\John Taylor\AppData\Local\skqrlmcs.exe
C:\Users\John Taylor\AppData\Local\Google\Desktop\Install
C:\Users\John Taylor\AppData\Local\Temp\FNP_ACT_InstallerCA.dll
C:\Users\John Taylor\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\John Taylor\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\John Taylor\AppData\Local\Temp\msimg32.dll
End
  • Save it to your USB flash drive as fixlist.txt.
>>  Boot into the Recovery Environment.

Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt.
  • When finished, it will produce a log, fixlog.txt, on your USB flash drive.
>>  Exit out of the Recovery Environment and post me the log please.

-----------------------------------------------
THEN...

Try to run FRST in normal mode. Just press the Scan button and post me a fresh FRST.txt log report.
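A triage helper for FRST-style listings like the fixlist above, added here as an example; it is not the thread's code and not part of FRST. It parses the two line shapes shown (Run-key entries and the dated file listing) and flags the indicators the helper acted on: random eight-letter executables under AppData, autostarts pointing into user-writable paths, and the rogue "Antivirus Security Pro" artifacts. The sample lines are constructed from the fixlist, with a benign firefox.exe line added as a control.

```python
import re
# Constructed sample in the format of the FRST fixlist posted above; the paths are
# the ones the thread shows, the firefox.exe line is an added benign control.
SAMPLE_FRST = r"""
HKU\John Taylor\...\Run: [dhoaxjug] - C:\Users\John Taylor\AppData\Local\skqrlmcs.exe [92160 2013-11-13] ()
HKU\John Taylor\...\Run: [Google Update] - [x]
HKU\John Taylor\...\Run: [AS2014] - C:\ProgramData\dasrnsa3\dasrnsa3.exe [569344 2013-11-13] ()
2013-11-13 16:50 - 2013-11-13 16:50 - 00301568 _____ C:\Users\John Taylor\AppData\Local\bilbdqqs.exe
2013-11-13 16:50 - 2013-11-13 16:50 - 00001666 _____ C:\Users\John Taylor\Desktop\Antivirus Security Pro.lnk
2013-11-13 09:38 - 2013-11-13 09:38 - 00000000 _____ C:\Users\John Taylor\AppData\Roaming\SharedSettings.ccs
2013-10-01 12:00 - 2013-10-01 12:00 - 00123456 _____ C:\Program Files\Mozilla Firefox\firefox.exe
"""

# "HKU\...\Run: [name] - target [size date] ()" and "created - modified - size attrs path"
RUN_RE = re.compile(r"^HK(?:U|LM)\\.*\\Run: \[(?P<name>[^\]]*)\] - (?P<rest>.*)$")
TARGET_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)(?: \[\d+ \d{4}-\d{2}-\d{2}\])?(?: \(.*\))?$")
FILE_RE = re.compile(r"^(?P<created>\d{4}-\d{2}-\d{2}) \d\d:\d\d - \d{4}-\d{2}-\d{2} \d\d:\d\d - "
                     r"\d{8} [_A-Z]{5} (?P<path>.+)$")

USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\", "\\desktop\\")
RANDOM_STEM = re.compile(r"^[a-z]{8}$")     # skqrlmcs, bilbdqqs, tqickgrx ... in the thread
ROGUE_NAMES = ("antivirus security pro",)   # the rogue AV named in the fixlist

def random_named_exe(path):
    # eight lowercase letters plus .exe: the naming pattern of every dropped binary here
    stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
    return ext.lower() == "exe" and bool(RANDOM_STEM.match(stem))

def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def triage(frst_text, incident_day):
    """Return (reason, path) pairs; incident_day is an ISO date string such as '2013-11-13'."""
    findings = []
    for line in frst_text.strip().splitlines():
        if run := RUN_RE.match(line):
            target = TARGET_RE.match(run["rest"])
            if target is None:                   # FRST writes [x] when the target file is gone
                findings.append(("autostart with missing target", run["name"]))
            elif in_user_writable(target["path"]) or random_named_exe(target["path"]):
                findings.append(("autostart from user-writable path", target["path"]))
        elif entry := FILE_RE.match(line):
            path = entry["path"]
            if any(name in path.lower() for name in ROGUE_NAMES):
                findings.append(("rogue AV artifact", path))
            elif random_named_exe(path):
                findings.append(("random-named exe", path))
            elif entry["created"] == incident_day and in_user_writable(path):
                findings.append(("created on incident day in user-writable path", path))
    return findings
```

Running `triage(SAMPLE_FRST, "2013-11-13")` flags six of the seven sample lines and leaves the firefox.exe control alone.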


JWT

  • Guest
Re: Win32:Evo-gen
« Reply #9 on: November 14, 2013, 04:17:56 PM »
Hi,

I saw it in the log. When I tried to run ComboFix, what looked to be a command prompt window appeared but it stayed blank, so I closed it. ComboFix may have run, but the computer was already running so slow that I may have shut it down before the warning window appeared.

Here is the Fixlog.

John

JWT

  • Guest
Re: Win32:Evo-gen
« Reply #10 on: November 14, 2013, 05:14:27 PM »
I ran it again in Normal Mode; I forgot to enable Driver MD5. I hope that wasn't a mistake.

Here are the FRST file and the Addition files.

JWT

  • Guest
Re: Win32:Evo-gen
« Reply #11 on: November 14, 2013, 05:58:45 PM »
Here is a screenshot.

This is what Avast blocked in 3 hours. After that the computer was disconnected from the web.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Win32:Evo-gen
« Reply #12 on: November 14, 2013, 06:01:13 PM »
Can you make a new screenshot with the window only?

This is not even a bit readable.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

JWT

  • Guest
Re: Win32:Evo-gen
« Reply #13 on: November 14, 2013, 06:50:42 PM »
Here is the screenshot again.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Win32:Evo-gen
« Reply #14 on: November 14, 2013, 07:04:03 PM »
I think there is something in your Chrome or in your system.

Look at the .exe files at the top. And the KillAV one, not so good.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10