
I'm sorry, I don't know where to post this



hello

Can you guys look at this file for me? Avira AntiVir PE Classic keeps finding it as TR/Inject.aed. I uploaded it to Malwarebytes but it won't help me find out if it's a F/P, and I installed MBAM on this PC and MBAM finds nothing. I sent it to Avira and they say:

File ID Filename Size (Byte) Result
3793551 KCMDNIns.exe 24 KB MALWARE

Please find a detailed report concerning each individual sample below:

Filename Result
KCMDNIns.exe MALWARE

The file 'KCMDNIns.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Inject.aed. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.00.03.35.

Please note: The detection of Spy/Adware is not available in the product "AntiVir PersonalEdition Classic". Please address specific questions to support@avira.com

I think it has something to do with Acer, from what I can tell when I googled it: in the HJT logs they have an Acer PC, and there is not much info about it on Google.

I scanned it at Jotti's, VirusTotal and virscan.org.

Jotti's found it with:

AntiVir Found TR/Inject.aed
VBA32 Found Trojan.Win32.Inject.aed

VirusTotal found:

AntiVir 7.6.0.75 2008.03.24 TR/Inject.aed
Ikarus T3.1.1.20 2008.03.24 Virus.Trojan.Win32.Inject.aed
VBA32 3.12.6.3 2008.03.21 Trojan.Win32.Inject.aed
Webwasher-Gateway 6.6.2 2008.03.24 Trojan.Inject.aed

VirScan found:

A-Squared 3.0.0.126 2008.03.23 2008-03-23 Trojan.Win32.Inject.aed
AntiVir 7.6.0.75 7.0.3.66 2008-03-24 TR/Inject.aed
Ikarus T3.1.01.20 2008.03.19.70473 2008-03-19 Virus.Trojan.Win32.Inject.aed
KingSoft 2007.6.20.249 2008.3.25 2008-03-25 Win32.Troj.Small.ap.24576
nProtect 2008-03-24.01 1247199 2008-03-24 Trojan/W32.Inject.24576.D
Prevx V2 20080325 2008-03-25 TROJAN.DOWNLOADER.GEN
VBA32 3.12.6.3 20080324.1134 2008-03-24 Trojan.Win32.Inject.aed

Additional information

File size: 24576 bytes
MD5: 4a51d7a6efa86cceb60d72680c57952b
SHA1: 79ddd8fabfb2d6fc3a85c0bb509eb8f4328e4d8d
PEiD: Armadillo v1.71

Here is the file.

password: help

thanks :)


Just a note, that file has been deemed a Trojan downloader and/or malware, but it seems it's the trojan variant to me. There are other variants of it and, if I recall, it was used to attack some bank sites, injecting code into the site and gathering people's info, etc. Also, this hits the restore typically, and purging the restore to get rid of it is usually the last step if it keeps cropping up. An antivirus software will keep detecting it if it's in the restore but cannot access it to rid the system of it. That's going off my memory though :)

Paul


... Also, this hits the restore typically, and purging the restore to get rid of it is usually the last step if it keeps cropping up. An antivirus software will keep detecting it if it's in the restore but cannot access it to rid the system of it. That's going off my memory though :)

Paul

That used to be quite common. I remember a time when emptying the system restore was always the first step in removing viruses. It's still a good practice when a computer is infected though, as there are still plenty of nasties that like to hide in there.


That used to be quite common. I remember a time when emptying the system restore was always the first step in removing viruses. It's still a good practice when a computer is infected though, as there are still plenty of nasties that like to hide in there.

Resetting System Restore is a last step. The restore points are saved so there is a place to go back to if something goes wrong in the fixes. Once the machine is deemed clean, then the restore points are cleared. Most HJT log volunteers agree an infected restore point is still better than none if the alternative is needing to reformat due to something going wrong in the fix. Just an FYI.


... infected restore point is still better than none if the alternative is needing to reformat due to something going wrong in the fix. Just an FYI.

Repair install? Admittedly it doesn't fix everything, but I would believe that it does re-create the registry and replace the system files...


hello

I understand about giving it around. I've given it to Sunbelt, SuperAntiSpyware, Avast, Emsi a-squared, MBAM, and I just gave it to CastleCops, and as you can see I've scanned it at Jotti's, VirusTotal and virscan.org, and I'm asking at Avira's forum, but so far they have not said much.

I also called Acer but they would not say yes or no because this PC is not under warranty, but she said if it was her she would not delete it.

I went through this before with a file called kill1211.exe that Prevx 2 was saying was bad, and found out it was from Acer:

http://www.castlecops.com/modules.php?name...ic&p=964199

So I'm still lost as to what to do with it.

thanks :)


I already mentioned that here as well...

Also, this hits the restore typically, and purging the restore to get rid of it is usually the last step if it keeps cropping up

What has failed to be mentioned here is people backing up their info on a regular basis; this is the number one prevention against data loss, and then infected restore points wouldn't be such an issue. Plus, and this is from hands-on experience for years, many infected restore points don't work or cripple the system upon rebooting, depending on the infection type.


I'll send you a PM with e-mail addresses. Send the sample to all of the addresses that you have not yet sent it to, and turn off your System Restore. Then run a full virus scan while Windows is booted in Safe Mode.

