TechSpot

AVG free version detects "IDP.Trojan.2428539A"

By Mitch Flander
Aug 12, 2012
  1. Mitch Flander

    Mitch Flander TS Rookie Topic Starter Posts: 23

    I have the new posts. Can you tell me if we're addressing the IDP.Trojan? If so, did you get a chance to look at the procedure I had a question about a few posts back, where I dropped in the security check log?

    Here are the GMER log and ListParts log:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-08-20 09:39:57
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 rev.
    Running: 7ex48rit.exe; Driver: C:\Users\Mitch\AppData\Local\Temp\kgloypog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0x9787A004]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0x9787A0D4]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x97879D76]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x97879E1E]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x97879EBA]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x97879F56]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82E47589 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E6C092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!RtlSidHashLookup + 4A0 82E73AB0 8 Bytes [04, A0, 87, 97, D4, A0, 87, ...] {ADD AL, 0xa0; XCHG [EDI-0x68785f2c], EDX}
    .text ntkrnlpa.exe!RtlSidHashLookup + 4E8 82E73AF8 4 Bytes [76, 9D, 87, 97]
    .text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82E73DC8 8 Bytes [1E, 9E, 87, 97, BA, 9E, 87, ...] {PUSH DS; SAHF ; XCHG [EDI-0x68786146], EDX}
    .text ntkrnlpa.exe!RtlSidHashLookup + 82C 82E73E3C 4 Bytes [56, 9F, 87, 97]

    ---- User code sections - GMER 1.0.15 ----

    ? C:\Program Files\AVG\AVG2012\avgwdsvc.exe[384] C:\Windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
    ? C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe[512] C:\Windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
    ? C:\Windows\system32\lsass.exe[820] C:\Windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
    ? C:\Windows\System32\svchost.exe[1096] c:\windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
    ? C:\Windows\System32\svchost.exe[1128] c:\windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
    ? C:\Windows\system32\svchost.exe[1172] c:\windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
    ? C:\Windows\system32\svchost.exe[1276] c:\windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
    ? C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\iphlpapi.dll time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
    ? C:\Windows\system32\winlogon.exe[1480] C:\Windows\system32\ADVAPI32.dll time/date stamp mismatch; unknown module: CRYPTSP.dllunknown module: WINTRUST.dllunknown module: SspiCli.dllunknown module: bcrypt.dllunknown module: pcwum.dllunknown module: KERNELBASE.dll
    ? C:\Windows\system32\winlogon.exe[1480] C:\Windows\system32\userenv.dll time/date stamp mismatch; unknown module: DNSAPI.dllunknown module: logoncli.dllunknown module: netutils.dllunknown module: SspiCli.dllunknown module: GPAPI.dllunknown module: GPSVC.dllunknown module: profapi.dllunknown module: KERNELBASE.dll
    ? C:\Windows\System32\spoolsv.exe[1892] C:\Windows\System32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
    ? C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
    ? C:\Windows\System32\svchost.exe[1952] C:\Windows\System32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
    ? C:\Windows\Explorer.EXE[3464] C:\Windows\System32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
    ? C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe[3732] C:\Windows\system32\iphlpapi.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll
    ? C:\Program Files\Google\Chrome\Application\chrome.exe[3888] C:\Windows\system32\IPHLPAPI.DLL time/date stamp mismatch; unknown module: dhcpcsvc.DLLunknown module: dhcpcsvc6.DLLunknown module: DNSAPI.dllunknown module: WINNSI.DLLunknown module: NSI.dll

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\system32\winlogon.exe[1480] @ C:\Windows\system32\winlogon.exe [KERNEL32.dll!LoadLibraryExA] [738C9B20] C:\Program Files\NetMotion Client\nmlogon.dll (NetMotion Logon DLL/NetMotion Wireless, Inc.)
    IAT C:\Windows\system32\winlogon.exe[1480] @ C:\Windows\system32\winlogon.exe [KERNEL32.dll!LoadLibraryW] [738C9A80] C:\Program Files\NetMotion Client\nmlogon.dll (NetMotion Logon DLL/NetMotion Wireless, Inc.)
    IAT C:\Windows\system32\winlogon.exe[1480] @ C:\Windows\system32\winlogon.exe [KERNEL32.dll!GetProcAddress] [738C9800] C:\Program Files\NetMotion Client\nmlogon.dll (NetMotion Logon DLL/NetMotion Wireless, Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp nmdrv.sys

