AEC.SYS detected as trojan (False positive?) [Resolved]

When I restarted my PC, C:\windows\SYSTEM32\DRIVERS\AEC.SYS was detected as trojan horse DLDR-GAMES.D MALWARE. I think I acted too hastily in telling BOClean to delete file & clean registry.

http://www.virustotal.com/vt/en/resultadox?6d2451bb979c829fb999fad8935a6e0f

I then started up my other PC. After updating BOClean, I restarted that PC & got the same result (but did not delete the file this time). Uploaded aec.sys to VirusTotal: no virus/threat found.

http://img297.imageshack.us/img297/4895/clipboard01ww2.png

http://img168.imageshack.us/img168/5724/clipboard02ju2.png

Tho I have image backups made, I would like to ask: for FP cases, generally how should one go about restoring files & registry entries deleted by BOClean?

i got the same false-positive… when the alert popped up, i told BOC to not remove the file… i wanted to check it out before allowing BOC to delete it…

i don’t know what to tell you about restoring the file that was deleted… to fix the problem, i would try running “system file checker”, first…

to run “system file checker”, go to “start”/“run” and type “sfc /scannow” (minus quotations)… when i run “system file checker”, i have to have the win xp cd in the cd-rom drive…

a false positive indeed.
(got same alert)

NOD32 says it is clean.

Thanks. I’ll prob restore my backup image then. I learned today that BOClean does not have a quarantine function.

actually, there is a setting in BOC’s “configuration” for “keep copy of trojan as evidence”… in that case, a copy of the file is saved, only with a different name and extension, and, supposedly, it can be restored by changing the name and extension back to the original name and extension, and then restoring the file…

i have tried testing that, before, to see if a file that had been saved could be restored… the last time that i tried it, with BOC 4.22, it worked, but i had tried it before, with previous versions of BOC, and it didn’t work, not for me…

Thanks redwolfe_98. I’ve already restored my drive, but I’ll remember to try that out 1st next time.

Deleted registry entries may be a problem tho… I think.

Same here… what’s worse, you can’t drag the application into the Program Excluder, as it will not accept sysfiles…

I’m no longer convinced that the fact that Kevin is now concentrating on programming rather than detections is such a good thing…

I am still getting alerts each time I log in. Even if I tell it to delete the trojan. I am assuming from reading this thread that this is a FALSE positive, am I correct? My main question is how do I stop BOClean from alerting me each time I log on.

Thanks in advance,
L

AEC.exe is Microsoft Acoustic Echo Canceler. Don’t know what it is for but it isn’t a trojan.

Yup, we know… :-\ Also see here

I have just started up my PC to see: “C:\WINDOWS\SYSTEM32\DRIVERS\AEC.SYS: this trojan horse program was found on my machine. It has been shut down, but the file from which it started still remains and can be started up again. Do you want the file removed also?” If I click yes, it does not remove the file, and how sure am I that this is not a false positive, as my antivirus says everything’s OK and so does Comodo’s firewall? So what’s going on? I have tried rebooting but the same message from BOClean comes up, which is a good thing I guess, but I need help on where to go from here.

Sorry,
something didn’t work. I couldn’t see the whole thread (or was too daft). So my post was more than redundant.
grampa.

Firstly hi to all,

Pls help me, i am a novice pc user (keep any answers simple pls…) and i use the superb boclean, today i booted my pc and received this message:

05/21/2007 15:39:10: C:\WINDOWS\SYSTEM32\DRIVERS\AEC.SYS
Trojan horse was found in above file
DLDR-GAMES.D MALWARE STOPPED by BOCLEAN!

i have scanned my system with my a/v (nod32) and nothing!!

i am currently scanning my system with kaspersky online scanner and nothing!!
please can anyone advise me! many thanx Novieiam…

Hi Novieiam, it is a False Positive.

If you read this topic and some other topics posted today, you will notice that a lot of people have False Positives. That is because something is wrong with the latest update :frowning:

My advice is that you DON’T DELETE any positives now, UNLESS you are 100% SURE what you are doing :-\

All we can do is wait until they fix it in the next update :-\

Greetz, Red.

Hi grampa,

The topic has been merged. You must have posted before this which is why you didn’t see the rest. The moderators are merging many of the false positive posts to avoid filling the forums with these posts.

Mike

Thanks mike6688 for filling me in. I was beginning to doubt my brains.
Thanks to you I feel like (:NRD) again.
Cheers,
grampa.

No problem. :wink:

Mike

Hi All

we’ll investigate this and let you know shortly.
thanks for the heads up.

Melih

Melih :slight_smile:

Could you make a temporary sticky to inform forum visitors :slight_smile:

Greetz, Red.

Hi,
BOclean has just popped up this message twice now. Is it really a trojan?

Thanks.

PS, I’ve uploaded it to virus total but I’ve got a 70 minute wait.

A google search has it down as this…

http://www.dynamiclink.nl/htmfiles/rframes/info_sys/info_a/43.htm
Microsoft Acoustic Echo Canceller
