MontanaMenagerie - View topic - help please
I Have Powah
Posts: 442
Joined: Thu Jul 19, 2007 9:39 pm
Location: oregon
Post subject: help please
Hello

Not sure what to do. Avira AntiVir PE Classic finds this file KCMDNIns.exe as a TR/Inject.aed.
I sent it to them and they say it's malware, and I think it's from Acer because I googled it
and most of what I can find in HJT logs is that it's from Acer. I went through this when I tried
Prevx 2 last year and it found kill1211.exe, but at CastleCops they found out it's from Acer:
http://www.castlecops.com/modules.php?n ... c&p=964199

I've given it to Malwarebytes in hopes of finding out:
http://www.malwarebytes.org/forums/inde ... topic=4077
I also found this from Avast's forum:
http://forum.avast.com/index.php?topic=34058.0

I've scanned it at Jotti's, VirusTotal and virscan.org.
Jotti's found it with:
AntiVir Found TR/Inject.aed
VBA32 Found Trojan.Win32.Inject.aed

VirusTotal found:
AntiVir 7.6.0.75 2008.03.24 TR/Inject.aed
Ikarus T3.1.1.20 2008.03.24 Virus.Trojan.Win32.Inject.aed
VBA32 3.12.6.3 2008.03.21 Trojan.Win32.Inject.aed
Webwasher-Gateway 6.6.2 2008.03.24 Trojan.Inject.aed

virscan found:
A-Squared 3.0.0.126 2008.03.23 2008-03-23 Trojan.Win32.Inject.aed
AntiVir 7.6.0.75 7.0.3.66 2008-03-24 TR/Inject.aed
Ikarus T3.1.01.20 2008.03.19.70473 2008-03-19 Virus.Trojan.Win32.Inject.aed
KingSoft 2007.6.20.249 2008.3.25 2008-03-25 Win32.Troj.Small.ap.24576
nProtect 2008-03-24.01 1247199 2008-03-24 Trojan/W32.Inject.24576.D
Prevx V2 20080325 2008-03-25 TROJAN.DOWNLOADER.GEN
VBA32 3.12.6.3 20080324.1134 2008-03-24 Trojan.Win32.Inject.aed

Additional information
File size: 24576 bytes
MD5: 4a51d7a6efa86cceb60d72680c57952b
SHA1: 79ddd8fabfb2d6fc3a85c0bb509eb8f4328e4d8d
PEiD: Armadillo v1.71

Now I'm lost as to what to do. I even tried calling Acer support, and my PC is not under
warranty so they would not tell me yes or no. So here is my HJT log; I posted one
at Avira's forum but I'm not asking for help there.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:42 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRAM FILES\MAMUTU\mamutu.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Mamutu\a2service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnmember.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [avgnt] C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe /min
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\imekrmig.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Mamutu Guard] "C:\PROGRAM FILES\MAMUTU\mamutu.exe" /silent
O4 - Startup: Acer Empowering Technology.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 8254142296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8254076031
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b53083.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Mamutu Service (Mamutu) - Emsi Software GmbH - C:\Program Files\Mamutu\a2service.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7189 bytes

I'm so lost lol :)
Oh yes, this is my other PC that I don't use much.

_________________
AMD Athlon 64 3500+, 2 GB memory, WinXP MCE SP3
Avira AntiVir PE
DefenseWall HIPS
Malwarebytes
SUPERAntiSpyware Pro
Sandboxie


Mon Mar 24, 2008 7:49 pm
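An added example, not code from this thread, from Avira, or from any of the scanning sites mentioned: a small Python triage script for the situation in the post above. It hashes a local copy of the file and checks it against the MD5, SHA1 and size posted above (so that the verdict being discussed is actually about the file on disk), then tallies the virscan detection lines quoted above to see how many engines agree and how many of their names are generic. The engine total (32) and the 25% consensus threshold are assumptions chosen for illustration; the path argument is whatever copy of the file you are checking.

```python
"""Triage helper for a suspected antivirus false positive.

Added example for the thread above; not code from the forum, from Avira or
from any scanning site. Before acting on a low-count detection of a file that
other evidence ties to the OEM image, a defender wants two things: proof that
the file on disk is the sample the scanners reported on (hash comparison) and
a tally of how many engines agree and how specific their verdict names are.
The hashes and scan lines are copied from the thread; the engine total and
the consensus threshold are assumptions.
"""
import hashlib
import re
from collections import Counter
from pathlib import Path

# Hashes and size of KCMDNIns.exe exactly as posted in the thread.
REPORTED = {
    "md5": "4a51d7a6efa86cceb60d72680c57952b",
    "sha1": "79ddd8fabfb2d6fc3a85c0bb509eb8f4328e4d8d",
    "size": 24576,
}

# Detection lines copied from the virscan output quoted in the thread:
# engine, engine version, signature version, signature date, verdict.
SCAN_LINES = """\
A-Squared 3.0.0.126 2008.03.23 2008-03-23 Trojan.Win32.Inject.aed
AntiVir 7.6.0.75 7.0.3.66 2008-03-24 TR/Inject.aed
Ikarus T3.1.01.20 2008.03.19.70473 2008-03-19 Virus.Trojan.Win32.Inject.aed
KingSoft 2007.6.20.249 2008.3.25 2008-03-25 Win32.Troj.Small.ap.24576
nProtect 2008-03-24.01 1247199 2008-03-24 Trojan/W32.Inject.24576.D
Prevx V2 20080325 2008-03-25 TROJAN.DOWNLOADER.GEN
VBA32 3.12.6.3 20080324.1134 2008-03-24 Trojan.Win32.Inject.aed
"""

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Verdict names that are generic or heuristic rather than a specific family.
GENERIC_RE = re.compile(r"gen|generic|heur|suspicious", re.IGNORECASE)


def hashes_of_bytes(data: bytes) -> dict:
    """MD5, SHA1 and size of an in-memory sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "size": len(data),
    }


def file_hashes(path) -> dict:
    """Same as hashes_of_bytes, for a file on disk."""
    return hashes_of_bytes(Path(path).read_bytes())


def matches_reported(actual: dict, reported: dict) -> bool:
    """True only if every reported value (md5, sha1, size) matches the file."""
    return all(actual.get(key) == value for key, value in reported.items())


def parse_scan_lines(text: str) -> list:
    """Parse 'engine ... YYYY-MM-DD verdict' lines into dicts."""
    results = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3:
            continue
        date = next((t for t in tokens if DATE_RE.match(t)), None)
        results.append({"engine": tokens[0], "date": date, "verdict": tokens[-1]})
    return results


def summarize(results: list, total_engines: int) -> dict:
    """Count hits, distinct verdict names and generic verdicts."""
    verdicts = [r["verdict"] for r in results]
    return {
        "hits": len(results),
        "total_engines": total_engines,
        "ratio": len(results) / total_engines,
        "distinct_verdicts": len(set(verdicts)),
        "generic_hits": sum(1 for v in verdicts if GENERIC_RE.search(v)),
        "most_common": Counter(verdicts).most_common(1)[0][0] if verdicts else None,
    }


def assess(hash_match: bool, summary: dict, low_consensus: float = 0.25) -> str:
    """Recommend a next step. The 0.25 threshold is an assumed, illustrative value."""
    if not hash_match:
        # The reported verdict is about a different file; rescan your own copy.
        return "HASH_MISMATCH_RESCAN"
    if summary["ratio"] < low_consensus:
        # A few engines, often sharing one name: submit to the vendor for review
        # rather than deleting a file other evidence ties to the OEM image.
        return "LOW_CONSENSUS_SUBMIT_FOR_REVIEW"
    return "HIGH_CONSENSUS_TREAT_AS_MALICIOUS"


if __name__ == "__main__":
    results = parse_scan_lines(SCAN_LINES)
    summary = summarize(results, total_engines=32)  # 32 is an assumed engine total
    print(summary)
    # Without the actual file the hash cannot be checked here; pass True to see
    # the branch the thread's eventual "FALSE POSITIVE" verdict corresponds to.
    print(assess(True, summary))
```

Run `file_hashes("C:/WINDOWS/system32/KCMDNIns.exe")` on the machine in question and feed the result to `matches_reported(..., REPORTED)` before trusting any vendor verdict about the posted hash; a mismatch means the scanners never saw your copy. The low-consensus branch does not declare the file clean; it says the next step is a vendor submission, which is what the poster eventually did.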
Runnin The Show
Posts: 321
Joined: Sat Jul 14, 2007 7:01 pm
Location: Northern, NY
I'm leaning towards False Positive.

Every single log I have looked at that lists KCMDNIns.exe in the System Directory is for an Acer.
Quote:
Everything I could find about KCMDNIns.exe says it is Trojan. ... is already known) and for whatever reason, I found nothing related to Acer computers. ...
Everything I find is to the contrary.

File date, size, name, and location are consistent in all logs. This is a file from 2003 and AntiVir is just now flagging it as malicious. Again, this makes me believe it is a FP.

_________________
"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional ConsumerSecurity (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006


Mon Mar 24, 2008 8:29 pm
I Have Powah
Posts: 442
Joined: Thu Jul 19, 2007 9:39 pm
Location: oregon
Hello

I gave it to CastleCops and they say Kaspersky says it's no malware, and Avira says:

File ID Filename Size (Byte) Result
3793551 KCMDNIns.exe 24 KB FALSE POSITIVE


Please find a detailed report concerning each individual sample below:

Filename Result
KCMDNIns.exe FALSE POSITIVE

The file 'KCMDNIns.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

Thank you so much shadowputerdude :)

_________________
AMD Athlon 64 3500+, 2 GB memory, WinXP MCE SP3
Avira AntiVir PE
DefenseWall HIPS
Malwarebytes
SUPERAntiSpyware Pro
Sandboxie


Wed Mar 26, 2008 2:05 pm
Runnin The Show
Posts: 321
Joined: Sat Jul 14, 2007 7:01 pm
Location: Northern, NY
Good to know that it is indeed a FP.

_________________
"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional ConsumerSecurity (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006


Wed Mar 26, 2008 5:08 pm
It's Mine!!
Posts: 2755
Joined: Fri Jun 08, 2007 6:10 am
Location: South Central Montana
:celb: Yes, and regardless of the BS in your thread at Malwarebytes, deleting System Restore points on an infected machine is among the last steps, NOT the first. GimpGuy has never gotten over that I didn't allow him to link to his site from here and that I had to tell him he couldn't do HJT logs period at Malwarebytes. The other one, I really don't know if he has any ties to the security community at all. I think he may be a classmate of Marcin's.

I don't normally interject into HJT threads on any site. This issue has got to me a bit and I don't want to say anything more at Malwarebytes and start a big *thing* with either of them.
:roll:

_________________
~Betrayal is the only truth that sticks.~ Arthur Miller


Thu Mar 27, 2008 1:18 pm
Runnin The Show
Posts: 321
Joined: Sat Jul 14, 2007 7:01 pm
Location: Northern, NY
I'm not going to leave any comments in the thread at Malwarebytes, but it is filled with pure BS. C:\WINDOWS\system32\KCMDNIns.exe was never a Trojan; it has been a false positive the whole time. In every single log I have looked at, in every single thread in which C:\WINDOWS\system32\KCMDNIns.exe is brought up, the system is an Acer.

It's an Acer core file.

I, like Jean, am very particular about who works Malware threads. I see many posting advice that I would never allow anywhere near a support forum, let alone a Malware removal thread.

_________________
"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional ConsumerSecurity (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006


Thu Mar 27, 2008 3:30 pm
Skipswift
Posts: 1
Joined: Sun Apr 06, 2008 8:32 am
Post subject: kill1211.exe
Any verdict about c:\windows\system32\kill1211.exe?

Spy Sweeper flags it as Trojan.gen, but Castle Cops says it's an Acer system file. I emailed Acer and they said it wasn't a system file.

Thanks.
S.


Sun Apr 06, 2008 8:34 am
Runnin The Show
Posts: 321
Joined: Sat Jul 14, 2007 7:01 pm
Location: Northern, NY
Post subject: Re: kill1211.exe
Skipswift wrote:
Any verdict about c:\windows\system32\kill1211.exe?

Spy Sweeper flags it as Trojan.gen, but Castle Cops says it's an Acer system file. I emailed Acer and they said it wasn't a system file.

Thanks.
S.
It is indeed an Acer file. It is not a Trojan, never was. All the security applications that flag it as malicious are incorrect.

_________________
"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional ConsumerSecurity (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006


Sun Apr 06, 2008 9:17 am