    Device \Driver\ACPI_HAL \Device\00000057 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp nmdrv.sys
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp nmdrv.sys
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0007615150eb
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0007615150eb (not active ControlSet)

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- Files - GMER 1.0.15 ----

    File C:\Users\Mitch\Documents\personal\Locked 0 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct 0 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\lowes login.txt 30 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\amazon log in.txt 77 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\att and uverse login.txt 109 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\avg license.txt 53 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\blackberry forums.txt 35 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\blue cross blue shield log in.txt 47 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\cigna dental log in.txt 40 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\citimortgage login.txt 53 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\COA benefits login.txt 49 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\directv login.txt 49 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\MXenergy.txt 33 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\online payment confirmation 0 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\online payment confirmation\simmons 6_11 online payment conf.txt 160 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\paypal login.txt 76 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\peachcare login.txt 88 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\retirement acct logins.txt 649 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\scottrade login.txt 67 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\simmons first login.txt 95 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\state farm.txt 38 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\target log in.txt 387 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\taxact login 09.txt 50 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\trev gosolar.txt 60 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\world golf tour.txt 38 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\ebay log in.txt 33 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\FIA log in.txt 470 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\flightsim.com log in.txt 14 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\ga fed credit union.txt 44 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\ga fed quickpay xfer.txt 56 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\ge moneybank login.txt 36 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\gwinnett county water resources.txt 57 bytes
    File C:\Users\Mitch\Documents\personal\Locked\acct\home depot log-in.txt 39 bytes
    File C:\Users\Mitch\Documents\personal\Locked\misc 0 bytes
    File C:\Users\Mitch\Documents\personal\Locked\misc\Jermaine logs cont.pdf 611856 bytes
    File C:\Users\Mitch\Documents\personal\Locked\misc\Jermaine logs.docx 10796 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs 0 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2008 0 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2008\2008_Federal_Return Mitch.pdf 49865 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2008\2008_Federal_Return Terri.pdf 44376 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2008\2008_Georgia_Return Mitch.pdf 26591 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2008\2008_Georgia_Return Terri.pdf 26141 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2009 0 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2009\1099-R.pdf 165410 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2009\2009_Federal_Return.pdf 71442 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2009\2009_Georgia_Return.pdf 22145 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2010 0 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2010\2010_Federal_Form_W4_suggested.pdf 26651 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2010\2010_Federal_Return.pdf 47484 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2010\2010_Georgia_Return.pdf 19236 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2010 fed withholding suggestions.txt 617 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011 0 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011\2011_Federal_Form_1040.pdf 23232 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011\2011_Federal_Form_4952.pdf 7639 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011\2011_Federal_Schedule_A.pdf 10284 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011\2011_Federal_Schedule_B.pdf 9366 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011\2011_Federal_Schedule_D.pdf 17965 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011\2011_Georgia_Return.pdf 20605 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\2011\taxes fed state 04.pdf 46312 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\chris_april_ssn.txt 58 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\Federal and State Electronic Filing Instructions.doc 25600 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\suggested 2012 W4.pdf 123284 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\taxes fed 03.T03 48576 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\taxes fed state 04.pdf 387173 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\taxes fed state 05.PDF 359794 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\taxes fed state 06.pdf 309176 bytes
    File C:\Users\Mitch\Documents\personal\Locked\tax docs\taxes fed state 07.pdf 295549 bytes

    ---- EOF - GMER 1.0.15 ----

    *****************************************************************************************************************************************

    ListParts by Farbar Version: 10-08-2012
    Ran by Mitch (administrator) on 20-08-2012 at 09:41:00
    Windows 7 (X86)
    Running From: C:\Users\SG3 13\Desktop
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 39%
    Total physical RAM: 3571.9 MB
    Available physical RAM: 2162.87 MB
    Total Pagefile: 7142.08 MB
    Available Pagefile: 5792.97 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1956.38 MB

    ======================= Partitions =========================

    1 Drive c: (OS) (Fixed) (Total:222.63 GB) (Free:102.18 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:3.37 GB) NTFS
    3 Drive e: (COD2CD1) (CDROM) (Total:0.45 GB) (Free:0 GB) CDFS

