False Positive? [Resolved]

btman · May 20, 2007, 4:19am

SECUREROM-DRM MALWARE STOPPE by BOCLEAN

Location of startup: FILE
C:\DOCUME~1\MYNAME\LOCALS~1\TEMP\CMDLIN~1.DLL

In other words… C:\Documents and Settings\Myname\Local Settings\Temp\ (I’m assuming its) CmdLineExt02.dll

I open up the dll and sandboxie pops up (I didn’t even have it opened) and says “Could not invoke program”

Says it is a trojan horse… Should I remove it… It pops up when I open WC3 Frozen Throne + my WC3 Banlist … So… Should I send the file somewhere… Or…What?

_cat · May 20, 2007, 4:33am

Have you scanned it at Virus Total?
http://www.virustotal.com/en/indexf.html
As always, we encourage you to send it to submissions.
From the FAQ:
False Positives…where to send?

You can email them to: bocleansubmissions at comodo.com . You may want to specify in the subject line "False Positive?" for clarity's sake. As usual, zip and password protect with "infected" including that information in the body

btman · May 20, 2007, 7:56pm

I remember this file… I think I had a problem with BitDefender or A-Squared detecting it and both were removed… It’s something with Blizzard protection or something… I’ll send it to Comodo right away… And here’s Virustotal results.

AhnLab-V3 2007.5.16.1 05.18.2007 no virus found
AntiVir 7.4.0.23 05.20.2007 no virus found
Authentium 4.93.8 05.18.2007 no virus found
Avast 4.7.997.0 05.18.2007 no virus found
AVG 7.5.0.467 05.20.2007 no virus found
BitDefender 7.2 05.20.2007 no virus found
CAT-QuickHeal 9.00 05.18.2007 Adware.CmdLine (Not a Virus)
ClamAV devel-20070416 05.20.2007 no virus found
DrWeb 4.33 05.20.2007 no virus found
eSafe 7.0.15.0 05.20.2007 Spyware.CmdLineExt
eTrust-Vet 30.7.3644 05.19.2007 no virus found
Ewido 4.0 05.20.2007 no virus found
FileAdvisor 1 05.20.2007 No threat detected
Fortinet 2.85.0.0 05.20.2007 PossibleThreat
F-Prot 4.3.2.48 05.18.2007 no virus found
F-Secure 6.70.13030.0 05.20.2007 no virus found
Ikarus T3.1.1.7 05.20.2007 no virus found
Kaspersky 4.0.2.24 05.20.2007 no virus found
McAfee 5034 05.18.2007 no virus found
Microsoft 1.2503 05.20.2007 no virus found
NOD32v2 2278 05.20.2007 no virus found
Norman 5.80.02 05.18.2007 no virus found
Panda 9.0.0.4 05.20.2007 no virus found
Prevx1 V2 05.20.2007 no virus found
Sophos 4.17.0 05.20.2007 no virus found
Sunbelt 2.2.907.0 05.17.2007 no virus found
Symantec 10 05.20.2007 no virus found
TheHacker 6.1.6.118 05.18.2007 no virus found
VBA32 3.12.0 05.20.2007 no virus found
VirusBuster 4.3.7:9 05.20.2007 no virus found
Webwasher-Gateway 6.0.1 05.20.2007 no virus found

mllopes · May 21, 2007, 2:54pm

Boclean gave me this alert but i think its a false positive
I have deleted the file anyway, going to install program again, this is from driver cleaner.

05/21/2007 15:24:40: DLDR-BANLOAD.AW MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\PROGRAMAS\DRIVERCLEANERDOTNET\DRIVERCHECKDOTNET.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.

Can anyone confirm please.
Thank you

mele1949 · May 21, 2007, 6:11pm

I’m sure someone is working on this problem, but just to add my 2 cents worth…I had 3 FP’s today, the first was the AEC.SYS after a reboot…I opted to delete this one, then I rebooted and up popped DMIO.SYS which I deleted…I rebooted again and another one WANARP.SYS popped up…I did not delete this one. After checking this forum and seeing others having the same issue, I replaced the deleted files from my Service Pack Files, but on the next reboot, DMIO.SYS came up again. I ignored this one also and am waiting for a fix. I did send the WANARP.SYS to VirusTotal, and it was clean, also checked with my Prevx scanner, Avast and my rootkit scanners and nothing found.
It almost seems that if I deleted a file, another was chosen, and I can’t help but wonder how long that would have continued.
Should I do anything more than report this here in the forums?
Thanks!
Mele1949

_cat · May 21, 2007, 6:22pm

Hi mele1949,
Looks like we have an update that needs looking into, hang tight I’ve emailed support about it.
Anytime there is a question on a file you can email them to: bocleansubmissions at comodo.com .
You may want to specify in the subject line “False Positive?” for clarity’s sake.
As usual, zip and password protect with “infected” including that information in the body.

JohnB2006 · May 21, 2007, 6:27pm

Hi, I just wanted to say that I was having a similar problem. Except I deleted the file “AEC.sys”, and after rebooting Windows File Protection put it back (there was an entry in the event log).

Rednose · May 21, 2007, 6:32pm

Best advise for now is that you DON’T DELETE any Positive now, UNLESS you are 100% SURE what you are doing :-\

Greetz, Red.

mele1949 · May 21, 2007, 6:51pm

Thanks Cat, Red…will do as you suggest and monitor the situation here.
Mele1949

G1111 · May 21, 2007, 6:56pm

How do you restore a file (I opted to save a copy as evidence).

05/21/2007 12:00:11: C:\WINDOWS\SYSTEM32\DRIVERS\WANARP.SYS
Trojan horse was found in above file

Logged in user:
Active trojan horse was shut down. System now safe.
Above file copied to evidence location for examination
Trojan horse was removed, registry cleaned.

ratchet · May 21, 2007, 11:07pm

05/21/2007 17:57:56: C:\WINDOWS\SYSTEM32\DRIVERS\AEC.SYS
Trojan horse was found in above file
DLDR-GAMES.D MALWARE STOPPED by BOCLEAN!
Logged in user: Owner
Active trojan horse was shut down. System now safe.
Trojan horse was removed, registry cleaned.

Thank You!

mike6688 · May 22, 2007, 12:50am

This is a false positive. Windows file protection should restore this file on reboot, so you have no need to worry of it being deleted. If BOClean alerts you again click no on the option for this detection.

Mike

gismo999 · May 22, 2007, 1:11am

Geeze,

am I glad I found this thread, I just had this error about a hour ago, it was driving me nuts…

I also deleted it as others not realizing it was FP, but…

I also noticed that my spywareblaster had alot of “restricted sites” open, the same with spybot, I went to immmunize and found alot of them were not selected.

Anybody else notice this?

Thanks

mike6688 · May 22, 2007, 2:42pm

Hi,

Please ensure you have the latest update for BOClean. This fixes the false psotives encountered.

Mike

LeoniAquila · May 22, 2007, 4:09pm

Well, I actually deleted it (AEC.SYS) in safe mode, and it was not restored! Luckily I found someone on DC++ who shared his Windows folder, so I could get it back.

I’m glad that this was a false positive and I don’t blame Comodo, just feel happy to have good protection

mike6688 · May 22, 2007, 6:55pm

If the file was deleted in safe mode, then no it will not be restored. I’ve attached the file, for anyone who may have deleted it.

Mike

[attachment deleted by admin]

_cat · May 22, 2007, 8:20pm

As this should be resolved with the last update:

False Positives Fixed with latest update!

I’ll mark it resolved and lock it up. If anyone feels it needs reopened please feel free to IM a mod and we’ll open it back up.