Author Topic: Threat: Win32 Evo-Gen [Susp] in temp folder  (Read 7459 times)


REDACTED

  • Guest
Threat: Win32 Evo-Gen [Susp] in temp folder
« on: April 20, 2015, 12:44:42 PM »
A friend went on my laptop and went to a site that I felt was a bit dodgy. I told them to close it and I did a full scan with Avast Free and it brought up about 5 different Win32 Evo-Gen files in my C:\Windows\Temp folder, all with a name starting with 'WAX' (e.g. WAXA3AC.tmp).

Avast quarantined them and I got a bit paranoid and tried a load of scanners such as MBAM, Stinger, Emsisoft & Hitman.
After doing these for a day or two, I felt that my laptop was fine, but saw an offer for Avast Internet Security, so I bought that...

So, everything seemed fine, but I did a full scan this morning just to make sure and it finds another 'WAX' file in my temp folder (WAXA3AC.tmp).

Is this likely to be a false positive temp file or is there something wrong?
Any help is greatly appreciated, I am just getting myself a little worried that my new laptop might have a virus already....

Avast Screenshot:
https://dl.dropboxusercontent.com/u/105134666/Screenshot%202015-04-20%2011.32.35.png


Thanks
Sam

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: Threat: Win32 Evo-Gen [Susp] in temp folder
« Reply #1 on: April 20, 2015, 12:46:37 PM »
Hello,


Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
My help is free, however if you'd like to show your appreciation by leaving a donation, it will be much appreciated ------> DONATE

REDACTED

Re: Threat: Win32 Evo-Gen [Susp] in temp folder
« Reply #2 on: April 20, 2015, 12:59:52 PM »
Thanks for the quick reply  :)

https://dl.dropboxusercontent.com/u/105134666/Addition.txt
https://dl.dropboxusercontent.com/u/105134666/FRST.txt

I still have Avast open in that window in my screenshot, shall I just send it to quarantine as it asks?

Thanks
Sam

Offline TwinHeadedEagle
Re: Threat: Win32 Evo-Gen [Susp] in temp folder
« Reply #3 on: April 20, 2015, 01:07:40 PM »
You can quarantine it.


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.



Download Malwarebytes Anti-Rootkit to your desktop.
  • Double-click the icon to start the tool.
  • It will ask you where to extract it, then it will start.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"

REDACTED

Re: Threat: Win32 Evo-Gen [Susp] in temp folder
« Reply #4 on: April 20, 2015, 01:48:40 PM »
Great, thank you very much  :D

https://dl.dropboxusercontent.com/u/105134666/Fixlog.txt

Mbar Log:
Malwarebytes Anti-Rootkit BETA 1.09.1.1004
www.malwarebytes.org

Database version:
  main:    v2015.04.20.01
  rootkit: v2015.03.31.01

Windows 8.1 x64 NTFS
Internet Explorer 11.0.9600.17728
Sam :: SAMMY-LAPTOP [administrator]

20/04/2015 12:33:12 PM
mbar-log-2015-04-20 (12-33-12).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 349607
Time elapsed: 10 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

REDACTED

Re: Threat: Win32 Evo-Gen [Susp] in temp folder
« Reply #5 on: April 20, 2015, 01:50:00 PM »
The system log is too long for a reply, so here is a link to the txt:
https://dl.dropboxusercontent.com/u/105134666/system-log.txt

Offline TwinHeadedEagle
Re: Threat: Win32 Evo-Gen [Susp] in temp folder
« Reply #6 on: April 20, 2015, 01:53:54 PM »
Very good. Tell me how your PC is behaving now; the logs look good.

REDACTED

Re: Threat: Win32 Evo-Gen [Susp] in temp folder
« Reply #7 on: April 20, 2015, 02:00:05 PM »
The system appears to be fine, but it was a little weird on the restart after FRST. When it came to logging back into Windows, it got stuck on my login page after entering the details. I had to manually shut off the laptop and start again, but it worked after that...

Everything was a little slow to load at first, I imagine due to all of the temp folders and such being gone, but nothing unusual now except of course some preferences being missing, like things pinned to the Explorer icon on the task bar...

Is it common to get false positives like this in the temp folder or do you think this was actually a virus that has just been taken care of?

I only ask as I'm worried it will come up in another full scan and I won't know if it's a recurring problem or just normal....  :P

Thank you so much!
Sam

Offline TwinHeadedEagle
Re: Threat: Win32 Evo-Gen [Susp] in temp folder
« Reply #8 on: April 20, 2015, 02:02:51 PM »
Yes, everything in the temp folder is kinda suspicious; it is not the place for something to work from. This folder is only used for temporary jobs, not for something to run from.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
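
The point made above, that the Windows temp folder is a place for scratch files and not for anything to run from, is what a defender checks first when a scanner flags a `.tmp` file: is the file actually an executable, and what is its hash? The following Python script is an added example, not code from this thread, from Avast, or from any of the tools named above. It assumes a directory path to triage; the sample directory it builds (file names, contents, and a minimal MZ/PE header) is constructed here for illustration, and the `WAX` prefix is taken from the file names in the original post.

```python
"""Triage a temp directory: report files that match a suspicious name
pattern or that carry a PE (Windows executable) header, with SHA-256 hashes
so the values can be looked up against a reputation source.

Added example for this thread; the sample directory is constructed inline.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed minimal PE image: "MZ" DOS stub whose e_lfanew field (offset 0x3C)
# points at a "PE\0\0" signature at offset 0x40. Not a real program.
PE_SAMPLE = (
    b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little")
    + b"PE\0\0" + b"\0" * 16
)


def is_pe(path):
    """True if the file starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
        fh.seek(e_lfanew)            # past EOF simply reads b"" -> not a PE
        return fh.read(4) == b"PE\0\0"


def sha256_of(path):
    """Hex SHA-256 of the file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(directory, prefix="WAX", suffix=".tmp"):
    """Return a list of findings (dicts) for files worth a closer look.

    A file is reported when its name matches the prefix/suffix pattern the
    scanner flagged, or when it is a PE executable regardless of its name
    (a .tmp or .bin file that is really an executable is the interesting case).
    """
    findings = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        name = path.name
        pattern_hit = name.upper().startswith(prefix) and name.lower().endswith(suffix)
        pe_hit = is_pe(path)
        if pattern_hit or pe_hit:
            reasons = []
            if pattern_hit:
                reasons.append("name matches %s*%s" % (prefix, suffix))
            if pe_hit:
                reasons.append("PE executable header")
            findings.append({
                "name": name,
                "size": path.stat().st_size,
                "sha256": sha256_of(path),
                "is_pe": pe_hit,
                "reasons": reasons,
            })
    return findings


def build_sample_dir():
    """Create a constructed temp directory with benign and suspicious files."""
    sample = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    (sample / "WAXA3AC.tmp").write_bytes(PE_SAMPLE)        # flagged name AND executable
    (sample / "WAXB1.tmp").write_bytes(b"scratch data\n")   # flagged name, plain data
    (sample / "harmless.txt").write_bytes(b"just a log\n")  # nothing suspicious
    (sample / "setup_cache.bin").write_bytes(PE_SAMPLE)     # innocuous name, executable
    return str(sample)


if __name__ == "__main__":
    for item in triage(build_sample_dir()):
        print("%-16s %6d bytes  pe=%-5s  %s  [%s]" % (
            item["name"], item["size"], item["is_pe"],
            item["sha256"][:16], "; ".join(item["reasons"])))
```

Run it against a real folder with `triage(r"C:\Windows\Temp")`; a `.tmp` file that the header check reports as a PE is the one to treat as a real detection rather than a false positive, and its SHA-256 is the value to look up or share with the helper rather than the file itself. Files that only match the name pattern but are plain data are the likely false-positive case.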

REDACTED

Re: Threat: Win32 Evo-Gen [Susp] in temp folder
« Reply #9 on: April 20, 2015, 02:06:55 PM »
Great, I assume my pc is safe to use properly again now? :D

Thank you so much again!  ;D
Sam