    Disk ###  Status         Size     Free     Dyn  Gpt
    --------  -------------  -------  -------  ---  ---
    Disk 0    Online          232 GB      0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    OEM                258 MB    31 KB
    Partition 2    Primary             10 GB   259 MB
    Partition 3    Primary            222 GB    10 GB

    ======================================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1   D   RECOVERY     NTFS   Partition     10 GB  Healthy

    ======================================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 2   C   OS           NTFS   Partition    222 GB  Healthy    System (partition with boot components)

    ======================================================================================================

    Windows Boot Manager
    --------------------
    identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
    device partition=C:
    description Windows Boot Manager
    locale en-US
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    default {1311a3a9-3644-11df-a071-b1f2960e9c50}
    resumeobject {1311a3a8-3644-11df-a071-b1f2960e9c50}
    displayorder {1311a3a9-3644-11df-a071-b1f2960e9c50}
    toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
    timeout 30

    Windows Boot Loader
    -------------------
    identifier {1311a3a9-3644-11df-a071-b1f2960e9c50}
    device partition=C:
    path \Windows\system32\winload.exe
    description Windows 7
    locale en-US
    inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    recoverysequence {1311a3aa-3644-11df-a071-b1f2960e9c50}
    recoveryenabled Yes
    osdevice partition=C:
    systemroot \Windows
    resumeobject {1311a3a8-3644-11df-a071-b1f2960e9c50}
    nx OptIn

    Windows Boot Loader
    -------------------
    identifier {1311a3aa-3644-11df-a071-b1f2960e9c50}
    device ramdisk=[C:]\Recovery\1311a3aa-3644-11df-a071-b1f2960e9c50\Winre.wim,{1311a3ab-3644-11df-a071-b1f2960e9c50}
    path \windows\system32\winload.exe
    description Windows Recovery Environment
    inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    osdevice ramdisk=[C:]\Recovery\1311a3aa-3644-11df-a071-b1f2960e9c50\Winre.wim,{1311a3ab-3644-11df-a071-b1f2960e9c50}
    systemroot \windows
    nx OptIn
    winpe Yes
    custom:46000010 Yes

    Windows Boot Loader
    -------------------
    identifier {572bcd55-ffa7-11d9-aae0-0007e994107d}
    device partition=D:
    path \Windows\System32\boot\winload.exe
    description Windows Recovery Environment
    osdevice partition=D:
    systemroot \Windows
    nx OptIn
    detecthal Yes
    winpe Yes

    Resume from Hibernate
    ---------------------
    identifier {1311a3a8-3644-11df-a071-b1f2960e9c50}
    device partition=C:
    path \Windows\system32\winresume.exe
    description Windows Resume Application
    locale en-US
    inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
    filedevice partition=C:
    filepath \hiberfil.sys
    pae Yes
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
    device partition=C:
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-US
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    badmemoryaccess Yes

    Windows Legacy OS Loader
    ------------------------
    identifier {466f5a88-0af2-4f76-9038-095b170dc21c}
    device unknown
    path \ntldr
    description Earlier Version of Windows
    custom:45000001 1
    custom:47000005 301989892
    6

    EMS Settings
    ------------
    identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {4636856e-540f-4170-a130-a84776f4c654}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Global Settings
    ---------------
    identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    inherit {4636856e-540f-4170-a130-a84776f4c654}
    {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Boot Loader Settings
    --------------------
    identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    {7ff607e0-4395-11db-b0de-0800200c9a66}

    Hypervisor Settings
    -------------------
    identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
    hypervisordebugtype Serial
    hypervisordebugport 1
    hypervisorbaudrate 115200

    Resume Loader Settings
    ----------------------
    identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

    Device options
    --------------
    identifier {1311a3ab-3644-11df-a071-b1f2960e9c50}
    description Ramdisk Options
    ramdisksdidevice partition=C:
    ramdisksdipath \Recovery\1311a3aa-3644-11df-a071-b1f2960e9c50\boot.sdi


