Win32:Evo-gen

Viruses and worms
1

Along with the my new cell phone the company also gave me voice mail with me voice recondition . Today I received an email saying I had 4 new voice mail that I opened.

Avast raised the alarm in a few minutes there was 4 files into the shield log. I thought the problem was solved.

I tried a web search for the files and found nothing so I tried the Avast Forum for Win32:Evo-gen. I could not find a specific fix so I went to some other sites. One solution said to back everything up so I closed the programs and restarted the computer.

The computer was slow to restart and there was 1-2 notifications asking for permission to modify Adobe Flash player. When I clicked “No” the notification came back up again and again. To get around this I opened Task Manager and closed the application.

Now the computer takes 1-2 minutes to respond and the size of window menu bars have changed.

With an even bigger problem I returned to the Avast site and after reading 6 or 8 post I found a link on how to remove the malware.

I downloaded both ComboFfix and adwcleaner but neither will start.

When try to open either I get and error message"The dependency service or group failed to start".

When open the Downloads directory I can see the files but when I click on the files the directory stops responding

I just checked the Avast shield log and it is empty. Avast is no longer giving any warnings.

2

Hi, Who told you to run ComboFix?
Can you tell me the full path of detected file? Screenshot will do.

Please download Farbar Recovery Scan Tool (
http://www.mcshield.net/personal/magna86/Images/FRST_canned.png
) by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

3

It is downloaded but Windows Explorer is stalled/running very slow. It took 4 minutes to update the desktop

Thankfully the Firefox is still running up to speed

I just started FSS from the desktop…waiting…waiting…

4

Just go the same error message

“The dependency service or group failed to start”.

5

Don’t run varius tool when you do not know what they serve.
You’re probably screwed up system by running a variety of tools (?) and not knowing the what they doing.

What OS do you run? Windows Vista, 7 , 8? XP?
Is it 32bit or 64bit system.

6

Windows 7 - 64bit

Far as I know all of none of the tools has run. All have had the same error message.

If I screwed something up won’t be the first time I have to fix my mistakes.

Cannot get a screen shot to download. Here is the path of some of the files

C:\Users\John Taylor\AppData\Local\omatcplbl.exe
C:\Users\John Taylor\AppData\Local\mniuoiog.exe
C:\Users\John Taylor\AppData\Local\naoprtxr.exe
C:\Users\John Taylor\AppData\Local\Google\Install.…\000000cmb.@
C:\Users\John Taylor\AppData\Local\Google\Install.…\80000064.@
C:\Users\John Taylor\AppData\Local\Google\Install.…\80000000.@
C:\Users\John Taylor\AppData\Local\Google\Install.…\0000004.@
C:\Users\John Taylor\AppData\Local\Google\Install.…\80000032.@

There are 38 files in all

7

Ok, let’s run FRST64 in Windows Recovery Environment.

Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.

[*]Plug the flashdrive into the infected PC.
[*]Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer
[*]Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.

[*] In the command window type in notepad and press Enter.
[*] When notepad opens, click File and select Open.
[*]Select “Computer” and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst64.exe and press Enter.

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run. When the tool opens click Yes to disclaimer.
[*]Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.

8

Thanks Magna

Here is the file

9

Hi,

FRST log shows me that you have been run ComboFix. Note for future:
Combofix is not a tool that is supposed to be used without expert oversight, sUBs the creator of Combofix has gone to great lengths to let people know this, including a clear and succinct message which is displayed every time that Combofix is run.

Open notepad.

[*]Click Start
[*] Type notepad.exe in the search programs and files box and click Enter.
[] A blank Notepad page should open.
[] Copy/Paste the contents of the code box below into Notepad.


Start
HKU\John Taylor\...\Run: [dhoaxjug] - C:\Users\John Taylor\AppData\Local\skqrlmcs.exe [92160 2013-11-13] ()
HKU\John Taylor\...\Run: [Google Update] - [x]
HKU\John Taylor\...\Run: [AS2014] - C:\ProgramData\dasrnsa3\dasrnsa3.exe [569344 2013-11-13] ()
S2 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [244960 2011-10-25] ()
C:\Users\John Taylor\AppData\Local\skqrlmcs.exe
C:\ProgramData\dasrnsa3\dasrnsa3.exe
C:\Program Files (x86)\StartNow Toolbar
2013-11-13 16:50 - 2013-11-13 16:50 - 00301568 _____ C:\Users\John Taylor\AppData\Local\bilbdqqs.exe
2013-11-13 16:50 - 2013-11-13 16:50 - 00001666 _____ C:\Users\John Taylor\Desktop\Antivirus Security Pro.lnk
2013-11-13 16:50 - 2013-11-13 16:50 - 00000118 _____ C:\Users\John Taylor\Desktop\Antivirus Security Pro support.url
2013-11-13 16:49 - 2013-11-13 16:50 - 00000000 ____D C:\ProgramData\dasrnsa3
2013-11-13 16:49 - 2013-11-13 16:49 - 00569344 _____ C:\Users\John Taylor\AppData\Local\tqickgrx.exe
013-11-13 10:52 - 2013-11-13 10:52 - 00287232 _____ C:\Users\John Taylor\AppData\Local\viivlkcg.exe
2013-11-13 09:40 - 2013-11-13 09:40 - 00287232 _____ C:\Users\John Taylor\AppData\Local\rqpnnqpf.exe
2013-11-13 09:39 - 2013-11-13 09:39 - 00067958 _____ C:\Users\John Taylor\AppData\Local\xpqakiui
2013-11-13 09:38 - 2013-11-13 09:38 - 00000000 _____ C:\Users\John Taylor\AppData\Roaming\SharedSettings.ccs
2013-11-13 09:13 - 2013-11-13 09:13 - 00092160 _____ C:\Users\John Taylor\AppData\Local\skqrlmcs.exe
C:\Users\John Taylor\AppData\Local\Google\Desktop\Install
C:\Users\John Taylor\AppData\Local\Temp\FNP_ACT_InstallerCA.dll
C:\Users\John Taylor\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\John Taylor\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\John Taylor\AppData\Local\Temp\msimg32.dll
End