Just a mention: if you have made sure the PC is clean, you can back up all important information prior to doing this; it's a good safety precaution. :)

Paul


... Plus, and this is from hands-on experience for years, many infected restore points don't work or cripple the system upon rebooting, depending on the infection type.

Agreed. Using an infected restore point could make the problem worse. I've rarely found instances where a system restore was needed. If system files or the registry are damaged, a simple repair install typically fixes it (note that the entire registry doesn't normally get regenerated, and typically just the system entries are replaced).


hello

I understand about giving it around. I've given it to Sunbelt, SuperAntiSpyware, Avast, Emsi a-squared, MBAM, and I just gave it to CastleCops, and as you can see I've scanned it at Jotti's, VirusTotal and virscan.org, and I'm asking at Avira's forum, but so far they have not said much.

I also called Acer but they would not say yes or no because this PC is not under warranty, but she said if it was her she would not delete it.

I went through this before with a file called kill1211.exe that Prevx 2 was saying was bad, and found out it was from Acer:

http://www.castlecops.com/modules.php?name...ic&p=964199

So I'm still lost as to what to do with it.

thanks :)

Are you following your topic here http://www.montanamenagerie.org/forum/view...php?p=3893#3893 ?


hello

I gave it to CastleCops and they say Kaspersky says it's no malware, and Avira says:

File ID Filename Size (Byte) Result
3793551 KCMDNIns.exe 24 KB FALSE POSITIVE

Please find a detailed report concerning each individual sample below:

Filename Result
KCMDNIns.exe FALSE POSITIVE

The file 'KCMDNIns.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

So thank you everybody :)


Good to hear ;) That's good news and I hope others update this definition as well; if I recall, A2 and others, maybe Avast I think, detect this too. So many simply coined this a trojan or malware and we typically have to suck up this definition, so I'm glad CC found what it was for sure. I think the issue may be the inject.aed, which its "bad variants" like Win32.inject.aed were known to infect the folder with KCMDNIns.exe, or even call KCMDNIns.exe a keylogger, malware itself, but now I wonder just how accurate this was. :)

Cheers,

Paul


To clarify a bit: CastleCops is not a software vendor. They must have submitted to Kaspersky to get a report. You can save yourself a ton of time by submitting yourself here http://uploads.malwarebytes.org/. Bruce and his team [also associated with CastleCops] will determine if it's malware, and it helps MBAM at the same time.

The other option Lurkingatu2 is to give me the file and I will get it to a site with restricted membership, but all major vendors are there and get their information from there for a good share of the new defs.


The other option Lurkingatu2 is to give me the file and I will get it to a site with restricted membership, but all major vendors are there and get their information from there for a good share of the new defs.

It's been a while since I've been to that site. I normally just e-mail my samples to each vendor that I could find e-mail addresses for (I have a list of more than 20 addresses).


What site?

There is a forum where vendors and users post samples of viruses and other malware. I know that ESET, Kaspersky Labs, and Avira are just some of the vendors that take part in this community. I think Symantec, McAfee, ALWIL Software, Comodo, and a few others are also members. Only vendors are allowed to read topics (to prevent users from downloading samples).

I don't remember the address to the site, or the name (it's been too long, and I have e-mail addresses for almost every vendor), but it was rather interesting.


To clarify a bit: CastleCops is not a software vendor. They must have submitted to Kaspersky to get a report.

I think he did mention that in his first line, just to clarify the clarify lol :)

I gave it to CastleCops and they say Kaspersky says it's no malware, and Avira says

Cheers,

Paul


I'm talking about Malware Research. Membership is very restricted and most known vendors are there to collect files. I checked and you're not a member under this nym you use here.

malware-research.co.uk ?

Anyway, I was never a member of the community I mentioned. Like I said, it was just a place to post virus samples in order to easily submit them to multiple vendors. I also don't think it was "Malware Research" (assuming I got the correct site). I could be wrong, as it's been a long time since I stumbled upon that site, but the theme they are using on their forums isn't the same.


@GT500 yes, you have the correct site. I'm curious about what site you may have been a member of. There aren't that many that one can just post files at; search that memory :) .

@Paul my point is that using CC is basically a wasted step. They don't have anything going on that an individual can't take care of themselves, and probably in much less time. A file scan at Jotti's or VT will give faster, more accurate answers.


@GT500 yes, you have the correct site. I'm curious about what site you may have been a member of. There aren't that many that one can just post files at; search that memory :) .

I was never a member of the site. I just stumbled upon it once, and I only spent about 2 minutes there. It was a nice community, but they don't let non-vendors read any of the topics, so I got bored with it quickly. I was also on the hunt for e-mail addresses for the AV companies, so I didn't feel I needed the community.


I was never a member of the site. I just stumbled upon it once, and I only spent about 2 minutes there. It was a nice community, but they don't let non-vendors read any of the topics, so I got bored with it quickly. I was also on the hunt for e-mail addresses for the AV companies, so I didn't feel I needed the community.

Non-vendors outnumber the vendors by far. No one that is not a member can read the forum because of what is there; it can't get into the wrong hands. Membership is restricted, and for good reason. I misunderstood you, I guess. I thought you were a member of another forum that had direct ties to vendors.