    ****** End Of Log ******
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    • Please download Hitman Pro by Surfright from here and save it to your desktop.
    • Double click HitmanPro36.exe to run the scanner
    • Click Next
    • Accept the license conditions and click Next
    • Choose to do only a single scan. Do not enter any e-mail address and click Next
    • Hitman Pro will now scan your computer
    • After the scan, choose to ignore all threats - I want to have a look first, before deciding what to do
    • Click Next
    • You will now find an option to export the results of the scan to an XML file (log.xml). Please do so. Close Hitman Pro.
    • Please copy and paste the contents of log.xml into your next reply (You can open XML files with notepad)

    Note: For best results, keep Hitman Pro for the future to prevent re-infection. Consider purchasing it now.
  3. Mitch Flander

    Mitch Flander TS Rookie Topic Starter Posts: 23

    DragonMaster,

    Cannot connect to Surfright. It just finally times out after multiple tries. Is there another site you'd recommend? A search for Hitman Pro turned up a few other sites, but I don't want to try them without your blessing.
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  5. Mitch Flander

    Mitch Flander TS Rookie Topic Starter Posts: 23

    That site won't connect either. I don't get an error message other than, "it's taking too long to respond" and it just times out. Is whatever is infecting this pc somehow blocking that site? All other sites are connecting normally.
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    The rootkit is probably blocking it, because it knows it can be defeated by Hitman Pro.

    Here is a download link from MediaFire, where I uploaded: http://www.mediafire.com/?7elks7e36d6oc7o

    Download from MediaFire and then run Hitman Pro as instructed above.
  7. Mitch Flander

    Mitch Flander TS Rookie Topic Starter Posts: 23

    DragonMaster:

    Thanks... got the Hitman log for you here:

    HitmanPro 3.6.1.164
    www.hitmanpro.com

    Computer name . . . . : MITCH-PC
    Windows . . . . . . . : 6.1.0.7600.X86/2
    User name . . . . . . : Mitch-PC\Mitch
    UAC . . . . . . . . . : Enabled
    License . . . . . . . : Free

    Scan date . . . . . . : 2012-08-22 14:22:51
    Scan mode . . . . . . : Normal
    Scan duration . . . . : 12m 42s
    Disk access mode . . : Direct disk access (SRB)
    Cloud . . . . . . . . : Internet
    Reboot . . . . . . . : No

    Threats . . . . . . . : 0
    Traces . . . . . . . : 10

    Objects scanned . . . : 1,307,247
    Files scanned . . . . : 52,924
    Remnants scanned . . : 487,727 files / 766,596 keys

    Suspicious files ____________________________________________________________

    C:\Users\Mitch\Documents\BFBC2\pb\pbcl.dll
    Size . . . . . . . : 960,138 bytes
    Age . . . . . . . : 205.1 days (2012-01-30 12:04:02)
    Entropy . . . . . : 7.6
    SHA-256 . . . . . : 70053EEA7AC3C1427D779B3F258A13CF74B02980DCDDEFBC24B341CFFA1E4AA2
    Fuzzy . . . . . . : 29.0
    The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Program contains PE structure anomalies. This is not typical for most programs.

    C:\Windows\system32\rpcnet.dll
    Size . . . . . . . : 58,288 bytes
    Age . . . . . . . : 6.2 days (2012-08-16 09:22:05)
    Entropy . . . . . : 6.2
    SHA-256 . . . . . : 323F4EE52DFDECEE704F76F6780D2DBA526EE2EA9854B0B9C75F0D0BD2EB9FDA
    Product . . . . . : Installation/Management Application
    Publisher . . . . : Absolute Software Corp.
    Description . . . : rpcnet
    Version . . . . . : 8.0.910.0
    Copyright . . . . : Copyright (c) 1997-2012 Absolute Software Corporation. All Rights Reserved.
    RSA Key Size . . . : 1024
    Authenticode . . . : Invalid
    Fuzzy . . . . . . : 24.0
    Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
    Time indicates that the file appeared recently on this computer.
    The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.


