Threat Win32: Evo-gen [Susp] (not the same as other thread)

Hi there.

Just to confirm, I am not the same user as from the other topic here with the same title. I thought maybe he was having the same trouble as me, but it seems an update did not fix the problem.

I first noticed the problem today when I first started up. When the desktop was loading, and Avast began, it popped up with a threat detected. I didn’t quite catch what it said the first time, but it had DEAMON in the name. Avast said it blocked it, but it's still doing it on each startup; the last one says
Object: C:\WINDOWS\System32\winlogon.exe
Infection: Win32: Evo-gen [Susp]
Process: C:\WINDOWS\System32\igfxsrvc.exe

When I run a virus scan, it detects 3 infected names, each at a medium level. These are
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe
and another
C:\WINDOWS\explorer.exe

Each status is Threat Win32: Evo-gen [Susp]

If I click repair or move to chest, I just get a red result of “Error: The process cannot access the file because it's being used by another process (32)”

I have booted into safe-mode. Run RKill, Avast, and Malwarebytes Anti-Malware…

Everything on my Avast is green, and up to date. Like I said, the other topic mentioned just updating the definitions etc… I did just that, and it’s still showing the same results.

Any help would be greatly appreciated.

Hi maniax1075,

please follow instructions written here: http://forum.avast.com/index.php?topic=53253.0. I doubt this detection is a false positive. All the files you see flagged as malicious are important Windows files so if there was a false positive it would certainly be known by now.

Once you attach the logs here I’m sure some of the seasoned malware removal experts will help you (thanks guys! :wink: ). If it indeed proves to be a false positive I will update the detection.

Good luck,
Peter

Monitoring

I am also getting these notices ref Threat Win32:Evo-gen [Susp] for

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe
as well as for aolupdates.exe and other update.exe programs for programs I have used for years.
Each status is Threat Win32: Evo-gen [Susp]

When the detection box comes up from Avast only way to get the notice to go away is to select Block. This only works until the next time these files are scanned by Avast.
When checking the log there is a red X, then the error “The specified file is read only (6009)”.
I have checked each file with Malwarebytes Anti-Malware and SUPERAntiSpyware, as well as having run a complete scan with Malwarebytes, and no virus infections were reported.
My Avast virus definitions version is 120316-0 downloaded at 12:58pm cst.

I have used Avast for over a year and only on 3/15/12 did this problem begin. I have not downloaded any new programs for over a month.

Any help would be appreciated

Have you altered any system files by using a theme / docking programme ?

As my Avast is not reporting this

I have not downloaded any new programs for over a month
Not that you are aware of

Run an OTL and aswMBR scan please and we will see what they tell us

Was unable to open OTL program. It would say it encountered a problem and had to close. I was able to run the other program and have attached the info. Have not altered any systems files in any way that I’m aware of

aswMBR is also calling the two system files as infected

The failure of OTL to run is also suspicious

When you download combofix please rename it to winlogon

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • Allow the installation of the recovery console

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

I am no longer getting a winlogon virus detection and atm I haven’t gotten an explorer.exe virus notice though from the log report I’m not sure if the explorer.exe was repaired.
Attaching the combo-fix log.
I appreciate your assistance!

Ok. Well the first step was Malwarebytes… I already have that program, and it is not detecting any malware.

step 2.
log files have been attached.

step 3:
log has been attached.

step 4… I don't have internet issues, so I don't think that step is necessary, and I can see the start menu etc…

crosses fingers someone can help :slight_smile:

@Lacybri

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected. Restored copy from c:\windows\ServicePackFiles\i386\winlogon.exe. c:\windows\explorer.exe . . . is infected!!
I will now need to replace explorer.
  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
FCopy:: c:\windows\ServicePackFiles\i386\explorer.exe|c:\windows\explorer.exe
Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

@maniax1075 http://forum.avast.com/index.php?topic=95712.new#new
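Added example (not from this thread, ComboFix or Avast): a small Python check that does what the FCopy step above relies on, comparing the live copy of a system binary with its pristine ServicePackFiles copy by SHA-256 hash. The tree below is a constructed temporary directory standing in for C:\WINDOWS, and the byte contents are made-up stand-ins for PE images.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so a large system binary need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def compare_against_backup(pairs):
    """For each (live, backup) path pair return (live, status), where status is
    'match', 'mismatch', 'missing_live' or 'missing_backup'. A mismatch is only a
    lead: hotfixes also replace system binaries, so confirm against a known-good
    hash or the file's signature before treating it as tampering."""
    results = []
    for live, backup in pairs:
        if not os.path.isfile(live):
            results.append((live, "missing_live"))
        elif not os.path.isfile(backup):
            results.append((live, "missing_backup"))
        elif sha256_of(live) == sha256_of(backup):
            results.append((live, "match"))
        else:
            results.append((live, "mismatch"))
    return results

def demo():
    """Constructed sample tree (assumption, not a real Windows install): winlogon.exe
    has been patched in place, explorer.exe still matches its ServicePackFiles copy."""
    root = tempfile.mkdtemp()
    pristine = b"MZ-constructed-clean-image"
    layout = {
        "system32/winlogon.exe": pristine + b"-patched",  # tampered live copy
        "ServicePackFiles/i386/winlogon.exe": pristine,
        "explorer.exe": pristine,
        "ServicePackFiles/i386/explorer.exe": pristine,
    }
    for rel, data in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    pairs = [(os.path.join(root, *live.split("/")), os.path.join(root, *bak.split("/")))
             for live, bak in [("system32/winlogon.exe", "ServicePackFiles/i386/winlogon.exe"),
                               ("explorer.exe", "ServicePackFiles/i386/explorer.exe")]]
    return {os.path.basename(live): status for live, status in compare_against_backup(pairs)}
```

On a real XP SP3 box the pairs would be C:\WINDOWS\explorer.exe and C:\WINDOWS\system32\winlogon.exe against their copies under C:\WINDOWS\ServicePackFiles\i386, run from a clean environment such as a rescue disk since the live files are locked while Windows is running.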

Ok, I followed all those steps. But it still has not fixed the problem. … tho, once the log file showed up, I went to restart the computer, but it just kept showing the hour glass… after 10 mins I gave up and just hit the restart button on the computer itself. Would that affect the changes?

@maniax1075
you're supposed to reply and attach logs in the new topic Essexboy made for you…
helping multiple users in the same topic will be chaotic… that's why he started a new one

I will reply in the other thread - please post there

Thank you so very much for your help. I have attached the latest log after running combofix with the explorer you supplied. So far Avast has not notified me of any further Win32:Evo-gen virus alerts. Hopefully the problem is fixed but will await your reply after you’ve read the log

I just realized I had sent the original log by mistake. Am sending the NEW log, log1.text. in my followup message. Sorry for the mistake. I’m new at this.

Sorry I may have resent the first log instead of the new one

That looks good, any further problems outstanding before I remove my tools ?

No further problems! Thank you so much for your assistance and expertise! You really were a fantastic help! Best wishes!!

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [emptytemp] [CLEARALLRESTOREPOINTS] [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
(Notice the space between the “x” and “/”)
then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? Keep safe :wave:

OTL still will not work. I get a message 'OTL has encountered a problem and needs to close.'
Ran the ComboFix /Uninstall program
Checked that Do not show hidden files and folders was selected and verified the same
Updated Java
Already have Malwarebytes and it is updated
I use ZoneAlarm and keep it updated
Of course I have Avast Free anti-virus and keep it updated- thank goodness :slight_smile: that was how I learned I was infected
I have microsoft windows updates on automatic update
Downloaded FileHippo update checker

The only thing I have noticed is that when I turn computer off or go to reboot it takes a good 3 minutes or more before computer turns off (Windows XP SP3). This seemed to have suddenly happened after first discovering I had the win32: Evo-gen virus. Not sure if this might be related or if this was coincidence. That seems to be the only unusual thing now.

Will let run for 24hrs and come back if I notice anything else.

Again, thank you so very much for all of your help, assistance and suggestions
BIG BIG SMILE