Topic: Kaspersky PMD.Invader problem

[fungus]

As I know, it is a Kas. behavioral detection from Proactive Defense (simply means KIS does not know what application is causing the detection).


But Fungus don't worry, We'll resolve this with some other tool.

Please, Open NEW Topic in SCF "PC Help Center": http://scforum.info/index.php?action=forum and provide us next info. ASAP:

1. All possible details related to yours problems / infection.

2. Run BitDefender Online AntiVirus Scan: http://scforum.info/index.php/topic,734.0.html

3. Download & run HijackThis: http://scforum.info/index.php/topic,785.0.html

4. Provide us logs from HijackThis & BitDefender Online Scan


I'll wait your reply (with logs).

Regards,

S.

Samker as you recommended me to use Bitdefender online scan and HijackThis.

I show you logs generated by Bitdefender and HighjackThis.


BitDefender Logs

BitDefender QuickScan Beta 32-bit v0.9.9.9
------------------------------------------

Scan date:  Thu Mar 18 03:23:21 2010
Machine ID: DC1E65AA



No infection found.
---------------------


Processes
---------
<unsigned>  AntiPoisoner.exe                          592    C:\cap\AntiPoisoner.exe

<verified>  DAEMON Tools Lite                         600    C:\Program Files\DAEMON Tools Lite\DTLite.exe
<verified>  Firefox                                  6084    C:\Program Files\Mozilla Firefox\firefox.exe
<verified>  GrooveMonitor Utility                     416    F:\Program\Microsoft Office\Office12\GrooveMonitor.exe
<verified>  Kaspersky Anti-Virus                     1232    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
<verified>  Kaspersky Anti-Virus                     4020    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
<verified>  Microsoft® Windows® Operating System     1576    C:\Windows\Explorer.EXE
<verified>  Microsoft® Windows® Operating System     1540    C:\Windows\system32\Dwm.exe
<verified>  Microsoft® Windows® Operating System     1636    C:\Windows\system32\taskhost.exe
<verified>  Microsoft® Windows® Operating System     6104    C:\Windows\system32\wuauclt.exe
<verified>  Realtek HD Audio Manager                  340    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
<verified>  Vypress Chat                             2396    F:\Program\Vypress\VyChat.exe
<verified>  Windows Live Messenger                   1720    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
<verified>  µTorrent                                 1444    C:\Program Files\uTorrent\uTorrent.exe


Network activity
----------------
Process uTorrent.exe (1444) connected on port 2491 - 85.216.219.178
Process uTorrent.exe (1444) connected on port 2984 - 41.196.139.234
Process uTorrent.exe (1444) connected on port 10741 - 94.98.100.174
Process uTorrent.exe (1444) connected on port 16226 - 41.238.36.163
Process uTorrent.exe (1444) connected on port 38978 - 70.25.36.141
Process uTorrent.exe (1444) connected on port 53249 - 119.153.178.148
Process uTorrent.exe (1444) connected on port 55214 - 196.210.33.193
Process uTorrent.exe (1444) connected on port 64712 - 60.48.61.45
Process uTorrent.exe (1444) connected on port 65241 - 116.71.170.163
Process uTorrent.exe (1444) connected on port 3921 - 41.230.1.253
Process uTorrent.exe (1444) connected on port 49823 - 41.251.117.115
Process uTorrent.exe (1444) connected on port 33328 - 84.52.141.66
Process uTorrent.exe (1444) connected on port 29344 - 188.51.92.14
Process uTorrent.exe (1444) connected on port 58333 - 92.96.38.168
Process uTorrent.exe (1444) connected on port 40687 - 81.192.211.175
Process uTorrent.exe (1444) connected on port 62862 - 123.2.151.132
Process uTorrent.exe (1444) connected on port 59835 - 94.141.194.230
Process uTorrent.exe (1444) connected on port 10748 - 117.102.43.126
Process uTorrent.exe (1444) connected on port 33482 - 213.91.243.23
Process uTorrent.exe (1444) connected on port 2450 - 119.155.5.104
Process uTorrent.exe (1444) connected on port 29405 - 94.99.80.214
Process uTorrent.exe (1444) connected on port 34363 - 178.41.4.3
Process uTorrent.exe (1444) connected on port 3413 - 91.144.12.11
Process uTorrent.exe (1444) connected on port 56612 - 81.111.165.76
Process uTorrent.exe (1444) connected on port 52380 - 95.155.64.217
Process uTorrent.exe (1444) connected on port 46410 - 78.98.236.86
Process uTorrent.exe (1444) connected on port 32037 - 78.144.207.151
Process uTorrent.exe (1444) connected on port 46806 - 80.227.206.95
Process uTorrent.exe (1444) connected on port 22956 - 115.133.216.155
Process uTorrent.exe (1444) connected on port 61771 - 118.42.98.155

Process uTorrent.exe (1444) listens on ports: 45157
Process VyChat.exe (2396) listens on ports: 8167


Autoruns and critical files
---------------------------
<verified>  Adobe Acrobat                            F:\Program\Adobe Reader\Reader\Reader_sl.exe
<verified>  Adobe Reader and Acrobat Manager         C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
<verified>  DAEMON Tools Lite                        C:\Program Files\DAEMON Tools Lite\DTLite.exe
<verified>  GrooveMonitor Utility                    F:\Program\Microsoft Office\Office12\GrooveMonitor.exe
<verified>  GrooveShellExtensions Module             F:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
<verified>  Kaspersky Anti-Virus                     C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
<verified>  Kaspersky Anti-Virus                     c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\mzvkbd3.dll
<verified>  Kaspersky Anti-Virus                     C:\Windows\system32\klogon.dll
<verified>  Microsoft® Windows® Operating System     c:\windows\system32\userinit.exe
<verified>  Realtek HD Audio Manager                 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
<verified>  Windows Live Messenger                   C:\Program Files\Windows Live\Messenger\msnmsgr.exe
<verified>  µTorrent                                 C:\Program Files\uTorrent\uTorrent.exe


