Win32:Evo-gen alert many times

Hi! About three weeks ago I started to get alerts about “Win32:Evo-gen” when Windows 7 starts, from both the web shield and the file shield. It has happened at random times, not on every boot. Here are some more details, and the needed logs are also attached:

Webshield:

17.10.2014 14:44:58 httx://depotsdament.in/1.exe [L] Win32:Evo-gen [Susp] (0)

21.10.2014 22:27:18 httx://storagent.info/v2729/lp/?q=kau2F1Fz75zyKEG%2BxziXZNZ2aXg19SHm70ogaixKLksxxp%2BrZjMifLNOIObdcLEIDxzY5HWCO5eI6BNPvmZzwDJs3Q3V194aqkZuVnU3VaSRe3eQCSX17gIfhpwytyTEz1WdLrOIYbqG6jMQxINLTwIb4kp0qp%2FdHioorvwtN49Unv66OgVSdjK32ZMZ9KQRIvZt%2FjYkv3BgPsiodDaIl0%2B [L] Win32:Evo-gen [Susp] (0)

28.10.2014 17:38:57 httx://depotistsr.in/cc.exe [L] Win32:Evo-gen [Susp] (0)

Fileshield:

17.10.2014 14:44:59 C:\Windows\TEMP\setE85B.tmp.exe [L] Win32:Evo-gen [Susp] (0)

21.10.2014 22:27:18 C:\Users\Ghost\AppData\Local\Temp\5DE8.tmp [L] Win32:Evo-gen [Susp] (0)

28.10.2014 17:38:58 C:\Windows\TEMP\setCDAA.tmp.exe [L] Win32:Evo-gen [Susp] (0)
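To make the link between the two shield reports above visible (each blocked download is followed within a second by a file alert on a file in a Temp folder), here is an added Python example that is not part of the original post or of Avast: it parses the quoted alert lines and pairs web-shield and file-shield entries by timestamp. The line regex, the 5-second window and the Temp-path markers are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Input taken verbatim from the shield log excerpts quoted above (URLs kept defanged).
WEBSHIELD_LOG = """
17.10.2014 14:44:58 httx://depotsdament.in/1.exe [L] Win32:Evo-gen [Susp] (0)
28.10.2014 17:38:57 httx://depotistsr.in/cc.exe [L] Win32:Evo-gen [Susp] (0)
"""
FILESHIELD_LOG = r"""
17.10.2014 14:44:59 C:\Windows\TEMP\setE85B.tmp.exe [L] Win32:Evo-gen [Susp] (0)
21.10.2014 22:27:18 C:\Users\Ghost\AppData\Local\Temp\5DE8.tmp [L] Win32:Evo-gen [Susp] (0)
28.10.2014 17:38:58 C:\Windows\TEMP\setCDAA.tmp.exe [L] Win32:Evo-gen [Susp] (0)
"""

# Assumed line layout: "<dd.mm.yyyy> <hh:mm:ss> <url or path> [L] <detection> [<flag>] (<code>)"
ALERT_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<object>.+?) \[L\] (?P<detection>\S+) \[(?P<flag>\w+)\] \((?P<code>\d+)\)$"
)

# Assumed markers for the Temp locations seen in the file-shield entries.
TEMP_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")


def parse_alerts(text):
    """Turn shield log lines into dicts with a datetime, the object and the detection."""
    alerts = []
    for line in text.strip().splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the alert layout
        ts = datetime.strptime(m["date"] + " " + m["time"], "%d.%m.%Y %H:%M:%S")
        alerts.append({"ts": ts, "object": m["object"], "detection": m["detection"]})
    return alerts


def is_temp_drop(path):
    """True when the flagged file sits in one of the Temp folders."""
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def correlate(web_alerts, file_alerts, window_seconds=5):
    """Pair each blocked download with a file alert raised within the time window."""
    window = timedelta(seconds=window_seconds)
    pairs = []
    for w in web_alerts:
        for f in file_alerts:
            if abs(f["ts"] - w["ts"]) <= window:
                pairs.append({"when": w["ts"], "url": w["object"],
                              "dropped": f["object"], "temp_drop": is_temp_drop(f["object"])})
    return pairs


if __name__ == "__main__":
    for p in correlate(parse_alerts(WEBSHIELD_LOG), parse_alerts(FILESHIELD_LOG)):
        print(p["when"], p["url"], "->", p["dropped"], "(Temp)" if p["temp_drop"] else "")
```

A file-shield hit with no web-shield partner (here the 21.10 entry) is the kind of drop worth checking in quarantine, since nothing explains where it came from.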

Clear your temp folders with this:

TFC cleaner http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

Clear your browsers with this: AdwCleaner http://www.bleepingcomputer.com/download/adwcleaner/ and attach the log.

When done, run FRST again and attach a fresh log.

The log experts will be online later today and analyze it…

Here is AdwCleaner log.

And here are the fresh FRST logs.

up

Could you let me know if this stops the alerts?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-2276675278-53350996-1433419833-1000\...\Winlogon: [Shell] C:\Windows\expstart.exe [925184 2014-10-12] () <==== ATTENTION
HKU\S-1-5-18\...\Run: [Copy] => "C:\Users\Ghost\AppData\Roaming\Copy\CopyAgent.exe"
ShellIconOverlayIdentifiers: [1aCopyShExtError] -> {83BEA36E-7680-4598-A4DF-994426F6E78D} => No File
ShellIconOverlayIdentifiers: [2aCopyShExtSynced] -> {845B7388-6F85-4F32-9FD5-F02DC7882B89} => No File
ShellIconOverlayIdentifiers: [3aCopyShExtSyncing] -> {F6378A7A-F753-449B-AE1B-997A96132E61} => No File
ShellIconOverlayIdentifiers: [4aCopyShExtSyncingProg1] -> {3A511828-777D-46F8-82F4-5B530C1B3D9E} => No File
ShellIconOverlayIdentifiers: [5aCopyShExtSyncingProg2] -> {C8C88204-5B14-40EC-BA72-8AEBC762047E} => No File
ShellIconOverlayIdentifiers: [6aCopyShExtSyncingProg3] -> {ACFF45C3-3EEB-4351-86C2-6696BA264239} => No File
ShellIconOverlayIdentifiers: [7aCopyShExtSyncingProg4] -> {29AF997F-488B-46F0-AE78-7146F1B89CC3} => No File
ShellIconOverlayIdentifiers: [8aCopyShExtSyncingProg5] -> {03F9AD29-1C78-4B66-8890-B177B5430C53} => No File
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post it.

Did that. Here is the fixlog.

Are you still getting the alerts on restart?

Haven’t got any today after running the fixes, but didn’t get any before running them today either. Actually, what confuses me is that when they started to appear about 3 weeks ago, the alerts came randomly. I mean they don’t come with every boot or every day, but about once a week on different days, like the reports I posted in my first post show. After they appeared I did Temp cleaning with CCleaner, but after some time they come again with the same kind of files located in Temp under another name, coming from different domains. I still have two recent infected files in Quarantine if that helps.

Could you monitor, and if it reappears could you run a fresh FRST scan so that I can run a comparison?

Yes I can. I’ll be in touch if that happens again.

Today the alerts appeared again. I discovered that they are caused by Updater.exe of Popcorn Time. I uninstalled Popcorn Time and ran TFC and FRST. I don’t think it’s a false positive, because it seems that the Updater.exe of Popcorn Time is really trying to download those random .exes from suspicious websites and trying to drop them into the Temp folder. There seems to be a similar situation here: http://www.reddit.com/r/PopCornTime/comments/2kjivd/updaterexe_setting_off_avast_alerts/. I also attached the fresh FRST logs.

Copied from the web shield report:

30.10.2014 19:25:39 httx://groupsetzipmyjob.net/vc.exe [L] Win32:Evo-gen [Susp] (0)

Intriguing, that. As Popcorn Time was a legitimate programme I did not go much deeper into it. Have the alerts ceased since you removed it?

At least not during the last reboot. Strange thing anyway. I think I’m gonna make a reclamation to the Popcorn Time developers. Big thanks for helping, and if the alerts reappear I’ll be in touch again.

I think I will download it and test it out :)

As soon as you are happy, let me know and I will tidy up.