[*] Save it to your USB flashdrive as fixlist.txt

Boot into Recovery Environment

Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens …

[*] Press the Fix button once and wait.
[*] FRST will process fixlist.txt
[*] When finished, it will produce a log fixlog.txt on your USB flashdrive.

Exit out of Recovery Environment and post me the log please.

THEN…

Try to run FRST in normal mode. Just press Scan button and post me fresh FRST.txt logreport.

10

Hi

I saw it in the log. When I tried to run ComboFix what looked to be a command prompt window appeared but it stayed blank so I closed it. ComboFix may have run but the computer was already running so slow that may have shut it down before it the warning window appeared.

Here is the Fixlog.

John

11

I ran it again in Normal Mode I forgot to enable Driver MD5. I hope that wasn’t a mistake.

Here are the FRST file and the Addition files.

12

Here is a screen shot.

This was what Avast blocked in 3 hours. After that the computer was disconnected from the web.

13

Can you make a new screenshot with the window only.

This is not eaven a bit readable.

14

Here is the screen shot again

15

I think there is something in your Chrome or in your system.

Look at the .exe files at the top. And the KillAV one, not so good.

16

Hi,

I didn’t finish with fix process. First FRST fix had task just to neutralize malware. This fix will remove the malware completely.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Policies\Explorer: [] 
HKLM-x32\...\Run: [] - [x]
SearchScopes: HKCU - DefaultScope {0388404D-6072-4CEB-B521-8F090FEAEE57} URL = http://klit.startnow.com/s/?q={searchTerms}&src=defsearch&provider=&provider_name=yahoo&provider_code=&partner_id=693&product_id=741&affiliate_id=&channel=&toolbar_id=200&toolbar_version=2.4.0&install_country=CA&install_date=20130131&user_guid=39D756B81C194E8D99A46115FEB2B51A&machine_id=b076414cf7e28ab338d89b9f79db4fd6&browser=IE&os=win&os_version=6.1-x64-SP1&iesrc={referrer:source}
SearchScopes: HKCU - {0388404D-6072-4CEB-B521-8F090FEAEE57} URL = http://klit.startnow.com/s/?q={searchTerms}&src=defsearch&provider=&provider_name=yahoo&provider_code=&partner_id=693&product_id=741&affiliate_id=&channel=&toolbar_id=200&toolbar_version=2.4.0&install_country=CA&install_date=20130131&user_guid=39D756B81C194E8D99A46115FEB2B51A&machine_id=b076414cf7e28ab338d89b9f79db4fd6&browser=IE&os=win&os_version=6.1-x64-SP1&iesrc={referrer:source}
BHO-x32: StartNow Toolbar Helper - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll No File
Toolbar: HKLM-x32 - StartNow Toolbar - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll No File
C:\Program Files (x86)\StartNow Toolbar
2013-11-13 16:50 - 2013-11-13 16:50 - 00000000 ____D C:\Users\John Taylor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro
2013-11-13 10:52 - 2013-11-13 10:52 - 00287232 _____ C:\Users\John Taylor\AppData\Local\viivlkcg.exe
File: C:\Users\John Taylor\Downloads\ddmsetup1360.exe
CMD: ipconfig /flushdns
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

THEN

Please download TFC by OldTimer to your desktop

[*]Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Post me fresh FRST.txt

17

Hey Magna

Sorry I got busy for a few days.

Your help on this is appreciated! Can I buy you a drink.

Here is the fixlog.

I have not been able to download TFC. Something on this machine keeps resetting the connection. It starts to downland then I get an error message.

John

18

All right … FRST did it’s job. It’s time for extra scanning/cleaning …

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.
  1. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

[*]Right click on the avast! system tray icon (
http://www.mcshield.net/pg/images/avast5.png
) in the lower right corner of the screen and scroll up to avast! shield controls;
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.

  1. Run ComboFix. Click on I Agree!

[i][size=7pt]- ComboFix will display DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.[/size]
    -If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
  • ComboFix will scan your computer in stages, total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note:If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.
    [/i]
  1. When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
    Attach log reports ( ComboFix.txt) back to topic.