Inactive AVG free version detects "IDP.Trojan.2428539A"

I have the new posts. Can you tell me if we're addressing the IDP.Trojan? If so, did you get a chance to look at the procedure I had a question about a few posts back where I dropped in the security check log?

Here are the GMER log and ListParts log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-20 09:39:57
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 rev.
Running: 7ex48rit.exe; Driver: C:\Users\Mitch\AppData\Local\Temp\kgloypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0x9787A004]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0x9787A0D4]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x97879D76]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x97879E1E]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x97879EBA]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x97879F56]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82E47589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E6C092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 4A0 82E73AB0 8 Bytes [04, A0, 87, 97, D4, A0, 87, ...] {ADD AL, 0xa0; XCHG [EDI-0x68785f2c], EDX}
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 82E73AF8 4 Bytes [76, 9D, 87, 97]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82E73DC8 8 Bytes [1E, 9E, 87, 97, BA, 9E, 87, ...] {PUSH DS; SAHF ; XCHG [EDI-0x68786146], EDX}
.text ntkrnlpa.exe!RtlSidHashLookup + 82C 82E73E3C 4 Bytes [56, 9F, 87, 97]

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\AVG\AVG2012\avgwdsvc.exe[384] C:\Windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
? C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe[512] C:\Windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
? C:\Windows\system32\lsass.exe[820] C:\Windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
? C:\Windows\System32\svchost.exe[1096] c:\windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
? C:\Windows\System32\svchost.exe[1128] c:\windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
? C:\Windows\system32\svchost.exe[1172] c:\windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
? C:\Windows\system32\svchost.exe[1276] c:\windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
? C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\iphlpapi.dll time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
? C:\Windows\system32\winlogon.exe[1480] C:\Windows\system32\ADVAPI32.dll time/date stamp mismatch; unknown module: CRYPTSP.dllunknown module: WINTRUST.dllunknown module: SspiCli.dllunknown module: bcrypt.dllunknown module: pcwum.dllunknown module: KERNELBASE.dll
? C:\Windows\system32\winlogon.exe[1480] C:\Windows\system32\userenv.dll time/date stamp mismatch; unknown module: DNSAPI.dllunknown module: logoncli.dllunknown module: netutils.dllunknown module: SspiCli.dllunknown module: GPAPI.dllunknown module: GPSVC.dllunknown module: profapi.dllunknown module: KERNELBASE.dll
? C:\Windows\System32\spoolsv.exe[1892] C:\Windows\System32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
? C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
? C:\Windows\System32\svchost.exe[1952] C:\Windows\System32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
? C:\Windows\Explorer.EXE[3464] C:\Windows\System32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
? C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe[3732] C:\Windows\system32\iphlpapi.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
? C:\Program Files\Google\Chrome\Application\chrome.exe[3888] C:\Windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\winlogon.exe[1480] @ C:\Windows\system32\winlogon.exe [KERNEL32.dll!LoadLibraryExA] [738C9B20] C:\Program Files\NetMotion Client\nmlogon.dll (NetMotion Logon DLL/NetMotion Wireless, Inc.)
IAT C:\Windows\system32\winlogon.exe[1480] @ C:\Windows\system32\winlogon.exe [KERNEL32.dll!LoadLibraryW] [738C9A80] C:\Program Files\NetMotion Client\nmlogon.dll (NetMotion Logon DLL/NetMotion Wireless, Inc.)
IAT C:\Windows\system32\winlogon.exe[1480] @ C:\Windows\system32\winlogon.exe [KERNEL32.dll!GetProcAddress] [738C9800] C:\Program Files\NetMotion Client\nmlogon.dll (NetMotion Logon DLL/NetMotion Wireless, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp nmdrv.sys

Device \Driver\ACPI_HAL \Device\00000057 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp nmdrv.sys
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp nmdrv.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0007615150eb
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0007615150eb (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Users\Mitch\Documents\personal\Locked 0 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct 0 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\lowes login.txt 30 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\amazon log in.txt 77 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\att and uverse login.txt 109 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\avg license.txt 53 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\blackberry forums.txt 35 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\blue cross blue shield log in.txt 47 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\cigna dental log in.txt 40 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\citimortgage login.txt 53 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\COA benefits login.txt 49 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\directv login.txt 49 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\MXenergy.txt 33 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\online payment confirmation 0 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\online payment confirmation\simmons 6_11 online payment conf.txt 160 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\paypal login.txt 76 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\peachcare login.txt 88 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\retirement acct logins.txt 649 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\scottrade login.txt 67 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\simmons first login.txt 95 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\state farm.txt 38 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\target log in.txt 387 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\taxact login 09.txt 50 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\trev gosolar.txt 60 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\world golf tour.txt 38 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\ebay log in.txt 33 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\FIA log in.txt 470 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\flightsim.com log in.txt 14 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\ga fed credit union.txt 44 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\ga fed quickpay xfer.txt 56 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\ge moneybank login.txt 36 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\gwinnett county water resources.txt 57 bytes
File C:\Users\Mitch\Documents\personal\Locked\acct\home depot log-in.txt 39 bytes
File C:\Users\Mitch\Documents\personal\Locked\misc 0 bytes
File C:\Users\Mitch\Documents\personal\Locked\misc\Jermaine logs cont.pdf 611856 bytes
File C:\Users\Mitch\Documents\personal\Locked\misc\Jermaine logs.docx 10796 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs 0 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2008 0 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2008\2008_Federal_Return Mitch.pdf 49865 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2008\2008_Federal_Return Terri.pdf 44376 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2008\2008_Georgia_Return Mitch.pdf 26591 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2008\2008_Georgia_Return Terri.pdf 26141 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2009 0 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2009\1099-R.pdf 165410 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2009\2009_Federal_Return.pdf 71442 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2009\2009_Georgia_Return.pdf 22145 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2010 0 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2010\2010_Federal_Form_W4_suggested.pdf 26651 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2010\2010_Federal_Return.pdf 47484 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2010\2010_Georgia_Return.pdf 19236 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2010 fed withholding suggestions.txt 617 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011 0 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011\2011_Federal_Form_1040.pdf 23232 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011\2011_Federal_Form_4952.pdf 7639 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011\2011_Federal_Schedule_A.pdf 10284 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011\2011_Federal_Schedule_B.pdf 9366 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011\2011_Federal_Schedule_D.pdf 17965 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011\2011_Georgia_Return.pdf 20605 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011\taxes fed state 04.pdf 46312 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\chris_april_ssn.txt 58 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\Federal and State Electronic Filing Instructions.doc 25600 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\suggested 2012 W4.pdf 123284 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\taxes fed 03.T03 48576 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\taxes fed state 04.pdf 387173 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\taxes fed state 05.PDF 359794 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\taxes fed state 06.pdf 309176 bytes
File C:\Users\Mitch\Documents\personal\Locked\tax docs\taxes fed state 07.pdf 295549 bytes

---- EOF - GMER 1.0.15 ----

*****************************************************************************************************************************************

ListParts by Farbar Version: 10-08-2012
Ran by Mitch (administrator) on 20-08-2012 at 09:41:00
Windows 7 (X86)
Running From: C:\Users\SG3 13\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 39%
Total physical RAM: 3571.9 MB
Available physical RAM: 2162.87 MB
Total Pagefile: 7142.08 MB
Available Pagefile: 5792.97 MB
Total Virtual: 2047.88 MB
Available Virtual: 1956.38 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:222.63 GB) (Free:102.18 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:3.37 GB) NTFS
3 Drive e: (COD2CD1) (CDROM) (Total:0.45 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 258 MB 31 KB
Partition 2 Primary 10 GB 259 MB
Partition 3 Primary 222 GB 10 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D RECOVERY NTFS Partition 10 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 222 GB Healthy System (partition with boot components)

======================================================================================================

Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {1311a3a9-3644-11df-a071-b1f2960e9c50}
resumeobject {1311a3a8-3644-11df-a071-b1f2960e9c50}
displayorder {1311a3a9-3644-11df-a071-b1f2960e9c50}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30

Windows Boot Loader
-------------------
identifier {1311a3a9-3644-11df-a071-b1f2960e9c50}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {1311a3aa-3644-11df-a071-b1f2960e9c50}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {1311a3a8-3644-11df-a071-b1f2960e9c50}
nx OptIn

Windows Boot Loader
-------------------
identifier {1311a3aa-3644-11df-a071-b1f2960e9c50}
device ramdisk=[C:]\Recovery\1311a3aa-3644-11df-a071-b1f2960e9c50\Winre.wim,{1311a3ab-3644-11df-a071-b1f2960e9c50}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice ramdisk=[C:]\Recovery\1311a3aa-3644-11df-a071-b1f2960e9c50\Winre.wim,{1311a3ab-3644-11df-a071-b1f2960e9c50}
systemroot \windows
nx OptIn
winpe Yes
custom:46000010 Yes

Windows Boot Loader
-------------------
identifier {572bcd55-ffa7-11d9-aae0-0007e994107d}
device partition=D:
path \Windows\System32\boot\winload.exe
description Windows Recovery Environment
osdevice partition=D:
systemroot \Windows
nx OptIn
detecthal Yes
winpe Yes

Resume from Hibernate
---------------------
identifier {1311a3a8-3644-11df-a071-b1f2960e9c50}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
pae Yes
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

Windows Legacy OS Loader
------------------------
identifier {466f5a88-0af2-4f76-9038-095b170dc21c}
device unknown
path \ntldr
description Earlier Version of Windows
custom:45000001 1
custom:47000005 301989892
6

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
{7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings
-------------------
identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier {1311a3ab-3644-11df-a071-b1f2960e9c50}
description Ramdisk Options
ramdisksdidevice partition=C:
ramdisksdipath \Recovery\1311a3aa-3644-11df-a071-b1f2960e9c50\boot.sdi


****** End Of Log ******
 
  • Please download Hitman Pro by Surfright from here and save it to your desktop.
  • Double click HitmanPro36.exe to run the scanner
  • Click Next
  • Accept the license conditions and click Next
  • Choose to do only a single scan. Do not enter any e-mail address and click Next
  • Hitman Pro will now scan your computer
  • After the scan, choose to ignore all threats - I want to have a look first, before deciding what to do
  • Click Next
  • You will now find an option to export the results of the scan to an XML file (log.xml). Please do so. Close Hitman Pro.
  • Please copy and paste the contents of log.xml into your next reply (You can open XML files with notepad)

Note: For best results, keep Hitman Pro for the future to prevent re-infection. Consider purchasing it now.
 
DragonMaster,

Cannot connect to Surfright. It just finally times out after multiple tries. Is there another site you'd recommend? A search for Hitman Pro turned up a few other sites, but I don't want to try them without your blessing.
 
That site won't connect either. I don't get an error message other than "it's taking too long to respond" and it just times out. Is whatever is infecting this PC somehow blocking that site? All other sites are connecting normally.
 
DragonMaster:

Thanks... got the Hitman log for you here:

HitmanPro 3.6.1.164
www.hitmanpro.com

Computer name . . . . : MITCH-PC
Windows . . . . . . . : 6.1.0.7600.X86/2
User name . . . . . . : Mitch-PC\Mitch
UAC . . . . . . . . . : Enabled
License . . . . . . . : Free

Scan date . . . . . . : 2012-08-22 14:22:51
Scan mode . . . . . . : Normal
Scan duration . . . . : 12m 42s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 0
Traces . . . . . . . : 10

Objects scanned . . . : 1,307,247
Files scanned . . . . : 52,924
Remnants scanned . . : 487,727 files / 766,596 keys

Suspicious files ____________________________________________________________

C:\Users\Mitch\Documents\BFBC2\pb\pbcl.dll
Size . . . . . . . : 960,138 bytes
Age . . . . . . . : 205.1 days (2012-01-30 12:04:02)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 70053EEA7AC3C1427D779B3F258A13CF74B02980DCDDEFBC24B341CFFA1E4AA2
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.

C:\Windows\system32\rpcnet.dll
Size . . . . . . . : 58,288 bytes
Age . . . . . . . : 6.2 days (2012-08-16 09:22:05)
Entropy . . . . . : 6.2
SHA-256 . . . . . : 323F4EE52DFDECEE704F76F6780D2DBA526EE2EA9854B0B9C75F0D0BD2EB9FDA
Product . . . . . : Installation/Management Application
Publisher . . . . : Absolute Software Corp.
Description . . . : rpcnet
Version . . . . . : 8.0.910.0
Copyright . . . . : Copyright (c) 1997-2012 Absolute Software Corporation. All Rights Reserved.
RSA Key Size . . . : 1024
Authenticode . . . : Invalid
Fuzzy . . . . . . : 24.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Time indicates that the file appeared recently on this computer.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.


Cookies _____________________________________________________________________

C:\Users\Mitch\AppData\Roaming\Microsoft\Windows\Cookies\mitch@avgtechnologies.112.2o7[2].txt
C:\Users\Mitch\AppData\Roaming\Microsoft\Windows\Cookies\mitch@eaeacom.112.2o7[1].txt
C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\5fceb8m9.default\cookies.sqlite:ad.wsod.com
C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\5fceb8m9.default\cookies.sqlite:atdmt.com
C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\5fceb8m9.default\cookies.sqlite:collective-media.net
C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\5fceb8m9.default\cookies.sqlite:doubleclick.net
C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\5fceb8m9.default\cookies.sqlite:revsci.net
C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\5fceb8m9.default\cookies.sqlite:serving-sys.com
 
For the first item suspiciously detected, it is actually Battlefield Bad Company 2's PunkBuster system, which means that it is safe.

For the second item suspiciously detected, it is a root-level driver LoJack Service, so it can't be malware.

Since it wants to argue though, and you came here to get it checked out, do the following please:

Please go to: VirusTotal
  • Click the Browse button and search for the following file: C:\Windows\system32\rpcnet.dll
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.
 
Dragon Master,

I'm still confused as to what the rpcnetp.exe is (note the final "P"). That's the process noted when AVG finds the threat "IDP.Trojan.2428539A". Shouldn't THAT be the file that's scanned instead of rpcnet.dll? Pardon my ignorance, just trying to be sure here.

Here are the VirusTotal scan results:

SHA256: 323f4ee52dfdecee704f76f6780d2dba526ee2ea9854b0b9c75f0d0bd2eb9fda
SHA1: f1b52f8abea89662776d8744cb2570a390bf1c77
MD5: 11d2208dc9f65f704751862ed048ac04
File size: 56.9 KB ( 58288 bytes )
File name: rpcnet.dll
File type: Win32 DLL
Detection ratio: 0 / 42
Analysis date: 2012-08-23 15:57:47 UTC ( 1 minute ago )
Antivirus Result Update
AhnLab-V3 - 20120823
AntiVir - 20120823
Antiy-AVL - 20120822
Avast - 20120823
AVG - 20120823
BitDefender - 20120823
ByteHero - 20120817
CAT-QuickHeal - 20120823
ClamAV - 20120823
Commtouch - 20120823
Comodo - 20120823
DrWeb - 20120823
Emsisoft - 20120823
eSafe - 20120823
ESET-NOD32 - 20120822
F-Prot - 20120823
F-Secure - 20120823
Fortinet - 20120823
GData - 20120823
Ikarus - 20120818
Jiangmin - 20120823
K7AntiVirus - 20120822
Kaspersky - 20120823
McAfee - 20120823
McAfee-GW-Edition - 20120823
Microsoft - 20120823
Norman - 20120823
nProtect - 20120823
Panda - 20120823
PCTools - 20120823
Rising - 20120823
Sophos - 20120823
SUPERAntiSpyware - 20120823
Symantec - 20120823
TheHacker - 20120822
TotalDefense - 20120823
TrendMicro - 20120823
TrendMicro-HouseCall - 20120823
VBA32 - 20120823
VIPRE - 20120823
ViRobot - 20120823
VirusBuster - 20120823
ssdeep

1536:yqYe2rM2Y97fdq98BZtTrxLcaUARgwUaDC8j:ZS4JzpxLcaNRgcH
TrID

Clipper DOS Executable (33.5%)
Generic Win/DOS Executable (33.2%)
DOS Executable Generic (33.2%)
Sigcheck

publisher................: Absolute Software Corp.
product..................: Installation/Management Application
internal name............: rpcnet
copyright................: Copyright (c) 1997-2012 Absolute Software Corporation. All Rights Reserved.
original name............: rpcnet.dll
comments.................:
file version.............: 8.0.910.0
description..............: rpcnet
Portable Executable structural information

Compilation timedatestamp.....: 2012-03-02 04:40:48
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00004A80

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 45497 45568 6.19 243856e81dd3ea690d997913486e3a73
.data 53248 804 1024 0.64 c46ed36b39df963bb9ce2533ced17df0
.cdata 57344 666 1024 2.66 f156ea513ef5aeceebadc21b386a48e9
.rsrc 61440 1096 1536 2.55 b422c3814d79688ee3c2d7bf0d589f97
.reloc 65536 2300 2560 6.38 69b8aef0409c82fbd4f184ebdb0b902f

PE Imports....................:

[[USERENV.dll]]
CreateEnvironmentBlock, DestroyEnvironmentBlock

[[KERNEL32.dll]]
GetStdHandle, GetComputerNameA, GetOverlappedResult, WaitForSingleObject, PurgeComm, GetLocalTime, DeleteCriticalSection, GetCurrentProcess, LocalAlloc, lstrcatA, SetErrorMode, WaitCommEvent, SetStdHandle, WriteFile, SetFileAttributesA, SetEvent, LocalFree, MoveFileA, ResumeThread, InitializeCriticalSection, FindClose, GetEnvironmentVariableA, WriteProcessMemory, CopyFileA, ExitProcess, FlushFileBuffers, GetModuleFileNameA, LoadLibraryExA, SetThreadPriority, SetFilePointer, CreateThread, GetExitCodeThread, ClearCommError, GetSystemDirectoryA, TerminateProcess, GetCommState, BackupSeek, GetCurrentThreadId, HeapFree, EnterCriticalSection, TerminateThread, lstrcmpiA, FreeLibrary, GetVersionExA, LoadLibraryA, RtlUnwind, ExitThread, CreateRemoteThread, OpenProcess, DeleteFileA, GetWindowsDirectoryA, GetCommProperties, SetCommMask, ReadProcessMemory, BackupWrite, WaitForMultipleObjects, GetProcessHeap, lstrcmpA, FindFirstFileA, lstrcpyA, ResetEvent, GetTempFileNameA, CreateFileMappingA, GetProcAddress, GetBinaryTypeA, SetCommTimeouts, SetCommState, CreateEventA, CreateFileA, HeapAlloc, LeaveCriticalSection, GetLastError, VirtualAllocEx, lstrlenA, SetupComm, VirtualFreeEx, GetCurrentProcessId, SetFileTime, BackupRead, GetCommandLineA, RaiseException, MapViewOfFile, GetModuleHandleA, ReadFile, CloseHandle, GetVersion, CreateProcessA, UnmapViewOfFile, Sleep, GetFileAttributesExA

[[WSOCK32.dll]]
Ord(12), Ord(3), Ord(11), Ord(57), Ord(23), Ord(21), Ord(111), Ord(116), Ord(4), Ord(115), Ord(52), Ord(19), Ord(18)

[[NETAPI32.dll]]
Netbios

[[ADVAPI32.dll]]
RegDeleteKeyA, RegCloseKey, RegDeleteValueA, OpenServiceA, QueryServiceConfigA, RegQueryValueExA, AdjustTokenPrivileges, ControlService, RegCreateKeyExA, DeleteService, RegDisablePredefinedCache, SetSecurityDescriptorDacl, CloseServiceHandle, RegOpenKeyA, EqualSid, OpenProcessToken, CreateServiceA, QueryServiceStatus, GetKernelObjectSecurity, SetTokenInformation, RegOpenKeyExA, SetEntriesInAclA, GetTokenInformation, DuplicateTokenEx, SetServiceStatus, CreateProcessAsUserA, RegisterServiceCtrlHandlerA, RevertToSelf, StartServiceCtrlDispatcherA, FreeSid, ChangeServiceConfigA, AllocateAndInitializeSid, InitializeSecurityDescriptor, RegSetValueExA, StartServiceA, ImpersonateLoggedOnUser, OpenSCManagerA, SetKernelObjectSecurity

[[SHLWAPI.dll]]
AssocQueryStringA

[[USER32.dll]]
GetMessageA, CreateWindowExA, wsprintfA, DispatchMessageA, PostQuitMessage, PostMessageA, SendMessageA, KillTimer, PeekMessageA, MsgWaitForMultipleObjects, TranslateMessage, DefWindowProcA, SetTimer, RegisterClassA, PostThreadMessageA

[[TAPI32.dll]]
lineGetID, lineSetDevConfig, lineInitialize, lineSetStatusMessages, lineShutdown, lineMakeCall, lineGetCallStatus, lineDeallocateCall, lineGetDevConfig, lineClose, lineDrop, lineGetDevCaps, lineOpen


PE Exports....................:

ServiceMain

PE Resources..................:

Resource type Number of resources
RT_VERSION 1

Resource language Number of resources
ENGLISH US 1
Symantec Reputation

Suspicious.Insight
First seen by VirusTotal

2012-04-21 16:20:28 UTC ( 4 months ago )
Last seen by VirusTotal

2012-08-23 15:57:47 UTC ( 2 minutes ago )
File names (max. 25)

  1. rpcnet.dll
  2. rpcnet
  3. rpcnet.dll
  4. E0DC1974B0F50A09E35100C5EF9484006A6D5A03.dll
  5. file-3859079_dll
  6. 11d2208dc9f65f704751862ed048ac04
  7. rpcnet.dll
  8. RPCNET.DLL
  9. 11d2208dc9f65f704751862ed048ac04.dll
  10. rpcnet.dl_
 
DragonMaster,

I rebooted again and although AVG didn't flag it this time (can't understand why NOT), rpcnetp.exe (not rpcnet.exe) showed up in the services again. I know you didn't request it, but I ran the virustotal scan on THAT file.

Here are the results:


SHA256: 364aea446798b729e552aa6fc6a333a45e7fc4407940ce20ed7d644ab72703d1
File name: rpcnetp.exe
Detection ratio: 2 / 42
Analysis date: 2012-08-23 17:04:45 UTC ( 4 minutes ago )
More details
Antivirus   Result   Update
AhnLab-V3 - 20120823
AntiVir - 20120823
Antiy-AVL - 20120822
Avast - 20120823
AVG - 20120823
BitDefender - 20120823
ByteHero - 20120822
CAT-QuickHeal - 20120823
ClamAV - 20120823
Commtouch - 20120823
Comodo - 20120823
DrWeb - 20120823
Emsisoft - 20120823
eSafe - 20120823
ESET-NOD32 - 20120822
F-Prot - 20120823
F-Secure - 20120823
Fortinet - 20120823
GData - 20120823
Ikarus - 20120818
Jiangmin - 20120823
K7AntiVirus - 20120823
Kaspersky - 20120823
McAfee Artemis!9CD881ED1CA9 20120823
McAfee-GW-Edition Artemis!9CD881ED1CA9 20120823
Microsoft - 20120823
Norman - 20120823
nProtect - 20120823
Panda - 20120823
PCTools - 20120823
Rising - 20120823
Sophos - 20120823
SUPERAntiSpyware - 20120823
Symantec - 20120823
TheHacker - 20120822
TotalDefense - 20120823
TrendMicro - 20120823
TrendMicro-HouseCall - 20120823
VBA32 - 20120823
VIPRE - 20120823
ViRobot - 20120823
VirusBuster - 20120823
ssdeep

384:QwTVsn/LdYM7iCTX3A1DFLw3Eol/7l5fbM:QwJ2/Ld3XTX3AHw3Eoll5f
TrID

Clipper DOS Executable (33.5%)
Generic Win/DOS Executable (33.2%)
DOS Executable Generic (33.2%)
Portable Executable structural information

Compilation timedatestamp.....: 2009-08-22 19:44:16
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00002D33

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 13910 14336 6.28 68a21422d28a26520c02305c6880ffc9
.data 20480 432 512 0.45 5dc8ac78fbac152a77acbf305f8e8c48
.cdata 24576 572 1024 1.38 f6964bf41f3003f4957a17635791af68
.reloc 28672 836 1024 5.86 b169a3c86a1c682ae421dec534babddf

PE Imports....................:

[[ADVAPI32.dll]]
DuplicateTokenEx, RegOpenKeyA, RegCloseKey, StartServiceCtrlDispatcherA, OpenProcessToken, SetServiceStatus, CreateProcessAsUserA, RegQueryValueExA, RegDeleteValueA, RegEnumValueA, SetTokenInformation, RegisterServiceCtrlHandlerA

[[KERNEL32.dll]]
GetLastError, GetStdHandle, EnterCriticalSection, WriteProcessMemory, VirtualAllocEx, TerminateThread, lstrlenA, GetOverlappedResult, WaitForSingleObject, FreeLibrary, CopyFileA, ExitProcess, LoadLibraryA, RtlUnwind, ExitThread, CreateRemoteThread, DeleteCriticalSection, VirtualFreeEx, LocalAlloc, OpenProcess, ReadProcessMemory, GetModuleFileNameA, WaitForMultipleObjects, SetStdHandle, GetModuleHandleA, RaiseException, CreateThread, lstrcmpiA, SetFilePointer, ReadFile, lstrcatA, WriteFile, CloseHandle, ResetEvent, GetSystemDirectoryA, GetVersion, SetEvent, LocalFree, TerminateProcess, ResumeThread, CreateProcessA, GetExitCodeThread, InitializeCriticalSection, lstrcpyA, CreateEventA, Sleep, SetThreadPriority, CreateFileA, GetCurrentThreadId, GetProcAddress, GetCurrentProcessId, LeaveCriticalSection

[[WSOCK32.dll]]
Ord(115), Ord(116), Ord(10), Ord(11)

[[USER32.dll]]
wsprintfA, SetTimer, PeekMessageA, GetMessageA, DispatchMessageA, PostQuitMessage, PostMessageA, KillTimer, CreateWindowExA, TranslateMessage, DefWindowProcA, RegisterClassA, PostThreadMessageA

[[USERENV.dll]]
CreateEnvironmentBlock


PE Exports....................:

rpcnetp
Symantec Reputation

Suspicious.Insight
First seen by VirusTotal

2010-01-28 22:16:34 UTC ( 2 years, 6 months ago )
Last seen by VirusTotal

2012-08-23 17:04:45 UTC ( 4 minutes ago )
File names (max. 25)

  1. rpcnetp.ex_
  2. rpcnetp (2).exe
  3. file-2994402_exe
  4. arab_desert.exe
  5. 9cd881ed1ca9347841e3ba32ec9020c8
  6. 9CD881ED1CA9347841E3BA32EC9020C8
  7. rpcnetp.exe
  8. rpcnetp.exe
 
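The import tables in the two reports above (rpcnet.dll and rpcnetp.exe) are the most informative part of either VirusTotal result, and the useful way to read them is as combinations rather than single calls: OpenProcess + VirtualAllocEx + WriteProcessMemory + CreateRemoteThread is the standard remote-thread injection chain, OpenSCManagerA + CreateServiceA + StartServiceA installs a service, and the WSOCK32 ordinals resolve to a plain TCP client in the DLL but not in the EXE. The script below is an example added to this page by the editor; it is not part of the original thread, not VirusTotal output and not any AV vendor's detection logic. It parses VirusTotal's "[[DLL]]" plus comma-separated "PE Imports" layout and reports which capability clusters a file fully imports. The sample inputs are copied from the two reports above, abridged to the DLLs the clusters examine; the cluster labels and the Winsock 1.1 ordinal table are the editor's own assumptions.

```python
"""Capability triage of the PE import tables posted in this thread.

Added example for this page: not part of the original thread, not
VirusTotal output, and not any AV vendor's detection logic. The import
lists below are copied from the two VirusTotal reports above (rpcnet.dll
and rpcnetp.exe), abridged to the DLLs the clusters examine. The cluster
definitions and the Winsock ordinal table are the editor's own assumptions.
"""
from __future__ import annotations

import re

# Winsock 1.1 exports by ordinal (wsock32.dll). Editor's own table, limited
# to the ordinals present in the two reports; confirm against the export
# table of the wsock32.dll actually on the host before relying on it.
WSOCK32_ORDINALS = {
    3: "closesocket", 4: "connect", 10: "ioctlsocket", 11: "inet_addr",
    12: "inet_ntoa", 18: "select", 19: "send", 21: "setsockopt", 23: "socket",
    52: "gethostbyname", 57: "gethostname", 111: "WSAGetLastError",
    115: "WSAStartup", 116: "WSACleanup",
}

# A cluster fires only when every API in it is imported. Labels are the
# editor's own and describe capability, not intent.
CLUSTERS = {
    "remote-thread code injection":
        {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "installs a Windows service":
        {"OpenSCManagerA", "CreateServiceA", "StartServiceA"},
    "runs as a service":
        {"StartServiceCtrlDispatcherA", "RegisterServiceCtrlHandlerA", "SetServiceStatus"},
    "spawns a process in the logged-on user's session":
        {"OpenProcessToken", "DuplicateTokenEx", "CreateProcessAsUserA"},
    "outbound TCP client":
        {"WSAStartup", "socket", "connect", "send"},
    "modem dial-out via TAPI":
        {"lineInitialize", "lineOpen", "lineMakeCall"},
    "drops a file into the system directory and sets its attributes":
        {"CopyFileA", "GetSystemDirectoryA", "SetFileAttributesA"},
}

# Constructed sample input: copied from the rpcnet.dll report above, abridged.
RPCNET_DLL = """
[[KERNEL32.dll]]
OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, CopyFileA,
GetSystemDirectoryA, SetFileAttributesA, CreateProcessA, LoadLibraryA, GetProcAddress
[[WSOCK32.dll]]
Ord(12), Ord(3), Ord(11), Ord(57), Ord(23), Ord(21), Ord(111), Ord(116), Ord(4), Ord(115), Ord(52), Ord(19), Ord(18)
[[ADVAPI32.dll]]
OpenSCManagerA, CreateServiceA, StartServiceA, StartServiceCtrlDispatcherA,
RegisterServiceCtrlHandlerA, SetServiceStatus, OpenProcessToken, DuplicateTokenEx, CreateProcessAsUserA
[[TAPI32.dll]]
lineInitialize, lineOpen, lineMakeCall, lineDrop, lineClose
"""

# Constructed sample input: copied from the rpcnetp.exe report above, abridged.
RPCNETP_EXE = """
[[ADVAPI32.dll]]
DuplicateTokenEx, OpenProcessToken, CreateProcessAsUserA, StartServiceCtrlDispatcherA,
SetServiceStatus, RegisterServiceCtrlHandlerA
[[KERNEL32.dll]]
OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, CopyFileA,
GetSystemDirectoryA, CreateProcessA, LoadLibraryA, GetProcAddress
[[WSOCK32.dll]]
Ord(115), Ord(116), Ord(10), Ord(11)
[[USERENV.dll]]
CreateEnvironmentBlock
"""


def parse_imports(report: str) -> dict[str, set[str]]:
    """Parse the '[[DLL]]' header + comma-separated-names layout used by
    VirusTotal's 'PE Imports' section. WSOCK32 ordinals are resolved to
    names; unknown ordinals are kept as 'Ord(n)' so they stay visible."""
    imports: dict[str, set[str]] = {}
    dll = None
    for raw in report.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[\[(.+?)\]\]", line)
        if header:
            dll = header.group(1)
            imports.setdefault(dll, set())
            continue
        if not line or dll is None:
            continue
        for name in (n.strip() for n in line.split(",") if n.strip()):
            ordinal = re.fullmatch(r"Ord\((\d+)\)", name)
            if ordinal and dll.lower() == "wsock32.dll":
                name = WSOCK32_ORDINALS.get(int(ordinal.group(1)), name)
            imports[dll].add(name)
    return imports


def triage(report: str) -> list[str]:
    """Sorted labels of every cluster whose APIs are all imported."""
    imported = set().union(*parse_imports(report).values())
    return sorted(label for label, apis in CLUSTERS.items() if apis <= imported)


if __name__ == "__main__":
    for name, report in (("rpcnet.dll", RPCNET_DLL), ("rpcnetp.exe", RPCNETP_EXE)):
        print(name)
        for label in triage(report):
            print("  -", label)
```

Run as-is it lists seven clusters for rpcnet.dll (injection, service install, service host, run-as-user, TCP client, TAPI dial-out, file drop) and three for rpcnetp.exe (injection, service host, run-as-user). Two caveats apply when using this on a real triage: an import table shows what a binary can do, not what it does, so a legitimate management agent can light up the same clusters; and the two detections in the rpcnetp.exe report (McAfee "Artemis!" and Symantec "Suspicious.Insight") are cloud reputation verdicts driven by low prevalence, not signature matches, which is why neither tells you anything about the code itself.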
Looks as if it'll have to be ignored then in AVG. There is nowhere near enough data to support an infected file. Just another one of AVG's stupid false positives. No surprise really. I'm used to seeing AVG false positives. Kind of like Norton in the olden days of antivirus software.
 
Ok... so even though AVG has never reported this before (indicating to me it was NOT on my machine before), you're saying I can safely ignore this thing that's reported as a trojan? Again, rpcnetp.exe shows in services with no description whatever and as "automatic" for startup. I just disabled it. Heck, I don't know what to think or do at this point. Are you telling me it's harmless and I can put it on the exceptions list in AVG?
 
Hello. Are you still with us?

Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

Thanks.
 
DragonMaster,

Didn't mean to let it go inactive, just haven't heard back from AVG. Also, the computer seems to be running fine of late and for SOME reason the service "rpcnetp.exe" is NOT showing up anymore. Obviously AVG no longer reports it. How could it just disappear, since it was still present on every other reboot, even after your last action post to me? Very mysterious. Any ideas on that?

Mitch
 