    Cookies _____________________________________________________________________

    C:\Users\Mitch\AppData\Roaming\Microsoft\Windows\Cookies\mitch@avgtechnologies.112.2o7[2].txt
    C:\Users\Mitch\AppData\Roaming\Microsoft\Windows\Cookies\mitch@eaeacom.112.2o7[1].txt
    C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\5fceb8m9.default\cookies.sqlite:ad.wsod.com
    C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\5fceb8m9.default\cookies.sqlite:atdmt.com
    C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\5fceb8m9.default\cookies.sqlite:collective-media.net
    C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\5fceb8m9.default\cookies.sqlite:doubleclick.net
    C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\5fceb8m9.default\cookies.sqlite:revsci.net
    C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\5fceb8m9.default\cookies.sqlite:serving-sys.com
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    For the first item suspiciously detected, it is actually Battlefield Bad Company 2's PunkBuster system, which means that it is safe.

    For the second item suspiciously detected, it is a root-level driver LoJack Service, so it can't be malware.

    Since it wants to argue though, and you came here to get it checked out, do the following please:

    Please go to: VirusTotal
    • Click the Browse button and search for the following file: C:\Windows\system32\rpcnet.dll
    • Click Open
    • Then click Send File
    • Please be patient while the file is scanned.
    • Once the scan results appear, please provide them in your next reply.
    If it says already scanned -- click "reanalyze now"

    Please post the results in your next reply.
  9. Mitch Flander

    Mitch Flander TS Rookie Topic Starter Posts: 23

    Dragon Master,

    I'm still confused as to what the rpcnetp.exe is (note the final "P"). That's the process noted when AVG finds the threat "IDP.Trojan2428539A". Shouldn't THAT be the file that's scanned instead of rpcnet.dll? Pardon my ignorance, just trying to be sure here.

    Here are the VirusTotal scan results:


    SHA256: 323f4ee52dfdecee704f76f6780d2dba526ee2ea9854b0b9c75f0d0bd2eb9fda
    SHA1: f1b52f8abea89662776d8744cb2570a390bf1c77
    MD5: 11d2208dc9f65f704751862ed048ac04
    File size: 56.9 KB ( 58288 bytes )
    File name: rpcnet.dll
    File type: Win32 DLL
    Detection ratio: 0 / 42
    Analysis date: 2012-08-23 15:57:47 UTC ( 1 minute ago )
    Antivirus  Result  Update
    AhnLab-V3 - 20120823
    AntiVir - 20120823
    Antiy-AVL - 20120822
    Avast - 20120823
    AVG - 20120823
    BitDefender - 20120823
    ByteHero - 20120817
    CAT-QuickHeal - 20120823
    ClamAV - 20120823
    Commtouch - 20120823
    Comodo - 20120823
    DrWeb - 20120823
    Emsisoft - 20120823
    eSafe - 20120823
    ESET-NOD32 - 20120822
    F-Prot - 20120823
    F-Secure - 20120823
    Fortinet - 20120823
    GData - 20120823
    Ikarus - 20120818
    Jiangmin - 20120823
    K7AntiVirus - 20120822
    Kaspersky - 20120823
    McAfee - 20120823
    McAfee-GW-Edition - 20120823
    Microsoft - 20120823
    Norman - 20120823
    nProtect - 20120823
    Panda - 20120823
    PCTools - 20120823
    Rising - 20120823
    Sophos - 20120823
    SUPERAntiSpyware - 20120823
    Symantec - 20120823
    TheHacker - 20120822
    TotalDefense - 20120823
    TrendMicro - 20120823
    TrendMicro-HouseCall - 20120823
    VBA32 - 20120823
    VIPRE - 20120823
    ViRobot - 20120823
    VirusBuster - 20120823
    ssdeep

    1536:yqYe2rM2Y97fdq98BZtTrxLcaUARgwUaDC8j:ZS4JzpxLcaNRgcH
    TrID

    Clipper DOS Executable (33.5%)
    Generic Win/DOS Executable (33.2%)
    DOS Executable Generic (33.2%)
    Sigcheck

    publisher................: Absolute Software Corp.
    product..................: Installation/Management Application
    internal name............: rpcnet
    copyright................: Copyright (c) 1997-2012 Absolute Software Corporation. All Rights Reserved.
    original name............: rpcnet.dll
    comments.................:
    file version.............: 8.0.910.0
    description..............: rpcnet
    Portable Executable structural information

    Compilation timedatestamp.....: 2012-03-02 04:40:48
    Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
    Entry point address...........: 0x00004A80

    PE Sections...................:

