False Positive? [Resolved]

SECUREROM-DRM MALWARE STOPPED by BOCLEAN

Location of startup: FILE
C:\DOCUME~1\MYNAME\LOCALS~1\TEMP\CMDLIN~1.DLL

In other words… C:\Documents and Settings\Myname\Local Settings\Temp\ (I’m assuming it’s) CmdLineExt02.dll

I open up the dll and sandboxie pops up (I didn’t even have it opened) and says “Could not invoke program”

Says it is a trojan horse… Should I remove it… It pops up when I open WC3 Frozen Throne + my WC3 Banlist … So… Should I send the file somewhere… Or…What?

Have you scanned it at Virus Total?
http://www.virustotal.com/en/indexf.html
As always, we encourage you to send it to submissions.
From the FAQ:
False Positives…where to send?

You can email them to: bocleansubmissions at comodo.com . You may want to specify in the subject line "False Positive?" for clarity's sake. As usual, zip and password protect with "infected" including that information in the body

I remember this file… I think I had a problem with BitDefender or A-Squared detecting it and both were removed… It’s something with Blizzard protection or something… I’ll send it to Comodo right away… And here’s Virustotal results.

AhnLab-V3 2007.5.16.1 05.18.2007 no virus found
AntiVir 7.4.0.23 05.20.2007 no virus found
Authentium 4.93.8 05.18.2007 no virus found
Avast 4.7.997.0 05.18.2007 no virus found
AVG 7.5.0.467 05.20.2007 no virus found
BitDefender 7.2 05.20.2007 no virus found
CAT-QuickHeal 9.00 05.18.2007 Adware.CmdLine (Not a Virus)
ClamAV devel-20070416 05.20.2007 no virus found
DrWeb 4.33 05.20.2007 no virus found
eSafe 7.0.15.0 05.20.2007 Spyware.CmdLineExt
eTrust-Vet 30.7.3644 05.19.2007 no virus found
Ewido 4.0 05.20.2007 no virus found
FileAdvisor 1 05.20.2007 No threat detected
Fortinet 2.85.0.0 05.20.2007 PossibleThreat
F-Prot 4.3.2.48 05.18.2007 no virus found
F-Secure 6.70.13030.0 05.20.2007 no virus found
Ikarus T3.1.1.7 05.20.2007 no virus found
Kaspersky 4.0.2.24 05.20.2007 no virus found
McAfee 5034 05.18.2007 no virus found
Microsoft 1.2503 05.20.2007 no virus found
NOD32v2 2278 05.20.2007 no virus found
Norman 5.80.02 05.18.2007 no virus found
Panda 9.0.0.4 05.20.2007 no virus found
Prevx1 V2 05.20.2007 no virus found
Sophos 4.17.0 05.20.2007 no virus found
Sunbelt 2.2.907.0 05.17.2007 no virus found
Symantec 10 05.20.2007 no virus found
TheHacker 6.1.6.118 05.18.2007 no virus found
VBA32 3.12.0 05.20.2007 no virus found
VirusBuster 4.3.7:9 05.20.2007 no virus found
Webwasher-Gateway 6.0.1 05.20.2007 no virus found
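A small triage helper for listings like the VirusTotal results above, added here as an example and not part of the original post or of any VirusTotal tooling. It parses the plain-text "engine version date verdict" lines, counts how many engines flagged the file, and separates named detections from low-confidence verdicts (PUA/"Not a Virus"/"Possible" style labels), which is the information a reader needs when judging a likely false positive. The sample lines are copied from the listing in the post; the low-confidence markers are an assumption of this example, not a VirusTotal convention.

```python
import re

# Lines copied from the VirusTotal listing quoted in the post above.
# Layout: "<engine> <signature version> <MM.DD.YYYY> <verdict>"
SAMPLE_SCAN = """\
AhnLab-V3 2007.5.16.1 05.18.2007 no virus found
CAT-QuickHeal 9.00 05.18.2007 Adware.CmdLine (Not a Virus)
eSafe 7.0.15.0 05.20.2007 Spyware.CmdLineExt
FileAdvisor 1 05.20.2007 No threat detected
Fortinet 2.85.0.0 05.20.2007 PossibleThreat
Kaspersky 4.0.2.24 05.20.2007 no virus found
"""

# Verdict strings that mean "clean" in this listing format.
CLEAN_VERDICTS = {"no virus found", "no threat detected"}

# Substrings that mark a verdict as heuristic / potentially-unwanted rather than a
# named malware family. This list is an assumption of the example, not a standard.
LOW_CONFIDENCE_MARKERS = ("possible", "not a virus", "heur", "generic", "suspicious")

# engine and version contain no spaces; the date is MM.DD.YYYY; verdict is the rest.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")


def parse_scan(text):
    """Parse the plain-text listing into one dict per engine."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised scan line: {line!r}")
        engine, version, date, verdict = m.groups()
        verdict = verdict.strip()
        rows.append({
            "engine": engine,
            "version": version,
            "date": date,
            "verdict": verdict,
            "clean": verdict.lower() in CLEAN_VERDICTS,
        })
    return rows


def triage(rows):
    """Summarise the listing: detection ratio and which flags are named vs low-confidence."""
    flagged = [r for r in rows if not r["clean"]]
    low_conf = [r for r in flagged
                if any(k in r["verdict"].lower() for k in LOW_CONFIDENCE_MARKERS)]
    named = [r for r in flagged if r not in low_conf]
    return {
        "engines": len(rows),
        "flagged": len(flagged),
        "ratio": f"{len(flagged)}/{len(rows)}",
        "named_engines": [r["engine"] for r in named],
        "low_confidence_engines": [r["engine"] for r in low_conf],
        "verdicts": {r["engine"]: r["verdict"] for r in flagged},
    }


if __name__ == "__main__":
    summary = triage(parse_scan(SAMPLE_SCAN))
    print(f"detections: {summary['ratio']}")
    print("named:", summary["named_engines"])
    print("low confidence:", summary["low_confidence_engines"])
```

Run against the full listing in the post, the same code gives a 3/31 ratio with two of the three hits carrying low-confidence labels, which is the kind of picture that justifies sending the file to the vendor as a suspected false positive rather than deleting it outright.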

Boclean gave me this alert but I think it’s a false positive.
I have deleted the file anyway, going to install program again, this is from driver cleaner.

05/21/2007 15:24:40: DLDR-BANLOAD.AW MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\PROGRAMAS\DRIVERCLEANERDOTNET\DRIVERCHECKDOTNET.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.

Can anyone confirm please.
Thank you

I’m sure someone is working on this problem, but just to add my 2 cents worth…I had 3 FP’s today, the first was the AEC.SYS after a reboot…I opted to delete this one, then I rebooted and up popped DMIO.SYS which I deleted…I rebooted again and another one WANARP.SYS popped up…I did not delete this one. After checking this forum and seeing others having the same issue, I replaced the deleted files from my Service Pack Files, but on the next reboot, DMIO.SYS came up again. I ignored this one also and am waiting for a fix. I did send the WANARP.SYS to VirusTotal, and it was clean, also checked with my Prevx scanner, Avast and my rootkit scanners and nothing found.
It almost seems that if I deleted a file, another was chosen, and I can’t help but wonder how long that would have continued.
Should I do anything more than report this here in the forums?
Thanks!
Mele1949

Hi mele1949,
Looks like we have an update that needs looking into, hang tight I’ve emailed support about it.
Anytime there is a question on a file you can email them to: bocleansubmissions at comodo.com .
You may want to specify in the subject line “False Positive?” for clarity’s sake.
As usual, zip and password protect with “infected” including that information in the body.

Hi, I just wanted to say that I was having a similar problem. Except I deleted the file “AEC.sys”, and after rebooting Windows File Protection put it back (there was an entry in the event log).

Best advice for now is that you DON’T DELETE any Positive now, UNLESS you are 100% SURE what you are doing :-\

Greetz, Red.

Thanks Cat, Red…will do as you suggest and monitor the situation here.
Mele1949

How do you restore a file (I opted to save a copy as evidence).

05/21/2007 12:00:11: C:\WINDOWS\SYSTEM32\DRIVERS\WANARP.SYS
Trojan horse was found in above file

Logged in user:
Active trojan horse was shut down. System now safe.
Above file copied to evidence location for examination
Trojan horse was removed, registry cleaned.

05/21/2007 17:57:56: C:\WINDOWS\SYSTEM32\DRIVERS\AEC.SYS
Trojan horse was found in above file
DLDR-GAMES.D MALWARE STOPPED by BOCLEAN!
Logged in user: Owner
Active trojan horse was shut down. System now safe.
Trojan horse was removed, registry cleaned.

Thank You!

This is a false positive. Windows file protection should restore this file on reboot, so you have no need to worry of it being deleted. If BOClean alerts you again click no on the option for this detection.

Mike

Geeze,

am I glad I found this thread, I just had this error about a hour ago, it was driving me nuts…

I also deleted it as others not realizing it was FP, but…

I also noticed that my spywareblaster had a lot of “restricted sites” open, the same with spybot; I went to immunize and found a lot of them were not selected.

Anybody else notice this?

Thanks :)

Hi,

Please ensure you have the latest update for BOClean. This fixes the false positives encountered.

Mike

Well, I actually deleted it (AEC.SYS) in safe mode, and it was not restored! Luckily I found someone on DC++ who shared his Windows folder, so I could get it back.

I’m glad that this was a false positive and I don’t blame Comodo, just feel happy to have good protection :) :) :)

If the file was deleted in safe mode, then no it will not be restored. I’ve attached the file, for anyone who may have deleted it.

Mike

[attachment deleted by admin]

As this should be resolved with the last update:

False Positives Fixed with latest update!

I’ll mark it resolved and lock it up. If anyone feels it needs reopening please feel free to IM a mod and we’ll open it back up.