Unknown trojan horse around?

Here’s my BOClean logfile:

09/06/2007 02:36:45: UNICLEAR MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\UNICLEAR.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.

I couldn’t find any reliable info on this one yet. Is or was it a (now killed…) system file, or is this some newbie?

Thanks for any info about it

Due to the lack of unified naming conventions in the anti-malware industry it’s often difficult to run one of these down. :frowning:
I’d suggest running the UNICLEAR.EXE through Virus Total as well as submitting it to Comodo submissions. From the CBO FAQ:

Suspected False Positives?

Q: Where do we send the files that are being alerted on that we suspect are FPs?

A: You can email them to: malwaresubmit [ at ] avlab.comodo.com .
You may want to specify in the subject line “False Positive?” for clarity’s sake.
As usual, zip and password protect with “infected” including that information in the body.

yes, ok, but BOClean has already killed, i.e. deleted the mentioned file…

It asked me to do so and do an immediate restart, so I did.

I think I won’t be able to send it to anywhere, now, right?

Well, that does kind of put a stop on sending it for analysis… :wink:

On the other side, if it’s a valid Windows file, it will be regenerated by the OS.

LM

Do you have CBO set to save a copy?

Yes, I had BOClean set to keep a copy. Don’t really know where it does save copies of found malware. Any idea where they are located?

Thanks

And to Little Mac:

Hi friend, you said:

‘On the other side, if it’s a valid Windows file, it will be regenerated by the OS.’

Are you sure?

Even if having removed this function before OS install?

As many malware types use this “regenerate” function, it is not available here anymore…

Well, given that you’ve done modifications to your system, yours may not regenerate Windows OS files… :wink:

I’ll put it this way ~ Under normal circumstances, valid Windows OS files should be automatically regenerated by default.

Does that work better for you? ;D

LM

For regeneration and recreation, I always prefer to use a DVD backup. Am I evil?

(:KWL)

Yet, my question has not been answered.

Where does BOClean “quarantine” the evil ones?

I did not find anything.

I think it shows the path in the configuration window. If not, try clicking the link to documentation; it may say there.

Sorry, I know that’s not a direct answer; I’m not at a Windows machine now and don’t have immediate access to BOC to check.

LM

C:\Documents and Settings\All Users\Application Data\BOC425\evidence.boc

Thanx a lot, Cat, I found it now. Btw, do you know if there’s a way for the user to safely read what kind of information is being logged inside the .boc file, except for the malware image itself?

Would be kind of you to let me know. :slight_smile:

BOC renames the file; there is no other information stored in the evidence file.
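Since the evidence file is just the renamed original, the safe way to learn something about it is to inspect the bytes without ever executing them. The script below is an added example for this thread, not BOClean's or Comodo's code: it hashes a file (a hash alone can be searched on Virus Total, so the full sample need not be uploaded), checks whether it carries a Windows PE header, and pulls out printable strings the way the `strings` tool does. The embedded sample is a constructed stand-in with a minimal MZ/PE layout, not a real evidence.boc; run it with a path argument to triage a real quarantined file.

```python
import hashlib
import re
import struct

# Constructed sample: a minimal stand-in for a quarantined executable, NOT a real
# BOClean evidence file. It has a DOS "MZ" stub, an e_lfanew pointer at offset 0x3C,
# a "PE\0\0" signature at that offset, and a few printable strings after the header.
SAMPLE_PE_OFFSET = 0x80
_sample = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
_sample += struct.pack("<I", SAMPLE_PE_OFFSET)               # e_lfanew field
_sample += b"\x00" * (SAMPLE_PE_OFFSET - len(_sample))       # pad up to the PE header
_sample += b"PE\x00\x00" + b"\x00" * 20                      # PE signature + empty COFF header
_sample += b"This program cannot be run in DOS mode.\x00\x00"
_sample += b"kernel32.dll\x00GetProcAddress\x00ab\x00"
SAMPLE_FILE = bytes(_sample)


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the bytes; any of them can be looked up online
    without submitting the file itself."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with a DOS MZ header whose e_lfanew pointer
    (offset 0x3C) lands on a 'PE\\0\\0' signature, i.e. a Windows executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of at least min_len printable ASCII bytes, like the 'strings' tool.
    Imported DLL and API names usually show up here."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict:
    """Static summary of a blob: size, hashes, PE check and strings. Nothing is run."""
    return {
        "size": len(data),
        "hashes": file_hashes(data),
        "is_pe": looks_like_pe(data),
        "strings": printable_strings(data),
    }


def triage_file(path: str) -> dict:
    """Triage a file on disk, e.g. the evidence.boc copy kept by BOClean."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    import json
    import sys

    # With a path argument the real file is inspected; otherwise the constructed sample.
    report = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_FILE)
    print(json.dumps(report, indent=2))
```

Reading the file in binary mode and never calling anything that interprets it keeps the inspection safe; the strings list and the hashes are what you would paste into a submission e-mail or a hash search, and the PE check tells you at a glance whether the quarantined item was an executable at all.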