    Name    Virtual Address  Virtual Size  Raw Size  Entropy  MD5
    .text   4096             45497         45568     6.19     243856e81dd3ea690d997913486e3a73
    .data   53248            804           1024      0.64     c46ed36b39df963bb9ce2533ced17df0
    .cdata  57344            666           1024      2.66     f156ea513ef5aeceebadc21b386a48e9
    .rsrc   61440            1096          1536      2.55     b422c3814d79688ee3c2d7bf0d589f97
    .reloc  65536            2300          2560      6.38     69b8aef0409c82fbd4f184ebdb0b902f

    PE Imports....................:

    [[USERENV.dll]]
    CreateEnvironmentBlock, DestroyEnvironmentBlock

    [[KERNEL32.dll]]
    GetStdHandle, GetComputerNameA, GetOverlappedResult, WaitForSingleObject, PurgeComm, GetLocalTime, DeleteCriticalSection, GetCurrentProcess, LocalAlloc, lstrcatA, SetErrorMode, WaitCommEvent, SetStdHandle, WriteFile, SetFileAttributesA, SetEvent, LocalFree, MoveFileA, ResumeThread, InitializeCriticalSection, FindClose, GetEnvironmentVariableA, WriteProcessMemory, CopyFileA, ExitProcess, FlushFileBuffers, GetModuleFileNameA, LoadLibraryExA, SetThreadPriority, SetFilePointer, CreateThread, GetExitCodeThread, ClearCommError, GetSystemDirectoryA, TerminateProcess, GetCommState, BackupSeek, GetCurrentThreadId, HeapFree, EnterCriticalSection, TerminateThread, lstrcmpiA, FreeLibrary, GetVersionExA, LoadLibraryA, RtlUnwind, ExitThread, CreateRemoteThread, OpenProcess, DeleteFileA, GetWindowsDirectoryA, GetCommProperties, SetCommMask, ReadProcessMemory, BackupWrite, WaitForMultipleObjects, GetProcessHeap, lstrcmpA, FindFirstFileA, lstrcpyA, ResetEvent, GetTempFileNameA, CreateFileMappingA, GetProcAddress, GetBinaryTypeA, SetCommTimeouts, SetCommState, CreateEventA, CreateFileA, HeapAlloc, LeaveCriticalSection, GetLastError, VirtualAllocEx, lstrlenA, SetupComm, VirtualFreeEx, GetCurrentProcessId, SetFileTime, BackupRead, GetCommandLineA, RaiseException, MapViewOfFile, GetModuleHandleA, ReadFile, CloseHandle, GetVersion, CreateProcessA, UnmapViewOfFile, Sleep, GetFileAttributesExA

    [[WSOCK32.dll]]
    Ord(12), Ord(3), Ord(11), Ord(57), Ord(23), Ord(21), Ord(111), Ord(116), Ord(4), Ord(115), Ord(52), Ord(19), Ord(18)

    [[NETAPI32.dll]]
    Netbios

    [[ADVAPI32.dll]]
    RegDeleteKeyA, RegCloseKey, RegDeleteValueA, OpenServiceA, QueryServiceConfigA, RegQueryValueExA, AdjustTokenPrivileges, ControlService, RegCreateKeyExA, DeleteService, RegDisablePredefinedCache, SetSecurityDescriptorDacl, CloseServiceHandle, RegOpenKeyA, EqualSid, OpenProcessToken, CreateServiceA, QueryServiceStatus, GetKernelObjectSecurity, SetTokenInformation, RegOpenKeyExA, SetEntriesInAclA, GetTokenInformation, DuplicateTokenEx, SetServiceStatus, CreateProcessAsUserA, RegisterServiceCtrlHandlerA, RevertToSelf, StartServiceCtrlDispatcherA, FreeSid, ChangeServiceConfigA, AllocateAndInitializeSid, InitializeSecurityDescriptor, RegSetValueExA, StartServiceA, ImpersonateLoggedOnUser, OpenSCManagerA, SetKernelObjectSecurity

    [[SHLWAPI.dll]]
    AssocQueryStringA

    [[USER32.dll]]
    GetMessageA, CreateWindowExA, wsprintfA, DispatchMessageA, PostQuitMessage, PostMessageA, SendMessageA, KillTimer, PeekMessageA, MsgWaitForMultipleObjects, TranslateMessage, DefWindowProcA, SetTimer, RegisterClassA, PostThreadMessageA

