Virus & Spyware

rleduc · ‎03-08-2007

In the HijackThis form and in this form there are several threads regarding a low threat trojan picked up by PC-Cillan. Namely the file ~df394b.tmp triggers a "TROJ_GENERIC.ADV" warning. This can occur repeatedly if certain sound applications are used. The file in question is located in a subdirectory with a name of the form clclean.000*.* of the users local settings (C:\Documents and Settings\{user name here}\Local Settings\Temp). Local Settings is a hidden directory.

This directory is created by some Creative Labs products, apparently as part of some license verification scheme. According to other threads on TROJ_GENERIC.ADV on this forum and the HijackThis form, Trendmicro is working on a fix for PCCillan.

It seems to me that their only conceivable fix is to not identify this file as a trojan, when in fact it may well access the internet without a user's explicit permission. As such, I personally have decided in principal to shut off these products. Here is how to stop the clclean.000* directories from being created. I have noticed no lack of functionality, although I guess I did pay $20 extra for the machine to get this software, which I will no longer use.

Big Picture:

1. Turn off the start-up items: (1) Rundll32 CTMBHA.DLL,MBMon and (2) CTSysVol
2. Turn off the service "Creative Labs Licensing".

After completing this, you may need to go in to the control panels, select the sound settings, and check the box asking for a volume control to be put in the taskbar as the above steps shut off the fancy Creative Labs sound control software. The windows sound control is unaffected.

Details:
1. Log in as an administrator.
2. To turn off the start-up items:
a: click the start button and click "Run"
b: type msconfig and hit return
c: in the system configuration utility that comes up, click on the startup tab
d: uncheck the two start up items.
e: click ok.
f: click 'Exit without Restart' (you'll need to restart for the changes to take effect)

3. To turn off the service item:
a: Click on control panels
b: click on administrative tools (or in the category view, performance and maitenance and then administrative tools)
c: click on services
d: in the window, scroll till you find the service Creative Labs Licensing. Right click on it and select properties.
e: in the properties box, change service startup status to 'Disabled'.

Close things up and reboot.

You may need to add the windows sound icon to the task bar using the sound settings as described above.

I have experienced no trouble with this fix, although I can no longer use most or all of the Creative Labs Sound Blaster Audiology software. Good Riddance in my view. Your mileage may vary.

Message Edited by rleduc on 03-08-2007 09:46 AM

rleduc · ‎03-08-2007

I should also mention that when you reboot, windows will ask you if you want to start the system configuration utility again. It is perfectly safe to check the 'don't show this message again box'. If you do start msconfig by hand, the old start-up items are still there in the start-up list and you can restart them if you desire.

Likewise, the old services are still listed by the services control panel and can be restarted by hand at any time.

ky331 · ‎03-08-2007

You wrote that, per your 'fix', you "can no longer use most or all of the Creative Labs Sound Blaster Audigy software"

For some [most?] users, this would not be considered an acceptable 'solution'.

Also: Once you "turn-off" the items you mention via MSCONFIG, can you easily 'restore' them if you later decide to do so?

EDIT: Looks like your second post just answered this, in the affirmative. But I'd still suggest 'caution' in-general here, as I believe some versions of MSConfig offer a "Clean-Up" option, which in fact remove references to disabled programs.

If not, a far preferable approach would be to use an enhanced startup manager, such as WinPatrol,

www.Winpatrol.com

which will allow you to DISABLE items (rather than REMOVE them) from start up, with the ability to easily re-ENABLE them at any time that you wish.

lastly (for now), there have been some reports that

Rundll32 CTMBHA.DLL,MBMon

is the only "offending" line, generating the ClClean file...

that is to say, it might suffice to disable this one line alone, rather than all 3 (2 start-up + 1 service) that you've suggested.

If you're in a position to test this, it would be interesting to learn your results.

Message Edited by ky331 on 03-08-2007 11:20 AM

Windows 10 Pro (64-bit), Windows Defender, MBAM4 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, WinPatrol PLUS, SAS (on-demand scanner), uBlock Origin, Microsoft EDGE, Firefox, Pale Moon.

[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

rleduc · ‎03-10-2007

Originally, I only stopped the Rundll32 start up item and the Creative Labs licensing software, keeping the CTSysVol startup item working. This still left the Creative Labs volume control icon (the CTSysVol startup item) in the system tray. When I double clicked on that, the software failed for lack of the licensing service, and also started the clclean.0001 etc. So just stopping the Rundll32 item and Creative Labs licensing service alone did not do the trick.

It stands to reason that adding something back in, such as the Creative Labs Licensing Service will not cause the clclean object to disappear again, but I have not tested this.

The reason I stopped the Creative Labs licensing service in the first place is that Security Task Manager identified the clclean.0001 etc. as being created by Macrovision's Cleanup, a tool for license management. See here:

http://www.file.net/process/clclean.0001.html

and from Macrovision's own forums here:

http://community.macrovision.com/archive/index.php?t-141781.html

I can't speak for other users, but I know I choose not to have (1) an antivirus warning popping up frequently (or at all) for this program and (2) a licensing program that is identified, perhaps quite correctly, by the antivirus software as a trojan. There are malware you pick up from the world at large and what I would term malware from corporate entities that the corporate entity may well believe is legitimate.

Users who do not care about item (2) may well find this a useful temporary fix to avoid the frequent antivirus warnings until Trendmicro turns off detection of this item [Lord knows, they can't "fix it" in the sense of (2)].

