Help-can't clean or delete a trojan

Discussion in 'ESET Smart Security' started by MAC614, Sep 27, 2008.

Thread Status:
Not open for further replies.
  1. MAC614

    MAC614 Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    15
    One virus shows up every time I scan. I try to clean it or delete it but I get an error message. Please help.

    D:\i386\Apps\App002342\BAE.dll - Win32/TrojanClicker.Agent.NEO trojan - error while deleting (Access denied)
     
  2. MAC614

    MAC614 Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    15
    bump...........
     
  3. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hello,

    Use UnDLL for removing this file. Make a log from SysInspector and send it to support[at]eset.sk with this thread's URL in the subject.

    Regards
     
  4. MAC614

    MAC614 Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    15
    How do I remove the file?

    I typed the file name in the open box but it didn't show the file.
     
  5. ASpace

    ASpace Guest

    When using UnDll you can Browse to the file. Otherwise you must place the full path (e.g. -> D:\I386\....\filename.dll)

    Not entirely sure, but could the detection of D:\i386\Apps\App002342\BAE.dll potentially be a false positive? Even though there is known malware that hides itself with this name, this can also be a legitimate file. Moreover, it is located in D:\i386\...

    If possible I would first try to upload the file to VirusTotal (www.virustotal.com), just to have some idea.
     
  6. MAC614

    MAC614 Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    15
    I found out that it's in the recovery folder on D. It won't let me open it in UnDLL, saying that I don't have permission, but when I closed out of UnDLL and went to it I was able to open it. It warns me that this area contains files that are used for system recovery. Should I delete the recovery folder? Any suggestions?
     
  7. norky

    norky Registered Member

    Joined:
    May 1, 2004
    Posts:
    172
    Location:
    Lithia, FL
    That's most likely going to be a false positive.
     
  8. MAC614

    MAC614 Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    15
    What do you mean by false positive?
     
  9. ASpace

    ASpace Guest


    false positive = wrong detection, mistake, detection of a non-malicious file.
    As I asked, can you possibly upload D:\i386\Apps\App002342\BAE.dll to VirusTotal (www.virustotal.com) and tell us the results, please?
     
  10. MAC614

    MAC614 Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    15
    The result was: 0 bytes size received / Se ha recibido un archivo vacio

    Then a pop-up pops up with this info:

    Threat found
    Alert

    Object: D:\i386\Apps\App002342\BAE.dll

    Threat:
    Win32/TrojanClicker.Agent.NEO trojan

    Comment:
    Error while cleaning
    Event occurred during an attempt to access the file by the application:
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Could you please disable the resident (real-time) protection for a while and send the file to samples[at]eset.com with something like "probable False positive" in the subject?
     
  12. DanL

    DanL Registered Member

    Joined:
    Nov 25, 2004
    Posts:
    159
    This appears to be a false positive that started with the ESET 9/26 update.
    Mostly on Dell and Gateway computers.

    See this thread at DSL Reports:
    http://www.dslreports.com/forum/r21183393-nod32-v27-and-baedll

    I also had this alert yesterday on one of my Gateway laptops.

    Hopefully, it is a false positive, and Eset will have a fix soon.
     
  13. MAC614

    MAC614 Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    15
    This makes sense, I'm on a Gateway computer. Thanks to all for the help.
     
  14. DanL

    DanL Registered Member

    Joined:
    Nov 25, 2004
    Posts:
    159
    Remember....even though this appears to be a false positive, until someone
    can verify, we are not in the clear yet.
     