Browser plugins
---------------
<verified>  2007 Microsoft Office system             C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
<verified>  AcroIEHelperShim Library                 c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
<verified>  Adobe Acrobat                            C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
<verified>  BitDefender QuickScan                    C:\Users\fungus\AppData\Roaming\Mozilla\Firefox\Profiles/5x7imrtd.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
<verified>  BitDefender QuickScan                    C:\Users\fungus\AppData\Roaming\Mozilla\Firefox\Profiles/5x7imrtd.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
<verified>  Bonjour                                  C:\Program Files\Bonjour\mdnsNSP.dll
<verified>  DivX Player Netscape Plugin              C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll
<verified>  DivX Player Netscape Plugin              C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
<verified>  DivX Web Player                          C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
<verified>  GrooveShellExtensions Module             F:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
<verified>  Kaspersky Anti-Virus                     c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
<verified>  Kaspersky Anti-Virus                     c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
<verified>  Microsoft® Windows Live Login Helper     c:\program files\common files\microsoft shared\windows live\windowslivelogin.dll
<verified>  Microsoft® Windows® Operating System     C:\Windows\System32\mswsock.dll
<verified>  Microsoft® Windows® Operating System     C:\Windows\System32\NapiNSP.dll
<verified>  Microsoft® Windows® Operating System     C:\Windows\System32\nlaapi.dll
<verified>  Microsoft® Windows® Operating System     C:\Windows\System32\pnrpnsp.dll
<verified>  Microsoft® Windows® Operating System     C:\Windows\System32\winrnr.dll
<verified>  Mozilla Default Plug-in                  C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified>  NPSWF32.dll                              C:\Windows\System32\Macromed\Flash\NPSWF32.dll
<verified>  Silverlight Plug-In                      C:\Program Files\Microsoft Silverlight\3.0.40624.0\npctrl.dll
<verified>  Windows® Internet Explorer               C:\Windows\System32\ieframe.dll


Missing files
-------------
File not found: c:\windows\system32\dreamscene.dll
 referenced in: HKCR\CLSID\{E31004D1-A431-41B8-826F-E902F9D95C81}\InprocServer32\(default)


Scan
----
<unsigned>  MD5: 72a911916a542299b0352f18b98c0348  C:\cap\AntiPoisoner.exe
<unsigned>  MD5: fcc244da361936e8186a2cf24df7d7e7  C:\Program Files\DAEMON Tools Lite\mfc80u.dll
<unsigned>  MD5: 462e2f4886a0b389d4fda12a15f8219a  C:\Program Files\Mozilla Firefox\freebl3.dll
<unsigned>  MD5: 52d4d6ec27a57313ab9f90e242c3cfa4  C:\Program Files\Mozilla Firefox\nssdbm3.dll
<unsigned>  MD5: a87b04299a14747bbcbe8cb4147612c2  C:\Program Files\Mozilla Firefox\softokn3.dll


No file uploaded.

Scan finished - communication took 5 sec
Total traffic - 0.00 MB sent, 0.12 KB recvd
Scanned 761 files and modules - 17 seconds

HijackThis Logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:06 AM, on 17/03/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
F:\Program\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\cap\AntiPoisoner.exe
F:\Program\Vypress\VyChat.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [GrooveMonitor] "F:\Program\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: AntiPoisoner.lnk = C:\cap\AntiPoisoner.exe
O4 - Global Startup: Vypress Chat StartUp.lnk = ?
O8 - Extra context menu item: &Download with &DAP - F:\Program\DAP Premium\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program\DAP Premium\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Program\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\Program\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\Program\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\Program\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\Program\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll (file missing)
O23 - Service: Apache2.2 - Apache Software Foundation - F:\xampp\apache\bin\apache.exe
O23 - Service: Nalpeiron Licensing Service (ASTSRV) - Nalpeiron Ltd. - C:\Windows\system32\ASTSRV.EXE
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 6030 bytes

When my pc was being scanned by HijackThis. an error comes up.
and this the error image.




I hope someone has a solution for this problem.

[madchip]

hello, i see you have this one:

<unsigned>  MD5: 72a911916a542299b0352f18b98c0348  C:\cap\AntiPoisoner.exe

look at this site what mean this file




http://www.prevx.com/filenames/X695781619483048544-X1/ANTIPOISONER.EXE.html

it's a infection

[Samker]

Yes I agree with MC, only suspect file at first look is "AntiPoisoner.exe".

Fungus now please open again HJT, check and fix this items:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll (file missing)

After that download, install, update and Run Full scan with SUPERAntiSpyware: http://scforum.info/index.php/topic,116.0.html and Malwarebytes: http://scforum.info/index.php/topic,2201.0.html

Finally, please make another Online AV Scan with McAfee and provide us result (is your PC clean??): http://scforum.info/index.php/topic,734.0.html

If you experience problem with "PMD.Invader" after scanning with AntiSpyware programs, provide us New screenshoot of that Kaspersky pop-up.


Regards,

S.

[fungus]

I hv a problem if I remove AntiPoisoner.exe my Internet will not work.
and it was provided by internet service provider.

what should I do ?

[Samker]

I hv a problem if I remove AntiPoisoner.exe my Internet will not work.
and it was provided by internet service provider.

what should I do ?

Don't worry F., I wasn't suggest you to remove that process.

Please follow my instruction (above) and provide us results...

Regards,

S.