system
1
So, the virus file update (130927-2, it could have been an earlier update, as I didn’t have internet for a couple of days) may have caused a problem. It has now decided to go after the Microsoft.NET Framework and flag its DLLs as viruses (more specifically, Win32:Evo-Gen [Susp]) when MBAM and SuperAnti-Spyware say they’re fine. I’m gonna be sending a password-covered rar file with the DLLs in an email soon. Hopefully, it’ll get to you guys so that way you can fix it.
DavidR
2
What scan are you running that detects these ?
The [Susp] suffix after the name is suspicious, so I don’t know if that is saying they are infected, but suspicious.
What is the location for these detections ?
I have .net in various versions on both my systems and haven’t seen any detections so far, but I don’t do lots of on-demand scans (which are depreciated in a resident on-access antivirus). I do a weekly scheduled Quick scan on default settings.
I have just run a Quick scan (on my XP Pro system) whilst replying to this topic and no detections, I have virus definitions version 130928-0. If you ensure you have the latest virus definitions version try a scan again.
system
3
Location is in the Temp file, and I wasn’t running any scans. The File Shield was blocking them, and this was with the definitions from yesterday. I hope that today’s updates fixed that.
DavidR
4
Being in the Temp folder (for a dll file) would be something considered suspicious to start with as it is also trying to modify system settings and that has probably cumulated in the alert/block.
I take it that this was around the time of a windows update, which included .net ?
system
5
Yeah. I ended up reverting back to the day before, and then avast went ballistic and deleted the DLLs yet again, so I set up an exclusion.
EDIT: I thought that today’s update fixed the problem, but when I removed the exclusion, avast went berserk yet again.
ANOTHER EDIT: All of the DLLs targeted belong to the screenshot program Screenpresso (which I use to take screenshots while I’m playing games on my PC). Should I upload the stuff from Screenpresso?
AND ONE MORE EDIT: I didn’t update the .NET framework yesterday.
DavidR
6
My thinking on the windows update was related to the files being in the temp folder as happens on some updates, whilst files are unpacked and replace the originals. But this doesn’t appear to be the case.
I think it is just the way this program utilises .net; I would have though it would run the .net dlls from their own folder location and not from the temp folder. For me running dlls, executable files from a temp location is a little suspicious. That said avast does that when checking for the presence an emergency update.
I would have thought that true .net dlls are digitally signed and that would probably prevent an alert. I don’t think sending the screepresso stuff to avast, but the dlls created in the temp folder should be sent from the virus chest (if you have the files shield set to send to chest).
Unfortunately I have zero experience of this screenpresso application (I’m not a gamer), so I have no idea how it utilises .net.
system
7
Screenpresso is a screenshot utility.
Also, Avast isolated a lot of the DLLs, so I figured I should send them all the ones it isolated in.
system
9
The OS is Windows 7 Home Premium 64-Bit, .NET framework is version 4, and the reason why I said it was related to the .NET framework was because the alert pop-up referred to csc.exe in the microsoft.NET framework.
Also, the reason why I use a screenshot utility is because sometimes I have to take a few screenshots in short succession, and the method you described doesn’t really cut it.
EDIT: I uninstalled, the reinstalled Screenpresso, and it seems to have done the trick. I’ll let you guys know if it happens again.