Upload a suspicious file?

I’m trying Prevx 2 on my new PC, an Acer desktop, and it finds this file kill1211.exe (the name doesn’t look too good), and I can’t find much info on it. I’ve scanned it at VirusTotal and Jotti but they find nothing. Where can I upload it to avast, or an addy I can send it to? :) Thanks

It’s OK, I found it, thanks :slight_smile:

You can send the samples to virus@avast.com
You can zip and password-protect the files. Include a link to this thread and the password used. Or you can add the file to the Chest and, from there, resend it to Alwil for analysis.
Thanks.

Apart from your other topic in CastleCops that has yet to return any useful info, I found this http://forums.techguy.org/security/472497-infected-w-terminal-service-trojan.html.

On one of the Google hits, pages that can be translated reveal that there may be other files associated with this:
C:\WINDOWS\system32\RemD1211.exe
C:\WINDOWS\system32\RemD1215.exe
I’m basing this assumption on the 1211 and similar 1215 in the file names; perhaps a search on these might bring up more information. Though it looks like much the same hits, most to translated pages.

Thank you guys :slight_smile: and I sent it to avast, and thank you DavidR :slight_smile: I saw that also on Google. I searched my PC for them other files, remd1221 and remd1215, and found them, and under properties it says the description is “remove program for windows 2000 drivers” lol :slight_smile: this PC is a Media Center PC with Win XP Pro SP2 lol, and I looked at the properties of kill1211.exe and under description it just says kill1211.exe lol :slight_smile: Also I got this PC new not even a year ago and don’t use it much. The date it was created on kill1211 is 11-16-05 and I took it out of the box on about 10-01-06, so that file came with it lol :slight_smile: I also sent that file off to some others and will see if I get an e-mail back, and I will let you know :slight_smile: Thanks again

You’re welcome. I would imagine if it came back clean from VirusTotal and Jotti I would think it is clean, just a strange name, a tool perhaps like pskill or killbox; both sound strange/dangerous and they are tools (also detected by some AVs), but it is most strange not to get a definitive answer on Google.

You aren’t normally contacted about submissions unless they require any more information.

Hey guys, now Prevx2 is not picking it up, but CastleCops says this at unknown files http://www.castlecops.com/t194480-kill1211_exe.html I don’t know what to do now? It says to have an HJT read; can you guys look at it please? I know I don’t have avast on here, but I don’t use this PC much until my other one dies lol. I sent it to Avira and Sunbelt but have not heard back yet, but the Prevx task bar icon is green and not finding nothing now. I’m lost lol

Logfile of HijackThis v1.99.1
Scan saved at 9:21:17 AM, on 7/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\MSNAccel.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnmember.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1
O4 - HKLM..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM..\Run: [avgnt] C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe /min
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180565447437
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip..{C8ACCB0D-248D-4F83-B7CE-8711DAC30823}: NameServer =
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing)

Thanks :slight_smile:
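As an added example that is not part of this thread and not a HijackThis or Prevx tool, the script below parses log lines in the format posted above and applies a few defender-side triage heuristics: orphaned entries marked "(file missing)", services with no publisher information, browser traffic routed through a local proxy, autorun entries given as a bare filename, and downloaded ActiveX controls. It also collects the absolute paths referenced by BHO, autorun and service entries, which is the list of files worth hashing and checking at VirusTotal/Jotti or submitting to a vendor. The sample log is constructed (modelled on the log above, with a couple of lines altered) and the rules are assumptions for illustration; every one of them also fires on legitimate software, so the output is a reading aid for a human, not a verdict.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Entry lines look like "<section> - <body>", e.g. "O23 - Service: ...".
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Absolute Windows path ending in an executable-ish extension; spaces are
# allowed, and the match stops at a double quote so quoted command lines work.
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|cab)', re.IGNORECASE)
# Internet Settings ProxyServer pointing at the loopback address.
LOCAL_PROXY_RE = re.compile(r"ProxyServer = .*127\.0\.0\.1:(\d+)")

# Constructed sample log, modelled on the one posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1 (constructed sample)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Prevx2\PXAgent.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing)
"""


@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. "R1", "O4", "O23"
    body: str     # text after "<section> - "
    raw: str      # the original line


@dataclass
class Finding:
    section: str
    reason: str
    raw: str


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the 'Rn - ...' / 'On - ...' entry lines; the header and the
    running-process list are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), line))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Illustrative heuristics (assumptions, not a vendor's rules). Each one
    also matches legitimate software, so findings are hints for a reviewer."""
    findings = []
    for e in entries:
        if "(file missing)" in e.body:
            findings.append(Finding(e.section, "orphaned entry: referenced file is missing", e.raw))
        if e.section == "O23" and "Unknown owner" in e.body:
            findings.append(Finding(e.section, "service without publisher information", e.raw))
        if e.section.startswith("R"):
            m = LOCAL_PROXY_RE.search(e.body)
            if m:
                findings.append(Finding(e.section,
                    f"browser traffic routed through a local proxy on port {m.group(1)}; "
                    "identify the process listening there", e.raw))
        if (e.section == "O4" and not WIN_PATH_RE.search(e.body)
                and re.search(r"\.exe", e.body, re.IGNORECASE)):
            findings.append(Finding(e.section,
                "autorun entry with a bare filename; it is resolved through the search path", e.raw))
        if e.section == "O16":
            findings.append(Finding(e.section, "downloaded ActiveX control; confirm the source URL is expected", e.raw))
    return findings


def file_paths(entries: list[Entry], sections=("O2", "O4", "O20", "O23")) -> list[str]:
    """Absolute paths referenced by BHO/autorun/Winlogon/service entries: the
    files worth hashing and checking or submitting. Order preserved, de-duplicated
    case-insensitively because Windows paths are case-insensitive."""
    seen, paths = set(), []
    for e in entries:
        if e.section in sections:
            for p in WIN_PATH_RE.findall(e.body):
                if p.lower() not in seen:
                    seen.add(p.lower())
                    paths.append(p)
    return paths


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for f in triage(ents):
        print(f"[{f.section}] {f.reason}\n    {f.raw}")
    print("files to hash/submit:", *file_paths(ents), sep="\n  ")
```

Run it as-is to see the findings for the constructed sample, or replace `SAMPLE_LOG` with the contents of a saved HijackThis log. The path list is deliberately limited to entries that actually load code at logon or in the browser; the bare-filename rule is there because an autorun entry such as `nwiz.exe /install` tells you nothing about which file on disk will run until you resolve it through the search path yourself.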

The chances are it was a false positive detection by Prevx2 that has now been corrected; based on the fact that none of the scanners in VT and Jotti found anything, that isn’t an unreasonable assumption.

The last reply in your CastleCops topic seems to think it belongs to “AcerEmpowering Technology Monitor”: http://www.castlecops.com/p964268-kill1211_exe.html#964268.