Mopping Up "Win32:Evo-gen [susp]"


#1 milon

Posted 04 November 2013 - 02:14 PM

I apologize if this is in the wrong forum.  This seems like the best place to put this, since I don't know for certain that I'm dealing with malware and I don't have any logs yet to post.  I have no problem with this post being moved, just please inform me if you do move it.
 
Background:
I'm fairly new at my work, which is a small office with no IT department.  I've become the unofficial IT guy because I've got some experience and knowledge in the field.  I recently discovered a virus at work and need some help to resolve it.  Initial scans by Avast labelled the infection as "Win32:Evo-gen [susp]".
 
Setup:
We have a workgroup network with a 64-bit Win7 PC acting as data server.  The other computers are all 32-bit WinXP machines.  Some computers had Kaspersky and some had Avira, but they all expired a LONG time ago (months to a year or more).  Also, Windows Updates was NOT enabled on ANY of them.  Yikes!!  I'm currently setting up Avast anti-virus and doing Windows Updates on each system.  Oddly enough, the only computer showing any virus activity is the Win7 system.  Which is very unfortunate, because that's our data server.   :(  (No idea how the WinXP machines aren't affected, but I scanned with avast and checked a few things manually.  They're clean.)
 
Current Win7 Symptoms:
  • Avast finds 2 viruses each time I scan, but nothing appears in the virus chest or in the scan history when the scan completes
  • The Security Center service cannot start (in services.msc) and is NOT listed in the Control Panel
  • Windows Defender shows up in Control Panel, but it's got a blank white page icon and cannot start. "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."
  • Windows Firewall appears normally in Control Panel.  Clicking on it goes to the Windows Firewall control panel menu.  There's a red box titled "Update your Firewall Settings", and beneath that it says "Windows Firewall is not using the recommended settings to protect your computer."  If I click on Turn Windows Firewall on or off (on the left) it just shows the same screen with the red box.  If I click "Use recommended settings", a message box appears that says "Windows Firewall can't change some of your settings. Error code 0x80070424". There is no other firewall software installed on any of our systems.
  • A folder path existed with the following name:
    "C:\Program Files (x86)\Google\Desktop\Install\   \   \...\ﯹ๛\{873cfa82-854f-4640-6f6b-ec60eaf0c1ba}"
    That's not a typo, and no, this computer does not have ANY Google software installed on it.  It's an illegal tree path.  Trying to delete it from Explorer results in "Access is denied".  Trying to navigate into the \...\ folder makes Explorer crash.  I can navigate to the curly brace bit using 7-Zip File Manager, but I cannot move or open or delete it.  To prevent anything nasty from being executed, I booted into Safe Mode and used 7-Zip to rename it to "C:\Program Files (x86)\stupid\folder\why\can\I\not\delete\you"
  • Attempting to download (security-related?) attachments in Internet Explorer results in an immediate deletion by IE, saying that it contained a virus
  • Attempting to extract the contents of a .zip file fails every time with no error message
NOTE: I can circumvent the last two issues by downloading from another computer and extracting with it, or by using 7-Zip on the Win7 machine.
 
What I've Tried:
Unfortunately, I've tried so many things I can't give an accurate report of what I did or what order I did it in.  I've run various scans and killed unknown start-up processes.  Originally, Avast detected 6 instances of "Win32:Evo-gen [susp]", and it claimed to have resolved that.  Now it doesn't have a record of any virus activity beyond finding 2 viruses each time I scan.  I rebooted the Win7 system into safe mode, opened an Administrator cmd.exe and ran "sfc /scannow".  It got to 58% before spitting out "Windows Resource Protection could not perform the requested operation."
 
It's quite possible that the infection is dead but has left the system damaged.  It's equally possible that the infection isn't gone at all.  I know that ideally we would just reformat the system, but I really don't want to get into figuring out what's important, doing data backups, trying to find the install discs (if we even have them), setting it all up again, making sure nothing is broken, etc. Because it's our server, having it offline means we can't work, so having it offline for an undetermined amount of time really isn't an option right now. What should I do?

Edited by milon, 04 November 2013 - 02:16 PM.



#2 boopme (Global Moderator)

Posted 04 November 2013 - 02:32 PM

Hello milon
This seems to be a false positive.... see my post here and do the steps.

http://www.bleepingcomputer.com/forums/t/510285/win32evo-gen-also/#entry3179126

Start from the linked post, which is headed:

"How to exclude a file or folder from AVG scan"

This is Post #10 of that topic; follow those directions.

#3 milon (Topic Starter)

Posted 04 November 2013 - 03:05 PM

Hi boopme, thanks for the response.

 

I've seen false positives before, but I don't know how you concluded this is a false positive.  What clues are you seeing?  Also, even if I thought it was a false positive (I honestly don't know at this point), I wouldn't know what files to exclude.  During the scan, Avast reports that it finds 2 viruses.  It's supposed to say what those files are after the scan completes.  It doesn't.  (See current symptom #1 above.)


Edited by milon, 04 November 2013 - 03:16 PM.


#4 noknojon

Posted 04 November 2013 - 04:05 PM

Hello -

This is a well documented False Positive (even on the avast! forum), so it continues to "show".

 

Scan your machine with ESET OnlineScan

Please use Internet Explorer for this as it prefers to use ActiveX

Follow How To Temporarily Disable Your Anti-virus
1. Hold down the Control (Ctrl) key and click on This Link to open ESET OnlineScan in a new window.
2. Click the ESET Online Scanner button.
3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
   - Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
   - Double click on the icon on your desktop.
4. Check "YES, I accept the Terms of Use."
5. Click the Start button.
6. Accept any security warnings from your browser.
7. Under scan settings, check "Scan Archives" and "Remove found threats".
8. Click Advanced settings and select the following:
   * Scan potentially unwanted applications
   * Scan for potentially unsafe applications
   * Enable Anti-Stealth technology
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this will take some time.
10. When the scan completes, click List Threats.
11. Click Export, and save the file to your desktop using a unique name, such as ESETScan.
    * Include the contents of this report in your next reply.
12. Click the Back button.
13. Click the Finish button.

 

This will also clear out any other minor infections that avast! misses ....

 

Thank You -


Edited by noknojon, 04 November 2013 - 04:07 PM.


#5 milon (Topic Starter)

Posted 04 November 2013 - 04:27 PM

Okay, thanks for the information.  I'll do as you suggest and report the results.  I still don't understand what the false positive is from.  What is the offending software?  And how do I repair the broken system functions?



#6 noknojon

Posted 04 November 2013 - 04:31 PM

After you finish the above step, please try another Free (I assume) Antivirus (you do not say).

The reason it is not in the Virus Chest is because it is non-existent. That means False Positive.

 

If you run only a couple (up to 10) computers try => Microsoft Security Essentials (MSE).

You also have full Microsoft Antivirus Support available to you while running this -

Need security for your business
Microsoft Security Essentials is available for small businesses with up to 10 PCs.

This will then stop any avast! False/Pos from showing up.

 

Thank You -



#7 boopme (Global Moderator)

Posted 04 November 2013 - 09:59 PM

The offending software is probably Canon software and the file CALMAIN.exe being improperly detected.

#8 noknojon

Posted 05 November 2013 - 02:16 AM

Thanks boopme -

> The offending software is probably Canon software and the file CALMAIN.exe being improperly detected.

There is quite a lot on this being a False Positive on the avast! site, but in most of their posts they will not give the actual file or software related to this. Just " [susp] " (suspect) and not real -

 

It has been detected only by them for quite a while now -



#9 milon (Topic Starter)

Posted 05 November 2013 - 12:13 PM

Thanks boopme and noknojon for the information.  I didn't realize that this was a false positive unique to avast.  We don't have any Canon software running, but I'm more confident that it's a false positive.  I'll let you know the results of the scan when it finishes.

 

My biggest concern still hasn't changed, however.  How do I restore the functionality of the Security Center, Windows Firewall, and Windows Defender?  I don't care too much about WF or WD, but it bothers me that they are broken.  Security Center is of high importance to me, however, and that's the number one thing I want to fix.  What do I do for that?



#10 NDSupport

Posted 05 November 2013 - 12:36 PM

This may not be the time or place, but RKill finds and lists "C:\Program Files (x86)\Google\Desktop\Install\ \ \...\ﯹ๛\{873cfa82-854f-4640-6f6b-ec60eaf0c1ba}" as a 0Access/Sirefef junction point. If this is a well documented false positive, why does BleepingComputer's RKill application list it otherwise? I have found this path in several machines infected by Sirefef/0Access and have removed it via a PXE, as a PXE seems to be the only way to remove the folder without locking up Explorer. Sorry if I'm wasting anyone's time.

#11 milon (Topic Starter)

Posted 05 November 2013 - 02:06 PM

Thanks for the information, NDSupport. I read your other post and the ESET page you linked to. Very informative. The Win7 system is exhibiting the same behavior - IE is deleting downloads and various system services are crippled/removed. I did not run the ESET removal tool because ESET didn't identify a Sirefef infection. Speaking of which, here are the results of the ESET scan:
 

C:\Program Files (x86)\PSChiro\Database\Setup\5.2.16\ChiroSuite5.2.16.EXE probably a variant of Win32/Agent.MFEUIKZ trojan cleaned by deleting - quarantined

 
That's the only "infected" result, which I guarantee is a false positive. That's an installer for an old version of our data server. I don't think it's needed, but I also don't feel comfortable deleting it. I restored it. It seems clear that avast was throwing up false positives, though it's still strange that it didn't state what files it thought were infected.

 

Anyway, I'm still at my original question. How do I fix Security Center etc?



#12 NDSupport

Posted 05 November 2013 - 02:18 PM

Repairing Windows Defender can be done a few ways. The "Windows Repair Kit (All-in-One)" is pretty useful and, if I'm not mistaken, comes with repairs to Security Center / Windows Defender. (In my virtual "toolbox" I carry the 32-bit and 64-bit program file folders for Windows Defender.) I believe there is a guide on Bleeping Computer for this fix, but if you're running 64-bit Windows 7, you would want to zip up the Windows Defender folder in the Program Files (x86) folder, and then zip up the Windows Defender folder located in Program Files. (These should be taken from a working machine.) Unzip the folders into their proper location on the problem machine (rename the current Windows Defender folders to .old), restart, and go from there.

#13 milon (Topic Starter)

Posted 05 November 2013 - 02:41 PM

Here's a little back story I didn't mention before:  Work was getting rid of another Win7 system due to cosmetic defects (i.e. it fell off a counter and was no longer presentable for our customers).  I took it home to monkey around with it, and found the virus on it.  That's what led me to find the virus at work.  The Win7 system I took home has the exact same symptoms as the Win7 server at work.

 

Here's the interesting part.  I was planning on reformatting the one I took home, but hadn't gotten to it yet.  So just for the heck of it, I ran ESET's Sirefef removal tool on it.  It stated that it found a Sirefef infection, so I let it reboot and clean the system.  It asked to restore the missing services, which I allowed. After the next reboot, it seems to be fixed.  Windows Defender and Windows Firewall are restored and working properly.  Security Center is working again too, but doesn't have an icon in the Control Panel.  Oh well, that's really not a problem in my books.

 

Is there any reason I should apply this fix to the Win7 server at work?


Edited by milon, 05 November 2013 - 03:15 PM.


#14 NDSupport

Posted 05 November 2013 - 03:11 PM

Are you asking if you should apply the "Eset" fix to the server? Or asking if you should apply my aforementioned fix (replacing Windows Defender folders)?

#15 xXToffeeXx (Malware Response Instructor)

Posted 05 November 2013 - 03:32 PM

> This may not be the time or place, but RKill finds and lists "C:\Program Files (x86)\Google\Desktop\Install\ \ \...\ﯹ๛\{873cfa82-854f-4640-6f6b-ec60eaf0c1ba}" as a 0Access/Sirefef junction point. If this is a well documented false positive, why does BleepingComputer's RKill application list it otherwise? I have found this path in several machines infected by Sirefef/0Access and have removed it via a PXE, as a PXE seems to be the only way to remove the folder without locking up Explorer. Sorry if I'm wasting anyone's time.

That's not a false positive, that folder is a definite sign of a ZeroAccess/Sirefef infection. They were referring to "Win32:Evo-gen [susp]" being a false positive.

> It's quite possible that the infection is dead but has left the system damaged.  It's equally possible that the infection isn't gone at all.

Just to let you know, all those symptoms mean the infection is very much still running (this is a response to the first post; the infection may be gone by now, but it's worth noting). The Windows services not working after removing the infection happens a lot, but that file and the fact you could not download tell me that ZA is/was still alive and running.

 

xXToffeeXx~


Edited by xXToffeeXx, 05 November 2013 - 03:32 PM.

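The folder NDSupport and xXToffeeXx point to has name traits that no normal installer produces (whitespace-only names, a "..." name, a two-character non-ASCII name, then a bare {GUID} leaf). The following is an added example, not code from this thread, RKill or ESET: a small Python heuristic that flags that pattern in a list of paths such as one pasted from a directory listing. All function names are mine, and the sample list is constructed around the path milon reported.

```python
"""Added example: flag directory paths showing the ZeroAccess/Sirefef
traits described in the thread. Input is a list of Windows path strings."""
import re

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# Name traits that Explorer cannot handle normally and installers never create.
ODD_NAME_TRAITS = {"whitespace-only name", "dots-only name", "short non-ASCII name"}


def classify_component(name):
    """Return the trait of one folder name, or None if it looks ordinary."""
    if name.strip() == "":
        return "whitespace-only name"
    if name.strip(".") == "":
        return "dots-only name"
    # Two or three characters, none ASCII (like the pair in the thread);
    # longer non-ASCII names are normal for localized user folders.
    if len(name) <= 3 and all(ord(c) > 127 for c in name):
        return "short non-ASCII name"
    if GUID_RE.match(name):
        return "bare GUID name"
    return None


def suspicious_components(path):
    """List (trait, name) pairs for each odd component of a Windows path.
    str.split is used instead of os.path so whitespace-only names survive."""
    found = []
    for name in path.split("\\")[1:]:          # [0] is the drive letter
        if name == "":
            continue                           # doubled separator, not a name
        trait = classify_component(name)
        if trait:
            found.append((trait, name))
    return found


def is_zeroaccess_like(path):
    """Heuristic: at least one odd name AND a GUID leaf. A GUID folder alone
    is normal (the Windows Installer cache is full of them), so it is not
    flagged by itself."""
    traits = {t for t, _ in suspicious_components(path)}
    return bool(traits & ODD_NAME_TRAITS) and "bare GUID name" in traits


def scan(paths):
    """Return the subset of paths that match the ZeroAccess-style pattern."""
    return [p for p in paths if is_zeroaccess_like(p)]


# Constructed sample: the path milon reported, plus benign look-alikes.
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\Google\Desktop\Install\   \   \...\ﯹ๛\{873cfa82-854f-4640-6f6b-ec60eaf0c1ba}",
    r"C:\Windows\Installer\{873cfa82-854f-4640-6f6b-ec60eaf0c1ba}",
    r"C:\Program Files (x86)\Google\Desktop\Install",
    r"C:\Program Files (x86)\stupid\folder\why\can\I\not\delete\you",
]

if __name__ == "__main__":
    for p in scan(SAMPLE_PATHS):
        print("ZeroAccess-like:", p, suspicious_components(p))
```

A hit from this check is a reason to run a dedicated ZeroAccess/Sirefef removal tool and review the services it disables, as the thread goes on to do; it is not proof on its own.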