    [[TAPI32.dll]]
    lineGetID, lineSetDevConfig, lineInitialize, lineSetStatusMessages, lineShutdown, lineMakeCall, lineGetCallStatus, lineDeallocateCall, lineGetDevConfig, lineClose, lineDrop, lineGetDevCaps, lineOpen


    PE Exports....................:

    ServiceMain

    PE Resources..................:

    Resource type Number of resources
    RT_VERSION 1

    Resource language Number of resources
    ENGLISH US 1
    Symantec Reputation

    Suspicious.Insight
    First seen by VirusTotal

    2012-04-21 16:20:28 UTC ( 4 months ago )
    Last seen by VirusTotal

    2012-08-23 15:57:47 UTC ( 2 minutes ago )
    File names (max. 25)

    1. rpcnet.dll
    2. rpcnet
    3. rpcnet.dll
    4. E0DC1974B0F50A09E35100C5EF9484006A6D5A03.dll
    5. file-3859079_dll
    6. 11d2208dc9f65f704751862ed048ac04
    7. rpcnet.dll
    8. RPCNET.DLL
    9. 11d2208dc9f65f704751862ed048ac04.dll
    10. rpcnet.dl_
  10. Mitch Flander

    Mitch Flander TS Rookie Topic Starter Posts: 23

    DragonMaster,

    I rebooted again and although AVG didn't flag it this time (can't understand why NOT), rpcnetp.exe (not rpcnet.exe) showed up in the services again. I know you didn't request it, but I ran the VirusTotal scan on THAT file.

    Here are the results:


    SHA256: 364aea446798b729e552aa6fc6a333a45e7fc4407940ce20ed7d644ab72703d1
    File name: rpcnetp.exe
    Detection ratio: 2 / 42
    Analysis date: 2012-08-23 17:04:45 UTC ( 4 minutes ago )
    Antivirus  Result  Update
    AhnLab-V3 - 20120823
    AntiVir - 20120823
    Antiy-AVL - 20120822
    Avast - 20120823
    AVG - 20120823
    BitDefender - 20120823
    ByteHero - 20120822
    CAT-QuickHeal - 20120823
    ClamAV - 20120823
    Commtouch - 20120823
    Comodo - 20120823
    DrWeb - 20120823
    Emsisoft - 20120823
    eSafe - 20120823
    ESET-NOD32 - 20120822
    F-Prot - 20120823
    F-Secure - 20120823
    Fortinet - 20120823
    GData - 20120823
    Ikarus - 20120818
    Jiangmin - 20120823
    K7AntiVirus - 20120823
    Kaspersky - 20120823
    McAfee Artemis!9CD881ED1CA9 20120823
    McAfee-GW-Edition Artemis!9CD881ED1CA9 20120823
    Microsoft - 20120823
    Norman - 20120823
    nProtect - 20120823
    Panda - 20120823
    PCTools - 20120823
    Rising - 20120823
    Sophos - 20120823
    SUPERAntiSpyware - 20120823
    Symantec - 20120823
    TheHacker - 20120822
    TotalDefense - 20120823
    TrendMicro - 20120823
    TrendMicro-HouseCall - 20120823
    VBA32 - 20120823
    VIPRE - 20120823
    ViRobot - 20120823
    VirusBuster - 20120823
    ssdeep

    384:QwTVsn/LdYM7iCTX3A1DFLw3Eol/7l5fbM:QwJ2/Ld3XTX3AHw3Eoll5f
    TrID

    Clipper DOS Executable (33.5%)
    Generic Win/DOS Executable (33.2%)
    DOS Executable Generic (33.2%)
    Portable Executable structural information

    Compilation timedatestamp.....: 2009-08-22 19:44:16
    Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
    Entry point address...........: 0x00002D33

    PE Sections...................:

    Name    Virtual Address  Virtual Size  Raw Size  Entropy  MD5
    .text   4096             13910         14336     6.28     68a21422d28a26520c02305c6880ffc9
    .data   20480            432           512       0.45     5dc8ac78fbac152a77acbf305f8e8c48
    .cdata  24576            572           1024      1.38     f6964bf41f3003f4957a17635791af68
    .reloc  28672            836           1024      5.86     b169a3c86a1c682ae421dec534babddf

