Win32:Evo-gen (Susp) avast detecting in windows drivers and system restore?

Viruses and worms
1

Today i am getting avast free version 8 latest detecting Win32:Evo-gen (Susp)?,now in virus chest firstly detected in system32 drivers now in system volume restore which is weird because it says last changed 2005?,i have reformatted my pc after this date xp home,any ideas help on this?.

2

Well it would have been saved as a restore point on deletion/modification/moved, etc. that would account for the detection in the system volume information folder.

More important though what was the file name ?

What scan were you running when this was detected ?
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to Open the chest and right click on the file and select ‘Extract’ it to a temporary (not original) location first, see below.

Create a folder called Suspect in the [b]C:[/b] drive. Now exclude that folder in the File System Shield, Settings, Exclusions, Add, type (or copy and paste) C:\Suspect*
That will stop the File System Shield scanning any file you put in that folder.

3

Thanks David for the reply!,

The files are:-
DETECTED ON 07/04/2013 in LOCAL SETTINGS…INFECTED FILES:Win32:Evo-Gen (Susp)…Size File:839680
VS319109.000
VS319109.028

I DO NOT HAVE CLUE WHAT THESE ABOVE ARE?

DETECTED TODAY 11/04/2013

Original File Name:UBSBM.sys ORIGINAL fOLDER:C/Windows/system32/drivers INFECTED FILE:no virus

I cannot restore this file it is GREYED OUT?.

Googled this and this is what i found:-
Ubsbm.sys with description ubCore® Serial Bus Manager (x86 XP/2003/Vista/7 Rel) is a driver file from company Unibrain belonging to product ubCore® Serial Bus Manager.
The file is digitally signed from Microsoft Windows Hardware Compatibility Publisher - Microsoft Time-Stamp Service

4

The two in local settings look a little suspect and I rather suspect that this was in the temp sub folder of local settings folder. There are no hits on a search for that file name (excluding the file type), which could mean they are randomly generated and suspect.

The UBSBM.sys is now being reported as no virus, have you scanned this within the virus chest ?
I suspect that this file is still or back in the system32/drivers folder, please check ?

5

Thanks for the reply,i scanned again in virus chest as you suggested and The UBSBM.sys says no virus,but i cannot restore it as it is GREYED OUT?,The UBSBM is NOT present in DRIVERS FOLDER?.

6

I can’t understand why it can’t be restored, that may have something to do with it being a driver.

Does avast give you an option to extract as mentioned earlier (probably not if the whole entry is greyed out) ?
I have never seen an item greyed out in the chest before.