MontanaMenagerie http://www.montanamenagerie.org/forum/

help please http://www.montanamenagerie.org/forum/viewtopic.php?f=3&t=862
Page 1 of 1

Author: lurkingatu2 [ Mon Mar 24, 2008 7:49 pm ]
Post subject: help please
Hello, not sure what to do. Avira AntiVir PE Classic finds this file, KCMDNIns.exe, as TR/Inject.aed. I sent it to them and they say it's malware, and I think it's from Acer because I googled it and most of what I can find in HJT logs is that it's from Acer. I went through this when I tried Prevx 2 last year and it found kill1211.exe, but at CastleCops they found out it's from Acer: http://www.castlecops.com/modules.php?n ... c&p=964199

I've given it to Malwarebytes in hopes of finding out: http://www.malwarebytes.org/forums/inde ... topic=4077

I also found this from Avast's forum: http://forum.avast.com/index.php?topic=34058.0

I've scanned it at Jotti's, VirusTotal and virscan.org.

Jotti's found it with:
AntiVir Found TR/Inject.aed
VBA32 Found Trojan.Win32.Inject.aed

VirusTotal found:
AntiVir 7.6.0.75 2008.03.24 TR/Inject.aed
Ikarus T3.1.1.20 2008.03.24 Virus.Trojan.Win32.Inject.aed
VBA32 3.12.6.3 2008.03.21 Trojan.Win32.Inject.aed
Webwasher-Gateway 6.6.2 2008.03.24 Trojan.Inject.aed

VirScan found:
A-Squared 3.0.0.126 2008.03.23 2008-03-23 Trojan.Win32.Inject.aed
AntiVir 7.6.0.75 7.0.3.66 2008-03-24 TR/Inject.aed
Ikarus T3.1.01.20 2008.03.19.70473 2008-03-19 Virus.Trojan.Win32.Inject.aed
KingSoft 2007.6.20.249 2008.3.25 2008-03-25 Win32.Troj.Small.ap.24576
nProtect 2008-03-24.01 1247199 2008-03-24 Trojan/W32.Inject.24576.D
Prevx V2 20080325 2008-03-25 TROJAN.DOWNLOADER.GEN
VBA32 3.12.6.3 20080324.1134 2008-03-24 Trojan.Win32.Inject.aed

Additional information:
File size: 24576 bytes
MD5: 4a51d7a6efa86cceb60d72680c57952b
SHA1: 79ddd8fabfb2d6fc3a85c0bb509eb8f4328e4d8d
PEiD: Armadillo v1.71

Now I'm lost as to what to do. I even tried calling Acer support, and my PC is not under warranty, so they would not tell me yes or no. So here is my HJT log. I posted one at Avira's forum too, but I'm not asking for help there.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:42 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRAM FILES\MAMUTU\mamutu.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Mamutu\a2service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnmember.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [avgnt] C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe /min
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\imekrmig.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Mamutu Guard] "C:\PROGRAM FILES\MAMUTU\mamutu.exe" /silent
O4 - Startup: Acer Empowering Technology.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 8254142296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8254076031
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b53083.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Mamutu Service (Mamutu) - Emsi Software GmbH - C:\Program Files\Mamutu\a2service.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-- End of file - 7189 bytes

I'm so lost, lol. Oh yes, this is my other PC that I don't use much.

Author: ShadowPuterDude [ Mon Mar 24, 2008 8:29 pm ]

I'm leaning towards False Positive. Every single log I have looked at that lists KCMDNIns.exe in the System Directory is for an Acer.

Quote:
Everything I could find about KCMDNIns.exe says it is Trojan. ... is already known) and for whatever reason, I found nothing related to Acer computers. ...

File date, size, name, and location are consistent in all logs. This is a file from 2003 and AntiVir is just now flagging it as malicious. Again, this makes me believe it is a FP.
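An added example, not from the thread and not code from any of the tools named in it. Two checks a practitioner would run before trusting either the scanner verdicts in the first post or the "false positive" reasoning above: confirm that the file on disk is byte-for-byte the sample the multi-scanners reported (its size, MD5 and SHA1 are quoted in the first post and copied into KNOWN_KCMDNINS), and read the build timestamp out of the PE header, which is the kind of evidence the "file from 2003" argument rests on. SAMPLE_PE is a constructed stand-in with a hypothetical 2003 timestamp, not the real KCMDNIns.exe; the function names (fingerprint, mismatches, pe_timestamp, build_year, check_file) are chosen here.

```python
"""Check that a local file is the sample a multi-scanner report described, and
read its PE build timestamp. Added example; KNOWN_KCMDNINS values come from the
first post's VirusTotal/VirScan report, SAMPLE_PE is constructed for the demo."""
import hashlib
import struct
from datetime import datetime, timezone

# Size, MD5 and SHA1 quoted in the first post for KCMDNIns.exe.
KNOWN_KCMDNINS = {
    "size": 24576,
    "md5": "4a51d7a6efa86cceb60d72680c57952b",
    "sha1": "79ddd8fabfb2d6fc3a85c0bb509eb8f4328e4d8d",
}


def fingerprint(data: bytes) -> dict:
    """Size, MD5 and SHA1 of the raw bytes, the values the scanners key on."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def mismatches(fp: dict, known: dict) -> list:
    """Fields where the local file differs from the reported sample. An empty list
    means the scanner verdicts apply to this exact file; anything else means the
    file on this disk is not the one that was analysed, whatever its name."""
    return [k for k in ("size", "md5", "sha1") if fp.get(k) != known.get(k)]


def pe_timestamp(data: bytes):
    """COFF TimeDateStamp (seconds since the Unix epoch) or None if not a PE image.
    The MZ stub stores the offset of the PE signature at 0x3C; the 20-byte COFF
    header follows the 4-byte signature, with the timestamp at header offset 4
    (after Machine and NumberOfSections)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def build_year(data: bytes):
    """Year of the linker timestamp, or None. Packers (PEiD reported Armadillo on
    this sample) can rewrite the stamp, so treat it as a hint, not proof."""
    stamp = pe_timestamp(data)
    if stamp is None:
        return None
    return datetime.fromtimestamp(stamp, tz=timezone.utc).year


def check_file(path: str, known: dict = KNOWN_KCMDNINS) -> dict:
    """Run both checks against a file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "mismatches": mismatches(fingerprint(data), known),
        "build_year": build_year(data),
    }


# Constructed stand-in for a PE file (the real KCMDNIns.exe is not reproduced):
# an MZ stub whose e_lfanew points at a PE signature plus a COFF header carrying
# a hypothetical timestamp of 1047600000 (2003-03-14 UTC).
_hdr = bytearray(0x40)
_hdr[:2] = b"MZ"
struct.pack_into("<I", _hdr, 0x3C, 0x40)
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
_hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 1047600000, 0, 0, 0xE0, 0x010F)
SAMPLE_PE = bytes(_hdr)

if __name__ == "__main__":
    print("sample build year:", build_year(SAMPLE_PE))
    print("sample differs from reported KCMDNIns.exe in:",
          mismatches(fingerprint(SAMPLE_PE), KNOWN_KCMDNINS))
```

On a real machine you would call check_file(r"C:\WINDOWS\system32\KCMDNIns.exe") and expect an empty mismatch list before relying on anything the scanners or the vendor said about the sample; a non-empty list means the verdicts were issued for a different file and the analysis has to start over with the bytes actually on disk.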

Author: lurkingatu2 [ Wed Mar 26, 2008 2:05 pm ]

Hello, I gave it to CastleCops and they say Kaspersky says it's no malware, and Avira says:

File ID: 3793551
Filename: KCMDNIns.exe
Size (Byte): 24 KB
Result: FALSE POSITIVE

Please find a detailed report concerning each individual sample below:

Filename: KCMDNIns.exe
Result: FALSE POSITIVE

The file 'KCMDNIns.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

Thank you so much, ShadowPuterDude.

Author: ShadowPuterDude [ Wed Mar 26, 2008 5:08 pm ]

Good to know that it is indeed a FP.

Author: JeanInMontana [ Thu Mar 27, 2008 1:18 pm ]

Yes, and regardless of the BS in your thread at Malwarebytes: deleting System Restore points on an infected machine is among the last steps, NOT the first. GimpGuy has never gotten over that I didn't allow him to link to his site from here and that I had to tell him he couldn't do HJT logs, period, at Malwarebytes. The other one, I really don't know if he has any ties to the security community at all. I think he may be a classmate of Marcin's. I don't normally interject into HJT threads on any site. This issue has got to me a bit and I don't want to say anything more at Malwarebytes and start a big *thing* with either of them.

Author: ShadowPuterDude [ Thu Mar 27, 2008 3:30 pm ]

I'm not going to leave any comments in the thread at Malwarebytes, but it is filled with pure BS. C:\WINDOWS\system32\KCMDNIns.exe was never a Trojan; it has been a false positive the whole time. In every single log I have looked at, in every single thread where C:\WINDOWS\system32\KCMDNIns.exe is brought up, the system is an Acer. It's an Acer core file. I, like Jean, am very particular about who works Malware threads. I see many posting advice that I would never allow anywhere near a support forum, let alone a Malware removal thread.

Author: Skipswift [ Sun Apr 06, 2008 8:34 am ]
Post subject: kill1211.exe

Any verdict about c:\windows\system32\kill1211.exe? Spy Sweeper flags it as Trojan.gen, but Castle Cops says it's an Acer system file. I emailed Acer and they said it wasn't a system file. Thanks. S.

Author: ShadowPuterDude [ Sun Apr 06, 2008 9:17 am ]
Post subject: Re: kill1211.exe

Skipswift wrote:
Any verdict about c:\windows\system32\kill1211.exe? Spy Sweeper flags it as Trojan.gen, but Castle Cops says it's an Acer system file. I emailed Acer and they said it wasn't a system file. Thanks. S.

All times are UTC - 7 hours [ DST ]