Win32:Evo-gen [Susp]

Hello! Every day, an hour or two after I boot up my computer, I get a pop-up saying Avast has quarantined a Win32:Evo-gen [Susp] file, which is normally some random DLL file. I have scanned with Avast and Malwarebytes and cannot find anything. Any suggestions?

Win32:Evo-gen [Susp] = Suspicious

What is the location of the file? Full file path, please.

Do you have the full message Avast gives? Maybe a screenshot of the popup message.
If you have not rebooted the computer, right-click the Avast tray icon and select Show last popup.

Attached is the screenshot. C:\windows\temp* - this file changes every day.
Process: C:\windows\syswow\svchost.exe

Do you have some sync software, like OneDrive / GDrive / Dropbox? If so, try clearing its cache.

Try emptying your temp folders > TFC cleaner http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

At first sight, given its location (a .dll file in Temp) and its random-looking name, I would say Avast is right to be suspicious of it. So for now (until further investigation) I would say do not Add the file to the scan exclusion list or Report the file as a false positive.

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

Since you have already run MBAM, you could attach its scan log to your next post.

Start with the Farbar Recovery Scan Tool (second one on the above link) and attach the two logs mentioned in the Information topic I gave the link for.

Here are the logs. Thanks for your help.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop.

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

- Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users: click Run after receipt of the Windows Security Warning - Open File.)
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
- When finished, FRST will generate a log on the Desktop called Fixlog.txt.
Please attach it to your reply.

Out of curiosity what is this fixing or changing?

Attached is the Fixlog. This time, though, I got the "threat blocked" popup right after I logged in, which normally takes time.

The fixlist was trying to remove some unneeded ‘trash’ left in various places and close out some behind the scenes jobs that could be running.

I am beginning to suspect that this is a FP of some of the remote access software on this system.

  1. Can you upload the file(s) in question to virustotal.com and reply with links back to the scans there?

  2. Does the file(s) / warnings end if you temporarily disable TightVNC server / app?

A few sites on VirusTotal detect it as malware, as you can see in the screenshot. Today I have not received an alert yet, but you might have something with the remote desktop, as it seems to happen right around the first time I use VNC, RDP, or TeamViewer.
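The triage the helper asked for above (full path, hash for a VirusTotal lookup, and whether the file is tied to the remote-access software) can be done in one pass from an elevated PowerShell prompt. The script below is an added example and is not part of this thread, nor Avast's or Farbar's tooling. It assumes the folder named in the popup is C:\Windows\Temp (the `$TempDir` parameter is an assumption you can change), that the DLL was written within the last day, and that you run it as Administrator on Windows 8 / Server 2012 or later (for `Get-ScheduledTask`). It looks up VirusTotal by SHA256 instead of uploading the file, so nothing leaves the machine.

```powershell
#Requires -RunAsAdministrator
# Added example: triage a DLL that Avast flags as Win32:Evo-gen [Susp] in the
# Windows Temp folder. Not from the thread; names and defaults are assumptions.
param(
    # Folder the popup named; C:\Windows\Temp in the thread.
    [string]$TempDir = (Join-Path $env:WINDIR 'Temp'),
    # Only look at DLLs written in the last N hours; the alert came an hour
    # or two after boot, so 24 h is a generous window.
    [int]$Hours = 24
)

# 1. Recently written DLLs in Temp, with hash and Authenticode state.
#    A random-named, unsigned DLL here is what made the helper suspicious.
$recent = Get-ChildItem -Path $TempDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-$Hours) }

$report = foreach ($f in $recent) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Name      = $f.Name
        Written   = $f.LastWriteTime
        SizeKB    = [math]::Round($f.Length / 1KB, 1)
        SigStatus = $sig.Status                     # Valid / NotSigned / HashMismatch ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = $hash
        # Hash search on VirusTotal does not upload the file and needs no API key.
        VTLink    = "https://www.virustotal.com/gui/file/$hash"
    }
}
$report | Format-Table -AutoSize

# 2. Which running processes have a module loaded from Temp? The thread suspects
#    TightVNC / TeamViewer / RDP: a remote-access helper loading a temp DLL into
#    its own process points at a false positive; an unsigned temp DLL inside
#    svchost.exe does not, and deserves the specialist's look.
$loaders = Get-Process | ForEach-Object {
    $p = $_
    try { $mods = $p.Modules } catch { $mods = @() }   # access denied on protected or 32-bit processes
    foreach ($m in $mods) {
        if ($m.FileName -like "$TempDir\*") {
            [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName; Module = $m.FileName }
        }
    }
}
$loaders | Format-Table -AutoSize

# 3. A scheduled task or Run key pointing into Temp would explain a file that
#    "changes every day" and comes back after cleaning with TFC.
Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        if (($a.Execute + ' ' + $a.Arguments) -match [regex]::Escape($TempDir)) {
            [pscustomobject]@{ Task = $t.TaskPath + $t.TaskName; Exec = $a.Execute; Args = $a.Arguments }
        }
    }
} | Format-Table -AutoSize

Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSObject.Properties } |
    Where-Object { $_.Value -is [string] -and $_.Value -match [regex]::Escape($TempDir) } |
    Select-Object Name, Value | Format-Table -AutoSize
```

Run it shortly after the popup, before the daily file is replaced, and post the table rather than the DLL itself. If the only loader is the VNC or TeamViewer process and the signer is that vendor, that supports the false-positive theory; if the loader is svchost.exe or the DLL is unsigned and scheduled to run from Temp, keep the exclusion off and hand the output to the malware removal specialist.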