Help-can't clean or delete a trojan

Discussion in 'ESET Smart Security' started by MAC614, Sep 27, 2008.

Thread Status:
Not open for further replies.
  1. MAC614

    MAC614 Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    15
    One virus shows up every time I scan. I try to clean it or delete it but I get an error message. Please help.

    D:\i386\Apps\App002342\BAE.dll - Win32/TrojanClicker.Agent.NEO trojan - error while deleting (Access denied)
     
  2. MAC614

    MAC614 Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    15
    bump...........
     
  3. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hello,

    Use UnDLL to remove this file. Make a log from SysInspector and send it to support[at]eset.sk with this thread's URL in the subject.

    Regards
     
  4. MAC614

    MAC614 Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    15
    How do I remove the file?

    I typed the file name in the open box but it didn't show the file.
     
  5. ASpace

    ASpace Guest

    When using UnDll you can browse to the file. Otherwise you must enter the full path (e.g. -> D:\I386\....\filename.dll).

    Not entirely sure, but could the detection of D:\i386\Apps\App002342\BAE.dll potentially be a false positive? Even though there is known malware that hides itself with this name, this can also be a legitimate file. Moreover, it is located in D:\i386\...

    If possible I would first try to upload the file to VirusTotal (www.virustotal.com), just to have some idea.
     
  6. MAC614

    MAC614 Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    15
    I found out that it's in the recovery folder on D. It won't let me open it in UnDLL, saying that I don't have permission, but when I closed out of UnDLL and went to it I was able to open it. It warns me that this area contains files that are used for system recovering. Should I delete the recovery folder? Any suggestions?
     
  7. norky

    norky Registered Member

    Joined:
    May 1, 2004
    Posts:
    172
    Location:
    Lithia, FL
    That's most likely going to be a false positive.
     
  8. MAC614

    MAC614 Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    15
    What do you mean by false positive?
     
  9. ASpace

    ASpace Guest


    False positive = wrong detection, mistake, detection of a non-malicious file.
    As I asked, can you possibly upload D:\i386\Apps\App002342\BAE.dll to VirusTotal (www.virustotal.com) and tell us the results, please?
     
  10. MAC614

    MAC614 Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    15
    The result was: 0 bytes size received / Se ha recibido un archivo vacio

    Then a pop-up pops up with this info:

    Threat found
    Alert

    Object: D:\i386\Apps\App002342\BAE.dll

    Threat:
    Win32/TrojanClicker.Agent.NEO trojan

    Comment:
    Error while cleaning
    Event occurred during an attempt to access the file by the application:
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,408
    Could you please disable the resident (real-time) protection for a while and send the file to samples[at]eset.com with something like "probable False positive" in the subject?
     
  12. DanL

    DanL Registered Member

    Joined:
    Nov 25, 2004
    Posts:
    159
    This appears to be a false positive that started with the ESET 9/26 update,
    mostly on Dell and Gateway computers.

    See this thread at DSL Reports:
    http://www.dslreports.com/forum/r21183393-nod32-v27-and-baedll

    I also had this alert yesterday on one of my Gateway laptops.

    Hopefully, it is a false positive, and Eset will have a fix soon.
     
  13. MAC614

    MAC614 Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    15
    This makes sense, I'm on a Gateway computer. Thanks for the help to all.
     
  14. DanL

    DanL Registered Member

    Joined:
    Nov 25, 2004
    Posts:
    159
    Remember....even though this appears to be a false positive, until someone
    can verify, we are not in the clear yet.
     