    PE Imports....................:

    [[ADVAPI32.dll]]
    DuplicateTokenEx, RegOpenKeyA, RegCloseKey, StartServiceCtrlDispatcherA, OpenProcessToken, SetServiceStatus, CreateProcessAsUserA, RegQueryValueExA, RegDeleteValueA, RegEnumValueA, SetTokenInformation, RegisterServiceCtrlHandlerA

    [[KERNEL32.dll]]
    GetLastError, GetStdHandle, EnterCriticalSection, WriteProcessMemory, VirtualAllocEx, TerminateThread, lstrlenA, GetOverlappedResult, WaitForSingleObject, FreeLibrary, CopyFileA, ExitProcess, LoadLibraryA, RtlUnwind, ExitThread, CreateRemoteThread, DeleteCriticalSection, VirtualFreeEx, LocalAlloc, OpenProcess, ReadProcessMemory, GetModuleFileNameA, WaitForMultipleObjects, SetStdHandle, GetModuleHandleA, RaiseException, CreateThread, lstrcmpiA, SetFilePointer, ReadFile, lstrcatA, WriteFile, CloseHandle, ResetEvent, GetSystemDirectoryA, GetVersion, SetEvent, LocalFree, TerminateProcess, ResumeThread, CreateProcessA, GetExitCodeThread, InitializeCriticalSection, lstrcpyA, CreateEventA, Sleep, SetThreadPriority, CreateFileA, GetCurrentThreadId, GetProcAddress, GetCurrentProcessId, LeaveCriticalSection

    [[WSOCK32.dll]]
    Ord(115), Ord(116), Ord(10), Ord(11)

    [[USER32.dll]]
    wsprintfA, SetTimer, PeekMessageA, GetMessageA, DispatchMessageA, PostQuitMessage, PostMessageA, KillTimer, CreateWindowExA, TranslateMessage, DefWindowProcA, RegisterClassA, PostThreadMessageA

    [[USERENV.dll]]
    CreateEnvironmentBlock


    PE Exports....................:

    rpcnetp
    Symantec Reputation

    Suspicious.Insight
    First seen by VirusTotal

    2010-01-28 22:16:34 UTC ( 2 years, 6 months ago )
    Last seen by VirusTotal

    2012-08-23 17:04:45 UTC ( 4 minutes ago )
    File names (max. 25)

    1. rpcnetp.ex_
    2. rpcnetp (2).exe
    3. file-2994402_exe
    4. arab_desert.exe
    5. 9cd881ed1ca9347841e3ba32ec9020c8
    6. 9CD881ED1CA9347841E3BA32EC9020C8
    7. rpcnetp.exe
    8. rpcnetp.exe
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Looks as if it'll have to be ignored then in AVG. There is not near enough data to support an infected file. Just another one of AVG's stupid false positives. No surprise really. I'm used to seeing AVG false positives. Kind of like Norton in the olden days of antivirus software.
     
  12. Mitch Flander

    Mitch Flander TS Rookie Topic Starter Posts: 23

    Ok... so even though AVG has never reported this before (indicating to me it was NOT on my machine before), you're saying I can safely ignore this thing that's reported as a trojan? Again, rpcnetp.exe shows in services with no description whatever and as "automatic" for startup. I just disabled it. Heck, I don't know what to think or do at this point. Are you telling me it's harmless and I can put it on the exceptions list in AVG?
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Yes. Hopefully, AVG can get it right and remove the false positive from the database.

    Please report the false positive to the AVG team and see what they say: http://samplesubmit.avg.com/us-en/false-detection

    They normally resolve these issues quickly.
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
  15. Mitch Flander

    Mitch Flander TS Rookie Topic Starter Posts: 23

    DragonMaster,

    Didn't mean to let it go inactive, just haven't heard back from AVG. Also, the computer seems to be running fine of late, and for SOME reason the service "rpcnetp.exe" is NOT showing up anymore. Obviously AVG no longer reports it. How could it just disappear, since it was still present on every other reboot, even after your last action post to me? Very mysterious. Any ideas on that?

    Mitch
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    No clue. I'm sure the AVG team would know, though. :p

