> I'm sorry, I don't know where to post this
lurkingatu2
post Mar 24 2008, 08:47 PM
Post #1

hello

can you guys look at this file for me? Avira AntiVir PE Classic keeps finding it
as TR/Inject.aed. I uploaded it to Malwarebytes but it won't help me find out if
it's a f/p, and I installed MBAM on this PC and MBAM finds nothing.

I sent it to Avira and they say

File ID Filename Size (Byte) Result
3793551 KCMDNIns.exe 24 KB MALWARE


Please find a detailed report concerning each individual sample below:

Filename Result
KCMDNIns.exe MALWARE

The file 'KCMDNIns.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Inject.aed. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.00.03.35.

Please note: The detection of Spy/Adware is not available in the product "AntiVir PersonalEdition Classic". Please address specific questions to support@avira.com

I think it has something to do with Acer; when I googled it, from what I can tell,
in the HJT logs they have an Acer PC, and there is not much info about it on Google.

I scanned it at Jotti's and VirusTotal and virscan.org.

Jotti's found it with
AntiVir Found TR/Inject.aed
VBA32 Found Trojan.Win32.Inject.aed

virustotal found
AntiVir 7.6.0.75 2008.03.24 TR/Inject.aed
Ikarus T3.1.1.20 2008.03.24 Virus.Trojan.Win32.Inject.aed
VBA32 3.12.6.3 2008.03.21 Trojan.Win32.Inject.aed
Webwasher-Gateway 6.6.2 2008.03.24 Trojan.Inject.aed

virscan found
A-Squared 3.0.0.126 2008.03.23 2008-03-23 Trojan.Win32.Inject.aed
AntiVir 7.6.0.75 7.0.3.66 2008-03-24 TR/Inject.aed
Ikarus T3.1.01.20 2008.03.19.70473 2008-03-19 Virus.Trojan.Win32.Inject.aed
KingSoft 2007.6.20.249 2008.3.25 2008-03-25 Win32.Troj.Small.ap.24576
nProtect 2008-03-24.01 1247199 2008-03-24 Trojan/W32.Inject.24576.D
Prevx V2 20080325 2008-03-25 TROJAN.DOWNLOADER.GEN
VBA32 3.12.6.3 20080324.1134 2008-03-24 Trojan.Win32.Inject.aed

Additional information
File size: 24576 bytes
MD5: 4a51d7a6efa86cceb60d72680c57952b
SHA1: 79ddd8fabfb2d6fc3a85c0bb509eb8f4328e4d8d
PEiD: Armadillo v1.71

here is the file
password:help

thanks :)


--------------------
AMD 3500+
2gb memory
Win Xp Pro MCE sp3
Avira Pe v9
Malwarebytes
Superantispyware pro
Sandboxie

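As an added example (not code from the forum, from Malwarebytes, or from any scanner vendor), the script below folds scan-result lines like the VirusTotal and virscan output in the post into a summary of which engines flagged the file and whether they agree on one family, and computes the MD5/SHA1 that tie reports from different services to the same bytes. The GENERIC token list and the sample lines are assumptions constructed for the example.

```python
"""Added example, not from the thread: fold multi-engine scan lines like the
VirusTotal/virscan output above into one consensus summary."""
import hashlib
import re

# Tokens naming a threat class rather than a family; dropping them collapses
# "TR/Inject.aed", "Trojan.Win32.Inject.aed" and "Trojan.Inject.aed" onto
# the same key. The token list is an assumption made for this example.
GENERIC = {"tr", "trojan", "virus", "win32", "w32", "troj"}

def family_key(detection):
    """Reduce a vendor detection name to a vendor-neutral family key."""
    parts = re.split(r"[./\\]", detection.lower())
    return ".".join(p for p in parts if p and p not in GENERIC)

def parse_scan_lines(text):
    """Map engine -> detection name from 'Engine ... DetectionName' lines.
    Only the first and last whitespace-separated tokens are used, so the
    VirusTotal (4-column) and virscan (5-column) layouts both parse."""
    hits = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2:
            hits[tokens[0]] = tokens[-1]
    return hits

def consensus(hits):
    """Group flagging engines by family key. Few engines all naming one
    family (as in the post) is a prompt to ask the vendors for a re-check,
    not a verdict either way."""
    families = {}
    for engine, name in hits.items():
        families.setdefault(family_key(name), []).append(engine)
    return {"engines_flagging": len(hits), "families": families,
            "single_family": len(families) == 1}

def sample_hashes(data):
    """MD5/SHA1 so reports from different services can be tied to one file."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

# Constructed from the VirusTotal lines quoted in the post above.
VT_SAMPLE = """AntiVir 7.6.0.75 2008.03.24 TR/Inject.aed
Ikarus T3.1.1.20 2008.03.24 Virus.Trojan.Win32.Inject.aed
VBA32 3.12.6.3 2008.03.21 Trojan.Win32.Inject.aed
Webwasher-Gateway 6.6.2 2008.03.24 Trojan.Inject.aed"""

if __name__ == "__main__":
    print(consensus(parse_scan_lines(VT_SAMPLE)))
```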
RubbeR DuckY
post Mar 24 2008, 08:58 PM
Post #2

Might be malware.

1. No version tab.
2. Hidden file, with no icon.
3. Might be VMWare aware, looking at the Import functions it has.
4. Did nothing on VMWare.


--------------------
Marcin Kleczynski
President and CEO

GT500
post Mar 25 2008, 05:28 AM
Post #3

Upload the file to VirusTotal to see what the other anti-virus software says about it.

Also, don't just e-mail it to a single anti-virus software vendor. Send it to as many as you can. I can PM you their e-mail addresses if you want.


--------------------
Arthur Wilkinson
Consumer Support Engineer

Gimpguy2000
post Mar 25 2008, 06:16 AM
Post #4

Just a note, that file has been deemed a Trojan downloader and/or malware, but it seems to be the trojan variant to me. There are other variants of it and, if I recall, it was used to attack some bank sites, injecting code into the site and gathering people's info, etc. Also, this typically hits the restore, and purging the restore to get rid of it is usually the last step if it keeps cropping up. Anti-virus software will keep detecting it if it's in the restore but cannot access it to rid the system of it. That's going off my memory though ;)

Paul


GT500
post Mar 25 2008, 12:58 PM
Post #5

QUOTE (Gimpguy2000 @ Mar 25 2008, 02:16 AM) *
... Also, this typically hits the restore, and purging the restore to get rid of it is usually the last step if it keeps cropping up. Anti-virus software will keep detecting it if it's in the restore but cannot access it to rid the system of it. That's going off my memory though ;)

Paul


That used to be quite common. I remember a time when emptying the system restore was always the first step in removing viruses. It's still a good practice when a computer is infected though, as there are still plenty of nasties that like to hide in there.


--------------------
Arthur Wilkinson
Consumer Support Engineer

JeanInMontana
post Mar 25 2008, 02:11 PM
Post #6

QUOTE
That used to be quite common. I remember a time when emptying the system restore was always the first step in removing viruses. It's still a good practice when a computer is infected though, as there are still plenty of nasties that like to hide in there.


Resetting System Restore is a last step. The restore points are saved so there is a place to go back to if something goes wrong in the fixes. Once the machine is deemed clean, then the restore points are cleared. Most HJT log volunteers agree an infected restore point is still better than none if the alternative is needing to reformat due to something going wrong in the fix. Just an FYI.

GT500
post Mar 25 2008, 05:52 PM
Post #7

QUOTE (JeanInMontana @ Mar 25 2008, 10:11 AM) *
... infected restore point is still better than none if the alternative is needing to reformat due to something going wrong in the fix. Just an FYI.


Repair install? Admittedly it doesn't fix everything, but I would believe that it does re-create the registry and replace the system files...


--------------------
Arthur Wilkinson
Consumer Support Engineer

lurkingatu2
post Mar 25 2008, 06:34 PM
Post #8

hello

I understand about giving it around. I've given it to Sunbelt, SuperAntiSpyware, Avast,
Emsi a-squared, MBAM, and I just gave it to CastleCops, and as you can see I've scanned
it at Jotti's and VirusTotal and virscan.org, and I'm asking at Avira's forum, but so far they
have not said much.

I also called Acer but they would not say yes or no because this PC is not under warranty,
but she said if it was her she would not delete it.

I went through this before with a file called kill1211.exe that Prevx 2 was saying
was bad, and found out it was from Acer:
http://www.castlecops.com/modules.php?name...ic&p=964199

so I'm still lost as to what to do with it

thanks :)


--------------------
AMD 3500+
2gb memory
Win Xp Pro MCE sp3
Avira Pe v9
Malwarebytes
Superantispyware pro
Sandboxie

Gimpguy2000
post Mar 25 2008, 06:54 PM
Post #9

I already mentioned that here as well...

QUOTE
Also, this hits the restore typically and purging the restore to get rid of it is usually the last step if it keeps cropping up


What's missing here is any mention of people backing up their info on a regular basis; this is the number one prevention against data loss, and then infected restore points wouldn't be such an issue. Plus, and this is from hands-on experience for years, many infected restore points don't work or cripple the system upon rebooting, depending on the infection type.


GT500
post Mar 25 2008, 06:58 PM
Post #10

I'll send you a PM with e-mail addresses. Send the sample to all of the addresses that you have not yet sent it to, and turn off your System Restore. Then run a full virus scan while Windows is booted in Safe Mode.


--------------------
Arthur Wilkinson
Consumer Support Engineer

Gimpguy2000
post Mar 25 2008, 07:02 PM
Post #11

QUOTE (GT500 @ Mar 25 2008, 02:58 PM) *
I'll send you a PM with e-mail addresses. Send the sample to all of the addresses that you have not yet sent it to, and turn off your System Restore. Then run a full virus scan while Windows is booted in Safe Mode.


Just a mention: if you have made sure the PC is clean, you can back up all important information prior to doing this; it's a good safety precaution. ;)

Paul


GT500
post Mar 25 2008, 07:04 PM
Post #12

QUOTE (Gimpguy2000 @ Mar 25 2008, 02:54 PM) *
... Plus, and this is from hands-on experience for years, many infected restore points don't work or cripple the system upon rebooting, depending on the infection type.


Agreed. Using an infected restore point could make the problem worse. I've rarely found instances where a system restore was needed. If system files or the registry are damaged, a simple repair install typically fixes it (note that the entire registry doesn't normally get regenerated, and typically just the system entries are replaced).


--------------------
Arthur Wilkinson
Consumer Support Engineer

JeanInMontana
post Mar 26 2008, 04:38 PM
Post #13

QUOTE (lurkingatu2 @ Mar 25 2008, 11:34 AM) *
hello

I understand about giving it around. I've given it to Sunbelt, SuperAntiSpyware, Avast,
Emsi a-squared, MBAM, and I just gave it to CastleCops, and as you can see I've scanned
it at Jotti's and VirusTotal and virscan.org, and I'm asking at Avira's forum, but so far they
have not said much.

I also called Acer but they would not say yes or no because this PC is not under warranty,
but she said if it was her she would not delete it.

I went through this before with a file called kill1211.exe that Prevx 2 was saying
was bad, and found out it was from Acer:
http://www.castlecops.com/modules.php?name...ic&p=964199

so I'm still lost as to what to do with it

thanks :)


Are you following your topic here http://www.montanamenagerie.org/forum/view...php?p=3893#3893 ?
lurkingatu2
post Mar 26 2008, 08:01 PM
Post #14

hello

I gave it to CastleCops, and they say Kaspersky says it's not malware, and Avira says

File ID Filename Size (Byte) Result
3793551 KCMDNIns.exe 24 KB FALSE POSITIVE


Please find a detailed report concerning each individual sample below:

Filename Result
KCMDNIns.exe FALSE POSITIVE

The file 'KCMDNIns.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

so thank you everybody :)


--------------------
AMD 3500+
2gb memory
Win Xp Pro MCE sp3
Avira Pe v9
Malwarebytes
Superantispyware pro
Sandboxie

Gimpguy2000
post Mar 27 2008, 01:41 AM
Post #15

Good to hear ;) That's good news, and I hope others update this definition as well; if I recall, A2 and others, maybe Avast I think, detect this too. So many simply coined this a trojan or malware, and we typically have to suck up this definition, so I'm glad CC found out what it was for sure. I think the issue may be the Inject.aed, whose "bad variants" like Win32.Inject.aed were known to infect the folder with KCMDNIns.exe, or even call KCMDNIns.exe a keylogger, malware itself, but now I wonder just how accurate this was. :|


Cheers,

Paul


JeanInMontana
post Mar 27 2008, 09:18 PM
Post #16

To clarify a bit: CastleCops is not a software vendor. They must have submitted to Kaspersky to get a report. You can save yourself a ton of time by submitting yourself here http://uploads.malwarebytes.org/. Bruce and his team [also associated with CastleCops] will determine if it's malware, and it helps MBAM at the same time.

The other option Lurkingatu2 is to give me the file and I will get it to a site with restricted membership, but all major vendors are there and get their information from there for a good share of the new defs.
GT500
post Mar 28 2008, 01:16 PM
Post #17

QUOTE (JeanInMontana @ Mar 27 2008, 04:18 PM) *
The other option Lurkingatu2 is to give me the file and I will get it to a site with restricted membership, but all major vendors are there and get their information from there for a good share of the new defs.


It's been a while since I've been to that site. I normally just e-mail my samples to each vendor that I could find e-mail addresses for (I have a list of more than 20 addresses).


--------------------
Arthur Wilkinson
Consumer Support Engineer

JeanInMontana
post Mar 28 2008, 05:33 PM
Post #18

What site?
GT500
post Mar 28 2008, 11:00 PM
Post #19

QUOTE (JeanInMontana @ Mar 28 2008, 01:33 PM) *
What site?


There is a forum where vendors and users post samples of viruses and other malware. I know that ESET, Kaspersky Labs, and Avira are just some of the vendors that take part in this community. I think Symantec, McAfee, ALWIL Software, Comodo, and a few others are also members. Only vendors are allowed to read topics (to prevent users from downloading samples).

I don't remember the address to the site, or the name (it's been too long, and I have e-mail addresses for almost every vendor), but it was rather interesting.


--------------------
Arthur Wilkinson
Consumer Support Engineer

JeanInMontana
post Mar 28 2008, 11:30 PM
Post #20

I'm talking about Malware Research. Membership is very restricted, and most known vendors are there to collect files. I checked, and you're not a member under this nym you use here.