I found something kind of interesting. On Mar 17, Kaspersky detected it with the same infection. However, today it doesn’t. I’m leaning towards a false positive.
More info on this executable. It is only on one of my two accounts on XP, so not on the normal user account. It is a hidden archive file in system32, it was made using Armadillo v.1711 and Microsoft Visual Basics v. 5.0 and 6.0, it consists of text, rdata, and data, Import table (libr. 2), Kernel32.dll and User32.dll Security Admin etc. (all inbuilt), Stream Type Security 148, Standard 24576, Obj.id. 64
It has a pure virtual function, and is a Windows 32-bit VxD Message Server CMDNMST for Windows Graphical User Interface (GUI). What it does? Open Process Kernel32.dll, Get Window Thread Process, Find Window User32.dll, GetModuleHandle, Get CommandLine, Get Version, Exit Process, Get Current Process, Free Environment String, Set Handle Count, HeapDestroy, HeapCreate, WriteFile, GetCPInfo, SetACP, GetOEMCP, HeapAlloc, VirtualAlloc, Heap ReAlloc, LinkLibrary, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW,
Found this, but mine reads: kcmndinst.exe
for cmdninst.exe
Component Name: cmdninst.exe
Description of cmdninst.exe
This is a component of MS Windows Application. Part of the widely popular Windows operating system. The Windows family of operating systems developed the point-and-click graphical user interface for easy interaction with programs and files.
Recommendation for cmdninst.exe
N/A
Trusted: Yes
Trojan: No
Chronic: No
Adware: No
Carrier: No
Browser Hijacker: No
Dialer: No
Commercial Keylogger: No
Remote Administration Tool: No
Suspected: No
Company Name: Microsoft Corporation
Platforms Affected:
Methods of Distribution: .
Variants/Versions:
Release Date: 1983
I’m trying to find info on this also. Avira AntiVir PE Classic started to find this on my last scan. AntiVir did not find this before my last scan on 3/12/08. I sent it to them and am waiting for an email from them. There are some that talked about it on their German part of the forum.
I googled it and looked at some HJT logs and saw that the others find it on an Acer PC, and that is what I have (Acer Aspire T180).
The date from this file is 8/6/2003 and it’s 24,576 bytes. I wonder if it’s an Acer thing.
Maybe it has to do with acer and their software, because I am on an Acer too. That could be the clue. Part of Acer Media Synchronization or something similar… Thanks for that information, lurkingatu2,
polonus
P.S. Hi, “oldman” you keep digging please, I trust you to get at the facts! In the description of the malware, kcmdnins.exe had “keylogger”-like aspects. More and more I also lean to it being a False Positive,
Sorry I could not get here earlier, the forum must have had a problem.
Well, I got an email back from Avira and they say:
File ID Filename Size (Byte) Result
3793551 KCMDNIns.exe 24 KB MALWARE
Please find a detailed report concerning each individual sample below:
Filename Result
KCMDNIns.exe MALWARE
The file ‘KCMDNIns.exe’ has been determined to be ‘MALWARE’. Our analysts named the threat TR/Inject.aed. The term “TR/” denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.00.03.35.
Please note: The detection of Spy/Adware is not available in the product “AntiVir PersonalEdition Classic”. Please address specific questions to support@avira.com
So I’m not sure what to do. I scanned it at Jotti’s and VirusTotal and virscan.org.
Jotti’s found it with
AntiVir Found TR/Inject.aed
VBA32 Found Trojan.Win32.Inject.aed
Thank you for posting back. I still don’t know what to make of it. If the file date is correct, it’s been kicking around for almost 5 years and no one has made a fuss over it until now. From the description, it’s spyware, but spying on what? If it is indeed from Acer, perhaps a question directed in their direction will shed some light on it.
Other manufacturers have similar software that “phones” home for updates (as far as we know). Maybe we are getting too paranoid.
It would have been nice if Avira’s description was a little more detailed. More of an explanation on what the unwanted modifications were. Updates??
Polonus, I suggest you submit your sample and see who has joined in the detections. As I said earlier, Kaspersky seems to have changed their minds. Maybe they know something we don’t.
Perhaps Awil could have a look and give us a better understanding of what the “trojan” actually does.
Well, I called Acer support in the US but they would not say because my PC is not under warranty. They wanted me to call pay support, but the way she said she could not say if it was or not makes me think it’s from Acer.
I’ve also sent it to avast and I’m asking at Avira, so I still don’t know what to do with it lol
cmdninst.exe seems to be Microsoft Config Manager Device Installer Launcher.
Everything I could find about KCMDNIns.exe says it is Trojan.Win32.Inject.aed (which is already known) and for whatever reason, I found nothing related to Acer computers.
I gave it to CastleCops and they say Kaspersky says it’s no malware, and Avira says:
File ID Filename Size (Byte) Result
3793551 KCMDNIns.exe 24 KB FALSE POSITIVE
Please find a detailed report concerning each individual sample below:
Filename Result
KCMDNIns.exe FALSE POSITIVE
The file ‘KCMDNIns.exe’ has been determined to be ‘FALSE POSITIVE’. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.
Thanks for the further investigations. If I was leaning towards a False Positive earlier, I am convinced now. So it is important to really evaluate everything flagged by an anti-malware scanner to be able to make the right decision. Again this adds to the credibility and quality of this support forum,