Topic: Kaspersky PMD.Invader problem


fungus

  • SCF Member
  • **
  • Posts: 13
  • KARMA: 2
Kaspersky PMD.Invader problem
« on: 17. March 2010., 23:33:06 »
Quote from: Samker

As far as I know, it is a Kaspersky behavioral detection from Proactive Defense (which simply means KIS does not know what application is causing the detection).


But Fungus, don't worry, we'll resolve this with some other tool. ;)

Please open a NEW topic in the SCF "PC Help Center": http://scforum.info/index.php?action=forum and provide us the following info ASAP:

1. All possible details related to your problems / infection.

2. Run BitDefender Online AntiVirus Scan: http://scforum.info/index.php/topic,734.0.html

3. Download & run HijackThis: http://scforum.info/index.php/topic,785.0.html

4. Provide us logs from HijackThis & BitDefender Online Scan


I'll wait for your reply (with logs).

Regards,

S.


Samker, as you recommended me to use the BitDefender online scan and HijackThis,

I show you the logs generated by BitDefender and HijackThis.


BitDefender Logs

Quote
BitDefender QuickScan Beta 32-bit v0.9.9.9
------------------------------------------

Scan date:  Thu Mar 18 03:23:21 2010
Machine ID: DC1E65AA



No infection found.
---------------------


Processes
---------
<unsigned>  AntiPoisoner.exe                          592    C:\cap\AntiPoisoner.exe

<verified>  DAEMON Tools Lite                         600    C:\Program Files\DAEMON Tools Lite\DTLite.exe
<verified>  Firefox                                  6084    C:\Program Files\Mozilla Firefox\firefox.exe
<verified>  GrooveMonitor Utility                     416    F:\Program\Microsoft Office\Office12\GrooveMonitor.exe
<verified>  Kaspersky Anti-Virus                     1232    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
<verified>  Kaspersky Anti-Virus                     4020    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
<verified>  Microsoft® Windows® Operating System     1576    C:\Windows\Explorer.EXE
<verified>  Microsoft® Windows® Operating System     1540    C:\Windows\system32\Dwm.exe
<verified>  Microsoft® Windows® Operating System     1636    C:\Windows\system32\taskhost.exe
<verified>  Microsoft® Windows® Operating System     6104    C:\Windows\system32\wuauclt.exe
<verified>  Realtek HD Audio Manager                  340    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
<verified>  Vypress Chat                             2396    F:\Program\Vypress\VyChat.exe
<verified>  Windows Live Messenger                   1720    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
<verified>  µTorrent                                 1444    C:\Program Files\uTorrent\uTorrent.exe


Network activity
----------------
Process uTorrent.exe (1444) connected on port 2491 - 85.216.219.178
Process uTorrent.exe (1444) connected on port 2984 - 41.196.139.234
Process uTorrent.exe (1444) connected on port 10741 - 94.98.100.174
Process uTorrent.exe (1444) connected on port 16226 - 41.238.36.163
Process uTorrent.exe (1444) connected on port 38978 - 70.25.36.141
Process uTorrent.exe (1444) connected on port 53249 - 119.153.178.148
Process uTorrent.exe (1444) connected on port 55214 - 196.210.33.193
Process uTorrent.exe (1444) connected on port 64712 - 60.48.61.45
Process uTorrent.exe (1444) connected on port 65241 - 116.71.170.163
Process uTorrent.exe (1444) connected on port 3921 - 41.230.1.253
Process uTorrent.exe (1444) connected on port 49823 - 41.251.117.115
Process uTorrent.exe (1444) connected on port 33328 - 84.52.141.66
Process uTorrent.exe (1444) connected on port 29344 - 188.51.92.14
Process uTorrent.exe (1444) connected on port 58333 - 92.96.38.168
Process uTorrent.exe (1444) connected on port 40687 - 81.192.211.175
Process uTorrent.exe (1444) connected on port 62862 - 123.2.151.132
Process uTorrent.exe (1444) connected on port 59835 - 94.141.194.230
Process uTorrent.exe (1444) connected on port 10748 - 117.102.43.126
Process uTorrent.exe (1444) connected on port 33482 - 213.91.243.23
Process uTorrent.exe (1444) connected on port 2450 - 119.155.5.104
Process uTorrent.exe (1444) connected on port 29405 - 94.99.80.214
Process uTorrent.exe (1444) connected on port 34363 - 178.41.4.3
Process uTorrent.exe (1444) connected on port 3413 - 91.144.12.11
Process uTorrent.exe (1444) connected on port 56612 - 81.111.165.76
Process uTorrent.exe (1444) connected on port 52380 - 95.155.64.217
Process uTorrent.exe (1444) connected on port 46410 - 78.98.236.86
Process uTorrent.exe (1444) connected on port 32037 - 78.144.207.151
Process uTorrent.exe (1444) connected on port 46806 - 80.227.206.95
Process uTorrent.exe (1444) connected on port 22956 - 115.133.216.155
Process uTorrent.exe (1444) connected on port 61771 - 118.42.98.155

Process uTorrent.exe (1444) listens on ports: 45157
Process VyChat.exe (2396) listens on ports: 8167


Autoruns and critical files
---------------------------
<verified>  Adobe Acrobat                            F:\Program\Adobe Reader\Reader\Reader_sl.exe
<verified>  Adobe Reader and Acrobat Manager         C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
<verified>  DAEMON Tools Lite                        C:\Program Files\DAEMON Tools Lite\DTLite.exe
<verified>  GrooveMonitor Utility                    F:\Program\Microsoft Office\Office12\GrooveMonitor.exe
<verified>  GrooveShellExtensions Module             F:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
<verified>  Kaspersky Anti-Virus                     C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
<verified>  Kaspersky Anti-Virus                     c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\mzvkbd3.dll
<verified>  Kaspersky Anti-Virus                     C:\Windows\system32\klogon.dll
<verified>  Microsoft® Windows® Operating System     c:\windows\system32\userinit.exe
<verified>  Realtek HD Audio Manager                 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
<verified>  Windows Live Messenger                   C:\Program Files\Windows Live\Messenger\msnmsgr.exe
<verified>  µTorrent                                 C:\Program Files\uTorrent\uTorrent.exe


Browser plugins
---------------
<verified>  2007 Microsoft Office system             C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
<verified>  AcroIEHelperShim Library                 c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
<verified>  Adobe Acrobat                            C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
<verified>  BitDefender QuickScan                    C:\Users\fungus\AppData\Roaming\Mozilla\Firefox\Profiles/5x7imrtd.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
<verified>  BitDefender QuickScan                    C:\Users\fungus\AppData\Roaming\Mozilla\Firefox\Profiles/5x7imrtd.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
<verified>  Bonjour                                  C:\Program Files\Bonjour\mdnsNSP.dll
<verified>  DivX Player Netscape Plugin              C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll
<verified>  DivX Player Netscape Plugin              C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
<verified>  DivX Web Player                          C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
<verified>  GrooveShellExtensions Module             F:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
<verified>  Kaspersky Anti-Virus                     c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
<verified>  Kaspersky Anti-Virus                     c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
<verified>  Microsoft® Windows Live Login Helper     c:\program files\common files\microsoft shared\windows live\windowslivelogin.dll
<verified>  Microsoft® Windows® Operating System     C:\Windows\System32\mswsock.dll
<verified>  Microsoft® Windows® Operating System     C:\Windows\System32\NapiNSP.dll
<verified>  Microsoft® Windows® Operating System     C:\Windows\System32\nlaapi.dll
<verified>  Microsoft® Windows® Operating System     C:\Windows\System32\pnrpnsp.dll
<verified>  Microsoft® Windows® Operating System     C:\Windows\System32\winrnr.dll
<verified>  Mozilla Default Plug-in                  C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified>  NPSWF32.dll                              C:\Windows\System32\Macromed\Flash\NPSWF32.dll
<verified>  Silverlight Plug-In                      C:\Program Files\Microsoft Silverlight\3.0.40624.0\npctrl.dll
<verified>  Windows® Internet Explorer               C:\Windows\System32\ieframe.dll


Missing files
-------------
File not found: c:\windows\system32\dreamscene.dll
 referenced in: HKCR\CLSID\{E31004D1-A431-41B8-826F-E902F9D95C81}\InprocServer32\(default)


Scan
----
<unsigned>  MD5: 72a911916a542299b0352f18b98c0348  C:\cap\AntiPoisoner.exe
<unsigned>  MD5: fcc244da361936e8186a2cf24df7d7e7  C:\Program Files\DAEMON Tools Lite\mfc80u.dll
<unsigned>  MD5: 462e2f4886a0b389d4fda12a15f8219a  C:\Program Files\Mozilla Firefox\freebl3.dll
<unsigned>  MD5: 52d4d6ec27a57313ab9f90e242c3cfa4  C:\Program Files\Mozilla Firefox\nssdbm3.dll
<unsigned>  MD5: a87b04299a14747bbcbe8cb4147612c2  C:\Program Files\Mozilla Firefox\softokn3.dll


No file uploaded.

Scan finished - communication took 5 sec
Total traffic - 0.00 MB sent, 0.12 KB recvd
Scanned 761 files and modules - 17 seconds


HijackThis Logs.

Quote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:06 AM, on 17/03/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
F:\Program\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\cap\AntiPoisoner.exe
F:\Program\Vypress\VyChat.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [GrooveMonitor] "F:\Program\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: AntiPoisoner.lnk = C:\cap\AntiPoisoner.exe
O4 - Global Startup: Vypress Chat StartUp.lnk = ?
O8 - Extra context menu item: &Download with &DAP - F:\Program\DAP Premium\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program\DAP Premium\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Program\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\Program\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\Program\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\Program\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\Program\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll (file missing)
O23 - Service: Apache2.2 - Apache Software Foundation - F:\xampp\apache\bin\apache.exe
O23 - Service: Nalpeiron Licensing Service (ASTSRV) - Nalpeiron Ltd. - C:\Windows\system32\ASTSRV.EXE
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 6030 bytes


When my PC was being scanned by HijackThis, an error came up,
and this is the error image.

I hope someone has a solution for this problem.

Samker's Computer Forum - SCforum.info

madchip

  • SCF Member
  • **
  • Posts: 35
  • KARMA: 7
Re: Kaspersky PMD.Invader problem
« Reply #1 on: 18. March 2010., 19:59:35 »
Hello, I see you have this one:

<unsigned>  MD5: 72a911916a542299b0352f18b98c0348  C:\cap\AntiPoisoner.exe

Look at this site for what this file means:

http://www.prevx.com/filenames/X695781619483048544-X1/ANTIPOISONER.EXE.html

It's an infection.

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Kaspersky PMD.Invader problem (AntiPoisoner.exe)
« Reply #2 on: 18. March 2010., 20:58:59 »
Yes, I agree with MC; the only suspect file at first look is "AntiPoisoner.exe".

Fungus, now please open HJT again, check and fix these items:

Quote
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll (file missing)


After that, download, install, update and run a full scan with SUPERAntiSpyware: http://scforum.info/index.php/topic,116.0.html and Malwarebytes: http://scforum.info/index.php/topic,2201.0.html

Finally, please run another online AV scan with McAfee and provide us the result (is your PC clean?): http://scforum.info/index.php/topic,734.0.html

If you experience a problem with "PMD.Invader" after scanning with the anti-spyware programs, provide us a new screenshot of that Kaspersky pop-up.


Regards,

S.
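The triage that madchip and Samker did by eye above can be scripted: the one unsigned running process in the BitDefender QuickScan log, C:\cap\AntiPoisoner.exe, is also a "Global Startup" autorun in the HijackThis log and runs from a directory outside Program Files, while the two HijackThis items Samker asks to fix are orphaned entries whose file is "(no file)" / "(file missing)". The Python below is an added example written for this thread, not code from BitDefender, Trend Micro HijackThis or Kaspersky. The sample log lines are excerpts copied from the logs posted above; the scoring weights, the threshold and the list of "standard" program directories are my own assumptions for illustration, and the script says nothing about whether the file is actually malicious.

```python
"""Offline triage of a BitDefender QuickScan log plus a HijackThis log.

Added example for this thread (not BitDefender, HijackThis or Kaspersky
code). The scoring rule is an assumed heuristic: an unsigned binary that
is also an autorun and lives outside the usual program directories is
worth a closer look; an unsigned file alone is not (Firefox's NSS DLLs
are unsigned in the same log).
"""
import re
from collections import defaultdict

# Constructed sample: excerpts of the "Processes" and "Scan" sections
# of the BitDefender QuickScan log posted in this thread.
QUICKSCAN_LOG = r"""
Processes
---------
<unsigned>  AntiPoisoner.exe                          592    C:\cap\AntiPoisoner.exe
<verified>  DAEMON Tools Lite                         600    C:\Program Files\DAEMON Tools Lite\DTLite.exe
<verified>  Firefox                                  6084    C:\Program Files\Mozilla Firefox\firefox.exe
<verified>  Kaspersky Anti-Virus                     1232    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
<verified>  Vypress Chat                             2396    F:\Program\Vypress\VyChat.exe

Scan
----
<unsigned>  MD5: 72a911916a542299b0352f18b98c0348  C:\cap\AntiPoisoner.exe
<unsigned>  MD5: fcc244da361936e8186a2cf24df7d7e7  C:\Program Files\DAEMON Tools Lite\mfc80u.dll
<unsigned>  MD5: 462e2f4886a0b389d4fda12a15f8219a  C:\Program Files\Mozilla Firefox\freebl3.dll
"""

# Constructed sample: excerpts of the HijackThis log posted in this thread.
HJT_LOG = r"""
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - Global Startup: AntiPoisoner.lnk = C:\cap\AntiPoisoner.exe
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll (file missing)
"""

SECTION_HEADERS = {"Processes", "Network activity", "Autoruns and critical files",
                   "Browser plugins", "Missing files", "Scan"}
# "<unsigned>  <name>  <pid>  <path>"  and  "<unsigned>  MD5: <hash>  <path>"
PROC_RE = re.compile(r"^<(unsigned|verified)>\s+.+?\s+\d+\s+(\S.*?)\s*$")
HASH_RE = re.compile(r"^<(unsigned|verified)>\s+MD5:\s+[0-9a-fA-F]{32}\s+(\S.*?)\s*$")
# A quoted Windows path, or an unquoted one ending in a program extension.
WIN_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.+?\.(?:exe|dll|lnk|scr|bat|cmd))\b',
                         re.IGNORECASE)
# Assumed "normal" roots; anything else counts as a non-standard directory.
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WEIGHTS = {"unsigned": 2, "autorun": 1, "nonstandard_dir": 1}   # assumed weights
THRESHOLD = 3                                                     # assumed cut-off


def parse_quickscan(text):
    """Map lower-cased path -> set of tags from the Processes and Scan sections."""
    tags = defaultdict(set)
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTION_HEADERS:
            section = stripped
            continue
        m = PROC_RE.match(stripped) if section == "Processes" else (
            HASH_RE.match(stripped) if section == "Scan" else None)
        if m:
            path = m.group(2).lower()
            tags[path].add("running" if section == "Processes" else "hashed")
            if m.group(1) == "unsigned":
                tags[path].add("unsigned")
    return tags


def parse_hjt(text):
    """Return (set of autorun paths from O4 lines, list of orphaned entries)."""
    autoruns, orphaned = set(), []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("(no file)") or line.endswith("(file missing)"):
            orphaned.append(line)          # registry entry whose target is gone
        elif line.startswith("O4 - "):
            m = WIN_PATH_RE.search(line)
            if m:
                autoruns.add((m.group(1) or m.group(2)).lower())
    return autoruns, orphaned


def in_standard_dir(path):
    return any(path.startswith(root) for root in STANDARD_ROOTS)


def triage(quickscan_text, hjt_text, threshold=THRESHOLD):
    """Score every path seen in either log; return suspects and orphaned entries."""
    tags = parse_quickscan(quickscan_text)
    autoruns, orphaned = parse_hjt(hjt_text)
    for path in autoruns:
        tags[path].add("autorun")
    for path, t in tags.items():
        if not in_standard_dir(path):
            t.add("nonstandard_dir")
    suspicious = [(path, sum(WEIGHTS.get(tag, 0) for tag in t), sorted(t))
                  for path, t in sorted(tags.items())
                  if sum(WEIGHTS.get(tag, 0) for tag in t) >= threshold]
    return {"suspicious": suspicious, "orphaned": orphaned}


if __name__ == "__main__":
    result = triage(QUICKSCAN_LOG, HJT_LOG)
    for path, score, reasons in result["suspicious"]:
        print(f"SUSPECT score={score} {path}  [{', '.join(reasons)}]")
    for entry in result["orphaned"]:
        print("ORPHANED (fixable in HJT):", entry)
```

On the sample above only C:\cap\AntiPoisoner.exe crosses the threshold (unsigned, autorun, non-standard directory), and the two orphaned entries are exactly the O2 and O22 lines Samker lists. Signature status alone is deliberately not enough to flag a file, which is why the unsigned mfc80u.dll and freebl3.dll score below the cut-off; and since Proactive Defense is a behavioral detection, a high score here only says which file to examine next, not that it is malware.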







fungus

  • SCF Member
  • **
  • Posts: 13
  • KARMA: 2
Re: Kaspersky PMD.Invader problem
« Reply #3 on: 25. March 2010., 00:06:29 »
I have a problem: if I remove AntiPoisoner.exe my Internet will not work,
and it was provided by the Internet service provider.

What should I do?

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Kaspersky PMD.Invader problem
« Reply #4 on: 25. March 2010., 08:49:42 »
Quote from: fungus
I have a problem: if I remove AntiPoisoner.exe my Internet will not work,
and it was provided by the Internet service provider.

What should I do?


Don't worry F., I wasn't suggesting that you remove that process.

Please follow my instructions (above) and provide us the results... ;)

Regards,

S.

 
