Full Version: I'm sorry I don't know where to post this
Malwarebytes Forum > Malwarebytes' Anti-Malware Support > General Malwarebytes' Anti-Malware Forum
lurkingatu2
hello

Can you guys look at this file for me? Avira AntiVir PE Classic keeps finding it
as TR/Inject.aed. I uploaded it to Malwarebytes but it won't help me find out if
it's a F/P, and I installed MBAM on this PC and MBAM finds nothing.

I sent it to Avira and they say

File ID Filename Size (Byte) Result
3793551 KCMDNIns.exe 24 KB MALWARE


Please find a detailed report concerning each individual sample below:

Filename Result
KCMDNIns.exe MALWARE

The file 'KCMDNIns.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Inject.aed. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.00.03.35.

Please note: The detection of Spy/Adware is not available in the product "AntiVir PersonalEdition Classic". Please address specific questions to support@avira.com

I think it has something to do with Acer. When I googled it, from what I can tell,
in the HJT logs they have an Acer PC, and there is not much info about it on Google.

I scanned it at Jotti's and VirusTotal and virscan.org.

Jotti's found it with
AntiVir Found TR/Inject.aed
VBA32 Found Trojan.Win32.Inject.aed

VirusTotal found
AntiVir 7.6.0.75 2008.03.24 TR/Inject.aed
Ikarus T3.1.1.20 2008.03.24 Virus.Trojan.Win32.Inject.aed
VBA32 3.12.6.3 2008.03.21 Trojan.Win32.Inject.aed
Webwasher-Gateway 6.6.2 2008.03.24 Trojan.Inject.aed

VirScan found
A-Squared 3.0.0.126 2008.03.23 2008-03-23 Trojan.Win32.Inject.aed
AntiVir 7.6.0.75 7.0.3.66 2008-03-24 TR/Inject.aed
Ikarus T3.1.01.20 2008.03.19.70473 2008-03-19 Virus.Trojan.Win32.Inject.aed
KingSoft 2007.6.20.249 2008.3.25 2008-03-25 Win32.Troj.Small.ap.24576
nProtect 2008-03-24.01 1247199 2008-03-24 Trojan/W32.Inject.24576.D
Prevx V2 20080325 2008-03-25 TROJAN.DOWNLOADER.GEN
VBA32 3.12.6.3 20080324.1134 2008-03-24 Trojan.Win32.Inject.aed

Additional information
File size: 24576 bytes
MD5: 4a51d7a6efa86cceb60d72680c57952b
SHA1: 79ddd8fabfb2d6fc3a85c0bb509eb8f4328e4d8d
PEiD: Armadillo v1.71

Here is the file.
Password: help

thanks :)
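As an added example (not part of the post, and not any vendor's tooling), here is the triage a defender can do with exactly the data quoted above: confirm the vendor report refers to the same bytes by size, MD5 and SHA-1, then tally the multi-engine names for family agreement and generic labels before deciding between deleting the file and submitting it as a possible false positive. The generic-token list, the thresholds and the engine count used in the demo are assumptions of this example.

```python
import hashlib
import re
from collections import Counter
from typing import Optional

# Size and hashes the poster quoted for KCMDNIns.exe (values from the post above).
REPORTED = {
    "size": 24576,
    "md5": "4a51d7a6efa86cceb60d72680c57952b",
    "sha1": "79ddd8fabfb2d6fc3a85c0bb509eb8f4328e4d8d",
}

# The VirScan hits quoted in the post, as (engine, detection name) pairs.
VIRSCAN_HITS = [
    ("A-Squared", "Trojan.Win32.Inject.aed"),
    ("AntiVir", "TR/Inject.aed"),
    ("Ikarus", "Virus.Trojan.Win32.Inject.aed"),
    ("KingSoft", "Win32.Troj.Small.ap.24576"),
    ("nProtect", "Trojan/W32.Inject.24576.D"),
    ("Prevx", "TROJAN.DOWNLOADER.GEN"),
    ("VBA32", "Trojan.Win32.Inject.aed"),
]

# Name fragments that carry no family information (type, platform or generic
# markers). This set is an assumption of the example, not any vendor's scheme.
GENERIC = {"tr", "trojan", "troj", "virus", "win32", "w32", "gen", "generic",
           "downloader", "small", "agent", "heur", "suspicious"}


def hashes_of(data: bytes) -> dict:
    """Size, MD5 and SHA-1 of a sample, in the same shape as the vendor report."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def same_sample(data: bytes, reported: dict = REPORTED) -> bool:
    """True only if size, MD5 and SHA-1 all match the quoted report; otherwise
    the report is about a different file than the one on disk."""
    return hashes_of(data) == reported


def family_of(name: str) -> Optional[str]:
    """Drop type/platform prefixes and return the family token of a detection
    name, or None when every token is generic (e.g. TROJAN.DOWNLOADER.GEN)."""
    for tok in re.split(r"[^a-z0-9]+", name.lower()):
        if len(tok) >= 3 and not tok.isdigit() and tok not in GENERIC:
            return tok
    return None


def summarize(hits, engines_run: int) -> dict:
    """Tally the multi-engine result: hit count, generic-only names, and how
    strongly the named detections agree on a single family."""
    named = Counter(f for f in (family_of(n) for _, n in hits) if f)
    top, top_count = named.most_common(1)[0] if named else (None, 0)
    return {
        "hits": len(hits),
        "engines_run": engines_run,
        "generic": len(hits) - sum(named.values()),
        "top_family": top,
        "agreement": top_count / len(hits) if hits else 0.0,
    }


def needs_vendor_confirmation(summary: dict, min_ratio=0.25, min_agreement=0.5) -> bool:
    """Triage rule (an assumption of this example): the verdict is unconfirmed when
    few engines fire or the firing engines disagree on a family, so the file is a
    candidate for F/P submission to the vendors rather than for deletion."""
    ratio = summary["hits"] / summary["engines_run"]
    return ratio < min_ratio or summary["agreement"] < min_agreement


if __name__ == "__main__":
    s = summarize(VIRSCAN_HITS, engines_run=32)  # 32 is a constructed engine count
    print(s, "-> submit as possible F/P" if needs_vendor_confirmation(s)
          else "-> treat as malware")
```

Running the file against the seven quoted hits reports five engines agreeing on the "inject" family, two generic-only names, and a low hit ratio, which is the "confirm with the vendor" outcome this thread eventually reached.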
RubbeR DuckY
Might be malware.

1. No version tab.
2. Hidden file, with no icon.
3. Might be VMware aware, looking at the import functions it has.
4. Did nothing on VMware.
GT500
Upload the file to VirusTotal to see what the other anti-virus programs say about it.

Also, don't just e-mail it to a single anti-virus software vendor. Send it to as many as you can. I can PM you their e-mail addresses if you want.
Gimpguy2000
Just a note, that file has been deemed a Trojan downloader and/or malware but seems it's the trojan variant to me. There are other variants of it and if I recall was used to attack some bank sites, injecting code into the site and gathering people's info, etc. Also, this hits the restore typically, and purging the restore to get rid of it is usually the last step if it keeps cropping up. An anti-virus software will keep detecting it if in the restore but cannot access it to rid the system of it. That's going off my memory though ;)

Paul
GT500
QUOTE (Gimpguy2000 @ Mar 25 2008, 02:16 AM) *
... Also, this hits the restore typically, and purging the restore to get rid of it is usually the last step if it keeps cropping up. An anti-virus software will keep detecting it if in the restore but cannot access it to rid the system of it. That's going off my memory though ;)

Paul


That used to be quite common. I remember a time when emptying the system restore was always the first step in removing viruses. It's still a good practice when a computer is infected though, as there are still plenty of nasties that like to hide in there.
JeanInMontana
QUOTE
That used to be quite common. I remember a time when emptying the system restore was always the first step in removing viruses. It's still a good practice when a computer is infected though, as there are still plenty of nasties that like to hide in there.


Resetting System Restore is a last step. The restore points are saved so there is a place to go back to if something goes wrong in the fixes. Once the machine is deemed clean, then restore points are cleared. Most HJT log volunteers agree an infected restore point is still better than none if the alternative is needing to reformat due to something going wrong in the fix. Just an FYI.
GT500
QUOTE (JeanInMontana @ Mar 25 2008, 10:11 AM) *
... infected restore point is still better than none if the alternative is needing to reformat due to something going wrong in the fix. Just an FYI.


Repair install? Admittedly it doesn't fix everything, but I would believe that it does re-create the registry and replace the system files...
lurkingatu2
hello

I understand about giving it around. I've given it to Sunbelt, SuperAntiSpyware, Avast,
Emsi a-squared, MBAM, and I just gave it to CastleCops, and as you can see I've scanned
it at Jotti's and VirusTotal and virscan.org, and I'm asking at Avira's forum but so far they
have not said much.

I also called Acer but they would not say yes or no because this PC is not under warranty,
but she said if it was her she would not delete it.

I went through this before with a file called kill1211.exe that Prevx 2 was saying
was bad, and found out it was from Acer:
http://www.castlecops.com/modules.php?name...ic&p=964199

So I'm still lost as to what to do with it.

thanks :)
Gimpguy2000
I already mentioned that here as well...

QUOTE
Also, this hits the restore typically and purging the restore to get rid of it is usually the last step if it keeps cropping up


What is failed here is the mention of people backing up their info on a regular basis; this is the number one prevention against data loss, then infected restore points wouldn't be such an issue. Plus, and this is from hands-on experience for years, many infected restore points don't work or cripple the system upon rebooting, depending on the infection type.
GT500
I'll send you a PM with e-mail addresses. Send the sample to all of the addresses that you have not yet sent it to, and turn off your System Restore. Then run a full virus scan while Windows is booted in Safe Mode.
Gimpguy2000
QUOTE (GT500 @ Mar 25 2008, 02:58 PM) *
I'll send you a PM with e-mail addresses. Send the sample to all of the addresses that you have not yet sent it to, and turn off your System Restore. Then run a full virus scan while Windows is booted in Safe Mode.


Just a mention: if you have made sure the PC is clean, you can back up all important information prior to doing this; it's a good safety precaution ;)

Paul
GT500
QUOTE (Gimpguy2000 @ Mar 25 2008, 02:54 PM) *
... Plus, and this is from hands-on experience for years, many infected restore points don't work or cripple the system upon rebooting, depending on the infection type.


Agreed. Using an infected restore point could make the problem worse. I've rarely found instances where a system restore was needed. If system files or the registry are damaged, a simple repair install typically fixes it (note that the entire registry doesn't normally get regenerated, and typically just the system entries are replaced).
JeanInMontana
QUOTE (lurkingatu2 @ Mar 25 2008, 11:34 AM) *
hello

I understand about giving it around. I've given it to Sunbelt, SuperAntiSpyware, Avast,
Emsi a-squared, MBAM, and I just gave it to CastleCops, and as you can see I've scanned
it at Jotti's and VirusTotal and virscan.org, and I'm asking at Avira's forum but so far they
have not said much.

I also called Acer but they would not say yes or no because this PC is not under warranty,
but she said if it was her she would not delete it.

I went through this before with a file called kill1211.exe that Prevx 2 was saying
was bad, and found out it was from Acer:
http://www.castlecops.com/modules.php?name...ic&p=964199

So I'm still lost as to what to do with it.

thanks :)


Are you following your topic here http://www.montanamenagerie.org/forum/view...php?p=3893#3893 ?
lurkingatu2
hello

I gave it to CastleCops and they say Kaspersky says it's no malware, and Avira says

File ID Filename Size (Byte) Result
3793551 KCMDNIns.exe 24 KB FALSE POSITIVE


Please find a detailed report concerning each individual sample below:

Filename Result
KCMDNIns.exe FALSE POSITIVE

The file 'KCMDNIns.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

So thank you everybody :)
Gimpguy2000
Good to hear ;) That's good news and I hope others update this definition as well; if I recall, A2 and others, maybe Avast I think, detect this too. So many simply coined this a trojan or malware and we typically have to suck up this definition, so I'm glad CC found what it was for sure. I think the issue may be the Inject.aed, which its "bad variants" like Win32.Inject.aed were known to infect the folder with KCMDNIns.exe, or even call KCMDNIns.exe a keylogger, malware itself, but now I wonder just how accurate this was.


Cheers,

Paul
JeanInMontana
To clarify a bit: CastleCops is not a software vendor. They must have submitted to Kaspersky to get a report. You can save yourself a ton of time by submitting yourself here http://uploads.malwarebytes.org/. Bruce and his team [also associated with CastleCops] will determine if it's malware, and it helps MBAM at the same time.

The other option Lurkingatu2 is to give me the file and I will get it to a site with restricted membership, but all major vendors are there and get their information from there for a good share of the new defs.
GT500
QUOTE (JeanInMontana @ Mar 27 2008, 04:18 PM) *
The other option Lurkingatu2 is to give me the file and I will get it to a site with restricted membership, but all major vendors are there and get their information from there for a good share of the new defs.


It's been a while since I've been to that site. I normally just e-mail my samples to each vendor that I could find e-mail addresses for (I have a list of more than 20 addresses).
JeanInMontana
What site?
GT500
QUOTE (JeanInMontana @ Mar 28 2008, 01:33 PM) *
What site?


There is a forum where vendors and users post samples of viruses and other malware. I know that ESET, Kaspersky Labs, and Avira are just some of the vendors that take part in this community. I think Symantec, McAfee, ALWIL Software, Comodo, and a few others are also members. Only vendors are allowed to read topics (to prevent users from downloading samples).

I don't remember the address to the site, or the name (it's been too long, and I have e-mail addresses for almost every vendor), but it was rather interesting.
JeanInMontana
I'm talking about Malware Research. Membership is very restricted and most known vendors are there to collect files. I checked and you're not a member under this nym you use here.
Gimpguy2000
QUOTE (JeanInMontana @ Mar 27 2008, 04:18 PM) *
To clarify a bit: CastleCops is not a software vendor. They must have submitted to Kaspersky to get a report.


I think he did mention that in his first line, just to clarify the clarify lol ;)

QUOTE
I gave it to CastleCops and they say Kaspersky says it's no malware, and Avira says


Cheers,

Paul
GT500
QUOTE (JeanInMontana @ Mar 28 2008, 07:30 PM) *
I'm talking about Malware Research. Membership is very restricted and most known vendors are there to collect files. I checked and you're not a member under this nym you use here.


malware-research.co.uk?

Anyway, I was never a member of the community I mentioned. Like I said, it was just a place to post virus samples in order to easily submit them to multiple vendors. I also don't think it was "Malware Research" (assuming I got the correct site). I could be wrong, as it's been a long time since I stumbled upon that site, but the theme they are using on their forums isn't the same.
JeanInMontana
@GT500 yes you have the correct site. I'm curious about what site you may have been a member of. There aren't that many that one can just post files at; search that memory ;).

@Paul my point is using CC is basically a wasted step. They don't have anything going on that an individual can't take care of themselves, and probably in much less time. A file scan at Jotti's or VT will give faster, more accurate answers.
GT500
QUOTE (JeanInMontana @ Mar 29 2008, 03:03 PM) *
@GT500 yes you have the correct site. I'm curious about what site you may have been a member of. There aren't that many that one can just post files at; search that memory ;).


I was never a member of the site. I just stumbled upon it once, and I only spent about 2 minutes there. It was a nice community, but they don't let non-vendors read any of the topics, so I got bored with it quickly. I was also on the hunt for e-mail addresses for the AV companies, so I didn't feel I needed the community.
JeanInMontana
QUOTE (GT500 @ Mar 29 2008, 06:45 PM) *
I was never a member of the site. I just stumbled upon it once, and I only spent about 2 minutes there. It was a nice community, but they don't let non-vendors read any of the topics, so I got bored with it quickly. I was also on the hunt for e-mail addresses for the AV companies, so I didn't feel I needed the community.


Non-vendors outnumber the vendors by far. No one that is not a member can read the forum because of what is there. It can't get into the wrong hands. Membership is restricted, and for good reason. I misunderstood you, I guess. I thought you were a member of another forum that had direct ties to vendors.
GT500
QUOTE (JeanInMontana @ Mar 30 2008, 03:41 AM) *
Non-vendors outnumber the vendors by far. No one that is not a member can read the forum because of what is there. It can't get into the wrong hands. Membership is restricted, and for good reason. I misunderstood you, I guess. I thought you were a member of another forum that had direct ties to vendors.


The community I had stumbled upon didn't even allow regular members to read topics. Only vendors. That's part of the reason why I never signed up.
JeanInMontana
LMAO OK we are back to where this started for the most part and nothing has been learned. I am not aware of a site as you describe, I thought I had a fair grasp of all major security sites as I'm a member of most. I am really curious what this site might be. If there are regular members especially.
Gimpguy2000
Back to topic, somewhere, lol...

lurkingatu, has Avira removed it by now? There have been a couple of updates already, so I was wondering if they actually did. They are fairly good about it. From what I hear, many are happy with Kaspersky and Avira and a couple of others; me, I am an Avira user, I think the detection rate is great and it doesn't hog the sys. I may switch to Kaspersky as I believe they have the highest detection rates, and many will say, even an Avira page said, they are good but can't keep up with Kaspersky. So, I am seriously thinking of switching. As long as they don't become like Norton, I'll be happy.

Thanks

Paul
GT500
Paul, Kaspersky's engine might be better at detecting new threats than AntiVir currently is, but to tell you the truth, it typically just bounces back and forth between NOD32, AntiVir, and Kaspersky (with a few other obscure AV programs thrown in for good measure). As far as response, Kaspersky Labs always gets my samples analysed first, so if that's what you are looking for, then go with Kaspersky.

If you really want to follow the same info I do, you can head over to AV Comparatives and look at their test results. They need to do another test with NOD32 v3 before the current data is really complete, but they are still a good resource.
Gimpguy2000
QUOTE (GT500 @ Mar 31 2008, 10:27 PM) *
Paul, Kaspersky's engine might be better at detecting new threats than AntiVir currently is, but to tell you the truth, it typically just bounces back and forth between NOD32, AntiVir, and Kaspersky (with a few other obscure AV programs thrown in for good measure). As far as response, Kaspersky Labs always gets my samples analysed first, so if that's what you are looking for, then go with Kaspersky.

If you really want to follow the same info I do, you can head over to AV Comparatives and look at their test results. They need to do another test with NOD32 v3 before the current data is really complete, but they are still a good resource.



Thanks GT, yeah, I agree, they do bounce around when it comes to results. It's fairly impossible to determine if an AV will be top of the line for any amount of time. I used Fix-it-Utilities for some time; it was excellent, then they switched companies and blah... then went to Avast, tried AVG, never did like AVG, never tried NOD or Kaspersky, and have been fairly, well, VERY happy with Avira. I do go to the AV Comparatives and check it out every so often. A big kink for me was my prior system, which I am no longer limited to, running something a bit more resource needy.

And yes, the response from Kaspersky Labs was exactly what Avira was referring to. I think for now, Avira has been good to me, no issues, so I'll stick with it, plus you can't beat the price ;) I have never used Kaspersky on my own computer, and briefly on others' systems. Unfortunately, I run mainly into Norton. They promised a lot in the way of system performance for the new Norton version; I should check to see exactly what was improved, not that I'll ever use it, just out of curiosity.

Thanks for the feedback,

Paul
JeanInMontana
QUOTE (Gimpguy2000 @ Mar 31 2008, 08:01 PM) *
Back to topic, somewhere, lol...

lurkingatu, has Avira removed it by now? There have been a couple of updates already, so I was wondering if they actually did. They are fairly good about it. From what I hear, many are happy with Kaspersky and Avira and a couple of others; me, I am an Avira user, I think the detection rate is great and it doesn't hog the sys. I may switch to Kaspersky as I believe they have the highest detection rates, and many will say, even an Avira page said, they are good but can't keep up with Kaspersky. So, I am seriously thinking of switching. As long as they don't become like Norton, I'll be happy.

Thanks

Paul



http://www.malwarebytes.org/forums/index.p...ost&p=15290 It's a F/P .
GT500
QUOTE (Gimpguy2000 @ Mar 31 2008, 11:26 PM) *
Thanks GT, yeah, I agree, they do bounce around when it comes to results. It's fairly impossible to determine if an AV will be top of the line for any amount of time. I used Fix-it-Utilities for some time; it was excellent, then they switched companies and blah... then went to Avast, tried AVG, never did like AVG, never tried NOD or Kaspersky, and have been fairly, well, VERY happy with Avira. I do go to the AV Comparatives and check it out every so often. A big kink for me was my prior system, which I am no longer limited to, running something a bit more resource needy.


Actually AntiVir, NOD32, avast!, and Kaspersky are all light on resources. Granted I've never used the newer version of Kaspersky, and Kaspersky 5 wasn't that efficient, but I've heard a lot of good things about the newer versions.

As far as Kaspersky Labs' response time, I once had them analyse a sample I sent, and reply to me with an explanation of what it did and what they were going to name the new virus within 20 minutes of my sending them the sample. I was shocked. Most companies take at least a day to get to it, and some even up to a week.

QUOTE (Gimpguy2000 @ Mar 31 2008, 11:26 PM) *
And yes, the response from Kaspersky Labs was exactly what Avira was referring to. I think for now, Avira has been good to me, no issues, so I'll stick with it, plus you can't beat the price ;) I have never used Kaspersky on my own computer, and briefly on others' systems. Unfortunately, I run mainly into Norton. They promised a lot in the way of system performance for the new Norton version; I should check to see exactly what was improved, not that I'll ever use it, just out of curiosity.


Norton?
lurkingatu2
hello

Yes, it was a F/P, and I also think Avira PE Classic is good. They say that it won't find malware,
but it does, because most of what it goes off with and I send in is malware F/Ps, and they say this lol:

Please note: The detection of Spy/Adware is not available in the product "AntiVir PersonalEdition Classic".

but I have the heuristics set on high, so I think what they mean is it won't find it if it's already on the PC.
I also tried AVG but could not stand it. I really liked Avast but could not get the web shield to work with
MSN Web Accelerator (MSN dialup), and I don't use Outlook so half of it was not on, so I went back to Avira.


:)
Gimpguy2000
QUOTE (JeanInMontana @ Apr 1 2008, 02:49 AM) *


Yes, I know. I meant if they removed it from their definitions in the last couple of updates.
Gimpguy2000
QUOTE (GT500 @ Apr 1 2008, 01:24 PM) *
Norton?


LMAO.

And thanks for the info ;)

@ lurkingatu2

Thanks. I would still use a different spyware/adware tool alongside an anti-virus type; mainly, if they are good at being an anti-virus, that doesn't always mean they are good at the spyware/adware, if you know what I mean ;) I am one of those who like non-integrated tools as much as possible, and over the years, I still think they do a better job on their own.

You on dial-up? I truly feel bad for you :( I know what that's like. Well, in some ways it was still better than nothing, if only slightly, lol.

Cheers,

Paul
lurkingatu2
Yes, they fixed it in a few updates. I forget sometimes when I send one in to
Avira from their suspicious files page to mark it as a suspected false positive
and not a suspicious file, and I get the wrong info and I have to send it again
after I get the email back, so it takes longer to find out lol. If I send it as a
suspicious file that Avira finds, they just say yes we find that lol. Then when
I ask at Avira's forum, Barrie, a mod there, asks if I remembered to send it as a
F/P. I don't get a lot of them so I forget.

And thank you, and yes, I also have Ewido 4 on-demand and SuperAntiSpyware Pro,
MBAM, SpywareBlaster, MVPS hosts and hpHosts with HostsMan, and IE-SPYAD.

And it's OK about dialup, but the downloads suck, or I would have helped Sunbelt
with their VIPRE. CounterSpy took like 2 hours at a time to download every few
days or so doing it as beta, but VIPRE is too big, or I would have tried to help.


:)
Gimpguy2000
QUOTE (lurkingatu2 @ Apr 2 2008, 03:56 AM) *
Yes, they fixed it in a few updates. I forget sometimes when I send one in to
Avira from their suspicious files page to mark it as a suspected false positive
and not a suspicious file, and I get the wrong info and I have to send it again
after I get the email back, so it takes longer to find out lol. If I send it as a
suspicious file that Avira finds, they just say yes we find that lol. Then when
I ask at Avira's forum, Barrie, a mod there, asks if I remembered to send it as a
F/P. I don't get a lot of them so I forget.

And thank you, and yes, I also have Ewido 4 on-demand and SuperAntiSpyware Pro,
MBAM, SpywareBlaster, MVPS hosts and hpHosts with HostsMan, and IE-SPYAD.

And it's OK about dialup, but the downloads suck, or I would have helped Sunbelt
with their VIPRE. CounterSpy took like 2 hours at a time to download every few
days or so doing it as beta, but VIPRE is too big, or I would have tried to help.


:)


Thanks, that's what I was wondering ;) Sounds like you are loaded to the till in security, lol. :D

It's too bad you couldn't find someone willing to download a bunch of things for you, put them to CD/DVD or whatever, and then you would at least have some main setup files. That's what I used to do; then all I had to worry about were updates :P If you just post or browse, it's not at all bad, but yep, try to download!! You can grow old waiting for a download, lol.

Cheers,

Paul