Win32:Evo-gen (Susp)

Hi, Avast just informed me that they had quarantined a potentially dangerous rootkit.
File Location: C:\Windows\SoftwareDistribution\DataStore\Logs
(note this was hijacking svchost.exe (there are around 60+ of them!))
Original File name: tmp.edb
Size of File: 524288
Last Modification: 15:38:08
Time of Transfer: 16:44:12
Category: Infected Files
Virus description: Win32-Evo-gen
File ID: 1
Previous virus issues: http://forum.avast.com/index.php?topic=118828.msg916264#msg916264

Hopefully we can get this fixed. Very worried indeed.

As this is an evo detection it may be a false positive, but let's check it out.

Download OTL to your Desktop
Secondary link

- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

- Select All Users
- Under the Custom Scan box paste this in:

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs.
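For readers who want to do the same triage without OTL, the following is an added PowerShell example; it is not code from the original thread or from the OTL tool. It approximates what the custom scan above collects: it hashes and signature-checks the binaries listed between /md5start and /md5stop, confirms each running svchost.exe is the System32 copy, and walks the svchost service groups (what the netsvcs line dumps) to show which ServiceDll each hosted service loads. The flag names, the "O=Microsoft Corporation" signer test and the "inside %windir%" rule are this example's own assumptions; it needs an elevated prompt and PowerShell 4 or later for Get-FileHash.

```powershell
# Added example, not code from the original thread or from OTL.
# Approximates the OTL custom scan: hash/sign-check core binaries, verify
# running svchost.exe image paths, and list svchost service groups with the
# ServiceDll each hosted service loads. Run elevated; needs PowerShell 4+.
# Flag names and the Microsoft-signer check are assumptions of this example.

$ErrorActionPreference = 'SilentlyContinue'
$windir   = $env:windir
$sysDrive = $env:SystemDrive

# Files covered by OTL's /md5start ... /md5stop block (services.* -> services.exe)
$targets = 'services.exe', 'explorer.exe', 'winlogon.exe', 'userinit.exe', 'svchost.exe'

function Get-SignerInfo {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Caveat: on Windows 7 / older PowerShell, catalog-signed OS files report
    # NotSigned because catalogs are not consulted; treat Status as a hint there.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    [PSCustomObject]@{ Status      = $sig.Status
                       Subject     = $subject
                       IsMicrosoft = ($subject -match 'O=Microsoft Corporation') }
}

# 1. Every copy of each core binary on the system drive, with hash and signer.
#    A second copy outside System32/WinSxS, or an unsigned one, deserves a look.
#    (Recursing the whole drive is slow; use -Path $windir for a quick pass.)
Write-Host "== Core binaries on $sysDrive =="
Get-ChildItem -Path "$sysDrive\" -Include $targets -Recurse -File -Force |
    ForEach-Object {
        $s = Get-SignerInfo $_.FullName
        [PSCustomObject]@{
            Path   = $_.FullName
            Size   = $_.Length
            MD5    = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
            Status = $s.Status
            Signer = $s.Subject
        }
    } | Format-Table -AutoSize

# 2. Running svchost.exe instances: dozens are normal on a busy machine. What
#    matters is that each runs from %windir%\System32 (null Path = not elevated).
Write-Host "== Running svchost.exe image paths =="
Get-Process -Name svchost |
    Group-Object -Property Path |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 3. svchost service groups and the DLL each hosted service loads. A service
#    "hijacking svchost" typically shows up here: a service added to a group
#    whose ServiceDll points at a file outside %windir% or not signed by Microsoft.
Write-Host "== svchost service groups and ServiceDll entries =="
$groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$groups   = Get-ItemProperty -Path $groupKey
$findings = foreach ($prop in $groups.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }          # provider metadata, not a group
    foreach ($svc in @($prop.Value)) {
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll).ServiceDll
        if (-not $dll) { continue }                   # listed in a group but not installed
        $path  = [Environment]::ExpandEnvironmentVariables($dll)
        $flags = @()
        if (-not (Test-Path -LiteralPath $path)) {
            $flags += 'MISSING'
        } else {
            if ($path -notlike "$windir\*") { $flags += 'OUTSIDE-WINDIR' }
            $s = Get-SignerInfo $path
            if ($s.Status -ne 'Valid')      { $flags += "SIG-$($s.Status)" }
            elseif (-not $s.IsMicrosoft)   { $flags += 'NOT-MICROSOFT' }
        }
        [PSCustomObject]@{ Group      = $prop.Name
                           Service    = $svc
                           ServiceDll = $path
                           Flags      = ($flags -join ',') }
    }
}

# Flagged entries first; on a clean box this list is empty (modulo the
# catalog-signature caveat in Get-SignerInfo).
$findings | Where-Object { $_.Flags } | Format-Table -AutoSize
Write-Host ("{0} hosted services checked, {1} flagged" -f @($findings).Count,
            @($findings | Where-Object { $_.Flags }).Count)
```

Section 3 is the part that actually answers "is svchost.exe hijacked?": svchost.exe itself is almost never modified, because it is only a host that loads whatever ServiceDll the registry names for each service in its group. Compare any flagged DLL's hash against a known-good copy before deleting anything, and remember that a large number of svchost.exe processes is normal rather than a sign of infection.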

Ok, Avast has currently got it inside the virus chest. Should I remove it from the chest before running the OTL?

Many Thanks
Oliver

No leave it there

The file was probably created as part of Windows Update, located here:
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb

Ok, Scan complete :D, Posting OTL + Extras

Looks clean so I reckon we are looking at an FP here ;D

Ah thanks, great :D! Should I just run a quick MBAM scan? After that, if it's clean, should I remove OTL/report the FP to Avast, or should I just delete the file in question from the virus vault?

Many Thanks
Oliver

Just delete the file, as it is a Windows storage file that it would have deleted on reboot.

Aye give MBAM a whirl

Hi, just gone ahead and removed the file. I have found a new file in the same location, edb.chk (thought I should mention this just in case); scanned it and found no issues. I'm guessing it's an FP. Shall continue to monitor for any changes. The MBAM results were fine.

Aye I do not think there is anything there

Ok, just ran an Avast scan and it said one of the folders couldn't be scanned. I am re-running the scan again to see if it comes up again. I have also gone ahead and manually rescanned that directory.

My guess is that directory was already deleted, but when the scanner went to look at it, it thought it was still there. :)

Just doing a quick search and I've found someone else who asked the same question.

Those are event trace logs used by Windows, and the "unable to scan" is not a problem.

It's come back clear now. I shall continue to monitor for the next 24 hours; if anything changes I'll be sure to post.

Thanks again Essexboy :)

My pleasure ;D