Help - Search - Members
Full Version: Invader software
Kaspersky Lab Forum > English User Forum > Virus-related issues
novice
I recently started using Kaspersky 6.0 to get rid of my unwanted viruses. And while I 've scanned my entire computer, I persistently find several viruses each time I reboot (trojan.win32.bho.q, not-a-virus:adware.win32.virtumonde.hb, and others). I have followed the instructions to scan in the safe mode and now the proactive defense has detected and blocked over 4000 events of an invader and is still going after two hours. Should I continue this process or do I need to proceed to a rescue disk to perform the scan?

detected: riskware Invader Running process: C:\WINNT\system32\winlogon.exe


C:\WINNT\system32\winlogon.exe Process C:\WINNT\system32\winlogon.exe (PID: 868) is attempting to invade process C:\WINNT\explorer.exe (PID: 3092). This behaviour is typical of some malware.
C:\WINNT\system32\winlogon.exe Attempt to terminate process
C:\WINNT\explorer.exe Attempt to terminate process: successfully

Thanks.
Lucian Bara
hello
invaders aren't always bad.
can you psot a hijackthis log?
http://www.merijn.org/files/HiJackThis_v2.exe
novice
I hope this is want you wanted.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:40:24 AM, on 3/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINNT\System32\psc_mon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINNT\explorer.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\lxbscoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nytimes.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5164318A-CD3A-45F6-2619-0629467CCB16} - C:\WINNT\System32\aiznmfh.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {F11B077A-12B1-4554-B043-4777769074CB} - C:\WINNT\System32\geedd.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [Personal Security Center Monitor] C:\WINNT\System32\psc_mon.exe
O4 - HKCU\..\Run: [msnmsgr] "c:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Policies\Explorer\Run: [{8882AD7B-0BF2-1033-0926-030416200001}] "C:\Program Files\Common Files\{8882AD7B-0BF2-1033-0926-030416200001}\Update.exe" mc-110-12-0000501
O4 - HKUS\S-1-5-19\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.6.8\webbuying.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.6.8\webbuying.exe (User 'NETWORK SERVICE')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = ?
O4 - Global Startup: UCLA Cisco VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O20 - Winlogon Notify: geedd - C:\WINNT\System32\geedd.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINNT\System32\lxbscoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 6751 bytes
Lucian Bara
please send the follwoing files for analasys:

C:\WINNT\System32\psc_mon.exe
C:\WINNT\System32\geedd.dll

http://forum.kaspersky.com/index.php?showtopic=13881

afterwards try to rename them to .old (psc_mon.old & geedd.old), use unlocker if you are unsuccessfull: http://ccollomb.free.fr/unlocker/

delete the folder C:\Program Files\Web Buying

then open hijackthis again, choose do a scan only and check the following items:

O2 - BHO: (no name) - {5164318A-CD3A-45F6-2619-0629467CCB16} - C:\WINNT\System32\aiznmfh.dll (file missing)
02 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Personal Security Center Monitor] C:\WINNT\System32\psc_mon.exe
O4 - HKUS\S-1-5-19\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.6.8\webbuying.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.6.8\webbuying.exe (User 'NETWORK SERVICE')
O20 - Winlogon Notify: geedd - C:\WINNT\System32\geedd.dll


close all the windows except the hjt window and press fix checked

afterwards download superantispyware http://www.superantispyware.com/ install & update it and perform a scan with it in safe mode & clean what it finds.

then post a fresh log.
novice
I tried accessing the two files
C:\WINNT\System32\psc_mon.exe
C:\WINNT\System32\geedd.dll


However, when I ran the Kaspersky Online Scanner, it did not detect either of these two files and the quarantine section of Kaspersky 6 didn't have any files either. Should I go ahead with the next step and delete the folder C:\Program Files\Web Buying?
dah145
QUOTE(novice @ 25.03.2007 10:56)
I tried accessing the two files
C:\WINNT\System32\psc_mon.exe
C:\WINNT\System32\geedd.dll
However, when I ran the Kaspersky Online Scanner, it did not detect either of these two files and the quarantine section of Kaspersky 6 didn't have any files either. Should I go ahead with the next step and delete the folder C:\Program Files\Web Buying?
*


Send those files to newvirus@kaspersky.com , preferably in a password protected ZIP or RAR file, write a short description and of course put the archive password.
Maratka
QUOTE(dah145 @ 25.03.2007 04:01)
Send those files to newvirus@kaspersky.com , preferably in a password protected ZIP or RAR file, write a short description and of course put the archive password.
*


Please note:
The best type of archive to send a virus to KL is ZIP
The best password - is "infected"

Thanks!
novice
I could not find these two files.

C:\WINNT\System32\geedd.dll
C:\Program Files\Web Buying

However, I used the Super Antivirus and my subsequent HijackThis log is as follows:

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nytimes.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {86505DCE-177F-4FBD-AAF2-E8A885AAAE53} - C:\WINNT\System32\geedd.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [msnmsgr] "c:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Policies\Explorer\Run: [{8882AD7B-0BF2-1033-0926-030416200001}] "C:\Program Files\Common Files\{8882AD7B-0BF2-1033-0926-030416200001}\Update.exe" mc-110-12-0000501
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = ?
O4 - Global Startup: UCLA Cisco VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINNT\System32\lxbscoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

Thanks.
Lucian Bara
in hijackthis fix these one's too:
O2 - BHO: (no name) - {86505DCE-177F-4FBD-AAF2-E8A885AAAE53} - C:\WINNT\System32\geedd.dll (file missing)
O4 - HKCU\..\Policies\Explorer\Run: [{8882AD7B-0BF2-1033-0926-030416200001}] "C:\Program Files\Common Files\{8882AD7B-0BF2-1033-0926-030416200001}\Update.exe" mc-110-12-0000501

i guess i missed them.

also try a scan with f-secure blacklight: http://www.f-secure.com/blacklight/ if you still have problems.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2014 Invision Power Services, Inc.