Win32:Evo-gen [susp] persisting

jaymeeraine
New Member · Thread author
Oct 18, 2013
I thought I was pretty slick when it came to keeping infections off my computer, but oh well.

As I said above, I've used the guide on this site in addition to a couple of other diagnostic and removal programs. They have found a couple of registry issues and tracking cookies that were removed, but no actual instances of the Win32:Evo-gen malware. However, at varying times throughout the day (sometimes twice a day, sometimes up to 5-6 times a day), avast! pops up with the same 4 notifications, all of them blocking instances of the malware from being "created or modified".

When I re-do the removal tutorial from this site right after doing it the first time, it comes back clean, but when I run it after the next time avast!'s notifications pop, some of the programs find the same registry issues all over again, even though they were properly quarantined and/or deleted before.

The only websites I use are Netflix, Google, Outlook, Facebook, and occasionally Twitter and DeviantArt.

It's always the same four files that come up as being infected, too (I think I tried deleting the entire folder they were in once, but no dice on stopping Win32:Evo-gen). I don't know if it makes a difference, but avast! says they are all in the SoftwareDistribution\Download section, and have the following names: 2 flashutil:activex.exe and 2 temp files named with a string of numbers and letters. The processes avast! lists for these warnings are under WinSxS, Windows servicing stack, TiWorker.exe (I don't know if any of these names matter or are useful).

I'm not sure what else to do. I don't know if the malware is actually on my machine, or something keeps trying to get it on there or regenerate it and so avast! is stopping it from regenerating over and over.

I should also mention that for the first 5-10 minutes after I reboot my PC, my Disk Usage jumps to 100% several times for no particular reason (even when I only have start-up programs open).

I have taken the steps from the tutorial both in safe mode and out of safe mode.
 

Attachments

  • OTL.Txt (131.2 KB)
  • Extras.Txt (100.9 KB)
  • aswMBR.txt (1.9 KB)

TwinHeadedEagle
Level 41 · Verified
Mar 8, 2013
Hello, my name is THE, and I'll be working with you :)

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
  • Like everyone, I have a private life, so be patient with me. Sometimes I will respond immediately, sometimes it will take a couple of hours.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe; the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

Because of this, I advise you to backup any personal files and folders before you start.


Question: Is Avast your only active protection? You mentioned MSE, and I saw parts of Norton. Having more than one antivirus installed is bad; it could slow your machine or make it unbootable.



Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
 

jaymeeraine
New Member · Thread author
Oct 18, 2013
Hello THE, thanks for your prompt response!

I do have Norton Anti-Theft (I forgot), but I don't have the full Norton Anti-virus software. Could you tell me what MSE stands for?

Here are the results from Farbar. Thanks again.
 

Attachments

  • FRST.txt (51.7 KB)
  • Addition.txt (30.3 KB)

TwinHeadedEagle
Level 41 · Verified
Mar 8, 2013
Please download GMER, an anti-rootkit tool, from the link below and save it to your Desktop:

Gmer download link
Note: the file will have a random name.

Double-click to run GMER.
  • Wait for the initial scan to finish - if there is any query, click No;
  • Click the Scan button and wait until the full scan is complete;
  • Click Save ... - save the report to the Desktop (named Gmer1);
  • Right-click anywhere in GMER's window and select Options > 3rd party - click the Scan button;
  • Please wait until the full scan is complete;
  • Click the Save ... button and save the report to the Desktop (named Gmer2);
    note: the scan for the Gmer2 log may take some time
  • Click the >>> and select the Autostart tab;
  • After the quick scan, click the Copy button;
  • Open Notepad and paste the text. Save the report to the Desktop (named Gmer3).
 

jaymeeraine
New Member · Thread author
Oct 18, 2013
When I double-click GMER from the desktop, it says: C:\Windows\system32\config\system: The process cannot access the file because it is being used by another process.

It does not automatically perform an initial scan after giving me this error. Should I continue with the subsequent scans anyway?
 

TwinHeadedEagle
Level 41 · Verified
Mar 8, 2013
No, we will try with another scan...

Download TDSSKiller from here
  • Double-click on TDSSKiller.exe to run the application
  • When TDSSKiller opens, click Change parameters, check the box next to Loaded modules. A reboot will be required.
  • After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  • Click Start scan.
  • If a suspicious object is detected, the default action will be Skip; click on Continue. (If it says TDL4/TDSS file system, select Delete)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log afterwards (usually in the C:\ folder, in the form TDSSKiller.[Version]_[Date]_[Time]_log.txt).
 

jaymeeraine
New Member · Thread author
Oct 18, 2013
Here are the results from TDSSKiller with the specified parameters (it detected no objects). I could not find the log file, so I clicked on 'Report' after the scan and copied the information into a Notepad document (attached). I hope that's okay.
 

Attachments

  • log.txt (417.7 KB)

TwinHeadedEagle
Level 41 · Verified
Mar 8, 2013
It seems that your computer is clean, but let's scan it with one more tool, to be sure...


Download ComboFix from one of the following locations:

COMBOFIX DOWNLOAD LINK #1 (This link will automatically download ComboFix on your computer)
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download ComboFix on your computer)
----------------------------------------------------------------
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
-----------------------------------------------------------------

How to run the ComboFix scan:
  1. Double-click on ComboFix.exe & follow the prompts.
  2. Accept the disclaimer and allow it to update if it asks.
  3. When finished, it shall produce a log for you.
     Please include the C:\ComboFix.txt in your next reply.

Additional notes:
  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programs being marked for deletion, then reboot; that will cure it.

 

jaymeeraine
New Member · Thread author
Oct 18, 2013
Here is the log!

Right before I saw your latest message, avast! gave me the 4 alerts of having blocked Win32:Evo-gen :( I hope ComboFix got rid of it!
 

Attachments

  • ComboFix.txt (30.5 KB)

TwinHeadedEagle
Level 41 · Verified
Mar 8, 2013
That folder is related to Emsisoft Emergency Kit (but I couldn't figure out what "eek" stands for).

I didn't find malware on your system; it's clean.

The Avast alerts are a False Positive detection.

Tell me, is Avast updated to the latest 2014 version?
 

jaymeeraine
New Member · Thread author
Oct 18, 2013
Oh, that's a relief!!

I had Avast 2013. I just updated it to 2014. Hopefully I will not get any more alerts! I will watch to see if any more instances of Win32:Evo-gen warnings pop up today.

Thank you!
 

TwinHeadedEagle
Level 41 · Verified
Mar 8, 2013
The 2014 version has had a lot of FPs in the few days since it was released; a lot of people complain about it, so you don't have to worry, it will probably be fixed. If you want further information, go to the Avast forums and ask around...

Ok, we're done here, let's clear the tools :)


Please download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes below;
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on the "Run" button. Wait for the program to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

> I don't need the DelFix log report.



Uninstall Java 21, which is outdated, and update Adobe Reader to the latest XI version.

Stay safe :)
 
