Location of startup: FILE
C:\DOCUME~1\MYNAME\LOCALS~1\TEMP\CMDLIN~1.DLL
In other words… C:\Documents and Settings\Myname\Local Settings\Temp\ (I’m assuming it’s) CmdLineExt02.dll
I open up the DLL and Sandboxie pops up (I didn’t even have it opened) and says “Could not invoke program”
Says it is a trojan horse… Should I remove it… It pops up when I open WC3 Frozen Throne + my WC3 Banlist … So… Should I send the file somewhere… Or…What?
You can email them to: bocleansubmissions at comodo.com.
You may want to specify in the subject line "False Positive?" for clarity's sake.
As usual, zip and password protect with "infected" including that information in the body.
I remember this file… I think I had a problem with BitDefender or A-Squared detecting it and both were removed… It’s something with Blizzard protection or something… I’ll send it to Comodo right away… And here’s VirusTotal results.
AhnLab-V3 2007.5.16.1 05.18.2007 no virus found
AntiVir 7.4.0.23 05.20.2007 no virus found
Authentium 4.93.8 05.18.2007 no virus found
Avast 4.7.997.0 05.18.2007 no virus found
AVG 7.5.0.467 05.20.2007 no virus found
BitDefender 7.2 05.20.2007 no virus found
CAT-QuickHeal 9.00 05.18.2007 Adware.CmdLine (Not a Virus)
ClamAV devel-20070416 05.20.2007 no virus found
DrWeb 4.33 05.20.2007 no virus found
eSafe 7.0.15.0 05.20.2007 Spyware.CmdLineExt
eTrust-Vet 30.7.3644 05.19.2007 no virus found
Ewido 4.0 05.20.2007 no virus found
FileAdvisor 1 05.20.2007 No threat detected
Fortinet 2.85.0.0 05.20.2007 PossibleThreat
F-Prot 4.3.2.48 05.18.2007 no virus found
F-Secure 6.70.13030.0 05.20.2007 no virus found
Ikarus T3.1.1.7 05.20.2007 no virus found
Kaspersky 4.0.2.24 05.20.2007 no virus found
McAfee 5034 05.18.2007 no virus found
Microsoft 1.2503 05.20.2007 no virus found
NOD32v2 2278 05.20.2007 no virus found
Norman 5.80.02 05.18.2007 no virus found
Panda 9.0.0.4 05.20.2007 no virus found
Prevx1 V2 05.20.2007 no virus found
Sophos 4.17.0 05.20.2007 no virus found
Sunbelt 2.2.907.0 05.17.2007 no virus found
Symantec 10 05.20.2007 no virus found
TheHacker 6.1.6.118 05.18.2007 no virus found
VBA32 3.12.0 05.20.2007 no virus found
VirusBuster 4.3.7:9 05.20.2007 no virus found
Webwasher-Gateway 6.0.1 05.20.2007 no virus found
BOClean gave me this alert but I think it’s a false positive.
I have deleted the file anyway, going to install program again, this is from driver cleaner.
05/21/2007 15:24:40: DLDR-BANLOAD.AW MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\PROGRAMAS\DRIVERCLEANERDOTNET\DRIVERCHECKDOTNET.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
I’m sure someone is working on this problem, but just to add my 2 cents worth…I had 3 FP’s today, the first was the AEC.SYS after a reboot…I opted to delete this one, then I rebooted and up popped DMIO.SYS which I deleted…I rebooted again and another one WANARP.SYS popped up…I did not delete this one. After checking this forum and seeing others having the same issue, I replaced the deleted files from my Service Pack Files, but on the next reboot, DMIO.SYS came up again. I ignored this one also and am waiting for a fix. I did send the WANARP.SYS to VirusTotal, and it was clean, also checked with my Prevx scanner, Avast and my rootkit scanners and nothing found.
It almost seems that if I deleted a file, another was chosen, and I can’t help but wonder how long that would have continued.
Should I do anything more than report this here in the forums?
Thanks!
Mele1949
Hi mele1949,
Looks like we have an update that needs looking into, hang tight I’ve emailed support about it.
Anytime there is a question on a file you can email them to: bocleansubmissions at comodo.com.
You may want to specify in the subject line “False Positive?” for clarity’s sake.
As usual, zip and password protect with “infected” including that information in the body.
Hi, I just wanted to say that I was having a similar problem. Except I deleted the file “AEC.sys”, and after rebooting Windows File Protection put it back (there was an entry in the event log).
How do you restore a file? (I opted to save a copy as evidence.)
05/21/2007 12:00:11: C:\WINDOWS\SYSTEM32\DRIVERS\WANARP.SYS
Trojan horse was found in above file
Logged in user:
Active trojan horse was shut down. System now safe.
Above file copied to evidence location for examination
Trojan horse was removed, registry cleaned.
05/21/2007 17:57:56: C:\WINDOWS\SYSTEM32\DRIVERS\AEC.SYS
Trojan horse was found in above file
DLDR-GAMES.D MALWARE STOPPED by BOCLEAN!
Logged in user: Owner
Active trojan horse was shut down. System now safe.
Trojan horse was removed, registry cleaned.
This is a false positive. Windows File Protection should restore this file on reboot, so you have no need to worry about it being deleted. If BOClean alerts you again, click No on the option for this detection.
Am I glad I found this thread, I just had this error about an hour ago, it was driving me nuts…
I also deleted it as others did, not realizing it was an FP, but…
I also noticed that my SpywareBlaster had a lot of “restricted sites” open, the same with Spybot. I went to immunize and found a lot of them were not selected.
Well, I actually deleted it (AEC.SYS) in safe mode, and it was not restored! Luckily I found someone on DC++ who shared his Windows folder, so I could get it back.
I’m glad that this was a false positive and I don’t blame Comodo, just feel happy to have good protection.