In retrospect, I find I've lost absolutely zero functionality by not having the Creative Labs Audiology software installed. If it has other features, I have been completely unaware of them, hence probably don't need them. If I had to do it all over again, I would not have selected the Audiology option as part of my Dell purchase.

ky331 · ‎03-10-2007

it has been reported (by another forum member) that Trend Micro has confirmed, and fixed, the false positive here.

Unfortunately, false positives are a potentially a part of any anti-virus, anti-malware scanner ---- particularly those using heuristic scanning. This time, it was Trend Micro. But in the past, it's been Symantec/Norton, McAfee, Ad-Aware, and SpyBot --- just to name a few. Some of these have even claimed HiJackThis contained a virus!

Fortunately, the file being singled-out was not a "critical" file for your system to run... but suppose it had been an essential file required for Windows to boot: in such a case, you/we would have no choice but to put up with the (temporary) "nagging" popup from the Anti-virus, until the false positive were fixed. In other words, I'm saying that a false positive is not, in my opinion, a good reason to turn-off a legitimate program.

whether you want to run licensing programs, or auto-updater programs, or programs that "phone home" to check-up on things, is certainly a separate matter that you can decide [and disable] on your own.

Windows 10 Pro (64-bit), Windows Defender, MBAM4 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, WinPatrol PLUS, SAS (on-demand scanner), uBlock Origin, Microsoft EDGE, Firefox, Pale Moon.

[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

ky331 · ‎03-10-2007

Another question:

The two links you've included above (one of which I was familiar with) associate the clclean file with Macrovision... presumably for their InstallShield progam... and possibly due to the presence of certain Intel hardware.

If so, what is the connection between Macrovision, and Creative Audigy Soundblaster cards??? Unless you can establish such a connection, it might just be a fluke coincidence that both products might be using files with the same name.

P.S. I have the SoundBlaster Audigy software, and ClClean file, on my laptop as well. I do not use Trend Micro, so I have not encountered the false positive popup that has plagued you. But I am nonetheless interested in determining the real status of these files.

Windows 10 Pro (64-bit), Windows Defender, MBAM4 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, WinPatrol PLUS, SAS (on-demand scanner), uBlock Origin, Microsoft EDGE, Firefox, Pale Moon.

[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

rleduc · ‎03-10-2007

As to the connection with Creative Labs software: I can turn on and off the clclean stuff at will by turning on and off the Creative Labs products I named. Seems pretty conclusive cause and effect to me.

As to the connection with Macrovision: Security Task Manager's documentation says it identifies the title and description "contained in the file [i.e. the process clclean etc.]; for a visible window the title corresponds to the text in the window's title bar." This information identifies the program as Cleanup from Macrovision. Either this is correct, or the program spawned by the Creative Labs software is lying. Believing it is from Macrovision would make sense, since the Creative Labs software clearly uses some licensing software scheme and that's what Macrovision's Cleanup does according to Macrovision's own website.

As to false positives: I'm well acquainted with the concepts of specificity and sensitivity. Why should this be considered a false positive? Apparently, simply that the clclean stuff comes from a "trusted source", Creative Labs. I'm not so trusting - my criteria is functional. If a program is accessing the internet without my knowledge, I personally consider it malware. That's a personal choice, and I'm not alone in believing this way.

ky331 · ‎03-10-2007

"Why should this be considered a false positive?" No, the answer to this is NOT "simply that the clclean stuff comes from a "trusted source", Creative Labs", but rather, it is a false-positive --- at least, in terms of it being a VIRUS/TROJAN --- because:

1) the file has been submitted to VirusTotal, which asserted it was clean according to 31 different anti-virus scanners... see the 3rd posting in this thread:

http://www.dellcommunity.com/supportforums/board/message?board.id=si_hijack&thread.id=57574

2) TrendMicro, by virtue of its updated definitions which [allegedly] no longer pick-up on this file, has by this change, admitted it to be a false-positive.

-----------------

"If a program is accessing the internet without my knowledge, I personally consider it malware." And you indeed have every right to [provided this was not adequately disclosed in their EULA]. But if so, the file should have been picked up as SPYWARE, by an anti-spyware program, rather than as a TROJAN, by an anti-virus program.

Windows 10 Pro (64-bit), Windows Defender, MBAM4 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, WinPatrol PLUS, SAS (on-demand scanner), uBlock Origin, Microsoft EDGE, Firefox, Pale Moon.

[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

lailokenZen · ‎03-11-2007

I just went thru this with a client [with a Dell pc]... after not finding much help on the web or from the guys at trend. ewido/avg found nada, hijack this showed nothing of import, all other scum-ware scans came up with nothing. he also has CB software, but I didn't find it was causing the problem.

first Q - do you have Google Toolbar installed? do you sign in automatically to either gmail or any other google service when you open your browser - whichever one?

if so, uninstall the Google Toolbar, dump all your temporary files and this pesky message should be gone.

I am of the thought that google toolbar - with this new notifiier piece - is attempting to send out information when you open your browser, and that is what is triggering pc-cillin. when I logged my client out of his google acct., the warning did not come up again until he clicked to log in to get his google bookmarks or g-mail. I had him uninstall the toolbar and all is playing nice again.

~§~

ky331 · ‎03-11-2007

very interesting... so now, we have another potential cause/basis for this problem...

Windows 10 Pro (64-bit), Windows Defender, MBAM4 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, WinPatrol PLUS, SAS (on-demand scanner), uBlock Origin, Microsoft EDGE, Firefox, Pale Moon.

[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

Virus & Spyware

Resolution Re: TROJ_GENERIC.ADV